1️⃣ Create a Locked Daily User
This will be your main working account.
It does NOT have admin/sudo privileges, so it cannot uninstall protections.
To create a new user, run the following command and follow the prompts:
sudo adduser daily

The system will ask you to set a password for the new user. After that, it will ask for other details (like Full Name, etc.). You can skip them by pressing Enter.
Do NOT give this user sudo privileges because you want it to be restricted.

2️⃣ Install AppArmor Utilities
AppArmor is a built-in Linux security tool that controls what programs can do.
We install its tools so we can manage security profiles.

To install AppArmor and the utilities to manage its security profiles, run the following commands:
sudo apt update
sudo apt install apparmor apparmor-utils -y

The first command (sudo apt update) updates your package list. The second command installs AppArmor and the necessary utilities to control security profiles.

3️⃣ Create AppArmor Profile to Block Tor/VPN/DNS
This profile tells the system to prevent certain apps from running and to block edits to critical files such as the hosts file and the DNS configuration.

Create the AppArmor profile by running the following command:

sudo tee /etc/apparmor.d/lock_apps > /dev/null <<'EOF'
profile lock_apps flags=(complain) {
  # Deny execution of Tor and VPN binaries. A deny rule takes a bare "x";
  # apparmor_parser rejects exec qualifiers (ix, px, ux) after deny.
  deny /usr/bin/tor x,
  deny /usr/bin/torbrowser x,
  deny /usr/local/bin/torbrowser x,
  deny /opt/*/tor-browser/** x,
  deny /usr/bin/openvpn x,
  deny /usr/bin/wireguard x,
  deny /usr/bin/strongswan x,
  deny /home/*/tor-browser/** x,

  # Deny writes to the hosts file and the DNS resolver configuration.
  deny /etc/hosts w,
  deny /etc/resolv.conf w,
  deny /run/systemd/resolve/stub-resolv.conf w,
  deny /etc/resolvconf/** w,
}
EOF

Explanation:

  • This profile is designed to block execution of Tor and VPN apps and to prevent modification of DNS/hosts files.
  • The deny directives prevent the execution of the listed binaries (like tor, openvpn, etc.), and the w permission in a deny rule blocks write access to critical files (/etc/hosts, /etc/resolv.conf).

4️⃣ Load and Enforce AppArmor Profile
Apply the profile so it starts actively enforcing restrictions.

To load and activate the newly created AppArmor profile, run these commands:

sudo apparmor_parser -r /etc/apparmor.d/lock_apps
sudo aa-enforce lock_apps

  • The apparmor_parser -r command reloads the profile so any changes you made will take effect.
  • The aa-enforce command ensures that the profile is enforced, making the rules active.

Now, the system will block execution of the listed Tor and VPN binaries, and prevent modification of critical files like DNS settings.

5️⃣ Lock Hosts & DNS Files (Immutable)
Using chattr +i, you can lock important files (like DNS configurations and /etc/hosts) to make them immutable. This means even root cannot modify them unless the lock is removed.

Run these commands to lock these files:

sudo chattr +i /etc/hosts
sudo chattr +i /etc/resolv.conf
sudo chattr +i /run/systemd/resolve/stub-resolv.conf

  • The +i flag makes the files immutable. No user (not even the root user) can modify or delete these files until the immutable flag is removed.
  • These files store DNS settings and hostnames, so locking them ensures that malware or unauthorized users can't tamper with them.

6️⃣ Optional: Lock Firewall to Only Use Your DNS
You can set up a firewall rule to block all outgoing connections except to your DNS server. This is an additional step to prevent bypassing the locked DNS.

Run the following commands to configure the firewall:

sudo ufw default deny outgoing
sudo ufw allow out to <YOUR_DNS_SERVER> port 53
sudo ufw enable

Explanation:

  • The first command (sudo ufw default deny outgoing) blocks all outgoing network connections.
  • The second command (sudo ufw allow out to <YOUR_DNS_SERVER> port 53) allows only DNS requests to your selected DNS server (like 8.8.8.8 or 1.1.1.1).
  • The third command (sudo ufw enable) activates the firewall rules.

Replace <YOUR_DNS_SERVER> with your DNS server address, for example, 1.1.1.1 (Cloudflare DNS) or 8.8.8.8 (Google DNS).

7️⃣ Lock GRUB / Prevent Recovery Mode
Adding a password to the GRUB bootloader will prevent unauthorized access to recovery or single-user mode. This means that no one can bypass security by booting into recovery mode.

First, generate a password hash for GRUB:

sudo grub-mkpasswd-pbkdf2

  • Follow the prompts and choose a strong password. Afterward, the system will generate a hash. Copy this hash.

Next, add the password hash to GRUB configuration:

sudo tee -a /etc/grub.d/40_custom > /dev/null <<'EOF'
set superusers="admin"
password_pbkdf2 admin <HASH_FROM_PREVIOUS_STEP>
EOF

  • Replace <HASH_FROM_PREVIOUS_STEP> with the hash you copied earlier.
  • This will prevent anyone from accessing recovery mode without the password.

Finally, update the GRUB configuration:

sudo update-grub

This step makes sure that the password is applied to the GRUB bootloader, securing recovery and single-user mode.

✅ Daily Workflow

  1. Always log in as 'daily' for work and browsing. This account is the non-privileged one and has restricted access.
  2. Admin account is only for system updates. The admin user is only used for administrative tasks like installing updates or modifying security configurations.
  3. Tor, VPN apps, and DNS/hosts changes are blocked. Your profile will ensure that these programs cannot run or tamper with system files.
  4. Recovery mode cannot be used without admin password. The GRUB password prevents bypassing security through recovery mode.
  5. AppArmor + immutable files + firewall keep the system locked. These protections ensure that your system is secured from unauthorized modifications and bypass attempts.
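
A read-only audit of the layers above, as an added example that is not part of the original guide: it checks that daily has no admin group, that lock_apps is loaded in enforce mode and that daily's processes actually run under it, and that the immutable flags, the ufw default and the GRUB password are in place. The function names, the --live switch and the Debian/Ubuntu paths (such as /boot/grub/grub.cfg) are assumptions.

```shell
#!/bin/sh
# Added example: read-only audit of the lockdown layers set up in steps 1-7.
# Every parser reads text on stdin, so it works on live output or saved samples.

# Mode of profile $1 in /sys/kernel/security/apparmor/profiles ("name (mode)").
profile_mode() {
  awk -v p="$1" '$1 == p { gsub(/[()]/, "", $2); m = $2 }
                 END { print (m ? m : "missing") }'
}

# Number of /proc/PID/attr/current labels that are not profile $1.
outside_profile() { awk -v p="$1" '$1 != p { n++ } END { print n + 0 }'; }

# Succeeds if the lsattr line for path $1 carries the immutable 'i' flag.
is_immutable() { awk -v f="$1" '$2 == f && $1 ~ /i/ { ok = 1 } END { exit !ok }'; }

# Succeeds if `id -nG USER` output lists an admin group.
has_admin_group() { tr ' ' '\n' | grep -qxE 'sudo|admin|wheel'; }

# Succeeds if grub.cfg text defines a superuser and a PBKDF2 password.
grub_locked() {
  awk '/^[[:space:]]*set superusers=/ { s = 1 }
       /^[[:space:]]*password_pbkdf2[[:space:]]/ { p = 1 }
       END { exit !(s && p) }'
}

# Live run (root, Debian/Ubuntu paths assumed); prints one FAIL line per gap.
audit() {
  rc=0
  if id -nG daily | has_admin_group; then echo "FAIL daily has an admin group"; rc=1; fi
  [ "$(profile_mode lock_apps < /sys/kernel/security/apparmor/profiles)" = enforce ] ||
    { echo "FAIL lock_apps is not loaded in enforce mode"; rc=1; }
  n=$(for pid in $(pgrep -u daily); do cat "/proc/$pid/attr/current" 2>/dev/null
      done | outside_profile lock_apps)
  [ "$n" -eq 0 ] || { echo "FAIL $n processes of daily run outside lock_apps"; rc=1; }
  for f in /etc/hosts /etc/resolv.conf /run/systemd/resolve/stub-resolv.conf; do
    lsattr "$f" 2>/dev/null | is_immutable "$f" || { echo "FAIL $f is not immutable"; rc=1; }
  done
  ufw status verbose | grep -q 'deny (outgoing)' ||
    { echo "FAIL default outgoing policy is not deny"; rc=1; }
  grub_locked < /boot/grub/grub.cfg || { echo "FAIL GRUB has no superuser password"; rc=1; }
  return "$rc"
}

if [ "${1:-}" = "--live" ]; then audit; fi
```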

Pub: 06 Apr 2026 15:46 UTC

Edit: 11 Apr 2026 13:08 UTC
