Linux Security Basics
Linux is already one of the most secure operating systems out there. With a few simple habits, you can keep it that way.
Linux Is Already More Secure Than Windows
You might have heard that Linux doesn't get viruses. That's not true (Linux malware exists, and Linux servers are attacked constantly), but a typical Linux desktop does start out with a stronger security posture than a typical Windows one. Here's why, in plain terms:
- You don't run as admin by default. On Windows, many people use an account with full administrator rights all the time. On Linux, you work in a regular account and only type your password (with sudo) when something actually needs system-level access. Malware you're tricked into running still gets everything your user can reach (your documents, browser profile, and SSH keys), but it can't quietly take over the whole system without your password.
- Software comes from trusted sources. On Windows, you download installers from random websites. On Linux, software comes from your distro's official repositories: curated, tested, and cryptographically signed, so the package manager refuses a package that doesn't match the repository's signature. It's more like an app store than a wild west.
- Smaller target. Most desktop malware is written for Windows because that's where the users are. Linux desktop users are a small fraction of the market, so attackers mostly don't bother with them. (Linux servers are a different story, which is why these habits matter more on any machine that exposes services to the internet.)
- Open source means more eyes. Linux's code is public. Thousands of developers can inspect it, find bugs, and fix them. Security flaws tend to get caught and patched quickly rather than hidden.
- Built-in file permissions. Linux has a strict permission system that controls who can read, write, or run every file. Programs can't just do whatever they want.
That said, no system is invincible. The tips on this page will keep your Linux setup locked down tight.
Keep Your System Updated (The #1 Most Important Thing)
If you only do one thing from this entire page, do this: keep your system up to date.
Security updates patch known vulnerabilities — holes that attackers already know about and are actively trying to exploit. When you skip updates, you're leaving the front door unlocked with a sign that says "I'm unlocked."
# Ubuntu / Mint / Debian
sudo apt update && sudo apt upgrade
# Fedora
sudo dnf upgrade
# Arch / Manjaro
sudo pacman -Syu
# openSUSE Leap
sudo zypper update
# openSUSE Tumbleweed (rolling release: it needs a distribution upgrade, not "update")
sudo zypper dup
Run this regularly. Once a week is a good habit, or just do it whenever you see the update notification. Most desktop distros will notify you when updates are available; don't ignore those notifications. One step people skip: if the update included a new kernel, glibc, or graphics driver, reboot. A patched kernel sitting on disk does nothing for the old one that is still running. On Ubuntu/Debian the needrestart package tells you which services still need restarting, and on Fedora sudo dnf needs-restarting -r tells you whether a reboot is due.
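The commands above assume you already know which family your distro belongs to. On a derivative (Linux Mint, Manjaro, Pop!_OS) the ID field in /etc/os-release names the derivative, and the parent distro only appears in ID_LIKE. The script below is an added example, not something from the original page: it picks the right command from that file, including the zypper dup case for Tumbleweed. The only path it relies on is the standard /etc/os-release; the sample values mentioned in the comments are illustrative.

```shell
#!/bin/sh
# Added example: choose the update command from /etc/os-release, so one
# script works on derivatives (Mint, Manjaro, Pop!_OS) whose ID differs
# from the base distro. Derivatives name their base in ID_LIKE, e.g.
# ID=linuxmint ID_LIKE="ubuntu debian".

# osrel_value FILE KEY -> the value of KEY, without surrounding quotes
osrel_value() {
    sed -n "s/^$2=//p" "$1" | tr -d '"' | head -n 1
}

# update_cmd FILE -> prints the upgrade command (without sudo) for the
# os-release in FILE; returns 1 for a distro it does not know
update_cmd() {
    os_id=$(osrel_value "$1" ID)
    os_like=$(osrel_value "$1" ID_LIKE)
    # ID is checked before ID_LIKE so Tumbleweed (ID=opensuse-tumbleweed,
    # ID_LIKE="opensuse suse") gets the rolling-release command, not Leap's
    for candidate in $os_id $os_like; do
        case "$candidate" in
            opensuse-tumbleweed) echo "zypper dup"; return 0 ;;
            debian|ubuntu)       echo "apt update && apt upgrade"; return 0 ;;
            fedora|rhel|centos)  echo "dnf upgrade"; return 0 ;;
            arch)                echo "pacman -Syu"; return 0 ;;
            opensuse*|suse)      echo "zypper update"; return 0 ;;
        esac
    done
    echo "update_cmd: unknown distro (ID=$os_id ID_LIKE=$os_like)" >&2
    return 1
}

# Usage:  sh update.sh --show   (print the command for this machine)
#         sh update.sh --run    (run it with sudo)
case "${1:-}" in
    --show) update_cmd /etc/os-release ;;
    --run)  cmd=$(update_cmd /etc/os-release) && sudo sh -c "$cmd" ;;
esac
```

The script deliberately refuses unknown distros instead of guessing: running the wrong package manager's upgrade is worse than running none.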
Firewall Basics
A firewall controls which network connections are allowed in and out of your computer. Think of it as a bouncer for your network traffic — it decides who gets in and who gets turned away.
Most Linux desktops don't have any services listening for incoming connections by default, so a firewall isn't as critical as on a server. You can see for yourself with sudo ss -tulpn: anything bound to 0.0.0.0, * or [::] is reachable from the network, while 127.0.0.1 and [::1] are local-only. A firewall is still good practice, especially on laptops that connect to public WiFi, because the next thing you install (a development web server, a media server, Samba) may well start listening.
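To see what a firewall (ufw or firewalld alike) would actually be protecting, the function below filters ss -tuln output down to the sockets that are reachable from the network, dropping anything bound to a loopback address. This is an added example, not code from the original page; the sample output it runs on by default is constructed for illustration, and --live runs it against the real ss.

```shell
#!/bin/sh
# Added example: list listening sockets that are reachable from the network,
# i.e. the ones a firewall rule has to cover. Input is `ss -tuln` output
# (t=tcp, u=udp, l=listening, n=numeric). Loopback-only sockets (127.x,
# [::1], or an address scoped to "%lo") are skipped.

exposed_listeners() {
    awk '
    # skip the header line; listening TCP sockets show LISTEN, UDP ones UNCONN
    $2 == "LISTEN" || $2 == "UNCONN" {
        laddr = $5
        # the port is everything after the last ":"; IPv6 addresses contain
        # more colons, so split on ":" and take the final field
        n = split(laddr, parts, ":")
        port = parts[n]
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /%lo$/) next
        print $1, port, addr
    }'
}

# Constructed sample in the format `ss -tuln` prints (not captured from a
# real machine): sshd on all addresses, CUPS on loopback only, a dev server
# on *:8080, systemd-resolved's stub resolver on 127.0.0.53.
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      511                *:8080            *:*
udp   UNCONN 0      0        127.0.0.53%lo:53      0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      4096           [::1]:631          [::]:*'

case "${1:-}" in
    --live) ss -tuln | exposed_listeners ;;
    *)      printf '%s\n' "$SS_SAMPLE" | exposed_listeners ;;
esac
```

On the sample this prints the SSH and 8080 sockets and nothing about CUPS or the resolver: those two are fine without any firewall rule, the others are exactly what "deny incoming by default" exists for. Add -p (and sudo) to the ss call when you want the owning process next to each line.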
UFW (Ubuntu, Mint, Debian)
UFW stands for "Uncomplicated Firewall" — and it lives up to the name. It's the simplest way to manage a firewall on Ubuntu-based distros.
# Check if UFW is installed (it usually is on Ubuntu/Mint)
sudo ufw status
# Turn it on
sudo ufw enable
# That's it! By default, UFW blocks all incoming connections
# and allows all outgoing. That's exactly what you want.
# If you need to allow something specific (e.g., SSH):
sudo ufw allow ssh
# ("sudo ufw limit ssh" does the same but also rate-limits repeated
# connection attempts, which blunts password-guessing bots.)
# Allow a specific port. Name the protocol: a bare number opens both tcp and udp.
sudo ufw allow 8080/tcp
# Block a specific port. Only needed if an earlier allow rule opened it,
# since incoming traffic is already denied by default:
sudo ufw deny 3000
# See your current rules:
sudo ufw status verbose
# Turn it off (if you ever need to):
sudo ufw disable
firewalld (Fedora)
Fedora uses firewalld, which is already running by default. One thing worth knowing: Fedora Workstation's default zone (FedoraWorkstation) allows incoming connections on every port above 1024, so a development server on port 8080 is reachable by anyone on your network. If you want the default-deny behaviour UFW gives you, switch to the public zone. Here are the essentials:
# Check status (it should already be running)
sudo firewall-cmd --state
# See what's currently allowed:
sudo firewall-cmd --list-all
# ("sudo firewall-cmd --get-active-zones" shows which zone your connection
# is in, and "sudo firewall-cmd --set-default-zone=public" switches to the
# stricter zone that only lets a few services such as ssh through.)
# Allow a service (e.g., SSH):
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload
# Allow a specific port:
sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --reload
# Remove a rule:
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --reload
The --permanent flag makes the rule survive reboots, but it doesn't touch the running firewall until you --reload. Without --permanent, the rule applies immediately but disappears when you restart. The --reload applies your permanent changes to the running firewall, so the pattern above (permanent, then reload) gives you both.
Don't Run Everything as Root
On Linux, the root user (also called the superuser) has unlimited access to everything — every file, every setting, every process. There are no guardrails. If something goes wrong while you're root, it can go very wrong.
Here's why this matters for security:
- If you're browsing the web as root and visit a malicious site, any exploit has full access to your entire system.
- If you run a sketchy script as root, it can do literally anything — delete your files, install a backdoor, brick your system.
- Even honest mistakes become catastrophic. A typo like rm -rf / home (note the accidental space) is the classic example. Modern GNU rm refuses to delete / itself, but that safety net doesn't cover rm -rf /*, an unset variable in rm -rf "$DIR"/*, or a typo in any other path. As root, all of those are carried out without question; as a normal user, everything outside your home just gives a "permission denied" error.
The right approach: Use your regular user account for everything. When a command genuinely needs elevated privileges, put sudo in front of it. That way you're only root for that one command, not all the time.
Don't run sudo su or sudo -i to get a permanent root shell and then forget about it and keep working there. If a guide tells you to run something as root, use sudo for that specific command instead. Be doubly careful with the popular curl ... | sudo bash install one-liner: it hands whatever the server sends straight to root without you ever seeing it. Download the script, read it, then run it.
Strong Passwords and Password Managers
Your Linux login password matters: it's what stands between a regular user and sudo (admin) access, and it's what the screen lock checks. If someone gets your password, they effectively have root access to your machine. It does not protect your files from someone who pulls the drive out; that's what disk encryption, further down this page, is for.
Good password habits:
- Make it long. A 4-word passphrase like correct horse battery staple is both easier to remember and harder to crack than P@ssw0rd!, which is in every cracking wordlist. Don't use that exact phrase, of course: it's famous, so it's in the wordlists too. Pick random words, not a quote or a song lyric.
- Don't reuse passwords. If one service gets breached and your password leaks, attackers will try it everywhere else (this is called credential stuffing, and it's fully automated).
- Use a password manager. You only need to remember one strong master password. The manager generates and stores the rest, so every site gets a different random password.
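As an added example (not part of the original page), here is how to generate such a passphrase properly. The words are chosen with bytes from /dev/urandom plus rejection sampling, because a shell's $RANDOM is not cryptographically strong and a plain modulo would bias the choice toward the first words in the list. The word list path in the usage comment is an assumption; any one-word-per-line file works, and entropy_bits tells you how much a given list and word count actually buy you.

```shell
#!/bin/sh
# Added example: passphrase generator fed by the kernel CSPRNG.
# Assumes GNU coreutils (od, wc, mktemp) and a one-word-per-line list; the
# Debian/Ubuntu "wamerican" package provides /usr/share/dict/words.

# pick_index N -> uniform random integer in [0, N).
# Reads 4 bytes from /dev/urandom; values in the top partial bucket are
# rejected so that every index is equally likely (no modulo bias).
pick_index() {
    limit=$(( 4294967296 - 4294967296 % $1 ))
    while :; do
        r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
        if [ "$r" -lt "$limit" ]; then
            echo $(( r % $1 ))
            return 0
        fi
    done
}

# clean_wordlist IN OUT -> keep only lowercase 4..8 letter words; the
# system dictionary is full of proper nouns and possessives ("Zurich's")
clean_wordlist() {
    grep -E '^[a-z]{4,8}$' "$1" > "$2"
}

# passphrase WORDLIST [COUNT] -> COUNT random words separated by spaces
passphrase() {
    list=$1
    count=${2:-4}
    size=$(wc -l < "$list")       # list must end with a newline
    i=0
    out=""
    while [ "$i" -lt "$count" ]; do
        n=$(pick_index "$size")
        word=$(sed -n "$(( n + 1 ))p" "$list")
        out="$out${out:+ }$word"
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# entropy_bits WORDLIST COUNT -> bits of entropy for COUNT words drawn
# uniformly (with replacement) from the list: COUNT * log2(size)
entropy_bits() {
    size=$(wc -l < "$1")
    awk -v n="$2" -v s="$size" 'BEGIN { printf "%.1f\n", n * log(s) / log(2) }'
}

# Usage: sh passphrase.sh /usr/share/dict/words 5
if [ $# -ge 1 ]; then
    cleaned=$(mktemp)
    clean_wordlist "$1" "$cleaned"
    echo "entropy: $(entropy_bits "$cleaned" "${2:-4}") bits"
    passphrase "$cleaned" "${2:-4}"
    rm -f "$cleaned"
fi
```

Four words from a 7776-word diceware list give about 51.7 bits, six give about 77.5; the numbers only hold if every word is equally likely, which is exactly what the rejection loop in pick_index guarantees.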
Recommended Password Managers
| App | Type | Highlights |
|---|---|---|
| KeePassXC | Local (offline) | Your passwords stay in an encrypted file on your computer. Nothing goes to the cloud. Free and open source. Great Linux app. |
| Bitwarden | Cloud-synced | Syncs across all your devices. Has a browser extension, desktop app, and mobile app. Free tier is very usable. Open source. |
KeePassXC is perfect if you want everything local and under your control. Bitwarden is better if you need to access your passwords on multiple devices (phone, work computer, etc.).
# Install KeePassXC
sudo apt install keepassxc # Ubuntu / Mint / Debian
sudo dnf install keepassxc # Fedora
sudo pacman -S keepassxc # Arch / Manjaro
# Install Bitwarden (download the .AppImage from bitwarden.com,
# or install from Flathub):
flatpak install flathub com.bitwarden.desktop
Be Careful with PPAs and AUR Packages
Your distro's official repositories are curated and tested. Software from those repos is generally safe. But sometimes you'll want software that isn't in the official repos, and that's where you need to be more careful.
PPAs (Ubuntu / Mint / Debian)
A PPA (Personal Package Archive) is a third-party repository that anyone with a Launchpad account can create. When you add a PPA, you're trusting that person completely: packages install with root privileges and can run arbitrary scripts during installation, and a bad update can break your system. A PPA also keeps shipping updates for as long as it stays enabled, so the trust is ongoing, not one-time.
- Only add PPAs from developers you trust — well-known projects, official developer PPAs, etc.
- Don't add PPAs just because a random forum post told you to. Check who maintains it first.
- If you no longer need a PPA, remove it. Removing the source does not downgrade the packages you already installed from it; the ppa-purge tool (sudo ppa-purge ppa:whatever/ppa) reverts them to the official versions.
sudo add-apt-repository --remove ppa:whatever/ppa
AUR (Arch / Manjaro)
The AUR (Arch User Repository) is community-contributed. Packages there are not reviewed by the Arch team; anyone with an account can upload one, and a maintainer can change a package at any time. The build runs as your user and the install step runs as root, so a malicious PKGBUILD gets everything.
- Always read the PKGBUILD before installing. This is the script that builds the package, and it could contain anything. AUR helpers like yay show it to you before proceeding; say no if you see a download piped into a shell, a base64 blob, or checksums set to SKIP for something that isn't a VCS (-git) package.
- Check the votes and comments on the AUR page. Popular, well-maintained packages with lots of votes are generally safer, and the comments are where people report broken or suspicious updates.
- Avoid packages with very few votes and no recent updates. They might be abandoned or poorly maintained. Re-read the PKGBUILD diff when an update arrives, too: a package that was clean last year can change hands.
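A first pass over a PKGBUILD can be automated. The function below is an added example (not from the page or from the Arch project): it prints the lines that match the red flags listed above and exits non-zero if it found any. It only points at lines that deserve a closer read; a clean result does not make a package safe, and a hit is not proof of malice (VCS packages legitimately use SKIP, for instance). The sample PKGBUILDs used for testing are constructed.

```shell
#!/bin/sh
# Added example: flag PKGBUILD lines worth a closer look before you build.
# Usage: sh pkgbuild-lint.sh PKGBUILD   (exit 1 if anything was flagged)

# pkgbuild_flags FILE -> prints "reason: line" for each suspicious line
pkgbuild_flags() {
    awk '
    function flag(why) { hits++; printf "%s: %s\n", why, $0 }
    # comment lines are not executed
    /^[ \t]*#/ { next }
    /(curl|wget)[^|]*[|][ \t]*(ba)?sh/ { flag("pipes a download straight into a shell") }
    /base64[ \t]+(-d|--decode)/        { flag("decodes a base64 blob") }
    /(^|[ \t;&|])eval[ \t]/            { flag("eval of constructed code") }
    /(^|[ \t;&|])sudo[ \t]/            { flag("sudo during build") }
    /SKIP/                             { flag("checksum verification skipped (only normal for VCS sources)") }
    /(http|git|ftp):\/\//              { flag("non-https source URL") }
    /\$HOME|~\//                       { flag("touches the building user home directory") }
    END { exit (hits > 0 ? 1 : 0) }
    ' "$1"
}

if [ $# -ge 1 ]; then
    pkgbuild_flags "$1"
fi
```

Run it on the PKGBUILD your helper drops in its build directory, then read the flagged lines in context: a curl piped into bash inside build() is a hard no, while SKIP next to a git+https source is business as usual.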
Disk Encryption
Disk encryption protects your data if your computer is lost or stolen. Without encryption, anyone who gets physical access to your hard drive can read everything on it — even if they don't know your login password. They can just pull the drive out and plug it into another machine.
With encryption, everything on the drive except the small boot loader (and, on many setups, the /boot partition that holds the kernel) is scrambled. Without the decryption passphrase, the data is meaningless gibberish, and your login password becomes a second lock rather than the only one.
Setting up LUKS encryption (during install)
LUKS (Linux Unified Key Setup) is the standard disk encryption system on Linux. The easiest time to set it up is during installation — most distros offer a simple checkbox for it.
How to enable it
- Ubuntu / Mint: During installation, on the disk partitioning step, check the box that says "Encrypt the new installation for security". You'll be asked to create a passphrase. That's it.
- Fedora: On the installation disk selection screen, check "Encrypt my data". Set a passphrase when prompted.
- Arch: You'll need to set up LUKS manually during install. The Arch Wiki has a thorough guide. If you're using the archinstall script, it offers an encryption option.
Things to know
- You'll need to enter your encryption passphrase every time you boot. This is separate from your login password.
- If you forget your encryption passphrase, your data is gone. There is no recovery. Write it down somewhere safe when you first set it up. Two precautions worth taking right after install: add a second passphrase in a spare key slot (sudo cryptsetup luksAddKey /dev/sdXN, with your LUKS partition in place of sdXN) and back up the LUKS header (sudo cryptsetup luksHeaderBackup /dev/sdXN --header-backup-file luks-header.img) to a USB stick you keep elsewhere. If the header gets damaged, even the right passphrase can't open the disk; the backup fixes that.
- Performance impact is minimal on modern hardware. Most CPUs have built-in acceleration for encryption, so you won't notice any slowdown.
- Adding LUKS to an existing root filesystem after installation is possible (cryptsetup reencrypt can encrypt a partition in place) but fiddly and risky, so plan for it during your initial setup. Encrypting an extra data partition or an external drive later is easy: GNOME Disks and KDE Partition Manager both offer LUKS when you format a drive.
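Installers make "encrypted" easy to get wrong (only /home encrypted, or the checkbox silently ignored), so it's worth verifying after the first boot. The script below is an added example, not from the original page: it walks the block-device chain under a mountpoint using the parent names lsblk reports and says whether any layer is a LUKS mapping. It assumes each device has a single parent and that no mountpoint contains a space, which holds for the usual single-disk desktop; the sample lsblk output is constructed, and --live runs it on the real system.

```shell
#!/bin/sh
# Added example: confirm that the filesystem behind a mountpoint sits on a
# LUKS device. Input is `lsblk -P -o NAME,PKNAME,TYPE,MOUNTPOINT`: one line
# of KEY="value" pairs per device, PKNAME being the parent kernel name.

# mount_is_encrypted MOUNTPOINT (lsblk -P output on stdin)
#   -> prints encrypted / plaintext / not-mounted, exit 0 / 1 / 2
mount_is_encrypted() {
    awk -v mp="$1" '
    {
        name = ""; pkname = ""; devtype = ""; mnt = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            gsub("\"", "", val)
            if (key == "NAME") name = val
            else if (key == "PKNAME") pkname = val
            else if (key == "TYPE") devtype = val
            else if (key == "MOUNTPOINT") mnt = val
        }
        parent[name] = pkname
        kind[name] = devtype
        if (mnt == mp) target = name
    }
    END {
        if (target == "") { print "not-mounted"; exit 2 }
        # follow PKNAME links from the filesystem down to the physical disk
        for (n = target; n != ""; n = parent[n])
            if (kind[n] == "crypt") { print "encrypted"; exit 0 }
        print "plaintext"; exit 1
    }'
}

# Constructed sample (not captured from a real machine): the layout the
# Ubuntu "encrypt the new installation" option produces, LVM on top of
# LUKS, with an unencrypted /boot and EFI partition.
LSBLK_SAMPLE='NAME="nvme0n1" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="nvme0n1p1" PKNAME="nvme0n1" TYPE="part" MOUNTPOINT="/boot/efi"
NAME="nvme0n1p2" PKNAME="nvme0n1" TYPE="part" MOUNTPOIN
T=""
NAME="nvme0n1p3" PKNAME="nvme0n1" TYPE="part" MOUNTPOINT=""
NAME="dm_crypt-0" PKNAME="nvme0n1p3" TYPE="crypt" MOUNTPOINT=""
NAME="ubuntu--vg-ubuntu--lv" PKNAME="dm_crypt-0" TYPE="lvm" MOUNTPOINT="/"'

case "${1:-}" in
    --live) lsblk -P -o NAME,PKNAME,TYPE,MOUNTPOINT | mount_is_encrypted "${2:-/}" ;;
    *)      for m in / /boot; do
                echo "$m: $(printf '%s\n' "$LSBLK_SAMPLE" | mount_is_encrypted "$m")"
            done ;;
esac
```

On the sample, / comes back encrypted and /boot plaintext, which is the expected shape: the kernel and initramfs live outside the encrypted container so the boot loader can load them and ask for your passphrase.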
Browser Security Basics
Your browser is probably the most exposed piece of software on your computer — it's constantly talking to the internet and running code from websites. A few simple steps go a long way:
- Install uBlock Origin. This is a free, open-source ad and tracker blocker. It doesn't just remove annoying ads; it blocks malicious ads (malvertising) that can infect your computer, and it speeds up page loads significantly.
- Available for Firefox and for Chromium-based browsers, with a caveat: Google's Manifest V3 extension platform has dropped the full uBlock Origin from Chrome, leaving the reduced uBlock Origin Lite. That is one good reason to use Firefox on Linux.
- Install it from your browser's official extension store, not from a download link on a random site.
- The default settings are great. You don't need to configure anything.
- Use HTTPS everywhere. HTTPS encrypts the connection between your browser and the website, so nobody in between can see what you're doing (on public WiFi, that means everyone else on the network). Turn on the browser's HTTPS-only mode so it upgrades connections automatically and warns before falling back: in Firefox it's Settings > Privacy & Security > HTTPS-Only Mode; in Chrome it's "Always use secure connections" under the Security settings. Don't enter passwords or personal information on HTTP (non-encrypted) sites.
- Don't install random browser extensions. Every extension you install can see some or all of your browsing activity. Only install extensions you actually need, from well-known developers. If an extension asks for permission to "read and change all your data on all websites" — think carefully about whether you trust it.
- Keep your browser updated. Browsers are one of the most common attack vectors, and updates patch security holes. On Linux the browser usually doesn't update itself: if it came from your distro's repository it updates with your system updates, and if it came from Flathub it updates with flatpak update. Either way, restart the browser after an update so the patched version is the one actually running.
Checking for Rootkits
A rootkit is a particularly nasty type of malware that hides deep inside your system, often making itself invisible to normal tools. Rootkits on Linux desktops are extremely rare, but if you want extra peace of mind, you can scan for them. One caveat applies to every scanner: it runs on the same system it's checking, so a rootkit that hooks the kernel can lie to it. If you genuinely suspect a compromise, boot from a live USB and inspect the disk from there.
Scanning with rkhunter and chkrootkit
There are two well-known rootkit scanners for Linux. Neither is perfect, but running them occasionally is a reasonable precaution.
rkhunter
# Install
sudo apt install rkhunter # Ubuntu / Mint / Debian
sudo dnf install rkhunter # Fedora
# Update its database, then scan
sudo rkhunter --update
sudo rkhunter --check
# rkhunter also keeps hashes of your system binaries. After a legitimate
# system update it will warn that those binaries "changed"; refresh the
# hashes with "sudo rkhunter --propupd" right after you update (not after a
# scan that worried you, or you'd be whitelisting whatever changed).
# It will flag some things as warnings; many are false positives.
# Read through the results; don't panic at every warning.
chkrootkit
# Install
sudo apt install chkrootkit # Ubuntu / Mint / Debian
sudo dnf install chkrootkit # Fedora
# Run a scan
sudo chkrootkit
# Again, some false positives are normal. Look for anything
# that says "INFECTED" and research it before worrying.
Keep in mind: These tools are useful for spot-checks, but they're not a substitute for good security habits. Keeping your system updated and not running random scripts as root will protect you far more than any scanner.
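When a scanner does flag a system binary, the next question is whether the package manager agrees that the file changed. Both rpm (rpm -Va) and dpkg (dpkg -V) can compare every installed file against the digest recorded at install time. The function below is an added example, not from the page: it reduces that verbose output to executables and libraries whose contents changed, skipping config files you edited on purpose. The sample output is constructed; pacman -Qkk on Arch uses a different format that this parser does not handle. Like the scanners, this trusts the local package database, so treat it as triage rather than proof.

```shell
#!/bin/sh
# Added example: reduce `rpm -Va` (Fedora) or `dpkg -V` (Debian/Ubuntu)
# output to a list of code files whose contents changed. Both print a
# 9-character flag string, an optional file-type letter (c = config file,
# d = documentation), then the path; the 3rd flag character is "5" when the
# file digest no longer matches the package. Run the verify step with sudo
# so every file is readable.

modified_binaries() {
    awk '
    $1 == "missing" { next }               # usually deleted docs, not tampering
    substr($1, 3, 1) != "5" { next }       # digest unchanged (only mtime, mode...)
    NF >= 3 && $2 == "c" { next }          # config file: you edited it on purpose
    {
        path = (NF >= 3) ? $3 : $2
        # only code locations; changed data files elsewhere are noise here
        if (path ~ /^\/(usr\/)?(s?bin|lib(64|32|exec)?)\//) print path
    }'
}

# Constructed sample in rpm -Va / dpkg -V format (not from a real machine)
VERIFY_SAMPLE='S.5....T.    /usr/bin/ls
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/lib/systemd/system/foo.service
missing     /usr/share/doc/x/README
??5??????    /usr/sbin/sshd
S.5....T.  d /usr/share/man/man1/ls.1.gz
S.5....T.    /usr/share/icons/hicolor/index.theme'

case "${1:-}" in
    --live)
        if command -v rpm >/dev/null 2>&1; then sudo rpm -Va | modified_binaries
        elif command -v dpkg >/dev/null 2>&1; then sudo dpkg -V | modified_binaries
        else echo "neither rpm nor dpkg found" >&2; exit 1; fi ;;
    *)  printf '%s\n' "$VERIFY_SAMPLE" | modified_binaries ;;
esac
```

On the sample only /usr/bin/ls and /usr/sbin/sshd survive the filter. A real hit on a file like that, with no package update to explain it, is the point at which you stop trusting the running system and reinstall from known-good media.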
File Permissions Matter
Linux's file permission system is one of its biggest security advantages. Every file and folder has rules about who can read it, write to it, or run it. This prevents programs and other users from accessing things they shouldn't.
You don't need to become a permissions expert, but it helps to understand the basics:
- Don't chmod 777 things. You'll see this "fix" suggested online sometimes. It means "let everyone read, write, and execute this file", which is almost never what you actually want: any other user, or any program running as one, can now alter the file. It's the security equivalent of leaving your house keys under the mat with a neon sign pointing at them. If a program can't read a file, fix the owner or group (chown) or grant just that group access, not the whole world.
- Be cautious with chown and chmod on system files. Changing ownership or permissions of system files can break things or create security holes (a world-writable file in /usr/bin is a free privilege escalation for anyone on the machine).
- Your home directory is usually private: on most current distros, other users on the system can't read your files. Check with ls -ld ~ and, if the last three characters show r-x, tighten it with chmod 750 ~.
For more on how permissions work and how to fix common permission problems, see the permissions troubleshooting page.
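Two small checks for the mistakes above, as an added example that is not part of the original page: one lists everything under a directory that any user can write to (the usual aftermath of a chmod 777), skipping sticky-bit directories like /tmp where that is by design, and the other reports whether a home directory is readable by other users. It assumes GNU find and stat, which every mainstream desktop distro ships.

```shell
#!/bin/sh
# Added example: permission audit helpers. Assumes GNU find/stat.
# Usage: sudo sh permcheck.sh /usr    (hunt for chmod 777 damage)
#        sh permcheck.sh "$HOME"      (is my home private?)

# world_writable DIR -> every file or directory under DIR that any user can
# write to. Directories with the sticky bit (like /tmp) are skipped: there
# world-writable is intended, and the sticky bit stops users deleting each
# other's files.
world_writable() {
    # -perm -0002: "others" have write;  -perm -1000: sticky bit is set
    find "$1" -xdev \( -type f -perm -0002 \) -o \( -type d -perm -0002 ! -perm -1000 \) 2>/dev/null
}

# home_is_private DIR -> "private" if other users can neither read nor enter
# the directory, "exposed" otherwise. Group access is left alone because on
# most distros each user has a private group of their own.
home_is_private() {
    mode=$(stat -c '%a' "$1")       # e.g. 750
    others=$(( mode % 10 ))          # the last octal digit
    # read (4) lets them list it, execute (1) lets them traverse into it
    if [ $(( others & 5 )) -ne 0 ]; then echo exposed; else echo private; fi
}

if [ $# -ge 1 ]; then
    echo "$1 is $(home_is_private "$1") to other users"
    world_writable "$1"
fi
```

world_writable sends find's permission errors to /dev/null so an unprivileged run stays readable; run it with sudo when you want the whole filesystem covered. An empty result from a system directory is what you want; any hit there is worth a chmod o-w and a look at what put it there.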
Automatic Security Updates
If you're worried about forgetting to update, you can set up automatic security updates. Your system will download and install critical patches on its own.
Setting up automatic updates
Ubuntu / Mint / Debian (unattended-upgrades)
# Install (may already be installed on Ubuntu)
sudo apt install unattended-upgrades
# Enable it
sudo dpkg-reconfigure -plow unattended-upgrades
# Choose "Yes" when asked
# That's it! It will now automatically install security updates.
# To confirm it's actually switched on, "apt-config dump | grep Periodic"
# should show Unattended-Upgrade "1", and "systemctl list-timers 'apt-daily*'"
# should list two active timers.
# You can check the config at:
# /etc/apt/apt.conf.d/50unattended-upgrades
# The on/off switch itself lives in /etc/apt/apt.conf.d/20auto-upgrades
Fedora (dnf-automatic)
# Install
sudo dnf install dnf-automatic
# Enable the timer (this installs security updates automatically)
sudo systemctl enable --now dnf-automatic-install.timer
# On Fedora 41 and later, which use dnf5, the package is dnf5-plugin-automatic
# and the timer is dnf5-automatic.timer.
# To check the config:
# /etc/dnf/automatic.conf
# Set upgrade_type = security there to limit it to security fixes. If you
# prefer to review updates before they're applied, enable
# dnf-automatic-download.timer instead of the -install timer: it only
# downloads, and you install with "sudo dnf upgrade" when ready.
A note of caution: Automatic updates are great for security patches, but occasionally an update can cause issues (especially with NVIDIA drivers or custom kernel modules). If you run into problems after an automatic update, check our broken updates troubleshooting guide.
Use a VPN on Public WiFi
When you're on a coffee shop, airport, or hotel WiFi network, anyone on that network can potentially snoop on your traffic or tamper with it. HTTPS already protects the contents of most of what you do, but the network still sees which sites you visit (DNS lookups and server names go out in the clear) and can meddle with any plain HTTP traffic. A VPN wraps all of that in one encrypted tunnel to the provider, so the local network sees only encrypted traffic. Keep in mind that this moves your trust to the VPN provider rather than removing the need for it, so choose one carefully.
We have a full guide on choosing a provider, setting one up, and understanding what a VPN can (and can't) do for you:
Quick Security Checklist
Here's everything on this page in a quick reference you can come back to:
| What to Do | How Hard? | How Important? |
|---|---|---|
| Keep your system updated | Easy — just run updates | Critical |
| Use a regular user account, not root | Easy — it's the default | Critical |
| Use strong, unique passwords | Easy with a password manager | Very important |
| Enable a firewall | Easy — one command | Good practice |
| Install uBlock Origin | Easy — browser extension | Very important |
| Be careful with third-party repos | Just be mindful | Important |
| Encrypt your disk (LUKS) | Easy during install | Important for laptops |
| Set up automatic updates | Easy — a few commands | Nice to have |
| Use a VPN on public WiFi | Easy with a provider app | Good practice |