Hi there,
Win10 is soon not supported. Tbh Linux have been on my radar since I started to break from the US big tech.
But how is security handled in Linux? Linux is pretty open-source, or am I not understanding it correctly. So how can I as a new user make sure to have the most secure machine as possible?
From a windows perspective Linux does 2 things differently which makes it more secure to Windows.
- Like MacOS it doesn’t need antivirus software like Norton. Windows needs antivirus because DOS the OS windows is based on, had it where any program had access to anything. This is still sadly true even on Windows 11. Linux is Sandboxed, where instead of giving the program full access to everything, you just give it a sandbox with what it needs.
Unless you deliberately run a program as the admin of Linux (su or sudo), malicious code can just delete system32.
- Linux’s is open source and while the desktop market share is tiny, there are a massive market in servers. As a result since there are a lot of eyes on the project if/when problems are found they are fixed quickly. I remember a time when a malicious actor was trying to add a backdoor into a library as a blob and it was caught.
Windows on the other hand is closed source, meaning if MS can’t find the issue, the only time it is found is when it’s in the field. To avoid downtime MS offers bug bounty programs for those who can find issues, rather than to let them exploit it.
Windows isn’t based on DOS, though. It hasn’t been for a very long time. Linux isn’t sandboxed. Userspace applications can be sandboxed. There’s a difference.
Yes modern Windows is based on the NT Kernal. However to keep with compatibility with older programs, NT needs to be compatible with DOS. For most people they never saw the transition from DOS to NT, since it was quietly done with Win XP.
Dude you really have no idea what you’re talking about.
NT even “back in the day” was very much NOT compatible with DOS.
I don’t know where you got your information from, but your mental model on how and why things work the way they do in both linux and windows seems to be really off.
Since you seem someone that is actually interested in understanding this stuff, I strongly suggest to find some better sources as your base
When I was taking cyber security, Sandboxing and Linux was one of the topics which was brought up.
Not sure when I associated it with the entire OS. It appears that the Host OS can be sandboxed for added security, and some containerized applications like Flatpaks are sandboxed. But not all applications are. Like the OS provided packages in most package managers.
I just want to say that you’re probably worrying too much about it. Of course, there is lots of things one can do to improve security (which the others here are listing dutifully) and it is foolish to just assume that one’s computer is entirely secure, because as a user, you will always have the ability to bypass that.
But there’s a pretty firm consensus in the IT industry that Linux is more secure than Windows. And that the popular Linux distributions are more trustworthy organizations than Microsoft.
So, it’s good to inform yourself, but if you survived on Windows, you at least should not worry about the Linux side of things. It’s more than fine.
Others have said it before but basically : what is YOUR (not me, not your best friend, nor your colleague, etc) threat model?
To clarify that means WHO is actually trying to threaten your security?
Typical for most people it would be :
- scammers trying to get pieces of your identity or your local cryptocurrency wallet or resources they can use to repeat that on to others.
For some people, like activists or political journalists it would be :
- national actors, e.g. governments, with their surveillance apparatus, who might end up on a list with a set of conditions that would trigger some automated scan to get e.g. Signal logs
For very very few people, say Edward Snowden, who within the previous group actually did trigger some action :
- actual team of hackers trying to hack into their devices
So as you can imagine if you are part of group 1, 2 or 3 then way you will protect yourself is totally different. What you will also have to protect is also different, e.g. if you have no cryptowallet but are traveling you might have to protect your phone physical phone and its data.
So… if you are serious about this, take a cybersecurity class. There are plenty available but how a computer works, software and hardware alike, is precisely what makes them simultaneously powerful and also dangerous. There are plenty of ways to break security (e.g. return oriented programing), plenty of ways that practically impossible (e.g. encryption) due to the very nature of computers (i.e. computational complexity) which IMHO makes this one of the most fascinating topic. Ask yourself come the credit card in your pocket (costing few bucks to make) can’t be cracked by the largest super computers (costing billions) on Earth?
TL;DR: no offense but you don’t seem to be ready for the answer without getting the basics first.
To have the most secure machine possible, you might need a hardened kernel but you absolutely need to have SELinux (or equivalent) rules set up.
The easiest way to have a go at this would be to install OpenSuSE (any version will do, they all ship with SELinux ootb) and follow guides on how to setup SELinux permissions.
Or Fedora
Security is a rabbit hole.
You’re going to end up wasting a lot of time and effort on learning about something that in the end will not have a substantial impact on your computing experience.
It will make you look good in front of losers on the internet you’ll never meet, though.
deleted by creator
You’re going to need to be more specific. There are dozens of aspects of security.
But if you want to have the most secure machine, then never turn it on, encase it in lead, and drop it at the bottom of the ocean.
Since I was referring to win10 losing support I thought it was understood that I asked about security updates like windows does. But to specify, how is the ongoing security updates working on Linux? Who does it? Is it even being done? It is an assumption on my side that the security is done in the same manner like win and mac, with continuous updates but that might as well be a wrong assumption.
Removed by mod
Security updates are provided by each package maintainer and released on their own schedule. Microsoft releases updates monthly on Patch Tuesday, unless there’s a severe vulnerability that can’t wait. But since Linux is a bunch of different packages rolled into a distro, there’s no one authority managing updates.
