Security in Linux Mint and Ubuntu: an Explanation and Some Tips

Back to the homepage


Latest update for this article: August 18, 2020.

Contents of this page:

Linux Mint and Ubuntu are very secure; much more secure than Windows. But why is that? And how do you maintain and improve their high level of security? That's what I'll try to explain below.

Security Summarized

1. First of all: you'll never be able to achieve 100 % security. Not in real life and not in the digital world. Not even when your computer is running Linux. You should always use your common sense.

And even then it can go wrong. A certain amount of risk, however small, is unavoidable. A Frenchman would say: c'est la vie (In English: that's life, but it sounds so much better in French)...

An extremely short summary of the best security practice in Linux Mint is this:
- Use good passwords.
- Install updates as soon as they become available.
- Only install software from the official software sources of Linux Mint and Ubuntu.
- Don't install antivirus (yes, really!).
- Don't install Windows emulators like Wine.
- Enable the firewall.
- Above all: use your common sense.

Do that, and then: relax, you're running Linux....

Want a bit more information? A brief explanation about viruses, firewalls and exploits:

Antivirus Software and Rootkit Removers: Both Unnecessary and Harmful

1.1. You don't need any antivirus software or rootkit removers (such as chkrootkit and rkhunter) in your Linux Mint or Ubuntu. What's more, those applications even decrease your security(!). Below I'll explain why I'm against installing antivirus and rootkit removers.

a. Antivirus is useless
A virus or rootkit can't install itself in Linux unless you let it. In order to install itself on your computer, a virus or rootkit needs your password. And that it doesn't have.

Or in case it's malware ( a script) that can execute itself in your home directory without password: you'll have to make it executable first. Any script that you download, is not executable: you have to set the executable bit of the script yourself, by hand.

When you double-click such a script file, you'll get to see the following dialog window:

As you can see, "Cancel" has been preselected, in order to prevent accidental execution.

Note: there is an important exception: when you extract a script from an archive (for example with the extension .zip or .tar.gz) it does not require to be made executable first. Which means you could execute it accidentally by double-clicking it, after all. So always beware of what you download....

If you only install software from the secured official "software store" (software repositories) of your Linux distribution, then that's a very effective barrier against malware. More than that, there are no Linux viruses or rootkits "in the wild" for end users like yourself. (The exception is viruses targeted at Linux web servers, but securing web servers is quite a different cup of tea.)

b. Antivirus introduces a dangerous vulnerability
Furthermore, antivirus (AV) software sometimes even actively endangers your system: Because AV has by definition high permissions on the system and because it's often inadequately protected against hacking.... This makes AV software an ideal target for hackers.

Antivirus applications have been designed to read and open as many file types as possible. Because every kind of file can theoretically contain a virus. Unlike ordinary applications, which can only read and open certain specific file types. For example: word processors can usually only open document related files, and no mp3 music files. For media players the reverse is true.

Because antivirus can read and open everything, and actually does precisely that during a scan, its potential vulnerability (attack surface) is much bigger. And therefore also its attraction as target for people with malicious intentions. That's not just theory; more about that at the end of section 2 on this page.

c. No real protection against zero day
Antivirus products can only protect against known threats. The claim of antivirus companies that their products offer some protection against future (as yet unknown) "zero day" attacks is misleading: the antivirus software itself is just as vulnerable to future zero day attacks as the software it claims to protect...

d. False sense of security
Furthermore, antivirus software gives you a false sense of security, which might make you less cautious about installing software from external sources.

e. Windows viruses are harmless in Linux
Virus scanners scan mainly for Windows viruses. These viruses don't work in Linux. So you don't have to worry about them, either.

f. False warnings
Virus scanners often issue false warnings. Possibly intentionally, to make the user feel good about the presence of the scanner. This sometimes induces people to needlessly damage their system, because they remove essential system files incorrectly labeled as malware.

g. Essentially, each and every app is a risk
Installing an application, any application, increases your attack surface. For example: web browsers are indispensable for browsing the web, so you take the “risk” of installing them. You accept their attack surface as the price you have to pay for using the web.

