Back to the homepage
Linux is very secure; much more secure than Windows. But why is that? And how do you maintain its high level of security? That's what I'll try to explain below.
A short summary of the best security practice in Linux is this:
- install updates as soon as they become available;
- only install software from the default software sources of Linux Mint and Ubuntu;
- do not install antivirus (yes, really!)
- don't install Windows emulators like Wine;
- enable the firewall;
- and above all: use your common sense.
Do that, and then: relax, you're running Linux....
A brief explanation about viruses, firewalls and exploits:
a. Antivirus is useless
A virus or rootkit can't install itself in Linux. Mainly because of this: in order to install on your computer, a virus or rootkit needs your password. And that it doesn't have.
Furthermore, you generally only install software from the secured "software store" (repositories) of your Linux distribution. This is a very effective barrier against malware.
Therefore there are no Linux viruses or rootkits "in the wild" (with the exception of web servers, but securing web servers is quite a different cup of tea).
b. Antivirus introduces a dangerous vulnerability
Furthermore, antivirus software sometimes even actively endangers your system: AV software itself is currently being attacked more and more. Because it has by definition high permissions on the system and because it's often inadequately protected against hacking.... This makes AV software an ideal target for hackers.
Antivirus applications have been designed to read and open as many file types as possible. Because everything can theoretically contain a virus. Unlike ordinary applications, which can only read and open certain specific file types.
For example: word processors can usually only open document related files, and no mp3 music files. For media players the reverse is true.
Because antivirus can read and open everything, and actually does precisely that during a scan, its potential vulnerability (attack surface) is much bigger. And therefore also its attraction as target for people with malicious intentions. That's not just theory; more about that later....
Even the claim of antivirus companies that their products offer some protection against "zero day" attacks is misleading: the antivirus software itself is just as vulnerable to zero day attacks as the software it claims to protect.
Finally, antivirus software gives you a false sense of security, which might make you less cautious about installing software from external sources.
c. Best protection: a summary
The best protection against malware is this:
- install a well-supported Linux, like Ubuntu or Linux Mint;
- check daily for updates;
- install only software from the official software sources;
- simply use your common sense.
For the full story, read on.
By default the firewall isn't activated, because behind the ports that are exposed to the internet, there aren't any listening services. At least not in a standard installation. An attacker can't do anything without a listening service that keeps a port open.
However, in certain cases you do need a firewall. For instance when you share an unprotected wireless network, or when you've activated some services on your computer. So in order to be on the safe side, I advise to turn on the firewall in all cases.
You can turn on the firewall by means of the terminal (yikes!). This is how you do it:
Launch a terminal window.
(You can launch a terminal window like this: *Click*)
Press Enter. Type your password when prompted; this will remain entirely invisible, not even asterisks will show, which is normal.
Uncomplicated Firewall (ufw) has a sensible set of default settings (profile), which are fine for the vast majority of home users. So unless you have special wishes: you're done!
Check the status of the firewall:
When enabled, the output should be like this:
pjotr@netbook:~$ sudo ufw status verbose
[sudo] password for pjotr:
Logging: on (low)
Default: deny (incoming), allow (outgoing) disabled (routed)
New profiles: skip
I've printed the most important message in red: this output basically means that all incoming is denied and all outgoing allowed. There are sensible exceptions in the default settings: for example, with the default profile the use of Samba should be no problem. Also downloading torrents (fetch) should be possible; but seeding torrents (serve), might require a temporal disabling of ufw.
It's easy to disable the firewall (should you wish to do so) with this terminal command:
If you're interested in the full set of rules, see the output of:
You can also read the rules files in /etc/ufw (the files whose names end with .rules).
Linux Mint and Ubuntu automatically perform a daily check for available security updates. It's important to install the proposed security updates immediately, if you want to keep your system as secure as possible.
As long as it's discovered quickly and repaired speedily, a vulnerability is no big problem.
Because of the growth of Linux, most antivirus companies want to tap this new market. Many new Linux users think that they need an antivirus solution in Linux, because of the clever marketing of these companies.
The opposite is true, however. Unlike other operating systems, it's almost impossible to write an effective virus for Linux. How can this be, you might wonder. I'll try to explain why.