So, this means you might get them faster, or if a maintainer is not engaged, slower. Or, if a package is abandoned, not at all. Distros generally make sure their provided packages are maintained, but updates to third-party packages are not guaranteed.
it’s similar. in a mainstream distribution with a desktop environment, updates can typically be configured to notify you or install automatically. it’s common for those updates to now also include third-party sources like flathub.
upgrades (to a next point release or major version) are different, some can be fairly straightforward–others, not so much. and those upgrades will be more frequent, as the “lifecycle” for most linux distributions is shorter than windows’ 10 years.
There are also rolling release distros that never need upgrades. You install the system once and normal updates are all it needs.
what i did after install mint, enable firewall, disable vnc, ssh ,rdp ports. install opensnitch, install pihole
So how can I as a new user make sure to have the most secure machine as possible?
That’s not what you want. You want a reasonable level of confidence that your system is secure.
The process is similar to Windows - keep it up-to-date, use good passwords, don’t run things as root (admin), and don’t install things that are questionable.
The package manager under linux is where you should start, and that varys by distro some. But generally speaking things installed from there are “safe” and will be updated by the package manager when you do updates.
Linux is always more secure than win10, so whatever your need, Linux is more secure. The biggest threat is almost always yourself, and what you open up, give away, and how easy you make the codes you use and so forth.
Just make sure everything’s updated.
Microsoft do a good job of updating drivers and their applications, but Windows application updates vary so much.
For Linux - mostly - the distro maintainers handle all updates and just updating is usually enough.
After that it’s down to you… if you disable all the built-in protection and visit dodgy websites then any OS is going to struggle.
You can improve the out-of-box security by removing software you don’t use, improving default configurations (one size doesn’t fit all) and considering if you want additional security software - this applies to any OS.
So, to return to your question, choose a Linux distro which has regular updates and only contains applications that you use.
Visiting dodgy websites in itself isn’t as risky as you make it out to be. There are very few exploits in an updated version of Chrome or Firefox that would compromise your machine.
I think you’re agreeing with me then.
My first point is keeping everything updated - which would include the browser(s)
My later point was visiting dodgy sites with protections disabled.
Nothin, just install your favourite distro and don’t run random command/scripts/binaries you found on the internet
Like those ‘curl | sudo bash’ abominations that have become strangely popular lately.
I used to use ClamAV, but not sure I noticed much of a difference, so haven’t really used any antivirus software for a while now. Curious what people in this thread think of clam.
ClamAV looks for signatures of known viruses, most of which target Windows and not Linux. So it’s debatable how much more secure you really are by running ClamAV
Security is an insanely broad topic. As an average desktop user, keep your system up to date, and don’t run random programs from untrusted sources (most of the internet). This will cover almost everyones needs. For laptops, I’d recommend enabling drive encryption during installation, though note that data recovery is harder with it enabled.
That is good advice, however sadly a lot of install scripts are basically: download this script from us, and pipe it to a root shell.
Install scripts for what exactly?
Majority of software is packaged natively.
i personally wouldn’t recommend encrypted drive for a beginner though
Why not? You (usually) just click the check box during install, and you have 1 extra password when you boot up your system. Doesn’t seem too hard but I might be missing something.
when you fuck shit up you can’t really easily boot in from a usb drive and learn the recovery process
Better to lose the data than have it stolen.
So long as you know that is the trade off, I would tend to agree with you, but knowing the standard desktop user, most will opt for the opposite of your statement.
deleted by creator
It’s surprisingly annoying trying to configure LUKS full disk encryption. I had to look up instructions many times over on Mint.
Wait what? I don’t use mint, but with every other distro you just check the box at install and that is it.
Are you saying its hard to configure after you have already installed? I could imagine it might be, but why not export a list of programs you use and back up the home directory. Reinstall and check the box, restore home, and import your package list?
Firstly, LUKS is under “physical disk for encryption” which is a stupid and confusing name.
Secondly, if you want to dual-boot with LUKS you need to manually configure the partitions.
Thirdly, you need to seperately assign root to be installed on the “physical disk for encryption”, and they have multiple volumes for that in the list.
Fourthly, as with all LUKS encrypted Linux distros you need a seperate EFI, boot, and root partition.
Fifthly, all of this partitioning is on a really small window that can’t be resized.
I don’t dual boot, so I guess there is that. But everything else seems very confusing. All other installers say, do you want this encrypted? You click yes. And that’s it.
TBH I’ve installed Mint, Kubuntu, and OpenSUSE and I don’t remember which ones had which issues. I think they’re all Mint but maybe not.
They should not us LUkS and instead use veracrypt for folders and files. That way if any repartitioning or modification is needed it’s simple in gparted or GNOME disks on mint.
Source is been there and done that. Luks partitions are not easily resized.
I hear don’t run random stuff from the internet alot but back when i was using windows, if i found something interesting on say github i would just download and run it and i expected windows defender to block any viruses. Is there something similar for linux? Like if I go around installing random Aur packages, is there anything stopping viruses from doing virus things?
Is there anything stopping viruses from doing virus things?
Usually that’s called sandboxing. AUR packages do not have any, if you install random AUR packages without reading them, you run the risk of installing malware. Using Flatpaks from Flathub while keeping their permissions in check with a tool like Flatseal can help guard against this.
The main difference is that even with the AUR being completely user submitted content, they’re centralized repositories, unlike random websites. Malware on the AUR is significantly less common, though not impossible. Using packages that have a better reputation will avoid some malware, simply because other people have looked at the same package.
There is no good FOSS Linux antivirus (that also targets Linux). Clamav “is the closest”, though it won’t help much.