But in desktop Linux, an antivirus application is good for nothing at all. It promises extra security, but in fact it only decreases security. So why would anyone want to have antivirus in desktop Linux in the first place?

Understanding Firewalls

1.2. A firewall is a security tool that monitors and polices network traffic. You can use a firewall to protect your system from malicious incoming traffic.

If your firewall is turned off, then in many cases your system won't be protected. So in this section, you will learn to enable and disable your firewall and check its status.

1.2.1. Firewall: Turning it On, Checking its Status and Disabling it

A firewall is already installed by default. It's called IPtables. IPtables can be managed through the terminal application Uncomplicated Firewall (ufw) and the graphical application Gufw (the G stands for "graphical"), both of which are also installed by default.

By default the firewall isn't activated, because in a default installation it's not needed. Background information for advanced users: this is because behind the ports that are exposed to the internet, there aren't any listening services. At least not in a standard installation. An attacker can't do anything without a listening service that keeps a port open.

However, in certain cases you do need a firewall. For instance when you share an unprotected wireless network in a fastfood restaurant, or when you've activated some services on your computer. So in order to be on the safe side, I advise to turn on the firewall in all cases.

You can turn on the firewall by means of the terminal (yikes!). This is how you do it:

a. Launch a terminal window.
(You can launch a terminal window like this: *Click*)

b. Copy/paste the following command line into the terminal:

sudo ufw enable

Press Enter. Type your password when prompted. In Ubuntu this remains entirely invisible, not even dots will show when you type it, that's normal. In Mint this has changed: you'll see asterisks when you type. Press Enter again.

Uncomplicated Firewall (ufw) has a sensible set of default settings (profile), which are fine for the vast majority of home users. So unless you have special wishes: you're done!

c. With this command line you can check the current status of the firewall:

sudo ufw status verbose

Press Enter.

When it's enabled, the output should resemble this:

pjotr@netbook:~$ sudo ufw status verbose
[sudo] password for pjotr:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing) disabled (routed)
New profiles: skip
pjotr@netbook:~$


I've printed the most important message in red: this output basically means that all incoming traffic is denied and all outgoing traffic allowed.

There are sensible exceptions in the default firewall settings (rules), which should ensure that the firewall is never in the way of normal average use. For example, with the default profile the use of Samba should be no problem. Also downloading torrents (fetch) should be possible; but seeding torrents (serve), might require a temporal disabling of ufw.

d. You'll probably never look at its logs, so it won't hurt to turn off all logging by the firewall. Especially because it can be rather spammy sometimes. Turning off its log can be done with this terminal command:

sudo ufw logging off

Regrets? Turning logging on again with the default amount of activity (low), can be done with the following terminal command:

sudo ufw logging low

e. It's easy to disable the firewall (should you wish to do so) with this terminal command:

sudo ufw disable

Press Enter.

f. If you're interested in the full set of firewall rules, see the output of:

sudo ufw show raw

You can also read the firewall rules files in /etc/ufw (the files whose names end with .rules).

Vulnerabilities: No Big Problem if Fixed Quickly

1.3. Exploitable security vulnerabilities appear in any operating system and in every application. This also holds true for Linux. From these run of the mill problems, you're protected by the updates.

Linux Mint automatically performs a daily check for available security updates. It's important to install the suggested security updates without unnecessary delay, if you want to keep your system as secure as possible. As long as it's discovered quickly and repaired speedily, a vulnerability is no big problem.

That's the end of the short explanation. Want to know more? Then read on.

Background Information: The Full Story about Antivirus

2. If the explanation I gave above doesn't convince you yet (old habits die hard, especially where security is concerned!): the full story about antivirus is as follows:

Because of the growth of desktop Linux, most antivirus companies want to tap this new market. Many new Linux users think that they need an antivirus application in Linux, because of their age-old Windows habits and because of the clever marketing of the antivirus companies.

