LinuxMint 22.2
Date: 5th Jan 2026
- Download Linux Mint Xfce 22.2 "Zara"
- Download sha256sum.txt
- Download sha256sum.txt.gpg
- Follow Verification Steps:
- shasum -a 256 linuxmint-22.2-xfce-64bit.iso
dea13e523dca28e3aa48d90167a6368c63e1b3251492115417fdbf648551558f *linuxmint-22.2-xfce-64bit.iso
- cat sha256sum.txt
759c9b5a2ad26eb9844b24f7da1696c705ff5fe07924a749f385f435176c2306 *linuxmint-22.2-cinnamon-64bit.iso
21f5a5f7be652c60b20ba7996328098b14e979b1ef8bf7f6c9d4a2a579504a65 *linuxmint-22.2-mate-64bit.iso
dea13e523dca28e3aa48d90167a6368c63e1b3251492115417fdbf648551558f *linuxmint-22.2-xfce-64bit.iso
- Confirmed our checksum matches
- Import GPG key:
gpg --keyserver hkp://keys.openpgp.org:80 --recv-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: directory '/c/Users/MyUser/.gnupg' created
gpg: /c/Users/mdkze/.gnupg/trustdb.gpg: trustdb created
gpg: key 300F846BA25BAE09: public key "Linux Mint ISO Signing Key" imported
gpg: Total number processed: 1
gpg: imported: 1
- Confirm key was imported:
$ gpg --list-key --with-fingerprint A25BAE09
pub rsa4096 2016-06-07 [SC]
27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09
uid [ unknown] Linux Mint ISO Signing Key
- Verify the authenticity of sha256sum.txt:
$ gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made Tue Sep 2 10:40:21 2025 GMTDT
gpg: using RSA key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: Good signature from "Linux Mint ISO Signing Key" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09
- The WARNING is expected: the imported key has not been marked as trusted in the local keyring. What matters is "Good signature" and a primary key fingerprint that matches the one imported above.
- Install Rufus (currently version 4.11.2285) for burning the ISO
- Write in ISO image mode, not DD image mode
- Pop-up window "Download required":
This image uses Syslinux 6.04/20240408 but this application only
includes the installation files for Syslinux 6.04/pre1.
As new versions of Syslinux are not compatible with one another,
and it wouldn't be possible for Rufus to include them all, two
additional files must be downloaded from the Internet
('ldlinux.sys' and 'ldlinux.bss'):
- Select 'Yes' to connect to the Internet and download these files
- Select 'No' to cancel the operation
Note: The files will be downloaded in the current application
directory and will be reused automatically if present.
Click [Yes]
- Next pop-up:
WARNING: ALL DATA ON DEVICE 'NO_LABEL (D:) [32 GB]' WILL BE DESTROYED.
To continue with this operation, click OK. To quit click CANCEL.
Click [OK]
- If on Windows, Explorer may open the USB drive as it is writing files onto it.
- Plug USB stick into laptop, power on, F12/Boot Menu: Legacy Boot: USB Storage Device
- Installation Menu: Start Linux Mint
- Once the Linux Mint desktop is displayed, click: Install Linux Mint
- Welcome screen - select language, e.g. English [Continue]
- Keyboard layout: e.g. select English (UK)
- install multimedia codecs (or leave till later)
- erase disk and install Linux Mint [Install Now]
- Advanced Features:
For home machines and/or low-spec machines, select: none (the default)
For security, if taking the machine out, select:
Encrypt the new Linux Mint installation for security
Click: [Install Now]
- Select timezone - click location on the world map
- Who are you?
- Your name:
- Your computer's name:
- Pick a Username:
- Choose a password
- Confirm your password
- select: Require my password to log in
- Pop-up slide show info displays while installing
- Installation Complete
Click [Restart Now], no need to [Continue Testing]
- Remove the USB stick, [Next] to reboot
- If it is an older machine, you might need to set the BIOS to legacy boot
- Log in to desktop, start Xfce terminal
- sudo su - (no need to sudo for every future command)
- apt install zram-config
- systemctl disable bluetooth.service
- systemctl disable ModemManager.service
- apt install earlyoom
systemctl enable --now earlyoom
earlyoom is a lightweight userspace daemon (Early Out-Of-Memory killer) for Linux that monitors your system's available RAM and swap space.
- Enable firewall:
sudo ufw enable
sudo ufw default deny incoming
sudo ufw default allow outgoing
- Install fail2ban for SSH protection:
sudo apt install fail2ban
Fail2ban is an open-source intrusion prevention tool written in Python that protects Linux servers from brute-force attacks and other malicious activity by automatically banning suspicious IP addresses.
- Enable automatic security updates:
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
- If brightness control is not working:
sudo nano /etc/default/grub
# Change GRUB_CMDLINE_LINUX_DEFAULT to:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash acpi_backlight=vendor"
sudo update-grub
- Configure Timeshift for system backups:
sudo apt install timeshift
Fail2Ban - Core Mechanism
- Monitors log files in real-time:
Fail2ban watches service logs (e.g., /var/log/auth.log for SSH, Apache access logs) using backends like polling, inotify, or systemd-journal.
- Uses filters to detect failures
Each service has a "jail" with a filter (regular expressions in /etc/fail2ban/filter.d/) that identifies failure patterns, like "Failed password" lines, and extracts the offending IP.
- Tracks attempts per IP
When a match occurs (and is not ignored via ignoreregex or whitelist), it increments a counter for that IP with a timestamp.
- Triggers ban on threshold
If failures exceed maxretry (default often 5) within findtime (e.g., 10 minutes), Fail2ban executes "actions" (scripts in /etc/fail2ban/action.d/).
- Bans the IP
Common action: Update firewall (iptables, nftables, firewalld) to drop/reject connections from the IP. It can also add to hosts.deny, send emails, or custom scripts.
- Automatic unban
Bans expire after bantime (default 10 minutes; can be longer for repeat offenders or permanent). This prevents locking out legitimate users.
- Key Concepts: Jails
A jail is a configuration section (in /etc/fail2ban/jail.conf or .local overrides) for a specific service (e.g., [sshd] for SSH).
Pre-built jails exist for SSH, Apache, Postfix, etc.; you enable them and customize thresholds. Multiple jails run independently.
- Strengths and Limitations
Effective against single-source brute-force (e.g., SSH password guessing).
Supports IPv4/IPv6, email alerts, recidivist escalation (longer bans for repeat offenders).
Not effective against distributed attacks (DDoS from many IPs) or services without logs.
Relies on proper logging; doesn't replace strong passwords/keys or firewalls.
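
The filter, per-IP counter, findtime window, ban and automatic unban described above, as a simplified model run over constructed auth.log lines. This is an added example, not Fail2ban's own code and not part of the original notes. Assumptions: the regex is a stand-in for a real filter.d failregex, the settings and the `fail`/`simulate` helpers are illustrative, and the IPs are documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed jail settings for the illustration (not read from any jail.conf)
MAXRETRY, FINDTIME, BANTIME = 5, timedelta(minutes=10), timedelta(minutes=10)
IGNOREIP = {"127.0.0.1"}
# Simplified stand-in for a filter.d failregex; captures the offending host
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port")

def fail(ts, ip):
    """Build one constructed auth.log line (sample data, not a real log)."""
    return f"Jan  5 {ts} mint sshd[4242]: Failed password for root from {ip} port 50022 ssh2"

SAMPLE = sorted(
    [fail(f"10:00:0{i}", "203.0.113.7") for i in range(1, 6)]         # 5 failures in 5 s
    + [fail(f"10:02:0{i}", "127.0.0.1") for i in range(1, 6)]         # whitelisted source
    + [fail(t, "198.51.100.23") for t in
       ("10:01:00", "10:04:00", "10:07:00", "10:10:00", "10:13:00")]  # 5 failures over 12 min
    + ["Jan  5 10:03:00 mint sshd[4243]: Accepted publickey for alice from 192.0.2.10 port 50100 ssh2"]
)

def simulate(lines, year=2026):
    """Return [(HH:MM:SS, 'ban'|'unban', ip)] for chronologically ordered log lines."""
    failures, banned, events = defaultdict(deque), {}, []
    for line in lines:
        # syslog timestamps carry no year, so one is assumed
        now = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        for ip, until in sorted(banned.items(), key=lambda kv: kv[1]):
            if until <= now:                      # bantime elapsed: automatic unban
                events.append((until.strftime("%H:%M:%S"), "unban", ip))
                del banned[ip]
        m = FAILREGEX.search(line)
        if not m or m["host"] in IGNOREIP or m["host"] in banned:
            continue
        window = failures[m["host"]]
        window.append(now)
        while now - window[0] > FINDTIME:         # forget failures older than findtime
            window.popleft()
        if len(window) >= MAXRETRY:               # count has reached maxretry: ban
            banned[m["host"]] = now + BANTIME
            events.append((now.strftime("%H:%M:%S"), "ban", m["host"]))
            window.clear()
    return events

if __name__ == "__main__":
    for event in simulate(SAMPLE):
        print(*event)
```

The source that spreads its five failures over twelve minutes is never banned, which shows how findtime bounds what a jail can catch.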