Solus OS Basic Security Guide for New Users

stekte

For password generation i use the dd command
dd if=/dev/random count=1 bs=256 2>/dev/null |openssl base64 |tr -d '\n' | cut -b-24
the number in the end is the wanted characters

WetGeek

stekte For password generation i use the dd command

I just use LastPass for that. It's fully adjustable for parameters, and has the advantage of storing the result in its vault for future use whenever needed.

CorvusRuber

TL;DR:
Guide meant for (probably Debian based) server hardening makes its way to the forum of a (non Debian based) desktop oriented distro through the "skillful" application of LLM magic.

h3ll

CorvusRuber

I don't have any servers and this is my old updated guide i thought i share and post for my reference and others as well. Since most ppl on solus os are noobs, so i thought i help

CorvusRuber

Half of your "guide" either refers to tools and packages that are not present on Solus (like timeshift, clamav or rkunter) or are meant to be used on server environments (like sshguard).
The other half is either common sense ("use long passphrases"), useless ("use wireguard or openvpn": what does that mean, since this "guide" should be for "noobs" ?), or simply so devoid of context to be meaningless (like the "virtualization security" section)

Again, this looks like a long winded gpt generated "guide" for the sake of karma farming, but we're not on reddit.

h3ll

CorvusRuber

rkhunter was in the old solus thats how you know your not a og and you trying to start shit, but it is removed now due to it being depreciated in april 2025.

timeshift was also in solus, but it got discontinued and but got brought back to life, here it is: https://github.com/linuxmint/timeshift

clamav also used to be in the solus package manager, but later removed

sshguard is still in the package manager and can be used for brute force protection + firewalld which is also in the solus packaging

long passphrases is good to have if your on linux anyways so no one cant easy to guess and gain access, but ofc not too long as i mention 14+

disable unused services like openvpn since it is slower and old, wireguard more speed and modern. Since mullvad uses wireguard now, makes since to use less openvpn and no point to leave it enable

incase people want to run virtual machines from their actual pc for testing, trying out isos, or whatever they want

you seem to refering to "chatgpt" which no linux user should be using as they collect data etc, so no its not "gpt" and actually you can refer to

h3ll

CorvusRuber oh also the keyword, you forgot to read and didn't bother to read it anyways. "synthesized"

EbonJaeger

h3ll rkhunter, clamav, and timeshift are not in the deprecated package list, which would indicate that they've never been included in the Solua repository. Furthermore, I remember requests for Clam's inclusion being rejected at least once many years ago on the old issue tracker. Timeshift has also been requested several times over the years, but has always been blocked from inclusion due to its reliance on crontab, which Solus also doesn't have. What do you mean exactly by "Old Solus"?

I'm not really sure what's going on in this thread at this point, but I would like to remind everyone to be respectful. This has already gone a bit off the rails.

CorvusRuber

Still convinced to be talking to a chatbot....

h3ll

CorvusRuber

Again nothing wrong with it anyways, people actually learning and gaining certificates, it is wrong with toxic leftist community cant never go no where, but also prob also use a "chat bot" as well. Everyone should use what they want and instead of false accusing someone, how about you verify yourself?

https://addons.mozilla.org/en-US/firefox/addon/deep-fake-detector/ - Gecko

https://chromewebstore.google.com/detail/deep-fake-detector/kajehpmjflbbjfnbngcpcoingbpedlak - chromium

by Mozilla, uses various open source models for text ai detection and soon video/audio will be out

h3ll

h3ll synthesized

Synthesized meaning - Though i rewored some words and added some few or extra steps/options. To make it fit solus and before posting all commands work and excellently running on my pc.

Staudey

Some corrections/questions:

h3ll Nope, this is correct and you can set timeshift with systemd i tested myself and i don't use any LLM. My LLM is DeepSeek with a custom prompt for unrestricted/uncensored results and provides all correct answers only.

