Security Essentials
1. Firewall Configuration (UFW)
A firewall controls incoming and outgoing network traffic. UFW (Uncomplicated Firewall) is a user-friendly frontend for iptables.
1.1. Installation
UFW may already be installed on some Arch-based distributions; the --needed flag below skips packages that are already present. gufw is a graphical interface for UFW, convenient for KDE.
sudo pacman -S --needed ufw gufw
1.2. Basic Configuration
It's best to set default policies first: deny all incoming traffic and allow all outgoing. Then, explicitly allow services you need.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw limit ssh # Allow SSH but rate-limit it: an address that opens 6 or more connections within 30 seconds is temporarily denied
1.3. Enable and Start UFW
sudo systemctl enable --now ufw.service; sudo ufw enable
- UFW will ask for confirmation before enabling, as it might disrupt existing connections. Ensure you've allowed SSH if you're connected remotely.
1.4. Check Status
sudo ufw status verbose
2. Antivirus Setup (ClamAV)
2.1. Installation
Install clamav and its GTK frontend clamtk. firejail and its GUI firetools are not part of ClamAV; they are a sandbox for confining untrusted programs and are installed here alongside it.
sudo pacman -S --needed clamav clamtk firejail firetools
2.2. Configure Freshclam (Virus Definition Updater)
The default configuration files (/etc/clamav/freshclam.conf and /etc/clamav/clamd.conf) ship with a line consisting of the word "Example". freshclam and clamd refuse to start while that line is present, so it must be commented out or removed; after that ClamAV uses its internal defaults for anything you don't set explicitly.
sudo sed -i 's/^Example/#Example/' /etc/clamav/freshclam.conf
sudo sed -i 's/^Example/#Example/' /etc/clamav/clamd.conf
- This command comments out any line that begins with the word "Example".
- You may still want to review these files manually (e.g., sudo nano /etc/clamav/freshclam.conf) to adjust settings like update frequency or proxy servers if needed.
2.3. Create and Set Permissions for ClamAV Directories
These directories are usually created by the package manager, but verify and set permissions.
sudo mkdir -p /var/lib/clamav
sudo chown clamav:clamav /var/lib/clamav
sudo chmod 755 /var/lib/clamav
sudo mkdir -p /var/log/clamav
sudo chown clamav:clamav /var/log/clamav
sudo chmod 750 /var/log/clamav # Owner read/write/execute, group read/execute, others no access
2.4. Create and Set Permissions for Log Files
sudo touch /var/log/clamav/freshclam.log
sudo chown clamav:clamav /var/log/clamav/freshclam.log
sudo chmod 640 /var/log/clamav/freshclam.log # Owner r/w, group read
sudo touch /var/log/clamav/clamd.log
sudo chown clamav:clamav /var/log/clamav/clamd.log
sudo chmod 640 /var/log/clamav/clamd.log
2.5. Manually Update Virus Definitions
Run freshclam for the first time.
sudo freshclam
2.6. Enable and Start ClamAV Services
- clamav-freshclam.service: keeps the virus definitions updated automatically.
- clamav-daemon.service: the ClamAV scanning daemon (clamd), used by clamdscan for faster on-demand scans and for on-access scanning if configured. It will not start until a signature database exists in /var/lib/clamav, so run the manual freshclam update in 2.5 first.
sudo systemctl enable --now clamav-freshclam.service
sudo systemctl enable --now clamav-daemon.service
2.7. Verify Service Status
sudo systemctl status clamav-freshclam.service
sudo systemctl status clamav-daemon.service
2.8. Running a Scan
- Command-line:
clamscan -r --infected /home/your_username/Downloads # Scan a directory recursively, show only infected files
clamscan -r --exclude-dir="^/sys" --exclude-dir="^/proc" --exclude-dir="^/dev" / # Scan the entire filesystem, skipping pseudo-filesystems (can take a very long time)
clamdscan --fdpass /home/your_username/Downloads # Same scan through the running clamav-daemon; faster because the signatures are already loaded
- Exit codes: 0 means nothing was found, 1 means at least one infected file, 2 means an error (e.g., no database). Scripts should check the exit code rather than parse the output.
- Graphical (ClamTk): Search for "ClamTk" in your application launcher.
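As an added example (not part of the original guide), a shell self-test that writes the standard EICAR test file into a temporary directory, scans it with clamscan, and decides the outcome from clamscan's exit code rather than from its printed output. The EICAR string and the exit-code meanings are ClamAV's documented behaviour; the function names and the temporary directory are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example: confirm that clamscan actually detects a known test file.
# The EICAR string is harmless; every AV engine is expected to flag it.

# Write the 68-byte EICAR test file into the directory given as $1.
# Single quotes keep the shell from expanding the $ and \ characters.
write_eicar() {
    local dir="$1"
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' \
        > "$dir/eicar.com"
}

# Map clamscan's documented exit codes to a word:
# 0 = clean, 1 = infected, anything else = error (missing database, unreadable path, ...).
interpret_clamscan_rc() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Scan a directory recursively, print only infected files, and return a
# word describing the result instead of relying on the human-readable output.
scan_dir() {
    local dir="$1" rc=0
    clamscan -r --infected --no-summary "$dir" || rc=$?
    interpret_clamscan_rc "$rc"
}

# Self-test: drop the EICAR file in a temp dir and confirm it is caught.
# Returns non-zero if the scanner misses it (typically: no database loaded).
eicar_selftest() {
    local tmp result
    tmp=$(mktemp -d)
    write_eicar "$tmp"
    result=$(scan_dir "$tmp")
    rm -rf "$tmp"
    echo "eicar self-test: $result"
    [ "$result" = infected ]
}

if command -v clamscan >/dev/null 2>&1; then
    eicar_selftest
else
    echo "clamscan not installed; skipping self-test" >&2
fi
```

If the self-test reports "clean" or "error" right after installation, the usual cause is that freshclam has not yet downloaded a database, which is why the manual freshclam run comes before starting the daemon.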
3. System Auditing & Monitoring
3.1. Check Logs Regularly
Use journalctl to review system logs for suspicious activity.
journalctl -p err # Show messages at priority err and anything more severe (crit, alert, emerg)
journalctl -u sshd.service --since "1 hour ago" # Check SSH logs from the last hour
journalctl -f # Follow logs in real-time
3.2. Consider fail2ban (Optional, More Advanced)
fail2ban scans log files (e.g., for SSH, web servers) and bans IPs that show malicious signs like too many password failures.
sudo pacman -S --needed fail2ban
# Configure in /etc/fail2ban/jail.local, which overrides /etc/fail2ban/jail.conf. Put only your changes there (e.g. an [sshd] section with enabled = true, plus backend = systemd, because Arch logs to the journal rather than to /var/log/auth.log) so package upgrades don't overwrite them.
sudo systemctl enable --now fail2ban.service
Refer to the Arch Wiki's fail2ban page for configuration details, including the banaction to use together with UFW.
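The failure-counting that fail2ban automates can be prototyped directly over the journal output from 3.1. The following is an added example, not from the original page or the fail2ban project: it feeds constructed sshd lines in journalctl's default output format through awk, counts "Failed password" events per source address, and lists the addresses at or above a maxretry-style threshold. The SAMPLE_LOG lines and their addresses (taken from documentation ranges) are made up for the example; in real use you would pipe in journalctl -u sshd --since "1 hour ago" instead. Function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: count failed SSH password attempts per source IP from
# journal-style sshd lines and flag any IP at or above a threshold, which is
# the core of what a fail2ban sshd jail does with maxretry.

# Constructed sample lines in the style of `journalctl -u sshd`; not real output.
SAMPLE_LOG='Jun 01 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun 01 10:00:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jun 01 10:00:05 host sshd[1203]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Jun 01 10:00:06 host sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Jun 01 10:00:09 host sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51261 ssh2
Jun 01 10:00:11 host sshd[1206]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Jun 01 10:00:15 host sshd[1207]: Failed password for invalid user git from 203.0.113.7 port 51277 ssh2
Jun 01 10:00:20 host sshd[1208]: Disconnected from authenticating user root 192.0.2.9 port 33001 [preauth]'

# Read log lines on stdin; print "count ip" for every address that failed
# a password login, most failures first. Only "Failed password" lines are
# counted, so successful logins and disconnect notices are ignored.
failed_logins_per_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field right after the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print only the addresses whose failure count reaches the threshold in $1
# (the analogue of fail2ban's maxretry; defaults to 5).
ips_to_ban() {
    local maxretry="${1:-5}"
    failed_logins_per_ip | awk -v max="$maxretry" '$1 >= max { print $2 }'
}

# Demonstration on the constructed sample.
echo "failures per IP:"
printf '%s\n' "$SAMPLE_LOG" | failed_logins_per_ip
echo "would ban (maxretry=5):"
printf '%s\n' "$SAMPLE_LOG" | ips_to_ban 5
```

To apply it to the live journal, replace the sample with journalctl -u sshd --since "1 hour ago" | ips_to_ban 5; the output is the list an [sshd] jail with maxretry = 5 and a one-hour findtime would act on, and it can be fed to sudo ufw deny from ADDRESS by hand if you do not want to run fail2ban.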