  • Solus OS Basic Security Guide for New Users

Here's a concise security guide for new Solus users, synthesized from official documentation and community resources:

1. Secure Boot Configuration

  • Solus supports Secure Boot since 4.4. On first boot with Secure Boot enabled:
    1. Manually enroll Solus' certificate in UEFI firmware
    2. Follow on-screen enrollment process
    3. Verify Secure Boot status post-installation

2. USBGuard
The USBGuard software framework helps to protect your computer against rogue USB devices (a.k.a. BadUSB) by implementing basic whitelisting and blacklisting capabilities based on device attributes.

https://github.com/USBGuard/usbguard
https://usbguard.github.io/

3. Disk Encryption

  • Full-disk encryption during installation:
    • Requires selecting "Entire Disk" option
    • LUKS encryption with strong passphrase (12+ characters)
  • Post-install options:
    • Use ecryptfs for home directory encryption
    • For dual-boot systems: Manual partitioning required

4. Firewall Configuration

  • Built-in options:
    • UFW (Uncomplicated Firewall): sudo ufw enable
    • GUFW for graphical management
    • Advanced: firewalld with zones
  • Default deny policy recommended:
      sudo ufw default deny incoming
      sudo ufw default allow outgoing

5. System Hardening

  • Regular updates:

      sudo eopkg up
  • Hosts file management:

      sudo nano /etc/hosts
      # Add blocking entries: 127.0.0.1 malicious-domain.com
  • Disable unused services: sudo systemctl disable <service>

  • Brute-Force Protection/Hardening

    sudo eopkg install sshguard && sudo eopkg install firewalld
    sudo systemctl enable sshguard && sudo systemctl enable firewalld
    sudo systemctl start sshguard && sudo systemctl start firewalld

6. Antivirus & Malware

  • Primary protection:
    • Regular system updates
    • Curated software sources

7. Network Security

  • Samba configuration:
      sudo nano /etc/samba/smb.conf
      # Restrict to SMB3: server min protocol = SMB3
  • VPN recommendations:
    • WireGuard (built-in kernel support)
    • OpenVPN (Disable with sudo systemctl disable openvpn.service)

8. Virtualization Security

  • VM best practices:
    • 32GB+ virtual disk allocation
    • Separate network interfaces
    • Regular snapshot management
  • Guest additions:
      sudo eopkg install virtualbox-guest-common

9. Backup Strategy

  • Recommended tools:

  • Cloud integration:
    • Nextcloud client
    • Rclone for encrypted backups
    • Filen

Additional Tips:

  • Use strong passphrases (14+ characters)
  • Enable automatic security updates
  • Verify ISO checksums before installation
  • Regular security audits with lynis

For advanced configurations, reference the Solus UEFI Survival Guide and official Secure Boot documentation.

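An added example, not part of the original post: the guide shows its Samba setting after a leading `#`, and a line pasted that way is a comment with no effect, so this sketch checks that the firewall policy and the SMB3 minimum are actually in force. The function names are hypothetical and the sample input is constructed.

```shell
#!/bin/sh
# Added example (function names are hypothetical). Each check reads text on
# stdin so it runs offline; on a live system feed it real output, e.g.
#   sudo ufw status verbose | ufw_default_deny
#   smb3_enforced < /etc/samba/smb.conf

# Succeeds only if ufw is active and the default incoming policy is deny/reject.
ufw_default_deny() {
    awk '
        /^Status: active/ { active = 1 }
        /^Default:/ && /(deny|reject) \(incoming\)/ { deny = 1 }
        END { exit !(active && deny) }
    '
}

# Prints the effective "server min protocol" from [global], or nothing if unset.
# Samba ignores case and whitespace in parameter names, treats lines starting
# with # or ; as comments, and lets a later assignment override an earlier one.
smb_min_protocol() {
    awk '
        /^[ \t]*[#;]/ { next }                # comment line: has no effect
        /^[ \t]*\[/ {                         # section header
            s = tolower($0); gsub(/[ \t]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global {
            eq = index($0, "="); if (eq == 0) next
            name = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", name)
            val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == "serverminprotocol") found = val
        }
        END { if (found != "") print found }
    '
}

# Succeeds if the effective minimum is an SMB3 dialect.
smb3_enforced() {
    case "$(smb_min_protocol | tr '[:lower:]' '[:upper:]')" in
        SMB3|SMB3_00|SMB3_02|SMB3_11) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: the Samba line pasted with its leading "#", as in the guide.
sample='[global]
# Restrict to SMB3: server min protocol = SMB3'
printf '%s\n' "$sample" | smb3_enforced || echo "SMB3 minimum is not in effect"
```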

    rootkit hunter was iffy back in the Win days, and with ClamAV the developer walked away from it 6 months ago claiming it was an "awful"* tool. Perhaps the limitations of their signatures and upkeep.
    Lynis standalone which is a great audit. *I can find his words if asked.

    Other than that I agree with every word.
    also for passwords, use pwgen from the repo. First-rate tool.
    Excellent write-up. edit/typo&clarify

      brent

      Thanks, I am just putting this here for myself, but if anyone wants to use it for their reference, that is nice as well.

      As a note, neither clamav nor rkhunter are in the Solus repository.


        and neither is Timeshift as far as I remember (not currently logged in to be able to check).


          EbonJaeger

          rkhunter is deprecated

          clamav is still running, just compile it yourself, and you can also use lynis to audit yourself as well

          h3ll Yes, but without it being in the repo it's not necessarily easy for a non-technical user to install and use. Just thought it was worth pointing out.


            Last I knew, Timeshift also relies on cron, which Solus also does not have or support. So unless they've finally added support for systemd timers, I don't think that will work.


              stocc Yeah, I know, just pointing it out for the others as well

              EbonJaeger

              For Solus systems without cron, here's how to configure Timeshift with native systemd timers:

              1. Create Timeshift Backup Service

              sudo nano /etc/systemd/system/timeshift-backup.service
              [Unit]
              Description=Timeshift System Backup
              Requires=network-online.target
              After=network-online.target
              
              [Service]
              Type=oneshot
              ExecStart=/usr/bin/timeshift --create --comments "Scheduled snapshot" --tags D
              ExecStartPost=/bin/sh -c 'date +"%%Y-%%m-%%d %%H:%%M:%%S" >> /var/log/timeshift.log'
              ExecStartPost=/bin/sh -c 'echo "Snapshot created: $(ls /timeshift | tail -n1)" >> /var/log/timeshift.log'

              2. Create Systemd Timer

              sudo nano /etc/systemd/system/timeshift-backup.timer
              [Unit]
              Description=Weekly Timeshift Backups
              
              [Timer]
              OnCalendar=Mon *-*-* 04:00:00
              RandomizedDelaySec=1h
              Persistent=true
              
              [Install]
              WantedBy=timers.target

              3. Enable and Verify

              sudo systemctl daemon-reload
              sudo systemctl enable --now timeshift-backup.timer
              
              # Check timer status
              systemctl list-timers timeshift-backup.timer

              Key Differences from Cron:

              1. Persistent State: Survives reboots better than cron
              2. Log Integration: Journal entries via:
                   journalctl -u timeshift-backup.service -b -n 50
              3. Calendar Flexibility: Supports more complex schedules like:
                   OnCalendar=*-*-1,15 03:00:00  # 1st/15th of month

              Note: Solus' curated updates mean you should still manually verify Timeshift snapshots after major system updates:

              sudo eopkg check | grep -q "broken" && timeshift --restore

                Is this output from an LLM? Seems littered with weird/wrong information enough to be the case.

                  Staudey

                  Nope, this is correct and you can set Timeshift with systemd; I tested it myself and I don't use any LLM. My LLM is DeepSeek with a custom prompt for unrestricted/uncensored results and provides all correct answers only.

                    For password generation I use the dd command
                    dd if=/dev/random count=1 bs=256 2>/dev/null |openssl base64 |tr -d '\n' | cut -b-24
                    The number at the end is the number of characters wanted.

                      TL;DR:
                      Guide meant for (probably Debian based) server hardening makes its way to the forum of a (non Debian based) desktop oriented distro through the "skillful" application of LLM magic.

                        CorvusRuber

                        I don't have any servers and this is my old updated guide; I thought I'd share and post it for my reference and others' as well. Since most people on Solus OS are noobs, I thought I'd help.

                        Half of your "guide" either refers to tools and packages that are not present on Solus (like timeshift, clamav or rkhunter) or are meant to be used on server environments (like sshguard).
                        The other half is either common sense ("use long passphrases"), useless ("use wireguard or openvpn": what does that mean, since this "guide" should be for "noobs"?), or simply so devoid of context as to be meaningless (like the "virtualization security" section).

                        Again, this looks like a long-winded gpt generated "guide" for the sake of karma farming, but we're not on reddit.

                          CorvusRuber

                          rkhunter was in the old Solus, that's how you know you're not an OG and you're trying to start shit, but it is removed now due to it being deprecated in April 2025.

                          timeshift was also in Solus, but it got discontinued and then got brought back to life, here it is: https://github.com/linuxmint/timeshift

                          clamav also used to be in the Solus package manager, but was later removed

                          sshguard is still in the package manager and can be used for brute force protection + firewalld, which is also in the Solus packaging

                          long passphrases are good to have if you're on Linux anyway, so no one can easily guess them and gain access, but of course not too long; as I mentioned, 14+

                          disable unused services like openvpn since it is slower and old, wireguard is faster and more modern. Since mullvad uses wireguard now, it makes sense to use openvpn less and there is no point in leaving it enabled

                          in case people want to run virtual machines from their actual PC for testing, trying out ISOs, or whatever they want

                          you seem to be referring to "chatgpt", which no Linux user should be using as they collect data etc, so no, it's not "gpt" and actually you can refer to

                            CorvusRuber oh also the keyword, you forgot to read and didn't bother to read it anyways. "synthesized"