Linux security
Hi there,
Win10 is soon not supported. Tbh Linux have been on my radar since I started to break from the US big tech.
But how is security handled in Linux? Linux is pretty open-source, or am I not understanding it correctly. So how can I as a new user make sure to have the most secure machine as possible?
There's a lot of people with the idea that open source can't be secure because people see the source code.
But imagine this. You have 2 locks, one that is completely viewable of the innerworkings, and another that is covered, both have been unbreakable, but could you imagine the balls on the guy that made the clear lock? Imagine feeling so confident that your lock was clearly the best, that you just expose it to any hacker ever and they still can't get in.
Microsoft can barely get things working with their closed source code.
In reality, anything is exploitable and hackable eventually. With the open source community there are so many eyes on it that when someone notices that the program is running 2 seconds slower than it used to, they discover a vulnerability instead of just accepting it and saying "probably MS doing some BS" and dealing with it.
your analogy doesn't quite work here tbh.
It's not a transparent lock, a transparent lock would be easy to pick. It's more of a usual lock, but everyone can see all the blueprints and changes done to them. You can make changes to the blueprints yourself, and if the locksmiths approve of it, the next iteration of the lock will have them included.
Everyone who's in the set of users of OSS software can contribute, therefore the set of people in control of the software that want it to have no backdoors whatsoever is always larger than the set of people who want to let the backdoors in, unlike in closed source, where corporate can singlehandedly decide to include a backdoor on purpose, not to mention, lots of OSS projects have such a large quantities of different people working on them, corpos won't be able to gather so much humanpower under a single project ever.
I just want to say that you're probably worrying too much about it. Of course, there is lots of things one can do to improve security (which the others here are listing dutifully) and it is foolish to just assume that one's computer is entirely secure, because as a user, you will always have the ability to bypass that.
But there's a pretty firm consensus in the IT industry that Linux is more secure than Windows. And that the popular Linux distributions are more trustworthy organizations than Microsoft.
So, it's good to inform yourself, but if you survived on Windows, you at least should not worry about the Linux side of things. It's more than fine.
To be honest, security in the desktop Linux space has traditionally been a bit shit.
Since you're new, it's important for you to understand that Linux is a kernel. That's the most low-down part of your operating system that handles your OS talking to your hardware and vice versa. Linux is not a full OS; it doesn't provide any userspace tools that an OS provides. That's why people don't install Linux on its own, but they install Linux distributions, which are full OSes using the Linux kernel that come with more or less software to make Linux a complete OS, or at least bootable. That means that there is no one way to do things in Linux. There are some Linux distributions that are security-focused, such as Qubes OS and Alpine Linux. There's also the new immutable distros, which provide security because the entire OS is defined declaratively, meaning you can easily rollback changes, and it's harder to get infected with malware on those systems. There's a lot of variability. Some systems are quite secure by default. A lot of other systems do not set up any security measures by default and expect the user to do that.
If you're interested in hardening your Linux install, I would recommend the Arch wiki's security page which has a lot of good advice.
Security is a really broad topic and the relevant security measures for you are going to vary based on your threat model. General good practices include using some form of MAC, setting up a firewall, don't install random crap you don't need (and if you are getting software from somewhere that isn't vetted, e.g. the AUR, you should vet it yourself—e.g. if you use the AUR, learn to read PKGBUILDs), use full-disk encryption. Anti-virus software is largely not necessary on Linux, especially if you only install software from your package manager and follow other security good practice.
I've used Linux Mint and other distros daily for more than 10 years. Never had a virus or malware issue and don't even run antivirus software.
During that same time I've had to help friends remove viruses and malware from their Windows machines dozens of times. The latest Windows disaster I've assisted with was a few months ago. A retired friend had her Windows 10 machine hijacked and $8K stolen from her savings account. Making sure the malware was removed required hours of work formatting the drive and reinstalling Windows.
IMO you are far safer with a plain vanilla Linux install that you are with Windows, no matter what steps you take to secure your Windows installation.
You sure though? Windows has more viruses because it's more popular (desktop) and monolithic, not because Linux is much better in that regard. IOW Linux is not magically virus resistant. If you run an infected file, it will infect both without much trouble. Also removing infection would be similar. At least that's my understanding.
You sure though?
What do you want? It should go without saying that I am absolutely sure of my own experience.
