Interactive Hardening Guide for Pop!

Interactive Hardening Guide

This application transforms the standard hardening guide into an interactive experience. Each step is broken down into a manageable section, providing clear explanations and one-click copyable commands. Navigate using the sidebar or the cards below to begin securing your Pop!_OS system.

0️⃣ Initial System Update

Ensure your OS is fully patched against all known vulnerabilities before starting.

🛡️ VPN (Proton VPN)

Encrypt your internet traffic and hide your IP address for privacy and anonymity.

🧱 Application Firewall

Monitor and control outgoing network connections on a per-application basis.

🦠 Antivirus (ClamAV)

Perform on-demand scans of files and directories for malware.

🚫 Intrusion Prevention

Automatically block IP addresses that show malicious behavior like brute-force attacks.

👻 Anti-Rootkit Scanners

Scan for advanced malware designed to hide its presence on your system.

🌐 WAF vs Browser Protection

Clarify the difference between server-side and client-side web protection.

🖱️ Browser Protection

Block ads, trackers, and malware domains directly within your web browser.

📦 Mandatory Access Control

Use AppArmor to confine applications and prevent exploits from spreading.

🔄 Automatic Security Updates

Ensure your system automatically installs critical security patches.

🔍 System Auditing (AIDE)

Create a "security seal" to detect unauthorized changes to system files.

Step 0: Initial System Update

Purpose

Before installing any security software, it is critical to ensure the operating system is fully patched against all known vulnerabilities.

Implementation

Open a Terminal and run the following commands to synchronize your package lists and apply all available upgrades:

sudo apt update
sudo apt full-upgrade

Step 1: VPN (Proton VPN)

Purpose

A Virtual Private Network (VPN) encrypts all your internet traffic and hides your true IP address. This protects your privacy from your Internet Service Provider (ISP), prevents tracking, and makes you anonymous online.

Installation

1. (Optional) Clean up any previous failed attempts to ensure a clean slate:

sudo rm -f /etc/apt/sources.list.d/proton*
sudo rm -f /etc/apt/keyrings/proton*
sudo rm -f /usr/share/keyrings/proton*
rm -f ./protonvpn-stable-release_1.0.3-3_all.deb

2. Manually fetch and store the GPG key to verify the software's authenticity:

sudo gpg --homedir /tmp --no-default-keyring --keyring /usr/share/keyrings/protonvpn-keyring.gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys EDA3E22630349F1C

3. Manually create the repository file to tell `apt` where to find the software:

echo "deb [signed-by=/usr/share/keyrings/protonvpn-keyring.gpg] https://repo.protonvpn.com/debian stable main" | sudo tee /etc/apt/sources.list.d/protonvpn.list

4. Update package lists and install the application:

sudo apt update
sudo apt install -y proton-vpn-gnome-desktop

Setup & Usage

1. To make the VPN icon always visible in the top system tray, install the GNOME AppIndicator extension. You must log out and back in or reboot after installation.

sudo apt install gnome-shell-extension-appindicator

2. Open Applications, search for "Proton VPN", and log in.

3. In the app's settings (gear icon), enable the Kill Switch. This is a critical feature that blocks all internet traffic if the VPN disconnects, preventing your real IP address from being exposed.

Step 2: Application Firewall (OpenSnitch)

Purpose

This acts like "Little Snitch" for Linux. It monitors all outgoing network connections on an application-by-application basis. It alerts you whenever a program tries to access the internet, and you can choose to allow or deny the connection, either temporarily or permanently. This gives you granular control and visibility over your system's network activity.

