Linux security myths
Myth busting: Linux security
As the author of Lynis, I have to run several Linux systems for testing Linux security defenses. And if you do something long enough, some get to see you as a Linux security expert. When that happens, you get asked questions. Surprisingly they are often related to some of the myths. Time to share a few I got asked. If you received this link from me directly, then most likely you asked one :)
- Linux systems are not prone to viruses
- A firewall is not required on Linux
- Open source software is more secure than proprietary software
- Software packages from the official repositories are safe
Myth: Linux systems are not prone to viruses
This first myth might actually be true. Viruses are very rare for Linux. This is also true for Windows and macOS, as this type of malicious software (malware) is not often seen. In the past, MS-DOS and Windows systems got affected by viruses a lot. From innocent versions that let characters fell down on the screen, to viruses that quickly wiped your whole hard drive.
If we look for other types of malware, then worms and ransomware are the most active ones. A worm is a type of malware that has the goal of spreading itself as quickly as possible. Ransomware typically makes use of worm-like capabilities to spread, but with the simple goal to find your valuable data. It then encrypts it and then asks you for a ransom. Both types are a threat to most operating systems, including Linux.
Like with so many things, there is power and weakness in numbers. With more users on a particular platform, the chance that it is targeted will increase. The number of systems powered by Linux is only increasing. From small devices in the category Internet of Things up to servers that power the most active websites in the world. Linux is everywhere and therefore becomes a target. Or maybe we should say, already is. Look at Android, the Linux-based mobile operating system. Most of the weaknesses are simply Linux security flaws or vulnerabilities in software.
Myth: A firewall is not required on Linux
Most Linux distributions have definitely improved the baseline security level over the years. Before many unneeded services were installed and activated by default. This means the number of services listening on a network port has also decreased. This still does not warrant the lack of a firewall.
There are actually a few types of firewalls. When we speak about a firewall, it is typically the one that does network traffic filtering (like iptables of nftables). Another type is the application level firewall like OpenSnitch. A tool like this will ask per application what connections are allowed.
Even if your system is not having much running, it is good to filter incoming and outgoing traffic on your systems. This is especially useful to combat worms and other network-based attacks. After all, your system might be a good network citizen, but your network neighbor might be less friendly. Another benefit from adding a firewall is to understand what services need to run on your system. With that knowledge, it becomes easy to define if any incoming UDP or TCP ports need to be opened at all.
Myth: Open source software is more secure than proprietary software
One of the benefits of open source software (OSS) is the availability of the code. Typically this type of software also comes with some level of ‘free’: free as in beer, or free as in speech. Now the general consensus is that when the code of the software is available, more people can look into the code and find bugs and security vulnerabilities. While this is true, it doesn’t make the software more secure. For that to happen, the developer needs to be skilled and security savvy. Also, other skilled people actually have to look in the code and be able to find any programming flaws.
Software development is hard, as a developer needs to have a good amount of creativity and logic. You will need the latter to make the software do what you intended. The creativity component is important to find edge cases, like unintended behavior. It also helps with finding more efficient ways to solve a problem. Like so many things, there are usually more paths to achieve the same goal. Sometimes a shortcut might be a good way to achieve more efficiency, sometimes it results in a terrible security weakness in your software.
Myth: Software packages from the official repositories are safe
If you only install software packages via the default software repositories, you might think you are safe.This myth goes hand in hand with that open source software would be more secure than propriety software. While some packages might be officially maintained by the Linux distribution itself, there is still a risk. Such software repository usually contains thousands of packages. The chance that one or more contain security vulnerabilities is high. That a software package is officially maintained, needs to be clarified. Typically it means that the Linux distribution will patch known flaws.
If you have the chance to install a package, the official repositories are always preferred. This could be the version distributed by your Linux distribution. Another option is the original software developer or company. If they have an official repository, then that is typically also a good and trusted source. Be careful with adding repositories that are maintained by individuals not related to the project. While their efforts are typically well intended, they might lack the time to keep things up-to-date. Worst case you might even end up with software that is altered. Such alteration could be as bad as added backdoor.
Linux security tips
Now that we discussed some of these myths, let’s look at some of the options to improve the security defenses of Linux systems.
- Only install what you really need
- Software patch management
- Implement a firewall
- Perform regular security scans
Only install what you really need
Most humans are hoarders, especially when it comes to digitally goods. We collect more and more files and applications. If you want to increase your security, it is time to decrease the number of applications you have installed. So are you testing something and done with it? Remove it. Got some applications installed a while ago and didn’t touch them in the last months? Consider removing them as well.
Software patch management
We can be short about this one: patch, patch, and patch. Every package that is installed, might contain a software bug. Keep them up-to-date and do it automatically when possible. See the additional resources for some links and tools to do so.
Implement a firewall
Filter out as much network traffic as possible. If your system needs to get a dynamic IP address, then allow DHCP requests to be sent and responses to be received. Allow outgoing network protocols that are required, like DNS for name resolving and NTP for time synchronization. Typically you also want to allow outgoing HTTP and HTTPS connections, to be able to browse the web. Most incoming connections can be safely rejected. Usually you will directly see what traffic is really needed. The rest of the traffic can stay out.
Perform regular security scans
If we only had to give one tip, then this one would be it. With a security scanning tool like Lynis, you can measure possible improvements. Such Linux security scanner is like an umbrella. It contains many different security aspects and defenses that are available on Linux systems. From the earlier mentioned ones, up to the more advanced options available.
Security advice from Linux distributions
All Linux distributions had to learn over time on how to deal with security related issues. Most of them created a security guide, which could be a good way to learn more about security. Some of these mentioned Linux security myths are discussed in more detail. Sometimes even with additional steps on what you can do to improve your security level. So invest a little bit of time and read the security related documentation of your distribution.
Our guides and tips
Over the years we have written about many topics related to Linux security. Here are some suggested reads that help with securing Linux systems.
- Linux generic
- How much system hardening should you do?
- Livepatch: Linux kernel updates without rebooting
- Linux kernel security and how to improve it
- Optimize SSL/TLS for Maximum Security and Speed
- Postfix Hardening Guide for Security and Privacy
- In-depth Linux Guide to Achieve PCI DSS Compliance and Certification
- GDPR Compliance: Technical Requirements for Linux Systems
Did we miss some Linux security myth, or got a good tip? We love to hear in the comments below!