Debian User Forums

[dcihon]

I see a lot of posts asking various questions about security.
I was wondering, Is it even something to worry that much about in Linux or Debian specifically?
I come from a Windows world and actually work in a Windows world and Virus threats , malware etc are definitely something to worry about.
I haven't seen very many stories about Linux systems being compromised and when there is some security issues it is patched rather quickly or only affects servers or maybe advanced users.
I just do my regular updates and leave the security concerns to the experts.

[mike acker]

I think you'll find that the general advice is Linux/Desktop is safe to run "as is" there not being much in the way of effective attacks running out in the wild.

a/v software is not recommended as it actually just creates a possible path of attack for un-authorized programming.

the usual recommendations still apply: keep your software up to date!

it's my impression -- "FWIW" that msft/windows is saddled with a lot of out-of-date baggage -- e.g. the win32 UI -- that wasn't very well done -- back in the day -- before everyting went online

Linux, OTH is derived from Unix -- and is thus based on a better original design.

my personal experience is very positive on this: I've been running various flavors of Linux since 2012. Just following the general advice I've tried to summarize, above. to my knowedge i've not picked up any un-authorized program -- often called a "virus".

[Bulkley]

Security is something everyone should pay attention to. The risk level differs for each of us. Windows is a sieve by design. Linux is safer by design. mike acker is right, you probably don't need to worry too much about viruses. Let me give you a concrete example.

If you download and install a browser for Windows you seriously run the risk that it has been compromised in some way. With Linux, as long as you use the repositories that come with the distribution, the browser you download will be clean. That's a big plus for Linux.

The big security problem for all users today is probably tracking. Vultures try to make money from you. For some it is just data such as which sites you visit. Others are looking for your credit card. Consequently, one needs some Internet street smarts. Stay off of porn sites; the girls are simply bait. I won't use either Facebook or Twitter as the business model is based on spying on you for free. If you do choose to use either then set the security as tightly as they let you. A VPN might be a good idea. A few extensions might be in order: an ad blocker, a cookie remover, etc. There are several threads on it here so do a little searching.

Your router may have a built-in firewall. I set mine to the highest security setting and have never had any problem surfing the Net.

[stevepusser]

Good article for beginners: http://goinglinux.com/articles/BasicLin ... nes_en.htm

[Lysander]

Stay off of porn sites; the girls are simply bait.

I recommend the podcast series The Butterfly Effect for an insight into how these sites make money and how bizarrely and unpredictably they can affect people's lives. Fabian is a very clever businessman. It's little wonder that his Mindgeek empire [which owns all the main streaming porn sites] is all 'in' for credit card verification here in the UK from April. I wouldn't be surprised if the whole thing was an underhand arrangement.

I won't use either Facebook or Twitter as the business model is based on spying on you for free.

This is true but there is no substitute for taking personal responsibility. If you do use these sites, just be mindful about what you put on there. FB will try to coax information out of you in insidious ways.

Your router may have a built-in firewall. I set mine to the highest security setting and have never had any problem surfing the Net.

I don't use any AV software or malware checkers. I only use uBlock origin and Privacy Badger on my browser, as well as ufw for my firewall.

[mike acker]

I've been fussing with Debian 9.30 last week and having a lot of fun.

One of the important keys in the installation is that a root password is not assigned. when you do this: you can't log in as root. neither can anyone else.

instead the first user account is added to the sudo users and will acquire the authority to issue sudo commands, e.g. I can use

Code: Select all

sudo apt install evolution

to install the Evolution e/mail client. I do get prompted for my log-on password in order to use SUDO.

msft/windows has come a long way in adding their "user account control" -- this has a similar effect: you have to "OK" any updates to the software. I don't think that's the main trouble with msft/windows though: I think there are many weaknesses in their "legacy" software. this seems to be conceded in their latest Windows 10s offering -- which is more of a "gated" system: software selections limited to what they have in the pen. like an iPhone.

My guess is: msft will push this HARD. If I remember right their premier package MSFT/Office -- version 2019 -- is going to be available only on Windows 10s systems.