So are you using an LLM or not? I'm confused, is this a joke? 😅

h3ll New solus has removed it from package manager:
sudo eopkg install clamav rkhunter

As people have said (and now even your edited post alludes to), this command won't work because those packages aren't, and never were, part of the repository.

h3ll VPN recommendations:
WireGuard (built-in kernel support)
OpenVPN (Disable with sudo systemctl disable openvpn.service)

So do you recommend OpenVPN, or do you want people to disable it? ^^

h3ll sudo eopkg check | grep -q "broken" && timeshift --restore

This'll always fail, since grep is case-sensitive and the actual text is "Broken" with a capital B. Also I'm not sure it's a good idea to restore a backup for any "Broken" package, because most of the time that's not harmful at all, but then again I don't know how timeshift works exactly.

h3ll Synthesized meaning - Though i rewored some words and added some few or extra steps/options. To make it fit solus and before posting all commands work and excellently running on my pc.

FYI Your link doesn't work unless one is logged into kagi. In any case: Clearly you didn't run many of the commands, as they don't work (see above)

TraceyC

I understand people wanting to share information with other users to help them out. A better approach would be to write up something for the Help Center. That way, the information can be vetted and made "official" so there's no confusion or doubt.

As a user who has searched for how-to's for various things, I will always trust an organizations docs a lot more than random posts on forums or around the Internet.

h3ll

Staudey confused

Clearly you didn't test, but as for the majority you have to compile it yourself, i can also write a step by step how to get it on your solus os without package manager, or you could use flathub.

Staudey As people have said (and now even your edited post alludes to), this command won't work because those packages aren't, and never were, part of the repository.

ClamAV was never officially supported in Solus repositories. The Solus team maintained a consistent stance against including it due to its Windows-focused scanning nature and limited value for Linux desktop users. However, users could install outdated versions via Flatpak (not recommended). https://discuss.getsol.us/d/6408-new-to-solus-dash-to-dock-clam-antivirus
https://discuss.getsol.us/d/1623-reconsidering-clamav

Rkhunter (Rootkit Hunter) was previously available but removed from Solus' package manager in April 2025. Earlier discussions (2019-2023) show it was used for rootkit detection, though some users reported false positives.
https://discuss.getsol.us/d/1419-highly-suspected-compromised-solus-iso-rootkits-post-fresh-install
https://discuss.getsol.us/d/7006-threats/2

Chkrootkit isn't explicitly mentioned in Solus sources, but Linux security discussions note it's often used alongside rkhunter despite potential false positives. https://www.linux.org/threads/chkrootkit-and-rkhunter-possible-false-positives.53787/#:~:text=A%20virus,your%20password.

Staudey So do you recommend OpenVPN, or do you want people to disable it? ^^

Yes, as i said in the post, clearly didnt read less resources the better, so wireguard is modern, secure, and speed

https://mullvad.net/en/blog/removing-openvpn-15th-january-2026

Staudey This'll always fail, since grep is case-sensitive and the actual text is "Broken" with a capital B. Also I'm not sure it's a good idea to restore a backup for any "Broken" package, because most of the time that's not harmful at all, but then again I don't know how timeshift works exactly.

Good, suggestion and go test as linux is about exploring and trying new things

It used to be in the solus package managing manager back in 4.3 or somewhere as long the lines, i done my research and those rookit detection scanners are getting depreciated soon, i thought i just leave up for reference but ill remove it and keep lynis instead nowadays.

Staudey FYI Your link doesn't work unless one is logged into kagi. In any case: Clearly you didn't run many of the commands, as they don't work (see above)

You can now use kagi without a account, as they recently posted their changelogs about that and everything

https://kagi.com/search?q=synthesized+ai+meaning%3F&r=us&sh=teLIQQS0m5Ypz7beo8jPEQ - try again

Staudey

h3ll Clearly you didn't test

What are you replying to here? Didn't test what? Your clamav and rkhunter installation commands obviously didn't work, because those packages aren't part of the repository. I see you've now removed that part of your instructions, good.

