Hi there,
Win10 is soon not supported. Tbh Linux have been on my radar since I started to break from the US big tech.
But how is security handled in Linux? Linux is pretty open-source, or am I not understanding it correctly. So how can I as a new user make sure to have the most secure machine as possible?
Security is an insanely broad topic. As an average desktop user, keep your system up to date, and don’t run random programs from untrusted sources (most of the internet). This will cover almost everyones needs. For laptops, I’d recommend enabling drive encryption during installation, though note that data recovery is harder with it enabled.
That is good advice, however sadly a lot of install scripts are basically: download this script from us, and pipe it to a root shell.
i personally wouldn’t recommend encrypted drive for a beginner though
Why not? You (usually) just click the check box during install, and you have 1 extra password when you boot up your system. Doesn’t seem too hard but I might be missing something.
when you fuck shit up you can’t really easily boot in from a usb drive and learn the recovery process
Better to lose the data than have it stolen.
They should not us LUkS and instead use veracrypt for folders and files. That way if any repartitioning or modification is needed it’s simple in gparted or GNOME disks on mint.
Source is been there and done that. Luks partitions are not easily resized.
I hear don’t run random stuff from the internet alot but back when i was using windows, if i found something interesting on say github i would just download and run it and i expected windows defender to block any viruses. Is there something similar for linux? Like if I go around installing random Aur packages, is there anything stopping viruses from doing virus things?
Is there anything stopping viruses from doing virus things?
Usually that’s called sandboxing. AUR packages do not have any, if you install random AUR packages without reading them, you run the risk of installing malware. Using Flatpaks from Flathub while keeping their permissions in check with a tool like Flatseal can help guard against this.
The main difference is that even with the AUR being completely user submitted content, they’re centralized repositories, unlike random websites. Malware on the AUR is significantly less common, though not impossible. Using packages that have a better reputation will avoid some malware, simply because other people have looked at the same package.
There is no good FOSS Linux antivirus (that also targets Linux). Clamav “is the closest”, though it won’t help much.
There’s a lot of people with the idea that open source can’t be secure because people see the source code.
But imagine this. You have 2 locks, one that is completely viewable of the innerworkings, and another that is covered, both have been unbreakable, but could you imagine the balls on the guy that made the clear lock? Imagine feeling so confident that your lock was clearly the best, that you just expose it to any hacker ever and they still can’t get in.
Microsoft can barely get things working with their closed source code.
In reality, anything is exploitable and hackable eventually. With the open source community there are so many eyes on it that when someone notices that the program is running 2 seconds slower than it used to, they discover a vulnerability instead of just accepting it and saying “probably MS doing some BS” and dealing with it.
your analogy doesn’t quite work here tbh.
It’s not a transparent lock, a transparent lock would be easy to pick. It’s more of a usual lock, but everyone can see all the blueprints and changes done to them. You can make changes to the blueprints yourself, and if the locksmiths approve of it, the next iteration of the lock will have them included.
Everyone who’s in the set of users of OSS software can contribute, therefore the set of people in control of the software that want it to have no backdoors whatsoever is always larger than the set of people who want to let the backdoors in, unlike in closed source, where corporate can singlehandedly decide to include a backdoor on purpose, not to mention, lots of OSS projects have such a large quantities of different people working on them, corpos won’t be able to gather so much humanpower under a single project ever.
Microsoft being closed source hides their bugs and vulnerabilities. Even when security researchers have sent in reports MS has sat on them due to profit being motive not security, and not taking vulners seriously until the researchers say screw that and publish it.
Linux being open can have all eyes on it, and if there is an exploit, there is a community willing to help ASAP.
On many distros you may have weekly or even daily updates or patches coming through with fixes. A distro like OpenSUSE has various patch and list patch commands that show what security patches are avilailable, their status (critical, recommended) and if it’s needed on your system or not depending on what you have installed. You don’t get transparency on closed source systems.
If you are paranoid about security you can use AppArmor tools or SELinux. AppArmor can be set to learn his an app behaves, then you lock it so the app can’t do new things.
SELinux you set rules for files and folders, so even with remote access an attacker can’t access data if rules don’t allow file listing over SSH etc
Can I use it to run pirated games through WINE and Lutris?