In probably 15 years total of running Linux I have not had a single problem with malware or viruses. Part of that time was also running Windows regularly and my Windows systems DID become infected with both malware and viruses occasionally, despite my best efforts. And you're not mentioning the fact that Linux runs on 63% of the server market and those systems are under constant attack.
Reports of Linux system infections are truly rare, and considering the nature of the user community would be widely and loudly reported if they were happening.
Do you have any experience in this matter? Have you had your own Linux installations infected, or are you a Windows user questioning what you're reading? (Perfectly reasonable if the 2nd one's the case.) Please fill us in on the details.
It's hard enough getting legit software in general to work on Linux. Even if a virus was written for Ubuntu, it is likely not going to run on Fedora, or Arch, or even downstream/upstream versions of Ubuntu.
Edit: Although thinking about it, Linux terminal commands are pretty universal, so if you manage to execute a script or terminal command as root or sudo then I guess it could apply to multiple distros.
The Linux kernel is monolithic too. This and the slow adoption of Rust are the two major security complaints of the GrapheneOS regarding Linux. I might change to COSMIC when it's ready just to spite the luddites that oppose Rust.
Nothin, just install your favourite distro and don't run random command/scripts/binaries you found on the internet
Like those 'curl | sudo bash' abominations that have become strangely popular lately.
So how can I as a new user make sure to have the most secure machine as possible?
That's not what you want. You want a reasonable level of confidence that your system is secure.
The process is similar to Windows - keep it up-to-date, use good passwords, don't run things as root (admin), and don't install things that are questionable.
The package manager under linux is where you should start, and that varys by distro some. But generally speaking things installed from there are "safe" and will be updated by the package manager when you do updates.
As others have said, Linux Security is a very broad topic. But the main thing is keeping your system updated, only install packages from your distro’s repositories, install a firewall and don’t install anything you don’t need should go a long way :)
For example, i use Alpine Linux as a desktop OS. This means i only install packages through apk, from the Alpine repositories. I run apk update and apk upgrade commands every friday. I use Flathub for most desktop software which i also update weekly. (To be even more secure, only install verified flatpak’s). my firewall has no incoming ports open (really not needed on my desktop). And i keep myself updated with the latest news regarding Alpine Linux, and Linux in general. So i am aware of most vulnerabilities as they are published. This is a pretty secure system.
Later on if you want even more security you can start following the CIS guidelines for your favorite distro, but the above should be a good start.
But good security is not just jeeping your system updated, it also means you have good backups in place, in case randsomware hits your system. And then there’s also the monitoring of your system for suspicious behaviour :) But these are far more advanced topics!
the most secure possible? you'll need to learn a ton. you'll get there, but it'll take a while.
decently secure? install Linux Mint, install your updates, don't run sketchy commands with URLs in them unless you know what you're doing, maybe follow a hardening guide. you'll be okay.
if you need to be extremely secure and private, install Tails on a USB stick. it will be slow and frustrating, and you'll need to save files to a second USB drive, but it will probably keep you pretty safe, and it's decently user-friendly. just make sure you keep Tails updated! you'll have to do that by flashing the new Tails onto a new USB drive, there's no easy way around that.
those are your two most user-friendly, safe approaches.
Linux is always more secure than win10, so whatever your need, Linux is more secure. The biggest threat is almost always yourself, and what you open up, give away, and how easy you make the codes you use and so forth.
So how can I as a new user make sure to have the most secure machine as possible?
Shut the computer down. That's it; computer as secure as possible.
Otherwise, if you actually want to use your computer, google for "threat model" first.
But generally: use an adblocker in your webbrowser, don't execute random commands/tools from the internet before you know for sure what you're doing, update stuff now and then and make backups.
Currently my favorite passwords are song lyrics from my favorite songs. You can easily hit 60 characters, and they're easy to remember!
Great to hear you're willing to move to Linux!
Like other comments pointed, there is no such thing as "most secure". It's a deep rabbit hole and it's better in general to assume that any device connected to the internet is at risk. Hell, any storage can be compromised if the entity interested put enough effort into it.
I recommande reading the page on Privacy Guides, it gives a good overview. In general, you should consider your thread model: what is you situation and why do you want security or privacy for?
