Archive Debian Forums - User contributions [en]

Debian First Aid Kit

2026-03-10T13:08:06Z

Donald: Categories

= Debian First Aid Kit =
'''All commands are verified on Debian 13.1 (Trixie) / 6.16.3+deb13-amd64 x64_64'''

Created : 2025-10-27 15:54:21

Last Updated : 2026-03-10 07:10:53 '''ID : 544000.4'''

== Table of Contents ==

# Issues
# Package Management Issues
# Disk & Filesystem Issues
# Performance Issues
# Service & Application Errors
# Permission & Access Issues
# Hardware IssuesSystem Freezes & Crashes
# Boot Problems
# Network
# Quick Diagnostic Commands
# Useful Aliases & Shortcuts
# Tips for Effective Troubleshooting

----

== 1. System Freezes & Crashes ==

=== Check System Logs ===
<code># View logs from previous boot (after freeze/crash)</code>
<code>journalctl -b -1</code>

<code># List all available boots</code>
<code>journalctl --list-boots</code>

<code># Show only kernel messages from previous boot</code>
<code>journalctl -b -1 -k</code>

<code># Show errors and critical messages only</code>
<code>journalctl -b -1 -p err</code>

<code># Save logs to file for analysis</code>
<code>journalctl -b -1 > ~/crash-log.txt</code>

=== Common Freeze Causes to Look For ===

* '''Kernel panics''': Search for "kernel panic" or "Oops"
* '''Out of Memory (OOM)''': Search for "Out of memory" or "oom-killer"
* '''Hardware errors''': Look for "MCE" (Machine Check Exception) or "hardware error"
* '''Driver issues''': Check for module/driver failures
* '''Overheating''': Check system temperatures

=== Check System Resources ===
<code># View memory usage</code>
<code>free -h</code>

<code># Check disk space</code>
<code>df -h</code>

<code># Monitor system resources in real-time</code>
<code>htop</code>
<code># or</code>
<code>top</code>
(I prefer btop for better presentation)
You would need to install it. sudo apt install btop

<code># Check for disk errors</code>
<code>sudo dmesg | grep -i error</code>
<code>These are permanent errors due to incomplete/buggy ACPI tables in the BIOS, but they are harmless :</code>
<code>0.686554] ACPI Error: No handler for Region [ECRM] (00000000201accc4) [EmbeddedControl] (20250404/evregion-131)</code>
<code>0.686577] ACPI Error: Region EmbeddedControl (ID=3) has no handler (20250404/exfldio-261)</code>
<code>0.686594] ACPI Error: Aborting method \_SB.GPIO._EVT due to previous error (AE_NOT_EXIST) (20250404/psparse-529)</code>

== 2. Boot Problems ==

=== Check Boot Process ===
<code># View systemd boot analysis</code>
<code>systemd-analyze blame</code>

<code># See what failed during boot</code>
<code>systemctl --failed</code>

<code># Check specific service status</code>
<code>systemctl status <service-name> e.g NetworkManager.service</code>

=== Access Recovery Mode ===

# Reboot and hold <code>Shift</code> to access GRUB menu (depending on your grub timing settings)
# Select "Advanced options"
# Choose recovery mode
# Select "root" for root shell access

=== Common Boot Fixes ===
<code># Repair filesystem errors</code>
<code>Once you identify a device with lsblk</code>
<code>sudo fsck /dev/sdXN</code>

<code># Reinstall GRUB bootloader</code>
<code>sudo grub-install /dev/sdX</code>
<code>sudo update-grub</code>

<code># Check fstab for mount errors</code>
<code>cat /etc/fstab</code>

== 3. Network Issues ==

=== Diagnose Network Connection ===
<code># Check network interfaces</code>
<code>ip addr show</code>

<code># Test connectivity</code>
<code>ping -c 4 8.8.8.8</code>
<code>or</code>
<code>ping -c 6 2a00:1450:4007:809::200e</code>

<code># Check DNS resolution</code>
<code>nslookup google.com</code>

<code># View routing table</code>
<code>ip route show</code>

<code># Check active connections</code>
<code>ss -tuln</code>

=== Restart Network Service ===
<code># For systems with NetworkManager</code>
<code>sudo systemctl restart NetworkManager</code>

<code># For systems with networking service</code>
<code>sudo systemctl restart networking</code>

<code># Bring interface down and up</code>
<code>sudo ip link set eth0 down</code>
<code>sudo ip link set eth0 up</code>

<code>If you need to prove to your server host something that is beyond your control, you can always get out the big guns with MTR.</code>

= <code>MTR (It’s Traceroute on Steroids)</code> =

== What is MTR? ==
MTR combines the functionality of <code>ping</code> and <code>traceroute</code> into a single real-time network diagnostic tool. It continuously monitors the path between your system and a destination, providing detailed statistics about latency and packet loss at each hop.

== Installation ==
<code>sudo apt install mtr</code>

== Basic Usage ==
<code># Basic MTR (interactive mode)</code>
<code>mtr google.com</code>

<code># Report mode (run 10 cycles and exit)</code>
<code>mtr --report google.com</code>

<code># Specify number of pings</code>
<code>mtr --report-cycles 50 google.com</code>

<code># Use TCP instead of ICMP</code>
<code>mtr --tcp google.com</code>

<code># Use UDP</code>
<code>mtr --udp google.com</code>

<code># No DNS resolution (faster, shows IPs only)</code>
<code>mtr --no-dns google.com</code>

<code># Show both hostnames and IPs</code>
<code>mtr --show-ips google.com</code>

== Understanding MTR Output ==

=== Sample Output ===
<code>HOST: hostname Loss% Snt Last Avg Best Wrst StDev</code>
<code>1.|-- 192.168.1.1 0.0% 10 1.2 1.5 1.0 2.3 0.4</code>
<code>2.|-- 10.0.0.1 0.0% 10 8.5 9.2 7.8 12.1 1.3</code>
<code>3.|-- isp-gateway.net 0.0% 10 15.3 16.1 14.2 19.8 1.8</code>
<code>4.|-- ??? 100.0% 10 0.0 0.0 0.0 0.0 0.0</code>
<code>5.|-- google.com 0.0% 10 25.4 26.8 24.1 32.5 2.4</code>

=== Column Meanings ===

* '''HOST''': Hostname or IP address of each hop in the route
* '''Loss%''': Percentage of packets lost at this hop
* '''Snt''': Number of packets sent to this hop
* '''Last''': Latency of the most recent packet (milliseconds)
* '''Avg''': Average latency across all packets (milliseconds)
* '''Best''': Lowest latency recorded (milliseconds)
* '''Wrst''': Highest latency recorded (milliseconds)
* '''StDev''': Standard deviation - measures latency consistency (lower is better)

== Interpreting Results ==

=== Healthy Network ===

* '''Loss% = 0%''' on all hops
* '''Stable latency''' (low StDev values)
* '''Gradual latency increase''' as hop count increases
* '''Consistent response times'''

=== Problem Indicators ===

==== 1. High Packet Loss at Specific Hop ====
<code>5.|-- problem-router.net 25.0% 10 45.3 48.2 42.1 65.8 8.4</code>
'''Analysis:'''

* If loss continues to destination: Real problem at this router
* If loss only at this hop but NOT beyond: Router may be rate-limiting ICMP (false positive, not a real problem)

'''Rule of thumb:''' If packet loss appears at hop N but hops N+1, N+2, etc. show 0% loss, it's usually just ICMP rate limiting.

==== 2. High Latency at Specific Hop ====
<code>3.|-- slow-link.net 0.0% 10 150.3 155.2 148.1 165.8 5.4</code>
'''Indicates:'''

* Network bottleneck or congested link
* Geographical distance (intercontinental hops)
* Slow routing equipment

==== 3. No Response (???) ====
<code>4.|-- ??? 100.0% 10 0.0 0.0 0.0 0.0 0.0</code>
'''Possible causes:'''

* Router configured to not respond to ICMP/traceroute packets
* Firewall blocking diagnostic packets
* '''Not necessarily a problem''' if later hops respond normally

==== 4. High Jitter (StDev) ====
<code>6.|-- unstable.net 0.0% 10 35.3 52.8 28.1 95.2 24.7</code>
'''Indicates:'''

* Inconsistent latency (high StDev of 24.7ms)
* Network congestion or instability
* Poor for real-time applications (VoIP, gaming, video calls)

==== 5. Sudden Latency Spike ====
<code>1.|-- 192.168.1.1 0.0% 10 1.2 1.5 1.0 2.3 0.4</code>
<code>2.|-- 10.0.0.1 0.0% 10 8.5 9.2 7.8 12.1 1.3</code>
<code>3.|-- problematic-hop.net 0.0% 10 180.5 185.2 178.1 195.8 6.4</code>
<code>4.|-- next-hop.net 0.0% 10 182.3 187.8 180.5 198.2 6.8</code>
'''Problem identified:''' Hop 3 introduces ~170ms of latency (jump from 9ms to 180ms)

== Advanced Usage ==

=== Report Mode with Different Output Formats ===
<code># CSV format for logging and analysis</code>
<code>mtr --report --csv google.com > network-report.csv</code>

<code># JSON output for parsing</code>
<code>mtr --report --json google.com</code>

<code># XML format</code>
<code>mtr --report --xml google.com</code>

<code># Wide report (no abbreviations)</code>
<code>mtr --report-wide google.com</code>

=== Protocol Selection ===
<code># Use ICMP (default, requires no special permissions)</code>
<code>mtr google.com</code>

<code># Use UDP (alternative to ICMP)</code>
<code>mtr --udp google.com</code>

<code># Use TCP (useful for firewall testing)</code>
<code>mtr --tcp google.com</code>

<code># Test specific TCP port</code>
<code>sudo mtr --tcp --port 443 google.com</code>
<code>sudo mtr --tcp --port 22 remote-server.com</code>

=== Timing and Duration ===
<code># Specify interval between pings (default 1 second)</code>
<code>mtr --interval 0.5 google.com</code>

<code># Extended test with 100 cycles</code>
<code>mtr --report-cycles 100 google.com</code>

<code># Continuous monitoring (Ctrl+C to stop)</code>
<code>mtr google.com</code>

<code># Quick 10-cycle report</code>
<code>mtr --report-cycles 10 google.com</code>

=== Advanced Options ===
<code># Show Autonomous System (AS) numbers</code>
<code>mtr --aslookup google.com</code>

<code># Set maximum number of hops</code>
<code>mtr --max-ttl 20 google.com</code>

<code># Set packet size</code>
<code>mtr --psize 1000 google.com</code>

<code># Show both IP and hostname</code>
<code>mtr --show-ips google.com</code>

<code># Specify source address (multiple network interfaces)</code>
<code>mtr --address 192.168.1.100 google.com</code>

<code># IPv4 only</code>
<code>mtr -4 google.com</code>

<code># IPv6 only</code>
<code>mtr -6 google.com</code>

== Interactive Mode Commands ==
When running MTR in interactive mode (just <code>mtr hostname</code>), use these keys:
{| class="wikitable"
!Key
!Function
|-
|'''h'''
|Display help
|-
|'''d'''
|Toggle display mode (cycle through different views)
|-
|'''n'''
|Toggle between hostnames and IP addresses
|-
|'''r'''
|Reset all statistics
|-
|'''p'''
|Pause/unpause the display
|-
|'''q'''
|Quit MTR
|-
|'''u'''
|Switch between ICMP, UDP, and TCP modes
|-
|'''y'''
|Switch between IPv4 and IPv6
|-
|'''o'''
|Toggle field display options
|-
|'''j'''
|Toggle latency display
|}

== Practical Troubleshooting Scenarios ==

=== Scenario 1: Diagnosing Slow Website ===
<code># Run extended test to get accurate statistics</code>
<code>mtr --report-cycles 100 --no-dns example.com</code>

<code># Look for:</code>
<code># - High average latency at specific hops</code>
<code># - Packet loss at destination</code>
<code># - High StDev values (jitter)</code>

=== Scenario 2: Testing if Firewall Blocks SSH ===
<code># Test SSH port (22) connectivity</code>
<code>sudo mtr --tcp --port 22 --report-cycles 50 remote-server.com</code>

<code># If last hop shows 100% loss but earlier hops are fine:</code>
<code># - Port 22 might be filtered</code>
<code># - Try standard ICMP test for comparison</code>

=== Scenario 3: ISP Performance Issues ===
<code># Test path to reliable external server</code>
<code>mtr --report-cycles 100 8.8.8.8</code>

<code># Compare with another DNS server</code>
<code>mtr --report-cycles 100 1.1.1.1</code>

<code># If issues appear in first 3-4 hops: likely ISP problem</code>
<code># If issues appear later: problem is beyond your ISP</code>

=== Scenario 4: VPN Troubleshooting ===
<code># Test before connecting to VPN</code>
<code>mtr --report-cycles 50 --no-dns google.com > before-vpn.txt</code>

<code># Test after connecting to VPN</code>
<code>mtr --report-cycles 50 --no-dns google.com > after-vpn.txt</code>

<code># Compare the two files to see VPN impact</code>
<code>diff before-vpn.txt after-vpn.txt</code>

=== Scenario 5: Gaming/Streaming Performance ===
<code># Test for jitter (important for real-time applications)</code>
<code>mtr --report-cycles 200 game-server.com</code>

<code># Look for:</code>
<code># - Low average latency (< 50ms for gaming)</code>
<code># - Low StDev (< 5ms preferred)</code>
<code># - Zero packet loss</code>

=== Scenario 6: Intermittent Connectivity ===
<code># Long-running test to catch intermittent issues</code>
<code>mtr --report-cycles 500 --interval 1 target.com > long-test.txt</code>

<code># Monitor in real-time for several minutes</code>
<code>mtr target.com</code>
<code># Watch for sudden spikes in Loss% or latency</code>

== Continuous Monitoring ==

=== Log Network Performance Over Time ===
<code># Create timestamped reports every hour</code>
<code>while true; do</code>
<code>timestamp=$(date +%Y%m%d-%H%M%S)</code>
<code>mtr --report --report-cycles 50 google.com > "mtr-$timestamp.txt"</code>
<code>sleep 3600</code>
<code>done</code>

=== Monitor Multiple Destinations ===
<code># Create a simple monitoring script</code>
<code>#!/bin/bash</code>
<code>echo "=== MTR Report $(date) ===" > daily-network-report.txt</code>
<code>echo "" >> daily-network-report.txt</code>

<code>echo "Google DNS:" >> daily-network-report.txt</code>
<code>mtr --report --report-cycles 50 --no-dns 8.8.8.8 >> daily-network-report.txt</code>
<code>echo "" >> daily-network-report.txt</code>

<code>echo "Cloudflare DNS:" >> daily-network-report.txt</code>
<code>mtr --report --report-cycles 50 --no-dns 1.1.1.1 >> daily-network-report.txt</code>
<code>echo "" >> daily-network-report.txt</code>

<code>echo "Your Server:" >> daily-network-report.txt</code>
<code>mtr --report --report-cycles 50 your-server.com >> daily-network-report.txt</code>

== Useful Aliases for .bashrc ==
<code># Quick network path analysis</code>
<code>alias mtrreport='mtr --report --report-cycles 50 --no-dns'</code>

<code># Monitor connection to Google DNS</code>
<code>alias netcheck='mtr --report-cycles 20 8.8.8.8'</code>

<code># Extended network test</code>
<code>alias mtrlong='mtr --report-cycles 100'</code>

<code># TCP port 443 test (HTTPS)</code>
<code>alias mtrhttps='sudo mtr --tcp --port 443 --report-cycles 30'</code>

<code># Quick comparison of major DNS providers</code>
<code>alias dnstest='echo "Google:" && mtr --report-cycles 20 8.8.8.8 && echo -e "\nCloudflare:" && mtr --report-cycles 20 1.1.1.1'</code>
After adding to <code>~/.bashrc</code>:
<code>source ~/.bashrc</code>

== Troubleshooting Tips ==

=== 1. Permission Issues ===
If you get permission errors with TCP mode:
<code># Use sudo for TCP on privileged ports</code>
<code>sudo mtr --tcp --port 443 example.com</code>

<code># Or set capabilities (one-time setup)</code>
<code>sudo setcap cap_net_raw+ep /usr/bin/mtr-packet</code>

=== 2. False Positives ===
'''Common false positive:''' Packet loss at intermediate hops but NOT at the destination.

Example:
<code>3.|-- router.isp.net 20.0% 50 15.3 16.1 14.2 19.8 1.8</code>
<code>4.|-- next-hop.net 0.0% 50 18.5 19.2 17.8 22.1 1.3</code>
<code>5.|-- destination.com 0.0% 50 25.4 26.8 24.1 32.5 2.4</code>
'''This is OK!''' Hop 3 shows 20% loss, but hops 4 and 5 show 0% loss. The router at hop 3 is rate-limiting ICMP responses, but actual traffic flows normally.

=== 3. DNS Resolution Delays ===
If MTR seems slow to start:
<code># Skip DNS resolution for faster results</code>
<code>mtr --no-dns target.com</code>

<code># Resolve names afterward if needed</code>
<code>host 203.0.113.1</code>

=== 4. Comparing Results ===
<code># Run multiple tests and compare</code>
<code>mtr --report --report-cycles 50 example.com > test1.txt</code>
<code>sleep 60</code>
<code>mtr --report --report-cycles 50 example.com > test2.txt</code>
<code>diff test1.txt test2.txt</code>

== When to Use MTR vs Other Tools ==
{| class="wikitable"
!Tool
!Best For
!Limitations
|-
|'''MTR'''
|Continuous monitoring, identifying problem hops, detailed statistics
|Requires installation
|-
|'''ping'''
|Quick connectivity test, simple latency check
|Only tests endpoint
|-
|'''traceroute'''
|One-time path discovery
|No continuous monitoring
|-
|'''ss/netstat'''
|Local connection status
|Doesn't test remote paths
|}

== Best Practices ==

# '''Run enough cycles''': Use at least 50-100 cycles for accurate statistics
# '''Use --no-dns''': Faster and avoids DNS resolution issues during testing
# '''Check multiple times''': Network conditions vary; test at different times
# '''Compare protocols''': Try ICMP, UDP, and TCP if one shows issues
# '''Document findings''': Save reports with timestamps for trend analysis
# '''Test known-good hosts''': Use 8.8.8.8 or 1.1.1.1 to verify your network first
# '''Be patient''': Let MTR run for at least 30-60 seconds before drawing conclusions

== Reading Between the Lines ==

=== Good Network Health Example ===
<code>HOST: hostname Loss% Snt Last Avg Best Wrst StDev</code>
<code>1.|-- 192.168.1.1 0.0% 50 1.1 1.2 0.9 2.1 0.2</code>
<code>2.|-- 10.0.0.1 0.0% 50 8.2 8.5 7.5 10.2 0.5</code>
<code>3.|-- isp-gateway.net 0.0% 50 15.1 15.5 14.0 18.3 0.8</code>
<code>4.|-- google.com 0.0% 50 24.8 25.2 23.5 28.1 1.1</code>
✅ No packet loss, consistent latency, low jitter

=== Problem Network Example ===
<code>HOST: hostname Loss% Snt Last Avg Best Wrst StDev</code>
<code>1.|-- 192.168.1.1 0.0% 50 1.2 1.5 1.0 2.3 0.3</code>
<code>2.|-- 10.0.0.1 5.0% 50 45.3 52.8 8.1 245.2 45.7</code>
<code>3.|-- ??? 100.0% 50 0.0 0.0 0.0 0.0 0.0</code>
<code>4.|-- destination.com 15.0% 50 95.4 125.8 48.2 385.5 78.2</code>
❌ Packet loss at hop 2 and destination, high jitter, very high worst-case latency

== Summary ==
MTR is your Swiss Army knife for network diagnostics. Key takeaways:

* Use <code>--report-cycles 50+</code> for reliable data
* Watch for packet loss at the '''destination''' (intermediate losses may be false positives)
* High '''StDev''' indicates unstable connection
* High '''Avg''' latency shows slow links
* Use <code>--no-dns</code> for faster results
* Compare '''ICMP''', '''UDP''', and '''TCP''' modes if issues appear
* Test at different times of day for comprehensive analysis

== 4. Package Management Issues ==

=== Fix Broken Packages ===
<code># Update package lists</code>
<code>sudo apt update</code>

<code># Fix broken dependencies</code>
<code>sudo apt --fix-broken install</code>

<code># Reconfigure packages</code>
<code>sudo dpkg --configure -a</code>
<code>(if no output, there is nothing to do)</code>

<code># Clean package cache</code>
<code>sudo apt clean</code>
<code>sudo apt autoclean</code>

<code># Remove unused packages</code>
<code>sudo apt autoremove</code>

=== Handle Held or Locked Packages ===
<code># If apt is locked, find the process</code>
<code>sudo lsof /var/lib/dpkg/lock-frontend</code>

<code># Force remove lock (use carefully)</code>
<code>sudo rm /var/lib/dpkg/lock-frontend</code>
<code>sudo rm /var/lib/apt/lists/lock</code>

<code># Reconfigure dpkg</code>
<code>sudo dpkg --configure -a</code>

== 5. Disk & Filesystem Issues ==

=== Check Disk Health ===
<code># Check disk space</code>
<code>df -h</code>

<code># Check inode usage</code>
<code>df -i</code>

<code># View disk I/O statistics</code>
<code>iostat -x 1</code>
<code>(Make sure you have sysstat which includes useful performance monitoring tools other than iostat - disk I/O statistics</code>

* <code>mpstat</code> - CPU statistics

* <code>sar</code> - system activity reporter

* <code>pidstat</code> - process statistics

* <code>cifsiostat</code> - CIFS statistics

<code>''# Show stats in MB instead of KB'' iostat -xm 2</code>

<code>''# Monitor specific device'' iostat -x sda 1</code>
<code># Check for disk errors in dmesg</code>
<code>sudo dmesg | grep -i "error\|fail"</code>

<code># SMART disk health (if smartmontools installed)</code>
<code>sudo smartctl -a /dev/sda</code>

=== Repair Filesystem ===
<code># Unmount the partition first</code>
<code>sudo umount /dev/sdXN</code>

<code># Run filesystem check</code>
<code>sudo fsck /dev/sdXN</code>

<code># For ext4 specifically</code>
<code>sudo e2fsck -f /dev/sdXN</code>

== 6. Performance Issues ==

=== Identify Resource Hogs ===
<code># CPU usage by process</code>
<code>top -o %CPU</code>

<code># Memory usage by process</code>
<code>top -o %MEM</code>

<code># Disk usage by directory</code>
<code>du -sh /* | sort -h</code>

<code># Find large files</code>
<code>find / -type f -size +100M 2>/dev/null</code>

<code># Check running processes</code>
<code>ps aux --sort=-%mem | head -20</code>

=== System Temperature Monitoring ===
<code># Install sensors (if not installed)</code>
<code>sudo apt install lm-sensors</code>
<code>sudo sensors-detect</code>

<code># View temperatures</code>
<code>sensors</code>

<code># Real-time temperature monitoring</code>
<code>watch -n 2 sensors</code>
<code>''I have it as an alias in ~/.bashrc''</code>
<code>''Go to 11. Useful Aliases & Shortcuts''</code>

== 7. Service & Application Errors ==

=== Debug Service Problems ===
<code># Check service status</code>
<code>sudo systemctl status service-name</code>

<code># View service logs</code>
<code>sudo journalctl -u service-name</code>

<code># Restart a service</code>
<code>sudo systemctl restart service-name</code>

<code># Enable service at boot</code>
<code>sudo systemctl enable service-name</code>

<code># View recent service failures</code>
<code>journalctl -p err -b</code>

=== Application Crash Investigation ===
<code># Check for core dumps</code>
<code>ls -lh /var/crash/</code>

<code># View application-specific logs</code>
<code>ls /var/log/</code>

<code># Check syslog for application errors</code>
<code>sudo tail -f /var/log/syslog</code>

== 8. Permission & Access Issues ==

=== Fix Common Permission Problems ===
<code># Check file ownership</code>
<code>ls -l /path/to/file</code>

<code># Change ownership</code>
<code>sudo chown michael:michael /path/to/file</code>
user:group

<code># Change permissions</code>
<code>sudo chmod 644 /path/to/file</code>

<code># Recursively fix permissions</code>
<code>sudo chown -R user:group /path/to/directory</code>

=== User & Authentication Issues ===
<code># Check user information</code>
<code>id username</code>

<code># View user login history</code>
<code>last -a</code>

<code># Check failed login attempts</code>
<code>sudo journalctl | grep "authentication failure"</code>

<code># Reset user password</code>
<code>sudo passwd username</code>

== 9. Hardware Issues ==

=== Identify Hardware ===
<code># List all hardware</code>
<code>sudo lshw -short</code>
(May not be installed by default)
sudo apt install lshw

<code># PCI devices</code>
<code>lspci -v</code>

<code># USB devices</code>
<code>lspci -v</code>

<code># CPU information</code>
<code>lscpu</code>

<code># Memory information</code>
<code>sudo dmidecode --type memory</code>

=== Check Hardware Errors ===
<code># Kernel ring buffer (hardware messages)</code>
<code>dmesg | less</code>
<code>(If no output, good, no errors)</code>
<code>q to quit</code>

<code># Search for specific hardware issues</code>
<code>dmesg | grep -i "error\|fail\|warn"</code>

<code># Check for USB issues</code>
<code>dmesg | grep -i usb</code>

== 10. Quick Diagnostic Commands ==

=== System Information at a Glance ===
<code># Uptime and load average</code>
<code>uptime</code>

<code># Kernel version</code>
<code>uname -r</code>

<code># Debian version</code>
<code>cat /etc/debian_version</code>

<code># System summary</code>
<code>sudo inxi -Fxz</code>

=== Emergency Toolkit ===
<code># Create a diagnostic report</code>
<code>sudo journalctl -b > ~/system-report.txt</code>
<code>dmesg >> ~/system-report.txt</code>
<code>systemctl --failed >> ~/system-report.txt</code>
<code>df -h >> ~/system-report.txt</code>
<code>free -h >> ~/system-report.txt</code>

<code># Watch logs in real-time</code>
<code>sudo journalctl -f</code>

<code># Monitor system resources continuously</code>
<code>watch -n 1 'free -h && df -h'</code>

== 11. Useful Aliases & Shortcuts ==
Add these to your <code>~/.bashrc</code> for quick access to common troubleshooting commands:
<code># Monitor system temperatures in real-time</code>
<code>alias temps="watch -n 2 'for i in /sys/class/hwmon/hwmon*/; do echo -n \"\$(cat \${i}name): \"; cat \${i}temp*_input 2>/dev/null | while read temp; do echo \"scale=1; \$temp/1000\" | bc; done | tr \"\n\" \" \"; echo \"°C\"; done'"</code>
<code>''or run the watch command in the shell without the opening and closing double quotes.''</code>

<code># Quick system status</code>
<code>alias sysstat='echo "=== CPU ===" && uptime && echo -e "\n=== Memory ===" && free -h && echo -e "\n=== Disk ===" && df -h && echo -e "\n=== Top Processes ===" && ps aux --sort=-%mem | head -10'</code>
<code>(It’s a messy mayout, but I’m terrible with awk. Feel free to improve the layoput for me)</code>

<code># View last boot logs</code>
<code>alias lastboot='journalctl -b -1'</code>

<code># Check failed services</code>
<code>alias failedservices='systemctl --failed'</code>

<code># Monitor logs in real-time</code>
<code>alias watchlog='sudo journalctl -f'</code>

<code># Quick network status</code>
<code>alias netstat='ip addr show && echo -e "\n=== Routes ===" && ip route show'</code>
After adding these, run:
<code>source ~/.bashrc</code>
----

== Tips for Your Troubleshooting ==

# '''First check logs''': <code>journalctl</code> and <code>dmesg</code> are your best friends
# '''Work through the sections''': Change one thing at a time
# '''Document changes''': Keep notes on what you've tried
# '''Search for error messages''': Copy exact error messages into search engines or AI
# '''Check recent changes''': What you did before it happened? Install something, update packages, kernel?
# '''Make backups''': Before major changes, backup important data
# '''Use verbose mode''': Add <code>-v</code> or <code>-vv</code> flags to commands for more detail
# '''Check forums''': Debian forum, Reddit, Stack Exchange, and mailing lists

----'''Remember''': If in doubt, search for the specific error message along with "Debian" and the version number. e.g. Debian 13 or point release if needed, Debian 13,1

This work was contributed by distro-nix on Debian User Forums on 2025-10-27 23:38:22

I welcome comments, suggestions or resources : dev@divsmart.com .

