Basic security for Linux

Updated 18 May 2021

Table of Contents

...Loading Table of Contents...

    If you use Linux, you may have heard the myth that it is more secure than Windows. This is not necessarily true. Security depends on a combination of how we use our devices, and their own software, which can be found to have vulnerabilities at any time. Complete the following steps to make your device more secure. Get in the habit of checking these settings from time to time, to make sure nothing has changed.

    Use the latest version of your device's operating system (OS)

    Learn why we recommend this

    New vulnerabilities in the code that runs your devices and apps are found every day. The developers who write that code cannot predict where they will be found, because the code is so complex. Malicious attackers may exploit these vulnerabilities to get into your devices. But software developers do regularly release code that fixes those vulnerabilities. That is why it is very important to install updates and use the latest version of the operating system for each device you use. We recommend setting your device to automatically update so you have one less task to remember to do.

    • When updating software, do it from a trusted location like your home or office, not at an internet cafe or coffee shop.
    • Updating to the latest OS may require you to download software and restart a number of times. You will want to set aside time for this where you do not need to do work on your device. Go through the steps of comparing the latest version to your device's current version below, until your device does not give you additional new updates.
    • If the latest version of the OS will not run on your device, try a Linux distribution specially created for older hardware, like LUbuntu. Or, consider buying a new device.
    • Make sure you restart your computer once an update has downloaded, to make sure it is fully installed.
    • See the most updated version of Ubuntu available
    • Compare it to the version your device has installed

    Use apps from trusted sources

    Learn why we recommend this

    Ubuntu Software is the program to use for installing applications and programs in Ubuntu. Install apps only from software repositories managed by these Linux distribution developers. "Mirror" download sites may be untrustworthy, unless you know and trust the people who provide those services. If you decide that the benefit of a particular app outweighs the risk, take additional steps to protect yourself, like planning to keep sensitive or personal information off that device. See why Security in a Box trusts the apps we recommend.

    Remove apps that you do not need and do not use

    Learn why we recommend this

    New vulnerabilities in the code that runs your devices and apps are found every day. The developers who write that code cannot predict where they will be found, because the code is so complex. Malicious attackers may exploit these vulnerabilities to get into your devices. Removing apps you do not use helps limit the number of apps that might be vulnerable. Apps you do not use may also transmit information about you that you may not want to share with others, like your location.

    Check your app permissions

    Learn why we recommend this

    Apps that access sensitive digital details or services--like your location, microphone, camera, or device settings--can also leak that information or be exploited by attackers. So if you do not need an app to use a particular service, turn that permission off.

    Turn off location and wipe history

    Learn why we recommend this

    Many of our devices keep track of where we are, using GPS, cell phone towers, or wifi we use. If your device is keeping a record of your physical location, it makes it possible that someone could find you, or could use that record to demonstrate you have gone to particular places or associated with specific people.

    • Get in the habit of turning off location services overall, or when you are not using them, for your whole device as well as for individual apps.
    • Regularly check and clear your location history if you have it turned on.
    • Turn location services off

    Make separate user accounts on your devices

    Learn why we recommend this

    We strongly recommend not sharing devices you use for sensitive work with anyone else. However, if you must share your devices with co-workers or family, you can better protect sensitive information by setting up separate accounts on your devices in order to keep your sensitive files protected from other people.

    • Make more than one account on your device, with one having "admin" (administrative) privileges and the others with "standard" (non-admin) privileges.
      • Only you should have access to the admin account.
      • Standard accounts should not be allowed to access every app, file, or setting on your device.
    • Consider using a standard account for your day-to-day work:
      • Use the admin account only when you need to make changes that affect your device security, like installing software.
      • Using a standard account daily can limit how much your device is exposed to security threats from malware.
      • When you cross borders, having a standard account open could help hide your more sensitive files. Use your judgment: will these border authorities confiscate your device for a thorough search, or will they just open it and give it a quick review? If you expect they won't look too deeply into your device, using a standard account for work that is not sensitive provides you some plausible deniability.
    • Manage user accounts
    • Manage who has administrative privileges to change sensitive settings

    Remove unneeded accounts associated with your device

    Learn why we recommend this

    When you don't intend for someone else to access your device, it is better to not leave that additional "door" open on your machine (this is called "reducing your attack surface.") Additionally, checking what accounts are associated with your device could reveal accounts that have been put on your device without your knowledge.

    Set your screen to sleep and lock

    Learn why we recommend this

    While it may seem like technical attacks are your biggest concern, it is much more likely that your device will be confiscated or stolen and someone will break into it. For this reason, it is smart to set a passphrase screen lock, so that nobody can access your device just by turning it on. We do not recommend screen lock options other than passphrases. You might easily be forced to unlock your device with your face, voice, eyes, or fingerprint if you are arrested, detained, or searched. Someone who has your device in their possession may use software to guess short passwords or PINs. It is also possible to guess "pattern" locks by looking at finger tracks on the screen. Someone who has dusted for your fingerprints can make a fake version of your finger to unlock your device if you set a fingerprint lock; similar hacks have been demonstrated for face unlock. For these reasons, the safest lock to set is a long passphrase.