But anyway, if your question is "Is a Linux distro at least as secure as my previous Windows", the answer is definitely YES imo. And if you want MOAR, it's gonna be a fun ride!
[edit: and yes, updates! Update you system plz.]
So how can I as a new user make sure to have the most secure machine as possible?
⚜︎ arscyni.cc: modernity ∝ nature.
One of the tips I'd give is the same for Windows, the best anti-virus is the user to know what he/she is doing. Linux is a better in that regard because it obfuscates very little, unlike Windows.
Also in line with viruses, given how many variants of a base system there can be, unless the virus is compiled in your machine, to my knowledge chances are higher for a virus to fail to function properly, or even at all. A way for a coder to circumvent it would be to bloat the code with system-specific instructions, which would be harder to create and optimize, but if a big enough group in resources take on the challenge, it could potentially be achieved.
On another point, something I expect to become a problem in Linux is that you need the admin's password, which is pretty much the master key of the system, for way too many things, even to install a web browser or the equivalent of 7-Zip. With scams usually involving social engineering, having the user hand a key from a system that depends mainly on it makes the system far more vulnerable.
Now, given Windows is still the bigger desktop system, scammers and virus distribution still focus on it, but as Linux grows, more ill-intended people may focus on it.
But still, Windows has far less variants, barely anything there uses passwords or more adninistration-oriented safelocks, and is much worse for troubleshooting (and having used most systems from 98FE onward, I also think it's getting worse), so I'd say Linux still has the advantages in those points I could think of.
Just make sure everything's updated.
Microsoft do a good job of updating drivers and their applications, but Windows application updates vary so much.
For Linux - mostly - the distro maintainers handle all updates and just updating is usually enough.
After that it's down to you... if you disable all the built-in protection and visit dodgy websites then any OS is going to struggle.
You can improve the out-of-box security by removing software you don't use, improving default configurations (one size doesn't fit all) and considering if you want additional security software - this applies to any OS.
So, to return to your question, choose a Linux distro which has regular updates and only contains applications that you use.
Visiting dodgy websites in itself isn't as risky as you make it out to be. There are very few exploits in an updated version of Chrome or Firefox that would compromise your machine.
I think you're agreeing with me then.
My first point is keeping everything updated - which would include the browser(s)
My later point was visiting dodgy sites with protections disabled.
Keep your user account in user space.
Avoid unnecessary root access.
To have the most secure machine possible, you might need a hardened kernel but you absolutely need to have SELinux (or equivalent) rules set up.
The easiest way to have a go at this would be to install OpenSuSE (any version will do, they all ship with SELinux ootb) and follow guides on how to setup SELinux permissions.
Or Fedora
Most of the security is in the kernel so you can make sure you have the latest kernel. Also secureblue is a security focused distro that makes use of GrapeneOS's hardened malloc so that's the most secure one that I'm aware of.
You don't actually need "perfect" security in the future, any more than you did in the past. Windows was not perfect, right? So stop looking for perfection. Instead, look for "good enough for 99.9% of the world". And you can get that with many of the popular Linux distributions.
Basically, install a popular distro, and keep your software to whatever is in the package manager. Don't install random shit manually. Don't download random software from random websites. Don't fuck with security settings unless you read up on the topic very thoroughly. Then you'll be fine.
Security is a rabbit hole.
You're going to end up wasting a lot of time and effort on learning about something that in the end will not have a substantial impact on your computing experience.
It will make you look good in front of losers on the internet you'll never meet, though.
if you mean the most secure desktop? then linux is not. not by a long shot. use windows.
https://madaidans-insecurities.github.io/security-privacy-advice.html#desktop-os
https://madaidans-insecurities.github.io/linux.html
if you mean most most free, linux it is. personally I use linux.
I think this article is a great analysis of what deep rooted flaws linux desktop distros have, but I think it is a bit disconnected from the average user (obligatory xkcd).
If the average linux user needs a programm they google what they need land on stack overflow telling them to use their package manager to install it.
If the average windows user needs a program/feature, they google it. They klick on the first link and install the first .exe they find. Has anyone you know used the microsoft store?
Or take gaming as another example. The default expirience for online multiplayer games requires kernel level anticheat on windows. This effectively circumvents windows carefully crafted security model for most tripple A online games.
So yes the average linux machine is probably not as secure as a MacOs or windows machine. But the way they are commonly used I highly doubt windows machines are more secure.