[[index.php?title=Category:Troubleshooting]]
[[index.php?title=Category:Guides]]
[[Category:Administration]]
[[Category:Guides]]
[[Category:Full Paper]]

Fonts and Themes in Cinnamon Desktop

2026-03-10T13:07:38Z

Donald: Categories

== Fonts and Themes in Cinnamon Desktop ==

* Verified on Debian 13.1 (Trixie) / 6.12.43+deb13-amd64 x64_64
* Created : 28/10/2025 21:09:21
* Last Updated : 27/10/2025 23:42:45

A comprehensive reference for managing console fonts, GUI fonts, and theme customization in Debian with Cinnamon DE.


== Table of Contents ==

<ol style="list-style-type: decimal;">
<li><blockquote>[https://claude.ai/chat/6986fa74-5020-47a2-8736-f9eaf474bfc0#understanding-font-types Understanding Font Types]</blockquote></li>
<li><blockquote>[https://claude.ai/chat/6986fa74-5020-47a2-8736-f9eaf474bfc0#console-fonts-tty Console Fonts (TTY)]</blockquote></li>
<li><blockquote>[https://claude.ai/chat/6986fa74-5020-47a2-8736-f9eaf474bfc0#gui-fonts GUI Fonts]</blockquote></li>
<li><blockquote>[https://claude.ai/chat/6986fa74-5020-47a2-8736-f9eaf474bfc0#cinnamon-system-fonts Cinnamon System Fonts]</blockquote></li>
<li><blockquote>[https://claude.ai/chat/6986fa74-5020-47a2-8736-f9eaf474bfc0#theme-customization-with-css Theme Customization with CSS]</blockquote></li>
<li><blockquote>[https://claude.ai/chat/6986fa74-5020-47a2-8736-f9eaf474bfc0#accessibility-and-scaling Accessibility and Scaling]</blockquote></li>
<li><blockquote>[https://claude.ai/chat/6986fa74-5020-47a2-8736-f9eaf474bfc0#troubleshooting Troubleshooting]</blockquote></li></ol>


== Understanding Font Types ==

Linux uses different font systems depending on where text appears:


=== Console Fonts (TTY) ===

<ul>
<li><blockquote>'''Format''': PSF (PC Screen Font) - .psf or .psf.gz</blockquote></li>
<li><blockquote>'''Location''': /usr/share/consolefonts/</blockquote></li>
<li><blockquote>'''Used by''': Text-based virtual consoles (Ctrl+Alt+F2 through F6)</blockquote></li>
<li><blockquote>'''Loaded''': Before graphical system starts</blockquote></li>
<li><blockquote>'''Limitations''': No anti-aliasing, fixed character grid</blockquote></li></ul>


=== GUI Fonts ===

<ul>
<li><blockquote>'''Formats''': TrueType (.ttf), OpenType (.otf)</blockquote></li>
<li><blockquote>'''Location''': /usr/share/fonts/truetype/, /usr/share/fonts/opentype/</blockquote></li>
<li><blockquote>'''Used by''': All graphical applications</blockquote></li>
<li><blockquote>'''Features''': Anti-aliasing, scalability, subpixel rendering</blockquote></li></ul>


=== Why Two Systems? ===

The Linux console operates at a lower level than the graphical interface. It needs to display text even if the GUI fails to load, so it uses simpler font formats that don't require graphics libraries.


== Console Fonts (TTY) ==


=== Installing Console Fonts ===

Install Terminus (popular monospace console font):

sudo apt update

sudo apt install console-setup xfonts-terminus


=== Configuring Console Fonts ===


==== Method 1: Interactive Configuration ====

sudo dpkg-reconfigure console-setup

Follow the prompts:

<ol style="list-style-type: decimal;">
<li><blockquote>'''Encoding''': UTF-8</blockquote></li>
<li><blockquote>'''Character set''': Guess optimal character set</blockquote></li>
<li><blockquote>'''Font''': Terminus</blockquote></li>
<li><blockquote>'''Font size''': Choose from available sizes</blockquote></li></ol>

Available Terminus sizes: 8x14, 8x16, 10x20, 12x24, 14x28, 16x32

Recommendation: 16x32 for good readability


==== Method 2: Direct Configuration File Editing ====

Edit /etc/default/console-setup:

sudo nano /etc/default/console-setup

Add or modify these lines:

FONTFACE="Terminus"

FONTSIZE="16x32"

Other useful settings you might find:

CHARMAP="UTF-8"

CODESET="guess"


=== Applying Console Font Changes ===

The changes take effect on boot, but to apply immediately on all consoles:

sudo setupcon

'''Note''': This command only works when run from an actual TTY console, not from a terminal emulator in the GUI. If you get "not on the console" error, that's normal - the configuration is saved and will apply on next boot or when you switch to a TTY.


=== Testing Console Fonts ===

<ol style="list-style-type: decimal;">
<li><blockquote>Switch to virtual console: Ctrl + Alt + F2</blockquote></li>
<li><blockquote>Log in with your credentials</blockquote></li>
<li><blockquote>Check the font - you should see Terminus</blockquote></li>
<li><blockquote>Return to GUI: Ctrl + Alt + F1 or Ctrl + Alt + F7</blockquote></li></ol>


=== Viewing Available Console Fonts ===

List all available console fonts:

ls /usr/share/consolefonts/

Filter for Terminus fonts:

ls /usr/share/consolefonts/ | grep -i ter


=== Temporarily Testing Console Fonts ===

To test a font before making it permanent:

setfont /usr/share/consolefonts/Ter16x32n.psf.gz

'''Important''': setfont only works when run from a TTY console (Ctrl+Alt+F2), not from GUI terminals.

To check current console font (from TTY):

setfont -v


== GUI Fonts ==


=== Installing GUI Fonts ===


==== System-wide Installation ====

Install Terminus for graphical applications:

sudo apt install fonts-terminus

Install other popular fonts:

# Programming fonts

sudo apt install fonts-firacode fonts-hack fonts-jetbrains-mono

# General purpose fonts

sudo apt install fonts-liberation fonts-dejavu fonts-noto

# More options

sudo apt install fonts-ubuntu fonts-roboto

After installing, log out and back in, or rebuild font cache:

fc-cache -fv


==== User-only Installation ====

To install fonts just for your user account:

<ol style="list-style-type: decimal;">
<li><blockquote>Create fonts directory:</blockquote></li></ol>

mkdir -p ~/.local/share/fonts

<ol start="2" style="list-style-type: decimal;">
<li><blockquote>Copy font files (.ttf or .otf) to this directory:</blockquote></li></ol>

cp /path/to/your/font.ttf ~/.local/share/fonts/

<ol start="3" style="list-style-type: decimal;">
<li><blockquote>Rebuild font cache:</blockquote></li></ol>

fc-cache -fv


=== Font Locations ===

'''System-wide fonts''':

/usr/share/fonts/truetype/

/usr/share/fonts/opentype/

/usr/share/fonts/X11/

'''User-specific fonts''':

~/.local/share/fonts/


=== Listing Available Fonts ===

List all fonts available to GUI applications:

fc-list

Search for specific font:

fc-list | grep -i terminus

fc-list | grep -i dejavu

List fonts with details:

fc-list : family style file


=== Configuring Terminal Emulator Fonts ===


==== GNOME Terminal (default in Cinnamon) ====

<ol style="list-style-type: decimal;">
<li><blockquote>Open GNOME Terminal</blockquote></li>
<li><blockquote>Menu → Preferences</blockquote></li>
<li><blockquote>Select your profile</blockquote></li>
<li><blockquote>Go to '''Text''' tab</blockquote></li>
<li><blockquote>Uncheck "Use the system fixed-width font"</blockquote></li>
<li><blockquote>Click font button and select Terminus (or other font)</blockquote></li>
<li><blockquote>Choose size (12, 14, or 16 recommended)</blockquote></li></ol>


==== Guake (Drop-down Terminal) ====

Install GUI version of Terminus first:

sudo apt install fonts-terminus

guake --quit

guake &

Configure via GUI:

<ol style="list-style-type: decimal;">
<li><blockquote>Open Guake (F12)</blockquote></li>
<li><blockquote>Right-click → Preferences</blockquote></li>
<li><blockquote>Go to '''Appearance''' tab</blockquote></li>
<li><blockquote>Uncheck "Use the system fixed width font"</blockquote></li>
<li><blockquote>Select Terminus and size</blockquote></li></ol>

Configure via command line:

gsettings set org.guake.style.font use-system-font false

gsettings set org.guake.style.font font-name 'Terminus 12'


== Cinnamon System Fonts ==


=== Quick Font Configuration ===

Open '''System Settings''':

cinnamon-settings

Navigate to: '''Font Selection'''

You'll see these options:

<ul>
<li><blockquote>'''Default font''': Used for menus, buttons, dialogs (recommended: 10-12pt)</blockquote></li>
<li><blockquote>'''Desktop font''': Used for desktop icon labels (recommended: 10-11pt)</blockquote></li>
<li><blockquote>'''Document font''': Used in document viewers (recommended: 11pt)</blockquote></li>
<li><blockquote>'''Monospace font''': Used in terminals and code editors (recommended: Terminus 12pt)</blockquote></li>
<li><blockquote>'''Window title font''': Used in window title bars (recommended: 10-11pt bold)</blockquote></li></ul>


=== Recommended Configuration for Better Readability ===

Default font: Sans 11 or 12

Desktop font: Sans 10 or 11

Document font: Sans 11

Monospace font: Terminus 12 or 14

Window title font: Sans Bold 10 or 11


=== Using Command Line to Change Fonts ===

View current settings:

gsettings get org.cinnamon.desktop.interface font-name

gsettings get org.gnome.desktop.interface monospace-font-name

Change default font:

gsettings set org.cinnamon.desktop.interface font-name 'Sans 12'

Change monospace font:

gsettings set org.gnome.desktop.interface monospace-font-name 'Terminus 12'


=== Font Recommendations by Use Case ===

'''For general readability''':

<ul>
<li><blockquote>Default: DejaVu Sans 11-12</blockquote></li>
<li><blockquote>Monospace: Terminus 12 or DejaVu Sans Mono 11</blockquote></li></ul>

'''For programming''':

<ul>
<li><blockquote>Monospace: Fira Code 11, JetBrains Mono 11, or Hack 11</blockquote></li></ul>

'''For visually impaired users''':

<ul>
<li><blockquote>Default: Sans 13-14</blockquote></li>
<li><blockquote>Monospace: Terminus 14-16</blockquote></li>
<li><blockquote>Consider UI scaling (see Accessibility section)</blockquote></li></ul>


== Theme Customization with CSS ==

Cinnamon themes use CSS for styling. You can customize any theme to change fonts, colors, spacing, and more.


=== Finding Your Current Theme ===

Check which theme you're using:

gsettings get org.cinnamon.theme name

List available themes:

ls /usr/share/themes/

ls ~/.themes/

View your theme in System Settings: '''System Settings → Themes'''


=== Creating a Custom Theme Copy ===

Always work on a copy to avoid breaking your system:

# Copy system theme to your user directory

cp -r /usr/share/themes/YOUR-THEME-NAME ~/.themes/

# Example:

cp -r /usr/share/themes/Mint-Y ~/.themes/

cp -r /usr/share/themes/Green-Submarine ~/.themes/


=== Theme Structure ===

A typical Cinnamon theme:

~/.themes/YOUR-THEME-NAME/

├── cinnamon/

│ ├── cinnamon.css # Main styling file

│ ├── thumbnail.png

│ └── assets/ # Images, icons

├── gtk-3.0/ # GTK3 application styling

├── gtk-2.0/ # GTK2 application styling

├── metacity-1/ # Window decorations

└── index.theme # Theme metadata

The file you'll edit most: cinnamon/cinnamon.css


=== Editing Theme CSS ===

Open the CSS file:

nano ~/.themes/YOUR-THEME-NAME/cinnamon/cinnamon.css


==== Common CSS Selectors ====

/* Overall stage - affects most UI elements */

stage {

font-size: 10pt;

font-family: sans-serif;

}

/* Main menu */

.menu {

font-size: 10pt;

background-color: rgba(48, 48, 48, 0.95);

border-radius: 8px;

}

/* Menu application buttons */

.menu-application-button-label {

font-size: 9pt;

padding-left: 10px;

}

/* Panel (taskbar) */

.panel {

font-size: 9pt;

background-color: #2b2b2b;

height: 32px;

}

/* Panel applet labels */

.panel-button {

font-size: 9pt;

}

/* Notifications */

.notification {

font-size: 10pt;

}

/* Window list buttons */

.window-list-item-box {

font-size: 9pt;

}

/* Tooltips */

.tooltip {

font-size: 9pt;

}


=== Example: Increasing Menu Font Size ===

Find the menu section and modify:

.menu {

font-size: 14pt; /* Increase from default 9-10pt */

background-color: rgba(48, 48, 48, 0.95);

border-radius: 8px;

}

.menu-application-button-label {

font-size: 13pt; /* Increase menu item text */

padding-left: 10px;

}

/* Also increase category labels */

.menu-category-button-label {

font-size: 13pt;

}


=== Example: Changing Font Family ===

stage {

font-family: "DejaVu Sans", sans-serif;

font-size: 11pt;

}

/* Use monospace for specific elements */

.some-element {

font-family: "Terminus", "DejaVu Sans Mono", monospace;

}


=== Applying CSS Changes ===

After editing the CSS file:

<ol style="list-style-type: decimal;">
<li><blockquote>Save the file: Ctrl+O then Enter (in nano)</blockquote></li>
<li><blockquote>Exit: Ctrl+X (in nano)</blockquote></li>
<li><blockquote>Restart Cinnamon: Press Alt+F2, type r, press Enter</blockquote></li></ol>

Or reload from command line:

# Ensure theme is set

gsettings set org.cinnamon.theme name 'YOUR-THEME-NAME'

# Restart Cinnamon

cinnamon --replace &


=== CSS Tips and Tricks ===

'''Finding the right selector''': Use Cinnamon's Looking Glass debugger

<ol style="list-style-type: decimal;">
<li><blockquote>Press Alt+F2</blockquote></li>
<li><blockquote>Type lg and press Enter</blockquote></li>
<li><blockquote>Go to '''Picker''' tab</blockquote></li>
<li><blockquote>Click on UI elements to see their CSS classes</blockquote></li></ol>

'''Testing changes quickly''': Keep the CSS file open in one workspace, test in another, and use Alt+F2 → r to reload.

'''Backup before editing''':

cp ~/.themes/YOUR-THEME-NAME/cinnamon/cinnamon.css ~/.themes/YOUR-THEME-NAME/cinnamon/cinnamon.css.backup

'''Restore backup if needed''':

cp ~/.themes/YOUR-THEME-NAME/cinnamon/cinnamon.css.backup ~/.themes/YOUR-THEME-NAME/cinnamon/cinnamon.css


=== Common CSS Properties ===

/* Fonts */

font-family: "Font Name", fallback;

font-size: 10pt; /* or 12px, 1.2em */

font-weight: bold; /* or normal, 600 */

font-style: italic;

/* Colors */

color: #ffffff;

background-color: rgba(48, 48, 48, 0.95);

border-color: #444444;

/* Spacing */

padding: 10px;

margin: 5px;

padding-left: 10px;

/* Borders */

border: 1px solid #444444;

border-radius: 8px;

/* Sizing */

width: 300px;

height: 40px;

min-width: 200px;


== Accessibility and Scaling ==


=== UI Scaling (Recommended for Visual Impairment) ===


==== Via System Settings ====

'''System Settings → Display → UI Scale'''

Options typically: 100%, 125%, 150%, 200%

Start with 125% and adjust as needed.


==== Via Command Line ====

# Check current scaling

gsettings get org.cinnamon.desktop.interface scaling-factor

# Set scaling (1 = 100%, 2 = 200%)

gsettings set org.cinnamon.desktop.interface scaling-factor 2

'''Note''': Fractional scaling (1.25, 1.5) may not be available on all systems.


=== Text Scaling Only ===

If you don't want to scale everything, increase text size:

# Increase text scaling factor

gsettings set org.gnome.desktop.interface text-scaling-factor 1.25

Values: 1.0 = 100%, 1.25 = 125%, 1.5 = 150%


=== High Contrast Themes ===

'''System Settings → Themes'''

Look for high-contrast themes:

<ul>
<li><blockquote>HighContrast (if available)</blockquote></li>
<li><blockquote>HighContrastInverse</blockquote></li></ul>

Or install:

sudo apt install gnome-themes-extra


=== Large Cursor ===

'''System Settings → Mouse and Touchpad → Cursor'''

Select a larger cursor size (32px or 48px).

Or via command line:

gsettings set org.cinnamon.desktop.interface cursor-size 32


=== Desktop Zoom (Magnifier) ===

'''System Settings → Accessibility → Zoom'''

Enable desktop magnification. Typical shortcut: Alt + Super + 8


=== Font Smoothing ===

Ensure font smoothing is enabled for better readability:

gsettings set org.cinnamon.settings-daemon.plugins.xsettings antialiasing 'rgba'

gsettings set org.cinnamon.settings-daemon.plugins.xsettings hinting 'slight'

Options for antialiasing: none, grayscale, rgba Options for hinting: none, slight, medium, full

Recommended: rgba with slight hinting


== Troubleshooting ==


=== Console Font Issues ===

'''Problem''': setupcon says "not on the console"

'''Solution''': This is normal when running from GUI. The configuration is saved. Test by switching to TTY with Ctrl+Alt+F2.

'''Problem''': Font changes don't persist after reboot

'''Solution''': Verify /etc/default/console-setup has correct settings. Run sudo dpkg-reconfigure console-setup again.

'''Problem''': setfont gives "couldn't get file descriptor" error

'''Solution''': setfont only works from actual TTY console, not GUI terminal emulators.


=== GUI Font Issues ===

'''Problem''': Installed font doesn't appear in applications

'''Solution''':

# Rebuild font cache

fc-cache -fv

# Log out and back in

# Or restart the application

'''Problem''': Font looks pixelated or ugly

'''Solution''': Check antialiasing settings:

gsettings set org.cinnamon.settings-daemon.plugins.xsettings antialiasing 'rgba'

'''Problem''': Terminus not showing in Guake

'''Solution''': Install the TrueType version:

sudo apt install fonts-terminus

guake --quit

guake &


=== Theme CSS Issues ===

'''Problem''': CSS changes don't take effect

'''Solution''':

<ol style="list-style-type: decimal;">
<li><blockquote>Save the CSS file</blockquote></li>
<li><blockquote>Restart Cinnamon: Alt+F2 → r</blockquote></li>
<li><blockquote>Verify you're editing the active theme's CSS</blockquote></li>
<li><blockquote>Check for CSS syntax errors</blockquote></li></ol>

'''Problem''': Cinnamon crashes after CSS edit

'''Solution''': Boot to TTY (Ctrl+Alt+F2), restore backup:

cp ~/.themes/YOUR-THEME/cinnamon/cinnamon.css.backup ~/.themes/YOUR-THEME/cinnamon/cinnamon.css

Then switch back to GUI and restart Cinnamon.

'''Problem''': Can't find the right CSS selector

'''Solution''': Use Looking Glass:

<ol style="list-style-type: decimal;">
<li><blockquote>Alt+F2 → type lg → Enter</blockquote></li>
<li><blockquote>Go to Picker tab</blockquote></li>
<li><blockquote>Click UI element to see its classes</blockquote></li></ol>


=== Scaling Issues ===

'''Problem''': UI scaling makes everything blurry

'''Solution''': Some applications don't handle scaling well. Try:

<ul>
<li><blockquote>Integer scaling only (100%, 200%) instead of fractional</blockquote></li>
<li><blockquote>Increase font sizes instead of UI scaling</blockquote></li>
<li><blockquote>Update graphics drivers</blockquote></li></ul>

'''Problem''': Some applications ignore scaling

'''Solution''': Set scaling per-application (for X11 apps):

GDK_SCALE=2 application-name


== Quick Reference Commands ==


=== Console Fonts ===

# Configure interactively

sudo dpkg-reconfigure console-setup

# Apply changes

sudo setupcon

# List console fonts

ls /usr/share/consolefonts/

# Test font (from TTY only)

setfont /usr/share/consolefonts/Ter16x32n.psf.gz


=== GUI Fonts ===

# Install fonts

sudo apt install fonts-terminus fonts-firacode

# Rebuild font cache

fc-cache -fv

# List all fonts

fc-list

# Search for specific font

fc-list | grep -i terminus


=== Cinnamon Settings ===

# Open settings

cinnamon-settings

# Check current theme

gsettings get org.cinnamon.theme name

# Set theme

gsettings set org.cinnamon.theme name 'YOUR-THEME'

# UI scaling

gsettings set org.cinnamon.desktop.interface scaling-factor 2

# Restart Cinnamon

Alt+F2 → r


=== Theme Editing ===

# Copy theme

cp -r /usr/share/themes/THEME-NAME ~/.themes/

# Edit CSS

nano ~/.themes/THEME-NAME/cinnamon/cinnamon.css

# Backup CSS

cp ~/.themes/THEME-NAME/cinnamon/cinnamon.css{,.backup}

# Restore backup

cp ~/.themes/THEME-NAME/cinnamon/cinnamon.css{.backup,}


== Additional Resources ==

'''Official Cinnamon Documentation''': https://cinnamon-spices.linuxmint.com/

'''Cinnamon GitHub''': https://github.com/linuxmint/cinnamon

'''Theme Development Guide''': Available in Cinnamon documentation

'''Font Configuration''': man fonts-conf or man fc-cache

'''Console Setup''': man console-setup or man setupcon

'''Last Updated''': October 2025 
'''Compatible with''': Debian 13, Linux Mint 21+, any distribution using Cinnamon DE

=== Credits & Comments ===
As usual I welcome any comments, suggestions or resources : dev@divsmart.com or distro-nix on Debian Forum.
[[Category:Fonts]]
[[Category:Themes]]
[[Category:Desktop]]
[[Category:Full Paper]]

Security Hardening for Debian Users: Protecting Against Targeted Attacks

2026-03-10T13:06:46Z

Donald: Categories

== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==

==== Cybersecurity Measures Against Targeted Attacks ====

* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.

==== Description of the Threat ====
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.

Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.

They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.

Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.

There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.

The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.

Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.

==== Countermeasures ====

''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''

Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.

At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.

Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.

Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.

Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.

However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.

The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.

At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote>

Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.

Apply the most secure configurations available, especially if you store sensitive personal or professional information.

Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.

This article is written both as a security recommendation and as a request for advice on improving system configuration.

If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.

==== Practical Instructions ====

===== Linux system hardening recommendations: =====

====== Main Aspects of System Hardening ======

1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.

2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to use long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote>

3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.

4. Avoid using the superuser account or ''sudo'' without a clear necessity — and never execute arbitrary scripts with ''sudo''. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:
* Always read a script fully before running it (less script.sh, cat script.sh).
* Never paste commands from untrusted or unverified sources into the terminal.
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of ''sudo'' and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote>

5. Follow a server-style access model

Do not add regular users to the ''sudo'' group. The ''sudo'' privilege should be reserved exclusively for the superuser (root). Regular users '''should not''' have the ability to execute commands as root via ''sudo''.

Yes, this can introduce some inconvenience in system administration, but this model provides a more secure configuration and reduces the risk of accidental or intentional security breaches.<blockquote>'''Note:''' system users created by the kernel or services (e.g., ''www-data'', ''postgres,'' ''nobody'') '''do not have sudo access by default'''. Programs installed using ''sudo'' by the root user '''do not automatically grant sudo privileges to users created by those programs'''. Any virtual or service accounts remain unable to run commands with ''sudo'' unless explicitly added to the sudo-enabled group.</blockquote>

6. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. If you have difficulty configuring AppArmor, seek help from specialists or use AI-based tools.

The use of mandatory access control mechanisms represents an important layer of system protection. Without proper configuration, even a system with a correctly configured firewall may remain vulnerable to various types of attacks.<blockquote>'''Warning:''' AppArmor, SELinux and other Mandatory Access Control (MAC) mechanisms may cause system malfunction if misconfigured. Errors in profiles or policies can result in service failures, boot issues, user session lockout, or restricted access to system resources. In some cases, system recovery may be difficult even when using recovery mode, a chroot environment, or booting from a Live/Rescue medium.
</blockquote>

It is recommended to perform testing and development of complex and/or custom policies and profiles in an isolated environment (for example, in a virtual machine). It is advisable to retain change logs and terminal output for subsequent analysis.

Configuration changes should be applied to the host system '''only after confirming correct and stable operation in the test environment.'''

7. Use advanced network filtering settings: iptables or nftables, or a commercial firewall.
My nftables config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].

8. Configure kernel parameters for maximum security (sysctl hardening).
My 99-protect.conf config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].

9. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event).
My auditd config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].

10. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.

11 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.

12. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.
* If you are certain you will never use it, remove it completely from the system.
* This practice reduces potential attack vectors and strengthens overall system security.
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications.
* Always create a full system backup before making any significant configuration changes or modifications.

13. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.

14. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:

<syntaxhighlight lang="bash">
bash

PermitRootLogin no
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement
</syntaxhighlight>

Why it matters:

* Allows you to quickly understand when and why a change was made.
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.
* Simplifies system audits and security reviews.

====== Related Aspects of Internet Security ======

There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.

1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:

* relying on human memory, with the risk of forgetting or confusing credentials;
* storing passwords on paper media, which can be damaged, lost, or stolen;
* saving passwords in web browsers in unencrypted form;
* keeping passwords in plain text files on the desktop or in other directories without encryption;
* and similar approaches.
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.

A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.

Regularly create up-to-date backups of the ''encrypted'' password database.

Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.

Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.

In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.

It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote>

2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey].

The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number.

For now, it is one of the most reliable hardware-based options for two-factor authentication.

3. Using VPN to improve privacy and security

* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.

Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.

* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.

4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.

<blockquote>'''Note:''' Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.</blockquote>

In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.

5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.

6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.

It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.

Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.

Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.

Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.

7. Hardware Firewall

If you handle confidential information on your computer and are in a high-risk zone for cyberattacks, consider using an additional layer of protection such as a '''hardware firewall'''.

Important note on cost: In addition to the one-time cost of the device (starting from approximately $55), an annual paid subscription is required for threat intelligence updates. Therefore, this solution is economically justified primarily in two cases:

* You work with critically important information whose leakage is unacceptable (e.g., trade secrets, client personal data, unique developments, or if your professional activities involve sensitive data in fields such as law enforcement, military, legal practice, journalism, healthcare, and so on).
* You have well-founded suspicions that you or your organization could be the target of a directed attack.

Attackers often rely on direct interaction with your devices. The presence of a dedicated, subscription-updated hardware firewall creates a significant obstacle for them. It acts as an independent filter, analyzing all incoming and outgoing traffic before it reaches your end devices. This substantially increases the cost and complexity of an attack for the malicious actor, reducing its effectiveness.

However, this should not be viewed as a panacea. '''It is an additional, not the sole, layer of defense.''' Its presence does not negate the necessity of:

* Configuring the basic security of your router.
* Using a software firewall and antivirus on your PC.
* Timely updating your operating system and applications.
* Practicing good cyber hygiene (e.g., using a password manager, being cautious of phishing).

A hardware firewall should be seamlessly integrated into your overall security architecture, forming a '''multi-layered (defense-in-depth) protection system.''' It is precisely such a system, where breaching one barrier does not lead to the compromise of the entire network, that poses the most serious challenge for attackers.

