You have Linux computer but you do not know that your folders can be very dangerous for security. Hackers can put bad virus inside folders like /tmp or /home and they can run it to break your system or steal your secrets. Today I tell you how to lock these folders so no one can run bad programs there. This is call filesystem mount hardening and it is very important for everybody who want to be safe. I am only sixteen but I learn this because my friend get hacked and he cry all day. We will use things like noexec, nosuid, and nodev in a file called /etc/fstab to make our computer security much better. It is not very hard to do if you follow my guide carefully.
Before we do the steps we need to understand what we are doing to our system. If we just type commands without knowing, we can break the booting of Linux and then we get big black screen. First word you must know is noexec. This word means no execute. If you put this on a folder, it means nobody can run any program inside that folder. Even if the program has permission to run, the Linux kernel will say no you cannot run here. This is super good for /tmp because many hackers download their bad scripts into /tmp and then try to run them. With this option they cannot do that anymore.
Second word is nosuid. This is short for no set user identifier. Some programs have special power that lets them run as the root admin even if a normal user is running them. This is very dangerous because hacker can use this to get root power on your machine. When we use nosuid, the system ignores this special power so nobody can do sneaky things to escalate their privilege and control your system.
Third word is nodev. This is short for no device. In Linux, everything is a file, even your hard drives, mouse, and keyboard. These are called device nodes. If a hacker can make a fake device node in a folder, they can bypass security and read your hard drive directly. The nodev option says do not allow fake device files here. This makes your system much more safe.
We need to put these options on specific folders because some folders do not need to run programs at all. Let us talk about /tmp. This folder is for temporary files. Every program uses it to write small files and then delete them. No program should ever run directly from /tmp. So we must put noexec, nosuid, and nodev there.
Then we have /var/tmp. This is just like /tmp but the files stay there even when you restart the computer. It is also a very popular place for hackers to hide their evil tools because it does not clear on reboot. We must lock it with the same flags.
Next is /dev/shm. This is shared memory. It looks like a folder but it is actually in your RAM. Because it is in RAM, it is super fast. Some programs use it to talk to other programs. But hackers also like it because it is fast and hard to track. We must put noexec, nosuid, and nodev on /dev/shm too.
We also have /home. This is where all your personal files are, like your documents, music, and games. Normal users do not need to run system tools from /home, but sometimes you want to run programs you download. If you want maximum security, you can use nodev and nosuid here. But wait, there is a big exception for /home which I will explain later, especially if you like playing games on Steam or using Flatpak apps.
Lastly, /boot. This is where the files for starting your Linux are. Once your computer starts, you do not need to run new things from here, so it is safe to add these flags if /boot is on its own partition on your disk.
Step 1: Backup the fstab file. Before you touch anything, you must make a copy of your configuration file. If you make mistake, your Linux will not boot and you will have very big headache. Open your terminal and type this command:
sudo cp /etc/fstab /etc/fstab.backup
This makes a copy of the file. If things go wrong, you can restore it using live USB. Please do not forget this step, it is very important for safety.
Step 2: Open the fstab file for editing. Now we edit the file. We must use sudo because this is system file. You can use nano editor because it is easy, or vi if you are pro. I use vi because it makes me look cool. Type this:
sudo vi /etc/fstab
You will see many lines with UUID and names of folders. Do not panic, it looks scary but it is easy to understand.
Step 3: Modify the options for each partition. Look at your lines. You need to find the lines for /home, /tmp, /var/tmp, and /boot. For each line, look at the fourth column. Usually it says defaults or some other options. You need to append our new security options to this column. Make sure you separate them with commas and no spaces! If you put space, the file will break. Here is what my file looks like for ext4 partitions:
UUID=abc-123 /home ext4 defaults,nodev,nosuid 1 2
UUID=def-456 /tmp ext4 defaults,nodev,nosuid,noexec 1 2
UUID=ghi-789 /var/tmp ext4 defaults,nodev,nosuid,noexec 1 2
UUID=jkl-012 /boot ext4 defaults,nodev,nosuid,noexec 1 2
For /dev/shm, it is a tmpfs filesystem, so we write it like this:
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
Be very careful when typing. Double check every letter. One small mistake can make your computer angry and it will not start.
Step 4: The Workstation Exception. If you are using your Linux computer for playing games or normal daily work, you might be using Flatpak or Snap. These are modern packaging formats for apps like Discord, Steam, or Spotify. They run inside a sandbox for safety. But here is the problem: Flatpak and Snap need to run executables inside your /home folder to work properly. If you put noexec on /home, your Flatpak apps will stop working. They will crash and show errors. So, if you are using a workstation computer with these apps, do not add noexec to /home. Only use nodev,nosuid on /home. If you are making a server where nobody runs Flatpak, then you can put noexec on /home safely.
Step 5: Remount without restarting your computer. You do not need to restart your computer to apply these new changes. Linux is very smart and can apply them live. Run this command to remount the filesystems with the new rules:
sudo mount -o remount /tmp /home /var/tmp /dev/shm
This command tells the kernel to read /etc/fstab again and update the active options immediately. If you get no errors, it means you wrote the configuration correctly. If you get error, check your /etc/fstab file for typos.
Step 6: Verify the changes. We must verify that our system is actually using the new security options. We use a tool called findmnt to check. Run this command:
findmnt -o TARGET,OPTIONS | grep -E '/tmp|/home|/var/tmp|/dev/shm'
This command will show you the folders and the active options. You should see nosuid, nodev, and noexec in the list for those folders. If you see them, congratulations! Your filesystem is now much harder for hackers to exploit.
Step 7: Bonus Hardening for process security. There is another very cool trick you can do to make your Linux even safer. It is called hidepid=2 for the /proc filesystem. The /proc folder contains information about all running processes. By default, any user can see what other users are doing on the system. This is bad for privacy and security. If we add hidepid=2 to /proc in our /etc/fstab file, users can only see their own processes. They cannot spy on other users or see what system services are doing. To do this, add this line to your /etc/fstab:
proc /proc proc defaults,hidepid=2 0 0
But beware! This can sometimes break system tools like systemd-logind because it needs to see other processes to manage sessions. You have to add a special group to bypass this, which you can read about on security websites like privacyguides.org. But for a simple secure box, it is a very good tool to have.
Locking your Linux filesystem with mount options is a very easy way to stop many bad hacker attacks. It does not take much time and it makes your system much safer. Just remember to be careful when editing system files, always make backups, and test your changes before you turn off your computer. By following these steps, you have made a very big step in securing your Linux system.