Basic security for Linux
Posted10 August 2016
Table of Contents...Loading Table of Contents...
GNU Linux is a free and open source computer operating system. Read this guide to learn how to secure your Linux operating system.
What you will get from this guide
GNU Linux is a Unix-like free and open source computer operating system.
The source code of free software is open and free for anyone on the internet to inspect. This enables security experts around the world to audit such software, to check whether it includes malicious code and to evaluate how secure it is. Furthermore, the very fact that the source code of free software can be accessed and reviewed by anyone means that more security experts can potentially work on improving both its functionality and security. Proprietary software, on the other hand, like Microsoft Windows or Mac OS X is not open for review.
While GNU Linux is mostly used on servers, mainframe computers (mostly used by large organizations for bulk data processing, critical applications, etc.) and supercomputers, it can also be used for every-day activities by a wide range of users. If you are currently using Mac OS X or Windows and thinking of switching to Linux, this guide can help you through that process. This guide might also be useful to existing Linux users who are interested in enhancing the security of their operating system.
This guide provides some tips that can help provide basic security for your Linux operating system. What this guide does not provide is an in-depth analysis of all the possible security options available.
Linux includes multiple distributions and Ubuntu was chosen for this guide due to its popularity and ease of use, but you might want to choose a different Linux distribution for your laptop (see section 1.0.). The following sections of this guide include steps on how to securely download and install Ubuntu, encrypt your hard drive and secure your operating systems through updates and various security tips.
1.0. Alternatives to Ubuntu
Alternatively to Ubuntu, you can choose a different Linux distribution. Such distributions include the following:
Otherwise, there are two other major operating system choices: Mac OS X and Microsoft Windows. Mac is a line of computers manufactured exclusively by Apple and running their own operating system called Mac OS X. Microsoft Windows is the world's most used consumer operating system, often installed in computers by default.
2. Download and verify Ubuntu
The following sections of this guide explain how to download and verify Ubuntu's ISO file prior to installing it.
2.1. Download Ubuntu
To download Ubuntu perform the following steps:
Step 1. Navigate to the official Ubuntu download page.
Figure 1: Ubuntu download page
Step 2. Click the Ubuntu download button.
Figure 2: Ubuntu download button
Step 3. Click [Download] from the Ubuntu Desktop Download page.
Figure 3: Clicking Download via the Ubuntu Desktop Download page
Step 4. Scroll-down the next page.
Figure 4: Scrolling-down the next page
Step 5. Click towards the end of the page.
The Ubuntu ISO file should now start downloading automatically.
Figure 5: Ubuntu ISO file downloaded
2.2. Verify Ubuntu's ISO file
Verifying the integrity of the operating system that you are about to install is extremely important. In February 2016, for example, Linux Mint's website was hacked and its ISO file was replaced with a backdoored version.
To verify the integrity of your downloaded Ubuntu ISO file, perform the steps below:
Step 1. Navigate to Ubuntu's latest sums and signatures webpage.
Step 2. Scroll-down to Ubuntu's files.
Figure 1: Ubuntu 16.04.1 sums and signatures
Checksums are designed to verify the integrity of the data in an installation file.
The checksum for Ubuntu 16.04.1 is SHA256SUMS and this has been signed by Ubuntu with the SHA256SUMS.gpg file.
Figure 2: Ubuntu 16.04.1 checksum and signature
Step 3. Download the SHA256SUMS file and select a location to save it.
Figure 3: Downloading SHA256SUMS
Step 4. Download the SHA256SUMS.gpg file and save it in the same location as the SHA256SUMS file.
Figure 4: Downloading SHA256SUMS.gpg
Step 5. Launch Terminal.
Step 6. Type the following in your terminal to import the key used for the signature from the Ubuntu key server.
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys "8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092" "C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451"
Note: If you are not already using a Linux operating system, you might need to first download the GPG tools for this step. You can find such information here. To check if you already have GPG tools installed, type gpg --version in your terminal.
Step 7. Press Enter. This should print the following in your terminal:
Figure 5: Imported public keys from the Ubuntu key server
Step 8. To verify the key fingerprints, type the following in your terminal:
gpg --list-keys --with-fingerprint 0xFBB75451 0xEFE21092
This should print the following:
Figure 6: Verifying key fingerprints
To verify the GPG signature provided to SHA256SUMS (and thus SHA256SUMS itself), you will first need to go to the directory where you have saved the SHA256SUMS and SHA256SUMS.gpg files.
Step 9. Type cd Downloads if you have saved your checksum files in your Downloads directory. If you have saved them in a different directory, type cd and the name of that directory.
