Targeted Cyber Attacks on Users — How to Protect Your Linux System
Cybersecurity Measures Against Targeted Attacks
- This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.
- The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.
- This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.
Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.
Description of the Threat
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What the author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.
Countermeasures
Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.
The adversary type described in this article is experienced and resourceful. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.
Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) so they do not catch you off guard.
Apply the most secure configurations available, especially if you store sensitive personal or professional information.
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.
This article is written both as a security recommendation and as a request for advice on improving system configuration.
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.
Practical Instructions
Linux system hardening recommendations:
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all unnecessary remote access services. First of all: SSH servers and equivalents, remote desktop / VNC / RDP, and other network services that can allow remote access but are not really needed. They should not merely be password-protected or disabled — completely remove them from the system.
If you do need a remote-access service, use strong passwords of at least 16–20 characters or longer. Do not leave any remote-access services without passwords.
Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser or longer.
Important: Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.
3. Use only official repositories of your distribution to install software.
Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.
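As an added example (not from the original page), a small POSIX shell helper for the verification step described above: it checks a manually downloaded file against an expected SHA-256 digest or a SHA256SUMS list, and shows the detached-signature check as a separate function. File names such as pkg.deb, SHA256SUMS and vendor-keyring.gpg are placeholders, and the signature check assumes the vendor's public key was already imported into a dedicated keyring and its fingerprint confirmed out of band.

```shell
#!/bin/sh
# Added example: verify a manually downloaded artifact before installing it.
# pkg.deb, SHA256SUMS and vendor-keyring.gpg below are placeholder names.

# verify_sha256 <file> <expected-sha256-hex>
# Returns 0 on match, 1 on mismatch, 2 on a malformed digest or unreadable file.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case digests too
    case "$expected" in
        *[!0-9a-f]* | "") echo "refusing: digest is not hexadecimal" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "refusing: digest must be 64 hex chars" >&2; return 2; }
    actual=$(sha256sum -- "$file") || return 2
    actual=${actual%% *}                              # drop the "  filename" suffix
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "MISMATCH: $file: expected $expected, got $actual" >&2
    return 1
}

# verify_sums_file <SHA256SUMS>
# Checks every listed file that is present in the current directory.
# --strict turns malformed lines into an error, so a damaged list cannot pass silently;
# if no listed file is present at all, sha256sum fails rather than reporting success.
verify_sums_file() {
    sha256sum --check --ignore-missing --strict --quiet -- "$1"
}

# verify_signature <SHA256SUMS> <SHA256SUMS.asc> <keyring>
# The keyring should contain only the vendor's key, so a signature made by any
# other key is rejected instead of being trusted by accident.
verify_signature() {
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1"
}

# Typical order of operations (not executed here): signature first, then digests,
# then install only if both checks passed.
#   verify_signature SHA256SUMS SHA256SUMS.asc ./vendor-keyring.gpg \
#     && verify_sums_file SHA256SUMS \
#     && sudo apt install ./pkg.deb
```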
4. Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo.
- Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:
- Always read a script fully before running it (less script.sh, cat script.sh).
- Never paste commands from untrusted or unverified sources into the terminal.
- Use sudo only when truly necessary; consider using sudoedit for editing configuration files.
- Follow the principle of least privilege — create separate user accounts and limit access rights where possible.
Important: Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.
5. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).
6. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. My nftables config is attached below.
7. Configure kernel parameters for maximum security (sysctl hardening). My 99-protect.conf config is attached below.
8. Use IDS/IPS systems — intrusion detection and prevention systems (examples: auditd, OSSEC, Wazuh, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). My auditd config is attached below.
9. Test the system for vulnerabilities using scanners (for example, lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.
10. If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation.
These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.
11. Follow the principle of Attack Surface Reduction (or Occam's Razor) — disable all unnecessary daemons, services, and processes that are not required for your workflow.
- If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.
- If you are certain you will never use it, remove it completely from the system.
Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. Always create a full system backup before making any significant configuration changes or modifications.
- Always simulate the removal first to see what apt would remove without actually uninstalling. Example:
sudo apt -s remove <package>
or:
sudo apt remove --simulate <package>
- Always check what other packages apt wants to remove.
This practice reduces potential attack vectors and strengthens overall system security.
12. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.
13. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it.
Format: # YYYY-MM-DD HH:MM, short description of the change, reason
Example: Editing sshd_config to disable root login via SSH:
PermitRootLogin no    # 2025-11-09 14:35, root login via SSH disabled, system security enhancement
Note that not every configuration format accepts a comment at the end of a line (systemd unit files, for example, recognize comments only on their own line), so when in doubt put the note on a separate line directly above the change.
Why it matters:
- Allows you to quickly understand when and why a change was made.
- Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.
- Simplifies system audits and security reviews.
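As an added example (not part of the original page), a POSIX shell function that collects annotations written in exactly this format from one file or recursively from a directory such as /etc and prints them as a change log sorted by timestamp; the optional second argument, an assumed convenience, limits the output to changes made on or after a given date.

```shell
#!/bin/sh
# Added example: build a change log from "# YYYY-MM-DD HH:MM, description, reason"
# annotations in configuration files. Works on a single file or on a directory tree.
#
# config_changelog <file-or-directory> [since-YYYY-MM-DD]
# Prints one line per annotation, "YYYY-MM-DD HH:MM  file:line  description, reason",
# in chronological order (ISO timestamps sort correctly as plain text).
config_changelog() {
    grep -rHnE '#[[:space:]]*[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2},' "$1" 2>/dev/null \
    | awk -v since="${2:-0000-00-00}" '
        {
            # grep output is "file:line:<config text>"; locate the annotation inside it
            if (!match($0, /#[ \t]*[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9],/))
                next
            prefix = substr($0, 1, RSTART - 1)
            note   = substr($0, RSTART)
            sub(/^#[ \t]*/, "", note)            # "2025-11-09 14:35, desc, reason"
            stamp  = substr(note, 1, 16)         # "2025-11-09 14:35"
            if (substr(stamp, 1, 10) < since) next
            rest   = substr(note, 17)
            sub(/^,[ \t]*/, "", rest)            # "desc, reason"
            split(prefix, p, ":")                # p[1] = file, p[2] = line number
            print stamp "  " p[1] ":" p[2] "  " rest
        }' \
    | sort
}

# Example (not executed here): every annotated change under /etc since 1 November 2025
#   config_changelog /etc 2025-11-01
```

Because the output carries the file and line of every change, it doubles as a quick checklist of what to re-examine after an upgrade replaces a configuration file.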
Related Aspects of Internet Security
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.
1. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see Authenticator app), or a hardware security key such as a YubiKey.
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:
- YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.
- It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.
- Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number.
For now, it is one of the most reliable hardware-based options for two-factor authentication.
2. Using VPN to improve privacy and security
If you are a private user, you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications. Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards. It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.
If you own a server and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.
3. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.
Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture. In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.
Note: Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.
4. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.
And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.
Examples of Deep Custom Security Configurations
The following page contains examples of strong, individualized configurations for SELinux, nftables, sysctl and auditd:
Examples of Deep Custom Security Configurations.
Useful Programs
This page provides a list of programs that are useful and directly related to configuring and maintaining the security of Linux systems.
The included programs are either open-source (the majority) or commercial with freely available limited features sufficient to cover the core security tasks (a smaller portion).
Additional articles on the author's site: comprehensive analysis of targeted attacks
The author provides a detailed analysis of a complex targeted attack that was used against him, including social-engineering and psychological components, as well as cyber attack vectors and defensive measures. The material has been anonymized to remove any personal data or references to real individuals.
Author's analysis of targeted attacks
This content is intended for awareness, defensive, and educational purposes only.
External Resources
Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña. This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team.
The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy. The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations.
iptables, nftables, and You: A Friendly Guide to Traffic Rules. A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples.
SELinux System Administration, Third Edition — Sven Vermeulen. Implement mandatory access control to secure applications, users, and information flows on Linux.
AppArmor. The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system.
Security, Privacy and Anonymity in Linux Mint — Michel Nallino. A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions.
Acknowledgements
Thanks to the Linux community for feedback and improvements to this article, especially through discussions on LinuxQuestions.org.
Biography: The author's biography is available on the blackcat568 biography page.
Discussion: Please share comments and suggestions on the discussion page.
