Purism OS browser internet and hackers

Hi guys, getting familiar / used to the new laptop Librem 13 v4. It connects to the internet but quick question- how safe is it to do so? I’ve had so much trouble and hassle with hackers this year with nearly all computers (hence moving to purism OS) that I’m weary of connecting.

How immune is the OS from external hackers? Are various anti virus steps needed? If so can you recommend something? Wld be grateful for any pearls of wisdom and suggestions etc

Thanks so much!

1 Like

My opinion: Antivirus software is not needed.

Common sense basic security practice is needed on all mainstream operating systems e.g. don’t download and run random stuff.

After that, it gets more complicated.

No computer is 100% secure. I scrutinise all the Linux security updates that come through - and there are enough of them to see that a sophisticated and motivated attacker could use a lot of them to pwn me. The good news: I’ve been using Linux full time for well more than a decade and I have never knowingly been pwned.

The other side of the coin is that attacking Linux does not reap as good rewards as attacking Windows, so most of the widespread attacks are against Windows.

If you have had a lot of trouble with hackers, you may look into getting a dedicated firewall box with good functionality for monitoring and controlling.

I would turn it around the other way - what is the point of having a computer if it is not connected to the internet?

2 Likes

I’m assuming you’re coming from the windows world; if not, it will hopefully still make sense. Windows Defender, or Norton, or insert your favourite product here, does 3 things for you. You can pick and choose which of them you want on Linux, and which you need depends on your use case.

From least needed to most:

  1. Activity monitor
    This watches and restricts what files are being read, written, or executed on the computer, looking for suspicious activity. Linux phones and routers often include SELinux, since it’s fairly normal to run un-trusted stuff on them, to try to identify misbehaving ‘apps’. You almost certainly don’t need this, there’s performance and usability implications, and it’s not usually worth the setup, given that the goal is to keep bad things out, rather than limiting their damage once they get in.

  2. Virus Scanner
    This can be automated, or not. It looks at files either directly at the user’s request, or automatically when files are downloaded from the browser or via email. Thanks to the package manager, and a good ecosystem of trusted program delivery, you probably don’t need this. The rule to follow is don’t download and run things from random people on the internet. PureOS is debian based, anything you get from their repos will either be safe, or at least have the sharp edges documented. The major reason you might want this is if you are interacting with Windows users, being able to scan email attachments for known viruses can be useful, but only if you care to let someone know about them.

  3. Firewall
    A firewall is a system that lets you control what connections can be made via the network. This is the system you probably want. Generally, Linux won’t have anything listening on the network out of the box, so it isn’t a big deal, also if you’re on most networks, home or otherwise, your computer won’t be exposed to the raw internet (it’ll be behind either your home router’s firewall, or a corporate firewall). That said, if you use coffee shop hotspots or similar, a firewall is a good way to keep from accidentally letting someone snoop. Basic firewall functionality is pretty easy to set up. If you want the computer accessible from the internet (SSH for remote access, FTP for file transfers, HTTP for web stuff), I recommend setting up fail2ban to watch for people trying to break in and adjust the firewall rules to block the origin subnet for at least a week.

2 Likes
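To make the "watch for people trying to break in" step concrete, here is an added example (not from the thread and not fail2ban's own code) of the kind of log check such a tool performs: it counts failed SSH password attempts per /24 subnet. The log lines are constructed, and the function names and the threshold of 3 are assumptions.

```shell
#!/bin/sh
# Constructed sample of sshd log lines (documentation-range addresses only).
sample_auth_log() {
cat <<'EOF'
Mar  3 10:00:01 host sshd[811]: Failed password for root from 203.0.113.10 port 40022 ssh2
Mar  3 10:00:04 host sshd[811]: Failed password for invalid user admin from 203.0.113.77 port 40023 ssh2
Mar  3 10:00:09 host sshd[812]: Failed password for root from 203.0.113.10 port 40031 ssh2
Mar  3 10:01:15 host sshd[820]: Accepted publickey for alice from 198.51.100.5 port 51000 ssh2
Mar  3 10:02:30 host sshd[833]: Failed password for alice from 198.51.100.5 port 51010 ssh2
Mar  3 10:03:00 host sshd[840]: Failed password for invalid user test from 203.0.113.200 port 40100 ssh2
EOF
}

# Read auth-log lines on stdin and print "<subnet>/24 <failures>" for every
# IPv4 /24 with at least $1 failed password attempts (default 3, an assumption).
subnets_to_block() {
  awk -v max="${1:-3}" '
    /sshd\[[0-9]+\]: Failed password for / {
      ip = ""
      # Take the address after the LAST "from": sshd appends it itself, so
      # text inside the attempted user name cannot change what is counted.
      for (i = NF; i > 1; i--) if ($(i - 1) == "from") { ip = $i; break }
      if (split(ip, o, ".") != 4) next    # skip IPv6 or malformed fields
      fails[o[1] "." o[2] "." o[3] ".0/24"]++
    }
    END { for (s in fails) if (fails[s] >= max) print s, fails[s] }
  ' | sort
}

sample_auth_log | subnets_to_block 3
```

In the sample no single address reaches three failures, but the 203.0.113.0/24 subnet as a whole has four, which is why counting per subnet catches attempts spread across neighbouring addresses.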

Hey, thanks v much! Believe it or not I’m coming from a Mac OSX world and the machines have been grotesquely violated / screen sharing and all sorts. I don’t know how this is even possible but it is. So fail2ban for purism / linux? Is this downloaded and then executed / run etc? Thanks again - much appreciated!

I hawked this more than once, but look into firejail. It’ll sandbox your browser and save you some heartache.

1 Like

Hey- thanks! Two great suggestions. Like the sandboxing approach. V new to linux so pls excuse the basic question- how do you install this? Download and execute? Are there any step by step how-to download and install? Is it similar to OS X - click on the download and run the app?

If you have debian or redhat based they have precompiled packages you can run to install. If not there’s a tar you download and unpack with an install script. The instructions are there in the tar. Look over the documentation on the website too, firejail uses profiles to dictate how a program is sandboxed and it’s very much worth familiarizing yourself with it.

To use it with say firefox you’ll have to edit its launch command in the menu, but that’s something you should learn how to do yourself. Not because I can’t be bothered to explain it, but you live in Linux land now. Editing things to suit your needs is what makes Linux great.

2 Likes
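For the launcher edit mentioned above, an added example (not from the thread or from the firejail project) that copies a `.desktop` launcher into a per-user directory and prefixes each `Exec=` command with `firejail`. The sample launcher is constructed, and the function names and paths are assumptions.

```shell
#!/bin/sh
# Constructed sample launcher; a real one lives under /usr/share/applications.
sample_launcher() {
cat <<'EOF'
[Desktop Entry]
Type=Application
Name=Firefox
Exec=firefox %u

[Desktop Action new-private-window]
Name=New Private Window
Exec=firefox --private-window %u
EOF
}

# Copy launcher $1 into directory $2 with every Exec= command prefixed by
# firejail, and print the path of the copy. Lines already wrapped are left
# alone, so running it twice does not produce "firejail firejail ...".
wrap_launcher_with_firejail() {
  local src="$1" destdir="$2" dest
  [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
  mkdir -p "$destdir" || return 1
  dest="$destdir/$(basename "$src")"
  # Write to a temp file first so src and dest may be the same file.
  sed '/^Exec=firejail /!s/^Exec=/Exec=firejail /' "$src" > "$dest.tmp" || return 1
  mv "$dest.tmp" "$dest" && printf '%s\n' "$dest"
}

# Demo on the constructed sample, in a scratch directory.
demo_dir="$(mktemp -d)"
sample_launcher > "$demo_dir/firefox.desktop"
grep '^Exec=' "$(wrap_launcher_with_firejail "$demo_dir/firefox.desktop" "$demo_dir/user")"
```

On a real system the second argument would be `~/.local/share/applications`, where a launcher with the same file name takes precedence over the system copy.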

No! Don’t download and install or execute anything until you know what you’re doing! fail2ban is provided by the fail2ban package on debian based distros. Try

sudo apt-get install fail2ban

Firejail is neat, it auto configures control groups (cgroups) for you to limit programs to only what they need. Note that it’s assumed the user account running firejail itself is trustworthy, it may actually decrease security if that is not the case. It’s well worth using for appropriate things (like sandboxing a browser), but takes some careful setup and a decent understanding of what’s going on.

And finally, let me reiterate: Don’t Download And Run Anything you get from the internet! Debian/PureOS has some 30k packages available, almost anything you might want to do with a computer is freely available in those packages. Until you know what you’re doing, don’t go looking elsewhere for programs (not even deb packages).

This extends to don’t run things people tell you to run without knowing what they do. Yes, that does include the apt-get line I typed up above. There are people who will post malicious commands, and with something like bash it won’t be obvious even if you do read it. It’ll just be something like (){ :|: & }; (not complete, but close), and crash your system. That one is tame, deleting files or remote access stuff is also possible.

StackOverflow.com can help you figure out what commands do, as can the programs man and apropos. Also you can ask here if you get stuck.

2 Likes

hello ! i see this is not your first time here on the Purism forums but - nonetheless - welcome !

in case you haven’t already this could prove to be worth your while :

many questions you have or have already asked MIGHT have already been asked by people here on the forums or elsewhere so it’s a good habit to make best friends with the SEARCH on the top-right corner and use it frequently when you are interested in finding something. the CTRL+F shortcut is useful when you are already in a thread or have been greeted with a TLDR.

well all this assumes you already know what you want to get answers for (not an easy task in itself) but practice makes perfect …

You say “trust no one, including in here” and then advise that they go to stackoverflow or here to seek help. Can we offer suggestions or not? Saying such things undermines the purpose of this forum, which is to offer help and suggestions. Besides, due diligence was already advised. I don’t see what your big deal is.

I said to understand what the commands you run do. If someone just gives you a “run this command” answer, with no explanation of what it does, don’t just run it without figuring out what it does. This is advice being given to someone who is here specifically because they’ve had security issues in the past. Right after saying the general rule is “don’t download and run things from random people on the internet”, they asked if they should download and run something from the internet, at the suggestion of some random guy on the internet… I’m trying to encourage them to go from blindly following internet fora advice to using it as a starting point to understand how to understand and solve issues.

1 Like

That’s correct. Don’t trust. Verify.

However at some point every new user might have to trust someone who tells them to use the man command to get help about a command. Trust does not need to go beyond that.

man sudo
man apt

Job done.

1 Like

Heh, man man is a good place to start, actually. One of the oddities on Linux is that some things have multiple man entries, as they are sorta duplicated in different sections. Knowing the difference between man(2) and man(3) for example is good.

That said, the principle is to not add random people to your trusted list. You got the OS image from purism, you probably got your hardware from purism. If they were going to lead you astray, they’ve already had the opportunity to do so. Plus there are people with more technical knowledge who have failed to find any serious issues with them. Following the advice of their tech support is probably fine, even if you don’t fully understand what they are telling you to do. Similarly, if you decide you want to run the nightly build of Mozilla Firefox, and go to their website, you’re adding them to the list of people who can ruin your day. If you trust the Mozilla Foundation to not intentionally screw you over, and trust that their security is good enough to not unintentionally screw you over, then go for it. The question to always ask is “do I trust entityX enough to give them my root password”, because that’s essentially what you’re doing when you install software from them.

2 Likes

This is more clear to me, and I agree with what you say. Thank you for clarifying.