<blockquote>'''Note:''' Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.</blockquote>

8. It is also important to consider the possibility of hardware-level attacks.
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.

If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.

'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''

===== Examples of Deep Custom Security Configurations =====

Below are examples of strong, individualized configurations for '''nftables''', '''sysctl''' and '''auditd'''.

These are not universal templates, but references illustrating advanced system hardening.

[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]

==== UsefulPrograms ====

Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion).

[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]

==== Additional articles on the author's site: ====

<blockquote>'''Note:''' The following materials are provided for '''awareness, defensive, and educational purposes only'''. They are intended to help users recognize threats and build their own security. All personal data and identifiers have been anonymized.</blockquote>

[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/targeted-attack-analysis.html| Author's analysis of targeted attacks] - The author provides an analysis of complex targeted attack that was used against him, including social‑engineering and psychological components, as well as cyber attack vectors and defensive measures.

[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/information-and-behavioral-hygiene-for-working-with-a-pc.html| Information and Behavioral Hygiene for Working with a PC] - This is an extensive popular-science essay dedicated to comprehensive digital hygiene. Drawing on years of personal (and often bitter) experience in working with PCs, observing user behavior, working in the security sector, as well as experience in countering scammers and manipulators online, the author formulates a system of practical principles for conscious, safe, and productive work with a PC and on the Internet.

[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/psychological-suppression-by-security-forces.html| Psychological Suppression via the Disbelief Effect] — The Disbelief Effect is a subtle, systemic tactic aimed at depriving a person of support, discrediting their testimony, and thereby weakening their ability to resist. When doubt, ridicule, and neglect become the social norm surrounding a particular individual, it functions as a form of psychological weapon: isolation, humiliation, loss of control over one’s own reality. This article provides a detailed analysis of the nature of the Disbelief Effect, its mechanisms, consequences, and practical recommendations: what must never be done and what can effectively be done under such pressure.

==== External Resources ====

[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html| Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.]
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team.

[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c| The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy]
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations.

[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/| iptables, nftables, and You A Friendly Guide to Traffic Rules]
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples.

[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor]
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system.

[https://nallino.net/stockage/security/Linux_Mint_Security.pdf| Security, Privacy and Anonymity in Linux Mint — Michel Nallino.]
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions.

[https://www.cisa.gov/topics/cybersecurity-best-practices| CISA — Cybersecurity Best Practices]
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.

==== Provenance ====

This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131

it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks
[[Category:Security]]
[[Category:Administration]]
[[Category:Guides]]
[[Category:Full Paper]]

MTR Network Diagnostics

2026-03-10T13:05:51Z

Donald: Categories

= MTR: Network Path Diagnostics =

MTR combines the functionality of ping and traceroute into a single tool that monitors every hop along a network path continuously, producing statistical output that identifies where latency and packet loss actually occur. When basic connectivity tools confirm a problem exists but don’t locate it, MTR provides the data needed to isolate it.

=== Installation ===
<code>sudo apt install mtr</code>

MTR is available in the Debian main repository and requires no additional sources. It is maintained across all current Debian releases and installs without external dependencies. The package name is mtr, which includes both the command-line interface and mtr-packet, the helper binary responsible for sending and receiving network packets.

=== Basic Usage ===
MTR operates in two modes: interactive, which displays a live updating view of the network path, and report mode, which runs a fixed number of cycles and prints a summary.

* Interactive mode
<code>mtr example.com</code>

* Report mode — 50 cycles, no DNS resolution
<code>mtr --report --report-cycles 50 --no-dns example.com</code>

* TCP mode — useful when ICMP is filtered
<code>sudo mtr --tcp --port 443 example.com</code>

* Save report to file
<code>mtr --report --report-cycles 100 --no-dns example.com > mtr-report.txt</code>

{| class="wikitable"
|+ Output Example
|-
! Host !! hostname !! Loss% !! Snt !! Last !! Ave !! Best !! Wrst !! StDEV
|-
| 1. || 192.168.1.1 || 0.0% || 50 || 1.2 || 1.5 || 1.0 || 2.3 || 0.4
|-
| 2. || 10.0.0.1 || 0.0% || 50 || 8.5 || 9.2 || 7.8 || 12.1 || 1.3
|-
| 3. || isp-gateway.net || 0.0% || 50 || 15.3 || 16.1 || 14.2 || 19.8 || 1.8
|-
| 4. || ??? || 100.0% || 50 || 0.0 || 0.0 || 0.0 || 0.0 || 0.0
|-
| 5. || destination.com || 0.0%|| 50|| 25.4|| 26.8|| 24.1|| 32.5|| 2.4
|-
|}
Each row represents one hop. The columns report packet loss percentage, packets sent, and latency values in milliseconds — last, average, best, worst, and standard deviation. Standard deviation measures consistency: a low value indicates stable latency, a high value indicates jitter.

==== Interpreting Results ====

'''Packet loss at an intermediate hop that does not persist to subsequent hops''' is typically not a network problem. Many routers deprioritise or rate-limit ICMP responses while forwarding traffic normally. If hop 4 shows 100% loss but hop 5 responds cleanly, traffic is flowing through hop 4 — it simply isn’t generating diagnostic replies.

'''Packet loss that begins at a hop and continues through to the destination''' indicates a genuine problem at or beyond that hop.

'''A sudden increase in latency at a specific hop that persists to all subsequent hops''' points to a congested or slow link at that point in the path.

'''High standard deviation''' indicates unstable latency, which affects real-time applications such as VoIP and video conferencing even when average latency appears acceptable.

'''A large latency increase with stable standard deviation and no packet loss''' reflects geographic distance or a slower interconnect, not a fault.

'''Problems confined to the first hop''' — your local router — and absent from all subsequent hops point to a local network issue: wireless interference, a misconfigured interface, or a problem with the router itself.

==== Practical Scenarios ====
===== Isolating a problem for an ISP or hosting provider =====

Run an extended report against a known external address and save the output:
<code>mtr --report-cycles 100 --no-dns 8.8.8.8 > isp-report.txt</code>

The report shows exactly where in the path packet loss or latency appears, which hop belongs to which network, and whether the problem is within the provider’s infrastructure or beyond it.

===== Testing when ICMP is filtered =====
Some paths block ICMP but pass TCP traffic. Testing with TCP against a specific port confirms whether a service is reachable end-to-end:

<code>sudo mtr --tcp --port 22 --report-cycles 50 remote-server.com
</code>

<code>sudo mtr --tcp --port 443 --report-cycles 50 remote-server.com
</code>
===== Diagnosing jitter for real-time applications =====
Run a longer test and focus on the StDev column:

<code>mtr --report-cycles 200 game-server.com</code>

Values above 5ms in the StDev column at any hop that persists to the destination will affect latency-sensitive applications.

==== Catching intermittent problems ====
Intermittent issues require longer observation windows than a standard report provides:

<code>mtr --report-cycles 500 --interval 1 target.com > long-test.txt
</code>

===== Protocol Selection =====

MTR supports ICMP (default), UDP, and TCP. When one protocol appears to show loss or filtering, testing with another confirms whether the issue is protocol-specific or affects all traffic:

''Icmp''
mtr example.com

''UDP''
mtr --udp example.com

''TCP on port 80''
sudo mtr --tcp --port 80 example.com

===== Output Formats =====
MTR can produce machine-readable output for logging or automated analysis:

<code>
mtr --report --csv example.com

mtr --report --json example.com

mtr --report --xml example.com
</code>

===== Additional Options =====
* Show both hostname and IP address
<code>mtr --show-ips example.com</code>

* Display Autonomous System numbers
<code>mtr --aslookup example.com</code>

* Limit maximum hops
<code>mtr --max-ttl 20 example.com</code>

* Specify source address on systems with multiple interfaces
<code>mtr --address 192.168.1.100 example.com</code>

* Force IPv4 or IPv6
<code>
mtr -4 example.com

mtr -6 example.com
</code>

===== Interactive Mode Key Bindings =====
In interactive mode, the following keys are available:
{| class="wikitable"
|+ Available keys
|-
! Key !! Action
|-
| d || Toggle display mode
|-
| n || Toggle between hostnames and IP addresses
|-
| r || Reset statistics
|-
| p || Pause and resume
|-
| u || Cycle between ICMP, UDP, and TCP
|-
| y || Toggle between IPv4 and IPv6
|-
| q || Quit
|}

===== Useful Aliases =====
These aliases cover the most common diagnostic tasks. Add them to ~/.bashrc and reload with source ~/.bashrc:

* Standard report — 50 cycles, no DNS
<code>alias mtrreport='mtr --report --report-cycles 50 --no-dns'</code>

* Extended report — 100 cycles
<code>alias mtrlong='mtr --report --report-cycles 100 --no-dns'</code>

* HTTPS path test
<code>alias mtrhttps='sudo mtr --tcp --port 443 --report-cycles 50'
</code>

===== Permission Note =====
TCP mode on privileged ports requires either sudo or the cap_net_raw capability set on the mtr-packet binary:

<code>sudo setcap cap_net_raw+ep /usr/bin/mtr-packet</code>

After setting the capability, TCP tests run without sudo.

Remember: If in doubt, search for the specific error message along with "Debian" and the version number. e.g. Debian 13 or point release if needed, Debian 13,1

As usual I welcome any comments, suggestions or resources : dev@divsmart.com or distro-nix on Debian Forum.
[[Category:HowTo]]
[[Category:Networking]]
[[Category:Full Paper]]

Main Page

2026-03-10T13:03:36Z

Donald: /* Guides (reference) */ Minor word change to title

= Welcome to the Debian User Forum Archives. =

This wiki is dedicated specific member solutions from the [https://forums.debian.net Debian User Forums] and not to be confused with the larger man style documentation driven official [https://wiki.debian.org Debian Project Wiki].

Our works here are citable formats of some of our best threads, member contributions, guides, and information that can provide assistance on or offline.

== About ==
About:
* [[Archive Debian Forums:About|Archive Debian Forums]]
* [[Debian User Forums]]
* [[The Debian Project]]
* [[Forum jokes, lingo, and memorable quotes]]

== Guides (reference) ==

* [[Root, Sudo, and SU|Root, sudo, su, and su -]] (forum archive)
* [[Debian First Aid Kit]] (full paper)
* [[Fonts and Themes in Cinnamon Desktop]] (full paper)
* [[To install Firefox from Mozilla repo|Installing Firefox from the Mozilla repository]] (forum archive)
* [[Security Hardening for Debian Users: Protecting Against Targeted Attacks]] (full paper)

== HowTo (guides) ==
* [[MTR Network Diagnostics]] (full paper)
* [[WiFi Signal Strength and Sharing]] (forum archive)
* [[REFInd USB Drive (for emergency boot)]] (forum archive)
* [[Trixie iwd]] (forum archive)

== Licensing and Use ==
Licensing:
* [[Publish using CC International licencing and your Forum name]].
* [[Archive AI Use]]

Main Page

2026-02-28T17:53:57Z

Donald: /* About */ moved AI policy and changed Licensing to Licensing and Use. Added the about page for the archive.

= Welcome to the Debian User Forum Archives. =

This wiki is dedicated specific member solutions from the [https://forums.debian.net Debian User Forums] and not to be confused with the larger man style documentation driven official [https://wiki.debian.org Debian Project Wiki].

Our works here are citable formats of some of our best threads, member contributions, guides, and information that can provide assistance on or offline.

== About ==
About:
* [[Archive Debian Forums:About|Archive Debian Forums]]
* [[Debian User Forums]]
* [[The Debian Project]]
* [[Forum jokes, lingo, and memorable quotes]]

== Guides (reference) ==

* [[Root, Sudo, and SU|Root, sudo, su, and su -]] (forum archive)
* [[Debian First Aid Kit|My Debian First Aid Kit]] (full paper)
* [[Fonts and Themes in Cinnamon Desktop]] (full paper)
* [[To install Firefox from Mozilla repo|Installing Firefox from the Mozilla repository]] (forum archive)
* [[Security Hardening for Debian Users: Protecting Against Targeted Attacks]] (full paper)

== HowTo (guides) ==
* [[MTR Network Diagnostics]] (full paper)
* [[WiFi Signal Strength and Sharing]] (forum archive)
* [[REFInd USB Drive (for emergency boot)]] (forum archive)
* [[Trixie iwd]] (forum archive)

== Licensing and Use ==
Licensing:
* [[Publish using CC International licencing and your Forum name]].
* [[Archive AI Use]]

The Debian Project

2026-02-28T17:50:24Z

Donald: Typo correction, Link correction.

The [https://www.debian.org/ Debian Project] is an association of individuals who have made common cause to create a free operating system. This operating system that we have created is called '''Debian'''.

An operating system is the set of basic programs and utilities that make your computer run. At the core of an operating system is the kernel. The kernel is the most fundamental program on the computer and does all the basic housekeeping and lets you start other programs.

Debian systems currently use the Linux kernel or the FreeBSD kernel. Linux is a piece of software started by Linus Torvalds and supported by thousands of programmers worldwide. FreeBSD is an operating system including a kernel and other software.

However, work is in progress to provide Debian for other kernels, primarily for the Hurd. The Hurd is a collection of servers that run on top of a microkernel (such as Mach) to implement different features. The Hurd is free software produced by the GNU project.

A large part of the basic tools that fill out the operating system come from the GNU project; hence the names: GNU/Linux and GNU/Hurd. These tools are also free.

Of course, the thing that people want is application software: programs to help them get what they want to do done, from editing documents to running a business to playing games to writing more software. Debian comes with over 70000 packages (precompiled software that is bundled up in a nice format for easy installation on your machine), a package manager (APT), and other utilities that make it possible to manage thousands of packages on thousands of computers as easily as installing a single application. All of it free.

It's a bit like a tower. At the base is the kernel. On top of that are all the basic tools. Next is all the software that you run on the computer. At the top of the tower is Debian — carefully organizing and fitting everything so it all works together.

[https://www.debian.org/intro/about About Debian]

[https://debian.org The Debian Project]
[[Category:Debian]]

Archive Debian Forums:About

2026-02-26T02:26:31Z

Donald: Slight wording change

== About Archive Debian Forums: ==

"''Archive Debian Forums exists because good technical work deserves a permanent home''."

The Debian forums hold a lot of useful knowledge—tested procedures, hard-won solutions, and practical guides built from real experience. The Archives allows the authors to have '''cited''' works and '''permanent- links''' to their works something the forums cannot offer.

Forum threads age, and when the forums are down or gone, that knowledge is gone with them.

This archive means content is attributed, versioned, and stable—available whether the forums are there or not. If you wrote something worth keeping, it gets a permanent link. If you are looking for something or sharing something, even in your own writing, you can cite what you find in a readable and professional format.

We're not an open wiki. Submissions go through a review process, which keeps the quality high and the spam out. That accountability runs both ways: authors stand behind what they publish, and readers can trust that what they're reading has been verified by their peers, and is known to work with their version.

With that being said, please enjoy the best work of the Debian User Forum community.

Archive Debian Forums:About

2026-02-26T02:04:52Z

Donald: Page creation, credit to @distro-nix

== About Archive Debian Forums: ==

"''Archive Debian Forums exists because good technical work deserves a permanent home''."

The Debian forums hold a lot of useful knowledge—tested procedures, hard-won solutions, and practical guides built from real experience. The Archives allows the authors to have '''cited''' works and '''permanent- links''' to their works something the forums cannot offer for works.

Forum threads age, and when the forums are down or gone, that knowledge is gone with them.

This archive means content is attributed, versioned, and stable—available whether the forums are there or not. If you wrote something worth keeping, it gets a permanent link. If you are looking for something or sharing something, even in your own writing, you can cite what you find.

We're not an open wiki. Submissions go through a review process, which keeps the quality high and the spam out. That accountability runs both ways: authors stand behind what they publish, and readers can trust that what they're reading has been verified by their peers, and is known to work with their version.

With that being said, please enjoy the best work of the Debian User Forum community.

MTR Network Diagnostics

2026-02-24T18:10:14Z

Donald: Added categories

Main Page

2026-02-24T18:09:37Z

Donald: /* HowTo (guides) */ Added section

= Welcome to the Debian User Forum Archives. =

This wiki is dedicated specific member solutions from the [https://forums.debian.net Debian User Forums] and not to be confused with the larger man style documentation driven official [https://wiki.debian.org Debian Project Wiki].

Our works here are citable formats of some of our best threads, member contributions, guides, and information that can provide assistance on or offline.

== About ==
About:
* [[Debian User Forums]]
* [[The Debian Project]]
* [[Archive AI Use]]
* [[Forum jokes, lingo, and memorable quotes]]

== Guides (reference) ==

* [[Root, Sudo, and SU|Root, sudo, su, and su -]] (forum archive)
* [[Debian First Aid Kit|My Debian First Aid Kit]] (full paper)
* [[Fonts and Themes in Cinnamon Desktop]] (full paper)
* [[To install Firefox from Mozilla repo|Installing Firefox from the Mozilla repository]] (forum archive)
* [[Security Hardening for Debian Users: Protecting Against Targeted Attacks]] (full paper)

== HowTo (guides) ==
* [[MTR Network Diagnostics]] (full paper)
* [[WiFi Signal Strength and Sharing]] (forum archive)
* [[REFInd USB Drive (for emergency boot)]] (forum archive)
* [[Trixie iwd]] (forum archive)

== Licensing ==
Licensing:
* [[Publish using CC International licencing and your Forum name]].

MTR Network Diagnostics

2026-02-24T18:08:35Z

Donald: New page

Root, Sudo, and SU

2026-02-10T21:24:33Z

Donald: Typo correction

== The Concept of Root and User: ==

"''root'' is the user name or account that by default has access to all commands and files on a Linux or other Unix-like operating system. It is also referred to as the root account, root user and the superuser. <ref>root Definition "http://www.linfo.org/root.html</ref>

An ordinary user only has control over files in his/her own "home" directory, though they may be "allowed" access to other files and applications.

'''su, su -, and sudo:'''

The <code>su</code>, <code>su -</code>, and <code>sudo</code> commands are used in a terminal to give you root access to the system. You can of course log on as root but this is not generally a good idea; once logged on in a particular identity, you tend to continue in that identity until you log off again, and it is bad practice to work as root for long periods.

Instead you should use <code>su</code> to become root "for the duration". You will need to give the root password which you set when you installed Debian. Your prompt will change to show that you are now root. When you have done what you need to do as root, type exit to get back to your own identity.

Debian has adopted specific variations for the '''su''' command:

<code>su</code> will give access to all commands except for critical system commands in the <code>/usr/sbin directory</code>. This is a function of the environment which the <code>su</code> command invokes - if you switch from user account to root with su, you retain that ''user's environment''.

<code>su -</code> will also switch you to ''root'' account but invokes the ''root environment'' which is required for any commands in the <nowiki>/usr/sbin</nowiki> directory.

For example, you can run the <code>chown</code> command '''after''' elevating to root privileges with <code>su</code>, but to run the <code>adduser</code> command you need to get root with <code>su -</code>

<code>sudo</code> should also allow running commands which require root environment like those in <nowiki>/usr/sbin/</nowiki> eg. <code>sudo blkid</code> (PM me if you have a different experience; it works here).

The <code>sudo</code> command is a more selective alternative to su, particularly useful if there are several users of your system.

By editing, as root, the file <nowiki>/etc/sudoers</nowiki>, you can give root access to a specific individual for specific commands only. This is much safer than letting them know the root password.

The man page for sudoers gives details of the syntax for this file.

The Debian installer will ask if you wish to add your user to '''sudo''' and if you wish to create a root password. If you don't specify a root password, your user will automatically be added to '''sudo'''. If you didn't add you user to '''sudo''' during install, you can do it afterwards with the command (run as <code>su -</code> and entering the root password):

<code>adduser <username> sudo</code>
of course replace <username> with your actual user name.

To use sudo, simply preface the command you wish to execute as root with the word '''sudo'''. You will be asked to enter your own user password to prove your identity.

The system will then check whether you have been given permission to execute this particular command as root; if so, it will be executed. sudo "remembers" you for a short time so that you can give a group of sudo commands without entering your password each time.

This thread was original posted on the Debian User Forums by @The Beginners guide, curated by @sunrat: http://forums.debian.net/viewtopic.php?f=32&t=58557&p=338548

Ref 1: http://www.linfo.org/root.html

[[Category:Administration]]
[[Category:HowTo]]

Debian First Aid Kit

2026-02-10T20:02:28Z

Donald: Catefory

= My Debian First Aid Kit =
'''All commands are verified on Debian 13.1 (Trixie) / 6.16.3+deb13-amd64 x64_64'''

Created : 27/10/2025 15:54:21

Last Updated : 27/10/2025 23:42:45 '''ID : 544000.3'''

== Table of Contents ==

# Issues
# Package Management Issues
# Disk & Filesystem Issues
# Performance Issues
# Service & Application Errors
# Permission & Access Issues
# Hardware IssuesSystem Freezes & Crashes
# Boot Problems
# Network
# Quick Diagnostic Commands
# Useful Aliases & Shortcuts
# Tips for Effective Troubleshooting

----

== 1. System Freezes & Crashes ==

=== Check System Logs ===
<code># View logs from previous boot (after freeze/crash)</code>
<code>journalctl -b -1</code>

<code># List all available boots</code>
<code>journalctl --list-boots</code>

<code># Show only kernel messages from previous boot</code>
<code>journalctl -b -1 -k</code>

<code># Show errors and critical messages only</code>
<code>journalctl -b -1 -p err</code>

<code># Save logs to file for analysis</code>
<code>journalctl -b -1 > ~/crash-log.txt</code>

=== Common Freeze Causes to Look For ===

* '''Kernel panics''': Search for "kernel panic" or "Oops"
* '''Out of Memory (OOM)''': Search for "Out of memory" or "oom-killer"
* '''Hardware errors''': Look for "MCE" (Machine Check Exception) or "hardware error"
* '''Driver issues''': Check for module/driver failures
* '''Overheating''': Check system temperatures

=== Check System Resources ===
<code># View memory usage</code>
<code>free -h</code>

<code># Check disk space</code>
<code>df -h</code>

<code># Monitor system resources in real-time</code>
<code>htop</code>
<code># or</code>
<code>top</code>
(I prefer btop for better presentation)
You would need to install it. sudo apt install btop

<code># Check for disk errors</code>
<code>sudo dmesg | grep -i error</code>
<code>These are permanent errors due to incomplete/buggy ACPI tables in the BIOS, but they are harmless :</code>
<code>0.686554] ACPI Error: No handler for Region [ECRM] (00000000201accc4) [EmbeddedControl] (20250404/evregion-131)</code>
<code>0.686577] ACPI Error: Region EmbeddedControl (ID=3) has no handler (20250404/exfldio-261)</code>
<code>0.686594] ACPI Error: Aborting method \_SB.GPIO._EVT due to previous error (AE_NOT_EXIST) (20250404/psparse-529)</code>

== 2. Boot Problems ==

=== Check Boot Process ===
<code># View systemd boot analysis</code>
<code>systemd-analyze blame</code>

<code># See what failed during boot</code>
<code>systemctl --failed</code>

<code># Check specific service status</code>
<code>systemctl status <service-name> e.g NetworkManager.service</code>

=== Access Recovery Mode ===

# Reboot and hold <code>Shift</code> to access GRUB menu (depending on your grub timing settings)
# Select "Advanced options"
# Choose recovery mode
# Select "root" for root shell access

=== Common Boot Fixes ===
<code># Repair filesystem errors</code>
<code>Once you identify a device with lsblk</code>
<code>sudo fsck /dev/sdXN</code>

<code># Reinstall GRUB bootloader</code>
<code>sudo grub-install /dev/sdX</code>
<code>sudo update-grub</code>

<code># Check fstab for mount errors</code>
<code>cat /etc/fstab</code>

== 3. Network Issues ==

=== Diagnose Network Connection ===
<code># Check network interfaces</code>
<code>ip addr show</code>

<code># Test connectivity</code>
<code>ping -c 4 8.8.8.8</code>
<code>or</code>
<code>ping -c 6 2a00:1450:4007:809::200e</code>

<code># Check DNS resolution</code>
<code>nslookup google.com</code>

<code># View routing table</code>
<code>ip route show</code>

<code># Check active connections</code>
<code>ss -tuln</code>

=== Restart Network Service ===
<code># For systems with NetworkManager</code>
<code>sudo systemctl restart NetworkManager</code>

<code># For systems with networking service</code>
<code>sudo systemctl restart networking</code>

<code># Bring interface down and up</code>
<code>sudo ip link set eth0 down</code>
<code>sudo ip link set eth0 up</code>

<code>If you need to prove to your server host something that is beyond your control, you can always get out the big guns with MTR.</code>

= <code>MTR (It’s Traceroute on Steroids)</code> =

== What is MTR? ==
MTR combines the functionality of <code>ping</code> and <code>traceroute</code> into a single real-time network diagnostic tool. It continuously monitors the path between your system and a destination, providing detailed statistics about latency and packet loss at each hop.

== Installation ==
<code>sudo apt install mtr</code>

== Basic Usage ==
<code># Basic MTR (interactive mode)</code>
<code>mtr google.com</code>

<code># Report mode (run 10 cycles and exit)</code>
<code>mtr --report google.com</code>

<code># Specify number of pings</code>
<code>mtr --report-cycles 50 google.com</code>

<code># Use TCP instead of ICMP</code>
<code>mtr --tcp google.com</code>

<code># Use UDP</code>
<code>mtr --udp google.com</code>

<code># No DNS resolution (faster, shows IPs only)</code>
<code>mtr --no-dns google.com</code>

<code># Show both hostnames and IPs</code>
<code>mtr --show-ips google.com</code>

== Understanding MTR Output ==

=== Sample Output ===
<code>HOST: hostname Loss% Snt Last Avg Best Wrst StDev</code>
<code>1.|-- 192.168.1.1 0.0% 10 1.2 1.5 1.0 2.3 0.4</code>
<code>2.|-- 10.0.0.1 0.0% 10 8.5 9.2 7.8 12.1 1.3</code>
<code>3.|-- isp-gateway.net 0.0% 10 15.3 16.1 14.2 19.8 1.8</code>
<code>4.|-- ??? 100.0% 10 0.0 0.0 0.0 0.0 0.0</code>
<code>5.|-- google.com 0.0% 10 25.4 26.8 24.1 32.5 2.4</code>

=== Column Meanings ===

* '''HOST''': Hostname or IP address of each hop in the route
* '''Loss%''': Percentage of packets lost at this hop
* '''Snt''': Number of packets sent to this hop
* '''Last''': Latency of the most recent packet (milliseconds)
* '''Avg''': Average latency across all packets (milliseconds)
* '''Best''': Lowest latency recorded (milliseconds)
* '''Wrst''': Highest latency recorded (milliseconds)
* '''StDev''': Standard deviation - measures latency consistency (lower is better)

== Interpreting Results ==

=== Healthy Network ===

* '''Loss% = 0%''' on all hops
* '''Stable latency''' (low StDev values)
* '''Gradual latency increase''' as hop count increases
* '''Consistent response times'''

=== Problem Indicators ===

==== 1. High Packet Loss at Specific Hop ====
<code>5.|-- problem-router.net 25.0% 10 45.3 48.2 42.1 65.8 8.4</code>
'''Analysis:'''

* If loss continues to destination: Real problem at this router
* If loss only at this hop but NOT beyond: Router may be rate-limiting ICMP (false positive, not a real problem)

'''Rule of thumb:''' If packet loss appears at hop N but hops N+1, N+2, etc. show 0% loss, it's usually just ICMP rate limiting.