Linux computers are just as well a target as computers that run on another operating system. Many popular (and therefore valuable) websites run on Linux, so there is no lack of motivation to infect Linux.
Some people suggest that the Linux community is conceited or lagging behind when it comes to viruses or other security issues. This suggestion is not true.
The developers of Linux haven't ignored viruses, they have structured Linux in such a way that it has good resistance to viruses. And because the code is open, there are literally thousands of people who check the code for errors and propose fixes.
Virus scanners mainly work "reactively", which means that they almost only provide protection against viruses that are already known to the creators of the scanner. Antivirus applications can only protect against a new virus after that virus has been created, not before.
More importantly still, the best protection against any virus will consist of repairing those leaks in the software, which the virus attacks. These repairs happen by means of security updates (which in Linux are issued sooner and more often than in Windows and Mac OS).
Few antivirus companies have a faster response time than the Ubuntu security team. The time frame between public disclosure of a security problem and the making of an antivirus solution or a repair, is obviously the most dangerous period.
As I've said before: a vulnerability is no big problem, as long as it's discovered quickly and repaired speedily.
It's difficult to install a virus on a Linux computer, but it's certainly not impossible. The greatest danger lies in unreliable software repositories and in unsafe code that a careless administrator executes.
It's wise to keep that in mind, and install your software preferably only from the verified default software repositories of your Linux. Be very careful with software from elsewhere, like standalone installation packages (with the extension .deb). Only install those when the source is above all doubt, like Google Chrome and Oracle (Sun) Java JRE.
At present there are in any case no Linux viruses "in the wild."
(continued in the column on the right)
This website is being sponsored by Google Ads.
Are you using an ad blocker? Then you're also blocking my earnings from advertisements....
If you wish to support my website, you can configure your ad blocker to make an exception for this website. Or you can make a donation (and get free goodies).
Thanks in advance....
A summary of the reasons:
a. In Linux, the executability of a file is not determined by an extension (like for example .exe in Windows), but by the permissions adhering to this file. Each newly created file is by default not executable under Linux, and the user will first need to make this file executable by an explicit action.
b. In Linux a normal user has but very limited permissions. For example, a normal user can't perform administrative tasks. And so the scope of this user is actually limited to his own home folder. For installing software you always need to be root (or to have temporary root rights, which is the way of Ubuntu and Linux Mint).
In Ubuntu and Linux Mint, by default, even the administrator logs in with limited user permissions. Should he wish to perform an administrative task, then he has to type his password again, to obtain temporary root permissions. This will give him 15 minutes of root authority.
c. Many Linux users tweak their system according to their own taste. Because of the variety of Linux distributions, applications and kernel versions, it's difficult to write an exploit by which enough systems can be taken over to make the effort of creating that exploit worthwhile.
d. Virus scanners scan mainly for Windows viruses. These viruses don't work in Linux.
e. Virus scanners often issue false warnings. Possibly intentionally, to make the user feel good about the presence of the scanner. This induces people to needlessly damage their system.
f. Installing antivirus might lead people to mistakenly suppose that it's safe now to install software from other sources than the official software sources of their Linux.
g. Antivirus software itself is currently being attacked more and more, because it has by definition high permissions on the system and is often inadequately protected against hacking. This makes AV software an ideal target for hackers.
See this article about a research from 2014. The presentation slides of the complete research can be found here. Link dead? Then get a copy of the presentation slides from my own Google Drive.
h. The claim of antivirus companies that their products offer some protection against "zero day" attacks is misleading: the antivirus software itself is just as vulnerable for zero day attacks as the software it claims to protect.
i. There are currently no known active Linux viruses.
In short: antivirus in Linux is not only superfluous, but even harmful, because it induces people to dangerous behaviour and because it's often vulnerable itself.
This is a misconception because of the following reasons:
a. One of the advantages of running Linux is not having to weigh down your system with antivirus, nor having to import the security problems that antivirus creates. It would be rather counterproductive to move to a virus-free operating system, if we end up running all of the antivirus crud anyway...
And it adds insult to injury, to do so for the sake of an operating system whose owner actually chooses to let it be security-deficient.
If a Windows user can't be bothered to guard his own system against threats that are the result of shortcomings in his own operating system, then the efforts of the comparatively small base of Linux users aren't going to make a shred of difference. Such a Windows user will unavoidably get infected from somewhere else.