Step 10. Now that you are inside the directory where you have saved your checksum files, type the following in your terminal:
gpg --verify SHA256SUMS.gpg SHA256SUMS
This should print the following (verifying the GPG signature):
Figure 7: Verification of GPG signature
Step 11. To check the integrity of your Ubuntu ISO file with sha256sum, you will need to compare it with the downloaded checksums. Depending on your current operating system, type the following in your terminal:
sha256sum -c SHA256SUMS 2>&1 | grep OK
Mac OS X
shasum -a 256 -c SHA256SUMS 2>&1 | grep OK
sha256sum.exe -c SHA256SUMS
In all cases, this should print the following:
Figure 8: Verification of Ubuntu ISO data integrity
This verifies the data integrity of the Ubuntu ISO file that you have downloaded. You can now safely install it through the steps of the following section.
3. Install Ubuntu with full-disk encryption
We recommend the use of full-disk encryption to increase the protection of data stored in your laptop. Full disk encryption allows you to encrypt, and therefore hide and protect, all of the data that is stored in your laptop. If third parties gain physical access to your laptop which is protected with full-disk encryption, they will not be able to access any of the data that is inside it.
Note: You can only configure full-disk encryption at the initial stages of installing Ubuntu on your laptop.
Prior to installing Ubuntu:
Back-up all of your data. Once Ubuntu is installed, it will replace all data stored on your previous operating system.
Plug your computer into a power source so that it does not switch off during the installation process.
Stay connected to the internet so that you can get the latest updates while you install Ubuntu. If you are not connected to the internet you will be asked to select a wireless network, if available.
To install Ubuntu with full disk encryption, perform the steps below:
Step 1. Create a bootable USB stick. Depending on your current operating system, view Ubuntu's relevant guides:
Step 2. Boot your laptop with a USB stick containing your downloaded and verified Ubuntu ISO file.
Figure 1: Booting a laptop with an Ubuntu ISO file
Step 3. Select the language with which you would like to proceed with the installation (e.g. English).
Step 4. Click .
Figure 2: Preparing to install Ubuntu
Step 5. Select [Download updates while installing Ubuntu].
Step 6. Click [Continue].
Figure 3: Installation type
Step 7. Select [Encrypt the new Ubuntu installation for security] to configure full-disk encryption for your operating system.
Step 8. Click [Install Now].
Figure 4: Choosing a passphrase for full-disk encryption
Step 9. Choose a strong passphrase to secure your drive and type it.
Figure 5: Typing a passphrase for full-disk encryption
Note: Ensure that your passphrase is as strong as possible! The protection of your encrypted drive is only as strong as your passphrase. You can find information on how to create strong passphrases here.
Step 10. Re-type your passphrase for full-disk encryption.
Figure 6: Confirming a passphrase for full-disk encryption
Important: Try not to forget or lose your passphrase! You will need to type it in every time you switch on your laptop and without it, you will be unable to access your system.
[Optional] Step 11. For more security, select [Ovewrite empty disk space]. However, the installation might take longer.
Step 12. Click [Install Now] to configure full-disk encryption with your selected passphrase.
Figure 7: Writing the changes to disk
Step 13. Click [Continue].
Figure 8: Selecting location
Step 14. Select your location and click [Continue].
Figure 9: Keyboard layout
Step 15. Select a language for your keyboard layout and click [Continue].
Figure 10: User information
Step 16. Type your name.
Step 17. Type your computer's name. This is the name that your computer will use when talking to other computers, so you probably don't want this name to be personally identifying.
Step 18. Type a username for your computer. Consider selecting a random name for your username, which is different to your official name. This can help reduce the possibility of your system being linked to your real identity when it communicates with other computers and servers on the internet.
Figure 11: Selecting a name, username and computer name
Step 19. Choose a strong passphrase for your system and type it. This passphrase is different to the passphrase used for full-disk encryption.
Figure 12: Typing a system password
Note: Ensure that your system's password is as strong as possible! The protection of your system is as strong as its password. You can find detailed information on how to create strong passwords here.
Step 20. Re-type your password.
Figure 13: Confirming a system password
Note: Try not to forget or lose your passphrase! You will need to type it in every time you switch on your laptop and without it, you will be unable to access your system.
Step 21. Select [Encrypt my home folder].
Figure 14: Encrypting the home folder
Step 22. Click [Continue] to install Ubuntu.
Figure 15: Installation of Ubuntu
Step 23. Click [Restart Now] once the installation process is complete.
Figure 16: Installation complete
Once your computer has restarted, you will be asked to unlock your encrypted drive with your passphrase for full-disk encryption.