For good measure, let's test your previous instructions again:

 sudo eopkg install clamav rkhunter                         
[sudo] password for thomas:
System error. Program terminated.
Repo item clamav not found

What a surprise!

h3ll Rkhunter (Rootkit Hunter) was previously available but removed from Solus' package manager in April 2025

Wrong. Your LLM seems to be confused. It's not even April 2025 yet, and it was NEVER part of the repository.

h3ll Yes, as i said in the post, clearly didnt read

In one place of your post you recommended it, in the other you told people to disable it. The problem is that I did read your post (which I regret more and more).

h3ll You can now use kagi without a account, as they recently posted their changelogs about that and everything

That's cool and all, but your initial link didn't work anyway. The new one does though.

I gotta say, I don't appreciate being accused of "not testing" and "not reading", when it seems to be you that doesn't test shit and just dumps output from some generative AI here.

hakimjonas

I'm sorry but this seems very unfocused and like you are generalizing from your own use case?

This is both a logical fallacy and also not very helpful to others. One example that others have also mentioned is about VPN. So because something I never heard about before (mulvad) wants YOU to drop openvpn it means that I should disable openvpn ? Even though my job requires me to use it?

If you want to compile a list of GENERAL advice, it should be GENERALLY applicable.

WetGeek

hakimjonas So because something I never heard about before (mulvad) wants YOU to drop openvpn it means that I should disable openvpn ?

I was pretty sure that Mullvad (which I use) does not preclude the use of OpenVPN, so I asked Grok about that:

"Yes, Mullvad does use OpenVPN. It supports OpenVPN as one of its VPN protocols, alongside WireGuard. Mullvad provides configuration files and settings for OpenVPN in its client software, allowing users to connect to its servers using this protocol. OpenVPN is known for its strong security and flexibility, which aligns with Mullvad’s focus on privacy. However, Mullvad also encourages the use of WireGuard for its speed and modern design, but OpenVPN remains fully supported for those who prefer it.
So, to sum up: Yes, Mullvad uses OpenVPN as an option for securing your connection to its VPN servers."

hakimjonas

WetGeek OK but my point was that OP posted this as:

"a concise security guide for new Solus users..."

And then precedes to recommend disabling openvpn even though this is a widely used tool. And the reason seem to be mostly about this other payed vpn service.

What ever they recommend might be correct for them but I don't see how this fits into a general guide for Solus users. But please enlighten me, I have been known to be wrong in the past.

h3ll

hakimjonas

disabling unused services on a Linux system, including Solus OS, can reduce the attack surface. Removing unnecessary software is a way to reduce the attack surface. Disabling unused services improves system security.

https://labex.io/tutorials/linux-linux-disable-command-with-practical-examples-422642
https://techcommunity.microsoft.com/blog/askperf/disabling-unnecessary-services-a-word-to-the-wise/373444
https://unix.stackexchange.com/questions/774460/from-a-security-standpoint-why-should-unused-software-be-deleted
https://discuss.getsol.us/d/4927-disabling-services
https://wafatech.sa/blog/linux/linux-security/best-practices-for-disabling-unnecessary-services-on-linux-servers/

hakimjonas

@h3ll It's not that I totally disagree but perhaps its a bit too opinionated. Again I might be wrong but I don't think inactive services present a very serious risk.

And you are probably correct in recommending wireguard but you have to understand that openvpn is not deprecated and is in fact used by many people and companies.

I for one have to use it, and actually want to suggest adding openvpn3 to eopkg - just haven't found time to learn how to correctly suggest that.

h3ll

hakimjonas

I never said you have to, only those that are security-conscious that's all. you can skip or ignore that part.

TraceyC

hakimjonas I for one have to use it, and actually want to suggest adding openvpn3 to eopkg - just haven't found time to learn how to correctly suggest that.

You're welcome to create a request for openvpn3 to be added

« Previous Page