New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Advice for linux security
Hey guys.
I've started using linux mint and searching around the web I see mixed opinions regarding the security. Some folks strongly discourage the use of any kind of antivirus, etc. On windows I used to have malwarebytes anti-malware which was enough for my needs; it scanned files on execution, blocked most of the incoming traffic; blocked malicious websites which were reported to their network, etc. Is there a similar program for linux?
Also I need some advice in general on how to make it secure for everyday use?
Thanks in advance!
Comments
There is no need for antivirus on linux
Did you verify the gpg signature of the ISO image before you installed from it?Mint's site has been hacked before you know?
Don't download and install software from anywhere other than your distro's repos.
I would expect mint to have a secure firewall config by default so you don't need to touch that unless you know what you're doing.
@Abdussamad Thanks for your input.
Yes I did verify the signature before installing.
Well the thing about downloading is that I do need some software which are not in the official repos. So I have no choice other than to add those repos. Although I am careful not to install anything random off the net, but still there is always a risk. That's why I need advice.
I haven't touched the default firewall config because I am not that good with linux.
@scorcher9 it's fine if you're careful about what you install.
@scorcher9 if you don't trust those repos don't add them. It's as simple as that. Also if you are using linux and find yourself to regularly (seriously that should be an extremely rare one time thing) install software outside the official repositories you are doing it wrong.
I was talking about things like keepass, slack, etc. Have to add external repos but you can say it's a one time thing and most of these are trusted I believe.
Anyway so if I am careful about what I install, there is nothing else that I need to do?
You really should try to avoid proprietary software. Installing non-free closed source stuff pretty much defeats the purpose (and security) of using linux.
I'd start looking for alternatives to said tools. Installing binary blobs from somewhere on the web is a bad habit of windows users and the sooner you lose it the better. Might sound harsh now but you'll thank me later.
I disagree with @mksh
Running linux may have different reasons and purposes. Running only open source software may or may not be one of them.
Let's face it: The vast majority of linux users rarely ever look at the source of linux or the software they run. In fact, even users just doing the check hash, unpack, ./configure, make, make install dance rather than something like apt-get install [some_package] are a small minority.
If there is closed source program you like the right thing to do is to inform yourself about it; e.g. does it have a history of reliability or not? After all, it's the quality of the program that's important and not whether it's open source or not.
Moreover much of the open source crowd "wisdom" is but shallow talking and a belief system rather than facts. Proof: There is plenty open source software out there and much of it is poor. Plus most open source software users do not have the knowledge and/or the time to actually inspect it; most of the few who actually look at the source code hardly have more than a quick glance.
Regarding your initial question @mksh is right insofar as you should strongly prefer a package of your distro but getting the software from its authors is also OK. What you should not do though is to download it from just about anywhere.
Responding more generally, security is a complex matter and it will take quite some time to reach at least a good level and the necessary experience. Installing one of the more well known and respectable distros is a good start for a newcomer and should provide a reasonable minimal level of security. Another important step is to keep your system up to date and to make small steps and only once you have learned enough about any given matter.
Man, jgp, you do remind me someone who was banned on LET.
@deank
You must be a pretty lonely human being if you've never made the experience that different people do occasionally have some views in common.
Btw, how about contributing something related to OPs question?
Yes, I am very lonely... sniff
It wasn't view I was thinking tho. It was the writing style.
OP's question? If I am to use closed source software on, like say, Fedroa, I am just gonna run Windows 10 if it's a desktop unit.
Wait, I am confused... So if I search for let's say something like "open source alternative for xxx" I'll end up with stuff that I don't trust or know where it's coming from. Unless I first learn the code and check what's going on.
Sorry if I sound ignorant
@jsg Thanks for your input. I don't have the knowledge so yeah closed or open it's the same for me at this time.
I thought mint was respectable. Is it not? What else would you suggest?
I'm for example using some banking software on linux. In fact I'm grateful that that software is available on linux too because running some software of quality X on linux rather than on Windows still gives me considerably more security in total.
Btw. the closed vs open source thing was just one point that came up and both @mksh and myself voiced our views without any attack on each other. Maybe it'll be of use for OP no matter to which side he leans.
Pardon my wording. I did not intend to doubt that Mint is respectable; my remark was of a general nature.
So to make it clear, I think that Mint is a fine distro for someone just switching to linux. Plus you'll profit from Debians package system (Debian is the "base" of Mint).
>
Oh, i don't even disagree with you here. The reason i am being hardline pro open source here is more that while the quality of those applications might still be poor the chance of them being outright malicious is way smaller. I am quite sure you know how to make an informed choice and i can do it too but would you assume the same from an average Windows user who has been subjected to the philosophy of just download it somewhere quick? There is some reeducation needed. I don't care if this comes off as ideological.
You are totally right here. The common response would be to point at how the code is of course is checked by other people who have the needed skills which in a lot of cases is just one thing: Bullshit. The thing with open source software is that being free (as in beer - shit i sound like one of those guys...) most of the time actually means free and not just that you are the product but getting people to choose something other than the path of least resistance is hard. Still being prepared to put in some extra effort if needed is what imo forms the absolute minimal requirement for security and Windows teaches people some very bad habits in that regard which must be reversed.