Installation

1. Download and install the daemon (background service):

wget https://github.com/evilsocket/opensnitch/releases/download/v1.6.6/opensnitch_1.6.6-1_amd64.deb
sudo apt install ./opensnitch_1.6.6-1_amd64.deb

2. Download and install the GUI (user interface):

wget https://github.com/evilsocket/opensnitch/releases/download/v1.6.6/python3-opensnitch-ui_1.6.6-1_all.deb
sudo apt install ./python3-opensnitch-ui_1.6.6-1_all.deb

3. The installer will warn about a buggy library. Fix it immediately:

sudo apt install -y python3-pip
pip3 install grpcio==1.44.0

Usage: The "Teaching" Phase

After installing, you will get many pop-ups. This is normal. Your job is to "teach" OpenSnitch what is allowed. For each pop-up, analyze the application and destination, then choose to Allow or Deny for a specific duration (Once, Until restart, or Forever).

View Common Safe Alerts to "Allow Forever"

Alert: `firefox-bin is attempting to resolve ... via 127.0.0.53`
Meaning: Firefox is asking the system to look up a website address. This is a normal part of browsing.
Alert: `systemd-resolved is connecting to 10.2.0.1`
Meaning: The system's DNS service is sending the lookup request through your Proton VPN server. This proves your VPN is working correctly.
Alert: `sudo is attempting to resolve pop-os`
Meaning: A standard internal security check performed by the `sudo` command.
Alert: `chronyd is connecting to ... on UDP port 123`
Meaning: Your system is synchronizing its clock with an internet time server, which is critical for security.
Alert: `Pop!_Shop Daemon is resolving dl.flathub.org`
Meaning: Your app store is checking for software updates from the official Flatpak repository.

Step 3: On-Demand Antivirus (ClamAV)

Purpose

To scan files, downloads, and external drives for malware when you choose to. On Linux, antivirus is typically used as an on-demand scanner rather than a real-time one, mainly to find Windows-based threats that might be harmless to you but could be passed to others via file sharing.

Installation & Setup

1. Install ClamAV engine and its graphical interface, ClamTK:

sudo apt install clamav clamav-daemon clamtk

2. The background service (`clamav-daemon`) will lock update files. To run the first update manually, we must temporarily stop the service, update, and restart it:

sudo systemctl stop clamav-freshclam
sudo freshclam
sudo systemctl start clamav-freshclam

Usage

Open the "Show Applications" grid, search for `ClamTK`, right-click its icon, and select "Add to Favorites" to pin it to your dock. Launch it to scan files or directories.

Step 4: Host-Based Intrusion Prevention (Fail2ban)

Purpose

Fail2ban acts as a security guard for your log files. It looks for patterns of malicious behavior (like repeated failed SSH logins) and automatically blocks the attacker's IP address. This prevents brute-force password guessing attacks.

Installation & Setup

1. Install the package:

sudo apt install fail2ban

2. Create a local configuration file that is safe from being overwritten by updates:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

3. Enable and start the service:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

4. Verify that it's working. You should see it has automatically enabled protection for SSH (`sshd`).

sudo fail2ban-client status

Step 5: Anti-Rootkit Scanners

Purpose

To scan for rootkits, a specific type of malware designed to hide its own presence, processes, and files from the operating system. Standard antivirus may not see them, so specialized scanners like `rkhunter` and `chkrootkit` are required.

Installation & Usage

1. Install both scanners:

sudo apt install rkhunter chkrootkit

2. Update `rkhunter`'s database and create a baseline snapshot of your system files:

sudo rkhunter --update
sudo rkhunter --propupd

3. Run the scans:

sudo chkrootkit
sudo rkhunter --check --sk

Interpreting Results

These tools are very sensitive and often produce false positives on a clean system. Warnings about suspicious hidden files in developer directories or "packet sniffer" warnings for NetworkManager are normal and can be safely ignored. As long as no confirmed rootkits are found, you are all clear.

Step 6: WAF vs. Browser Protection

Purpose

This section clarifies the correct tool for the job. It's important to understand the difference between protecting a server and protecting a client like your laptop.

WAF (Web Application Firewall)

A WAF is a security tool for a server. It inspects malicious incoming traffic to protect a website it is hosting.

Browser Protection Extension

A personal laptop is a client. You need to protect your outgoing browser activity from malicious websites you might visit.

For your personal laptop, the tool you need is a browser protection extension.