The opposite is true, however. Unlike other operating systems, it's almost impossible to write an effective virus for Linux. How can this be, you might wonder. I'll try to explain why.

Linux computers are just as well a target as computers that run on other operating systems. Most popular (and therefore valuable) websites run on Linux, so there is no lack of motivation to infect Linux.

Some people suggest that the Linux community is conceited or lagging behind when it comes to viruses or other security issues. This suggestion is not true: the developers of Linux haven't ignored viruses, they have structured Linux in such a way that it has good resistance to viruses. And because the code is open, there are literally thousands of people who check the code for errors and propose fixes.

Virus scanners mainly work "reactively", which means that they almost only provide protection against viruses that are already known to the creators of the scanner. Antivirus applications can only protect against a new virus after that virus has been created, not before. In spite of their misleading "zero day protection" claims.

More importantly still, the best protection against any virus will consist of repairing those flaws in the software, which the virus attacks. These repairs happen by means of security updates, which in Linux are usually issued sooner and more often than in Windows and Mac OS.

Few antivirus companies have a faster response time than the Ubuntu security team. This of course also benefits Linux Mint, which uses Ubuntu as code base, and thereby gets most of its updates straight from the Ubuntu software sources. The time frame between public disclosure of a security problem and the making of an antivirus solution or a repair, is obviously the most dangerous period.

As I've said before: a vulnerability is no big problem, as long as it's discovered quickly and repaired speedily. It's difficult to install a virus on a Linux computer yourself, but it's certainly not impossible. The greatest danger lies in unreliable non-official software repositories and in unsafe code that a careless administrator executes with root permissions.

It's wise to keep that in mind, and to install your software preferably only from the verified official software repositories of Linux Mint and Ubuntu. Be very careful with software from elsewhere, like standalone installation packages (with the extension .deb). Only install those when their source is above all doubt, like the web browsers Google Chrome and Opera.

At present there are in any case no Linux viruses designed for end users "in the wild."

Finally, as outlined in section 1.1 of this page, AV software itself is very vulnerable for malware. The vulnerability of AV software has been researched and proven: In 2014 Joxean Koret, a researcher at Singapore security firm COSEINC, published a revealing research at the SysScan 360 security conference, called “Breaking Antivirus Software”. See this article about that research. It's an old research, but its fundamental criticism is still relevant.

The presentation slides of the complete COSEINC research are no longer to be found on syscan360.org, but you can download a copy of those presentation slides from my own Google Drive.

Misconception: Protection of Windows Users

2.1. Occasionally somebody proclaims the following misconception: "I use antivirus in Linux, so that I can't accidentally pass on a Windows virus to a Windows user. For example by e-mail attachments or by sharing a USB memory stick".

This is a misconception because of the following reasons:

a. One of the advantages of running Linux is not having to weigh down your system with antivirus, nor having to import the security problems that antivirus creates. It would be rather counterproductive to move to a virus-free operating system, if we end up running all of the antivirus crud anyway...

And it adds insult to injury, to do so for the sake of an operating system whose owner actually chooses to let it be security-deficient.

If a Windows user can't be bothered to guard his own system against threats that are the result of shortcomings in his own operating system, then the efforts of the comparatively small base of Linux users aren't going to make a shred of difference. Such a Windows user will unavoidably get infected from somewhere else.

In fact, I believe that Windows users have to lie in the bed they make for themselves. I'm not trying to be harsh here: it's more the principle that consequences must fall to the appropriate party, or else there is no incentive for change.

Therefore, unless a Linux user is running a public web/mail/file server (clearly not your average user), I strongly discourage the installation of antivirus, because doing so continues to silently endorse one of the worst aspects of operating system design.

In fact, you'll find that the "protection of Windows users" fallacy is sometimes used as an excuse, by people who irrationally can't believe that Linux really doesn't need antivirus for itself....
(With thanks to DuckHook from Ubuntuforums.org, for kindly allowing the use of this text)

b. If you want to reduce the chance of passing on a Windows virus by e-mail, then you can achieve that by sending e-mails with attachments by means of Gmail.