Blobs are fine. If you trust your security to a single guy maintaining widespread critical code (hello openssl), you can trust a 5 billion dollar company like Slack.
Hehe, i think everyone could see from a mile away that OpenSSL would get a mention here
Thanks for stopping by. The end isn't nigh yet?
Been using windows since 3.1 but I have to use linux for a project I am working on. Can't go into too much detail but let's just say I have to work around it.
I have a neutral stance on the whole open vs closed source in general, so I don't think I am going to lean on either side.
The end is nigh only if you make it so. The end is free for all. You simply have to choose it and the method.
Having said that, open/close source argument is something I don't deeply care. It's a matter of choice. But the only reason I am keeping my Fedora unit and keep updating the rig is because I intent to run only open source software on it.
Ditching MS office for LibreOffice and ditching Photoshop for GIMP was my step. Both work on both OS.
Well, ideally it would come from the repositories of your distro. Beyond that you'd probably would be more concerned with finding something that suits your needs. If you manage that you can go on about researching it's quality. Even without being able to read the code that's not impossible. You can check if it's widely used and if there have been any incidents. You can dig up information on the authors and see if they have some kind of track record. You could ask people what they think of it (actually LET wouldn't be the worst place for that) and so on. Sooner or later you'll get a feeling for what to look for.
@mksh
Let me elaborate a bit. I AM a software developer; that's how I earn my living and I have to earn it.
I do both, closed source for my clients and open source. And here's the truth: My closed source work is considerably better quality than my open source except for relatively rare cases where I am allowed to open source some part of my work (typ.a library); funnily a typical request of clients is to strip the code before open sourcing it (take out e.g. the static analysis and sometimes the unit tests).
My open source code, e.g. vpsbench usually comes to life because I have an itch to scratch and the quality is not bad but still considerably lower than my professional work. The quality of my open source code is largely defined by my experience thanks to which I rarely make certain dumb errors. But I wouldn't PROFESSIONALLY check it, after all, it's just a tool I created to scratch an itch. If it works OK that's good enough.
I just mentioned that because I thought it might be interesting to see things from another angle too.
Btw, what I consider the single most important factor in closed source software is the question whether it was created in a hurry under pressure and with a "features sell!" mindset. If yes, it's almost bound to be poor quality. I personally try hard to avoid that kind of clients (and software) but unfortunately they are the majority. It's not that my colleagues are poor developers, it's just that they aren't given the time and resources to work properly. Hint: Look at the marketing material, the release frequency and most importantly at the question wether they often throw out releases with ever more and new features; if yes, avoid that product.
@mksh that makes so much more sense now. Thank you.
I agree with @mksh's advice. That said there shouldn't be much need for software outside Mint's package system because it's quite rich.
I use a lot of proprietary software on Linux - both on servers and desktops.
l wouldn't say there's anything wrong with it, as long as the company who created it maintains it.
Stuff like Slack, Chrome, Nessus, Virtualizor etc is closed source and will remain that way. Do I feel bothered by that? Not in the slightest.
I highly doubt that you could find open source alternative for everything.
I might be wrong but I mean I can't even get my graphics card to work properly without using the proprietary driver. It's an old machine but still. It defeats the purpose right from the start you know.
That's one way of looking at it and it really depends on where you're coming from. I would say that "I highly doubt that you could find a closed source alternative for everything."
I'm trying to remember if it actually did or not out of the box (18.3 i've not installed 19.x yet)
That's an interesting way of looking at it
You are right there isn't. Graphics drivers (at least when it comes to 3D acceleration) being a sad chapter. Still it somewhat depends on the hardware.
Having said that there is enough closed source (of actually very questionable quality) directly on your mainboard. It's a whole tiny system running in the background with access to everything on your PC and network and noone really knows what it does (https://libreboot.org/faq.html#intel). While there are options to at least neuter this in some cases i can see how the average person can't be expected to go to such lengths.
TL;DR: Yeah, you'll run into cases where it's impossible to avoid. Just try to do your best and not just go with the first or most convenient option.
You could at least use chromium. It still phones home to google but is way less invasive. Not to mention other forks actually decent forks. Using chrome itself is easy to avoid with little to no drawbacks.
Yeah you are right, for me that's like going too far.
Got it, thanks
True words. It's quite frustrating when you can literally tell clients exactly that and they couldn't care less. All they care for is if you can deliver something fast.
Well, there is projects one should just reject but then who am i to say that? I've personally handed in code where one of the main conditions was that i would never - under no circumstances - be named as the author (well, in fact i wasn't but even the thought of someone knowing i had touched this mess was beyond humiliating) and i would take zero responsibility if the turd i was asked to produce would mutate into godzilla and march off towards tokyo. Needless to say the client didn't even blink twice before agreeing... I am not sure if the rather big retail chain he wanted to sell the abomination to got wise to the fact they were being offered the single worst codebase i had seen in my whole life but in the end that wasn't my problem.