Security in Ubuntu, Linux Mint and Debian: an explanation and some tips

Linux is very secure; much more secure than Windows. But why is that? And how do you maintain its high level of security? That's what I'll try to explain below.

Security summarized

1. First of all: there is no 100 % security. Not in real life and not in the digital world. Not even when your computer is running Linux. You should always use your common sense. And even then it can go wrong. A certain amount of risk, however small, is unavoidable. A Frenchman would say: c'est la vie.

A short summary of the best security practice in Linux is this:
- install updates as soon as they become available;
- only install software from the default software sources of Linux Mint and Ubuntu;
- do not install antivirus (yes, really!);
- don't install Windows emulators like Wine;
- enable the firewall;
- and above all: use your common sense.

Do that, and then: relax, you're running Linux....

A brief explanation about viruses, firewalls and exploits:

Antivirus software and rootkit removers

1.1. You don't need any antivirus software or rootkit removers in your Ubuntu, Linux Mint and Debian. What's more, those applications even decrease your security(!). Below I'll explain why I'm against installing antivirus and rootkit removers.

a. Antivirus is useless
A virus or rootkit can't install itself in Linux. Mainly because of this: in order to install on your computer, a virus or rootkit needs your password. And that it doesn't have.

Furthermore, you generally only install software from the secured "software store" (repositories) of your Linux distribution. This is a very effective barrier against malware.

Therefore there are no Linux viruses or rootkits "in the wild" (with the exception of web servers, but securing web servers is quite a different cup of tea).

b. Antivirus introduces a dangerous vulnerability
Furthermore, antivirus software sometimes even actively endangers your system: AV software itself is currently being attacked more and more. Because it has by definition high permissions on the system and because it's often inadequately protected against hacking.... This makes AV software an ideal target for hackers.

Antivirus applications have been designed to read and open as many file types as possible. Because everything can theoretically contain a virus. Unlike ordinary applications, which can only read and open certain specific file types.

For example: word processors can usually only open document related files, and no mp3 music files. For media players the reverse is true.

Because antivirus can read and open everything, and actually does precisely that during a scan, its potential vulnerability (attack surface) is much bigger. And therefore also its attraction as target for people with malicious intentions. That's not just theory; more about that later....

Even the claim of antivirus companies that their products offer some protection against "zero day" attacks is misleading: the antivirus software itself is just as vulnerable to zero day attacks as the software it claims to protect.

Finally, antivirus software gives you a false sense of security, which might make you less cautious about installing software from external sources.

c. Best protection: a summary
The best protection against malware is this:
- install a well-supported Linux, like Ubuntu or Linux Mint;
- check daily for updates;
- install only software from the official software sources;
- simply use your common sense.

For the full story, read on.


1.2. A firewall is already installed by default. It's called iptables. iptables can be managed through the application Uncomplicated Firewall (ufw), which is also installed by default.

By default the firewall isn't activated, because behind the ports that are exposed to the internet, there aren't any listening services. At least not in a standard installation. An attacker can't do anything without a listening service that keeps a port open.

However, in certain cases you do need a firewall. For instance when you share an unprotected wireless network, or when you've activated some services on your computer. So in order to be on the safe side, I advise turning on the firewall in all cases.

You can turn on the firewall by means of the terminal (yikes!). This is how you do it:

Launch a terminal window.
(You can launch a terminal window like this: *Click*)

Type (copy/paste):
sudo ufw enable

Press Enter. Type your password when prompted; this will remain entirely invisible, not even asterisks will show, which is normal.

Uncomplicated Firewall (ufw) has a sensible set of default settings (profile), which are fine for the vast majority of home users. So unless you have special wishes: you're done!

Check the status of the firewall:
sudo ufw status verbose

Press Enter.

When enabled, the output should be like this:

pjotr@netbook:~$ sudo ufw status verbose
[sudo] password for pjotr:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing) disabled (routed)
New profiles: skip

The most important message is the line that starts with "Default:": this output basically means that all incoming traffic is denied and all outgoing traffic is allowed. There are sensible exceptions in the default settings: for example, with the default profile the use of Samba should be no problem. Also downloading torrents (fetch) should be possible; but seeding torrents (serve) might require temporarily disabling ufw.

It's easy to disable the firewall (should you wish to do so) with this terminal command:
sudo ufw disable

Press Enter.

If you're interested in the full set of rules, see the output of:
sudo ufw show raw

You can also read the rules files in /etc/ufw (the files whose names end with .rules).
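
Added example, not part of the original article: a shell script that checks the two conditions described above, namely that ufw is active with incoming traffic denied by default, and which services listen on an address other than loopback. The function names are illustrative and the sample `ss` output is constructed (it assumes an SSH server was installed on top of a standard installation).

```shell
#!/bin/sh
# Added example, not from the original article. Function names are illustrative.

# Sample 1: the `ufw status verbose` output shown in the article.
SAMPLE_UFW='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing) disabled (routed)
New profiles: skip'

# Sample 2 (constructed): `ss -H -tuln` output from a machine where an SSH
# server was installed in addition to the default loopback-only services.
SAMPLE_SS='udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 4096 [::1]:631 [::]:*'

# Reads `ufw status verbose` output on stdin. Succeeds only when the firewall
# is active AND the default policy for incoming traffic is deny or reject.
ufw_posture() {
    awk '
        /^Status:/  { status = $2 }
        /^Default:/ { incoming = $2 }   # first word after "Default:" is the incoming policy
        END {
            if (status != "active") {
                print "FAIL: firewall is " (status == "" ? "unknown" : status)
                exit 1
            }
            if (incoming != "deny" && incoming != "reject") {
                print "FAIL: default incoming policy is " incoming
                exit 1
            }
            print "OK: active, default incoming " incoming
        }'
}

# Reads `ss -H -tuln` output on stdin and prints protocol and local address of
# every listening socket that is not bound to loopback (127.x.x.x or [::1]).
exposed_listeners() {
    awk '$5 !~ /^(127\.|\[::1\]:)/ { print $1, $5 }'
}

printf '%s\n' "$SAMPLE_UFW" | ufw_posture
printf '%s\n' "$SAMPLE_SS" | exposed_listeners

# On a real system:
#   sudo ufw status verbose | ufw_posture
#   ss -H -tuln | exposed_listeners
```

An empty result from the second function means nothing is reachable from the network, which is the situation the article describes for a standard installation.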

Set the root password

1.3. Starting with Linux Mint 18.2, the root password is unfortunately no longer set by default (if you've upgraded from 18.1 to 18.2, you're not affected).

This means that a malicious person with physical access to your computer, can simply boot it into Recovery mode. In the recovery menu he can then select to launch a root shell, without having to enter any password. After which your system is fully his.

He can then do all kinds of nasty things. Like changing your own password....

This is how to fix it, by setting a password for root (preferably identical to your own password):

Launch a terminal window.
(You can launch a terminal window like this: *Click*)

Copy/paste the following line into the terminal:

sudo passwd

Press Enter. Type your password when prompted; this will remain entirely invisible, not even asterisks will show when you type it, which is normal.

Note: I advise making the root password ("UNIX password") identical to your own, in order to prevent problems later on.

That's it! Problem solved.

For good measure: a bad guy with physical access to your computer, also has other means to acquire root authority on your computer. So this fix certainly doesn't make your computer completely safe: physical access always remains a risk.

What this fix does is block one much too easy way to get such unauthorized root access. That increases security somewhat.


1.4. Exploitable security vulnerabilities appear in any operating system and in every application. Also in Linux. From these you're protected by the updates.

Linux Mint and Ubuntu automatically perform a daily check for available security updates. It's important to install the proposed security updates immediately, if you want to keep your system as secure as possible.

As long as it's discovered quickly and repaired speedily, a vulnerability is no big problem.

The full story about antivirus

2. The full story about antivirus is as follows.

Because of the growth of Linux, most antivirus companies want to tap this new market. Many new Linux users think that they need an antivirus solution in Linux, because of the clever marketing of these companies.

The opposite is true, however. Unlike other operating systems, it's almost impossible to write an effective virus for Linux. How can this be, you might wonder. I'll try to explain why.

Linux computers are just as much a target as computers that run on another operating system. Many popular (and therefore valuable) websites run on Linux, so there is no lack of motivation to infect Linux.

Some people suggest that the Linux community is conceited or lagging behind when it comes to viruses or other security issues. This suggestion is not true.

The developers of Linux haven't ignored viruses, they have structured Linux in such a way that it has good resistance to viruses. And because the code is open, there are literally thousands of people who check the code for errors and propose fixes.

Virus scanners mainly work "reactively", which means that they almost only provide protection against viruses that are already known to the creators of the scanner. Antivirus applications can only protect against a new virus after that virus has been created, not before.

More importantly still, the best protection against any virus will consist of repairing those leaks in the software, which the virus attacks. These repairs happen by means of security updates (which in Linux are issued sooner and more often than in Windows and Mac OS).

Few antivirus companies have a faster response time than the Ubuntu security team. The time frame between public disclosure of a security problem and the making of an antivirus solution or a repair, is obviously the most dangerous period.

As I've said before: a vulnerability is no big problem, as long as it's discovered quickly and repaired speedily.

It's difficult to install a virus on a Linux computer, but it's certainly not impossible. The greatest danger lies in unreliable software repositories and in unsafe code that a careless administrator executes.

It's wise to keep that in mind, and install your software preferably only from the verified default software repositories of your Linux. Be very careful with software from elsewhere, like standalone installation packages (with the extension .deb). Only install those when the source is above all doubt, like Google Chrome and Oracle (Sun) Java JRE.

At present there are in any case no Linux viruses "in the wild."

My advice: do NOT install antivirus software

3. My advice is therefore not to install a virus scanner if you run Linux on your computer.

A summary of the reasons:

a. In Linux, the executability of a file is not determined by an extension (like for example .exe in Windows), but by the permissions attached to this file. Each newly created file is by default not executable under Linux, and the user will first need to make this file executable by an explicit action.

b. In Linux a normal user has but very limited permissions. For example, a normal user can't perform administrative tasks. And so the scope of this user is actually limited to his own home folder. For installing software you always need to be root (or to have temporary root rights, which is the way of Ubuntu and Linux Mint).

In Ubuntu and Linux Mint, by default, even the administrator logs in with limited user permissions. Should he wish to perform an administrative task, then he has to type his password again, to obtain temporary root permissions. This will give him 15 minutes of root authority.

c. Many Linux users tweak their system according to their own taste. Because of the variety of Linux distributions, applications and kernel versions, it's difficult to write an exploit by which enough systems can be taken over to make the effort of creating that exploit worthwhile.

d. Virus scanners scan mainly for Windows viruses. These viruses don't work in Linux.

e. Virus scanners often issue false warnings. Possibly intentionally, to make the user feel good about the presence of the scanner. This induces people to needlessly damage their system.

f. Installing antivirus might lead people to mistakenly suppose that it's safe now to install software from other sources than the official software sources of their Linux.

g. Antivirus software itself is currently being attacked more and more, because it has by definition high permissions on the system and is often inadequately protected against hacking. This makes AV software an ideal target for hackers.

See this article about research from 2014. The presentation slides of the complete research can be found here. Link dead? Then get a copy of the presentation slides from my own Google Drive.

h. The claim of antivirus companies that their products offer some protection against "zero day" attacks is misleading: the antivirus software itself is just as vulnerable to zero day attacks as the software it claims to protect.

i. There are currently no known active Linux viruses.

In short: antivirus in Linux is not only superfluous, but even harmful, because it induces people to dangerous behaviour and because it's often vulnerable itself.

Misconception: protection of Windows users

4. Occasionally somebody proclaims the following misconception: "I use antivirus in Linux, so that I can't accidentally pass on a Windows virus to a Windows user. For example by e-mail attachments".

This is a misconception for the following reasons:

a. One of the advantages of running Linux is not having to weigh down your system with antivirus, nor having to import the security problems that antivirus creates. It would be rather counterproductive to move to a virus-free operating system, if we end up running all of the antivirus crud anyway...

And it adds insult to injury, to do so for the sake of an operating system whose owner actually chooses to let it be security-deficient.

If a Windows user can't be bothered to guard his own system against threats that are the result of shortcomings in his own operating system, then the efforts of the comparatively small base of Linux users aren't going to make a shred of difference. Such a Windows user will unavoidably get infected from somewhere else.

In fact, I believe that Windows has to lie in the bed it makes for itself. I'm not trying to be harsh here: it's more the principle that consequences must fall to the appropriate party, or else there is no incentive for change.

Therefore, unless a Linux user is running a public web/mail/file server (clearly not your average user), I strongly discourage the installation of antivirus, because doing so continues to silently endorse one of the worst aspects of operating system design.

In fact, you'll find that the "protection of Windows users" fallacy is sometimes used as an excuse, by people who irrationally can't believe that Linux really doesn't need antivirus for itself....

(With thanks to DuckHook from, for kindly allowing the use of this text)

b. If you want to reduce the chance of passing on a Windows virus by e-mail, then you can achieve that by sending e-mails with attachments by means of Gmail.

Then Google automatically scans the attachments for viruses, trojans and other malware. With a professional up to date virus scanner, on the servers of Gmail itself. A Gmail account is free, so you need to have no worries about costs....

When you enable POP3 support in Gmail, you can even use Thunderbird or Evolution for it.

Note: nowadays every good e-mail service (so not only Gmail) scans automatically for Windows viruses, on the servers of the e-mail provider.

c. Another possibility is the use of this free web service, which is the property of Google: It uses a whole bunch of antivirus engines to scan every file that you feed to it, for viruses and other malicious software.

Don't install Wine or Mono in your Linux

5. The security overview above, applies to a "clean" Linux without Windows emulators like Wine, PlayOnLinux and CrossOver.

Those emulators are used to run Windows software in Linux. It's better not to install such Windows emulators, because they make your Linux partially vulnerable to Windows malware.

If you need to use Windows applications, then you could use a free legal Virtual Machine with Windows 7 for that, or (if you have a dual boot computer) an ordinary Windows.

The same objection is valid for the Mono infrastructure, albeit to a lesser degree. Mono also makes your system partially vulnerable to Windows malware, because it's cross-platform (like Java).

Mono is present by default in Linux Mint. In Ubuntu and Debian, Mono will be installed automatically whenever you install an application that needs the Mono infrastructure, like media player Banshee and notes app Tomboy. I advise avoiding those and installing non-Mono based alternatives instead.

Make sure you don't have Mono in your system:

Launch a terminal window.
(You can launch a terminal window like this: *Click*)

Type (copy/paste):
sudo apt-get remove mono-runtime-common

Press Enter. Type your password when prompted; this will remain entirely invisible when you type it, not even asterisks will show, which is normal.

Be very careful with external repositories (like PPA's) and with external .deb files

6. Software from third-party repositories (like PPA's) and external .deb installers, is untested and unverified. Therefore it may damage the stability, the reliability and even the security of your system. It might even contain malware....

Furthermore, you make yourself dependent on the owner of the external repository, often only one person, who isn't being checked at all. By adding a PPA to your sources list, you give the owner of that PPA in principle full power over your system!

Therefore only use a PPA when you really (really!) have no acceptable alternative. Or when you're a tester for a particular piece of software (which you should only be doing on a non-essential test computer).

PPA's are a mixed blessing, to say the least. If used wisely and very restrictively, PPA's can occasionally be of great help. But used carelessly, they're for Linux what the bubonic plague was for the Middle Ages....

Have you already enabled PPA's or other third-party repo's and do you want to get rid of them? Then you can recreate a clean software sources list like this.
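
Added example, not part of the original article: a shell script that lists every APT source entry whose host is not one of the distribution's own archives, so you can see which PPAs and other third-party repositories a system currently trusts. The function name, the allowlist of official hosts and the sample entries are assumptions made for this example; adjust the allowlist to your distribution and mirror.

```shell
#!/bin/sh
# Added example, not from the original article. Function name, allowlist and
# sample entries are assumptions made for illustration.

# Hosts treated as official; subdomains (such as country mirrors) also match.
OFFICIAL_HOSTS='archive.ubuntu.com security.ubuntu.com packages.linuxmint.com deb.debian.org security.debian.org'

# Constructed sample in the one-line sources.list format.
SAMPLE_SOURCES='# constructed sample
deb http://archive.ubuntu.com/ubuntu jammy main restricted
deb http://security.ubuntu.com/ubuntu jammy-security main
deb http://packages.linuxmint.com vera main upstream import backport
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://apt.example.invalid/stable stable main
deb http://ppa.launchpad.net/someuser/someppa/ubuntu jammy main
# deb http://ppa.launchpad.net/disabled/ppa/ubuntu jammy main
deb-src http://nl.archive.ubuntu.com/ubuntu jammy universe'

# Reads sources.list lines on stdin and prints "host suite" for every active
# entry whose host is neither an official host nor a subdomain of one.
third_party_sources() {
    awk -v official="$OFFICIAL_HOSTS" '
        BEGIN { n = split(official, hosts, " ") }
        $1 != "deb" && $1 != "deb-src" { next }   # skips comments and blank lines
        {
            # The URI is the first field with a scheme; options in [...] may precede it.
            uri = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ "^[a-z+]+://") { uri = $i; break }
            if (uri == "") next
            host = uri
            sub("^[a-z+]+://", "", host)   # drop the scheme
            sub("[/:].*$", "", host)       # drop port and path
            ok = 0
            for (j = 1; j <= n; j++) {
                h = hosts[j]
                if (host == h) ok = 1
                else if (length(host) > length(h) &&
                         substr(host, length(host) - length(h)) == "." h) ok = 1
            }
            if (!ok) print host, $(i + 1)
        }'
}

printf '%s\n' "$SAMPLE_SOURCES" | third_party_sources

# On a real system (one-line *.list files only; deb822 *.sources files are not parsed):
#   cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list 2>/dev/null | third_party_sources
```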

Secure your web browser

7. You can run Firefox, Google Chrome and Chromium from within a secured sandbox called Firejail, which enhances the security of those web browsers greatly. You can achieve that by applying this how-to.

Furthermore, beware of installing shady or rogue add-ons and extensions in your web browser. They might harm your security.

Do you already have polluted settings in Firefox, Chrome or Chromium (often caused by shady add-ons), and do you wish to start anew with a clean browser? Then proceed like this (item 7, right column).

Libre Office: improve macro security

8. Macros can be useful in Libre Office, but they're also risky. You can improve the macro security of Libre Office like this:

From the menu, launch LibreOffice Writer - panel: Tools - Options...
If necessary, click on the small triangle before the word LibreOffice, in order to expand this section - click on Security
button Macro Security... - set the Security Level to Very high.

Close Writer.

Note: user preference, so repeat this in each user account.

The things that are dangerous

9. These are the things that do endanger Linux, which you therefore will want to avoid: 10 fatal mistakes.

Wireless security

10. The security of your wireless network isn't operating system specific, but it's an important issue. Read here how to secure your wireless network properly.

Disable Universal Plug and Play (UPnP) in your router

11. Not related to your operating system, but important nevertheless: disable Universal Plug and Play (UPnP) in your router. UPnP in your router, enables network devices to communicate with each other, both in your personal network and by means of the internet.

Easy, but dangerous: UPnP opens a huge security hole, which is not really manageable. It's better to disable it permanently, because UPnP is inherently insecure.

First, find the user manual of your router; if you no longer have it, then you'll probably be able to download a copy from the website of the router manufacturer.

Then access the configuration of your router and disable the UPnP feature, and also the accompanying feature, usually called something like "Allow user to configure".

Note: this might require you to take some extra measures for enabling VPN, P2P file sharing and the like (namely opening some ports manually). This isn't always necessary though, and depends on how your router manufacturer has configured the firmware defaults.

Handle with care: Java and openJDK

12. Java (both Oracle Java and openJDK) is frequently under attack. That's why it's best to disable Java by default in your web browser (if you have installed it at all). Then you can enable Java only for a short while whenever you need it.

This advice is not only for Windows, but also for Linux. Because on this aspect, Linux is vulnerable too! Java is namely platform independent, which means that it works independently from the underlying operating system.

In Firefox you can disable Java like this.

Note: this only applies to Java. There's also JavaScript, which is much more secure than Java. So there's usually no need to disable JavaScript as well.

Create and remember a secure password easily

13. Contrary to what many people think, creating and remembering a secure password is not hard.

Want more tips?

14. Do you want more tips and tweaks for Ubuntu or Linux Mint? There's a lot more of them on this website! Like this one: replace Windows XP by an easy free Linux.

A Creative Commons license applies to the content of this website.