I’m sure you could. I personally haven’t tried that, but games work well for me, as do the random windows engineering tools I gathered in the 2000s
To be honest, security in the desktop Linux space has traditionally been a bit shit.
Since you’re new, it’s important for you to understand that Linux is a kernel. That’s the most low-down part of your operating system that handles your OS talking to your hardware and vice versa. Linux is not a full OS; it doesn’t provide any userspace tools that an OS provides. That’s why people don’t install Linux on its own, but they install Linux distributions, which are full OSes using the Linux kernel that come with more or less software to make Linux a complete OS, or at least bootable. That means that there is no one way to do things in Linux. There are some Linux distributions that are security-focused, such as Qubes OS and Alpine Linux. There’s also the new immutable distros, which provide security because the entire OS is defined declaratively, meaning you can easily rollback changes, and it’s harder to get infected with malware on those systems. There’s a lot of variability. Some systems are quite secure by default. A lot of other systems do not set up any security measures by default and expect the user to do that.
If you’re interested in hardening your Linux install, I would recommend the Arch wiki’s security page which has a lot of good advice.
Security is a really broad topic and the relevant security measures for you are going to vary based on your threat model. General good practices include using some form of MAC, setting up a firewall, don’t install random crap you don’t need (and if you are getting software from somewhere that isn’t vetted, e.g. the AUR, you should vet it yourself—e.g. if you use the AUR, learn to read PKGBUILDs), use full-disk encryption. Anti-virus software is largely not necessary on Linux, especially if you only install software from your package manager and follow other security good practice.
I just want to say that you’re probably worrying too much about it. Of course, there is lots of things one can do to improve security (which the others here are listing dutifully) and it is foolish to just assume that one’s computer is entirely secure, because as a user, you will always have the ability to bypass that.
But there’s a pretty firm consensus in the IT industry that Linux is more secure than Windows. And that the popular Linux distributions are more trustworthy organizations than Microsoft.
So, it’s good to inform yourself, but if you survived on Windows, you at least should not worry about the Linux side of things. It’s more than fine.
So how can I as a new user make sure to have the most secure machine as possible?
That’s not what you want. You want a reasonable level of confidence that your system is secure.
The process is similar to Windows - keep it up-to-date, use good passwords, don’t run things as root (admin), and don’t install things that are questionable.
The package manager under linux is where you should start, and that varys by distro some. But generally speaking things installed from there are “safe” and will be updated by the package manager when you do updates.
Nothin, just install your favourite distro and don’t run random command/scripts/binaries you found on the internet
Like those ‘curl | sudo bash’ abominations that have become strangely popular lately.
As others have said, Linux Security is a very broad topic. But the main thing is keeping your system updated, only install packages from your distro’s repositories, install a firewall and don’t install anything you don’t need should go a long way :)
For example, i use Alpine Linux as a desktop OS. This means i only install packages through apk, from the Alpine repositories. I run apk update and apk upgrade commands every friday. I use Flathub for most desktop software which i also update weekly. (To be even more secure, only install verified flatpak’s). my firewall has no incoming ports open (really not needed on my desktop). And i keep myself updated with the latest news regarding Alpine Linux, and Linux in general. So i am aware of most vulnerabilities as they are published. This is a pretty secure system.
Later on if you want even more security you can start following the CIS guidelines for your favorite distro, but the above should be a good start.
But good security is not just jeeping your system updated, it also means you have good backups in place, in case randsomware hits your system. And then there’s also the monitoring of your system for suspicious behaviour :) But these are far more advanced topics!
Linux is always more secure than win10, so whatever your need, Linux is more secure. The biggest threat is almost always yourself, and what you open up, give away, and how easy you make the codes you use and so forth.
When my kids were in their teens they had windows machines.
They had windows machines, because all their friends had windows machines.
you know what kids are like, click on every thing. oblivious to danger.
malware, viruses, the lot. of course, good old idiot dad had to sort it out. spending hours running anti-virus programs and malwarebytes etc
I got really annoyed one day and while they were at school. I totally removed windows and installed linux mint xfce on both their machines.
Set everything up for them exactly how I used my linux machine.
