Security - ulises-jeremias/dotfiles GitHub Wiki

🛡️ Security Guide

While these dotfiles are designed to provide a beautiful and personalized setup, privacy and security are just as important. This is an evolving journey, not a one-time setup, and we're always open to suggestions.

[!TIP] You can tailor the security tools and settings to your preferences. All configurations can be automated or versioned using chezmoi where applicable.


🔒 Security Practices in Use

Here's a list of tools and practices currently in place or under consideration:

✅ System Updates

  • Regular updates are essential.
  • I manually keep the system up-to-date using the package manager.

```sh
yay -Syyu  # [I use Arch, btw](https://wiki.archlinux.org/title/Arch_Linux)
```

[!TIP] Consider automating this process with a cron job or alias.

🛡️ Malware Scanning

  • ClamAV:
    • Run manual or scheduled scans
    • Keep virus database updated

```sh
sudo freshclam  # Update database
clamscan -r /home/youruser
```

🔥 Firewall

  • ufw: Simple firewall setup and management

```sh
sudo ufw enable
sudo ufw default deny incoming   # Drop unsolicited inbound connections
sudo ufw default allow outgoing  # Permit outbound traffic
```

🚫 IP Banning

  • fail2ban: Blocks IPs that show malicious behavior

```sh
sudo systemctl enable --now fail2ban
```

Check the active jails:

```sh
sudo fail2ban-client status
```

Password Management

If self-hosting or CLI usage is preferred, Bitwarden offers Bitwarden CLI.

🧬 Optional Hardening

  • Hardened Linux Kernel (optional):
    • A stricter kernel for additional protections
    • Great for advanced users but may break things unexpectedly

[!WARNING] Only recommended if you know your use cases won't be impacted.

🔎 Network & Port Scanning

  • nmap: Comprehensive network scanner
  • rustscan: Faster, modern alternative

```sh
sudo nmap -sS -p- 192.168.1.1
rustscan -a 192.168.1.1
```

Use for auditing your local network or spotting unknown open ports.


Automated Security Auditing

  • dots security-audit: Built-in comprehensive security audit tool
    • Scans applied configurations for exposed secrets
    • Checks file permissions across the system
    • Validates system security settings
    • Generates detailed security reports

```sh
# Run complete security audit
dots security-audit

# Run specific checks
dots security-audit --permissions  # Check file permissions only
dots security-audit --secrets      # Scan for exposed secrets only

# Apply automatic security fixes
dots security-audit --fix

# Generate detailed security report
dots security-audit --report
```

What it checks:

  • SSH key and config permissions
  • Credential file security
  • World-readable sensitive files
  • Applied configuration files for secrets
  • Environment variables and shell history
  • Firewall status and SSH configuration
  • Security tools (fail2ban, AppArmor/SELinux)
  • System integrity and updates

[!TIP] Run dots security-audit monthly or after major configuration changes to maintain good security hygiene.
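
The "SSH key and config permissions" item from the list above, checked by hand. This is an added example, not the code behind dots security-audit and not part of this repository; the function names are hypothetical, and it assumes the usual OpenSSH layout under ~/.ssh.

```sh
#!/bin/sh
# Added example: a by-hand SSH permission check. Function names are
# hypothetical and are not part of the `dots` tool.

# mode_string PATH: print the symbolic mode, e.g. "-rw-------".
mode_string() {
  ls -ld "$1" | cut -c1-10
}

# True if group or other holds any permission bit on PATH.
group_other_access() {
  case $(mode_string "$1") in
    ????------) return 1 ;;
    *) return 0 ;;
  esac
}

# True if group or other can write to PATH.
group_other_write() {
  case $(mode_string "$1") in
    ?????w????|????????w?) return 0 ;;
    *) return 1 ;;
  esac
}

# audit_ssh_perms [DIR]: print one FINDING line per problem, nothing if clean.
audit_ssh_perms() {
  ssh_dir=${1:-$HOME/.ssh}
  [ -d "$ssh_dir" ] || return 0
  if group_other_access "$ssh_dir"; then
    echo "FINDING: $ssh_dir is open to group/other (chmod 700)"
  fi
  for ssh_file in "$ssh_dir"/*; do
    [ -f "$ssh_file" ] || continue
    if head -n 1 "$ssh_file" 2>/dev/null | grep -q 'PRIVATE KEY-----'; then
      # ssh refuses a private key that other users can access.
      if group_other_access "$ssh_file"; then
        echo "FINDING: private key $ssh_file is open to group/other (chmod 600)"
      fi
    elif [ "${ssh_file##*/}" = config ] || [ "${ssh_file##*/}" = authorized_keys ]; then
      if group_other_write "$ssh_file"; then
        echo "FINDING: $ssh_file is writable by group/other (chmod 600)"
      fi
    fi
  done
  return 0
}

audit_ssh_perms "$@"
```

Public keys (*.pub) are deliberately ignored, since they are meant to be readable.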


🧪 Tips for Staying Secure

  • Use strong, unique passwords + 2FA where possible
  • Don't run random scripts without reading them first
  • Use aliases to simplify safe commands (e.g., update-all)
  • Consider using a VPN and encrypted DNS (like DoH or DoT)
  • Keep regular backups in case of compromise

🆘 Need Help?

Security is an ongoing practice: start with the basics, stay informed, and evolve over time.