Figure 17: Unlocking full-disk encryption
Step 24. Type your passphrase to unlock full-disk encryption.
Figure 18: Typing a passphrase to unlock full-disk encryption
If you have typed in your passphrase correctly, then you have unlocked full-disk encryption, as illustrated below:
Figure 19: Full-disk encryption unlocked
You will then need to access your user system.
Figure 20: User system
Step 25. Type your system passphrase.
Figure 21: Typing the system passphrase
You have now accessed your new Ubuntu operating system, which is configured with full-disk encryption.
Figure 22: Ubuntu 16.04.1
4. Update software on Ubuntu
Software updates might seem trivial, but they are really important as they can offer protection against a variety of vulnerabilities.
Software developers create updates to improve upon their software and to address vulnerabilities. In some cases, software vulnerabilities can leave their users vulnerable to a variety of malware attacks. It's therefore important to update all of the software on your computer on a regular basis.
You can easily update all of your software via Ubuntu's Software ( previously called "Ubuntu Software Centre"). To do so, perform the steps below:
Step 1. Click the Ubuntu Software icon via Ubuntu's menu.
Figure 1: Ubuntu Software icon
You will now be presented with Ubuntu Software.
Figure 2: Ubuntu Software
Step 2. Click [Updates] to view all the available updates for the software on your computer.
Figure 3: Updates available via Ubuntu Software
Step 3. Click [Install] on the top-right corner to install all of the updates.
Figure 4: Installing all updates via Ubuntu Software
Note: On other Linux distributions you can update your software via GNOME Software.
You can also update your software via Ubuntu's built-in Software Updater tool. To use this tool, perform the steps below:
Step 1. Click on Ubuntu's Dashboard icon and type [Software Updater].
Figure 5: Searching for the Software Updater via Ubuntu's Dashboard
Step 2. Click on Software Updater. This will prompt the tool to search for updates.
Figure 6: Software Updater searching for updates
Step 3. Software Updater will present you with all the updates that are available for the software on your computer. Click [Install Now] to install all of the software updates.
Figure 7: Software updates detected by Software Updater
Step 4. Type your system password to authenticate the installation of the updates.
Figure 8: Authenticating the installation of software updates
The tool will now start installing all of the software updates.
Figure 9: Installing software updates
Step 5. To complete the installation of updates, click [Restart Now...] to restart your computer.
Figure 10: Restarting the computer to complete installation updates
Ubuntu's Software Updater will regularly notify you of any new software updates.
Computers can be lost, stolen, or destroyed, and there are many ways that data can be corrupted or wiped out by a hardware problem. It's therefore important to regularly back-up all of your data to protect it from getting lost.
Ubuntu has a built-in tool called Déjà Dup which allows you to back-up and encrypt your files. You can learn how to use this tool through the following steps:
Step 1. Click on Ubuntu's Dashboard icon and type Deja Dup.
Figure 1: Searching for Déjà Dup via Ubuntu's Dashboard
Step 2. Click on Déjà Dup to open the tool.
Figure 2: Déjà Dup
Step 3. Click [Folders to save] to select the folders that you want to back-up.
Figure 3: Selecting folders to back-up
Step 4. Click to open your folders.
Figure 4: Choosing folders
Step 5. Select the files that you want to back-up.
Figure 5: Selecting Documents
Figure 6: Selecting Files
Step 6. Click [Add] to add the files that you want to back-up.
Figure 7: Files added to Deja Dup
Step 7. Click [Storage Location].
Figure 8: Deja Dup storage location
Step 8. Click the storage location drop-down menu and select a location to back-up your files.
Figure 9: Selecting a USB disk as a location to back-up files to
In this example, we have connected a USB and back-up files on an external drive.
Figure 10: USB DISK selected as back-up location
Step 9. Type a name for the folder that you want to back-up.
Figure 11: Typing a name for the back-up folder
Step 10. Click [Scheduling] to arrange how regularly your files will be backed-up.
Figure 12: Backup scheduling
Step 11. Click [OFF] to turn Deja Dup on (if it's not already on). This will allow you to select how frequently you would like to back-up your data via the drop-down menus.
Figure 13: Backup scheduling activated
Step 12. Once you have scheduled your backups, click [Overview].
Figure 14: Backup overview
Step 13. To back-up your selected files, click [Back Up Now...].
Figure 15: Backup pasword
Step 14. To encrypt your backup, you will need to select a strong passphrase which you will use to encrypt and decrypt it. Type an encryption password for your backup.
Figure 16: Entering an encryption password for backups
Important: Your backup is only as secure as the password that you use for it! Learn how to create strong passwords here. Also, try not to forget or lose your password, as that would prevent you from accessing your backed up files.
