LinuxQuestions.org
Old 11-28-2016, 11:48 AM   #16
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,649
Blog Entries: 4

Basically, there are exactly three things that Linux (and Windows!) users must always be aware of, and must always do.

If you do these things, then you will remain safe from malware:

(1) Do not install "anti-virus" or "anti-malware" software!
Because these tools are designed to be very invasive ... able to read anything on your system, ostensibly to check to see if it has malware in it ... they are a favorite vector for the installation(!) of malware.

(2) Do not allow your "everyday login account" to be an Administrator.
In Win-doze, that's literally "Administrator." In Linux, that's "a member of the wheel group." Your ordinary, everyday account should be incapable(!) of "becoming Superman." This is a variation of the Principle of Least Privilege. If you "wear many hats," then set up an (ordinary ...) separate user-id for each one of them. Set aside exactly one user-id to be capable of becoming Root.

(3) Regular, thorough backups, running all the time.
Apple made this very easy for Macintosh users with their Time Machine, but Linux solutions (also based on rsync) also exist or can be fairly-readily made. Backups are made automatically and frequently, and stored in a directory on a separate external drive which cannot be directly accessed (at least, not in read/write mode) by anyone.

Windows users actually do have access to a very fine(!) backup utility, although Microsoft has fairly-buried it and has never made it easy to use. Don't ask me why.

- - - - -

Always remember that digital computers are not 'biological!' They cannot "catch" things, or "become infected."

Computer intrusions are almost always a crime of opportunity. "The mischief-maker doesn't know you from Adam/Eve, but their automatic 'bot caught you with your pants down." A classic analogy is the "pizza-box cat burglar," who walked through tony neighborhoods carrying a pizza box. He simply tried the front door ... finding, in a useful number of cases, that it was unlocked! And so on ...

Last edited by sundialsvcs; 11-28-2016 at 11:51 AM.
 
Old 11-28-2016, 12:34 PM   #17
-Snake-
Member
 
Registered: Feb 2014
Location: /home/snake
Distribution: Archlinux and Debian
Posts: 56

Quote:
Originally Posted by sundialsvcs View Post
Basically, there are exactly three things that Linux (and Windows!) users must always be aware of, and must always do.

If you do these things, then you will remain safe from malware:

(1) Do not install "anti-virus" or "anti-malware" software!
Because these tools are designed to be very invasive ... able to read anything on your system, ostensibly to check to see if it has malware in it ... they are a favorite vector for the installation(!) of malware.

(2) Do not allow your "everyday login account" to be an Administrator.
In Win-doze, that's literally "Administrator." In Linux, that's "a member of the wheel group." Your ordinary, everyday account should be incapable(!) of "becoming Superman." This is a variation of the Principle of Least Privilege. If you "wear many hats," then set up an (ordinary ...) separate user-id for each one of them. Set aside exactly one user-id to be capable of becoming Root.

(3) Regular, thorough backups, running all the time.
Apple made this very easy for Macintosh users with their Time Machine, but Linux solutions (also based on rsync) also exist or can be fairly-readily made. Backups are made automatically and frequently, and stored in a directory on a separate external drive which cannot be directly accessed (at least, not in read/write mode) by anyone.

Windows users actually do have access to a very fine(!) backup utility, although Microsoft has fairly-buried it and has never made it easy to use. Don't ask me why.

- - - - -

Always remember that digital computers are not 'biological!' They cannot "catch" things, or "become infected."

Computer intrusions are almost always a crime of opportunity. "The mischief-maker doesn't know you from Adam/Eve, but their automatic 'bot caught you with your pants down." A classic analogy is the "pizza-box cat burglar," who walked through tony neighborhoods carrying a pizza box. He simply tried the front door ... finding, in a useful number of cases, that it was unlocked! And so on ...
I agree with you. I think the most important thing is to install packages from official sites/repositories; with responsible use it is very difficult to get malware on your GNU/Linux computer. Windows is very infected because users download a lot of programs, cracks, Softonic, etc.
 
Old 11-28-2016, 08:05 PM   #18
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,598

Quote:
Originally Posted by sundialsvcs View Post

Always remember that digital computers are not 'biological!' They cannot "catch" things, or "become infected."

Computer intrusions are almost always a crime of opportunity. "The mischief-maker doesn't know you from Adam/Eve, but their automatic 'bot caught you with your pants down." A classic analogy is the "pizza-box cat burglar," who walked through tony neighborhoods carrying a pizza box. He simply tried the front door ... finding, in a useful number of cases, that it was unlocked! And so on ...
The above quote is spot on, I agree entirely. I cannot agree with any of your advice. Following it closes one vector, hides others, and ignores the rest. Your machine is only vulnerable when a threat catches it with its pants down, but your advice is to lose the belt.
 
Old 11-28-2016, 08:45 PM   #19
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,649
Blog Entries: 4

Quote:
Originally Posted by -Snake- View Post
Windows is very infected because the users download a lot of programs, cracks, softonic etc...
Actually, I would (in part ...) disagree with you on this point.

"Windows" would not be "very infected," unless Microsoft Corporation, in devising the "Home Edition" that was deployed in many millions(!) of installations "by default," had positioned their (how in the heck would they have known otherwise?!?!?) users: "precisely in harm's way."
  • It would not matter in the slightest(!) "what programs you had downloaded," if your user-id was not "capable of mischief."
  • It would not matter if the program that you downloaded "called itself 'a crack,'" if, upon being executed, it found that it was incapable of 'cracking' anything!"
I am very sorry to say that, in my opinion, Microsoft Corporation very early established "a Devil's bargain" with "Peter Norton & Company."

And in so doing, if I might say, they damned(!) their operating system with "a reputation for insecurity" that its architecture most-decidedly "did not, and today does not," properly deserve.

Quite frankly (IMHO ...) the Microsoft Windows® operating system has a superlative(!) security structure, policy-based and very-tightly integrated throughout its design "from the kernel outwards." (Shades of the DEC operating-systems that were its acknowledged inspirations.) Too bad that it was stabbed in the heart by its marketing department ... just (IMHO ...) to make Peter Norton a very rich man.

Yeah, I just gotta say it:
Quote:
"The original architects of the Windows® Operating system ... dammit ... were not wrong ...!"

Last edited by sundialsvcs; 11-28-2016 at 08:50 PM.
 
Old 11-29-2016, 01:48 AM   #20
-Snake-
Member
 
Registered: Feb 2014
Location: /home/snake
Distribution: Archlinux and Debian
Posts: 56

Quote:
Originally Posted by sundialsvcs View Post
Actually, I would (in part ...) disagree with you on this point.

"Windows" would not be "very infected," unless Microsoft Corporation, in devising the "Home Edition" that was deployed in many millions(!) of installations "by default," had positioned their (how in the heck would they have known otherwise?!?!?) users: "precisely in harm's way."
  • It would not matter in the slightest(!) "what programs you had downloaded," if your user-id was not "capable of mischief."
  • It would not matter if the program that you downloaded "called itself 'a crack,'" if, upon being executed, it found that it was incapable of 'cracking' anything!"
I am very sorry to say that, in my opinion, Microsoft Corporation very early established "a Devil's bargain" with "Peter Norton & Company."

And in so doing, if I might say, they damned(!) their operating system with "a reputation for insecurity" that its architecture most-decidedly "did not, and today does not," properly deserve.

Quite frankly (IMHO ...) the Microsoft Windows® operating system has a superlative(!) security structure, policy-based and very-tightly integrated throughout its design "from the kernel outwards." (Shades of the DEC operating-systems that were its acknowledged inspirations.) Too bad that it was stabbed in the heart by its marketing department ... just (IMHO ...) to make Peter Norton a very rich man.

Yeah, I just gotta say it:
Yes, but in practice a lot of malware on Windows is installed directly by users; you only need to open a browser and see three or four toolbars of crap. I agree that MS and the anti-malware companies are "friends" and that you don't need to install malware directly, but that is the more normal case.

But I see it as very, very, very difficult to get malware on a GNU/Linux system if you only use official repositories.
 
Old 11-29-2016, 05:18 AM   #21
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,598

I have seen malware delivered via email (as an attachment, but also NOT as an attachment one had to open, you only had to open the email for reading to activate the threat), via web pages, and vulnerability attacks against web servers, ftp servers, mail servers, and (a long while back) against OpenSSH. Those specific vulnerabilities have long since been closed, but we find new ones every day. Your machine is perfectly secure, as long as it is not on the internet and you never use it. As soon as you DO something, there are risks.

By the way, there is VERY little overhead to SELinux, and it is turned on normally on most modern distributions. ClamAV and ClamWin-AV do not slow your machine, as they scan on demand (or on schedule) rather than linking into the storage driver interrupt and scanning every access. Same with the rootkit detection programs: they scan on demand or on schedule, not constantly.
There are two kinds of firewall:
#1 the network firewall, a dedicated device that stands between your network and the rest of the world. There are many good ones, and some of them are based upon software that is free. The best in the world (IMHO) is Astaro Security Gateway from Sophos, clearly overkill for a home network. Check Distrowatch.com for a Linux- or BSD-based firewall OS to be installed on nearly any old hardware you have with two or more network (generally not WiFi) interfaces.
#2 software firewall on each machine in your network. This, like SELinux, comes WITH nearly every modern distro, or can be installed with a command or two. It does add a little overhead to every network packet transfer, as it links into the network stack and examines every packet. Using very careful and precise time trials you can almost detect the overhead, but it is generally less than your margin of error in the timing.

Arguing that these will impact performance the way invasive software can on a Windows box is not very valid. Products that act continuously do provide better protection, but also tie into more of your OS and impact system performance more. Find a balance that is appropriate for your personal use pattern, threat level, and risk analysis.

Then get on with enjoying Linux. We load it to USE it, not to over-discuss how secure it is or is not.
 
Old 11-29-2016, 07:37 AM   #22
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,649
Blog Entries: 4

Yes, I will flatly repeat my admonition to, if you will, "lose the belt."

It isn't possible to predict what sort of malicious program someone may write tomorrow. Fundamentally, you must see to it that it cannot be installed on your machine; and, particularly, that it cannot get elevated privileges.

The analogy to a biological organism is a tempting one, but false. You can "catch" the flu by walking into an elevator in which someone recently sneezed, and you will "catch it" unless your immune system destroys the virus first. The same is not true of digital computers.

The majority of users, even of Linux machines, are capable of reaching root privileges with a simple sudo su command, and the entry of their own password, which usually can be found in a dictionary. Windows users are most commonly Administrators. (In fact, with Windows Home Edition, it is quite difficult to set up a user who is not.) When such a user asks the operating system to do anything, even to destroy itself, it will be done.

Malware is normally installed by tricking such a user into installing something, or simply entering a user-id and password by which it can be done. No amount of software is effective against that.

In my experience, Linux machines on the web are most commonly penetrated through the server management console, such as Plesk, which "conveniently" allows a remote web user to do anything with the VM. They also expose ssh in such a way that anyone on Planet Earth can get to a login: prompt. It's only a matter of time at that point.

The malware detectors give you a false sense of security, while making your system considerably more vulnerable to attack, and I will stand by my admonition that you should not use them.

Mainly, you've got to "think like a bad guy." Then, seal up all means by which someone could even get a toe-hold into the defenses of the system. To the outside world, your servers should present a smooth, featureless wall. Your system management practices should be such that no one can approach.

You should also aggressively run "ad blocker" software, since you have no idea and no control over what some piece of "advertising" might actually be doing.

Last edited by sundialsvcs; 11-29-2016 at 07:42 AM.
 
Old 11-29-2016, 04:06 PM   #23
crazy-yiuf
Member
 
Registered: Nov 2015
Distribution: Debian Sid
Posts: 119

Yeah, I think the biggest security problem for desktop Linux users is JavaScript. That is, the most likely problem you'll have is getting your cookies uploaded to the bad guys. However, this is a guess. While I'm "certified" in security, I have no idea how common this actually is using modern browsers and reasonable caution. I have seen at least one exploit attempt on a less-than-reputable site recently. I'd venture that such sites are probably the single biggest danger.

What I do know is that:
- The chance of software installed from one of the main repositories being malicious is extremely unlikely. But it probably WILL happen eventually, and probably with devastating results for users of Gentoo and Sid. If you're using an LTS you're completely safe, except maybe from time bombs, and I'd worry more about getting struck by lightning during a shark attack. See:
https://www.quora.com/Has-malware-ev...e-repositories
- If you have a bunch of iPhones and such with you behind your router, you should still have a local firewall. In fact, if you're concerned about security, you should probably always manage one. I use UFW, and keep a set of scripts for toggling various settings. E.g., I might have sylpheed aliased to "email-ublock.sh && sylpheed && email-block.sh".
- Netstat is your friend. Also, if you use Chromium, I've yet to find a way to keep it from phoning home completely. I'm eagerly awaiting a fork that doesn't do this.

So, I basically agree with others in this thread. The best security is to use the normal best practices, possibly maintaining a separate computer for downloading games from PPAs and such. You can read through the objectives of a certification like Security+ to get a better idea about best practices, as a starting point. However, I'm not a big fan of that cert, take it with a grain of salt.
 
Old 11-29-2016, 04:22 PM   #24
cynwulf
Senior Member
 
Registered: Apr 2005
Posts: 2,727

SELinux has been mentioned. grsec and apparmor have not, but have been now:

https://grsecurity.net/
http://apparmor.net/
 
Old 11-29-2016, 11:48 PM   #25
c0wb0y
Member
 
Registered: Jan 2012
Location: Inside the oven
Distribution: Windows
Posts: 417

The more I think and read about security, the more I feel insecure. It seems that we can't be secure enough. Or perhaps my skills in security are not up to scratch.

Last edited by c0wb0y; 11-30-2016 at 12:33 PM.
 
Old 11-30-2016, 03:01 AM   #26
cynwulf
Senior Member
 
Registered: Apr 2005
Posts: 2,727

Sadly Torvalds has made it clear on numerous occasions that security is not a priority.

http://marc.info/?l=linux-kernel&m=121617056910384&w=2

Not much has changed since then and the de facto system of "grey areas", i.e. covering up vulnerabilities until they can be fixed from 'behind the scenes' still endures today. We can speculate forever on this, but in a nutshell, Spengler/Grsec are right and have been right all along and Torvalds is quite simply wrong. Either way it probably doesn't matter in the grand scheme of things - Linux is now 'mainstream' and MS got away with far worse for much longer.
 
Old 11-30-2016, 06:30 AM   #27
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,598

Quote:
Originally Posted by sundialsvcs View Post
Yes, I will flatly repeat my admonition to, if you will, "lose the belt."
I disagree with you and your plan that only protects against malware that the user must intentionally install, but will respect your opinion.
I still advise taking some precautions as listed.
Perhaps the OP will report on what they decide.
 
Old 11-30-2016, 08:29 AM   #28
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,649
Blog Entries: 4

My key points are threefold:

(1) Computer system security is primarily a system management issue. You must prevent access to the machine itself (using safeguards far stronger than passwords), never allowing a login: prompt to be seen. Never enter an administrative password when you are not logged-on as that user. You must prevent access to elevated privileges (even at "inconvenience" to you), because, if anyone can sudo, they can and just might sudo rm /*!!

(Go ahead. Click it. C'mon. I double-dog dare 'ya ... Prince Mabuji of Hammurabi is waiting with a check, surely.)

(2) "Anti-virus" software is pervasive ... pervasive enough to become a favored attack vector ... and it gives a false sense of security. It encourages poor practices by implying, falsely, that it is protecting you from them. In fact, the best that it can do is to tell you that someone stole your prize race-horse ... again. The proper thing to do is to lock the door to the barn, and maybe to hire an armed-guard service. Online advertisements are also a favored attack vector, so you should run every possible ad-blocker that you can find, and who cares what web site owners think about it. (Sorry.)

(3) Backups. Running all the time, storing the data in a place where no mortal program can touch. (Every now and again, duplicate the backup volume, too, and put it at least in a gun-safe.) You need this, of course, not only for protection against deliberate malfeasance, but because you make screw-ups, too.

In my experience, computer sabotage is almost always simply a crime of opportunity, and, with millions of Windows Home Edition computers out there waiting to be violated, these people really don't care if one of their targets happens to be you. By taking even the slightest of precautions -- "lock your car," "lock your windows and doors when you go off to work" -- the pizza-box cat burglar simply walks on down the street to your neighbor's house, and wiggles his doorknob.

It is useless to run software that merely tells you that malicious software has been installed, because by then it is too late. The true issue is: how did such a thing happen in the first place? You must safeguard your machine from making it reasonably impossible for such an event to have occurred at all.

Last edited by sundialsvcs; 11-30-2016 at 08:38 AM.
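The least-privilege rule argued in posts #16 and #28 (everyday accounts must not be in the wheel group; exactly one dedicated user-id may become root) can be checked rather than assumed. The script below is an added example, not code from this thread: it audits passwd- and group-format files for root-capable accounts. The sample files are constructed, the admin group names wheel and sudo are assumptions, and it deliberately does not read /etc/sudoers, which can grant root to accounts outside those groups.

```shell
#!/bin/sh
# Added example: list the accounts that can reach root on a Linux system.
# Works on the live /etc/passwd and /etc/group, or on the constructed
# samples created below so it runs offline.

# Print, one per line, every login name that can become root:
#   - UID 0 accounts (root itself, or any second UID-0 account)
#   - members of the admin groups (wheel on Red Hat/Gentoo-style systems,
#     sudo on Debian/Ubuntu), as primary or supplementary group
# Assumption: /etc/sudoers is NOT consulted; a per-user sudoers entry would
# add accounts that this check cannot see.
# $1 = passwd-format file, $2 = group-format file
root_capable_accounts() {
    passwd_file=$1
    group_file=$2
    admin_gids=$(awk -F: '$1 == "wheel" || $1 == "sudo" { print $3 }' "$group_file")
    {
        # accounts whose UID is 0
        awk -F: '$3 == 0 { print $1 }' "$passwd_file"
        # supplementary members listed in the admin groups' member field
        awk -F: '($1 == "wheel" || $1 == "sudo") && $4 != "" {
                     n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$group_file"
        # accounts whose primary group is an admin group
        for gid in $admin_gids; do
            awk -F: -v g="$gid" '$4 == g { print $1 }' "$passwd_file"
        done
    } | sort -u
}

# Number of root-capable accounts other than root itself; the thread's rule
# of thumb is that this should be exactly 1 (one dedicated admin user-id).
count_non_root_admins() {
    root_capable_accounts "$1" "$2" | grep -v '^root$' | wc -l | tr -d ' '
}

# Constructed sample data (not from any real system) to exercise the audit.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second UID-0 account:/root:/bin/bash
alice:x:1000:1000:everyday login, but in wheel:/home/alice:/bin/bash
bob:x:1001:1001:everyday login, but in sudo:/home/bob:/bin/bash
sysadm:x:1002:10:dedicated admin id, primary group wheel:/home/sysadm:/bin/bash
carol:x:1003:100:everyday login, no admin rights:/home/carol:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
wheel:x:10:alice
sudo:x:27:bob
users:x:100:
EOF

echo "Accounts able to reach root:"
root_capable_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
echo "Non-root admin accounts: $(count_non_root_admins "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group") (rule of thumb from the thread: exactly 1)"
```

Run it against /etc/passwd and /etc/group on a real machine and every name other than the single dedicated admin account is a finding; carol, with no admin group membership, correctly does not appear.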
 
Old 11-30-2016, 10:07 AM   #29
cynwulf
Senior Member
 
Registered: Apr 2005
Posts: 2,727

Quote:
Originally Posted by crazy-yiuf View Post
Yeah, I think the biggest security problem for desktop Linux users is JavaScript.
Well 'javascript abuse' is probably a better term. Like many things, I don't think JS was ever designed to be used for what it is today (the adware/spyware "nexus" of the WWW). Richard Stallman wrote an article which, while loaded with the usual agenda driven rhetoric, does point out many of the issues.

Is it a security/convenience trade off? Disable it and enjoy 95% of sites not working? Manage it, contain it, work around it and ensure that you're only allowing certain trusted sites to run scripts, not just everything by default? A tiny minority will do this, the majority, including the multitudes of computer illiterate smartphone users (most of which probably don't think of their little portable computers as computers anyway) will carry on doing the same, reporting their every move to google, microsoft, the 'social networks' and anyone else who might be interested.

Security is an afterthought for most. When thieves have stolen their identity and drained their accounts, when they are calling the banks and all the utility companies, etc sitting there on hold waiting for "the next available operator" and changing all of their passwords and setting up new email, security becomes far more important to them - for a time at least.
 
Old 11-30-2016, 02:18 PM   #30
-Snake-
Member
 
Registered: Feb 2014
Location: /home/snake
Distribution: Archlinux and Debian
Posts: 56

Quote:
Originally Posted by sundialsvcs View Post
(2) "Anti-virus" software is pervasive ... pervasive enough to become a favored attack vector ... and it gives a false sense of security. It encourages poor practices by implying, falsely, that it is protecting you from them. In fact, the best that it can do is to tell you that someone stole your prize race-horse ... again. The proper thing to do is to lock the door to the barn, and maybe to hire an armed-guard service. Online advertisements are also a favored attack vector, so you should run every possible ad-blocker that you can find, and who cares what web site owners think about it. (Sorry.)
I completely agree with you at that point.