==== 2. High Latency at Specific Hop ====
<code>3.|-- slow-link.net 0.0% 10 150.3 155.2 148.1 165.8 5.4</code>
'''Indicates:'''

* Network bottleneck or congested link
* Geographical distance (intercontinental hops)
* Slow routing equipment

==== 3. No Response (???) ====
<code>4.|-- ??? 100.0% 10 0.0 0.0 0.0 0.0 0.0</code>
'''Possible causes:'''

* Router configured to not respond to ICMP/traceroute packets
* Firewall blocking diagnostic packets
* '''Not necessarily a problem''' if later hops respond normally

==== 4. High Jitter (StDev) ====
<code>6.|-- unstable.net 0.0% 10 35.3 52.8 28.1 95.2 24.7</code>
'''Indicates:'''

* Inconsistent latency (high StDev of 24.7ms)
* Network congestion or instability
* Poor for real-time applications (VoIP, gaming, video calls)

==== 5. Sudden Latency Spike ====
<code>1.|-- 192.168.1.1 0.0% 10 1.2 1.5 1.0 2.3 0.4</code>
<code>2.|-- 10.0.0.1 0.0% 10 8.5 9.2 7.8 12.1 1.3</code>
<code>3.|-- problematic-hop.net 0.0% 10 180.5 185.2 178.1 195.8 6.4</code>
<code>4.|-- next-hop.net 0.0% 10 182.3 187.8 180.5 198.2 6.8</code>
'''Problem identified:''' Hop 3 introduces ~170ms of latency (jump from 9ms to 180ms)

== Advanced Usage ==

=== Report Mode with Different Output Formats ===
<code># CSV format for logging and analysis</code>
<code>mtr --report --csv google.com > network-report.csv</code>

<code># JSON output for parsing</code>
<code>mtr --report --json google.com</code>

<code># XML format</code>
<code>mtr --report --xml google.com</code>

<code># Wide report (no abbreviations)</code>
<code>mtr --report-wide google.com</code>

=== Protocol Selection ===
<code># Use ICMP (default, requires no special permissions)</code>
<code>mtr google.com</code>

<code># Use UDP (alternative to ICMP)</code>
<code>mtr --udp google.com</code>

<code># Use TCP (useful for firewall testing)</code>
<code>mtr --tcp google.com</code>

<code># Test specific TCP port</code>
<code>sudo mtr --tcp --port 443 google.com</code>
<code>sudo mtr --tcp --port 22 remote-server.com</code>

=== Timing and Duration ===
<code># Specify interval between pings (default 1 second)</code>
<code>mtr --interval 0.5 google.com</code>

<code># Extended test with 100 cycles</code>
<code>mtr --report-cycles 100 google.com</code>

<code># Continuous monitoring (Ctrl+C to stop)</code>
<code>mtr google.com</code>

<code># Quick 10-cycle report</code>
<code>mtr --report-cycles 10 google.com</code>

=== Advanced Options ===
<code># Show Autonomous System (AS) numbers</code>
<code>mtr --aslookup google.com</code>

<code># Set maximum number of hops</code>
<code>mtr --max-ttl 20 google.com</code>

<code># Set packet size</code>
<code>mtr --psize 1000 google.com</code>

<code># Show both IP and hostname</code>
<code>mtr --show-ips google.com</code>

<code># Specify source address (multiple network interfaces)</code>
<code>mtr --address 192.168.1.100 google.com</code>

<code># IPv4 only</code>
<code>mtr -4 google.com</code>

<code># IPv6 only</code>
<code>mtr -6 google.com</code>

== Interactive Mode Commands ==
When running MTR in interactive mode (just <code>mtr hostname</code>), use these keys:
{| class="wikitable"
!Key
!Function
|-
|'''h'''
|Display help
|-
|'''d'''
|Toggle display mode (cycle through different views)
|-
|'''n'''
|Toggle between hostnames and IP addresses
|-
|'''r'''
|Reset all statistics
|-
|'''p'''
|Pause/unpause the display
|-
|'''q'''
|Quit MTR
|-
|'''u'''
|Switch between ICMP, UDP, and TCP modes
|-
|'''y'''
|Switch between IPv4 and IPv6
|-
|'''o'''
|Toggle field display options
|-
|'''j'''
|Toggle latency display
|}

== Practical Troubleshooting Scenarios ==

=== Scenario 1: Diagnosing Slow Website ===
<code># Run extended test to get accurate statistics</code>
<code>mtr --report-cycles 100 --no-dns example.com</code>

<code># Look for:</code>
<code># - High average latency at specific hops</code>
<code># - Packet loss at destination</code>
<code># - High StDev values (jitter)</code>

=== Scenario 2: Testing if Firewall Blocks SSH ===
<code># Test SSH port (22) connectivity</code>
<code>sudo mtr --tcp --port 22 --report-cycles 50 remote-server.com</code>

<code># If last hop shows 100% loss but earlier hops are fine:</code>
<code># - Port 22 might be filtered</code>
<code># - Try standard ICMP test for comparison</code>

=== Scenario 3: ISP Performance Issues ===
<code># Test path to reliable external server</code>
<code>mtr --report-cycles 100 8.8.8.8</code>

<code># Compare with another DNS server</code>
<code>mtr --report-cycles 100 1.1.1.1</code>

<code># If issues appear in first 3-4 hops: likely ISP problem</code>
<code># If issues appear later: problem is beyond your ISP</code>

=== Scenario 4: VPN Troubleshooting ===
<code># Test before connecting to VPN</code>
<code>mtr --report-cycles 50 --no-dns google.com > before-vpn.txt</code>

<code># Test after connecting to VPN</code>
<code>mtr --report-cycles 50 --no-dns google.com > after-vpn.txt</code>

<code># Compare the two files to see VPN impact</code>
<code>diff before-vpn.txt after-vpn.txt</code>

=== Scenario 5: Gaming/Streaming Performance ===
<code># Test for jitter (important for real-time applications)</code>
<code>mtr --report-cycles 200 game-server.com</code>

<code># Look for:</code>
<code># - Low average latency (< 50ms for gaming)</code>
<code># - Low StDev (< 5ms preferred)</code>
<code># - Zero packet loss</code>

=== Scenario 6: Intermittent Connectivity ===
<code># Long-running test to catch intermittent issues</code>
<code>mtr --report-cycles 500 --interval 1 target.com > long-test.txt</code>

<code># Monitor in real-time for several minutes</code>
<code>mtr target.com</code>
<code># Watch for sudden spikes in Loss% or latency</code>

== Continuous Monitoring ==

=== Log Network Performance Over Time ===
<code># Create timestamped reports every hour</code>
<code>while true; do</code>
<code>timestamp=$(date +%Y%m%d-%H%M%S)</code>
<code>mtr --report --report-cycles 50 google.com > "mtr-$timestamp.txt"</code>
<code>sleep 3600</code>
<code>done</code>

=== Monitor Multiple Destinations ===
<code># Create a simple monitoring script</code>
<code>#!/bin/bash</code>
<code>echo "=== MTR Report $(date) ===" > daily-network-report.txt</code>
<code>echo "" >> daily-network-report.txt</code>

<code>echo "Google DNS:" >> daily-network-report.txt</code>
<code>mtr --report --report-cycles 50 --no-dns 8.8.8.8 >> daily-network-report.txt</code>
<code>echo "" >> daily-network-report.txt</code>

<code>echo "Cloudflare DNS:" >> daily-network-report.txt</code>
<code>mtr --report --report-cycles 50 --no-dns 1.1.1.1 >> daily-network-report.txt</code>
<code>echo "" >> daily-network-report.txt</code>

<code>echo "Your Server:" >> daily-network-report.txt</code>
<code>mtr --report --report-cycles 50 your-server.com >> daily-network-report.txt</code>

== Useful Aliases for .bashrc ==
<code># Quick network path analysis</code>
<code>alias mtrreport='mtr --report --report-cycles 50 --no-dns'</code>

<code># Monitor connection to Google DNS</code>
<code>alias netcheck='mtr --report-cycles 20 8.8.8.8'</code>

<code># Extended network test</code>
<code>alias mtrlong='mtr --report-cycles 100'</code>

<code># TCP port 443 test (HTTPS)</code>
<code>alias mtrhttps='sudo mtr --tcp --port 443 --report-cycles 30'</code>

<code># Quick comparison of major DNS providers</code>
<code>alias dnstest='echo "Google:" && mtr --report-cycles 20 8.8.8.8 && echo -e "\nCloudflare:" && mtr --report-cycles 20 1.1.1.1'</code>
After adding to <code>~/.bashrc</code>:
<code>source ~/.bashrc</code>

== Troubleshooting Tips ==

=== 1. Permission Issues ===
If you get permission errors with TCP mode:
<code># Use sudo for TCP on privileged ports</code>
<code>sudo mtr --tcp --port 443 example.com</code>

<code># Or set capabilities (one-time setup)</code>
<code>sudo setcap cap_net_raw+ep /usr/bin/mtr-packet</code>

=== 2. False Positives ===
'''Common false positive:''' Packet loss at intermediate hops but NOT at the destination.

Example:
<code>3.|-- router.isp.net 20.0% 50 15.3 16.1 14.2 19.8 1.8</code>
<code>4.|-- next-hop.net 0.0% 50 18.5 19.2 17.8 22.1 1.3</code>
<code>5.|-- destination.com 0.0% 50 25.4 26.8 24.1 32.5 2.4</code>
'''This is OK!''' Hop 3 shows 20% loss, but hops 4 and 5 show 0% loss. The router at hop 3 is rate-limiting ICMP responses, but actual traffic flows normally.

=== 3. DNS Resolution Delays ===
If MTR seems slow to start:
<code># Skip DNS resolution for faster results</code>
<code>mtr --no-dns target.com</code>

<code># Resolve names afterward if needed</code>
<code>host 203.0.113.1</code>

=== 4. Comparing Results ===
<code># Run multiple tests and compare</code>
<code>mtr --report --report-cycles 50 example.com > test1.txt</code>
<code>sleep 60</code>
<code>mtr --report --report-cycles 50 example.com > test2.txt</code>
<code>diff test1.txt test2.txt</code>

== When to Use MTR vs Other Tools ==
{| class="wikitable"
!Tool
!Best For
!Limitations
|-
|'''MTR'''
|Continuous monitoring, identifying problem hops, detailed statistics
|Requires installation
|-
|'''ping'''
|Quick connectivity test, simple latency check
|Only tests endpoint
|-
|'''traceroute'''
|One-time path discovery
|No continuous monitoring
|-
|'''ss/netstat'''
|Local connection status
|Doesn't test remote paths
|}

== Best Practices ==

# '''Run enough cycles''': Use at least 50-100 cycles for accurate statistics
# '''Use --no-dns''': Faster and avoids DNS resolution issues during testing
# '''Check multiple times''': Network conditions vary; test at different times
# '''Compare protocols''': Try ICMP, UDP, and TCP if one shows issues
# '''Document findings''': Save reports with timestamps for trend analysis
# '''Test known-good hosts''': Use 8.8.8.8 or 1.1.1.1 to verify your network first
# '''Be patient''': Let MTR run for at least 30-60 seconds before drawing conclusions

== Reading Between the Lines ==

=== Good Network Health Example ===
<code>HOST: hostname Loss% Snt Last Avg Best Wrst StDev</code>
<code>1.|-- 192.168.1.1 0.0% 50 1.1 1.2 0.9 2.1 0.2</code>
<code>2.|-- 10.0.0.1 0.0% 50 8.2 8.5 7.5 10.2 0.5</code>
<code>3.|-- isp-gateway.net 0.0% 50 15.1 15.5 14.0 18.3 0.8</code>
<code>4.|-- google.com 0.0% 50 24.8 25.2 23.5 28.1 1.1</code>
✅ No packet loss, consistent latency, low jitter

=== Problem Network Example ===
<code>HOST: hostname Loss% Snt Last Avg Best Wrst StDev</code>
<code>1.|-- 192.168.1.1 0.0% 50 1.2 1.5 1.0 2.3 0.3</code>
<code>2.|-- 10.0.0.1 5.0% 50 45.3 52.8 8.1 245.2 45.7</code>
<code>3.|-- ??? 100.0% 50 0.0 0.0 0.0 0.0 0.0</code>
<code>4.|-- destination.com 15.0% 50 95.4 125.8 48.2 385.5 78.2</code>
❌ Packet loss at hop 2 and destination, high jitter, very high worst-case latency

== Summary ==
MTR is your Swiss Army knife for network diagnostics. Key takeaways:

* Use <code>--report-cycles 50+</code> for reliable data
* Watch for packet loss at the '''destination''' (intermediate losses may be false positives)
* High '''StDev''' indicates unstable connection
* High '''Avg''' latency shows slow links
* Use <code>--no-dns</code> for faster results
* Compare '''ICMP''', '''UDP''', and '''TCP''' modes if issues appear
* Test at different times of day for comprehensive analysis

== 4. Package Management Issues ==

=== Fix Broken Packages ===
<code># Update package lists</code>
<code>sudo apt update</code>

<code># Fix broken dependencies</code>
<code>sudo apt --fix-broken install</code>

<code># Reconfigure packages</code>
<code>sudo dpkg --configure -a</code>
<code>(if no output, there is nothing to do)</code>

<code># Clean package cache</code>
<code>sudo apt clean</code>
<code>sudo apt autoclean</code>

<code># Remove unused packages</code>
<code>sudo apt autoremove</code>

=== Handle Held or Locked Packages ===
<code># If apt is locked, find the process</code>
<code>sudo lsof /var/lib/dpkg/lock-frontend</code>

<code># Force remove lock (use carefully)</code>
<code>sudo rm /var/lib/dpkg/lock-frontend</code>
<code>sudo rm /var/lib/apt/lists/lock</code>

<code># Reconfigure dpkg</code>
<code>sudo dpkg --configure -a</code>

== 5. Disk & Filesystem Issues ==

=== Check Disk Health ===
<code># Check disk space</code>
<code>df -h</code>

<code># Check inode usage</code>
<code>df -i</code>

<code># View disk I/O statistics</code>
<code>iostat -x 1</code>
<code>(Make sure you have sysstat which includes useful performance monitoring tools other than iostat - disk I/O statistics</code>

* <code>mpstat</code> - CPU statistics

* <code>sar</code> - system activity reporter

* <code>pidstat</code> - process statistics

* <code>cifsiostat</code> - CIFS statistics

<code>''# Show stats in MB instead of KB'' iostat -xm 2</code>

<code>''# Monitor specific device'' iostat -x sda 1</code>
<code># Check for disk errors in dmesg</code>
<code>sudo dmesg | grep -i "error\|fail"</code>

<code># SMART disk health (if smartmontools installed)</code>
<code>sudo smartctl -a /dev/sda</code>

=== Repair Filesystem ===
<code># Unmount the partition first</code>
<code>sudo umount /dev/sdXN</code>

<code># Run filesystem check</code>
<code>sudo fsck /dev/sdXN</code>

<code># For ext4 specifically</code>
<code>sudo e2fsck -f /dev/sdXN</code>

== 6. Performance Issues ==

=== Identify Resource Hogs ===
<code># CPU usage by process</code>
<code>top -o %CPU</code>

<code># Memory usage by process</code>
<code>top -o %MEM</code>

<code># Disk usage by directory</code>
<code>du -sh /* | sort -h</code>

<code># Find large files</code>
<code>find / -type f -size +100M 2>/dev/null</code>

<code># Check running processes</code>
<code>ps aux --sort=-%mem | head -20</code>

=== System Temperature Monitoring ===
<code># Install sensors (if not installed)</code>
<code>sudo apt install lm-sensors</code>
<code>sudo sensors-detect</code>

<code># View temperatures</code>
<code>sensors</code>

<code># Real-time temperature monitoring</code>
<code>watch -n 2 sensors</code>
<code>''I have it as an alias in ~/.bashrc''</code>
<code>''Go to 11. Useful Aliases & Shortcuts''</code>

== 7. Service & Application Errors ==

=== Debug Service Problems ===
<code># Check service status</code>
<code>sudo systemctl status service-name</code>

<code># View service logs</code>
<code>sudo journalctl -u service-name</code>

<code># Restart a service</code>
<code>sudo systemctl restart service-name</code>

<code># Enable service at boot</code>
<code>sudo systemctl enable service-name</code>

<code># View recent service failures</code>
<code>journalctl -p err -b</code>

=== Application Crash Investigation ===
<code># Check for core dumps</code>
<code>ls -lh /var/crash/</code>

<code># View application-specific logs</code>
<code>ls /var/log/</code>

<code># Check syslog for application errors</code>
<code>sudo tail -f /var/log/syslog</code>

== 8. Permission & Access Issues ==

=== Fix Common Permission Problems ===
<code># Check file ownership</code>
<code>ls -l /path/to/file</code>

<code># Change ownership</code>
<code>sudo chown michael:michael /path/to/file</code>
user:group

<code># Change permissions</code>
<code>sudo chmod 644 /path/to/file</code>

<code># Recursively fix permissions</code>
<code>sudo chown -R user:group /path/to/directory</code>

=== User & Authentication Issues ===
<code># Check user information</code>
<code>id username</code>

<code># View user login history</code>
<code>last -a</code>

<code># Check failed login attempts</code>
<code>sudo journalctl | grep "authentication failure"</code>

<code># Reset user password</code>
<code>sudo passwd username</code>

== 9. Hardware Issues ==

=== Identify Hardware ===
<code># List all hardware</code>
<code>sudo lshw -short</code>
(May not be installed by default)
sudo apt install lshw

<code># PCI devices</code>
<code>lspci -v</code>

<code># USB devices</code>
<code>lspci -v</code>

<code># CPU information</code>
<code>lscpu</code>

<code># Memory information</code>
<code>sudo dmidecode --type memory</code>

=== Check Hardware Errors ===
<code># Kernel ring buffer (hardware messages)</code>
<code>dmesg | less</code>
<code>(If no output, good, no errors)</code>
<code>q to quit</code>

<code># Search for specific hardware issues</code>
<code>dmesg | grep -i "error\|fail\|warn"</code>

<code># Check for USB issues</code>
<code>dmesg | grep -i usb</code>

== 10. Quick Diagnostic Commands ==

=== System Information at a Glance ===
<code># Uptime and load average</code>
<code>uptime</code>

<code># Kernel version</code>
<code>uname -r</code>

<code># Debian version</code>
<code>cat /etc/debian_version</code>

<code># System summary</code>
<code>sudo inxi -Fxz</code>

=== Emergency Toolkit ===
<code># Create a diagnostic report</code>
<code>sudo journalctl -b > ~/system-report.txt</code>
<code>dmesg >> ~/system-report.txt</code>
<code>systemctl --failed >> ~/system-report.txt</code>
<code>df -h >> ~/system-report.txt</code>
<code>free -h >> ~/system-report.txt</code>

<code># Watch logs in real-time</code>
<code>sudo journalctl -f</code>

<code># Monitor system resources continuously</code>
<code>watch -n 1 'free -h && df -h'</code>

== 11. Useful Aliases & Shortcuts ==
Add these to your <code>~/.bashrc</code> for quick access to common troubleshooting commands:
<code># Monitor system temperatures in real-time</code>
<code>alias temps="watch -n 2 'for i in /sys/class/hwmon/hwmon*/; do echo -n \"\$(cat \${i}name): \"; cat \${i}temp*_input 2>/dev/null | while read temp; do echo \"scale=1; \$temp/1000\" | bc; done | tr \"\n\" \" \"; echo \"°C\"; done'"</code>
<code>''or run the watch command in the shell without the opening and closing double quotes.''</code>

<code># Quick system status</code>
<code>alias sysstat='echo "=== CPU ===" && uptime && echo -e "\n=== Memory ===" && free -h && echo -e "\n=== Disk ===" && df -h && echo -e "\n=== Top Processes ===" && ps aux --sort=-%mem | head -10'</code>
<code>(It’s a messy mayout, but I’m terrible with awk. Feel free to improve the layoput for me)</code>

<code># View last boot logs</code>
<code>alias lastboot='journalctl -b -1'</code>

<code># Check failed services</code>
<code>alias failedservices='systemctl --failed'</code>

<code># Monitor logs in real-time</code>
<code>alias watchlog='sudo journalctl -f'</code>

<code># Quick network status</code>
<code>alias netstat='ip addr show && echo -e "\n=== Routes ===" && ip route show'</code>
After adding these, run:
<code>source ~/.bashrc</code>
----

== Tips for Your Troubleshooting ==

# '''First check logs''': <code>journalctl</code> and <code>dmesg</code> are your best friends
# '''Work through the sections''': Change one thing at a time
# '''Document changes''': Keep notes on what you've tried
# '''Search for error messages''': Copy exact error messages into search engines or AI
# '''Check recent changes''': What you did before it happened? Install something, update packages, kernel?
# '''Make backups''': Before major changes, backup important data
# '''Use verbose mode''': Add <code>-v</code> or <code>-vv</code> flags to commands for more detail
# '''Check forums''': Debian forum, Reddit, Stack Exchange, and mailing lists

----'''Remember''': If in doubt, search for the specific error message along with "Debian" and the version number. e.g. Debian 13 or point release if needed, Debian 13,1

As usual I welcome any comments, suggestions or resources : '''dev@divsmart.com''' or '''distro-nix''' on Debian Forum.

[[Category:Troubleshooting]]
[[Category: Guides]]

Main Page

2026-02-10T19:59:48Z

Donald: /* Guides (reference) */ Page name changed

= Welcome to the Debian User Forum Archives. =

This wiki is dedicated specific member solutions from the [https://forums.debian.net Debian User Forums] and not to be confused with the larger man style documentation driven official [https://wiki.debian.org Debian Project Wiki].

Our works here are citable formats of some of our best threads, member contributions, guides, and information that can provide assistance on or offline.

== About ==
About:
* [[Debian User Forums]]
* [[The Debian Project]]
* [[Archive AI Use]]
* [[Forum jokes, lingo, and memorable quotes]]

== Guides (reference) ==

* [[Root, Sudo, and SU|Root, sudo, su, and su -]] (forum archive)
* [[Debian First Aid Kit|My Debian First Aid Kit]] (full paper)
* [[Fonts and Themes in Cinnamon Desktop]] (full paper)
* [[To install Firefox from Mozilla repo|Installing Firefox from the Mozilla repository]] (forum archive)
* [[Security Hardening for Debian Users: Protecting Against Targeted Attacks]] (full paper)

== HowTo (guides) ==
* [[WiFi Signal Strength and Sharing]] (forum archive)
* [[REFInd USB Drive (for emergency boot)]] (forum archive)
* [[Trixie iwd]] (forum archive)

== Licensing ==
Licensing:
* [[Publish using CC International licencing and your Forum name]].

Root, Sudo, and SU

2026-02-10T19:58:22Z

Donald: Donald moved page Sudo to Root, Sudo, and SU without leaving a redirect: Clarification of title

== The Concept of Root and User: ==

"''root'' is the user name or account that by default has access to all commands and files on a Linux or other Unix-like operating system. It is also referred to as the root account, root user and the superuser. <ref>root Definition "http://www.linfo.org/root.html</ref>

An ordinary user only has control over files in his/her own "home" directory, though they may be "allowed" access to other files and applications.

'''su, su -, and sudo:'''

The <code>su</code>, <code>su -</code>, and <code>sudo</code> commands are used in a terminal to give you root access to the system. You can of course log on as root but this is not generally a good idea; once logged on in a particular identity, you tend to continue in that identity until you log off again, and it is bad practice to work as root for long periods.

Instead you should use <code>su</code> to become root "for the duration". You will need to give the root password which you set when you installed Debian. Your prompt will change to show that you are now root. When you have done what you need to do as root, type exit to get back to your own identity.

Debian has adopted specific variations for the '''su''' command:

<code>su</code> will give access to all commands except for critical system commands in the <code>/usr/sbin directory</code>. This is a function of the environment which the <code>su</code> command invokes - if you switch from user account to root with su, you retain that ''user's environment''.

<code>su -</code> will also switch you to ''root'' account but invokes the ''root environment'' which is required for any commands in the <nowiki>/usr/sbin</nowiki> directory.

For example, you can run the <code>chown</code> command '''after''' elevating to root privileges with <code>su</code>, but to run the <code>adduser</code> command you need to get root with <code>su -</code>

<code>sudo</code> should also allow running commands which require root environment like those in <nowiki>/usr/sbin/</nowiki> eg. <code>sudo blkid</code> (PM me if you have a different experience; it works here).

The <code>sudo</code> command is a more selective alternative to su, particularly useful if there are several users of your system.

By editing, as root, the file <nowiki>/etc/sudoers</nowiki>, you can give root access to a specific individual for specific commands only. This is much safer than letting them know the root password.

The man page for sudoers gives details of the syntax for this file.

The Debian installer will ask if you wish to add your user to '''sudo''' and if you wish to create a root password. If you don't specify a root password, your user will automatically be added to '''sudo'''. If you didn't add you user to '''sudo''' during install, you can do it afterwards with the command (run as <code>su -</code> and entering the root password):

<code>adduser <username> sudo</code>
of course replace <username> with your actual user name.

To use sudo, simply preface the command you wish to execute as root with the word '''sudo'''. You will be asked to enter your own user password to prove your identity.

The system will then check whether you have been given permission to execute this particular command as root; if so, it will be executed. sudo "remembers" you for a short time so that you can give a group of sudo commands without entering your password each time.

This thread was original posted on the Debian User Forumsm but @sunrat: http://forums.debian.net/viewtopic.php?f=32&t=58557&p=338548

Ref 1: http://www.linfo.org/root.html

[[Category:Administration]][[Category:HowTo]]

Category:Administration

2026-02-10T19:55:13Z

Donald: Created blank page

Category:Desktop

2026-02-10T19:54:15Z

Donald: Created blank page

Category:Themes

2026-02-10T19:53:57Z

Donald: Created blank page

Category:Fonts

2026-02-10T19:53:37Z

Donald: Created blank page

Fonts and Themes in Cinnamon Desktop

2026-02-10T19:53:20Z

Donald: Category:Category name

== Fonts and Themes in Cinnamon Desktop ==

* Verified on Debian 13.1 (Trixie) / 6.12.43+deb13-amd64 x64_64
* Created : 28/10/2025 21:09:21
* Last Updated : 27/10/2025 23:42:45

A comprehensive reference for managing console fonts, GUI fonts, and theme customization in Debian with Cinnamon DE.


== Table of Contents ==

<ol style="list-style-type: decimal;">
<li><blockquote>[https://claude.ai/chat/6986fa74-5020-47a2-8736-f9eaf474bfc0#understanding-font-types Understanding Font Types]</blockquote></li>
<li><blockquote>[https://claude.ai/chat/6986fa74-5020-47a2-8736-f9eaf474bfc0#console-fonts-tty Console Fonts (TTY)]</blockquote></li>
<li><blockquote>[https://claude.ai/chat/6986fa74-5020-47a2-8736-f9eaf474bfc0#gui-fonts GUI Fonts]</blockquote></li>
<li><blockquote>[https://claude.ai/chat/6986fa74-5020-47a2-8736-f9eaf474bfc0#cinnamon-system-fonts Cinnamon System Fonts]</blockquote></li>
<li><blockquote>[https://claude.ai/chat/6986fa74-5020-47a2-8736-f9eaf474bfc0#theme-customization-with-css Theme Customization with CSS]</blockquote></li>
<li><blockquote>[https://claude.ai/chat/6986fa74-5020-47a2-8736-f9eaf474bfc0#accessibility-and-scaling Accessibility and Scaling]</blockquote></li>
<li><blockquote>[https://claude.ai/chat/6986fa74-5020-47a2-8736-f9eaf474bfc0#troubleshooting Troubleshooting]</blockquote></li></ol>


== Understanding Font Types ==

Linux uses different font systems depending on where text appears:


=== Console Fonts (TTY) ===

<ul>
<li><blockquote>'''Format''': PSF (PC Screen Font) - .psf or .psf.gz</blockquote></li>
<li><blockquote>'''Location''': /usr/share/consolefonts/</blockquote></li>
<li><blockquote>'''Used by''': Text-based virtual consoles (Ctrl+Alt+F2 through F6)</blockquote></li>
<li><blockquote>'''Loaded''': Before graphical system starts</blockquote></li>
<li><blockquote>'''Limitations''': No anti-aliasing, fixed character grid</blockquote></li></ul>


=== GUI Fonts ===

<ul>
<li><blockquote>'''Formats''': TrueType (.ttf), OpenType (.otf)</blockquote></li>
<li><blockquote>'''Location''': /usr/share/fonts/truetype/, /usr/share/fonts/opentype/</blockquote></li>
<li><blockquote>'''Used by''': All graphical applications</blockquote></li>
<li><blockquote>'''Features''': Anti-aliasing, scalability, subpixel rendering</blockquote></li></ul>


=== Why Two Systems? ===

The Linux console operates at a lower level than the graphical interface. It needs to display text even if the GUI fails to load, so it uses simpler font formats that don't require graphics libraries.


