Does anyone know of any good security programs for Linux like there are for Windows? Something that locks-hides files & folders so they can't be edited, moved or deleted? Any that restricts access to certain features like start menu, control panel, registry and others, Folder Lock as an example.
A standard Linux system will generally not allow a normal user (non-root, non-administrator) to write to any location outside the /home/user directory but will allow reading to many locations. If a user can't write to a directory, s/he cannot edit anything. Not sure what you want to limit in the Menu but the Control Panel used to configure various settings on the computer should require root privileges. There is no 'registry' in Linux, not sure what would be comparable but I'm sure someone else will post.
There are two frameworks that make background services more secure, AppArmor and SELinux. They are installed and configured by default on several distros. Their working principle is containment of attacks: When a service, for example a web server, is compromised, an attacker that has gained root privilege can only cause damage to the files that belong to that service, and not to the system at large.
SELinux can tighten security even more by implementing its Multi-Level Security policy, which can make your system get clearance from the CIA and other spy organizations. May be overkill for you, but only the paranoid survive.
Some distros configure a strict firewall that only opens the ssh port by default. It is not too hard to set up such a firewall on a more permissive system.
Linux includes a command, chattr, that allows you to "lock down" a file, so that even root can't modify it. However, root can use chattr to unlock the file.
Funny, SELinux or Security Enhanced Linux was developed by the NSA way back when in the 2000's sometime, I don't remember exactly, but are you trying to say we can actually trust anything the Gov. or the NSA, FBI or the rest of them say? I would not trust anything by them no matter what it is or what they say.
It's open-source. You have to have a high degree of paranoia if you think that everybody competent enough to understand the source code is part of the conspiracy.
Didn't say it was or was not a conspiracy, just that I would not trust any of them. It might be open source but was still developed by the NSA sometime in the 2000's. I do not trust any Gov. rep, elected or otherwise, & won't change in the future. I do study history and go by what the facts are, so I'm not going to trust them at all no matter what they say. It's what they do that counts.
Distrust of governments, people in power and secret services is healthy. My point is that this is not relevant. The software is open-source and has been for 10-15 years; if it contains anything nefarious, it would have been detected by now.
As berndbausch points out, the likelihood of it being a trojan is much less (but perhaps still non-zero) with many eyes reviewing the code.
On the other hand, you still trust those same actors, and more, to have not successfully compromised the kernel code (we know they have tried), and pretty much every other application you depend on... have you actually verified them all?
At some point you have to decide whether and what to expose, and use your best judgment rather than rely on actual trust.
As others have pointed out, by default, security is built into Linux out of the box. Linux was built to Unix standards, and, as Unix was a multi-user system from the get-go, security was always a concern.
The basic element of security with Linux is the same as with any other OS: a good firewall. Firewall capability is built into the Linux kernel--it's called iptables. Linux firewall "programs" are usually frontends for configuring iptables.
Viruses are not a major concern, as most viruses target more popular operating systems, but that doesn't mean you should ignore them. There are AV programs for Linux.
The biggest weakness in Linux is the same as with any other OS: The person sitting behind the keyboard: don't go to dodgy websites, don't click on questionable links, don't get phished. All the security software in the world can't protect against stupid.
The software is open-source and has been for 10-15 years; if it contains anything nefarious, it would have been detected by now.
Not necessarily. On the basis of "nefarious, implanted back doors", you may have a point, but in terms of vulnerabilities which have been discovered and not disclosed it's a different matter altogether - but the same can be said for any "open source" software. The Linux kernel is a very large and bloated code base, so it's not a given that the fabled "eyeballs" have audited every single line.
I think OpenSSL taught developers and users quite a lot with respect to "open source" code, in that problems can still lie hidden for years if the code is not being continually re-examined, reevaluated and developed.
Does anyone know of any good security programs for Linux like there are for Windows? Something that locks-hides files & folders so they can't be edited, moved or deleted? Any that restricts access to certain features like start menu, control panel, registry and others, Folder Lock as an example.
"chattr" can make files immutable, so they can't be edited or deleted.
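The chattr behaviour described in this reply and in the earlier post (root can set the flag, and root can clear it again), as an added example that is not part of any poster's message: two wrappers around `chattr +i` / `chattr -i`, plus a parser that lists which files in `lsattr` output carry a given flag. The function names and the sample `lsattr` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Set / clear the immutable flag. While it is set the file cannot be written,
# renamed, deleted or hard-linked, even by root. Setting or clearing it
# requires root (CAP_LINUX_IMMUTABLE), so root can always undo the lock.
lock_file()   { chattr +i "$1"; }
unlock_file() { chattr -i "$1"; }

# Read `lsattr` output on stdin and print every path whose flag field
# contains the given flag letter (default: i = immutable, a = append-only).
paths_with_flag() {
    flag="${1:-i}"
    while IFS= read -r line; do
        attrs="${line%% *}"    # first field: the flag string
        file="${line#* }"      # remainder: the path (may contain spaces)
        # Skip blank lines and the "dir:" headers printed by `lsattr -R`:
        # a real flag field holds only letters and dashes.
        case "$line" in *" "*) ;; *) continue ;; esac
        case "$attrs" in *[!A-Za-z-]*) continue ;; esac
        case "$attrs" in
            *"$flag"*) printf '%s\n' "$file" ;;
        esac
    done
}

# Constructed sample of `lsattr -R` output, so the parser runs without root.
sample_lsattr() {
cat <<'EOF'
----i---------e------- /etc/resolv.conf
--------------e------- /etc/hosts

/var/log:
-----a--------e------- /var/log/audit trail.log
EOF
}

# Stand-alone demo: list the immutable files in the sample.
sample_lsattr | paths_with_flag i
```

On a real system, `lsattr -R /etc 2>/dev/null | paths_with_flag i` gives an inventory of locked files; the flag is only supported on filesystems that implement it (ext4, XFS, Btrfs and others).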
Distrust of governments, people in power and secret services is healthy. My point is that this is not relevant. The software is open-source and has been for 10-15 years; if it contains anything nefarious, it would have been detected by now.
I can agree to that. But I still don't trust them or it.