Then Google automatically scans the attachments for viruses, trojans and other malware. With a professional up to date virus scanner, on the servers of Gmail itself. A Gmail account is free, so you need to have no worries about costs....

When you enable POP3 support in Gmail, you can even use the applications Thunderbird or Evolution for it.

Note: nowadays every good e-mail service (so not only Gmail) scans automatically for Windows viruses, on the servers of the e-mail provider.

c. Concerned about a particular file? You can make use of a free web service, which is the property of Google: VirusTotal.com. It uses a whole bunch of antivirus engines (over 50!) simultaneously, to scan every file that you feed to it, for viruses and other malicious software. Which makes it fifty times more effective than any locally installed AV.

Don't install Wine or Mono in your Linux

3. The security overview above, applies to a "clean" Linux without Windows emulators like Wine, PlayOnLinux and CrossOver.

Those emulators are used to run Windows software in Linux. It's better not to install such Windows emulators, because they make your Linux partially vulnerable to Windows malware.

If you need to use Windows applications, then you could use a free legal Virtual Machine with Windows for that, or (if you have a dual boot computer) an ordinary Windows.

The same objection is valid for the Mono infrastructure, albeit to a lesser degree. Mono also makes your system partially vulnerable to malware that targets Windows, because it's cross-platform (like Java).

In Linux Mint and Ubuntu, Mono will be installed automatically whenever you install an application that needs the Mono infrastructure, like media player Banshee and notes app Tomboy. I advise to avoid those and install non-Mono based alternatives instead.

Here's how to make sure you don't have Mono in your system:

Launch a terminal window.
(You can launch a terminal window like this: *Click*)

Type (copy/paste):

sudo apt-get remove mono-runtime-common

Press Enter. Type your password when prompted. In Ubuntu this remains entirely invisible, not even dots will show when you type it, that's normal. In Mint this has changed: you'll see asterisks when you type. Press Enter again.

This command completely removes both the Mono infrastructure and the applications that depend on it, which you'll see happening in the terminal output when it's being executed.

Be Careful with Unofficial Repositories and .deb Files

4. Software from unofficial third-party repositories (like PPA's) and external .deb installers, is untested and unverified. Therefore it may damage the stability, the reliability and even the security of your system. It might even contain malware....

Furthermore, you make yourself dependent on the owner of the unofficial repository, often only one person, who isn't being checked at all. By adding a PPA to your sources list, you give the owner of that PPA in principle full power over your system!

Therefore only use a PPA when you really (really!) have no acceptable alternative. Or when you're testing a particular piece of software (which you should only be doing on a non-essential test computer or in a virtual machine).

PPA's are a mixed blessing, to say the least. If used wisely and very restrictively, PPA's can occasionally be of great help. But used carelessly, they're for Linux what the bubonic plague was for the Middle Ages....

Have you already enabled PPA's or other unofficial third-party repo's and do you want to get rid of them? Then you can recreate a clean software sources list like this.

Securing your Web Browser by Sandboxing It

5. You can run Firefox and Google Chrome from within a secured sandbox called Firejail, which enhances the security of those web browsers greatly. You can achieve that by applying this how-to.

Furthermore, beware of installing shady or rogue add-ons and extensions in your web browser. They might harm your security.

Do you have already have polluted settings in Firefox or Chrome (often caused by shady add-ons), and do you wish to start anew with a clean browser? Then proceed like this (item 13).

Disabling Secure Boot

6. In order to make your Linux function properly, I advise to disable Secure Boot in the BIOS. Disabling Secure Boot is no loss: it adds no meaningful security anyway. It's primarily a means for Microsoft to enforce its vendor lock-in on your computer...

Proceed as follows:

a. Launch a terminal window.
(You can launch a terminal window like this: *Click*)

b. Copy/paste the following command line into the terminal:

mokutil --sb-state

Press Enter. If it reports that Secure Boot is enabled: reboot and disable Secure Boot in the settings of the BIOS. In order to do this, you might need to set an administrator password in the BIOS first.

