this post was submitted on 22 Nov 2025
9 points (54.9% liked)


Writeup from 2022 that I assume is mostly still valid. TLDR:

  1. Mainstream Linux is less secure than macOS, Windows, and ChromeOS. (Elsewhere: "[iOS/Android] were designed with security as a foundational component. They were built with sandboxing, verified boot, modern exploit mitigations and more from the start. As such, they are far more locked down than other platforms and significantly more resistant to attacks.")
  2. Move as much activity outside the core maximum privilege OS as possible.
  3. OP doesn't mention immutable OS, but I assume they help a lot.
  4. Create a threat model and use it to guide your time and money investments in secure computing.

Once you have hardened the system as much as you can, you should follow good privacy and security practices:

  1. Disable or remove things you don't need to minimise attack surface.
  2. Stay updated. Configure a cron job or init script to update your system daily.
  3. Don't leak any information about you or your system, no matter how minor it may seem.
  4. Follow general security and privacy advice.

all 43 comments
[–] Soot@hexbear.net 30 points 1 week ago (1 children)

These are very subjective arguments, and even the objective points are completely subjective depending on your distro.

I mean one of his arguments is that C++ is just inherently insecure. He just takes Microsoft's claims at face-value that all their pointless shit is the magical security wall that it claims to be. He buys into the same lie that ACE on a Windows, Mac or Android is somehow much much safer than on Linux. Most of his claims that other OSes are more secure are rooted in "well yeah they do exactly the same but at least they knooow they do".

I'm not even acknowledging ChromeOS - it is Linux, except it only runs a browser.

99% of this stuff also applies to Windows/MacOS/Android/iOS, except moreso and far more universally. And 90% of this stuff is only relevant if you're being targeted by some state-funded intelligence like the CIA (cold reading your RAM?? minimum 16-character password?? Keystroke fingerprinting?????)

So whatever, I think the hardening guide looks fairly accurate, but unless you're being spied on by world powers, I wouldn't consider it worth peoples' time to read, never mind implement. 90% of people are still going to be more secure by cluelessly using Linux instead of cluelessly using the others.

[–] Tiempo@lemmy.dbzer0.com 14 points 1 week ago (1 children)

And if the state wants your password they will just ask you using some very persuasive arguments, so your 16-char password won't matter.

[–] Tenderizer78@lemmy.ml 15 points 1 week ago (1 children)
[–] Tenderizer78@lemmy.ml 7 points 1 week ago

And who TF encrypts their laptop with RSA 4096.

[–] verdare@piefed.blahaj.zone 26 points 1 week ago (2 children)

I’ve had a hot take for a while now that Linux isn’t “more secure” than other operating systems like a lot of evangelists will claim. I think people get this impression because the user base for desktop Linux has been small enough that no one was writing malware targeted at us.

Unix’s security model was developed in a world where the primary concern was protecting the system from users and protecting users from each other. It wasn’t really designed for single-user systems where the main concern is protecting the user from their own applications.

no one was writing malware targeted at us

Probably not true now. It took some digging but I found e.g. BPFdoor https://attack.mitre.org/software/S1161/ which "does not need root to run" https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis

The silver lining is that a lot of these backdoors are nation-state level so you might not be targeted by them. If I had data on my computer worth a dang, I'd be more concerned.

It would be hard to be less secure than windows.

[–] bad_news@lemmy.billiam.net 24 points 1 week ago (2 children)

Mainstream Linux is NOT less secure than MacOS, and if you've ever seen how buggy non-Graphene Android is, tell me this OS is doing secure memory management with a straight face...

[–] BCsven@lemmy.ca 4 points 1 week ago (1 children)

Some distros ship with no firewall enabled, some newbie using public WiFi is going to be less secure.

A pain with OpenSUSE Tumbleweed is firewall and SELinux by default, but it forces you to learn about security if you need to set up SAMBA or other connections to your machine.

[–] bad_news@lemmy.billiam.net 4 points 1 week ago (1 children)

Ubuntu, Mint, and Fedora all ship with default firewalls and that's probably 80+% of laptop users. I'm also skeptical that there would even be a specific danger from taking an unfirewalled box that's just running a browser and Steam on public wifi in 2025, which would presumably be most n00b use cases.

[–] BCsven@lemmy.ca 3 points 1 week ago (1 children)

Last time I tried Ubuntu, it had a firewall but it wasn't active by default. Unless something changed in the last few years.

No firewall means your system is going to get scanned to see if anything is open or exploitable

[–] bad_news@lemmy.billiam.net 6 points 1 week ago (1 children)

Yes. And what would be open, much less exploitable, on a default install of a major distro at all, much less on the timeframe on which one would normally be on public wifi?

[–] BCsven@lemmy.ca 2 points 1 week ago* (last edited 1 week ago) (1 children)

People hang out on public WiFi sometimes with packet sniffing and other tools to exploit people. Especially some distros don't have X server remote display locked down.

If you want to know what is open or exploitable CVE you can run a script that discovers all CVE exploits against a machine

[–] bad_news@lemmy.billiam.net 3 points 1 week ago (1 children)

The assertion was literally "Mainstream Linux is less secure than macOS..."

Packet sniffers have nothing to do with OS or firewall, so I don't know what packet sniffers have to do with this. Can you name an arguably "mainstream" distro where it is the case that X is open by default?

Are you aware of an IRL exploitable CVE for even marginally up to date-ish Ubuntu or Fedora without user installed non-default services, exploitable by cold hitting a random port like a windows 98 worm? Maybe I'm just massively misinformed, but I don't believe such a thing has existed since the Debian bad randoms meltdown of the 2000's, but even that would require sshd running, which afaik Fedora and Ubuntu don't have on a default install unless the user turns it on, so despite the Starbucks wifi happening to have a 1337 h4x0r utilizing perfect AI capable of finding all CVEs and chaining them he isn't getting in on a closed port on ANY modern unix.

[–] BCsven@lemmy.ca 2 points 1 week ago* (last edited 1 week ago) (1 children)

To answer all your questions I'd need some time, I'd have to go back to the 100s of hours of 2.5admins and security podcasts. But to clarify, an exploit doesn't have to be an open service, especially if you aren't running a firewall. Some bombard your network adapter into buffer overrun etc, but network traffic is handled by the kernel stack. A good firewall drops packets instead of letting them all into the public interface and kernel TCP stack, where CVE stuff can happen.

I'm not saying Linux can't be hardened, but because it is user editable and not locked down like Mac, you have a lot of things people can alter (or not alter) by hand or packages that can leave you open.

There's a reason we have AppArmor and SELinux, yet some don't bother to use those tools.

There was something with Discord? Discourse? screen sharing that used X11 forwarding, and was on by default. I want to say Ubuntu. When it was news I checked my SUSE install and thankfully it's disabled by default. But that's also the reason Linux distros are moving to Wayland, because X11 is a security problem.

Ubuntu ufw off by default https://documentation.ubuntu.com/server/how-to/security/firewalls/index.html

[–] bad_news@lemmy.billiam.net 2 points 1 week ago (1 children)

Wow, this is very confirmed kills copypasta energy... at any rate, while I'm sure hundreds of hours of security podcasts have taught you many things, again, the original point being disputed is "Mainstream Linux is less secure than macOS" and a side point about the risk of not firewalling a modern mainstream Linux distro on public wifi.

As you state, network traffic is handled by the kernel network stack. The firewall (iptable rules, not magic) is network stack software that runs on that same Linux kernel. In what regard is the local firewall itself magic where "CVE stuff can[n't] happen" on public wifi? If macOS is more secure inherently here, how? If that answer is "bSd MaGIc" okay, sure... do you understand what percentage of exploits are "hacks" in the 1990's become root with memory exploit on hardware way in 2025? I challenge you to find a case, even at a hacking event of someone raw banging on a closed port on a modern mainstream Linux distro until they overflow into something. This is also a Starbucks... I don't think anyone is rocking their 0-days at random Starbuckses.

You keep talking about non-default setups on fringe distros. Nobody is arguing Puppy Linux from 2010 with Limewire installed is secure to put on the modern internet at Starbucks, although I would give 99.999999% odds nobody will sidejack your insecure X11 stack at a random Starbucks even on unfirewalled Puppy Linux from 2010, even with Limewire.

[–] BCsven@lemmy.ca 2 points 1 week ago* (last edited 1 week ago)

Best thing would be for you to just search what exploits a firewall protects against because it's not just open ports. I would link stuff but you are discounting what I linked earlier that Ubuntu ships with firewall off; by nature the most popular distro is less secure because of that.

So no point me wasting time if you aren't interested in it.

Edit: sorry if tone seems bad, it's not intentionally that way.

[–] Jumuta@sh.itjust.works 21 points 1 week ago (1 children)

security you don't understand is security you don't have. windows' exploit mitigations don't work because the average user doesn't understand them and can easily be guided into disabling them.

the weakest attack surface is the stupidity of the user and that's not gonna change however much you try to make your os secure

[–] verdare@piefed.blahaj.zone 4 points 1 week ago (2 children)

A secure OS should account for dumb/malicious users and mitigate the damage they can do. If a user can be convinced to disable protections on Windows or Android, that same user could easily be convinced to download a script and run it with sudo.

[–] Jumuta@sh.itjust.works 5 points 1 week ago

that might be true, but no one learns calculus in a ball pit

You're not going to improve security beyond the already plucked low hanging fruit except by developing usees into users.

[–] non_burglar@lemmy.world 21 points 1 week ago (1 children)

This is a Qubes ad.

And that's fine, but why Qubes insists it's not Linux while booting the Linux kernel, running Xen, using Xfce as the primary desktop, and being listed on DistroWatch seems like a weird marketing choice to me. Your primary audience knows what Linux is, so what is the motivation behind claiming "Qubes is not Linux"?

[–] Neptr@lemmy.blahaj.zone 2 points 1 week ago (1 children)

FreeBSD is also on DistroWatch. Qubes is not desktop Linux because it doesn't function like normal Linux. It uses the Linux kernel, but in a similar way to how Android isn't Linux, neither is Qubes.

[–] non_burglar@lemmy.world 8 points 1 week ago* (last edited 1 week ago) (2 children)

Fair enough. I guess I didn't distill my comment before writing it down.

The problem I see with OP's "Linux isn't secure" comment (without getting all territorial about it) is that the solution touted by Qubes is already a solution in wide use in several Linux distros, meaning the compartmentalization of apps in constrained environments is already a mechanic used in Flatpak, Snap, even Docker.

The fact that Qubes is a secure approach should be the focus, not the "our potassium is superior to all other countries" vibe from this post.

[–] Neptr@lemmy.blahaj.zone 2 points 1 week ago

Understandable. Though the security difference between Flatpak and Xen VMs, or even between Flatpak and Snap, is pretty big. Flatpak is mostly sandboxed to provide a consistent run environment to apps across distros, and I'd say 50% or more of the Flathub apps seem to have weak default sandbox security settings. Snap does a better job security-wise of reducing sandbox escape potential, but is still a far cry away from the containerization of Qubes.

[–] BigHeadMode@lemmy.frozeninferno.xyz -2 points 1 week ago (1 children)

a solution in wide use in several Linux distros, meaning the compartmentalization of apps in constrained environments is already a mechanic used in flatpack, snap, even docker

Not a good argument. Several distros use it, but most mainstream distros are not focused on sandboxed apps. If you look up "should I use Snap on Ubuntu" the responses are around 80% no.

[–] non_burglar@lemmy.world 6 points 1 week ago

Sandboxing apps is great and all, but it's not the entire picture of security.

[–] HaraVier@discuss.online 11 points 1 week ago* (last edited 1 week ago) (1 children)

I highly value Madaidan's input on the matter and also their work on projects such as Kicksecure and Whonix. Furthermore, it's clear that Desktop Linux hasn't been able to combat all the pain points that were mentioned in the article. However, we've definitely come a long way since and there's lot to be optimistic about; secureblue to name a thriving project.

But, while I appreciate how the article continues to draw awareness to the fact that Desktop Linux isn't as secure as some like to think, the write-up is ultimately bound to be (severely) outdated at some point. And, perhaps, we might already be past the point in which it does more harm than good...

Anyhow, I'd like to take this opportunity to promote a platform that actually continues to deliver up-to-date articles about security on Linux: https://privsec.dev/posts/linux/

[–] Tenderizer78@lemmy.ml 1 points 1 week ago (1 children)

Time to distrohop again. Kubuntu's been irking me for a while and that guide says it's insecure and CachyOS (though I don't like the default software suite) has been nice. Though I need to find an alternative distro (don't trust Red Hat, had a bad experience with OpenSUSE, don't have the patience to learn Arch).

[–] HaraVier@discuss.online 2 points 1 week ago (1 children)

Accompanied with your input, if we look at the distros that are mentioned between Privacy Guides and PrivSec.dev; then Arch Linux, NixOS or a derivative of either of the two seem to be most suitable for you at first glance. As NixOS is rather infamous for its learning curve and you seem to have gotten a liking to CachyOS, I'd recommend a distro under the umbrella of Arch Linux. I suppose it's rather unfortunate that I'm unaware of a well-maintained Arch-derivative that's properly hardened; somewhat akin to what secureblue/Kicksecure/nix-mineral offer for Fedora Atomic/Debian/NixOS respectively. Though..., perhaps that's actually what's to be expected with Arch Linux 😅; I hope you may find solace at the fact that the ever-so-reliable ArchWiki got your back: https://wiki.archlinux.org/title/Security. Wish ya good luck 😉!

[–] Tenderizer78@lemmy.ml 1 points 1 week ago

I'm probably gonna go for Fedora or OpenSUSE. I like CachyOS because it's just plug and play, but the article says that Arch derivatives tend to be insecure because they're behind the curve on updates.

I'd rather not use an American distro but all the instructions for installing software are usually for Ubuntu/Debian, Fedora, or Arch.

[–] Digit@lemmy.wtf 9 points 1 week ago (2 children)
[–] HaraVier@discuss.online 1 points 1 week ago

Thoughts on the info here: https://isopenbsdsecu.re/?

[–] tux0r@feddit.org 1 points 1 week ago
[–] monovergent@lemmy.ml 8 points 1 week ago* (last edited 1 week ago)

As someone who did use this guide as an exercise in making my setup as secure as it could be without changing distros or hampering productivity, a few words of advice:

  • Make a threat model for yourself before diving in and apply the mitigations judiciously. It's not exactly a checklist; just use something like secureblue or Qubes if you are really paranoid about your computer.
  • The majority of the mitigations 'just work' and have no noticeable impact on performance, battery life, or compatibility.
  • If your CPU/Memory performance widget breaks, dial back on the ptrace options.
  • If Flatpaks fail to launch, dial back on the namespace options.
  • Check back every so often because some of the options end up having unwanted side-effects with updates. See the preamble in boot parameters, where a change in Linux made in 2021 (which finally made it into Debian Stable this year) made the slub_debug mitigation actually worsen security.
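An added audit script, not from monovergent's post, the hardening guide, or any project named in the thread: it reports the knobs this list mentions (ptrace restriction, the user namespaces Flatpak's bubblewrap relies on, slub_debug on the kernel command line) and the host-firewall state argued about further up. It assumes a Linux host with sysctl and, optionally, ufw or firewalld; the helper names and advice strings are this example's own.

```shell
#!/bin/sh
# Added audit script, not from the thread or madaidan's guide: reports the knobs the
# post above mentions (ptrace, user namespaces for Flatpak, slub_debug) plus the host
# firewall state from the longer exchange. Value meanings follow the kernel docs.

# kernel.yama.ptrace_scope: 0 classic, 1 descendants only, 2 admin only,
# 3 disabled (cannot be changed again until reboot).
ptrace_scope_note() {
    case "$1" in
        0) echo "ptrace_scope 0: any process may attach to same-uid peers" ;;
        1) echo "ptrace_scope 1: descendants only (common distro default)" ;;
        2) echo "ptrace_scope 2: admin only; monitoring widgets and debuggers may fail" ;;
        3) echo "ptrace_scope 3: ptrace disabled until reboot" ;;
        *) echo "ptrace_scope unknown: $1" ;;
    esac
}

# $1 kernel.unprivileged_userns_clone (Debian/Ubuntu patch; "absent" elsewhere),
# $2 user.max_user_namespaces, $3 "flatpak" if the binary exists, else "none".
userns_note() {
    if [ "$1" != "0" ] && [ "$2" != "0" ]; then echo "userns enabled"
    elif [ "$3" = "flatpak" ]; then echo "userns disabled with Flatpak installed: Flatpaks will likely fail to launch"
    else echo "userns disabled"; fi
}

# $1 = contents of /proc/cmdline. The post notes slub_debug's effect changed after
# a 2021 kernel change, so its presence is flagged for re-review rather than judged.
slub_debug_note() {
    case " $1 " in
        *" slub_debug="*) echo "slub_debug set: re-check it against the running kernel" ;;
        *) echo "slub_debug not set" ;;
    esac
}

# $1 = first line of `ufw status` (needs root) or `firewall-cmd --state`,
# or "absent" when neither tool exists.
firewall_note() {
    case "$1" in
        "Status: active"*|running) echo "host firewall active" ;;
        "Status: inactive"*|"not running") echo "host firewall installed but inactive" ;;
        absent) echo "no ufw/firewalld: inspect nft/iptables rules directly" ;;
        *) echo "firewall state unrecognised: $1" ;;
    esac
}

sysctl_or() { sysctl -n "$1" 2>/dev/null || echo "$2"; }

audit_host() {
    ptrace_scope_note "$(sysctl_or kernel.yama.ptrace_scope absent)"
    userns_note "$(sysctl_or kernel.unprivileged_userns_clone absent)" \
        "$(sysctl_or user.max_user_namespaces absent)" \
        "$(command -v flatpak >/dev/null 2>&1 && echo flatpak || echo none)"
    slub_debug_note "$(cat /proc/cmdline 2>/dev/null)"
    fw=absent
    if command -v ufw >/dev/null 2>&1; then fw="$(ufw status 2>&1 | head -n1)"
    elif command -v firewall-cmd >/dev/null 2>&1; then fw="$(firewall-cmd --state 2>&1)"; fi
    firewall_note "$fw"
}
if [ "${1:-}" = "--run" ]; then audit_host; fi
```

Run it as root with `--run` to see the live report; Ubuntu 24.04 and later gate unprivileged user namespaces through AppArmor instead of the sysctl checked here, so treat "userns enabled" there as a partial answer.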

[–] primalmotion@lemmy.ml 6 points 1 week ago

And that is why all traffic facing servers are running windows and macos.

[–] furrowsofar@beehaw.org 4 points 1 week ago* (last edited 1 week ago) (2 children)

The thing about most default configs of any OS is that user storage is largely accessible to all apps. True of Linux, Android, Windows, ...

Graphene has options to restrict that but you have to set it up that way. Android also has App sandboxing for app data.

Thinking through the threat model of course is always good as is hardening. All security is porous. Linux is fine generally. If one is exposing services on the public net it is not clear that any OS or software is sufficiently secure, that takes constant effort in terms of monitoring and management.

Graphene has options to restrict that [user storage availability] but you have to set it up that way.

It's also a bit of a pain to manage as an end user. I wish it shipped with a toggle that was a step up from stock Android but also not in the way constantly. Like "we went through the top 50 apps on Play Store and FDroid, we classified them as media player, social media, etc., and we made rules for each category that reasonably isolates it while still allowing core functionality."

[–] Neptr@lemmy.blahaj.zone 2 points 1 week ago (1 children)

Android doesn't expose any app data and requires a permission for accessing storage (unlike Linux).

[–] furrowsofar@beehaw.org 3 points 1 week ago (1 children)

However when many apps have a permission it becomes meaningless.

[–] Neptr@lemmy.blahaj.zone 4 points 1 week ago

Yes, which is why I very much like what GrapheneOS does with Storage and Contacts Scopes.

[–] ISolox@lemmy.world 1 points 1 week ago

Sorry man, you're going to get downvoted like crazy just because you posted something bad about Linux.

Good info though.