Once they were online, had their web browser open, found they could login in to all the things they liked and still enage with their friends.
I never heard a peep from them. no more anti-virus scans or malware.
It was heaven.
Ive used Linux for 20 years and never had a virus.
I would argue that Linux is inherently much more secure than windoze, simply because of how it handles user space vs. System (root access vs. User access). Also by how transparent its configuration is and how much information is readily accessible detailing how it works and how to adjust things.
However, when talking security for anything above the average user’s browsing needs, it can get very complicated depending on what you are trying to achieve.
Think of it like building something to keep out honest people vs. to keep out hardened, knowledgeable, clever thieves. Obviously the latter is going to take more time and resources to achieve, while the need to keep out more sophisticated bad actors would probably only be needed if you have something they might want.
Here are some suggestions for searching if actual security is your goal. Others can chime in with more things if they want. This is just some topics/programs you can read about to dip your toes in.
- nftables/Firewalld (common firewalls)
- wireguard/openvpn (vpn protocols)
- rootless containers (podman)
Best of luck!
I’ve used Linux Mint and other distros daily for more than 10 years. Never had a virus or malware issue and don’t even run antivirus software.
During that same time I’ve had to help friends remove viruses and malware from their Windows machines dozens of times. The latest Windows disaster I’ve assisted with was a few months ago. A retired friend had her Windows 10 machine hijacked and $8K stolen from her savings account. Making sure the malware was removed required hours of work formatting the drive and reinstalling Windows.
IMO you are far safer with a plain vanilla Linux install that you are with Windows, no matter what steps you take to secure your Windows installation.
You sure though? Windows has more viruses because it’s more popular (desktop) and monolithic, not because Linux is much better in that regard. IOW Linux is not magically virus resistant. If you run an infected file, it will infect both without much trouble. Also removing infection would be similar. At least that’s my understanding.
You sure though?
What do you want? It should go without saying that I am absolutely sure of my own experience.
In probably 15 years total of running Linux I have not had a single problem with malware or viruses. Part of that time was also running Windows regularly and my Windows systems DID become infected with both malware and viruses occasionally, despite my best efforts. And you’re not mentioning the fact that Linux runs on 63% of the server market and those systems are under constant attack.
Reports of Linux system infections are truly rare, and considering the nature of the user community would be widely and loudly reported if they were happening.
Do you have any experience in this matter? Have you had your own Linux installations infected? Please fill us in on the details.
Servers are a different story. I’m both Windows and Linux user, meaning more towards the later recently. I’m still wondering why do you think Linux is more resistant to malware - besides the incompatibility (mentioned in other reply here). Your experience doesn’t tell much about why and I wrote my theory.
Do you have any experience with Linux viruses? Have you had your own Linux installations infected with viruses or malware?
I think I’m cautious enough to not have the experience, luckily. But why does that matter? I’m still waiting from you for rationale why is Linux experiencing less infections. And you keep asking unimportant questions…
Glad you haven’t had any issues. You think it’s only because you’re cautious? It doesn’t anything to do with anything else?
The Linux kernel is monolithic too. This and the slow adoption of Rust are the two major security complaints of the GrapheneOS regarding Linux. I might change to COSMIC when it’s ready just to spite the luddites that oppose Rust.
It’s hard enough getting legit software in general to work on Linux. Even if a virus was written for Ubuntu, it is likely not going to run on Fedora, or Arch, or even downstream/upstream versions of Ubuntu.
Edit: Although thinking about it, Linux terminal commands are pretty universal, so if you manage to execute a script or terminal command as root or sudo then I guess it could apply to multiple distros.
Ha, yes, incompatibility is the secret defense of linux 🫣. But even without root access, malware can create a lot of damage.
You don’t actually need “perfect” security in the future, any more than you did in the past. Windows was not perfect, right? So stop looking for perfection. Instead, look for “good enough for 99.9% of the world”. And you can get that with many of the popular Linux distributions.
Basically, install a popular distro, and keep your software to whatever is in the package manager. Don’t install random shit manually. Don’t download random software from random websites. Don’t fuck with security settings unless you read up on the topic very thoroughly. Then you’ll be fine.
Keep your user account in user space.
Avoid unnecessary root access.