Step 15. Re-type your encryption password to confirm it.
Step 16. Click [Continue] to save your password for encrypting your back-up.
If you navigate to the location where you backed up your files, you should view them encrypted.
Figure 17: Encrypted backed up files
Step 17. To access your backed up files, open Déjà Dup and click [Restore...].
Figure 18: Déjà Dup
Step 18. Select the backup location from which you would like to restore files from. In this example, we are restoring files from USB DISK.
Figure 19: Selecting the backup location to restore files
Step 19. Type the name of the folder that you want to restore. In this example, we are restoring the file named "backup".
Step 20. Click [Forward].
Step 21. Select the date of the backup that you would like to restore.
Figure 20: Selecting the date of the backup
Step 22. Click [Forward].
Step 23. Select the location that you would like to restore your backups to. If you want to restore files to their original location, then click [Forward].
Figure 21: Restoring files to their original location
Step 24. Click [Restore] to restore your backup.
Figure 22: Summary of restoration information
Step 25. Type your encryption password to access your files.
Figure 23: Restoring encrypted files
Step 26. Click [Continue].
Figure 24: Restoring encrypted files
Step 27. Click [Close] to complete the restoration of your files.
Figure 25: Restoration complete
Alternatively to Déjà Dup, you can use Duplicati for backing-up and encrypting your files.
6. Basic security tips
Security is a process and as such, it requires a variety of techniques, tactics and strategies which can change from time to time depending on your threat model.
Below we include a few tips for some basic digital security:
1. Immediately install all software updates on a regular basis. As mentioned in section 4, software updates can offer protection against a variety of vulnerabilities. If you have outdated software on your computer, you are more vulnerable to malware.
2. Install software from Ubuntu Software. In various cases, websites are hacked and their download files are replaced with infected versions. This, for example, happened in early 2016 when Linux Mint's website was hacked and its ISO file was replaced with a backdoored version. To reduce the possibility of installing infected software, install software via Ubuntu Software (when possible) which not only provides software that has been checked for vulnerabilities, but which also informs you of any recent updates to such software.
3. Don't click on links or open email attachments if you're unsure about who sent them to you and what's in them. One of the most common ways of getting infected with malware is via links or email attachments sent to users. It's therefore important to avoid clicking on links or opening email attachments when sent from unknown sources and/or when you are not expecting them. Below we include an example of an infected link:
Figure 1: Infected site that looks like YouTube
While the website above looks like YouTube, if you notice its URL you will see that it is not actually youtube.com. By installing the Adobe Flash Player Update, you will most likely be installing malware instead. Similarly, the website below looks like Facebook.
Figure 2: Infected site that looks like Facebook
However, if you pay attention to its URL you will notice that it is not actually facebook.com, but an infected site. By entering your login information, the owner of this site will be able to acquire your Facebook login information. Learn more about how to avoid malware via email attachments and links here.
4. Keep Java (both openJDK and Oracle Java) and the Adobe Shockwave Flash browser plugins disabled by default. These plugins are often found to contain security vulnerabilities that could allow a remote user to assume control of your computer or to install malware. Learn how to disable these plugins in your browser here.
5. Always use strong passwords. Your system and everything on it is pretty much as secure as the passwords that you use. It's therefore important to ensure that you use strong passwords and that they are different for each account (if someone gets hold of one password that is linked to multiple accounts, then that individual might get access to all those accounts). Learn how to create and maintain strong passwords here. Also, learn how to manage your passwords via the KeePassX password manager.
6. Always lock your screen when you're away from your laptop (and it's switched on). It's important to lock your screen every time you leave your computer to prevent third parties from accessing and using your laptop while you're not around. You can lock your screen on Ubuntu by pressing the following:
Figure 3: Locking Ubuntu screen with windows key and the L key
For more advanced security, see the following Linux guides:
Q: I've heard that you can't get a virus on Linux because most malware is designed for Windows. Is this true?
A: No. While most malware does target Windows, you can still get malware as a Linux user if, for example, you click on an infected link or open a malicious attachment. Learn more about malware and how to avoid it here.
Q: Is Ubuntu harder to exploit than Windows or Mac OS X?
A: Not necessarily. The process of discovering vulnerabilities and exploiting is pretty much the same, regardless of your operating system.
Q: Why do I need to encrypt my files stored in my laptop if I'm using full-disk encryption?
A: Full-disk encryption can prevent third-parties from gaining physical access to the data stored in your laptop. When you are using your laptop, third-parties can potentially exploit vulnerabilities to gain remote access to your files, which is why it's important to also encrypt them with VeraCrypt, for example.