In fact, I believe that Windows has to lie in the bed it makes for itself. I'm not trying to be harsh here: it's more the principle that consequences must fall to the appropriate party, or else there is no incentive for change.
Therefore, unless a Linux user is running a public web/mail/file server (clearly not your average user), I strongly discourage the installation of antivirus, because doing so continues to silently endorse one of the worst aspects of operating system design.
In fact, you'll find that the "protection of Windows users" fallacy is sometimes used as an excuse, by people who irrationally can't believe that Linux really doesn't need antivirus for itself....
(With thanks to DuckHook from Ubuntuforums.org, for kindly allowing the use of this text)
b. If you want to reduce the chance of passing on a Windows virus by e-mail, than you can achieve that by sending e-mails with attachments by means of Gmail.
Then Google automatically scans the attachments for viruses, trojans and other malware. With a professional up to date virus scanner, on the servers of Gmail itself. A Gmail account is free, so you need to have no worries about costs....
When you enable POP3 support in Gmail, you can even use Thunderbird or Evolution for it.
Note: nowadays every good e-mail service (so not only Gmail) scans automatically for Windows viruses, on the servers of the e-mail provider.
c. Another possibility is the use of this free web service, which is the property of Google: VirusTotal.com. It uses a whole bunch of antivirus engines to scan every file that you feed to it, for viruses and other malicious software.
Those emulators are used to run Windows software in Linux. It's better not to install such Windows emulators, because they make your Linux partially vulnerable to Windows malware.
If you need to use Windows applications, then you could use a free legal Virtual Machine with Windows 7 for that, or (if you have a dual boot computer) an ordinary Windows.
The same objection is valid for the Mono infrastructure, albeit to a lesser degree. Mono also makes your system partially vulnerable to Windows malware, because it's cross-platform (like Java).
Mono is present by default in Linux Mint. In Ubuntu and Debian, Mono will be installed automatically whenever you install an application that needs the Mono infrastructure, like media player Banshee and notes app Tomboy. I advise to avoid those and install non-Mono based alternatives instead.
Make sure you don't have Mono in your system:
Launch a terminal window.
(You can launch a terminal window like this: *Click*)
Press Enter. Type your password when prompted; this will remain entirely invisible when you type it, not even asterisks will show, which is normal.
Furthermore, you make yourself dependent on the owner of the external repository, often only one person, who isn't being checked at all. By adding a PPA to your sources list, you give the owner of that PPA in principle full power over your system!
Therefore only use a PPA when you really (really!) have no acceptable alternative. Or when you're a tester for a particular piece of software (which you should only be doing on a non-essential test computer).
PPA's are a mixed blessing, to say the least. If used wisely and very restrictively, PPA's can occasionally be of great help. But used carelessly, they're for Linux what the bubonic plague was for the Middle Ages....
Have you already enabled PPA's or other third-party repo's and do you want to get rid of them? Then you can recreate a clean software sources list like this.
applying this how-to.
Furthermore, beware of installing shady or rogue add-ons and extensions in your web browser. They might harm your security.
Do you have already have polluted settings in Firefox, Chrome or Chromium (often caused by shady add-ons), and do you wish to start anew with a clean browser? Then proceed like this (item 7, right column).
10 fatal mistakes.
Read here how to secure your wireless network properly.
Easy, but dangerous: UPnP opens a huge security hole, which is not really manageable. It's better to disable it permanently, because UPnP is inherently insecure.
First, find the user manual of your router; if you no longer have it, then you'll probably be able to download a copy from the website of the router manufacturer.
Then access the configuration of your router and disable the UPnP feature, and also the accompanying feature, usually called something like "Allow user to configure".
Note: this might require you to take some extra measures for enabling VPN, P2P file sharing and the like (namely opening some ports manually). This isn't always necessary though, and depends on how your router manufacturer has configured the firmware defaults.
This advice is not only for Windows, but also for Linux. Because on this aspect, Linux is vulnerable too! Java is namely platform independent, which means that it works independently from the underlying operating system.
In Firefox you can disable Java like this.
creating and remembering a secure password is not hard.
a lot more of them on this website! Like this one: replace Windows XP by an easy free Linux.
To the content of this website applies a Creative Commons license.