We are definitely getting better at security though. For example, the Debian 9.30 software provides SHA256SUM check data and PGP signatures for the reference pages.

I like to talk about this. IMHO all software needs to be signed. IMHO "Zero Defects" -- is something we do -- not something we get. When Debian provides the SHA256SUM and PGP signature for the reference page -- what I do: is check these, per procedures.

suggested reading
Global Cybercrime Costs Top $600 Billion

[Thorny]

One of the important keys in the installation is that a root password is not assigned. when you do this: you can't log in as root. neither can anyone else.

instead the first user account is added to the sudo users and will acquire the authority to issue sudo

Mike, have you considered the case where someone obtains your password?

If there is a sufficiently secured root and you run as an unprivileged user, then they can only mess up your files. If you only have sudo user, then anyone who obtains your password can trash the whole system.

[Lysander]

One of the important keys in the installation is that a root password is not assigned.

More accurately, it doesn't have to be assigned.

https://wiki.debian.org/Root

It is better to choose a root password at install, and then add yourself to the sudoer's file later.

EDIT: vis-à-vis Thorny.

This is, incidentially, how a Slackware installation work. At install you will be prompted for a root password and later you can add yourself to the wheel group. Slackware does not encourage use of sudo, though it is possible to add oneself to the sudoer's file.

I will impart some personal communication from dasein as to why sudo is frowned upon and why it's advisable to have more than one password:

(1) Very much like systemd-vs-userspace, sudo doesn't actually bring
anything new to the table, and is less functional than the thing it's
meant to "replace."

sudo foo
su -c foo

(2) Across multiple scenarios, there's a lot to like about su's
built-in requirement that two passwords (not just one) must be
compromised in order for someone to gain God-like powers.

(3) The whole point of sudo (and by extension, the wheel group) is to
provide a mechanism by which a *selected subset* of root-like powers
can be granted to *specific* individuals who aren't root and don't need
to be root. But on a single-user system, no such user exists and no
such use-case exists.

4) It's bad pedagogy. It's way too easy for some newb to develop the
impression that every shell command must be prefaced with sudo. The
*nix security model isn't hard to learn, and learning it correctly
presents considerable benefit.

[Thorny]

It is better to choose a root password at install, and then add yourself to the sudoer's file later.

Yes, with the proviso that is suggested in your edit. Give sudo user limited access to things like dmesg but not to things like install.

Security and convenience do not go hand-in-hand, they fight each other.

[mike acker]

--snip
Mike, have you considered the case where someone obtains your password?
--snip

well, there's always that...
which brings us to the question of Physical Security

we generally recognize that if physical security is compromised so too are any computers to which the attacker gains physical access. that, of course brings us to the subject of whole disc encryption. and goons of various stripes.

just as a note though -- I do use an alternate, standard user logon for sensitive work.

[n_hologram]

Part of what makes Debian very secure is that they name things after Toy Story characters. This hardened nomenclature offers additional layers of protection not offered by other distros, and not even OpenBSD. For example "Debian Potato" (ie Mr. Potato Head) offers a cryptographic cipher that's otherwise unavailable, solely due to it's naming after Pixar's anti-hero of the same name. Debian is lucky for this.

Joking aside, consider the following:

Did you look at the other post that's been floating around in the same general area?

It's an extension of a similar post of the same content with additional information.

It sounds like everyone beat me to the browser caveats and warnings.

Heck, the same guy who gave you advice started an entire conversation about best practice for web browsing!

Not like the NSA cares which operating system or browser you use, anyway.

Dasein knows all about that.

And who knows what kind of vulnerabilities are just out there waiting to be exploited!

Debian has a CVE list for a reason.
Forum search (along with the first three pages in offtopic/general discussion) are replete with information. Most of these were found within the first three pages. I suggest reading.

[Head_on_a_Stick]

I prefer a locked root account and no sudo command at all

I also restrict `su` to my user and forbid everybody else:

https://wiki.debian.org/WHEEL/PAM#Restr ... tion_of_su

It's the only way to be sure.

Of course then we have this problem:

https://xkcd.com/1200/

[Bulkley]

Head_on_a_Stick, that cartoon displays the problem well.