Step 7: Browser Protection (uBlock Origin)

Purpose

uBlock Origin is a wide-spectrum content blocker that protects your web browser from threats. It is not just an ad blocker. Using community-maintained blocklists, it also blocks trackers, many known malware-serving domains, and phishing sites. This is one of the most effective security measures for day-to-day browsing.

Installation

Open the Firefox web browser.
Navigate to the following URL: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
Click the "Add to Firefox" button and approve the permissions pop-up.
A shield icon will appear in your toolbar, indicating that it is active and protecting you.

Step 8: Mandatory Access Control (AppArmor)

Purpose

AppArmor is a powerful, kernel-level security module that confines applications to a strict set of rules. It protects your system *from your own applications*. If a hacker exploits a bug in Firefox, AppArmor can prevent that compromised application from accessing files outside of what it's normally allowed to, stopping the attack from spreading.

How AppArmor Works: An Analogy

Imagine Firefox is a temporary worker in your office (your system):

Without AppArmor: The worker's keycard opens every door. They can read files in the finance office or try to break into the server room.
With AppArmor: The worker's keycard *only* opens the front door and their assigned office. If they try to open any other door, an alarm sounds, and access is denied. AppArmor creates this "virtual office" for each application, restricting it to only the files and capabilities it absolutely needs to do its job.

Usage & Management

AppArmor is already installed and enabled. We just need the tools to manage it.

sudo apt install apparmor-utils

Check the status to see which applications are being protected. "Enforce Mode" is the active blocking mode, while "Complain Mode" is a report-only mode.

sudo aa-status

To switch a profile from "complain" to "enforce" mode (recommended), you must use the full profile filename found in `/etc/apparmor.d/`.

# Example for LibreOffice:
sudo aa-enforce usr.lib.libreoffice.program.oosplash
sudo aa-enforce usr.lib.libreoffice.program.soffice.bin

Step 9: Automatic Security Updates

Purpose

To ensure your system automatically downloads and installs critical security patches. This is one of the most important defenses, as it protects you from known vulnerabilities as soon as a fix is available.

Implementation

1. Install the package:

sudo apt install unattended-upgrades

2. Enable it. A text-based interface will appear; use the arrow keys to select `<Yes>` and press Enter.

sudo dpkg-reconfigure -plow unattended-upgrades

3. Verify the configuration file to ensure it's turned on. The output must include `APT::Periodic::Unattended-Upgrade "1";`

cat /etc/apt/apt.conf.d/20auto-upgrades

Step 10: System Auditing (AIDE)

Purpose

The Advanced Intrusion Detection Environment (AIDE) acts like a digital "security seal" for your filesystem. It creates a "snapshot" (a secure database) of your critical system files. You can then run a check to see if any of these files have been changed, added, or deleted without your knowledge.

How AIDE Works: The "Security Seal" Analogy

Placing the Seal (`aideinit`): You take a detailed snapshot of thousands of files—their size, permissions, and cryptographic "fingerprints." This snapshot is stored in a database, which becomes your "golden master" copy.
Inspecting the Seal (`aide --check`): AIDE re-scans all the files and compares their current fingerprints to the golden master. If anything is different, the seal is "broken," and AIDE generates a detailed report of exactly what changed.

Installation & Setup

1. Install AIDE:

sudo apt install aide

2. Create the initial "golden" database. This will take 20-30 minutes.

sudo aideinit

3. Activate the database by copying the new snapshot into place:

sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Usage: The AIDE Administrator's Workflow

You must create a new "seal" after every intentional system change (like an `apt upgrade`).

Run a check *before* you make changes to ensure the system is clean. No output means the seal is intact.
```
sudo aide --config /etc/aide/aide.conf --check
```
Perform your administrative task (e.g., `sudo apt install htop`).
Update the AIDE snapshot to include your new, legitimate changes. This creates a new temporary database.
```
sudo aide --config /etc/aide/aide.conf --update
```
Promote the new snapshot to be the golden master. This replaces the old seal with the new one.
```
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
```