== Console Fonts (TTY) ==


=== Installing Console Fonts ===

Install Terminus (popular monospace console font):

sudo apt update

sudo apt install console-setup xfonts-terminus


=== Configuring Console Fonts ===


==== Method 1: Interactive Configuration ====

sudo dpkg-reconfigure console-setup

Follow the prompts:

<ol style="list-style-type: decimal;">
<li><blockquote>'''Encoding''': UTF-8</blockquote></li>
<li><blockquote>'''Character set''': Guess optimal character set</blockquote></li>
<li><blockquote>'''Font''': Terminus</blockquote></li>
<li><blockquote>'''Font size''': Choose from available sizes</blockquote></li></ol>

Available Terminus sizes: 8x14, 8x16, 10x20, 12x24, 14x28, 16x32

Recommendation: 16x32 for good readability


==== Method 2: Direct Configuration File Editing ====

Edit /etc/default/console-setup:

sudo nano /etc/default/console-setup

Add or modify these lines:

FONTFACE="Terminus"

FONTSIZE="16x32"

Other useful settings you might find:

CHARMAP="UTF-8"

CODESET="guess"


=== Applying Console Font Changes ===

The changes take effect on boot, but to apply immediately on all consoles:

sudo setupcon

'''Note''': This command only works when run from an actual TTY console, not from a terminal emulator in the GUI. If you get "not on the console" error, that's normal - the configuration is saved and will apply on next boot or when you switch to a TTY.


=== Testing Console Fonts ===

<ol style="list-style-type: decimal;">
<li><blockquote>Switch to virtual console: Ctrl + Alt + F2</blockquote></li>
<li><blockquote>Log in with your credentials</blockquote></li>
<li><blockquote>Check the font - you should see Terminus</blockquote></li>
<li><blockquote>Return to GUI: Ctrl + Alt + F1 or Ctrl + Alt + F7</blockquote></li></ol>


=== Viewing Available Console Fonts ===

List all available console fonts:

ls /usr/share/consolefonts/

Filter for Terminus fonts:

ls /usr/share/consolefonts/ | grep -i ter


=== Temporarily Testing Console Fonts ===

To test a font before making it permanent:

setfont /usr/share/consolefonts/Ter16x32n.psf.gz

'''Important''': setfont only works when run from a TTY console (Ctrl+Alt+F2), not from GUI terminals.

To check current console font (from TTY):

setfont -v


== GUI Fonts ==


=== Installing GUI Fonts ===


==== System-wide Installation ====

Install Terminus for graphical applications:

sudo apt install fonts-terminus

Install other popular fonts:

# Programming fonts

sudo apt install fonts-firacode fonts-hack fonts-jetbrains-mono

# General purpose fonts

sudo apt install fonts-liberation fonts-dejavu fonts-noto

# More options

sudo apt install fonts-ubuntu fonts-roboto

After installing, log out and back in, or rebuild font cache:

fc-cache -fv


==== User-only Installation ====

To install fonts just for your user account:

<ol style="list-style-type: decimal;">
<li><blockquote>Create fonts directory:</blockquote></li></ol>

mkdir -p ~/.local/share/fonts

<ol start="2" style="list-style-type: decimal;">
<li><blockquote>Copy font files (.ttf or .otf) to this directory:</blockquote></li></ol>

cp /path/to/your/font.ttf ~/.local/share/fonts/

<ol start="3" style="list-style-type: decimal;">
<li><blockquote>Rebuild font cache:</blockquote></li></ol>

fc-cache -fv


=== Font Locations ===

'''System-wide fonts''':

/usr/share/fonts/truetype/

/usr/share/fonts/opentype/

/usr/share/fonts/X11/

'''User-specific fonts''':

~/.local/share/fonts/


=== Listing Available Fonts ===

List all fonts available to GUI applications:

fc-list

Search for specific font:

fc-list | grep -i terminus

fc-list | grep -i dejavu

List fonts with details:

fc-list : family style file


=== Configuring Terminal Emulator Fonts ===


==== GNOME Terminal (default in Cinnamon) ====

<ol style="list-style-type: decimal;">
<li><blockquote>Open GNOME Terminal</blockquote></li>
<li><blockquote>Menu → Preferences</blockquote></li>
<li><blockquote>Select your profile</blockquote></li>
<li><blockquote>Go to '''Text''' tab</blockquote></li>
<li><blockquote>Uncheck "Use the system fixed-width font"</blockquote></li>
<li><blockquote>Click font button and select Terminus (or other font)</blockquote></li>
<li><blockquote>Choose size (12, 14, or 16 recommended)</blockquote></li></ol>


==== Guake (Drop-down Terminal) ====

Install GUI version of Terminus first:

sudo apt install fonts-terminus

guake --quit

guake &

Configure via GUI:

<ol style="list-style-type: decimal;">
<li><blockquote>Open Guake (F12)</blockquote></li>
<li><blockquote>Right-click → Preferences</blockquote></li>
<li><blockquote>Go to '''Appearance''' tab</blockquote></li>
<li><blockquote>Uncheck "Use the system fixed width font"</blockquote></li>
<li><blockquote>Select Terminus and size</blockquote></li></ol>

Configure via command line:

gsettings set org.guake.style.font use-system-font false

gsettings set org.guake.style.font font-name 'Terminus 12'


== Cinnamon System Fonts ==


=== Quick Font Configuration ===

Open '''System Settings''':

cinnamon-settings

Navigate to: '''Font Selection'''

You'll see these options:

<ul>
<li><blockquote>'''Default font''': Used for menus, buttons, dialogs (recommended: 10-12pt)</blockquote></li>
<li><blockquote>'''Desktop font''': Used for desktop icon labels (recommended: 10-11pt)</blockquote></li>
<li><blockquote>'''Document font''': Used in document viewers (recommended: 11pt)</blockquote></li>
<li><blockquote>'''Monospace font''': Used in terminals and code editors (recommended: Terminus 12pt)</blockquote></li>
<li><blockquote>'''Window title font''': Used in window title bars (recommended: 10-11pt bold)</blockquote></li></ul>


=== Recommended Configuration for Better Readability ===

Default font: Sans 11 or 12

Desktop font: Sans 10 or 11

Document font: Sans 11

Monospace font: Terminus 12 or 14

Window title font: Sans Bold 10 or 11


=== Using Command Line to Change Fonts ===

View current settings:

gsettings get org.cinnamon.desktop.interface font-name

gsettings get org.gnome.desktop.interface monospace-font-name

Change default font:

gsettings set org.cinnamon.desktop.interface font-name 'Sans 12'

Change monospace font:

gsettings set org.gnome.desktop.interface monospace-font-name 'Terminus 12'


=== Font Recommendations by Use Case ===

'''For general readability''':

<ul>
<li><blockquote>Default: DejaVu Sans 11-12</blockquote></li>
<li><blockquote>Monospace: Terminus 12 or DejaVu Sans Mono 11</blockquote></li></ul>

'''For programming''':

<ul>
<li><blockquote>Monospace: Fira Code 11, JetBrains Mono 11, or Hack 11</blockquote></li></ul>

'''For visually impaired users''':

<ul>
<li><blockquote>Default: Sans 13-14</blockquote></li>
<li><blockquote>Monospace: Terminus 14-16</blockquote></li>
<li><blockquote>Consider UI scaling (see Accessibility section)</blockquote></li></ul>


== Theme Customization with CSS ==

Cinnamon themes use CSS for styling. You can customize any theme to change fonts, colors, spacing, and more.


=== Finding Your Current Theme ===

Check which theme you're using:

gsettings get org.cinnamon.theme name

List available themes:

ls /usr/share/themes/

ls ~/.themes/

View your theme in System Settings: '''System Settings → Themes'''


=== Creating a Custom Theme Copy ===

Always work on a copy to avoid breaking your system:

# Copy system theme to your user directory

cp -r /usr/share/themes/YOUR-THEME-NAME ~/.themes/

# Example:

cp -r /usr/share/themes/Mint-Y ~/.themes/

cp -r /usr/share/themes/Green-Submarine ~/.themes/


=== Theme Structure ===

A typical Cinnamon theme:

~/.themes/YOUR-THEME-NAME/

├── cinnamon/

│ ├── cinnamon.css # Main styling file

│ ├── thumbnail.png

│ └── assets/ # Images, icons

├── gtk-3.0/ # GTK3 application styling

├── gtk-2.0/ # GTK2 application styling

├── metacity-1/ # Window decorations

└── index.theme # Theme metadata

The file you'll edit most: cinnamon/cinnamon.css


=== Editing Theme CSS ===

Open the CSS file:

nano ~/.themes/YOUR-THEME-NAME/cinnamon/cinnamon.css


==== Common CSS Selectors ====

/* Overall stage - affects most UI elements */

stage {

font-size: 10pt;

font-family: sans-serif;

}

/* Main menu */

.menu {

font-size: 10pt;

background-color: rgba(48, 48, 48, 0.95);

border-radius: 8px;

}

/* Menu application buttons */

.menu-application-button-label {

font-size: 9pt;

padding-left: 10px;

}

/* Panel (taskbar) */

.panel {

font-size: 9pt;

background-color: #2b2b2b;

height: 32px;

}

/* Panel applet labels */

.panel-button {

font-size: 9pt;

}

/* Notifications */

.notification {

font-size: 10pt;

}

/* Window list buttons */

.window-list-item-box {

font-size: 9pt;

}

/* Tooltips */

.tooltip {

font-size: 9pt;

}


=== Example: Increasing Menu Font Size ===

Find the menu section and modify:

.menu {

font-size: 14pt; /* Increase from default 9-10pt */

background-color: rgba(48, 48, 48, 0.95);

border-radius: 8px;

}

.menu-application-button-label {

font-size: 13pt; /* Increase menu item text */

padding-left: 10px;

}

/* Also increase category labels */

.menu-category-button-label {

font-size: 13pt;

}


=== Example: Changing Font Family ===

stage {

font-family: "DejaVu Sans", sans-serif;

font-size: 11pt;

}

/* Use monospace for specific elements */

.some-element {

font-family: "Terminus", "DejaVu Sans Mono", monospace;

}


=== Applying CSS Changes ===

After editing the CSS file:

<ol style="list-style-type: decimal;">
<li><blockquote>Save the file: Ctrl+O then Enter (in nano)</blockquote></li>
<li><blockquote>Exit: Ctrl+X (in nano)</blockquote></li>
<li><blockquote>Restart Cinnamon: Press Alt+F2, type r, press Enter</blockquote></li></ol>

Or reload from command line:

# Ensure theme is set

gsettings set org.cinnamon.theme name 'YOUR-THEME-NAME'

# Restart Cinnamon

cinnamon --replace &


=== CSS Tips and Tricks ===

'''Finding the right selector''': Use Cinnamon's Looking Glass debugger

<ol style="list-style-type: decimal;">
<li><blockquote>Press Alt+F2</blockquote></li>
<li><blockquote>Type lg and press Enter</blockquote></li>
<li><blockquote>Go to '''Picker''' tab</blockquote></li>
<li><blockquote>Click on UI elements to see their CSS classes</blockquote></li></ol>

'''Testing changes quickly''': Keep the CSS file open in one workspace, test in another, and use Alt+F2 → r to reload.

'''Backup before editing''':

cp ~/.themes/YOUR-THEME-NAME/cinnamon/cinnamon.css ~/.themes/YOUR-THEME-NAME/cinnamon/cinnamon.css.backup

'''Restore backup if needed''':

cp ~/.themes/YOUR-THEME-NAME/cinnamon/cinnamon.css.backup ~/.themes/YOUR-THEME-NAME/cinnamon/cinnamon.css


=== Common CSS Properties ===

/* Fonts */

font-family: "Font Name", fallback;

font-size: 10pt; /* or 12px, 1.2em */

font-weight: bold; /* or normal, 600 */

font-style: italic;

/* Colors */

color: #ffffff;

background-color: rgba(48, 48, 48, 0.95);

border-color: #444444;

/* Spacing */

padding: 10px;

margin: 5px;

padding-left: 10px;

/* Borders */

border: 1px solid #444444;

border-radius: 8px;

/* Sizing */

width: 300px;

height: 40px;

min-width: 200px;


== Accessibility and Scaling ==


=== UI Scaling (Recommended for Visual Impairment) ===


==== Via System Settings ====

'''System Settings → Display → UI Scale'''

Options typically: 100%, 125%, 150%, 200%

Start with 125% and adjust as needed.


==== Via Command Line ====

# Check current scaling

gsettings get org.cinnamon.desktop.interface scaling-factor

# Set scaling (1 = 100%, 2 = 200%)

gsettings set org.cinnamon.desktop.interface scaling-factor 2

'''Note''': Fractional scaling (1.25, 1.5) may not be available on all systems.


=== Text Scaling Only ===

If you don't want to scale everything, increase text size:

# Increase text scaling factor

gsettings set org.gnome.desktop.interface text-scaling-factor 1.25

Values: 1.0 = 100%, 1.25 = 125%, 1.5 = 150%


=== High Contrast Themes ===

'''System Settings → Themes'''

Look for high-contrast themes:

<ul>
<li><blockquote>HighContrast (if available)</blockquote></li>
<li><blockquote>HighContrastInverse</blockquote></li></ul>

Or install:

sudo apt install gnome-themes-extra


=== Large Cursor ===

'''System Settings → Mouse and Touchpad → Cursor'''

Select a larger cursor size (32px or 48px).

Or via command line:

gsettings set org.cinnamon.desktop.interface cursor-size 32


=== Desktop Zoom (Magnifier) ===

'''System Settings → Accessibility → Zoom'''

Enable desktop magnification. Typical shortcut: Alt + Super + 8


=== Font Smoothing ===

Ensure font smoothing is enabled for better readability:

gsettings set org.cinnamon.settings-daemon.plugins.xsettings antialiasing 'rgba'

gsettings set org.cinnamon.settings-daemon.plugins.xsettings hinting 'slight'

Options for antialiasing: none, grayscale, rgba Options for hinting: none, slight, medium, full

Recommended: rgba with slight hinting


== Troubleshooting ==


=== Console Font Issues ===

'''Problem''': setupcon says "not on the console"

'''Solution''': This is normal when running from GUI. The configuration is saved. Test by switching to TTY with Ctrl+Alt+F2.

'''Problem''': Font changes don't persist after reboot

'''Solution''': Verify /etc/default/console-setup has correct settings. Run sudo dpkg-reconfigure console-setup again.

'''Problem''': setfont gives "couldn't get file descriptor" error

'''Solution''': setfont only works from actual TTY console, not GUI terminal emulators.


=== GUI Font Issues ===

'''Problem''': Installed font doesn't appear in applications

'''Solution''':

# Rebuild font cache

fc-cache -fv

# Log out and back in

# Or restart the application

'''Problem''': Font looks pixelated or ugly

'''Solution''': Check antialiasing settings:

gsettings set org.cinnamon.settings-daemon.plugins.xsettings antialiasing 'rgba'

'''Problem''': Terminus not showing in Guake

'''Solution''': Install the TrueType version:

sudo apt install fonts-terminus

guake --quit

guake &


=== Theme CSS Issues ===

'''Problem''': CSS changes don't take effect

'''Solution''':

<ol style="list-style-type: decimal;">
<li><blockquote>Save the CSS file</blockquote></li>
<li><blockquote>Restart Cinnamon: Alt+F2 → r</blockquote></li>
<li><blockquote>Verify you're editing the active theme's CSS</blockquote></li>
<li><blockquote>Check for CSS syntax errors</blockquote></li></ol>

'''Problem''': Cinnamon crashes after CSS edit

'''Solution''': Boot to TTY (Ctrl+Alt+F2), restore backup:

cp ~/.themes/YOUR-THEME/cinnamon/cinnamon.css.backup ~/.themes/YOUR-THEME/cinnamon/cinnamon.css

Then switch back to GUI and restart Cinnamon.

'''Problem''': Can't find the right CSS selector

'''Solution''': Use Looking Glass:

<ol style="list-style-type: decimal;">
<li><blockquote>Alt+F2 → type lg → Enter</blockquote></li>
<li><blockquote>Go to Picker tab</blockquote></li>
<li><blockquote>Click UI element to see its classes</blockquote></li></ol>


=== Scaling Issues ===

'''Problem''': UI scaling makes everything blurry

'''Solution''': Some applications don't handle scaling well. Try:

<ul>
<li><blockquote>Integer scaling only (100%, 200%) instead of fractional</blockquote></li>
<li><blockquote>Increase font sizes instead of UI scaling</blockquote></li>
<li><blockquote>Update graphics drivers</blockquote></li></ul>

'''Problem''': Some applications ignore scaling

'''Solution''': Set scaling per-application (for X11 apps):

GDK_SCALE=2 application-name


== Quick Reference Commands ==


=== Console Fonts ===

# Configure interactively

sudo dpkg-reconfigure console-setup

# Apply changes

sudo setupcon

# List console fonts

ls /usr/share/consolefonts/

# Test font (from TTY only)

setfont /usr/share/consolefonts/Ter16x32n.psf.gz


=== GUI Fonts ===

# Install fonts

sudo apt install fonts-terminus fonts-firacode

# Rebuild font cache

fc-cache -fv

# List all fonts

fc-list

# Search for specific font

fc-list | grep -i terminus


=== Cinnamon Settings ===

# Open settings

cinnamon-settings

# Check current theme

gsettings get org.cinnamon.theme name

# Set theme

gsettings set org.cinnamon.theme name 'YOUR-THEME'

# UI scaling

gsettings set org.cinnamon.desktop.interface scaling-factor 2

# Restart Cinnamon

Alt+F2 → r


=== Theme Editing ===

# Copy theme

cp -r /usr/share/themes/THEME-NAME ~/.themes/

# Edit CSS

nano ~/.themes/THEME-NAME/cinnamon/cinnamon.css

# Backup CSS

cp ~/.themes/THEME-NAME/cinnamon/cinnamon.css{,.backup}

# Restore backup

cp ~/.themes/THEME-NAME/cinnamon/cinnamon.css{.backup,}


== Additional Resources ==

'''Official Cinnamon Documentation''': https://cinnamon-spices.linuxmint.com/

'''Cinnamon GitHub''': https://github.com/linuxmint/cinnamon

'''Theme Development Guide''': Available in Cinnamon documentation

'''Font Configuration''': man fonts-conf or man fc-cache

'''Console Setup''': man console-setup or man setupcon

'''Last Updated''': October 2025 
'''Compatible with''': Debian 13, Linux Mint 21+, any distribution using Cinnamon DE

=== Credits & Comments ===
As usual I welcome any comments, suggestions or resources : dev@divsmart.com or distro-nix on Debian Forum.

[[Category:Fonts]]
[[Category:Themes]]
[[Category:Desktop]]

Forum jokes, lingo, and memorable quotes

2026-02-10T19:42:18Z

Donald: Category:Category name

== Inside Jokes, Lingo, and Quotes ==

===== Memorable Quotes =====
* Shiny side facing out ([https://forums.debian.net/viewtopic.php?t=157623 thread])
** The walls, ceiling and floor of my apartment are papered with heavy duty aluminum foil hung with rubber glue. Shiny side facing out. - Trihexagonal
* Why is Debian still under development??? ([https://forums.debian.net/viewtopic.php?p=455576#p455576 thread])
** If Debian is THAT GOOD, why is Debian still under development??? Why are new versions released? IF Debian was that good, we would al been using Debian version 0.() for the past 19 years.... - nomko
* ,...here, hold my tea
** Like there's a Great White swimming around somewhere wondering when he's going to develop Molars so he can enjoy the health benefits of seaweed. This [presents] a flowery non-specific justification for perpetual shiny new syndrome. ([https://forums.debian.net/viewtopic.php?p=763708#p763708 thread])

===== Inside Humor =====
The forums about header changes once in a while in some humor and to see who is paying attention. Here are the most recent:

* '''Debian Fish and Animal Emporium'''
* '''16 years of discussion about socks and the people that wear them'''
* '''We have read the manual.'''

[[Category:Forums]]
[[Category:Humor]]

Category:Boot

2026-02-10T19:39:38Z

Donald: Created blank page

REFInd USB Drive (for emergency boot)

2026-02-10T19:39:21Z

Donald: Category:Category name

[https://www.rodsbooks.com/refind/ The rEFInd boot manager], forked by Rod Smith many years ago from a prior project called rEFIt.

It's one of the finest pieces of Linux programming that never caught on. Part of the problem is that, because rEFInd only works in UEFI, it isn't suitable for default installation on distros supporting BIOS boot (which of course is most, including Debian). If one has UEFI, there's a lot to be said for replacing Grub with rEFInd, but I'm not going to tackle that here. In this tutorial, I'm only going to explain how to install rEFInd to USB drive, which is particularly useful as an emergency boot tool.
Note: It's easier to create a rEFInd USB drive in advance, obviously, but can be improvised after the excrement has hit the fan. The drive can be setup from a live session, virtual machine or any almost computer running Linux. Doesn't matter which Linux or desktop. All it does is provide a platform to format an EFI partition, download a zip file, and run an installer script directed at an external drive.

===== '''How it works''' =====
What makes rEFInd useful for emergency boot is that the Linux kernel is bootable in its own right, without need for a separate boot loader. This means rEFInd on USB drive can boot kernel images of an installed system, even if Grub and/or NVRAM have been damaged or misconfigured. It also can boot Windows (using its boot loader) even if Grub is damaged. Someone taught me this trick early in my Linux journey and I've had a rEFInd USB drive sitting next to my computer ever since. By the way, once booted, you can remove the rEFInd drive, freeing up the port.

====== '''Select target''' ======
rEFInd needs to be installed to an EFI partition. Simplest solution is to dig out an old 2.0 flash drive, put rEFInd on it and don't worry about the remaining space. Or you can create two (or more) partitions, one for rEFInd and another for something else (e.g., data files). Or you can clear a little space on a backup drive and put the EFI partition there. My personal preference is a full install USB drive with rEFInd instead of Grub.

EFI Partition. Can be very small; the rEFInd files are only about 2 MB. Anything less than 100 MB sometimes draws squawks from partitioning tools, though, so that's what I use. Partition needs to be FAT format, with boot/esp flags. For GUI, use GParted or Gnome Disks. For CLI, use fdisk or gdisk. If you're new to partitioning, plenty of tutorials are available on the internet.

====== '''Download files''' ======
rEFInd is available in several formats. For this tutorial, you want the binary zip file, download links here. Files are hosted at SourceForge; current version is 0.14.2, uploaded Apr'24. Extract zip file. Can use the Downloads folder or move first to another. Downloads is fine if planning to delete folder after creating the USB drive (always can download again, if needed).

====== '''Install''' ======
The zip file includes a script for installing rEFInd to the EFI partition. Open Terminal in the extracted folder. For example, double-click in file manager, then right-click and select '''Open in Terminal'''; or open Terminal then '''cd''' to the appropriate folder. Run command in this form (notice dot): '''./refind-install --usedefault /dev/sdxn --alldrivers''' , where sdxn = target EFI partition (e.g., sdb1); sudo not needed, but will be prompted for password.

====== Ventoy ======
If you use Ventoy, there's an even simpler option. On download page (link above), there's also a CD-R image file. Again, it's a zip file. Once extracted, there will be a .img file in the folder. Copy this to your Ventoy images folder. Ventoy will boot directly from the rEFInd img file, same as if it were an ISO.

====== '''How to Use''' ======
Attach USB drive, power up and select USB drive from firmware boot menu. If secure boot is enabled, you'll need to disable it,* but can re-enable later (after having fixed whatever is causing you to use rEFInd in the first place). rEFInd scans the computer for bootable objects, including boot loaders and Linux kernel images. Will present a horizontal row of icons with available options, first boot loaders, then kernel images. (Second row has tools.) Arrow-key to desired option, then Enter to select. To access backup kernels, similar to advanced boot options in Grub, press F2, Insert or Tab; use arrow keys to select desired kernel, then Enter to boot.
* Well, there is a way to leave secure boot enabled, provided you do the work ahead of time. You would copy rEFInd's secure boot certificate (and those of all installed systems) to the internal drive's EFI partition, then register the certificates with MOK. Only worth the trouble, though, if planning to use the USB drive for everyday boot, in which event might as well install rEFInd to the computer (see next paragraph). In any event, there's no way to certify the USB drive itself, so it will be secure boot qualified on all systems.

====== '''Replacing Grub''' ======
If you like the USB drive and decide to replace Grub on the installed system with rEFInd, I recommend the repo method (installs packages which, in turn, install rEFInd to the internal drives's EFI partition). As mentioned, unlike a USB drive, it's possible to endorse installed rEFInd so it's secure boot compatible. There are many configuration options, not particularly useful for a USB drive but handy if using rEFInd as main boot manager. Also, you will want to freeze Grub updates (sudo apt-mark hold) or even remove the Grub packages altogether. rEFInd's website (link above) discusses in detail all these issues and more.

This article was posted by pbear: https://forums.debian.net/viewtopic.php?t=163086

[[Category:HowTo]]
[[Category:Boot]]

Security Hardening for Debian Users: Protecting Against Targeted Attacks

2026-02-10T19:25:39Z

Donald: Category:Category name

== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==

==== Cybersecurity Measures Against Targeted Attacks ====

* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.

==== Description of the Threat ====
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.

Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.

They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.

Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.

There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.

The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.

Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.

==== Countermeasures ====

''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''

Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.

At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.

Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.

Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.

Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.

However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.

The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.

At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote>

Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.

Apply the most secure configurations available, especially if you store sensitive personal or professional information.

Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.

This article is written both as a security recommendation and as a request for advice on improving system configuration.

If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.

==== Practical Instructions ====

===== Linux system hardening recommendations: =====

====== Main Aspects of System Hardening ======

1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.

2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote>

3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.

4. Avoid using the superuser account or ''sudo'' without a clear necessity — and never execute arbitrary scripts with ''sudo''. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:
* Always read a script fully before running it (less script.sh, cat script.sh).
* Never paste commands from untrusted or unverified sources into the terminal.
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of ''sudo'' and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote>

5. Follow a server-style access model

Do not add regular users to the ''sudo'' group. The ''sudo'' privilege should be reserved exclusively for the superuser (root). Regular users '''should not''' have the ability to execute commands as root via ''sudo''.

Yes, this can introduce some inconvenience in system administration, but this model provides a more secure configuration and reduces the risk of accidental or intentional security breaches.<blockquote>'''Note:''' system users created by the kernel or services (e.g., ''www-data'', ''postgres,'' ''nobody'') '''do not have sudo access by default'''. Programs installed using ''sudo'' by the root user '''do not automatically grant sudo privileges to users created by those programs'''. Any virtual or service accounts remain unable to run commands with ''sudo'' unless explicitly added to the sudo-enabled group.</blockquote>

6. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].

7. Use advanced network filtering settings: iptables or nftables, or a commercial firewall.
My nftables config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].

8. Configure kernel parameters for maximum security (sysctl hardening).
My 99-protect.conf config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].

9. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event).
My auditd config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].

10. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.

11 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.

12. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.
* If you are certain you will never use it, remove it completely from the system.
* This practice reduces potential attack vectors and strengthens overall system security.
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications.
* Always create a full system backup before making any significant configuration changes or modifications.

13. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.

14. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:

<syntaxhighlight lang="bash">
bash

PermitRootLogin no
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement
</syntaxhighlight>

Why it matters:

* Allows you to quickly understand when and why a change was made.
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.
* Simplifies system audits and security reviews.