    Control what can be seen when your device is locked

    Learn why we recommend this

    A strong screen lock will give you some protection if your device is stolen or seized--but if you don't turn off notifications that show up on your lock screen, whoever has your device can see information that might leak when your contacts send you messages or you get new email.

    Use a physical privacy filter that prevents others from seeing your screen

    Learn why we recommend this

    While we often think of attacks on our digital security as highly technical, you might be surprised to learn that some human rights defenders have had their information stolen or their accounts compromised when someone looked over their shoulder at their screen, or used a security camera to do so. A privacy filter makes it less likely someone doing this will succeed. You should be able to find this wherever you find device accessories.

    Use a camera cover

    Learn why we recommend this

    Some malicious software will turn on the camera on your device in order to see you, the people around you, or where you are without you knowing it.

    • First of all, figure out whether and where your device has cameras. Your computer might have more than one if you use a plug-in camera as well as one built into your device.
    • Low-tech camera cover: use a small adhesive bandage over your camera, and peel it off when you need to use the camera. A bandage works better than a sticker because the middle part has no adhesive, so it does not get sticky stuff on your camera lens.
    • Or search your preferred store for "webcam cover thin slide." "Thin" is important because some covers are too thick, and your laptop may not close.

    Turn off connectivity you're not using

    Learn why we recommend this

    Wifi is a data connection that lets our devices reach other devices on the internet, using radio waves to connect to a router which usually has a wired connection to the broader internet. Cell phone connections also help us access other computers and phones around the world, via a cellular network of towers and repeaters. NFC and Bluetooth connect our devices to other devices near them, also using radio waves. All these connections are vital to communicating with others. But because our devices are connecting to other devices, there is a chance that someone will use this connection maliciously to get to our devices and sensitive information. For this reason, it is a good idea to turn off these connections when you are not using them, particularly wifi and Bluetooth. This limits the time an attacker might have to access your valuables without you noticing that something strange is happening on your device (like it running slowly or overheating when you are not using it heavily).

    Clear your remembered wifi networks

    Learn why we recommend this

    When you turn your device's wifi connectivity on, it tries to look for any wifi network it remembers you have connected to before. Essentially, it "shouts" the names of every network on its list to see if they are available to connect to. Someone snooping nearby can use this "shout" to identify your device, because your list is usually unique: you have probably at least connected to your home network and your office network, not to mention networks at friends' houses, favorite cafes, et cetera. This fingerprint-like identification makes it easy for someone snooping in your area to target your device or identify where you have been. To protect yourself from this identification, erase wifi networks your device has saved and tell your device not to remember networks. This will make it harder to connect quickly, but saving that information in your password manager instead will keep it available to you when you need it.

    Turn off sharing you're not using

    Learn why we recommend this

    Many devices give us the option to easily share files or services with others around us--a useful feature. However, if this feature is left on when we are not using it, malicious people may exploit it to get at files on your device.

    • Ubuntu may not automatically make sharing possible. If you know sharing is available on your device, check and see if you need to turn the following settings off. If you cannot find the settings using the instructions described here, you probably do not have these sharing options installed.

    Use a firewall

    Learn why we recommend this

    Firewalls are a security option that stops unwanted connections to your device. Like a security guard posted at the door of a building to decide who can enter and who can leave, a firewall receives, inspects and makes decisions about communications going in and out of your device. We recommend turning yours on to prevent malicious code from trying to access your device. The default firewall configuration should be enough protection for most people.

    Not all devices come with a firewall turned on. This does not mean these systems are wide open to all network connections. It just means they trust their software not to be listening when it shouldn't. They are like building owners that do not bother with guards and cameras because they are confident about which doors are unlocked, which are barricaded and which will open only for people with certain keys.

    Firewalls help us protect our devices in situations where a piece of software starts listening to information we weren't expecting it to. Where a door gets left open, in other words, either by accident or by a malicious person within the building. Firewalls that monitor outgoing connections are sometimes able to let us know when malicious software is trying to steal data or "phone home" for instructions. If you install a firewall that is specifically designed to limit outgoing connections, or if you configure your built-in firewall to work this way, you should be prepared to spend some time "training" it so that it only alerts you when it observes something unusual.

    • Use Gufw
      • As a default, set "Incoming" to "Deny" and "Outgoing" to "Allow."

    More resources

    Frequently Asked Questions

    Q: I've heard that you can't get a virus on Linux because most malware is designed for Windows. Is this true?

    A: No. While most malware does target Windows, you can still get malware as a Linux user if, for example, you click on an infected link or open a malicious attachment. Learn more about malware and how to avoid it here.

    Q: Is Ubuntu harder to exploit than Windows or Mac OS X?

    A: Not necessarily. The process of discovering vulnerabilities and exploiting is pretty much the same, regardless of your operating system.