Security on Linux is lackluster.
Generally as long as you don't install any untrustworthy programs you'll be safe ... but there's a problem. Linux is an amalgamation of thousands of separate programs and most of them are maintained by one guy in Nebraska thanklessly. XZ Utils is a prime example of how vulnerable the Linux software stack is to malware.
My advice: Keep your daily driver separate from your gaming machine, use a debian-based distro like Ubuntu or Mint for your daily driver, and always have a disaster recovery plan. My advice would basically be the same for a Windows user.
EDIT: Also full-disk encryption. Both on Windows and Linux you can just read the contents of a hard drive no questions asked. Windows is going to address this with TPM's but you can just use a password. Secure-boot is good because it can help guard against rootkits.
What do you mean most secure? Because that is a very broad thing.
Since I was referring to win10 losing support I thought it was understood that I asked about security updates like windows does. Pardon me. But to specify, how is the ongoing security updates working on Linux? Who does it? Is it even being done? It is an assumption on my side that the security is done in the same manner like win and mac, with continuous updates but that might as well be a wrong assumption.
It depends on how you installed it.
If you installed something via apt on a Debian based system then Debian will track the projects and push updates when the are available. If you are doing things with Snap or Flatpack then the developers of those specific applications will have some form of update plan.
From a windows perspective Linux does 2 things differently which makes it more secure to Windows.
Unless you deliberately run a program as the admin of Linux (su or sudo), malicious code can just delete system32.
Windows on the other hand is closed source, meaning if MS can’t find the issue, the only time it is found is when it’s in the field. To avoid downtime MS offers bug bounty programs for those who can find issues, rather than to let them exploit it.
I don't know where you got your information from, but your mental model on how and why things work the way they do in both linux and windows seems to be really off.
Since you seem someone that is actually interested in understanding this stuff, I strongly suggest to find some better sources as your base
When I was taking cyber security, Sandboxing and Linux was one of the topics which was brought up.
Not sure when I associated it with the entire OS. It appears that the Host OS can be sandboxed for added security, and some containerized applications like Flatpaks are sandboxed. But not all applications are. Like the OS provided packages in most package managers.
Windows isn't based on DOS, though. It hasn't been for a very long time. Linux isn't sandboxed. Userspace applications can be sandboxed. There's a difference.
Windows has a lot of shit to second guess the user. Linux doesn’t. Linux doesn’t babysit you. It has some guardrails but the general idea with Linux is it’s your computer, it will do what you tell it do, even if it’s a bad idea. This makes things lighter, faster, more private, but it has also led to security incidents.
Windows and Mac will watch what you are doing. If they see something suspicious, the security software can jump in and telemetry means they can notice patterns as new malware appears on their users machines. This makes the machines slower and heavier and less private, but also easier for users to deal with because they doesn’t have to actually know anything. They can just buy their way out of a problem with superdupertotallaylegitantivirus2025pro.
Anyone who says Linux doesn’t get viruses is lying to you. It does. They all do. But it’s not that common because Linux is a smaller market share so most nefarious people won’t waste their time on a smaller target unless there is something that specific target has they want. So old people using fedora kinoite to access email and facebook are fine, but Pete Hegseth watching ignoring security practices and visiting shady sites is probably a worthwhile target and could be vulnerable.
Linux has major advantageous over the industry approach of “we know best” but it also has disadvantageous. If you are the kind of person who wants to learn and improve and grow, Linux could work for you. If you are more the irresponsible buy-someone-else’s-solution-to-my-problems type, it’s not.
I would argue that Linux is inherently much more secure than windoze, simply because of how it handles user space vs. System (root access vs. User access). Also by how transparent its configuration is and how much information is readily accessible detailing how it works and how to adjust things.
However, when talking security for anything above the average user’s browsing needs, it can get very complicated depending on what you are trying to achieve.
Think of it like building something to keep out honest people vs. to keep out hardened, knowledgeable, clever thieves. Obviously the latter is going to take more time and resources to achieve, while the need to keep out more sophisticated bad actors would probably only be needed if you have something they might want.
Here are some suggestions for searching if actual security is your goal. Others can chime in with more things if they want. This is just some topics/programs you can read about to dip your toes in.