====== Related Aspects of Internet Security ======

There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.

1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:

* relying on human memory, with the risk of forgetting or confusing credentials;
* storing passwords on paper media, which can be damaged, lost, or stolen;
* saving passwords in web browsers in unencrypted form;
* keeping passwords in plain text files on the desktop or in other directories without encryption;
* and similar approaches.
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.

A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.

Regularly create up-to-date backups of the ''encrypted'' password database.

Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.

Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.

In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.

It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote>

2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey].

The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number.

For now, it is one of the most reliable hardware-based options for two-factor authentication.

3. Using VPN to improve privacy and security

* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.

Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.

* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.

4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.

<blockquote>'''Note:''' Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.</blockquote>

In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.

5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.

6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.

It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.

Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.

Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.

Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.

7. Hardware Firewall

If you handle confidential information on your computer and are in a high-risk zone for cyberattacks, consider using an additional layer of protection such as a '''hardware firewall'''.

Important note on cost: In addition to the one-time cost of the device (starting from approximately $55), an annual paid subscription is required for threat intelligence updates. Therefore, this solution is economically justified primarily in two cases:

* You work with critically important information whose leakage is unacceptable (e.g., trade secrets, client personal data, unique developments, or if your professional activities involve sensitive data in fields such as law enforcement, military, legal practice, journalism, healthcare, and so on).
* You have well-founded suspicions that you or your organization could be the target of a directed attack.

Attackers often rely on direct interaction with your devices. The presence of a dedicated, subscription-updated hardware firewall creates a significant obstacle for them. It acts as an independent filter, analyzing all incoming and outgoing traffic before it reaches your end devices. This substantially increases the cost and complexity of an attack for the malicious actor, reducing its effectiveness.

However, this should not be viewed as a panacea. '''It is an additional, not the sole, layer of defense.''' Its presence does not negate the necessity of:

* Configuring the basic security of your router.
* Using a software firewall and antivirus on your PC.
* Timely updating your operating system and applications.
* Practicing good cyber hygiene (e.g., using a password manager, being cautious of phishing).

A hardware firewall should be seamlessly integrated into your overall security architecture, forming a '''multi-layered (defense-in-depth) protection system.''' It is precisely such a system, where breaching one barrier does not lead to the compromise of the entire network, that poses the most serious challenge for attackers.

<blockquote>'''Note:''' Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.</blockquote>

8. It is also important to consider the possibility of hardware-level attacks.
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.

If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.

'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''

===== Examples of Deep Custom Security Configurations =====

Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.

These are not universal templates, but references illustrating advanced system hardening.

[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]

==== UsefulPrograms ====

Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion).

[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]

==== Additional articles on the author's site: ====

<blockquote>'''Note:''' The following materials are provided for '''awareness, defensive, and educational purposes only'''. They are intended to help users recognize threats and build their own security. All personal data and identifiers have been anonymized.</blockquote>

[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/targeted-attack-analysis.html| Author's analysis of targeted attacks] - The author provides an analysis of complex targeted attack that was used against him, including social‑engineering and psychological components, as well as cyber attack vectors and defensive measures.

[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/information-and-behavioral-hygiene-for-working-with-a-pc.html| Information and Behavioral Hygiene for Working with a PC] - This is an extensive popular-science essay dedicated to comprehensive digital hygiene. Drawing on years of personal (and often bitter) experience in working with PCs, observing user behavior, working in the security sector, as well as experience in countering scammers and manipulators online, the author formulates a system of practical principles for conscious, safe, and productive work with a PC and on the Internet.

==== External Resources ====

[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html| Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.]
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team.

[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c| The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy]
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations.

[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/| iptables, nftables, and You A Friendly Guide to Traffic Rules]
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples.

[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf| SELinux System Administration Third Edition — Sven Vermeulen.]
Implement mandatory access control to secure applications, users, and information flows on Linux.

[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor]
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system.

[https://nallino.net/stockage/security/Linux_Mint_Security.pdf| Security, Privacy and Anonymity in Linux Mint — Michel Nallino.]
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions.

[https://www.cisa.gov/topics/cybersecurity-best-practices| CISA — Cybersecurity Best Practices]
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.

==== Provenance ====

This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131

it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks

[[Category:Security]]
[[Category:Administration]]
[[Category:Guides]]

Root, Sudo, and SU

2026-02-10T19:23:59Z

Donald: /* The Concept of Root and User: */

== The Concept of Root and User: ==

"''root'' is the user name or account that by default has access to all commands and files on a Linux or other Unix-like operating system. It is also referred to as the root account, root user and the superuser. <ref>root Definition "http://www.linfo.org/root.html</ref>

An ordinary user only has control over files in his/her own "home" directory, though they may be "allowed" access to other files and applications.

'''su, su -, and sudo:'''

The <code>su</code>, <code>su -</code>, and <code>sudo</code> commands are used in a terminal to give you root access to the system. You can of course log on as root but this is not generally a good idea; once logged on in a particular identity, you tend to continue in that identity until you log off again, and it is bad practice to work as root for long periods.

Instead you should use <code>su</code> to become root "for the duration". You will need to give the root password which you set when you installed Debian. Your prompt will change to show that you are now root. When you have done what you need to do as root, type exit to get back to your own identity.

Debian has adopted specific variations for the '''su''' command:

<code>su</code> will give access to all commands except for critical system commands in the <code>/usr/sbin directory</code>. This is a function of the environment which the <code>su</code> command invokes - if you switch from user account to root with su, you retain that ''user's environment''.

<code>su -</code> will also switch you to ''root'' account but invokes the ''root environment'' which is required for any commands in the <nowiki>/usr/sbin</nowiki> directory.

For example, you can run the <code>chown</code> command '''after''' elevating to root privileges with <code>su</code>, but to run the <code>adduser</code> command you need to get root with <code>su -</code>

<code>sudo</code> should also allow running commands which require root environment like those in <nowiki>/usr/sbin/</nowiki> eg. <code>sudo blkid</code> (PM me if you have a different experience; it works here).

The <code>sudo</code> command is a more selective alternative to su, particularly useful if there are several users of your system.

By editing, as root, the file <nowiki>/etc/sudoers</nowiki>, you can give root access to a specific individual for specific commands only. This is much safer than letting them know the root password.

The man page for sudoers gives details of the syntax for this file.

The Debian installer will ask if you wish to add your user to '''sudo''' and if you wish to create a root password. If you don't specify a root password, your user will automatically be added to '''sudo'''. If you didn't add you user to '''sudo''' during install, you can do it afterwards with the command (run as <code>su -</code> and entering the root password):

<code>adduser <username> sudo</code>
of course replace <username> with your actual user name.

To use sudo, simply preface the command you wish to execute as root with the word '''sudo'''. You will be asked to enter your own user password to prove your identity.

The system will then check whether you have been given permission to execute this particular command as root; if so, it will be executed. sudo "remembers" you for a short time so that you can give a group of sudo commands without entering your password each time.

This thread was original posted on the Debian User Forumsm but @sunrat: http://forums.debian.net/viewtopic.php?f=32&t=58557&p=338548

Ref 1: http://www.linfo.org/root.html

[[Category:Administration]][[Category:HowTo]]

Debian First Aid Kit

2026-02-10T19:21:54Z

Donald: Category:Category name

Main Page

2026-02-10T19:08:55Z

Donald: Update Header text and information

= Welcome to the Debian User Forum Archives. =

This wiki is dedicated specific member solutions from the [https://forums.debian.net Debian User Forums] and not to be confused with the larger man style documentation driven official [https://wiki.debian.org Debian Project Wiki].

Our works here are citable formats of some of our best threads, member contributions, guides, and information that can provide assistance on or offline.

== About ==
About:
* [[Debian User Forums]]
* [[The Debian Project]]
* [[Archive AI Use]]
* [[Forum jokes, lingo, and memorable quotes]]

== Guides (reference) ==

* [[Sudo|Root, sudo, su, and su -]] (forum archive)
* [[Debian First Aid Kit|My Debian First Aid Kit]] (full paper)
* [[Fonts and Themes in Cinnamon Desktop]] (full paper)
* [[To install Firefox from Mozilla repo|Installing Firefox from the Mozilla repository]] (forum archive)
* [[Security Hardening for Debian Users: Protecting Against Targeted Attacks]] (full paper)

== HowTo (guides) ==
* [[WiFi Signal Strength and Sharing]] (forum archive)
* [[REFInd USB Drive (for emergency boot)]] (forum archive)
* [[Trixie iwd]] (forum archive)

== Licensing ==
Licensing:
* [[Publish using CC International licencing and your Forum name]].

Main Page

2026-02-10T18:52:00Z

Donald: /* Guides (reference) */ Added My Debian First Aid Kit Link to section

== About ==
About:
* [[Debian User Forums]]
* [[The Debian Project]]
* [[Archive AI Use]]
* [[Forum jokes, lingo, and memorable quotes]]

== Guides (reference) ==

* [[Sudo|Root, sudo, su, and su -]]
* [[Debian First Aid Kit|My Debian First Aid Kit]]
* [[Fonts and Themes in Cinnamon Desktop]]
* [[To install Firefox from Mozilla repo|Installing Firefox from Mozilla repo]]
* [[Security Hardening for Debian Users: Protecting Against Targeted Attacks]]

== HowTo ==
* [[WiFi Signal Strength and Sharing]]
* [[REFInd USB Drive (for emergency boot)]]
* [[Trixie iwd]]

== Licensing ==
Licensing:
* [[Publish using CC International licencing and your Forum name]].

Fonts and Themes in Cinnamon Desktop

2026-02-10T18:45:36Z

Donald: Added author informaiton

Debian First Aid Kit

2026-02-10T18:40:27Z

Donald: Created page with "= My Debian First Aid Kit = '''All commands are verified on Debian 13.1 (Trixie) / 6.16.3+deb13-amd64 x64_64''' Created : 27/10/2025 15:54:21 Last Updated : 27/10/2025 23:42:45 '''ID : 544000.3''' == Table of Contents == # Issues # Package Management Issues # Disk & Filesystem Issues # Performance Issues # Service & Application Errors # Permission & Access Issues # Hardware IssuesSystem Freezes & Crashes # Boot Problems # Network # Quick Diagnostic Commands # Useful..."

Main Page

2026-02-10T03:43:38Z

Donald: /* HowTo */

== About ==
About:
* [[Debian User Forums]]
* [[The Debian Project]]
* [[Archive AI Use]]
* [[Forum jokes, lingo, and memorable quotes]]

== Guides (reference) ==

* [[Sudo|Root, sudo, su, and su -]]
* [[Fonts and Themes in Cinnamon Desktop]]
* [[To install Firefox from Mozilla repo|Installing Firefox from Mozilla repo]]
* [[Security Hardening for Debian Users: Protecting Against Targeted Attacks]]

== HowTo ==
* [[WiFi Signal Strength and Sharing]]
* [[REFInd USB Drive (for emergency boot)]]
* [[Trixie iwd]]

== Licensing ==
Licensing:
* [[Publish using CC International licencing and your Forum name]].

Fonts and Themes in Cinnamon Desktop

2026-02-10T03:38:26Z

Donald: Created page with "== Fonts and Themes in Cinnamon Desktop == * Verified on Debian 13.1 (Trixie) / 6.12.43+deb13-amd64 x64_64 * Created : 28/10/2025 21:09:21 * Last Updated : 27/10/2025 23:42:45 A comprehensive reference for managing console fonts, GUI fonts, and theme customization in Debian with Cinnamon DE. == Table of Contents == <ol style="list-style-type: decimal;"> <li><blockquote>[https://claude.ai/chat/6986fa74-5020-47a2-8736-f9eaf474..."

Main Page

2026-02-09T21:43:54Z

Donald: /* HowTo */

== About ==
About:
* [[Debian User Forums]]
* [[The Debian Project]]
* [[Archive AI Use]]
* [[Forum jokes, lingo, and memorable quotes]]

== HowTo ==
HowTo:

* [[Sudo|Root, sudo, su, and su -]]

* [[To install Firefox from Mozilla repo|Installing Firefox from Mozilla repo]]
* [[WiFi Signal Strength and Sharing]]
* [[REFInd USB Drive (for emergency boot)]]
* [[Trixie iwd]]
* [[Security Hardening for Debian Users: Protecting Against Targeted Attacks]]

== Licensing ==
Licensing:
* [[Publish using CC International licencing and your Forum name]].

Root, Sudo, and SU

2026-02-09T21:42:01Z

Donald: Root and user, su, su-, sudo

== The Concept of Root and User: ==

"''root'' is the user name or account that by default has access to all commands and files on a Linux or other Unix-like operating system. It is also referred to as the root account, root user and the superuser. <ref>root Definition "http://www.linfo.org/root.html</ref>

An ordinary user only has control over files in his/her own "home" directory, though they may be "allowed" access to other files and applications.

'''su, su -, and sudo:'''

The <code>su</code>, <code>su -</code>, and <code>sudo</code> commands are used in a terminal to give you root access to the system. You can of course log on as root but this is not generally a good idea; once logged on in a particular identity, you tend to continue in that identity until you log off again, and it is bad practice to work as root for long periods.

Instead you should use <code>su</code> to become root "for the duration". You will need to give the root password which you set when you installed Debian. Your prompt will change to show that you are now root. When you have done what you need to do as root, type exit to get back to your own identity.

Debian has adopted specific variations for the '''su''' command:

<code>su</code> will give access to all commands except for critical system commands in the <code>/usr/sbin directory</code>. This is a function of the environment which the <code>su</code> command invokes - if you switch from user account to root with su, you retain that ''user's environment''.

<code>su -</code> will also switch you to ''root'' account but invokes the ''root environment'' which is required for any commands in the <nowiki>/usr/sbin</nowiki> directory.

For example, you can run the <code>chown</code> command '''after''' elevating to root privileges with <code>su</code>, but to run the <code>adduser</code> command you need to get root with <code>su -</code>

<code>sudo</code> should also allow running commands which require root environment like those in <nowiki>/usr/sbin/</nowiki> eg. <code>sudo blkid</code> (PM me if you have a different experience; it works here).

The <code>sudo</code> command is a more selective alternative to su, particularly useful if there are several users of your system.

By editing, as root, the file <nowiki>/etc/sudoers</nowiki>, you can give root access to a specific individual for specific commands only. This is much safer than letting them know the root password.

The man page for sudoers gives details of the syntax for this file.

The Debian installer will ask if you wish to add your user to '''sudo''' and if you wish to create a root password. If you don't specify a root password, your user will automatically be added to '''sudo'''. If you didn't add you user to '''sudo''' during install, you can do it afterwards with the command (run as <code>su -</code> and entering the root password):

<code>adduser <username> sudo</code>
of course replace <username> with your actual user name.

To use sudo, simply preface the command you wish to execute as root with the word '''sudo'''. You will be asked to enter your own user password to prove your identity.

The system will then check whether you have been given permission to execute this particular command as root; if so, it will be executed. sudo "remembers" you for a short time so that you can give a group of sudo commands without entering your password each time.

This thread was original posted on the Debian User Forumsm but @sunrat: http://forums.debian.net/viewtopic.php?f=32&t=58557&p=338548

Ref 1: http://www.linfo.org/root.html

File:9065951.jpg

2026-02-09T20:42:22Z

Donald: test

== Summary ==
test

File:5567959.jpg

2026-02-09T20:40:09Z

Donald: test

== Summary ==
test

File:4013906.jpg

2026-02-09T20:37:57Z

Donald: test

== Summary ==
test

File:188983.jpg

2026-01-31T20:33:26Z

Donald: tete

== Summary ==
tete

File:188785.jpg

2026-01-31T19:50:40Z

Donald: Wallpaper

== Summary ==
Wallpaper

Forum jokes, lingo, and memorable quotes

2026-01-07T18:41:45Z

Donald: /* Inside Humor */

Forum jokes, lingo, and memorable quotes

2025-12-14T01:19:08Z

Donald:

Forum jokes, lingo, and memorable quotes

2025-12-13T22:05:35Z

Donald:

== Inside Jokes, Lingo, and Quotes ==

===== Memorable Quotes =====
* Shiny side facing out ([https://forums.debian.net/viewtopic.php?t=157623 thread])
** The walls, ceiling and floor of my apartment are papered with heavy duty aluminum foil hung with rubber glue. Shiny side facing out. - Trihexagonal
* Why is Debian still under development???([https://forums.debian.net/viewtopic.php?p=455576#p455576 thread])
** If Debian is THAT GOOD, why is Debian still under development??? Why are new versions released? IF Debian was that good, we would al been using Debian version 0.() for the past 19 years.... - nomko

===== Inside Humor =====
The forums about header changes once in a while in some humor and to see who is paying attention. Here are the most recent:

* '''Debian Fish and Animal Emporium'''
* '''16 years of discussion about socks and the people that wear them'''
[[Category:Forums]]
[[Category:Humor]]
[[Category:About]]

Category:Licenses

2025-12-13T22:04:13Z

Donald: Created page with "Licensing"

Licensing

Security Hardening for Debian Users: Protecting Against Targeted Attacks

2025-12-13T18:32:18Z

Donald:

== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==

==== Cybersecurity Measures Against Targeted Attacks ====

* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.

* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.

==== Description of the Threat ====
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.

Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.

They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.

Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.

There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.

The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.

Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.

==== Countermeasures ====

===== Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build). =====
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.

At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.

Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.

Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.

Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.

However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.

The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.

At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote>

Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.

Apply the most secure configurations available, especially if you store sensitive personal or professional information.

Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.

This article is written both as a security recommendation and as a request for advice on improving system configuration.

If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.

==== Practical Instructions ====

===== Linux system hardening recommendations: =====

# 1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote>
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:
## Always read a script fully before running it (less script.sh, cat script.sh).
## Never paste commands from untrusted or unverified sources into the terminal.
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible Important: Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.
# Follow the principle of Attack Surface Reduction (or Occam's_razor) — disable all unnecessary daemons, services, and processes that are not required for your workflow.
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.
## If you are certain you will never use it, remove it completely from the system.
## This practice reduces potential attack vectors and strengthens overall system security.
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. Always create a full system backup before making any significant configuration changes or modifications.
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:
<syntaxhighlight lang="bash">
bash

PermitRootLogin no
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement
</syntaxhighlight>Why it matters:

* Allows you to quickly understand when and why a change was made.
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.
* Simplifies system audits and security reviews.

'''Related Aspects of Internet Security'''

There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.

1. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[wikipedia:Authenticator_app|Authenticator_app]]), or a hardware security key such as a [[wikipedia:YubiKey|YubiKey]].

This is a critical cybersecurity measure — neglecting it can completely undermine all your efforts in configuring a secure Linux system.

The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:

* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. For now, it is one of the most reliable hardware-based options for two-factor authentication.

2. Using VPN to improve privacy and security

''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.

Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.

It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.

Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.

''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.

3. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.

4. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.

''Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.''

''In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.''

'''''Note:''' Artificial intelligence tools are mentioned here as optional technical aids, not as an endorsement of any specific service or vendor.''

5. It is also important to consider the possibility of hardware-level attacks.

Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.

If, after a thorough software-level audit, a security issue remains unresolved, it is advisable <nowiki>'''</nowiki>to perform a hardware-level assessment<nowiki>'''</nowiki> as well, including verification of device firmware integrity and configuration.

<blockquote>'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''</blockquote>

'''Examples of Deep Custom Security Configurations'''

Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.

These are not universal templates, but references illustrating advanced system hardening.

====== SELinux config: ======
<syntaxhighlight lang="terminfo">
root@user:/home/user# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
root@user:/home/user# sestatus -v
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33

Process contexts:
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context: system_u:system_r:init_t:s0
/sbin/agetty system_u:system_r:getty_t:s0

File contexts:
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0
/etc/passwd system_u:object_r:etc_t:s0
/etc/shadow system_u:object_r:unlabeled_t:s0
/bin/bash system_u:object_r:shell_exec_t:s0
/bin/login system_u:object_r:login_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty system_u:object_r:getty_exec_t:s0
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0
</syntaxhighlight>

====== nftables config: ======
<syntaxhighlight lang="bash">
#!/usr/sbin/nft -f

flush ruleset

table inet filter {

# = Main chain policy =
chain input {
type filter hook input priority 0;
policy drop;

# = Common rule set =
# 🌀 Allow loopback interface (internal system processes)
iif "lo" accept

# == 🔁 Allow established and related connections ==
ct state established,related accept

# == 🔒 Limiting new connections from one IP (anti-DDoS) ==
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==
# If you experience issues with slow or failed page loads in your browser,
# try increasing the limit, for example:
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all
ip saddr 0.0.0.0/0 ct state new drop

# == 🛡️ Ping rate limiting ==
ip protocol icmp icmp type echo-request limit rate 1/second accept
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all
ip protocol icmp icmp type echo-request drop

# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)

# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)

# = Set of blocked IP addresses and ranges =

# == 🧱 Blocking known botnets and proxy networks ==
ip saddr {
45.9.20.0/24,
89.248.160.0/19,
185.220.100.0/22,
198.96.155.0/24,
185.107.56.0/24,
185.129.62.0/23
} log prefix "🔥 BAN: known bots " flags all
ip saddr {
45.9.20.0/24,
89.248.160.0/19,
185.220.100.0/22,
198.96.155.0/24,
185.107.56.0/24,
185.129.62.0/23
} drop

# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan

# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==
ip frag-off & 0x1fff != 0 drop

# == 🔒 Blocking spoofed IP packets ==
ip saddr 127.0.0.0/8 drop # localhost
ip saddr 10.0.0.0/8 drop # private network
ip saddr 172.16.0.0/12 drop # private network
ip saddr 192.168.0.0/16 drop # private network
ip saddr 169.254.0.0/16 drop # APIPA
ip saddr 0.0.0.0/8 drop # invalid address
ip saddr 224.0.0.0/4 drop # multicast
ip saddr 240.0.0.0/5 drop # reserved
}

# = Main chain policy =
chain forward {
type filter hook forward priority 0;
policy accept;

# = Blocking various types of attacks =
# Required in chain forward only if Docker or Oracle VirtualBox is present.
# If needed — uncomment.

# == 🔒 Limiting new connections from one IP (anti-DDoS) ==
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all
# ip saddr 0.0.0.0/0 ct state new drop

# == 🛡️ Ping rate limiting ==
# ip protocol icmp icmp type echo-request limit rate 1/second accept
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all
# ip protocol icmp icmp type echo-request drop

# = Allowing required TCP/UDP ports and ranges =

# == Allow TCP ports required for application operation ==
tcp dport {
53, # DNS — needed for domain name resolution
80, # HTTP — web traffic, updates and resource loading
443, # HTTPS — secure web traffic, VPN, browser
12043, # Custom 3D Application — specific client port
13000-13050 # Custom 3D Application — dynamic client port range
} accept

# == Allow UDP ports required for application operation ==
udp dport {
53, # DNS — needed for domain name resolution
443, # HTTPS via QUIC/HTTP3, browser protocols
3478, # STUN/TURN — WebRTC and video calls
3479-3481 # STUN/TURN — WebRTC and video calls
} accept

# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =

# These blocklists are intended for a DESKTOP / workstation.
# They block remote access, outdated services, proxies, DBs, IoT, and ports
# often used by malware, scanners, and C2 infrastructures.
#
# ⚠ If you use the system as a SERVER, enable IP forwarding,
# or run services with internal routing
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),
# carefully review the blocked ports/ranges in the forward chain —
# these services may need extra ports.
# Adjust or comment out required items if necessary.

# == Blocking various suspicious TCP ports ==
tcp dport {
# === Remote access (high risk) ===
22, # SSH — common brute-force target
23, # Telnet — outdated, no encryption
3389, # RDP — Windows remote desktop
5900, # VNC — remote access, frequent vulnerabilities
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===
21, # FTP — insecure protocol
137, # NetBIOS Name Service
138, # NetBIOS Datagram
139, # NetBIOS Session
445, # SMB/CIFS — common exploit target
# === Databases (NEVER expose to the Internet) ===
3306, # MySQL/MariaDB
1433, # MS SQL Server
1434, # MS SQL Browser
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===
8080, # HTTP proxy / web interfaces — often exposed accidentally
9200, # Elasticsearch API — full remote data access
# === UPnP/IoT (insecure by design) ===
1900, # SSDP / UPnP
# === Common for malware (RAT, C2, reverse shells) ===
4444, # Metasploit reverse shell
5555, # Android ADB / IoT botnets
9001, # Tor transport (used by malware)
1234, # Netcat / reverse connections
1337, # Common C2 port used by malware
# === ⚠️ Scanner ports and potentially vulnerable services ===
1080, # SOCKS proxy — used to bypass filtering
3128, # Squid proxy — may be abused as open proxy
8000, # Alternative HTTP ports, dev servers
8888, # Web interfaces, proxies, dev tools
10000 # Webmin — remote admin panel, frequent attacks
} drop

# == Blocking various suspicious UDP ports ==
udp dport {
161, # SNMP — network monitoring; abused by attackers
162 # SNMP Trap — also potentially vulnerable
} drop

# Attention! Blocking wide port ranges — be careful!
# Do not break system or application functionality!

# == TCP port ranges not used by a workstation during transit routing ==
# Blocked to prevent unwanted forwarding, hidden tunnels,
# NAT evasion, parasitic flows, and potential forward-path attacks.

tcp dport {
1024-2047, # System/legacy services; rarely needed in forward
2048-4095, # Proprietary daemons; NFS (2049) — check if used
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed
12288-16383, # Media/VoIP (TCP fallback); may break calls
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed
24576-32767, # Dynamic ranges for games/VPN; may cause issues
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM
49152-65535 # High ephemeral; widely used by modern apps
} drop

# == 🚫 Blocking UDP ports — high and dynamic ranges ==
udp dport {
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker
} drop

# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =
ip saddr {
185.0.0.0/8, # abused hosting and proxy networks
37.0.0.0/8, # cheap VPS, frequent scanning sources
88.0.0.0/8, # common brute-force and scanner range
77.0.0.0/8, # TOR/proxy nodes
91.0.0.0/8 # botnets and “grey-zone” hosting
} drop
}

chain output {
# = Main chain policy =
type filter hook output priority 0;
policy accept;

# = Blocking various types of attacks =

# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all
ip saddr 0.0.0.0/0 ct state new drop

# == 🛡️ Limiting ping requests ==
ip protocol icmp icmp type echo-request limit rate 1/second accept
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all
ip protocol icmp icmp type echo-request drop

# = Allowing required TCP/UDP ports and ranges =

# == Allow TCP ports and ranges required for application functionality ==
tcp dport {
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.
3306, # MySQL client. Needed if you connect to MySQL.
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.
3000, # Node.js dev servers. Needed for development.
3690, # SVN. If you work with an old repository.
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.
12043, # Required for Custom 3D Application.
13000-13050 # Required for Custom 3D Application.
} accept

# == Allow UDP ports and ranges required for applications ==
udp dport {
443, # Required for fast and stable operation of modern websites
# (Google, YouTube, ChatGPT, Cloudflare)
13000-13050 # Required for Custom 3D Application.
} accept

# = Blocking potentially dangerous / unnecessary TCP/UDP ports =

# These blocks are intended for a DESKTOP / workstation.
# ⚠ If you use the system as a SERVER —
# adjust or comment out the required ports/ranges as needed.

