By default, many of the popular Linux distros are fairly secure out of the box. Here I want to offer ten tips to keep your system running smoothly. Most of these directions are aimed at the everyday Linux user, not the highly technical person who wants to run a customized and hardened version of Arch.

If your threat model is high (e.g., you’re a whistleblower in an authoritarian country), then you’ll need more than what’s listed here (consider something like Tails OS).

But for everyday, normal people, these ten tips should help you get started:

1. Update Your System Frequently!

Whether you’re using Ubuntu, Mint, or anything else, security issues are being found, bugs are being fixed, and updates are being pushed out almost every day. But systems like Mint don’t automatically install updates. If you keep an eye on the little update notification, then you don’t need to enable auto-updates. But be aware that updates are issued often. So, if your system doesn’t auto-update, you’ll need to check that daily, or at least several times a week.

2. Install Only Verified Apps

From Fedora-based to Debian-based systems, most of the popular distros use Flatpak/Flathub to install apps through the various software stores. Mint is the only distro that I know of that blocks unverified apps from showing up in search listings by default. Other distros such as Zorin treat all apps equally.

Why is that bad? Unverified apps come from third-party sources that are not approved by the app developers. That doesn’t necessarily mean they contain malware. But there’s no guarantee that the package is safe and as the developer intended it to be.

Let’s give an example: Google Chrome is always in the top three most popular apps on Flathub. But that particular edition is an unverified app, meaning that it has been packaged and uploaded by someone who has not been officially approved to do so by Google. That in turn means the packager could potentially slip malicious code into the app someday. So, while it’s safe today, it may not be tomorrow.

If you see an app you want that’s unverified, try going directly to the developer’s website. For example, if you want Google Chrome, you can download it directly from Google for Linux. Same with Steam, Spotify, VLC, and MS Edge.

3. Turn on that Firewall

On Mint, you can very easily enable the firewall through the Welcome Screen. On other distros, you’ll need to look up how to do so. Usually Uncomplicated Firewall is installed, so you can simply type the following into your terminal:

sudo ufw enable

4. Encrypt Your Hard Drive

This has to be done when you’re installing the OS, so if you’re running Linux without encryption, it’s too late. If you haven’t set things up yet, or if you plan to reinstall soon, I would strongly suggest encrypting the entire drive. If your computer is ever stolen, thieves won’t be able to get sensitive information such as bank statements, tax returns, contacts, photos, etc. It’s bad enough to get robbed, but don’t give the thieves a treasure trove of information to put on the dark web or to use for extortion purposes.

5. Use a Strong Password to Log In

Have two strong master passwords memorized: one you use to unlock your computer and another you use to unlock your password manager. All the security in the world can’t protect you if you use a password that’s easy to guess.

6. Remove Software You Don’t Use

Getting rid of apps you downloaded and used once for a random project is good digital hygiene. It decreases the number of possible vulnerabilities on your system.

I keep a digital notepad in which I note all the apps that I used for something special but don’t need anymore. Doing so allows me to uninstall them, but then if I forget what it was called, I can look at my notes. For example, I have Czkawka listed there for finding and removing duplicate files and Handbrake for video conversion. I rarely use those apps, so I can safely uninstall them until I need them again.

7. Hesitate before Typing “sudo”

ChatGPT or someone on Reddit says, “This will fix your problem: sudo apt install something-obscure“

While malicious software can be installed this way, you can also easily break your system. If I’m being instructed to type anything into the CLI (command line interface), I try to spend a minute determining what exactly it is that I’m being asked to do. If I’m not sure, I ignore the request.

8. Consider a Distro with Wayland

X11 (aka Xorg) is very old and tends to work best with old applications. However, it lacks in security. Both X11 and Wayland are display server protocols, but with the latter being newer.

Wayland isolates apps from one another, X11 doesn’t. What that means is that apps on a system running X11 can “see” what’s in the windows of other apps, can globally log keystrokes, and even potentially take screenshots. If someone wants to spy on you and collect info, X11 is the best present you can give them. While there are security protocols in place that help mitigate the disastrous privacy and security risks of X11, they’re not perfect.

For that reason, there’s been a huge push by various distros to make Wayland the default display server. But that push has come with many hiccups due to both hardware and software compatibility issues with Wayland. There are many popular programs that simply won’t run under Wayland, including VirtualBox (though Gnome Boxes does fine).

Fedora’s systems use Wayland exclusively since security is a higher priority for them over compatibility. Ubuntu 24.04 LTS, on the other hand, lets users switch between Wayland and X11. That method is my favorite because I can run Wayland by default, but then log out and log back in with X11 if I need to do a lot of work in VirtualBox.

Mint doesn’t support Wayland yet. They’re working on it, but it’ll be 2026 or later before it’s out of the “experimental” phase.

9. Upstream vs. Downstream Updates

First, definitions: upstream updates are those which software developers push. Downstream updates are those which are applied by distro managers.

Let’s look at an example:

A few security vulnerabilities are discovered in the Linux kernel. The latest version of the kernel (e.g., 6.18.0) will include fixes for those. However, if your distro runs an older kernel (e.g., 6.11.8), then the distro developers have to patch the older kernel with the security update and then send that out to everyone. Keeping an older kernel on your system will make it more “stable” and predictable, but some new features (including support for the latest hardware) won’t make the cut.

Some distros stress upstream updates so that you’re always getting the latest desktop environment, the latest kernel, and the latest version of each app. While this can cause some unexpected bugs and compatibility issues, it’s usually the most secure option. This is the philosophy that distros like Fedora implement.

However, some people prioritize stability and are satisfied with running patched kernels, desktop environments, and software on their computer. Ubuntu, Mint, and many others follow this philosophy.

If you want the most secure, user-friendly Linux distro that stresses upstream updates, then Fedora is the system for you. If you prioritize stability and staying on one OS for a long time, then Ubuntu or Mint are good options.

10. Don’t Be Stupid

I saved the best for last. If you’re running Fedora with Wayland and keeping all your upstream updates going at full steam, all that good security can quickly be unraveled by clicking on a link you shouldn’t have. Be highly skeptical of every email, text, and phone call you receive. I don’t click or tap on any link even from frequent contacts unless it’s something I’m expecting.