Libre Office: Improving Macro Security

7. Macro's can be useful in Libre Office, but they're also risky. You can improve the macro security of Libre Office like this:

From the menu, launch LibreOffice Writer - panel: Tools - Options...
If necessary, click on the small triangle before the word LibreOffice, in order to expand this section - click on Security
button Macro Security... - set the Security Level to Very high.

Close Writer.

Note: user preference, so repeat this in each user account.

Red Herring Alert: False Alarm by systemd

8. When you run the following command in the terminal:

systemd-analyze security

.... you'll get to see a long list of UNSAFE warnings. However, it's a false alarm; you can safely ignore these UNSAFE reports. That's because systemd-analyze security looks at the disabled sandbox features built into systemd. It does not check the services itself.

What's more: it's a very bad idea to start sandboxing systemd all over the place. You don't know what you might disrupt, whereas the practical security benefit of such hardening is questionable to say the least.

This is another case in which the old wisdom holds true: "trust the defaults." Or rather: trust the upstream Ubuntu Security Team, which keeps systemd secure for both Ubuntu and Linux Mint.

Consider to Remove Java (openJDK)

9. Java (both Oracle Java and openJDK) is frequently under attack. That's why it's best to consider whether you can do without it. If that's the case, you can simply remove it from your system.

This advice is not only valid for Windows, but also for Linux. Because in this aspect, Linux is vulnerable too! Java is namely platform independent, which means that it works independently from the underlying operating system.

One case in which Java (or openJDK) is needed, is for using LibreOffice Base (creating and editing databases). If you don't use Base, chances are high that you have no need for Java or openJDK at all.

By default, Linux Mint contains openJDK (not Oracle Java). You can remove it like this:

Launch a terminal window.
(You can launch a terminal window like this: *Click*)

Copy/paste the following command line into the terminal:

sudo apt-get remove "openjdk*"

Press Enter. Type your password when prompted. In Ubuntu this remains entirely invisible, not even dots will show when you type it, that's normal. In Mint this has changed: you'll see asterisks when you type. Press Enter again.

Note: this only applies to Java. There's also Javascript, which is much more secure than Java. So there's usually no need to disable Javascript as well. Furthermore, many websites don't function well when you've disabled Javascript in your web browser.

Regrets? You can re-install openJDK and its support for LibreOffice Base with this magical terminal incantation:

sudo apt-get install default-jre libreoffice-sdbc-hsqldb

.... and all should be as it was again.

The Things That Are Dangerous

10. These are the things that do endanger Linux, which you therefore will want to avoid: 10 fatal mistakes.

Securing your Wireless Network in the Right Way

11. The security of your wireless network isn't operating system specific, but it's an important issue. Read here how to secure your wireless network properly.

Disable Universal Plug and Play (UPnP) in Your Router

12. Not related to your operating system, but important nevertheless: disable Universal Plug and Play (UPnP) in your router. UPnP in your router, enables network devices to communicate with each other, both in your personal network and by means of the internet.

Easy, but dangerous: UPnP opens a huge security hole, which is not really manageable. It's better to disable it permanently, because UPnP is inherently insecure.

First, find the user manual of your router; if you no longer have it, then you'll probably be able to download a copy from the website of the router manufacturer.

Then access the configuration of your router and disable the UPnP feature, and also the accompanying feature, usually called something like "Allow user to configure".

Note: this might require you to take some extra measures for enabling VPN, P2P file sharing and the like (namely opening some ports manually). This isn't always necessary though, and depends on how your router manufacturer has configured the firmware defaults.

Create and Remember a Secure Password Easily

13. Contrary to what many people think, creating and remembering a secure password is not hard.

Want more tips?

Do you want more tips and tweaks? There's a lot more of them on this website!

For example:

Speed up your Linux Mint!

Clean your Linux Mint safely

Avoid 10 fatal mistakes


To the content of this website applies a Creative Commons license.

Back to the home page

Disclaimer