# == Blocking various suspicious TCP ports ==
tcp dport {
# === Remote access (high-risk) ===
22, # SSH — target of brute-force attacks.
23, # Telnet — outdated, unencrypted.
3389, # RDP — Windows remote access.
5900, # VNC — remote access, often vulnerable.
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===
21, # FTP — insecure protocol.
137, # NetBIOS Name Service.
138, # NetBIOS Datagram.
139, # NetBIOS Session.
445, # SMB/CIFS — frequent exploitation target.
# === Databases (NEVER open to the Internet) ===
3306, # MySQL/MariaDB.
1433, # MS SQL Server.
1434, # MS SQL Browser.
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===
8080, # HTTP proxy / web interfaces — often exposed test interfaces.
9200, # Elasticsearch API — full remote access to data.
# === UPnP/IoT (vulnerable by design) ===
1900, # SSDP / UPnP.
# === Common malware ports (RAT, C2, reverse shells) ===
4444, # Metasploit reverse shell.
5555, # Android ADB / IoT botnets.
9001, # Tor transport (used by malware).
1234, # Netcat / reverse connections.
1337, # Common C2 malware port.
# === ⚠️ Ports of scanners and potentially vulnerable services ===
1080, # SOCKS proxy — often abused for bypassing filters.
3128, # Squid HTTP proxy — can be used as open proxy.
8000, # Alternative HTTP ports, web services — potentially vulnerable.
8888, # Alternative web interfaces — test and proxy ports.
10000 # Webmin — web admin panel, target of attacks.
} drop

# == Blocking various suspicious UDP ports ==
udp dport {
161, # SNMP — network monitoring; can be abused by attackers.
162 # SNMP Trap — same, potential vulnerability.
} drop

# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️
# Do not break system or application functionality!
# If you need a range — uncomment.
# If you don’t — comment out.

# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==
tcp dport {
1-1023, # 🛑 Privileged ports.
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.
2048-3071, # Rare proprietary protocols and middleware.
3072-4999, # Mostly ports of legacy, server, corporate apps;
# rarely needed on workstations.
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.
7000-7999, # Alternative/test ports, often used by trojans.
9000-9999, # Web services, proxies, possible backdoor ports.
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,
# but not needed by most desktop services.
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,
# but system services rarely use them.
} drop

# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==
udp dport {
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.
# Usually safe to block.
2048-4095, # Rarely used standard ports, proprietary services.
# Usually safe to block.
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.
# Can block, but cautiously: may affect VPN/apps.
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.
# Might cause side effects; better test first.
12288-16383, # Old RTP/VoIP ranges and media streams.
# Can block, but might break video calls.
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.
# ❗ Do not block if you need video calls/WebRTC/VPN.
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.
# ❗ May break VPN or some apps.
} drop

# == 🕷️ Blocking suspicious IPs —
# large ranges often used by botnets, spam networks, and scanners ==
ip saddr {
185.0.0.0/8, # Abused hosting and proxy networks.
37.0.0.0/8, # Cheap VPS, scanning sources.
88.0.0.0/8, # Frequent brute-force and scanners.
77.0.0.0/8, # Massive TOR/proxy nodes.
91.0.0.0/8 # Botnets and “grey” hosting.
} drop
}
}

</syntaxhighlight>

====== sysctl config: ======
kernel parameters configuration

/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash">
# 1 Ignore ICMP on interfaces
net.ipv4.icmp_echo_ignore_all = 1

# 2 Do not respond to ICMP broadcast (against Smurf attacks)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# 3 Enable SYN backlog reduction
net.ipv4.tcp_syncookies = 1

# 4 Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# 5 Log packets with incorrect routing
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# 6 Disable ICMP Redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# 7 Disable packet forwarding
net.ipv4.ip_forward = 0

# 8 Disable IPv6 support
net.ipv4.conf.all.disable_ipv6 = 1
net.ipv4.conf.default.disable_ipv6 = 1

# 9 Prevent sending TCP segments with null windows
net.ipv4.tcp_rfc1337 = 1

# 10 Disable ARP filtering for automatic routing
net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.default.arp_filter = 1

# 11 Limit the maximum size of the incoming TCP window
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 65536 4194304

# 12 Drop packets with incorrect checksums
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1

# 13 Disable IPv6 forwarding
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# 14 Limit the maximum number of SYN packet retries
net.ipv4.tcp_synack_retries = 2

# 15 Increase routing cache lifetime
net.ipv4.route.max_size = 32768
</syntaxhighlight>

====== auditd rules config: ======
/etc/audit/rules.d/audit.rules

<syntaxhighlight lang="bash">
## Flush rules
-D

## Buffers
-b 8192
--backlog_wait_time 60000
-f 1

## Network audit
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept

## Logging execve commands
-a always,exit -F arch=b64 -S execve -F key=exec_log

## Audit logins and sessions
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

## sudo / su
-w /etc/sudoers -p wa -k sudo
-w /etc/sudoers.d/ -p wa -k sudo
-w /bin/su -p x -k su_cmd

## Account and configuration changes
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/hosts -p wa -k system_conf
-w /etc/hostname -p wa -k system_conf
-w /etc/resolv.conf -p wa -k system_conf
-w /etc/issue -p wa -k system_conf
-w /etc/network/ -p wa -k system_conf

## Time changes
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change

## Audit SSH connections and changes
-w /etc/ssh/sshd_config -p wa -k ssh_config_change
-w /var/log/auth.log -p wa -k ssh_login

## Audit usage of remote tools (e.g., SSH, netcat)
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process

## Audit privileged access
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/sudoers.d/ -p wa -k sudoers_changes
-w /bin/sudo -p x -k sudo_command

## Monitor credential changes
#-w /root/.ssh/ -p wa -k ssh_keys
#-w /home/*/.ssh/ -p wa -k ssh_keys

## Audit use of remote network services
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect

# Log package installation and removal via dpkg
-w /usr/bin/dpkg -p x
-w /usr/sbin/apt-get -p x
-w /usr/bin/apt -p x
</syntaxhighlight>This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131, it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks
[[Category:Security]]
[[Category:Hardening]]

Security Hardening for Debian Users: Protecting Against Targeted Attacks

2025-12-13T03:12:48Z

Donald:

== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==

==== Cybersecurity Measures Against Targeted Attacks ====

* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.

* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.

==== Description of the Threat ====
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.

Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.

They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.

Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.

There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.

The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.

Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.

==== Countermeasures ====

===== Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build). =====
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.

At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.

Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.

Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.

Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.

However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.

The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.

At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote>

Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.

Apply the most secure configurations available, especially if you store sensitive personal or professional information.

Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.

This article is written both as a security recommendation and as a request for advice on improving system configuration.

If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.

==== Practical Instructions ====

===== Linux system hardening recommendations: =====

# 1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote>
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:
## Always read a script fully before running it (less script.sh, cat script.sh).
## Never paste commands from untrusted or unverified sources into the terminal.
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible Important: Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.
# Follow the principle of Attack Surface Reduction (or Occam's_razor) — disable all unnecessary daemons, services, and processes that are not required for your workflow.
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.
## If you are certain you will never use it, remove it completely from the system.
## This practice reduces potential attack vectors and strengthens overall system security.
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. Always create a full system backup before making any significant configuration changes or modifications.
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:
<syntaxhighlight lang="bash">
bash

PermitRootLogin no
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement
</syntaxhighlight>Why it matters:

* Allows you to quickly understand when and why a change was made.
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.
* Simplifies system audits and security reviews.

'''Related Aspects of Internet Security'''

There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.

1. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[wikipedia:Authenticator_app|Authenticator_app]]), or a hardware security key such as a [[wikipedia:YubiKey|YubiKey]].

This is a critical cybersecurity measure — neglecting it can completely undermine all your efforts in configuring a secure Linux system.

The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:

* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. For now, it is one of the most reliable hardware-based options for two-factor authentication.

2. Using VPN to improve privacy and security

''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.

Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.

It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.

Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.

''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.

3. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.

4. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.

''Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.''

''In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.''

'''''Note:''' Artificial intelligence tools are mentioned here as optional technical aids, not as an endorsement of any specific service or vendor.''

5. It is also important to consider the possibility of hardware-level attacks.

Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.

If, after a thorough software-level audit, a security issue remains unresolved, it is advisable <nowiki>'''</nowiki>to perform a hardware-level assessment<nowiki>'''</nowiki> as well, including verification of device firmware integrity and configuration.

<blockquote>'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''</blockquote>

'''Examples of Deep Custom Security Configurations'''

Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.

These are not universal templates, but references illustrating advanced system hardening.

====== SELinux config: ======
<syntaxhighlight lang="terminfo">
root@user:/home/user# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
root@user:/home/user# sestatus -v
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33

Process contexts:
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context: system_u:system_r:init_t:s0
/sbin/agetty system_u:system_r:getty_t:s0

File contexts:
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0
/etc/passwd system_u:object_r:etc_t:s0
/etc/shadow system_u:object_r:unlabeled_t:s0
/bin/bash system_u:object_r:shell_exec_t:s0
/bin/login system_u:object_r:login_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty system_u:object_r:getty_exec_t:s0
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0
</syntaxhighlight>

====== nftables config: ======
<syntaxhighlight lang="bash">
#!/usr/sbin/nft -f

flush ruleset

table inet filter {

# = Main chain policy =
chain input {
type filter hook input priority 0;
policy drop;

# = Common rule set =
# 🌀 Allow loopback interface (internal system processes)
iif "lo" accept

# == 🔁 Allow established and related connections ==
ct state established,related accept

# == 🔒 Limiting new connections from one IP (anti-DDoS) ==
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==
# If you experience issues with slow or failed page loads in your browser,
# try increasing the limit, for example:
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all
ip saddr 0.0.0.0/0 ct state new drop

# == 🛡️ Ping rate limiting ==
ip protocol icmp icmp type echo-request limit rate 1/second accept
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all
ip protocol icmp icmp type echo-request drop

# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)

# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)

# = Set of blocked IP addresses and ranges =

# == 🧱 Blocking known botnets and proxy networks ==
ip saddr {
45.9.20.0/24,
89.248.160.0/19,
185.220.100.0/22,
198.96.155.0/24,
185.107.56.0/24,
185.129.62.0/23
} log prefix "🔥 BAN: known bots " flags all
ip saddr {
45.9.20.0/24,
89.248.160.0/19,
185.220.100.0/22,
198.96.155.0/24,
185.107.56.0/24,
185.129.62.0/23
} drop

# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan

# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==
ip frag-off & 0x1fff != 0 drop

# == 🔒 Blocking spoofed IP packets ==
ip saddr 127.0.0.0/8 drop # localhost
ip saddr 10.0.0.0/8 drop # private network
ip saddr 172.16.0.0/12 drop # private network
ip saddr 192.168.0.0/16 drop # private network
ip saddr 169.254.0.0/16 drop # APIPA
ip saddr 0.0.0.0/8 drop # invalid address
ip saddr 224.0.0.0/4 drop # multicast
ip saddr 240.0.0.0/5 drop # reserved
}

# = Main chain policy =
chain forward {
type filter hook forward priority 0;
policy accept;

# = Blocking various types of attacks =
# Required in chain forward only if Docker or Oracle VirtualBox is present.
# If needed — uncomment.

# == 🔒 Limiting new connections from one IP (anti-DDoS) ==
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all
# ip saddr 0.0.0.0/0 ct state new drop

# == 🛡️ Ping rate limiting ==
# ip protocol icmp icmp type echo-request limit rate 1/second accept
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all
# ip protocol icmp icmp type echo-request drop

# = Allowing required TCP/UDP ports and ranges =

# == Allow TCP ports required for application operation ==
tcp dport {
53, # DNS — needed for domain name resolution
80, # HTTP — web traffic, updates and resource loading
443, # HTTPS — secure web traffic, VPN, browser
12043, # Custom 3D Application — specific client port
13000-13050 # Custom 3D Application — dynamic client port range
} accept

# == Allow UDP ports required for application operation ==
udp dport {
53, # DNS — needed for domain name resolution
443, # HTTPS via QUIC/HTTP3, browser protocols
3478, # STUN/TURN — WebRTC and video calls
3479-3481 # STUN/TURN — WebRTC and video calls
} accept

# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =

# These blocklists are intended for a DESKTOP / workstation.
# They block remote access, outdated services, proxies, DBs, IoT, and ports
# often used by malware, scanners, and C2 infrastructures.
#
# ⚠ If you use the system as a SERVER, enable IP forwarding,
# or run services with internal routing
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),
# carefully review the blocked ports/ranges in the forward chain —
# these services may need extra ports.
# Adjust or comment out required items if necessary.

# == Blocking various suspicious TCP ports ==
tcp dport {
# === Remote access (high risk) ===
22, # SSH — common brute-force target
23, # Telnet — outdated, no encryption
3389, # RDP — Windows remote desktop
5900, # VNC — remote access, frequent vulnerabilities
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===
21, # FTP — insecure protocol
137, # NetBIOS Name Service
138, # NetBIOS Datagram
139, # NetBIOS Session
445, # SMB/CIFS — common exploit target
# === Databases (NEVER expose to the Internet) ===
3306, # MySQL/MariaDB
1433, # MS SQL Server
1434, # MS SQL Browser
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===
8080, # HTTP proxy / web interfaces — often exposed accidentally
9200, # Elasticsearch API — full remote data access
# === UPnP/IoT (insecure by design) ===
1900, # SSDP / UPnP
# === Common for malware (RAT, C2, reverse shells) ===
4444, # Metasploit reverse shell
5555, # Android ADB / IoT botnets
9001, # Tor transport (used by malware)
1234, # Netcat / reverse connections
1337, # Common C2 port used by malware
# === ⚠️ Scanner ports and potentially vulnerable services ===
1080, # SOCKS proxy — used to bypass filtering
3128, # Squid proxy — may be abused as open proxy
8000, # Alternative HTTP ports, dev servers
8888, # Web interfaces, proxies, dev tools
10000 # Webmin — remote admin panel, frequent attacks
} drop

# == Blocking various suspicious UDP ports ==
udp dport {
161, # SNMP — network monitoring; abused by attackers
162 # SNMP Trap — also potentially vulnerable
} drop

# Attention! Blocking wide port ranges — be careful!
# Do not break system or application functionality!

# == TCP port ranges not used by a workstation during transit routing ==
# Blocked to prevent unwanted forwarding, hidden tunnels,
# NAT evasion, parasitic flows, and potential forward-path attacks.

tcp dport {
1024-2047, # System/legacy services; rarely needed in forward
2048-4095, # Proprietary daemons; NFS (2049) — check if used
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed
12288-16383, # Media/VoIP (TCP fallback); may break calls
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed
24576-32767, # Dynamic ranges for games/VPN; may cause issues
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM
49152-65535 # High ephemeral; widely used by modern apps
} drop

# == 🚫 Blocking UDP ports — high and dynamic ranges ==
udp dport {
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker
} drop

# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =
ip saddr {
185.0.0.0/8, # abused hosting and proxy networks
37.0.0.0/8, # cheap VPS, frequent scanning sources
88.0.0.0/8, # common brute-force and scanner range
77.0.0.0/8, # TOR/proxy nodes
91.0.0.0/8 # botnets and “grey-zone” hosting
} drop
}

chain output {
# = Main chain policy =
type filter hook output priority 0;
policy accept;

# = Blocking various types of attacks =

# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all
ip saddr 0.0.0.0/0 ct state new drop

# == 🛡️ Limiting ping requests ==
ip protocol icmp icmp type echo-request limit rate 1/second accept
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all
ip protocol icmp icmp type echo-request drop

# = Allowing required TCP/UDP ports and ranges =

# == Allow TCP ports and ranges required for application functionality ==
tcp dport {
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.
3306, # MySQL client. Needed if you connect to MySQL.
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.
3000, # Node.js dev servers. Needed for development.
3690, # SVN. If you work with an old repository.
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.
12043, # Required for Custom 3D Application.
13000-13050 # Required for Custom 3D Application.
} accept

# == Allow UDP ports and ranges required for applications ==
udp dport {
443, # Required for fast and stable operation of modern websites
# (Google, YouTube, ChatGPT, Cloudflare)
13000-13050 # Required for Custom 3D Application.
} accept

# = Blocking potentially dangerous / unnecessary TCP/UDP ports =

# These blocks are intended for a DESKTOP / workstation.
# ⚠ If you use the system as a SERVER —
# adjust or comment out the required ports/ranges as needed.

# == Blocking various suspicious TCP ports ==
tcp dport {
# === Remote access (high-risk) ===
22, # SSH — target of brute-force attacks.
23, # Telnet — outdated, unencrypted.
3389, # RDP — Windows remote access.
5900, # VNC — remote access, often vulnerable.
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===
21, # FTP — insecure protocol.
137, # NetBIOS Name Service.
138, # NetBIOS Datagram.
139, # NetBIOS Session.
445, # SMB/CIFS — frequent exploitation target.
# === Databases (NEVER open to the Internet) ===
3306, # MySQL/MariaDB.
1433, # MS SQL Server.
1434, # MS SQL Browser.
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===
8080, # HTTP proxy / web interfaces — often exposed test interfaces.
9200, # Elasticsearch API — full remote access to data.
# === UPnP/IoT (vulnerable by design) ===
1900, # SSDP / UPnP.
# === Common malware ports (RAT, C2, reverse shells) ===
4444, # Metasploit reverse shell.
5555, # Android ADB / IoT botnets.
9001, # Tor transport (used by malware).
1234, # Netcat / reverse connections.
1337, # Common C2 malware port.
# === ⚠️ Ports of scanners and potentially vulnerable services ===
1080, # SOCKS proxy — often abused for bypassing filters.
3128, # Squid HTTP proxy — can be used as open proxy.
8000, # Alternative HTTP ports, web services — potentially vulnerable.
8888, # Alternative web interfaces — test and proxy ports.
10000 # Webmin — web admin panel, target of attacks.
} drop

# == Blocking various suspicious UDP ports ==
udp dport {
161, # SNMP — network monitoring; can be abused by attackers.
162 # SNMP Trap — same, potential vulnerability.
} drop

# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️
# Do not break system or application functionality!
# If you need a range — uncomment.
# If you don’t — comment out.

# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==
tcp dport {
1-1023, # 🛑 Privileged ports.
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.
2048-3071, # Rare proprietary protocols and middleware.
3072-4999, # Mostly ports of legacy, server, corporate apps;
# rarely needed on workstations.
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.
7000-7999, # Alternative/test ports, often used by trojans.
9000-9999, # Web services, proxies, possible backdoor ports.
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,
# but not needed by most desktop services.
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,
# but system services rarely use them.
} drop

# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==
udp dport {
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.
# Usually safe to block.
2048-4095, # Rarely used standard ports, proprietary services.
# Usually safe to block.
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.
# Can block, but cautiously: may affect VPN/apps.
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.
# Might cause side effects; better test first.
12288-16383, # Old RTP/VoIP ranges and media streams.
# Can block, but might break video calls.
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.
# ❗ Do not block if you need video calls/WebRTC/VPN.
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.
# ❗ May break VPN or some apps.
} drop

# == 🕷️ Blocking suspicious IPs —
# large ranges often used by botnets, spam networks, and scanners ==
ip saddr {
185.0.0.0/8, # Abused hosting and proxy networks.
37.0.0.0/8, # Cheap VPS, scanning sources.
88.0.0.0/8, # Frequent brute-force and scanners.
77.0.0.0/8, # Massive TOR/proxy nodes.
91.0.0.0/8 # Botnets and “grey” hosting.
} drop
}
}

</syntaxhighlight>

====== sysctl config: ======
kernel parameters configuration

/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash">
# 1 Ignore ICMP on interfaces
net.ipv4.icmp_echo_ignore_all = 1

# 2 Do not respond to ICMP broadcast (against Smurf attacks)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# 3 Enable SYN backlog reduction
net.ipv4.tcp_syncookies = 1

# 4 Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# 5 Log packets with incorrect routing
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# 6 Disable ICMP Redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# 7 Disable packet forwarding
net.ipv4.ip_forward = 0

# 8 Disable IPv6 support
net.ipv4.conf.all.disable_ipv6 = 1
net.ipv4.conf.default.disable_ipv6 = 1

# 9 Prevent sending TCP segments with null windows
net.ipv4.tcp_rfc1337 = 1

# 10 Disable ARP filtering for automatic routing
net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.default.arp_filter = 1

# 11 Limit the maximum size of the incoming TCP window
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 65536 4194304

# 12 Drop packets with incorrect checksums
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1

# 13 Disable IPv6 forwarding
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# 14 Limit the maximum number of SYN packet retries
net.ipv4.tcp_synack_retries = 2

# 15 Increase routing cache lifetime
net.ipv4.route.max_size = 32768
</syntaxhighlight>

====== auditd rules config: ======
/etc/audit/rules.d/audit.rules

<syntaxhighlight lang="bash">
## Flush rules
-D

## Buffers
-b 8192
--backlog_wait_time 60000
-f 1

## Network audit
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept

## Logging execve commands
-a always,exit -F arch=b64 -S execve -F key=exec_log

## Audit logins and sessions
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

## sudo / su
-w /etc/sudoers -p wa -k sudo
-w /etc/sudoers.d/ -p wa -k sudo
-w /bin/su -p x -k su_cmd

## Account and configuration changes
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/hosts -p wa -k system_conf
-w /etc/hostname -p wa -k system_conf
-w /etc/resolv.conf -p wa -k system_conf
-w /etc/issue -p wa -k system_conf
-w /etc/network/ -p wa -k system_conf

## Time changes
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change

## Audit SSH connections and changes
-w /etc/ssh/sshd_config -p wa -k ssh_config_change
-w /var/log/auth.log -p wa -k ssh_login

## Audit usage of remote tools (e.g., SSH, netcat)
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process

## Audit privileged access
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/sudoers.d/ -p wa -k sudoers_changes
-w /bin/sudo -p x -k sudo_command

## Monitor credential changes
#-w /root/.ssh/ -p wa -k ssh_keys
#-w /home/*/.ssh/ -p wa -k ssh_keys

## Audit use of remote network services
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect

# Log package installation and removal via dpkg
-w /usr/bin/dpkg -p x
-w /usr/sbin/apt-get -p x
-w /usr/bin/apt -p x
</syntaxhighlight>This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131, it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks
[[index.php?title=Category:HowTo]]
[[index.php?title=Category:Hardening]]
[[index.php?title=Category:Security]]

Security Hardening for Debian Users: Protecting Against Targeted Attacks

2025-12-13T03:12:26Z

Donald: Undo revision 109 by Donald (talk)

== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==

==== Cybersecurity Measures Against Targeted Attacks ====

* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.

* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.

==== Description of the Threat ====
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.

Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.

They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.

Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.

There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.

The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.

Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.

==== Countermeasures ====

===== Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build). =====
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.

At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.

Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.

Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds <nowiki>'''may contain embedded backdoors, trojans, rootkits, or other forms of malware'''</nowiki>, which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.

Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.

However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.

The adversary type described in this article is experienced and resourceful. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.

At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote>

Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) so they do not catch you off guard.

Apply the most secure configurations available, especially if you store sensitive personal or professional information.

Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.

This article is written both as a security recommendation and as a request for advice on improving system configuration.

If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.

==== Practical Instructions ====

===== Linux system hardening recommendations: =====

# 1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser. <blockquote>Important: Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote>
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:
## Always read a script fully before running it (less script.sh, cat script.sh).
## Never paste commands from untrusted or unverified sources into the terminal.
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible Important: Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. My nftables config is attached below.
# Configure kernel parameters for maximum security (sysctl hardening). My 99-protect.conf config is attached below.
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). My auditd config is attached below.
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.
# Follow the principle of Attack Surface Reduction (or Occam's_razor) — disable all unnecessary daemons, services, and processes that are not required for your workflow.
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.
## If you are certain you will never use it, remove it completely from the system.
## This practice reduces potential attack vectors and strengthens overall system security.
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. Always create a full system backup before making any significant configuration changes or modifications.
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:
<syntaxhighlight lang="bash">
bash

PermitRootLogin no
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement
</syntaxhighlight>Why it matters:

* Allows you to quickly understand when and why a change was made.
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.
* Simplifies system audits and security reviews.

'''Related Aspects of Internet Security'''

There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.

1. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[wikipedia:Authenticator_app|Authenticator_app]]), or a hardware security key such as a [[wikipedia:YubiKey|YubiKey]].

This is a critical cybersecurity measure — neglecting it can completely undermine all your efforts in configuring a secure Linux system.

The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:

* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. For now, it is one of the most reliable hardware-based options for two-factor authentication.

2. Using VPN to improve privacy and security

''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.

Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.

It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.

Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.

''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.

3. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.

4. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.

''Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.''

''In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.''

'''''Note:''' Artificial intelligence tools are mentioned here as optional technical aids, not as an endorsement of any specific service or vendor.''

5. It is also important to consider the possibility of hardware-level attacks.

Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.

If, after a thorough software-level audit, a security issue remains unresolved, it is advisable <nowiki>'''</nowiki>to perform a hardware-level assessment<nowiki>'''</nowiki> as well, including verification of device firmware integrity and configuration.

<blockquote>'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''</blockquote>

'''Examples of Deep Custom Security Configurations'''

Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.

These are not universal templates, but references illustrating advanced system hardening.

====== SELinux config: ======
<syntaxhighlight lang="terminfo">
root@user:/home/user# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
root@user:/home/user# sestatus -v
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33

Process contexts:
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context: system_u:system_r:init_t:s0
/sbin/agetty system_u:system_r:getty_t:s0

File contexts:
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0
/etc/passwd system_u:object_r:etc_t:s0
/etc/shadow system_u:object_r:unlabeled_t:s0
/bin/bash system_u:object_r:shell_exec_t:s0
/bin/login system_u:object_r:login_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty system_u:object_r:getty_exec_t:s0
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0
</syntaxhighlight>

====== nftables config: ======
<syntaxhighlight lang="bash">
#!/usr/sbin/nft -f

flush ruleset

table inet filter {

# = Main chain policy =
chain input {
type filter hook input priority 0;
policy drop;

# = Common rule set =
# 🌀 Allow loopback interface (internal system processes)
iif "lo" accept

# == 🔁 Allow established and related connections ==
ct state established,related accept

# == 🔒 Limiting new connections from one IP (anti-DDoS) ==
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==
# If you experience issues with slow or failed page loads in your browser,
# try increasing the limit, for example:
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all
ip saddr 0.0.0.0/0 ct state new drop

# == 🛡️ Ping rate limiting ==
ip protocol icmp icmp type echo-request limit rate 1/second accept
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all
ip protocol icmp icmp type echo-request drop

# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)

# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)

# = Set of blocked IP addresses and ranges =

# == 🧱 Blocking known botnets and proxy networks ==
ip saddr {
45.9.20.0/24,
89.248.160.0/19,
185.220.100.0/22,
198.96.155.0/24,
185.107.56.0/24,
185.129.62.0/23
} log prefix "🔥 BAN: known bots " flags all
ip saddr {
45.9.20.0/24,
89.248.160.0/19,
185.220.100.0/22,
198.96.155.0/24,
185.107.56.0/24,
185.129.62.0/23
} drop

# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan

# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==
ip frag-off & 0x1fff != 0 drop

# == 🔒 Blocking spoofed IP packets ==
ip saddr 127.0.0.0/8 drop # localhost
ip saddr 10.0.0.0/8 drop # private network
ip saddr 172.16.0.0/12 drop # private network
ip saddr 192.168.0.0/16 drop # private network
ip saddr 169.254.0.0/16 drop # APIPA
ip saddr 0.0.0.0/8 drop # invalid address
ip saddr 224.0.0.0/4 drop # multicast
ip saddr 240.0.0.0/5 drop # reserved
}

# = Main chain policy =
chain forward {
type filter hook forward priority 0;
policy accept;

# = Blocking various types of attacks =
# Required in chain forward only if Docker or Oracle VirtualBox is present.
# If needed — uncomment.

# == 🔒 Limiting new connections from one IP (anti-DDoS) ==
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all
# ip saddr 0.0.0.0/0 ct state new drop

# == 🛡️ Ping rate limiting ==
# ip protocol icmp icmp type echo-request limit rate 1/second accept
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all
# ip protocol icmp icmp type echo-request drop

# = Allowing required TCP/UDP ports and ranges =

# == Allow TCP ports required for application operation ==
tcp dport {
53, # DNS — needed for domain name resolution
80, # HTTP — web traffic, updates and resource loading
443, # HTTPS — secure web traffic, VPN, browser
12043, # Custom 3D Application — specific client port
13000-13050 # Custom 3D Application — dynamic client port range
} accept

# == Allow UDP ports required for application operation ==
udp dport {
53, # DNS — needed for domain name resolution
443, # HTTPS via QUIC/HTTP3, browser protocols
3478, # STUN/TURN — WebRTC and video calls
3479-3481 # STUN/TURN — WebRTC and video calls
} accept

# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =

# These blocklists are intended for a DESKTOP / workstation.
# They block remote access, outdated services, proxies, DBs, IoT, and ports
# often used by malware, scanners, and C2 infrastructures.
#
# ⚠ If you use the system as a SERVER, enable IP forwarding,
# or run services with internal routing
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),
# carefully review the blocked ports/ranges in the forward chain —
# these services may need extra ports.
# Adjust or comment out required items if necessary.

