Since 2009 this website is a complete quick guide for Linux, both for beginners and for experienced users!

Ubuntu 14.04 Trusty Tahr has been released!

A star of the Ubuntu family: Xubuntu!

12days until
Ubuntu 14.04.1 (first point release or "Service Pack 1")

Release schedule of Ubuntu 14.04 LTS Trusty Tahr

95days since
end of life for Windows XP: quickly replace it by Linux!

The ideal replacement for Windows XP

Security in Ubuntu, Linux Mint and Debian: an explanation and some tips


Back to the homepage



Security summarized

1. First of all: there is no 100 % security. Not in real life and not in the digital world. Not even when your computer is running Linux. You should always use your common sense. And even then it can go wrong. A certain amount of risk, however small, is unavoidable. A Frenchman would say: c'est la vie.

About viruses, firewalls and exploits I can be brief:

Antivirus software

1.1. You don't need antivirus software in Ubuntu, Linux Mint and Debian. Because a virus can't do anything in Linux.

Mainly because of this: in order to install on your computer, a virus needs your password. And that it doesn't have. Furthermore, you generally only install software from the secured "software store" (repositories) of your Linux distribution.

Therefore there are no Linux viruses "in the wild" (with the exception of web servers, but securing web servers is quite a different cup of tea). For the full story, read on.

Firewall

1.2. A firewall is already installed by default. It's called IPtables. IPtables can be managed through the application Uncomplicated Firewall (ufw), which is also installed by default.

By default the firewall isn't activated, because behind the ports that are exposed to the internet, there aren't any listening services. At least not in a standard installation. An attacker can't do anything without a listening service.

However, in certain cases you do need a firewall. For instance when you share an unprotected wireless network, or when you've activated some services on your computer. So in order to be on the safe side, I advise to turn on the firewall in all cases.

You can turn on the firewall by means of the terminal (yikes!). This is how you do it:

Click on the grey Ubuntu logo (Dash home). Query: terminal.
Click on Terminal.

type (copy/paste):
sudo ufw enable

Press Enter. Type your password when prompted; this will remain entirely invisible, not even asterisks will show, which is normal.

Uncomplicated Firewall (ufw) has a sensible set of default settings (profile), which are fine for the vast majority of home users. So unless you have special wishes: you're done!

Check the status of the firewall: 
sudo ufw status verbose

Press Enter.

When enabled, the output should be like this:

pjotr@netbook:~$ sudo ufw status verbose
[sudo] password for pjotr:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
pjotr@netbook:~$


I've printed the most important message in red: this output basically means that all incoming is denied and all outgoing allowed. There are sensible exceptions in the default settings: for example, with the default profile the use of Samba should be no problem. Also downloading torrents (fetch) should be possible; but seeding torrents (serve), might require a temporal disabling of ufw.

It's easy to disable the firewall (should you wish to do so) with this command:
sudo ufw disable

Press Enter.

If you're interested in the full set of rules, see the output of:
sudo ufw show raw
You can also read the rules files in /etc/ufw (the files whose names end with .rules).

Vulnerabilities

1.3. Exploitable security vulnerabilities can appear in any operating system and in every application. Also in Linux. From these you'll be protected by the updates. Ubuntu automatically performs a daily check for available security updates. It's important to install the proposed security updates immediately, if you want to keep your system as safe as possible.

As long as it's discovered quickly and repaired speedily, a vulnerability is no big problem.

The full story

2. The full story is as follows.

Because of the growth of Linux, most antivirus companies want to tap this new market. Many new Linux users think that they need an antivirus solution in Linux, because of the clever marketing of these companies.

The opposite is true, however. Unlike other operating systems, it's almost impossible to write an effective virus for Linux. How can this be, you might wonder. I'll try to explain why.

Linux computers are just as well a target as computers that run on another operating system. Many popular (and therefore valuable) websites run on Linux, so there is no lack of motivation to infect Linux.

Some people suggest that the Linux community is conceited or lagging behind when it comes to viruses or other security issues. This suggestion is not true.

The developers of Linux haven't ignored viruses, they have structured Linux in such a way that it has good resistance to viruses. And because the code is open, there are literally thousands of people who check the code for errors and propose fixes.

Virus scanners mainly work "reactively", which means that they almost only provide protection against viruses that are already known to the creators of the scanner. Antivirus applications can only protect against a new virus after that virus has been created, not before.

More importantly still, the best protection against any virus will consist of repairing those leaks in the software, which the virus attacks. These repairs happen by means of security updates (which in Linux are issued sooner and more often than in Windows and Mac OS).

Few antivirus companies have a faster response time than the Ubuntu security team. The time frame between public disclosure of a security problem and the making of an antivirus solution or a repair, is obviously the most dangerous period.

As I've said before: a vulnerability is no big problem, as long as it's discovered quickly and repaired speedily.

It's difficult to install a virus on a Linux computer, but it's certainly not impossible. The greatest danger lies in unreliable software repositories and in unsafe code that a careless administrator executes. At present there are in any case no Linux viruses "in the wild."

(continued in the column on the right)



This website is being sponsored by Google Ads.

Are you using an ad blocker? Then you're also blocking my earnings from advertisements....

If you wish to support my website, you can configure your ad blocker to make an exception for this website. Thanks in advance....


