Targeted Cyber Attacks on Users — How to Protect Your Linux System
Cybersecurity Measures Against Targeted Attacks
- This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.
- The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.
- This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.
Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.
Description of the Threat
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.
Please note that such targeted attacks against individuals, both within and outside of authoritarian states, are a real and growing threat. What the author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.
Countermeasures
Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds may contain embedded backdoors, trojans, rootkits, or other forms of malware, which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and install software from official repositories. Packages there are built by the distribution's own infrastructure from reviewed source, and the repository index is signed with the distribution's archive keys, which the package manager verifies on every download. That greatly reduces the likelihood of malicious code and gives a predictable, transparent security model.
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.
The adversary type described in this article is experienced and resourceful. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.
Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) so they do not catch you off guard.
Apply the most secure configurations available, especially if you store sensitive personal or professional information.
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.
This article is written both as a security recommendation and as a request for advice on improving system configuration.
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.
Practical Instructions
Linux system hardening recommendations:
1. Use full-disk encryption; the Debian installer offers it as the guided partitioning option with encrypted LVM. If your PC or laptop is stolen, or a drive is removed, the attacker cannot read any data at rest without the passphrase. Be clear about the limits: once the system is booted and unlocked, every process on it works with plaintext, and the key stays in RAM during suspend, so disk encryption is no defence against a live intrusion. Use a long passphrase for the encrypted volume and shut the machine down rather than suspending it whenever it leaves your control.
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all unnecessary remote-access services: first of all SSH servers and equivalents, remote desktop / VNC / RDP, and any other network service that could allow remote access but is not really needed. It is not enough to password-protect or disable them; remove the packages completely, then confirm that nothing is left listening on a network socket.
If you do need a remote-access service, use strong passwords of at least 16 to 20 characters, or longer, and never leave a remote-access service without authentication. For SSH in particular, prefer key-based authentication and disable password login in sshd_config, so that online password guessing is impossible regardless of password strength, and restrict where logins may come from (the VPN-only setup in the Related Aspects section below is one way).
Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser or longer.
Important: Do not hesitate to use long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.
3. Use only official repositories of your distribution to install software.
Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.
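The checks just described can be scripted. The following POSIX shell script is an added example, not the author's configuration or any project's code: audit_apt_sources flags entries in a one-line-style sources.list that lack a signed-by key or are not fetched over https, and verify_sha256 applies the sha256sum -c idiom to a downloaded file. The repository pkgs.example.org, the keyring path and the file names are constructed for the demonstration; the deb.debian.org and security.debian.org entries are skipped because their keys come from the debian-archive-keyring package.

```sh
#!/bin/sh
# Added example, not part of the original article.
# Two checks for item 3: audit APT sources and verify a download's SHA256.

# audit_apt_sources FILE
# Reads one-line-style APT entries ("deb [options] URL suite components").
# Prints "<finding>: <entry>" for every third-party entry that has no
# [signed-by=...] option or that is not fetched over https.
# Returns 0 when nothing was flagged, 1 otherwise.
audit_apt_sources() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) continue ;;                 # blank line or comment
            "deb "*|"deb-src "*) ;;             # a package source entry
            *) continue ;;                      # anything else
        esac
        # Official Debian mirrors are verified with keys shipped in the
        # debian-archive-keyring package, so they are not third-party.
        case "$line" in
            *://deb.debian.org/*|*://security.debian.org/*) continue ;;
        esac
        case "$line" in
            *signed-by=*) ;;
            *) printf 'no signed-by: %s\n' "$line"; rc=1 ;;
        esac
        case "$line" in
            *https://*) ;;
            *http://*) printf 'plain http: %s\n' "$line"; rc=1 ;;
            *) printf 'not https: %s\n' "$line"; rc=1 ;;
        esac
    done < "$1"
    return "$rc"
}

# verify_sha256 FILE EXPECTED_HEX
# Same "sha256sum -c" idiom you use against a vendor's SHA256SUMS file.
# Returns 0 only if the digest matches.
verify_sha256() {
    printf '%s  %s\n' "$2" "$1" | sha256sum -c >/dev/null 2>&1
}

# Demonstration on constructed input (the example.org repository is invented).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/sources.list" <<'EOF'
deb http://deb.debian.org/debian bookworm main
deb http://security.debian.org/debian-security bookworm-security main
deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://pkgs.example.org/debian bookworm main
deb http://pkgs.example.org/debian bookworm main
EOF
    audit_apt_sources "$dir/sources.list" || echo "sources: findings above"
    printf 'constructed package payload\n' > "$dir/tool.deb"
    good=$(sha256sum "$dir/tool.deb" | cut -d' ' -f1)
    verify_sha256 "$dir/tool.deb" "$good" && echo "checksum ok"
    verify_sha256 "$dir/tool.deb" "$(printf '%064d' 0)" || echo "mismatch detected"
    rm -rf "$dir"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument demo to see the two findings for the invented repository; pointed at the real /etc/apt/sources.list and the files in /etc/apt/sources.list.d, the audit function tells you which third-party entries still rely on the global trusted keyring or plain http.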
4. Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo.
- Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:
- Always read a script fully before running it (less script.sh, cat script.sh). In particular, never pipe a downloaded script straight into a shell; save it, read it, then run it.
- Never paste commands from untrusted or unverified sources into the terminal.
- Use sudo only when truly necessary; consider using sudoedit for editing configuration files.
- Follow the principle of least privilege: create separate user accounts and limit access rights where possible.
Important: Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.
5. Follow a server-style access model
Do not add regular users to the sudo group. Administrative work is done by switching to the root account explicitly (with su, or by logging in as root on a console), which requires the separate root password; the account you use every day should not be able to run commands as root via sudo. A compromise of the everyday account then does not hand the attacker a ready path to root. The Debian installer already follows this model when you set a root password during installation: the first user is then not added to the sudo group.
Yes, this can introduce some inconvenience in system administration, but this model provides a more secure configuration and reduces the risk of accidental or intentional security breaches.
Note: service accounts created by packages (e.g., www-data, postgres) and the nobody user are not members of the sudo group and have no sudo rights. Installing a program as root does not grant sudo privileges to the accounts that program creates; a service account can run commands as root only if someone explicitly adds it to the sudo group or writes a rule for it in sudoers.
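To check that a machine actually follows this model, here is an added example (not from the original article) in POSIX shell that inspects copies of /etc/group, /etc/passwd and /etc/sudoers: it lists members of the sudo-capable groups, flags any account besides root with UID 0 (a classic backdoor), and prints active NOPASSWD rules. The users alice, bob and svc in the demonstration are invented.

```sh
#!/bin/sh
# Added example, not part of the original article.
# Audit who can become root: sudo-capable group members, extra UID-0
# accounts, and passwordless sudo rules. Each function takes the file to
# inspect so it can run against copies or constructed samples.

# sudo_members [GROUP_FILE]   (default /etc/group)
# Prints every member of the sudo, wheel and admin groups, one per line.
sudo_members() {
    awk -F: '($1 == "sudo" || $1 == "wheel" || $1 == "admin") && $4 != "" { print $4 }' \
        "${1:-/etc/group}" | tr ',' '\n'
}

# extra_uid0 [PASSWD_FILE]   (default /etc/passwd)
# Prints any account other than root whose UID is 0.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# nopasswd_rules [SUDOERS_FILE]   (default /etc/sudoers)
# Prints active (non-comment) sudoers lines that grant passwordless sudo.
nopasswd_rules() {
    grep -v '^[[:space:]]*#' "${1:-/etc/sudoers}" | grep 'NOPASSWD' || true
}

# audit_root_access GROUP_FILE PASSWD_FILE SUDOERS_FILE
# Returns 0 when the server-style model holds (nobody in a sudo group, no
# extra UID-0 account, no NOPASSWD rule); prints findings and returns 1 otherwise.
audit_root_access() {
    rc=0
    m=$(sudo_members "$1")
    [ -n "$m" ] && { printf 'sudo-capable users: %s\n' "$(printf '%s' "$m" | tr '\n' ' ')"; rc=1; }
    u=$(extra_uid0 "$2")
    [ -n "$u" ] && { printf 'extra UID 0 accounts: %s\n' "$u"; rc=1; }
    n=$(nopasswd_rules "$3")
    [ -n "$n" ] && { printf 'NOPASSWD rules:\n%s\n' "$n"; rc=1; }
    return "$rc"
}

# Demonstration on constructed files (alice, bob and svc are invented).
demo() {
    dir=$(mktemp -d)
    printf 'root:x:0:\nsudo:x:27:alice,bob\nwww-data:x:33:\n' > "$dir/group"
    printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\nsvc:x:0:0::/:/bin/sh\n' > "$dir/passwd"
    printf '# %%sudo ALL=(ALL:ALL) NOPASSWD: ALL\nroot ALL=(ALL:ALL) ALL\nbob ALL=(ALL) NOPASSWD: /usr/bin/apt\n' > "$dir/sudoers"
    audit_root_access "$dir/group" "$dir/passwd" "$dir/sudoers" || echo "server-style model violated"
    rm -rf "$dir"
}
if [ "${1:-}" = demo ]; then demo; fi
```

On a live system call audit_root_access /etc/group /etc/passwd /etc/sudoers as root (sudoers is not world-readable); remember that rules in /etc/sudoers.d/ need the same check, and that the extra-UID-0 test is worth repeating periodically because it is one of the cheapest persistence mechanisms an intruder can leave behind.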
6. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. If you have difficulty configuring AppArmor, seek help from specialists or use AI-based tools.
The use of mandatory access control mechanisms represents an important layer of system protection. Without proper configuration, even a system with a correctly configured firewall may remain vulnerable to various types of attacks.
Warning: AppArmor, SELinux and other Mandatory Access Control (MAC) mechanisms may cause system malfunction if misconfigured. Errors in profiles or policies can result in service failures, boot issues, user session lockout, or restricted access to system resources. In some cases, system recovery may be difficult even when using recovery mode, a chroot environment, or booting from a Live/Rescue medium. For AppArmor the escape hatch is to add apparmor=0 to the kernel command line for one boot (edit the entry in the GRUB menu), which starts the system with AppArmor disabled so the faulty profile can be fixed or deleted; for a single profile, aa-complain switches it from enforce to complain mode without touching the rest.
It is recommended to perform testing and development of complex and/or custom policies and profiles in an isolated environment (for example, in a virtual machine). It is advisable to retain change logs and terminal output for subsequent analysis.
Configuration changes should be applied to the host system only after confirming correct and stable operation in the test environment.
Additional recommendations:
- When restricting potentially vulnerable system services and daemons, use AppArmor profiles with the minimum required permissions (principle of least privilege).
- For potentially vulnerable user applications (browsers, messengers, database managers), prioritize isolation using sandboxing solutions (e.g., Flatpak, Firejail). Use AppArmor as an additional layer or where sandboxing is not available. Review what a sandbox actually grants: many Flatpaks ship with broad permissions such as full home-directory access, which can be tightened per application with flatpak override (or graphically with Flatseal).
- This approach creates an architecture where applications are isolated from each other and from the system. If a sandboxed application is compromised, its access to other applications and to the system as a whole is restricted as far as possible, which significantly hinders further actions by an attacker.
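As an added example of a customized, least-privilege profile (written for this article, not taken from the AppArmor project or from the author's system), the profile below confines a hypothetical program /usr/local/bin/notes-sync that needs outbound TCP, its own configuration and state directories, and nothing else. The program name and all paths are assumptions; adapt them to the application you are confining.

```apparmor
# /etc/apparmor.d/usr.local.bin.notes-sync
# Added example profile for a hypothetical program; not from the AppArmor
# project or the author's system. Program name and paths are assumptions.
abi <abi/3.0>,
include <tunables/global>

/usr/local/bin/notes-sync {
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/ssl_certs>

  # The binary itself, mapped read-only.
  /usr/local/bin/notes-sync mr,

  # Outbound TCP only: no raw sockets, no UDP, nothing that lets it listen as a server.
  network inet stream,
  network inet6 stream,

  # Own configuration (read) and own state (read/write); nothing else under $HOME.
  owner @{HOME}/.config/notes-sync/** r,
  owner @{HOME}/.local/share/notes-sync/** rw,

  # Everything not listed is already denied. Explicit deny rules additionally
  # keep the audit log quiet for paths a compromised process is sure to probe.
  deny @{HOME}/.ssh/** mrwkl,
  deny @{HOME}/.gnupg/** mrwkl,
  deny @{HOME}/.config/keepassxc/** mrwkl,

  # The program has no business escalating privileges.
  deny capability sys_admin,
  deny capability net_raw,
  deny capability setuid,
}
```

Install it under /etc/apparmor.d/, load it with apparmor_parser -r, start in complain mode with aa-complain so that violations are logged but not blocked, watch the kernel log (or run aa-logprof) while exercising the application, and only then switch to enforce mode with aa-enforce and confirm the state with aa-status. The deny rules for .ssh, .gnupg and the password-manager database are the part worth copying into any profile for a network-facing application: those directories are what an intruder inside the process will look for first.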
7. Use advanced network filtering settings: iptables or nftables, or a commercial firewall.
In addition to blocking all unnecessary incoming connections (on most home workstations you can drop all unsolicited incoming traffic, keeping only loopback and replies to connections the machine itself opened), be sure to also restrict outgoing connections: allow only the ports and destinations the system and its applications really need and drop the rest. Egress filtering limits what a compromised process can reach (command-and-control servers, data exfiltration) and reduces the attack surface.
My nftables config can be viewed here.
In addition to iptables/nftables, it is strongly recommended to use OpenSnitch, an interactive application firewall that shows in real time the destination IP, process, PID, and port for each new connection and lets you allow or block it, permanently or for the session. Combined with nftables this gives significantly more robust protection.
OpenSnitch works on top of Netfilter: its daemon receives new connections through an NFQUEUE rule and attributes each one to the process that opened it, so instead of merely showing "traffic on a port" it reveals exactly which program is trying to connect to where. The project is not widely known, yet it is extremely useful, actively developed, and deserves the community's attention and support.
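The following nftables ruleset is an added example (not the author's configuration linked above) of the stateful default-deny policy in both directions described here, written for a single workstation. The egress port sets, the commented tunnel rules, the VPN server address 203.0.113.1 and the interface names tun0 and wg0 are assumptions to adapt; the commented input rule also shows the server case from the VPN section below, where SSH is reachable only through the tunnel.

```nft
#!/usr/sbin/nft -f
# Added example, not the author's ruleset: stateful default-deny in both
# directions for one workstation. Interface names, the VPN server address
# and the port sets are assumptions to adapt.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state invalid drop
        ct state established,related accept
        # Only the ICMP types a host needs for working IPv4/IPv6 (PMTU, neighbour discovery).
        icmp type { destination-unreachable, time-exceeded, echo-reply } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-reply, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        # Server variant: SSH only from inside the VPN tunnel, never from the physical interface.
        # iifname "tun0" tcp dport 22 accept
        limit rate 5/minute log prefix "nft-in-drop: "
        counter drop
    }

    chain output {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        ct state invalid drop
        ct state established,related accept
        # DHCP, DNS, NTP over UDP; DNS, HTTP, HTTPS over TCP. Add a port only
        # when an application demonstrably needs it; OpenSnitch shows which.
        udp dport { 53, 67, 123 } accept
        tcp dport { 53, 80, 443 } accept
        # VPN killswitch variant: let the physical interface carry only the
        # tunnel itself and move the application rules onto the tunnel, e.g.
        #   ip daddr 203.0.113.1 udp dport 51820 accept
        #   oifname "wg0" udp dport { 53, 123 } accept
        #   oifname "wg0" tcp dport { 53, 80, 443 } accept
        # and then delete the two unrestricted accept rules above.
        icmp type { echo-request, destination-unreachable } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } accept
        limit rate 5/minute log prefix "nft-out-drop: "
        counter drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}
```

Save it as /etc/nftables.conf, check the syntax with nft -c -f /etc/nftables.conf, load it with nft -f, and enable the nftables service so it is restored at boot. Watch the journal for the nft-out-drop prefix for a few days: every logged destination is either an application that needs a rule or something that should not have been talking at all.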
8. Configure kernel parameters for maximum security (sysctl hardening). My 99-protect.conf config can be viewed here.
Master the syntax and policies of nftables, AppArmor, and sysctl. These are native Linux kernel mechanisms for traffic filtering, mandatory access control (MAC), and system parameter restrictions. Deep proficiency in configuring them is critically useful for building secure systems.
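Below is an added example of such a sysctl fragment (written for this article; it is not the author's 99-protect.conf). Every key is a documented kernel parameter; the comments note the trade-offs a desktop user should know, in particular that disabling unprivileged user namespaces would break the Flatpak and Firejail sandboxes recommended in item 6.

```conf
# /etc/sysctl.d/99-hardening.conf
# Added example, not the author's 99-protect.conf.
# Apply with: sysctl --system   Verify one key with: sysctl kernel.yama.ptrace_scope
# Comments are kept on their own lines; sysctl files do not reliably accept
# trailing comments after a value.

# Hide kernel pointers and the kernel log from unprivileged users.
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
# 1 = only a parent may ptrace its descendants; 2 = only CAP_SYS_PTRACE.
# With 2 a normal user cannot attach a debugger, acceptable on a desktop.
kernel.yama.ptrace_scope = 2
# Unprivileged BPF is a recurring source of kernel exploits. Setting 1 here
# cannot be undone until reboot.
kernel.unprivileged_bpf_disabled = 1
# No kexec into an attacker-supplied kernel; no magic SysRq from the console.
kernel.kexec_load_disabled = 1
kernel.sysrq = 0
# Do NOT set kernel.unprivileged_userns_clone = 0 on a desktop that runs
# Flatpak, Firejail or a browser: their sandboxes depend on user namespaces.

# Refuse link and FIFO tricks in world-writable directories; no core dumps
# from setuid binaries.
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.protected_fifos = 2
fs.protected_regular = 2
fs.suid_dumpable = 0

# Network: reverse-path check (use 2 instead of 1 if a VPN or a second
# uplink makes routing asymmetric), no ICMP redirects, no source routing,
# log spoofed packets, SYN cookies against SYN floods.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
# Only when this host's IPv6 is configured statically or unused:
# net.ipv6.conf.all.accept_ra = 0
```

After sysctl --system, read back a few keys to confirm nothing else (a later file in /etc/sysctl.d/, or a service that sets parameters at start) has overridden them; the value the kernel actually holds is the one that matters.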
9. Use intrusion detection and prevention tools. Host-based examples: auditd (a kernel audit trail of system calls and file access), AIDE (file-integrity baseline and comparison), OSSEC and Wazuh (host intrusion detection with log analysis), Falco (runtime behaviour rules); network-based: Suricata (an IDS, or an IPS when run inline). Detection tools log attacker activity inside your system or network; prevention tools can also block it, logging each blocked event. My auditd config can be viewed here.
10. Test the system for vulnerabilities using scanners (for example, lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.
11. If you suspect that you are being targeted by a focused attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected captures can then be sent to security specialists or AI-based analysis tools for further investigation. Bear in mind that a capture taken on a host the attacker already controls may be incomplete or doctored; where possible, capture from a separate machine or from the router (a mirror port, or tcpdump on the router itself), and store the files somewhere the suspect host cannot modify them.
These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.
12. Follow the principle of Attack Surface Reduction (or Occam's Razor) — disable all unnecessary daemons, services, and processes that are not required for your workflow.
- If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.
- If you are certain you will never use it, remove it completely from the system.
- Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. Always create a full system backup (rsync) before making any significant configuration changes or modifications.
- Always simulate the removal first to see what apt would remove without actually uninstalling. Example:
sudo apt -s remove <package>
or:
sudo apt remove --simulate <package>
- Always check what other packages apt wants to remove.
This practice reduces potential attack vectors and strengthens overall system security.
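Items 2 and 12 both end with the same question: what is still listening on this machine? The following POSIX shell script is an added example (not from the original article) that answers it from the kernel's own /proc/net/tcp and /proc/net/tcp6 tables rather than from ss or netstat, so it works on a minimal install and is not fooled by a userland tool that has been replaced; the sample table in the test is constructed. The function names and the output format are my own.

```sh
#!/bin/sh
# Added example, not part of the original article.
# Enumerate listening TCP sockets directly from /proc/net/tcp and
# /proc/net/tcp6. Pass a file to parse a saved copy instead of the live table.

# listening_tcp [FILE]
# Prints "ADDR:PORT uid=N inode=M" for every socket in state LISTEN (0A).
# IPv4 addresses are stored as little-endian hex, ports as big-endian hex;
# IPv6 addresses (32 hex digits) are printed raw in brackets.
listening_tcp() {
    awk '
        function hex(s,   i, n) {
            n = 0; s = toupper(s)
            for (i = 1; i <= length(s); i++)
                n = n * 16 + index("0123456789ABCDEF", substr(s, i, 1)) - 1
            return n
        }
        function ipv4(h) {
            return hex(substr(h, 7, 2)) "." hex(substr(h, 5, 2)) "." hex(substr(h, 3, 2)) "." hex(substr(h, 1, 2))
        }
        NR > 1 && $4 == "0A" {
            split($2, a, ":")
            addr = (length(a[1]) == 8) ? ipv4(a[1]) : "[" a[1] "]"
            printf "%s:%d uid=%s inode=%s\n", addr, hex(a[2]), $8, $10
        }' "${1:-/proc/net/tcp}"
}

# exposed_listeners [FILE]
# Keeps only sockets not bound to loopback (127.0.0.0/8, or ::1 which the
# kernel stores as 00000000000000000000000001000000). Every line printed is
# reachable from the network and needs a justification.
exposed_listeners() {
    listening_tcp "$@" | { grep -v -e '^127\.' -e '^\[00000000000000000000000001000000\]' || true; }
}

# inode_to_pid INODE
# Maps a socket inode to its owning process by scanning /proc/*/fd
# (run as root to see other users' processes). Prints "PID COMM".
inode_to_pid() {
    for fd in /proc/[0-9]*/fd/*; do
        if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then
            pid=${fd#/proc/}; pid=${pid%%/*}
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

# Run with the argument "report" to list what this host exposes and who owns it.
if [ "${1:-}" = report ]; then
    for table in /proc/net/tcp /proc/net/tcp6; do
        exposed_listeners "$table" | while read -r sock uid inode; do
            printf '%s %s %s\n' "$sock" "$uid" "$(inode_to_pid "${inode#inode=}" | head -n 1)"
        done
    done
fi
```

A socket bound to 0.0.0.0 or to [00000000000000000000000000000000] (IPv6 any) is the one to investigate: find the owning process, decide whether it must exist, and if not, stop and purge the package rather than merely firewalling it. Keep a copy of the report after hardening; diffing a fresh report against it is a cheap way to notice a new listener later.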
13. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.
14. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it.
Format: # YYYY-MM-DD HH:MM, short description of the change, reason
Example: editing sshd_config to disable root login via SSH. Put the note on its own line directly above the directive; a comment on the same line as a value is accepted by some configuration parsers but rejected or silently misread by others, so the separate line is the portable choice.
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement
PermitRootLogin no
Why it matters:
- Allows you to quickly understand when and why a change was made.
- Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.
- Simplifies system audits and security reviews.
15. Use desktop environments based on Wayland.
Wayland is a modern display server protocol that provides stronger application isolation. Unlike Xorg, where any client application can potentially intercept input (keyboard, mouse) and observe other windows, Wayland implements a model in which applications do not have direct access to each other or to global input; all input handling is mediated by the compositor.
This significantly reduces the impact of a single application compromise: even if an application is exploited, it cannot transparently monitor user activity in other programs.
Wayland is supported by modern desktop environments such as GNOME (the default in Debian 13), KDE Plasma, and others.
Xorg is considered outdated from a security perspective due to its architecture, which lacks proper client isolation.
It is recommended to verify that your desktop environment is actually running on Wayland rather than Xorg (for example, by checking that the XDG_SESSION_TYPE environment variable is set to wayland). Note that applications without native Wayland support run under XWayland, and XWayland clients can still see each other's windows and input in the traditional X11 way, so prefer native Wayland builds of browsers and messengers where they exist.
If the GNOME interface feels unfamiliar, it can be extensively customized using extensions and system settings, allowing you to adapt window behavior and panels to your preferred workflow.
Related Aspects of Internet Security
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.
1. Store passwords in a reliable password manager.
Outdated and insecure practices for storing passwords are still commonly encountered, including:
- relying on human memory, with the risk of forgetting or confusing credentials;
- storing passwords on paper media, which can be damaged, lost, or stolen;
- saving passwords in web browsers in unencrypted form;
- keeping passwords in plain text files on the desktop or in other directories without encryption;
- and similar approaches.
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.
Regularly create up-to-date backups of the encrypted password database.
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally not resistant to compromise.
Additional Practical Recommendations
A password manager (for example, KeePassXC) can be configured to type the superuser password into a terminal window automatically (auto-type). Bind the auto-type sequence strictly to a specific terminal window title so that the password cannot be typed into another field or application, and make sure the password prompt is actually on screen before triggering it; otherwise the secret lands on the shell command line and in its history. This approach makes it possible to use long, cryptographically strong passwords for privileged operations. Note that auto-type relies on X11 keystroke injection and is generally not available in a native Wayland session (item 15 above); there, copy the entry to the clipboard with the clipboard-clear timeout enabled instead.
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.
It is essential to use a strong master password and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see Authenticator app), or a hardware security key such as a YubiKey.
Hardware authenticators (USB/NFC keys), including YubiKey and similar devices, offer the following advantages:
- They resist phishing: with FIDO2/WebAuthn the key signs a challenge bound to the site's origin, so a credential registered for the real site will not work on a fake or look-alike domain.
- The private key never leaves the device, so it cannot be extracted remotely or over the network, unlike an authenticator app's seed, which can be copied if the phone or its backup is compromised.
- They are not tied to a phone number and are therefore immune to the SIM-swap attacks that defeat SMS-based 2FA.
For now, it is one of the most reliable hardware-based options for two-factor authentication.
3. Using VPN to improve privacy and security
If you are a private user, you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications. Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards. It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.
Using a VPN increases your privacy: all of your traffic is encrypted on the path between your device and the VPN server, so observers on your local network and your Internet service provider see only an encrypted tunnel. This makes it harder for an attacker to apply social-engineering methods based on traffic analysis, and it helps protect you if your provider's infrastructure is compromised. Note that the VPN provider can now see what the ISP no longer sees, so choose one you trust more than your ISP and the local network, and remember that a VPN does nothing against malware already on the host.
If you own a server and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.
Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture. In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong account security, but its services collect extensive telemetry. That data is encrypted in transit and at rest against outside attackers, yet by design it is readable by the provider itself and by anyone who can compel or compromise the provider, which may be undesirable for users who value strict privacy.
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.
Cheap consumer-grade routers with stock firmware rarely offer real traffic filtering, and their firmware often goes unpatched; a router running OpenWrt (whose firewall, fw4, has been nftables-based since release 22.03) or comparable firmware gives you the same rule language at the network edge as on the host. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.
7. Hardware Firewall
If you handle confidential information on your computer and are in a high-risk zone for cyberattacks, consider using an additional layer of protection such as a hardware firewall.
Important note on cost: In addition to the one-time cost of the device (starting from approximately $55), an annual paid subscription is required for threat intelligence updates. Therefore, this solution is economically justified primarily in two cases:
- You work with critically important information whose leakage is unacceptable (e.g., trade secrets, client personal data, unique developments, or if your professional activities involve sensitive data in fields such as law enforcement, military, legal practice, journalism, healthcare, and so on).
- You have well-founded suspicions that you or your organization could be the target of a directed attack.
Attackers often rely on direct interaction with your devices. The presence of a dedicated, subscription-updated hardware firewall creates a significant obstacle for them. It acts as an independent filter, analyzing all incoming and outgoing traffic before it reaches your end devices. This substantially increases the cost and complexity of an attack for the malicious actor, reducing its effectiveness.
However, this should not be viewed as a panacea. It is an additional, not the sole, layer of defense. Its presence does not negate the necessity of:
- Configuring the basic security of your router.
- Using a software firewall and antivirus on your PC.
- Timely updating your operating system and applications.
- Practicing good cyber hygiene (e.g., using a password manager, being cautious of phishing).
A hardware firewall should be seamlessly integrated into your overall security architecture, forming a multi-layered (defense-in-depth) protection system. It is precisely such a system, where breaching one barrier does not lead to the compromise of the entire network, that poses the most serious challenge for attackers.
Artificial intelligence tools, hardware authenticators, Hardware Firewalls and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.
8. It is also important to consider the possibility of hardware-level attacks. Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable to perform a hardware-level assessment as well, including verification of device firmware integrity and configuration. On Debian, fwupd (the fwupdmgr command) can report and install vendor-signed firmware updates for supported devices; for hardware it does not cover, compare the installed firmware version and checksum against the values the vendor publishes.
And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.
Examples of Deep Custom Security Configurations
The following page contains examples of strong, individualized configurations for nftables, sysctl and auditd: Examples of Deep Custom Security Configurations.
Useful Programs
This page provides a list of programs that are useful and directly related to configuring and maintaining the security of Linux systems.
The included programs are either open-source (the majority) or commercial with freely available limited features sufficient to cover the core security tasks (a smaller portion).
Additional articles on the author's site:
Note: The following materials are provided for awareness, defensive, and educational purposes only. They are intended to help users recognize threats and build their own security. All personal data and identifiers have been anonymized.
Author's analysis of targeted attacks — The author provides an analysis of a complex targeted attack that was used against him, including social-engineering and psychological components, as well as cyber attack vectors and defensive measures. The material has been anonymized to remove any personal data or references to real individuals.
Information and Behavioral Hygiene for Working with a PC — This is an extensive popular-science essay dedicated to comprehensive digital hygiene. Drawing on years of personal (and often bitter) experience in working with PCs, observing user behavior, working in the security sector, as well as experience in countering scammers and manipulators online, the author formulates a system of practical principles for conscious, safe, and productive work with a PC and on the Internet.
Psychological Suppression via the Disbelief Effect — The Disbelief Effect is a subtle, systemic tactic aimed at depriving a person of support, discrediting their testimony, and thereby weakening their ability to resist. When doubt, ridicule, and neglect become the social norm surrounding a particular individual, it functions as a form of psychological weapon: isolation, humiliation, loss of control over one’s own reality. This article provides a detailed analysis of the nature of the Disbelief Effect, its mechanisms, consequences, and practical recommendations: what must never be done and what can effectively be done under such pressure.
External Resources
Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña. This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team.
Read this document — it is essential reading for any Debian user concerned with system security.
The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy. The definitive guide to nftables, the modern replacement for iptables, ip6tables, arptables, and ebtables, from basic concepts to enterprise-level configurations.
iptables, nftables, and You: A Friendly Guide to Traffic Rules. A friendly guide to iptables and nftables in Linux: explains the Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers the differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables-to-nftables transition and for practical examples.
AppArmor: the official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system.
Security, Privacy and Anonymity in Linux Mint — Michel Nallino. A good and comprehensive work on Linux Mint security that is also useful for other Linux distributions.
CISA — Cybersecurity Best Practices. CISA (the US Cybersecurity and Infrastructure Security Agency) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.
Acknowledgements
Thanks to the Linux community for feedback and improvements to this article, especially through discussions on LinuxQuestions.org.
Thanks are also extended to the Debian Forum administrators for adding this article to the Debian User Forums archive as useful and up-to-date material.
Discussion: Please share comments and suggestions on the discussion page.