# == Blocking various suspicious TCP ports ==
tcp dport {
# === Remote access (high risk) ===
22, # SSH — common brute-force target
23, # Telnet — outdated, no encryption
3389, # RDP — Windows remote desktop
5900, # VNC — remote access, frequent vulnerabilities
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===
21, # FTP — insecure protocol
137, # NetBIOS Name Service
138, # NetBIOS Datagram
139, # NetBIOS Session
445, # SMB/CIFS — common exploit target
# === Databases (NEVER expose to the Internet) ===
3306, # MySQL/MariaDB
1433, # MS SQL Server
1434, # MS SQL Browser
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===
8080, # HTTP proxy / web interfaces — often exposed accidentally
9200, # Elasticsearch API — full remote data access
# === UPnP/IoT (insecure by design) ===
1900, # SSDP / UPnP
# === Common for malware (RAT, C2, reverse shells) ===
4444, # Metasploit reverse shell
5555, # Android ADB / IoT botnets
9001, # Tor transport (used by malware)
1234, # Netcat / reverse connections
1337, # Common C2 port used by malware
# === ⚠️ Scanner ports and potentially vulnerable services ===
1080, # SOCKS proxy — used to bypass filtering
3128, # Squid proxy — may be abused as open proxy
8000, # Alternative HTTP ports, dev servers
8888, # Web interfaces, proxies, dev tools
10000 # Webmin — remote admin panel, frequent attacks
} drop

# == Blocking various suspicious UDP ports ==
udp dport {
161, # SNMP — network monitoring; abused by attackers
162 # SNMP Trap — also potentially vulnerable
} drop

# Attention! Blocking wide port ranges — be careful!
# Do not break system or application functionality!

# == TCP port ranges not used by a workstation during transit routing ==
# Blocked to prevent unwanted forwarding, hidden tunnels,
# NAT evasion, parasitic flows, and potential forward-path attacks.

tcp dport {
1024-2047, # System/legacy services; rarely needed in forward
2048-4095, # Proprietary daemons; NFS (2049) — check if used
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed
12288-16383, # Media/VoIP (TCP fallback); may break calls
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed
24576-32767, # Dynamic ranges for games/VPN; may cause issues
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM
49152-65535 # High ephemeral; widely used by modern apps
} drop

# == 🚫 Blocking UDP ports — high and dynamic ranges ==
udp dport {
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker
} drop

# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =
ip saddr {
185.0.0.0/8, # abused hosting and proxy networks
37.0.0.0/8, # cheap VPS, frequent scanning sources
88.0.0.0/8, # common brute-force and scanner range
77.0.0.0/8, # TOR/proxy nodes
91.0.0.0/8 # botnets and “grey-zone” hosting
} drop
}

chain output {
# = Main chain policy =
type filter hook output priority 0;
policy accept;

# = Blocking various types of attacks =

# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all
ip saddr 0.0.0.0/0 ct state new drop

# == 🛡️ Limiting ping requests ==
ip protocol icmp icmp type echo-request limit rate 1/second accept
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all
ip protocol icmp icmp type echo-request drop

# = Allowing required TCP/UDP ports and ranges =

# == Allow TCP ports and ranges required for application functionality ==
tcp dport {
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.
3306, # MySQL client. Needed if you connect to MySQL.
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.
3000, # Node.js dev servers. Needed for development.
3690, # SVN. If you work with an old repository.
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.
12043, # Required for Custom 3D Application.
13000-13050 # Required for Custom 3D Application.
} accept

# == Allow UDP ports and ranges required for applications ==
udp dport {
443, # Required for fast and stable operation of modern websites
# (Google, YouTube, ChatGPT, Cloudflare)
13000-13050 # Required for Custom 3D Application.
} accept

# = Blocking potentially dangerous / unnecessary TCP/UDP ports =

# These blocks are intended for a DESKTOP / workstation.
# ⚠ If you use the system as a SERVER —
# adjust or comment out the required ports/ranges as needed.

# == Blocking various suspicious TCP ports ==
tcp dport {
# === Remote access (high-risk) ===
22, # SSH — target of brute-force attacks.
23, # Telnet — outdated, unencrypted.
3389, # RDP — Windows remote access.
5900, # VNC — remote access, often vulnerable.
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===
21, # FTP — insecure protocol.
137, # NetBIOS Name Service.
138, # NetBIOS Datagram.
139, # NetBIOS Session.
445, # SMB/CIFS — frequent exploitation target.
# === Databases (NEVER open to the Internet) ===
3306, # MySQL/MariaDB.
1433, # MS SQL Server.
1434, # MS SQL Browser.
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===
8080, # HTTP proxy / web interfaces — often exposed test interfaces.
9200, # Elasticsearch API — full remote access to data.
# === UPnP/IoT (vulnerable by design) ===
1900, # SSDP / UPnP.
# === Common malware ports (RAT, C2, reverse shells) ===
4444, # Metasploit reverse shell.
5555, # Android ADB / IoT botnets.
9001, # Tor transport (used by malware).
1234, # Netcat / reverse connections.
1337, # Common C2 malware port.
# === ⚠️ Ports of scanners and potentially vulnerable services ===
1080, # SOCKS proxy — often abused for bypassing filters.
3128, # Squid HTTP proxy — can be used as open proxy.
8000, # Alternative HTTP ports, web services — potentially vulnerable.
8888, # Alternative web interfaces — test and proxy ports.
10000 # Webmin — web admin panel, target of attacks.
} drop

# == Blocking various suspicious UDP ports ==
udp dport {
161, # SNMP — network monitoring; can be abused by attackers.
162 # SNMP Trap — same, potential vulnerability.
} drop

# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️
# Do not break system or application functionality!
# If you need a range — uncomment.
# If you don’t — comment out.

# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==
tcp dport {
1-1023, # 🛑 Privileged ports.
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.
2048-3071, # Rare proprietary protocols and middleware.
3072-4999, # Mostly ports of legacy, server, corporate apps;
# rarely needed on workstations.
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.
7000-7999, # Alternative/test ports, often used by trojans.
9000-9999, # Web services, proxies, possible backdoor ports.
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,
# but not needed by most desktop services.
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,
# but system services rarely use them.
} drop

# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==
udp dport {
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.
# Usually safe to block.
2048-4095, # Rarely used standard ports, proprietary services.
# Usually safe to block.
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.
# Can block, but cautiously: may affect VPN/apps.
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.
# Might cause side effects; better test first.
12288-16383, # Old RTP/VoIP ranges and media streams.
# Can block, but might break video calls.
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.
# ❗ Do not block if you need video calls/WebRTC/VPN.
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.
# ❗ May break VPN or some apps.
} drop

# == 🕷️ Blocking suspicious IPs —
# large ranges often used by botnets, spam networks, and scanners ==
ip saddr {
185.0.0.0/8, # Abused hosting and proxy networks.
37.0.0.0/8, # Cheap VPS, scanning sources.
88.0.0.0/8, # Frequent brute-force and scanners.
77.0.0.0/8, # Massive TOR/proxy nodes.
91.0.0.0/8 # Botnets and “grey” hosting.
} drop
}
}

</syntaxhighlight>

====== sysctl config: ======
kernel parameters configuration

/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash">
# 1 Ignore ICMP on interfaces
net.ipv4.icmp_echo_ignore_all = 1

# 2 Do not respond to ICMP broadcast (against Smurf attacks)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# 3 Enable SYN backlog reduction
net.ipv4.tcp_syncookies = 1

# 4 Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# 5 Log packets with incorrect routing
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# 6 Disable ICMP Redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# 7 Disable packet forwarding
net.ipv4.ip_forward = 0

# 8 Disable IPv6 support
net.ipv4.conf.all.disable_ipv6 = 1
net.ipv4.conf.default.disable_ipv6 = 1

# 9 Prevent sending TCP segments with null windows
net.ipv4.tcp_rfc1337 = 1

# 10 Disable ARP filtering for automatic routing
net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.default.arp_filter = 1

# 11 Limit the maximum size of the incoming TCP window
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 65536 4194304

# 12 Drop packets with incorrect checksums
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1

# 13 Disable IPv6 forwarding
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# 14 Limit the maximum number of SYN packet retries
net.ipv4.tcp_synack_retries = 2

# 15 Increase routing cache lifetime
net.ipv4.route.max_size = 32768
</syntaxhighlight>

====== auditd rules config: ======
/etc/audit/rules.d/audit.rules

<syntaxhighlight lang="bash">
## Flush rules
-D

## Buffers
-b 8192
--backlog_wait_time 60000
-f 1

## Network audit
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept

## Logging execve commands
-a always,exit -F arch=b64 -S execve -F key=exec_log

## Audit logins and sessions
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

## sudo / su
-w /etc/sudoers -p wa -k sudo
-w /etc/sudoers.d/ -p wa -k sudo
-w /bin/su -p x -k su_cmd

## Account and configuration changes
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/hosts -p wa -k system_conf
-w /etc/hostname -p wa -k system_conf
-w /etc/resolv.conf -p wa -k system_conf
-w /etc/issue -p wa -k system_conf
-w /etc/network/ -p wa -k system_conf

## Time changes
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change

## Audit SSH connections and changes
-w /etc/ssh/sshd_config -p wa -k ssh_config_change
-w /var/log/auth.log -p wa -k ssh_login

## Audit usage of remote tools (e.g., SSH, netcat)
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process

## Audit privileged access
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/sudoers.d/ -p wa -k sudoers_changes
-w /bin/sudo -p x -k sudo_command

## Monitor credential changes
#-w /root/.ssh/ -p wa -k ssh_keys
#-w /home/*/.ssh/ -p wa -k ssh_keys

## Audit use of remote network services
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect

# Log package installation and removal via dpkg
-w /usr/bin/dpkg -p x
-w /usr/sbin/apt-get -p x
-w /usr/bin/apt -p x
</syntaxhighlight>This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131, it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks
[[Category:HowTo]]
[[Category:Hardening]]
[[Category:Security]]

Security Hardening for Debian Users: Protecting Against Targeted Attacks

2025-12-13T03:11:09Z

Donald:

== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==

==== Cybersecurity Measures Against Targeted Attacks ====

==
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.

* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems. ==

==== Description of the Threat ====

== Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance. Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity. They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled. Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion. There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users. The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue. Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure. ==

==== Countermeasures ====
===== Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build). =====

== Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence. At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice. Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations. Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary. Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model. However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential. The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines. At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote> Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''. Apply the most secure configurations available, especially if you store sensitive personal or professional information. Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access. This article is written both as a security recommendation and as a request for advice on improving system configuration. If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback. ==

==== Practical Instructions ====
===== Linux system hardening recommendations: =====

==
# 1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote>
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:
## Always read a script fully before running it (less script.sh, cat script.sh).
## Never paste commands from untrusted or unverified sources into the terminal.
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible Important: Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [https://archive.forums.debian.net/Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks#nftables_config: nftables config]
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [https://archive.forums.debian.net/Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks#sysctl_config: sysctl config])
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [https://archive.forums.debian.net/Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks#auditd_rules_config: auditd rules config]
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.
# Follow the principle of Attack Surface Reduction (or Occam's_razor) — disable all unnecessary daemons, services, and processes that are not required for your workflow.
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.
## If you are certain you will never use it, remove it completely from the system.
## This practice reduces potential attack vectors and strengthens overall system security.
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. Always create a full system backup before making any significant configuration changes or modifications.
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:
<syntaxhighlight lang="bash">
bash

PermitRootLogin no
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement
</syntaxhighlight>Why it matters:

* Allows you to quickly understand when and why a change was made.
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.
* Simplifies system audits and security reviews. '''Related Aspects of Internet Security''' There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system. 1. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[wikipedia:Authenticator_app|Authenticator_app]]), or a hardware security key such as a [[wikipedia:YubiKey|YubiKey]]. This is a critical cybersecurity measure — neglecting it can completely undermine all your efforts in configuring a secure Linux system. The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:

* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. For now, it is one of the most reliable hardware-based options for two-factor authentication. 2. Using VPN to improve privacy and security ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications. Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards. It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals. Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised. ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords. 3. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations. 4. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy. ''Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.'' ''In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.'' '''''Note:''' Artificial intelligence tools are mentioned here as optional technical aids, not as an endorsement of any specific service or vendor.'' 5. It is also important to consider the possibility of hardware-level attacks. Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components. If, after a thorough software-level audit, a security issue remains unresolved, it is advisable <nowiki>'''</nowiki>to perform a hardware-level assessment<nowiki>'''</nowiki> as well, including verification of device firmware integrity and configuration. <blockquote>'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''</blockquote> '''Examples of Deep Custom Security Configurations''' Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''. These are not universal templates, but references illustrating advanced system hardening. ==

====== SELinux config: ======

== <syntaxhighlight lang="terminfo">
root@user:/home/user# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
root@user:/home/user# sestatus -v
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33

Process contexts:
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context: system_u:system_r:init_t:s0
/sbin/agetty system_u:system_r:getty_t:s0

File contexts:
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0
/etc/passwd system_u:object_r:etc_t:s0
/etc/shadow system_u:object_r:unlabeled_t:s0
/bin/bash system_u:object_r:shell_exec_t:s0
/bin/login system_u:object_r:login_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty system_u:object_r:getty_exec_t:s0
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0
</syntaxhighlight> ==

====== nftables config: ======

== <syntaxhighlight lang="bash">
#!/usr/sbin/nft -f

flush ruleset

table inet filter {

# = Main chain policy =
chain input {
type filter hook input priority 0;
policy drop;

# = Common rule set =
# 🌀 Allow loopback interface (internal system processes)
iif "lo" accept

# == 🔁 Allow established and related connections ==
ct state established,related accept

# == 🔒 Limiting new connections from one IP (anti-DDoS) ==
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==
# If you experience issues with slow or failed page loads in your browser,
# try increasing the limit, for example:
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all
ip saddr 0.0.0.0/0 ct state new drop

# == 🛡️ Ping rate limiting ==
ip protocol icmp icmp type echo-request limit rate 1/second accept
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all
ip protocol icmp icmp type echo-request drop

# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)

# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)

# = Set of blocked IP addresses and ranges =

# == 🧱 Blocking known botnets and proxy networks ==
ip saddr {
45.9.20.0/24,
89.248.160.0/19,
185.220.100.0/22,
198.96.155.0/24,
185.107.56.0/24,
185.129.62.0/23
} log prefix "🔥 BAN: known bots " flags all
ip saddr {
45.9.20.0/24,
89.248.160.0/19,
185.220.100.0/22,
198.96.155.0/24,
185.107.56.0/24,
185.129.62.0/23
} drop

# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan

# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==
ip frag-off & 0x1fff != 0 drop

# == 🔒 Blocking spoofed IP packets ==
ip saddr 127.0.0.0/8 drop # localhost
ip saddr 10.0.0.0/8 drop # private network
ip saddr 172.16.0.0/12 drop # private network
ip saddr 192.168.0.0/16 drop # private network
ip saddr 169.254.0.0/16 drop # APIPA
ip saddr 0.0.0.0/8 drop # invalid address
ip saddr 224.0.0.0/4 drop # multicast
ip saddr 240.0.0.0/5 drop # reserved
}

# = Main chain policy =
chain forward {
type filter hook forward priority 0;
policy accept;

# = Blocking various types of attacks =
# Required in chain forward only if Docker or Oracle VirtualBox is present.
# If needed — uncomment.

# == 🔒 Limiting new connections from one IP (anti-DDoS) ==
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all
# ip saddr 0.0.0.0/0 ct state new drop

# == 🛡️ Ping rate limiting ==
# ip protocol icmp icmp type echo-request limit rate 1/second accept
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all
# ip protocol icmp icmp type echo-request drop

# = Allowing required TCP/UDP ports and ranges =

# == Allow TCP ports required for application operation ==
tcp dport {
53, # DNS — needed for domain name resolution
80, # HTTP — web traffic, updates and resource loading
443, # HTTPS — secure web traffic, VPN, browser
12043, # Custom 3D Application — specific client port
13000-13050 # Custom 3D Application — dynamic client port range
} accept

# == Allow UDP ports required for application operation ==
udp dport {
53, # DNS — needed for domain name resolution
443, # HTTPS via QUIC/HTTP3, browser protocols
3478, # STUN/TURN — WebRTC and video calls
3479-3481 # STUN/TURN — WebRTC and video calls
} accept

# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =

# These blocklists are intended for a DESKTOP / workstation.
# They block remote access, outdated services, proxies, DBs, IoT, and ports
# often used by malware, scanners, and C2 infrastructures.
#
# ⚠ If you use the system as a SERVER, enable IP forwarding,
# or run services with internal routing
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),
# carefully review the blocked ports/ranges in the forward chain —
# these services may need extra ports.
# Adjust or comment out required items if necessary.

# == Blocking various suspicious TCP ports ==
tcp dport {
# === Remote access (high risk) ===
22, # SSH — common brute-force target
23, # Telnet — outdated, no encryption
3389, # RDP — Windows remote desktop
5900, # VNC — remote access, frequent vulnerabilities
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===
21, # FTP — insecure protocol
137, # NetBIOS Name Service
138, # NetBIOS Datagram
139, # NetBIOS Session
445, # SMB/CIFS — common exploit target
# === Databases (NEVER expose to the Internet) ===
3306, # MySQL/MariaDB
1433, # MS SQL Server
1434, # MS SQL Browser
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===
8080, # HTTP proxy / web interfaces — often exposed accidentally
9200, # Elasticsearch API — full remote data access
# === UPnP/IoT (insecure by design) ===
1900, # SSDP / UPnP
# === Common for malware (RAT, C2, reverse shells) ===
4444, # Metasploit reverse shell
5555, # Android ADB / IoT botnets
9001, # Tor transport (used by malware)
1234, # Netcat / reverse connections
1337, # Common C2 port used by malware
# === ⚠️ Scanner ports and potentially vulnerable services ===
1080, # SOCKS proxy — used to bypass filtering
3128, # Squid proxy — may be abused as open proxy
8000, # Alternative HTTP ports, dev servers
8888, # Web interfaces, proxies, dev tools
10000 # Webmin — remote admin panel, frequent attacks
} drop

# == Blocking various suspicious UDP ports ==
udp dport {
161, # SNMP — network monitoring; abused by attackers
162 # SNMP Trap — also potentially vulnerable
} drop

# Attention! Blocking wide port ranges — be careful!
# Do not break system or application functionality!

# == TCP port ranges not used by a workstation during transit routing ==
# Blocked to prevent unwanted forwarding, hidden tunnels,
# NAT evasion, parasitic flows, and potential forward-path attacks.

tcp dport {
1024-2047, # System/legacy services; rarely needed in forward
2048-4095, # Proprietary daemons; NFS (2049) — check if used
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed
12288-16383, # Media/VoIP (TCP fallback); may break calls
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed
24576-32767, # Dynamic ranges for games/VPN; may cause issues
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM
49152-65535 # High ephemeral; widely used by modern apps
} drop

# == 🚫 Blocking UDP ports — high and dynamic ranges ==
udp dport {
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker
} drop

# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =
ip saddr {
185.0.0.0/8, # abused hosting and proxy networks
37.0.0.0/8, # cheap VPS, frequent scanning sources
88.0.0.0/8, # common brute-force and scanner range
77.0.0.0/8, # TOR/proxy nodes
91.0.0.0/8 # botnets and “grey-zone” hosting
} drop
}

chain output {
# = Main chain policy =
type filter hook output priority 0;
policy accept;

# = Blocking various types of attacks =

# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all
ip saddr 0.0.0.0/0 ct state new drop

# == 🛡️ Limiting ping requests ==
ip protocol icmp icmp type echo-request limit rate 1/second accept
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all
ip protocol icmp icmp type echo-request drop

# = Allowing required TCP/UDP ports and ranges =

# == Allow TCP ports and ranges required for application functionality ==
tcp dport {
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.
3306, # MySQL client. Needed if you connect to MySQL.
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.
3000, # Node.js dev servers. Needed for development.
3690, # SVN. If you work with an old repository.
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.
12043, # Required for Custom 3D Application.
13000-13050 # Required for Custom 3D Application.
} accept

# == Allow UDP ports and ranges required for applications ==
udp dport {
443, # Required for fast and stable operation of modern websites
# (Google, YouTube, ChatGPT, Cloudflare)
13000-13050 # Required for Custom 3D Application.
} accept

# = Blocking potentially dangerous / unnecessary TCP/UDP ports =

# These blocks are intended for a DESKTOP / workstation.
# ⚠ If you use the system as a SERVER —
# adjust or comment out the required ports/ranges as needed.

# == Blocking various suspicious TCP ports ==
tcp dport {
# === Remote access (high-risk) ===
22, # SSH — target of brute-force attacks.
23, # Telnet — outdated, unencrypted.
3389, # RDP — Windows remote access.
5900, # VNC — remote access, often vulnerable.
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===
21, # FTP — insecure protocol.
137, # NetBIOS Name Service.
138, # NetBIOS Datagram.
139, # NetBIOS Session.
445, # SMB/CIFS — frequent exploitation target.
# === Databases (NEVER open to the Internet) ===
3306, # MySQL/MariaDB.
1433, # MS SQL Server.
1434, # MS SQL Browser.
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===
8080, # HTTP proxy / web interfaces — often exposed test interfaces.
9200, # Elasticsearch API — full remote access to data.
# === UPnP/IoT (vulnerable by design) ===
1900, # SSDP / UPnP.
# === Common malware ports (RAT, C2, reverse shells) ===
4444, # Metasploit reverse shell.
5555, # Android ADB / IoT botnets.
9001, # Tor transport (used by malware).
1234, # Netcat / reverse connections.
1337, # Common C2 malware port.
# === ⚠️ Ports of scanners and potentially vulnerable services ===
1080, # SOCKS proxy — often abused for bypassing filters.
3128, # Squid HTTP proxy — can be used as open proxy.
8000, # Alternative HTTP ports, web services — potentially vulnerable.
8888, # Alternative web interfaces — test and proxy ports.
10000 # Webmin — web admin panel, target of attacks.
} drop

# == Blocking various suspicious UDP ports ==
udp dport {
161, # SNMP — network monitoring; can be abused by attackers.
162 # SNMP Trap — same, potential vulnerability.
} drop

# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️
# Do not break system or application functionality!
# If you need a range — uncomment.
# If you don’t — comment out.

# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==
tcp dport {
1-1023, # 🛑 Privileged ports.
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.
2048-3071, # Rare proprietary protocols and middleware.
3072-4999, # Mostly ports of legacy, server, corporate apps;
# rarely needed on workstations.
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.
7000-7999, # Alternative/test ports, often used by trojans.
9000-9999, # Web services, proxies, possible backdoor ports.
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,
# but not needed by most desktop services.
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,
# but system services rarely use them.
} drop

# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==
udp dport {
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.
# Usually safe to block.
2048-4095, # Rarely used standard ports, proprietary services.
# Usually safe to block.
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.
# Can block, but cautiously: may affect VPN/apps.
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.
# Might cause side effects; better test first.
12288-16383, # Old RTP/VoIP ranges and media streams.
# Can block, but might break video calls.
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.
# ❗ Do not block if you need video calls/WebRTC/VPN.
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.
# ❗ May break VPN or some apps.
} drop

# == 🕷️ Blocking suspicious IPs —
# large ranges often used by botnets, spam networks, and scanners ==
ip saddr {
185.0.0.0/8, # Abused hosting and proxy networks.
37.0.0.0/8, # Cheap VPS, scanning sources.
88.0.0.0/8, # Frequent brute-force and scanners.
77.0.0.0/8, # Massive TOR/proxy nodes.
91.0.0.0/8 # Botnets and “grey” hosting.
} drop
}
}

</syntaxhighlight> ==

====== sysctl config: ======

== kernel parameters configuration /etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash">
# 1 Ignore ICMP on interfaces
net.ipv4.icmp_echo_ignore_all = 1

# 2 Do not respond to ICMP broadcast (against Smurf attacks)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# 3 Enable SYN backlog reduction
net.ipv4.tcp_syncookies = 1

# 4 Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# 5 Log packets with incorrect routing
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# 6 Disable ICMP Redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# 7 Disable packet forwarding
net.ipv4.ip_forward = 0

# 8 Disable IPv6 support
net.ipv4.conf.all.disable_ipv6 = 1
net.ipv4.conf.default.disable_ipv6 = 1

# 9 Prevent sending TCP segments with null windows
net.ipv4.tcp_rfc1337 = 1

# 10 Disable ARP filtering for automatic routing
net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.default.arp_filter = 1

# 11 Limit the maximum size of the incoming TCP window
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 65536 4194304

# 12 Drop packets with incorrect checksums
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1

# 13 Disable IPv6 forwarding
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# 14 Limit the maximum number of SYN packet retries
net.ipv4.tcp_synack_retries = 2

# 15 Increase routing cache lifetime
net.ipv4.route.max_size = 32768
</syntaxhighlight> ==

====== auditd rules config: ======

== /etc/audit/rules.d/audit.rules <syntaxhighlight lang="bash">
## Flush rules
-D

## Buffers
-b 8192
--backlog_wait_time 60000
-f 1

## Network audit
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept

## Logging execve commands
-a always,exit -F arch=b64 -S execve -F key=exec_log

## Audit logins and sessions
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

## sudo / su
-w /etc/sudoers -p wa -k sudo
-w /etc/sudoers.d/ -p wa -k sudo
-w /bin/su -p x -k su_cmd

## Account and configuration changes
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/hosts -p wa -k system_conf
-w /etc/hostname -p wa -k system_conf
-w /etc/resolv.conf -p wa -k system_conf
-w /etc/issue -p wa -k system_conf
-w /etc/network/ -p wa -k system_conf

## Time changes
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change

## Audit SSH connections and changes
-w /etc/ssh/sshd_config -p wa -k ssh_config_change
-w /var/log/auth.log -p wa -k ssh_login

## Audit usage of remote tools (e.g., SSH, netcat)
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process

## Audit privileged access
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/sudoers.d/ -p wa -k sudoers_changes
-w /bin/sudo -p x -k sudo_command

## Monitor credential changes
#-w /root/.ssh/ -p wa -k ssh_keys
#-w /home/*/.ssh/ -p wa -k ssh_keys

## Audit use of remote network services
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect

# Log package installation and removal via dpkg
-w /usr/bin/dpkg -p x
-w /usr/sbin/apt-get -p x
-w /usr/bin/apt -p x
</syntaxhighlight>This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131, it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks ==
[[index.php?title=Category:HowTo]]
[[index.php?title=Category:Hardening]]
[[index.php?title=Category:Security]]

Main Page

2025-12-13T00:22:06Z

Donald: /* HowTo */

== About ==
About:
* [[Debian User Forums]]
* [[The Debian Project]]
* [[Archive AI Use]]
* [[Forum jokes, lingo, and memorable quotes]]

== HowTo ==
HowTo:

* [https://forums.debian.net/viewtopic.php?p=338577#p338577 Root, sudo, su, and su -]

* [[To install Firefox from Mozilla repo|Installing Firefox from Mozilla repo]]
* [[WiFi Signal Strength and Sharing]]
* [[REFInd USB Drive (for emergency boot)]]
* [[Trixie iwd]]
* [[Security Hardening for Debian Users: Protecting Against Targeted Attacks]]

== Licensing ==
Licensing:
* [[Publish using CC International licencing and your Forum name]].

Category:Security

2025-12-13T00:20:39Z

Donald: Created page with "Security"

Security