Best of luck!
what i did after install mint, enable firewall, disable vnc, ssh ,rdp ports. install opensnitch, install pihole
Others have said it before but basically : what is YOUR (not me, not your best friend, nor your colleague, etc) threat model?
To clarify that means WHO is actually trying to threaten your security?
Typical for most people it would be :
For some people, like activists or political journalists it would be :
For very very few people, say Edward Snowden, who within the previous group actually did trigger some action :
So as you can imagine if you are part of group 1, 2 or 3 then way you will protect yourself is totally different. What you will also have to protect is also different, e.g. if you have no cryptowallet but are traveling you might have to protect your phone physical phone and its data.
So... if you are serious about this, take a cybersecurity class. There are plenty available but how a computer works, software and hardware alike, is precisely what makes them simultaneously powerful and also dangerous. There are plenty of ways to break security (e.g. return oriented programing), plenty of ways that practically impossible (e.g. encryption) due to the very nature of computers (i.e. computational complexity) which IMHO makes this one of the most fascinating topic. Ask yourself come the credit card in your pocket (costing few bucks to make) can't be cracked by the largest super computers (costing billions) on Earth?
TL;DR: no offense but you don't seem to be ready for the answer without getting the basics first.
I used to use ClamAV, but not sure I noticed much of a difference, so haven't really used any antivirus software for a while now. Curious what people in this thread think of clam.
ClamAV looks for signatures of known viruses, most of which target Windows and not Linux. So it's debatable how much more secure you really are by running ClamAV
You're going to need to be more specific. There are dozens of aspects of security.
But if you want to have the most secure machine, then never turn it on, encase it in lead, and drop it at the bottom of the ocean.
Since I was referring to win10 losing support I thought it was understood that I asked about security updates like windows does. But to specify, how is the ongoing security updates working on Linux? Who does it? Is it even being done? It is an assumption on my side that the security is done in the same manner like win and mac, with continuous updates but that might as well be a wrong assumption.
Security updates are provided by each package maintainer and released on their own schedule. Microsoft releases updates monthly on Patch Tuesday, unless there's a severe vulnerability that can't wait. But since Linux is a bunch of different packages rolled into a distro, there's no one authority managing updates.
So, this means you might get them faster, or if a maintainer is not engaged, slower. Or, if a package is abandoned, not at all. Distros generally make sure their provided packages are maintained, but updates to third-party packages are not guaranteed.
it's similar. in a mainstream distribution with a desktop environment, updates can typically be configured to notify you or install automatically. it's common for those updates to now also include third-party sources like flathub.
upgrades (to a next point release or major version) are different, some can be fairly straightforward--others, not so much. and those upgrades will be more frequent, as the "lifecycle" for most linux distributions is shorter than windows' 10 years.
Security is an insanely broad topic. As an average desktop user, keep your system up to date, and don't run random programs from untrusted sources (most of the internet). This will cover almost everyones needs. For laptops, I'd recommend enabling drive encryption during installation, though note that data recovery is harder with it enabled.
I hear don't run random stuff from the internet alot but back when i was using windows, if i found something interesting on say github i would just download and run it and i expected windows defender to block any viruses. Is there something similar for linux? Like if I go around installing random Aur packages, is there anything stopping viruses from doing virus things?
Usually that's called sandboxing. AUR packages do not have any, if you install random AUR packages without reading them, you run the risk of installing malware. Using Flatpaks from Flathub while keeping their permissions in check with a tool like Flatseal can help guard against this.
The main difference is that even with the AUR being completely user submitted content, they're centralized repositories, unlike random websites. Malware on the AUR is significantly less common, though not impossible. Using packages that have a better reputation will avoid some malware, simply because other people have looked at the same package.
There is no good FOSS Linux antivirus (that also targets Linux). Clamav "is the closest", though it won't help much.
That is good advice, however sadly a lot of install scripts are basically: download this script from us, and pipe it to a root shell.
Install scripts for what exactly?
Majority of software is packaged natively.
i personally wouldn't recommend encrypted drive for a beginner though
Why not? You (usually) just click the check box during install, and you have 1 extra password when you boot up your system. Doesn't seem too hard but I might be missing something.
They should not us LUkS and instead use veracrypt for folders and files. That way if any repartitioning or modification is needed it's simple in gparted or GNOME disks on mint.
Source is been there and done that. Luks partitions are not easily resized.