My advice: do NOT install antivirus software

3. My advice is therefore not to install a virus scanner if you run Linux on your computer.

A summary of the reasons:

a. In Linux, the executability of a file is not determined by an extension (like for example .exe in Windows), but by the permissions adhering to this file. Each newly created file is by default not executable under Linux, and the user will first need to make this file executable by an explicit action.

b. In Linux a normal user has but very limited permissions. For example, a normal user can't perform administrative tasks. And so the scope of this user is actually limited to his own home folder. For installing software you always need to be root (or to have temporary root rights, which is the way of Ubuntu and Linux Mint).

In Ubuntu and Linux Mint, by default, even the administrator logs in with limited user permissions. Should he wish to perform an administrative task, then he has to type his password again, to obtain temporary root permissions. This will give him 15 minutes of root authority.

c. Many Linux users tweak their system according to their own taste. Because of the variety of Linux distributions, applications and kernel versions, it's difficult to write an exploit by which enough systems can be exploited to make the effort of creating an exploit worthwhile.

d. Virus scanners scan mainly for Windows viruses. These viruses don't work in Linux, most of them not even in a Windows emulator like Wine.

e. Virus scanners often issue false warnings. Possibly intentionally, to make the user feel good about the presence of the scanner.

f. There are currently no known active Linux viruses.

Misconception: protection of Windows users

4. Occasionally somebody proclaims the following misconception: "I use antivirus in Linux, so that I can't accidentally pass on a Windows virus to a Windows user. For example by e-mail attachments".

This is a misconception because of the following reasons:

a. Running antivirus in Linux is a useless waste of system resources. Resources that can be put to better use, for example making your system more responsive.

One of the advantages of running Linux is not having to weigh down your system with antivirus. It would be rather counterproductive to move to a virus-free operating system, if we end up running all of the antivirus crud anyway.

And it adds insult to injury, to do so for the sake of an operating system that actually chooses to be security-deficient. If a Windows user can't be bothered to guard his own system against threats that are the result of shortcomings in his own operating system, then the efforts of the comparatively small base of Linux users isn't going to make a shred of difference. Such Windows users will unavoidably get infected from somewhere else.

In fact, I believe that Windows has to lie in the bed it makes for itself. I'm not trying to be harsh here: it's more the principle that consequences must fall to the appropriate party, or else there is no incentive for change.

Therefore, unless a Linux user is running a public web/mail/file server (clearly not your average user), I strongly discourage the installation of antivirus, because doing so continues to silently endorse one of the worst aspects of operating system design.

(With thanks to DuckHook from Ubuntuforums.org, for kindly allowing the use of this text)

b. If you want to reduce the chance of passing on a Windows virus by e-mail, than you can achieve that by sending e-mails with attachments by means of Gmail. Then Google automatically scans the attachments for viruses, trojans and other malware. With a professional up to date virus scanner, on the servers of Gmail itself. A Gmail account is free, so you need to have no worries about costs....

When you enable POP3 support in Gmail, you can even use Thunderbird or Evolution for it.

Note: nowadays every good e-mail service (so not only Gmail) scans automatically for Windows viruses, on the servers of the e-mail provider.

You'll find that the "protection of Windows users" fallacy is often used as an excuse, by people who irrationally can't believe that Linux really needs no antivirus....

The things that are dangerous

5. These are the things that do endanger Linux, which you therefore will want to avoid: 10 fatal mistakes.

Wireless security

6. The security of your wireless network isn't operating system specific, but it's an important issue. Read here how to secure your wireless network properly.

Disable Universal Plug and Play (UPnP) in your router

7. Not related to your operating system, but important nevertheless: disable Universal Plug and Play (UPnP) in your router. UPnP in your router, enables network devices to communicate with each other, both in your personal network and by means of the internet.

Easy, but dangerous: UPnP opens a huge security hole, which is not really manageable. It's better to disable it permanently, because UPnP is inherently insecure.

First, find the user manual of your router; if you no longer have it, then you'll probably be able to download a copy from the website of the router manufacturer.

Then access the configuration of your router and disable the UPnP feature, and also the accompanying feature, usually called something like "Allow user to configure".

Note: this might require you to take some extra measures for enabling VPN, P2P file sharing and the like (namely opening some ports manually). This isn't always necessary though, and depends on how your router manufacturer has configured the firmware defaults.

Handle with care: Java and openJDK

8. Java (both Oracle Java and openJDK) are frequently under attack. That's why it's best, to disable Java by default in your web browser (if you have installed it at all). Then you can enable Java only for a short while whenever you need it.

This advice is not only for Windows, but also for Linux. Because on this aspect, Linux is vulnerable too! Java is namely platform independent, which means that it works independently from the underlying operating system.

In Firefox you can disable Java like this, and in Google Chrome or Chromium you can do it as described here.

Note: this only applies to Java. There's also Javascript, which is much more secure than Java. So there's usually no need to disable Javascript as well.

Create and remember a secure password easily

9. Contrary to what many people think, creating and remembering a secure password is not hard.

Want more?

Do you want more tips and tweaks for Ubuntu? There's a lot more of them on this website! Like this one: replace Windows XP by an easy free Linux.


To the content of this website applies a Creative Commons license.

Comments