Home PC security questions

Let's consider a typical home Linux user with just a single PC and a modem/router for an internet link.
What sort of security is needed in this situation?
For example

  • is there a need for a firewall, given that the modem usually has a firewall and uses IP aliasing
  • is there any need to use a VPN
  • what settings are needed in browser and email
  • is there any need to run malware detection
  • Backups are part of security. What is the simplest minimal setup?


3 Likes

Ok, Neville, I’ll take a shot at the bare minimum.

  • I’ll use my modem’s firewall and supply a pretty rigorous password.
  • I have a VPN available through Proton.com if I feel the need.
  • Firefox, with zero browsing history and DuckDuckGo as a search engine. Email client is Protonmail.com for important stuff and Comcast.net for junk.
  • No virus/malware program for Linux.
  • All important data is manually directed to an external storage HDD. No program used.

Pretty simple. The only user-dependent function is remembering to back stuff up, although I’m trying MEGA’s sync function in one distro to see how it works.

5 Likes

That is a great idea.

In general, what you say is a new user can just install some major linux distro like Debian or Ubuntu or OpenSuse, and it is secure enough for a simple, non-server, home system. Just need to attend to backups.

3 Likes

I can think of at least 2 kinds of security.

  1. The system secure from attacks over network from outside
  2. The system is secure against attacks of the user from inside.

Regarding 1. I think most Linux distros are secure enough.
Regarding 2. it depends on the user. If that user runs random scripts copied from dark websites with root rights, then no distro is really secure. :wink:

4 Likes

The old fashioned version of that would be having the kids bring home a floppy disk with a virus on it.

Today, what you download needs to be watched.

I wonder if mobile phones connecting to the modem/router when at home could bring about that sort of inside attack?

1 Like

@nevj:

Hi Neville, :wave:

part of my security setup is running as many applications/processes as possible in a sandboxed environment.
I make use of firejail for that matter (https://firejail.wordpress.com/ ).

It´s really well documented and its github-support is splendid. :wink:

It might be debatable whether or not implementing firejail for security reasons really is necessary, but to me it provides an additional layer of security.
At any rate, I use it for processes that open a port to the internet (e.g. browsers).

For online-banking it´s a must-have (at least to me):

firejail --private --dns=1.1.1.1 --dns=9.9.9.9 firefox -no-remote

gives me the equivalent of a freshly installed browser with no “legacy issues” like bookmarks, cookies etc. in a totally detached environment.
Upon closing everything´s discarded…

Many greetings
Rosika :slightly_smiling_face:

2 Likes

I use OpenDNS, but some sort of third party DNS service is a good idea. It’ll block known malicious sites and could also be configured to block certain categories. Things like maybe guns, gambling, or porn could be blocked. Especially good to help prevent kids from seeing things you’d rather they didn’t.

A software firewall is nice to block unknown outbound requests, but this is optional.

2 Likes

Hi Rosika,
Yes, I think I shall adopt that, at least for important things like banking and government sites that keep personal details.

Regards
Neville

2 Likes

You mean one should run a home pc as a dns server?
I used to when I had FreeBSD, but now with Linux I just use the provider's DNS server.

I understand what you say about blocking things, but I can do that on the modem/router.

The old idea with multiple computers used to be to have one machine with the internet connection and a firewall, and hide the others behind it. Today the modem/router seems to take care of everything.

No. I have my router use OpenDNS as its source of DNS. Everyone on the inside uses the router itself as gateway and DNS.

2 Likes

I have my desktop set up as a server. I had to install open ssh server to enable this since it’s not part of the default Ubuntu installation.

If you take a look at /var/log/auth.log you’ll be amazed at the endless attempts by unauthorized users trying to log in. I see an average of about one attempt every two minutes, around the clock. They used to come from all over the world but in the last couple of years the tries are mostly from China. It’s fun to watch via the command “tail -f /var/log/auth.log”.

I set up authentication via public key encryption and disabled logins via password. Instructions to do this are well-documented online (and longer than I want to type).

My server is intended to be used only by me so there are only two entries in the authorized keys file (which is ~/.ssh/authorized_keys), one for each of my laptops. Sessions can also be opened by the operating system and you will see root, Gnome display manager, and “nobody” in addition to the authorized user(s). No unauthorized user has ever been authenticated. I’ve been using this setup for more than 10 years and estimate that there have been more than 2½ million unauthorized login attempts during that time. None have succeeded.

If you’re using only a browser and don’t have open ssh installed I think you are quite safe. The firewall in the router is sufficient. Also, turn off remote administration of your router. For several years I used ClamAV. It found only two instances of malware, both in Windows files. I no longer bother with that.

As stated in an earlier comment, the big risk is malware coming in via an email attachment. While there are hardly any worms, viruses, etc., in Linux there ARE some and new ones will surely appear. I think it’s wise to maintain good internet hygiene.

3 Likes
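The post above watches auth.log by hand. This added example (not from the thread) summarises the same noise over a few constructed auth.log lines: failed attempts per source IP, and a check that no password login ever succeeded, which is what disabling password authentication should guarantee. The host name, IPs and timestamps are made up.

```shell
#!/bin/sh
# Summarise sshd login noise in an auth.log-style file. The log lines below are
# constructed for this example (Debian/Ubuntu syslog format), not real data.

make_sample_log() {  # $1 = path to write the constructed sample log to
  cat > "$1" <<'EOF'
Jun  3 10:01:12 desk sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jun  3 10:02:40 desk sshd[2314]: Failed password for root from 203.0.113.5 port 51130 ssh2
Jun  3 10:04:05 desk sshd[2320]: Failed password for invalid user test from 198.51.100.7 port 40011 ssh2
Jun  3 10:05:51 desk sshd[2325]: Accepted publickey for neville from 192.168.1.20 port 50212 ssh2
Jun  3 10:06:13 desk sshd[2330]: Failed password for invalid user oracle from 203.0.113.5 port 51201 ssh2
EOF
}

# Count "Failed password" lines per source IP, most active first ("count ip").
failed_by_ip() {  # $1 = log file
  grep 'sshd\[[0-9]*\]: Failed password' "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") ips[$(i+1)]++ }
           END { for (ip in ips) print ips[ip], ip }' \
    | sort -rn
}

# Successful password logins; must stay 0 once PasswordAuthentication is off.
accepted_password_count() {  # $1 = log file
  grep -c 'sshd\[[0-9]*\]: Accepted password' "$1"
}

# IPs at or above $2 failures: the candidates a tool like fail2ban would jail.
over_threshold() {  # $1 = log file, $2 = failure threshold
  failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

LOG="${TMPDIR:-/tmp}/auth-sample.$$"
make_sample_log "$LOG"
echo "Failed attempts per IP:"; failed_by_ip "$LOG"
echo "IPs at or above 3 failures:"; over_threshold "$LOG" 3
echo "Successful password logins: $(accepted_password_count "$LOG")"
rm -f "$LOG"
```

Run it against the real file with `failed_by_ip /var/log/auth.log` to get the per-IP view that `tail -f` does not give.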

That’s why fail2ban was invented :slight_smile:
I protect my VPS as well as my home server with fail2ban against hammering.

I see the attackers quickly find an open ssh port, even if it’s not the standard 22 but something else. They also like to hammer postfix…

It’s awesome, how fail2ban builds a fence against those knocking on the door :smiley:

However, this is out of scope for a typical home user with one PC. :wink:

3 Likes

I looked at my auth.log file. It contains only local stuff.
I do have Open ssh, because I use ssh on my local network between 2 machines.
Can I restrict ssh to only working on the local net? There is no connection between the local net and the modem, except thru one computer which has dual ethernet ports.

the big risk is malware coming in via an email attachment.

I think it is important to keep reminding everyone about that.
Thank you
Neville

3 Likes

There are more ways to accomplish that, already summarized here:

It’s just a way to download it. If you are cautious, and don’t start, say, Java programs from an unknown source, you can be safe. TB, Evolution won’t execute anything on their own.
I consider having browser extensions and allowing them auto-update is a bigger risk. Bad guys hijacking a browser-extension, and turning it into a malware is a bigger risk, I think.

4 Likes

Thanks ,
I think I will set ListenAddress in the SSH config

3 Likes

I’m not sure how to restrict ssh to the local network but maybe that’s the default setting. To enable my desktop as a server I had to give it a fixed IP address (in the router) and also enable port forwarding (also in the router) in order that connection requests get sent to the server and not to, say, my phone.

3 Likes

It is surely not. Without any special actions, sshd is open to the world.

Correct! Additionally you could register at a free ddns provider, configure ddclient on your server appropriately, and you are ready to reach your home server from outside using a memorable domainname. :wink:
(Or you can use your router’s built-in DDNS settings, but those aren’t so flexible; only a limited number of DDNS providers are accessible)

3 Likes
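The ListenAddress idea a few posts up, together with the point that a stock sshd listens on every interface, can be checked rather than assumed. This added example (not from the thread) audits an sshd_config for the three settings discussed here: listen only on the LAN address, no password logins, no root logins. Both configs are constructed, the LAN address 192.168.1.10 is an assumption, and Match blocks are not handled.

```shell
#!/bin/sh
# Audit sshd_config for the thread's hardening settings. Sample configs are
# constructed here; 192.168.1.10 is an assumed LAN address, not from the thread.

# Effective value of a keyword: sshd uses the first non-comment occurrence,
# keywords are case-insensitive; $3 is the value assumed when it is absent.
sshd_opt() {  # $1 = config file, $2 = keyword, $3 = default
  v=$(awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { print $2; exit }' "$1")
  printf '%s\n' "${v:-$3}"
}

# Print one line per weak setting; return 0 only when nothing is found.
audit_sshd_config() {  # $1 = config file
  rc=0
  if [ "$(sshd_opt "$1" PasswordAuthentication yes)" != "no" ]; then
    echo "PasswordAuthentication should be no (key-only logins)"; rc=1
  fi
  if [ "$(sshd_opt "$1" PermitRootLogin prohibit-password)" != "no" ]; then
    echo "PermitRootLogin should be no"; rc=1
  fi
  case "$(sshd_opt "$1" ListenAddress 0.0.0.0)" in  # RFC 1918 ranges only
    192.168.*|10.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
    *) echo "ListenAddress should be the LAN address, not all interfaces"; rc=1 ;;
  esac
  return $rc
}

write_samples() {  # $1 = stock-style config, $2 = hardened config
  cat > "$1" <<'EOF'
# stock style: everything commented out, so the defaults apply
#ListenAddress 0.0.0.0
#PasswordAuthentication yes
#PermitRootLogin prohibit-password
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
  cat > "$2" <<'EOF'
ListenAddress 192.168.1.10
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
EOF
}

W="${TMPDIR:-/tmp}/sshd-stock.$$"; H="${TMPDIR:-/tmp}/sshd-hard.$$"
write_samples "$W" "$H"
echo "stock config:";    audit_sshd_config "$W" || echo "-> FAIL"
echo "hardened config:"; audit_sshd_config "$H" && echo "-> OK"
rm -f "$W" "$H"
```

On a real box run `audit_sshd_config /etc/ssh/sshd_config`, and after editing always validate with `sshd -t` before restarting the service.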

I see spurts and waves of attempted hits on my kit…

I access my RPi4 from the intertubes (had DDNS setup via NoIP )

Not on port 22
Runs fail2ban
root login over SSH is disabled

Anyway - sometimes it will go months without logging (/var/log/fail2ban.log) any hits or “jailing” IP addresses - sometimes they come in floods… Nearly EVERY time I “whois” their IP addresses or CIDRs - they’re CHINESE owned IP addresses / subnets…

3 Likes

Hi Neville, :wave:

I´m glad you find it worthwhile giving it a try.
For (slightly) paranoid people like me it certainly adds to one´s ease of mind :blush: .

Many greetings
Rosika :slightly_smiling_face:

2 Likes

There is one distro (Solus) which takes a unique approach to this topic.
Solus is a user-only distro, i.e. it can not be set up as a server; it does not even have server daemons like ftpd or sshd in its repository.
It does have ftp and ssh, so you can ftp or ssh out of Solus, but not into it.
So if you want the ultimate in home user security, one approach is to use Solus. It makes it very difficult for you to do anything that may be insecure.
I am not sure if any other distro has that simple approach.

4 Likes