
Security in Linux Ubuntu

Cybersecurity

9/7/2025

Introduction

When most people think about computer security, their minds immediately turn to Windows. This is for good reason, as the majority of global cyber attacks target Microsoft systems, because they remain the most widespread in corporate offices and at home. Windows remains the dominant desktop OS with a 74% global market share [1].

By comparison, Linux currently holds only around 2% of the desktop market [1]. However, its widespread use in server, IoT and cloud infrastructure makes it critically important in security discussions, just in a different way.

Shift towards Linux on the Desktop

There is growing momentum, particularly in Europe, to replace Windows with Linux in certain environments. The main drivers include:

  • Dependency on a single US company and concerns over digital sovereignty
  • Microsoft’s cumbersome and costly update policies for Windows 10/11
  • Security risks linked with proprietary, closed-source ecosystems

This trend is reflected by some governments and public institutions seeking independence, security, and cost efficiency. These institutions serve as an example:

  • Denmark: The Danish Ministry for Digital Affairs began phasing out Microsoft Windows/365 for about half of its staff in 2025, switching to Linux and LibreOffice as part of a national digital sovereignty strategy [2].
  • Germany (Schleswig-Holstein): The desktops of over 30,000 government workers are to be migrated from Windows to Linux and LibreOffice, with other open-source solutions adopted for email and data storage [3].

Windows vs. Linux: Security Models

Switching to Linux does not mean gaining “immunity” to attacks. Instead, Linux’s design philosophy simply shifts the security posture. While Windows has historically prioritized user convenience and backward compatibility, Linux emphasizes security by design:

  • Multi-user environments (no default single-user dominance)
  • Strict file permissions
  • Strong separation between regular users and administrators

These built-in safeguards reduce the attack surface, even though threats remain.

Linux in Critical Infrastructure

Far beyond the desktop, Linux is the backbone of global IT. As of 2025, it powers about 78% [1] of web-facing servers worldwide. Its dominance in servers, data centers, and cloud operations makes securing Linux environments a central topic for cybersecurity.

My Personal Motivation to Switch to Linux

My own move to Linux stems from both professional and personal considerations:

  • End of update services for existing Windows versions on my home PCs
  • As a lifelong learner, maintaining pace with ubiquitous technology
  • A desire to understand how hackers operate, since many attack tools and methods are developed on Linux

The Threat Landscape for Linux Today

  • Misconfigurations (in servers or cloud instances) are among the biggest risks: open ports, default or weak credentials, and overly permissive file and service permissions.
  • Exploit kits and targeted malware are growing, especially crypto-mining tools that silently consume your system's resources.
  • Social engineering targets the human factor: a careless click on a phishing link can compromise not only a PC, but also the business infrastructure it connects to.
  • Supply chain risks, where vulnerabilities hidden in software dependencies or packages are harder to spot, are increasingly exploited.

Attackers no longer ignore Linux. Its reputation for security is justified relative to some alternatives, but security is never an automatic feature. It must be actively maintained.

Building a Practical Security Baseline on Linux

The good news is that maintaining an acceptable level of security on Ubuntu doesn’t require professional IT skills. On the other hand, it is much more demanding than clicking a button to activate Windows Defender or to apply Windows Update.

It is most educational to apply these steps on a Linux Ubuntu machine yourself, as I did successfully in one day, including remote login via SSH and user account management.

A few high-level steps form a strong foundation:

  1. Stay current with updates: Regularly run apt update and apt upgrade. This closes gaps before they can be exploited.
  2. Control access and privileges: use sudo and su sparingly from only one account. Ensure strong, unique passwords and consider two-factor authentication where possible. Establish other accounts for specific purposes that are narrowly limited to their associated tasks (without sudo)
  3. Network protection: Configure a firewall, and set up SSH with a public/private key pair protected by a passphrase for secure remote access.
  4. Reduce attack surface: Uninstall software you do not use, and disable services listening for external connections.
  5. Backup and recovery: A working backup strategy remains your best line of defense against ransomware and hardware failure alike. Consider file encryption.

Together, these steps create a balance: enough security to repel common threats without overwhelming everyday users.

Practical Steps

On Debian-based distributions - including Ubuntu - these two commands are the most important step you can take: they install the security fixes that close known vulnerabilities before they can be exploited:


sudo apt update
sudo apt dist-upgrade

With the command


sudo apt autoremove

you remove packages that were installed automatically as dependencies and are no longer needed; apt shows the list and asks for confirmation before removing anything.

Getting Info about Available Upgrades by Default

Adding the command


run-parts /etc/update-motd.d/

to the bash configuration file ~/.bashrc prints, each time a Terminal is opened with bash, whether any upgrades are available (these are the same message-of-the-day scripts Ubuntu runs at login).

Extended Support by ESM Apps

The "Expanded Security Maintenance for Applications" (ESM Apps) service provides security updates for packages installed from Ubuntu's "universe" and "multiverse" repositories, which otherwise have no guaranteed security support. If you register on the Ubuntu One website, you can get an Ubuntu Pro subscription for free for up to 5 machines. Copy the token shown in the Ubuntu Pro dashboard and attach the machine with it:


sudo pro attach <token>

With


pro security-status --esm-apps

you can see which packages would get these updates. They are then applied with the next apt update and upgrade.

With the following configuration in /etc/apt/apt.conf.d/20auto-upgrades the system will still check for updates and show a message at the Terminal when any are available, but it won't automatically install them:


APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";

In case you would like to have an automatic upgrade procedure (without automatic reboot) run


sudo apt-get install unattended-upgrades

if it wasn't preinstalled on your machine.

In the next step run


sudo dpkg-reconfigure -plow unattended-upgrades

and select "yes" to activate it for automatic updates.

Be sure to have


APT::Periodic::Unattended-Upgrade "1";

set in /etc/apt/apt.conf.d/20auto-upgrades. Automatic reboot can be disabled by


Unattended-Upgrade::Automatic-Reboot "false";

in the configuration file /etc/apt/apt.conf.d/50unattended-upgrades (this is also the default when the line is left commented out).
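As an added example (not code from the article), the bash script below reads the two files just discussed and reports whether the policy described here is actually in place: list refresh on, unattended upgrades on, automatic reboot off. Comment lines and repeated definitions are handled the way apt handles them (the last definition wins). The sample files it runs on are constructed under a temporary directory for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the article): verify that the APT update policy on
# a machine matches the intended one: package lists refreshed daily,
# unattended security upgrades on, automatic reboots off.

# apt_conf_value FILE KEY: value of an apt.conf-style setting such as
#   APT::Periodic::Unattended-Upgrade "1";
# Comment lines (//) are ignored and, as in apt.conf, the last definition wins.
apt_conf_value() {
    local file="$1" key="$2"
    grep -v '^[[:space:]]*//' "$file" \
      | sed -n "s/^[[:space:]]*${key}[[:space:]]*\"\([^\"]*\)\";.*/\1/p" \
      | tail -n 1
}

# check_upgrade_policy PERIODIC_FILE UNATTENDED_FILE: print one finding per
# deviation and return 1 if there was any; otherwise print OK and return 0.
check_upgrade_policy() {
    local periodic="$1" unattended="$2" ok=0 lists upgrade reboot
    lists=$(apt_conf_value "$periodic" 'APT::Periodic::Update-Package-Lists')
    upgrade=$(apt_conf_value "$periodic" 'APT::Periodic::Unattended-Upgrade')
    reboot=$(apt_conf_value "$unattended" 'Unattended-Upgrade::Automatic-Reboot')
    [ "$lists" = "1" ]   || { echo "WARN: Update-Package-Lists is '${lists:-unset}', want 1"; ok=1; }
    [ "$upgrade" = "1" ] || { echo "WARN: Unattended-Upgrade is '${upgrade:-unset}', want 1"; ok=1; }
    # Automatic-Reboot defaults to false when the line is absent or commented out.
    [ "${reboot:-false}" = "false" ] || { echo "WARN: Automatic-Reboot is '$reboot', want false"; ok=1; }
    [ "$ok" -eq 0 ] && echo "OK: update policy as intended"
    return "$ok"
}

# Constructed sample files standing in for /etc/apt/apt.conf.d/20auto-upgrades
# and /etc/apt/apt.conf.d/50unattended-upgrades (example data, not real files).
demo_dir=$(mktemp -d)
cat > "$demo_dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
cat > "$demo_dir/50unattended-upgrades" <<'EOF'
// Automatically reboot *WITHOUT CONFIRMATION* if the file
// /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot "true";
EOF

# First run: the reboot setting is wrong and gets reported.
check_upgrade_policy "$demo_dir/20auto-upgrades" "$demo_dir/50unattended-upgrades" || echo "(policy deviates, fixing)"
# Correct the setting in place and check again: now OK.
sed -i 's/^Unattended-Upgrade::Automatic-Reboot "true";/Unattended-Upgrade::Automatic-Reboot "false";/' \
    "$demo_dir/50unattended-upgrades"
check_upgrade_policy "$demo_dir/20auto-upgrades" "$demo_dir/50unattended-upgrades"
```

Point it at the real files with check_upgrade_policy /etc/apt/apt.conf.d/20auto-upgrades /etc/apt/apt.conf.d/50unattended-upgrades. If a value seems to come from somewhere else, apt-config dump prints the merged view across every file in apt.conf.d.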

Has my Linux Machine been Compromised?

It is good to check whether the current state of affairs is secure. This allows you to define a baseline against which the security posture can be compared at any later point in time.

Who is currently logged in?

Check active user sessions by seeing who is currently logged in:


who
w
last -a | head

who and w enumerate the active logins, whether on a text terminal or a graphical seat; w additionally shows what each session is doing.

Important: in my case there is just one user, myself. Other valuable information in the output:

  • seat0 represents the system's local seat tied to the display manager
  • the user is logged in via virtual terminal tty2, to which GDM/gnome-session binds
  • a "-" in the FROM column means a local login, not via SSH; here at 6:44 a.m. on Saturday 6

The command last -a | head prints the most recent logins and reboots.

If this matches your own recollection of your working history, you can be reasonably confident that it was you and no one else. Supplementary information is in the last column, which the -a option moves to the end of each line: for reboot entries it shows the version of the kernel that was booted. With the command


uname -a

you get the kernel and Ubuntu versions. In my case it is 6.14.0-29 and 24.04.1, respectively. From https://ubuntu.com/kernel/lifecycle I see that I am up to date in that respect.

Processes that are currently running

The following command lists all active processes:


ps aux
ps -ef

It is not easy to discern anything unusual because of the large number of processes running. Identifying anything unusual requires experience, and that's what we are doing right now!

Active network connections

The following command lists all active network connections:


netstat -tunap
ss -tulnp

(netstat belongs to the net-tools package, which is no longer installed by default; ss is its replacement and is always available.) Run them with sudo so that the owning process of every socket is shown, then look for listening ports you did not configure and for established connections to addresses you do not recognize.
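Process and socket listings are only useful against a reference point. As an added example (not code from the article), the bash script below turns ss -tulnp output into a normalized snapshot of listening sockets and diffs a later snapshot against it. The two ss outputs are constructed for the demonstration; the new listener on port 4444 run by a hypothetical "nc" process is what the check is meant to catch, while the changed nginx worker pids are meant to be ignored.

```bash
#!/usr/bin/env bash
# Added example (not from the article): record a baseline of listening
# sockets and report anything that starts listening later. Process names are
# kept, but pids and file descriptors are dropped so that a mere service
# restart does not show up as a change.

# normalize_listeners: read `ss -tulnp` output on stdin, print
# "proto local-address:port process", sorted and de-duplicated.
normalize_listeners() {
    awk '$1 == "tcp" || $1 == "udp" {
        proc = "-"
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)   # name inside users:(("...",
        print $1, $5, proc
    }' | sort -u
}

# diff_listeners BASELINE CURRENT: print "+ ..." for new sockets and "- ..."
# for sockets that disappeared; return 1 if anything new is listening.
diff_listeners() {
    local added removed
    added=$(comm -13 "$1" "$2")
    removed=$(comm -23 "$1" "$2")
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    [ -n "$added" ]   && printf '%s\n' "$added"   | sed 's/^/+ /'
    [ -z "$added" ]
}

# Constructed `ss -tulnp` snapshots (example data, not from a real host). The
# second one has new nginx worker pids (harmless) and a new listener on 4444.
baseline_ss='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.54:53     0.0.0.0:*   users:(("systemd-resolve",pid=612,fd=16))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*   users:(("sshd",pid=900,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*   users:(("nginx",pid=1200,fd=6),("nginx",pid=1201,fd=6))'
current_ss='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.54:53     0.0.0.0:*   users:(("systemd-resolve",pid=612,fd=16))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*   users:(("sshd",pid=900,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*   users:(("nginx",pid=3100,fd=6),("nginx",pid=3101,fd=6))
tcp   LISTEN 0      10     0.0.0.0:4444      0.0.0.0:*   users:(("nc",pid=4242,fd=3))'

snap_dir=$(mktemp -d)
printf '%s\n' "$baseline_ss" | normalize_listeners > "$snap_dir/baseline.txt"
printf '%s\n' "$current_ss"  | normalize_listeners > "$snap_dir/current.txt"
# Prints "+ tcp 0.0.0.0:4444 nc" and nothing about nginx.
diff_listeners "$snap_dir/baseline.txt" "$snap_dir/current.txt" || echo "ALERT: new listener(s) since baseline"
```

On a real machine, record the baseline once with sudo ss -tulnp | normalize_listeners > ~/baseline-listeners.txt (sudo is needed to see the process behind sockets owned by other users) and later compare a fresh snapshot to it with diff_listeners. Because pids are dropped, a restarted service stays silent, while a new port, bind address or process name is reported.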

Check log files for failed or successful logins

The following commands list successful logins and logouts, for all users and for root alone (last reads /var/log/wtmp; failed attempts are not shown here but are recorded separately in /var/log/btmp):


last
last root

Look for logins at times or from hosts you do not recognize.

Check for suspicious users or groups

The following command lists all users and groups:


cat /etc/passwd
cat /etc/group

Look for accounts with UID 0 other than root, unfamiliar accounts with a login shell, and unexpected members of privileged groups such as sudo.

Rootkit scanning

Rootkit scanning is essential in Ubuntu because rootkits are stealthy types of malware that can hide deep within the operating system, often giving attackers complete, unauthorized control over the system while remaining undetected.

Install Rootkit Hunter with


sudo apt install rkhunter

Then update its data files with


sudo rkhunter --update

so that the scan uses the most recent rootkit fingerprints. (On Ubuntu the package ships with downloads disabled in /etc/rkhunter.conf via the WEB_CMD, UPDATE_MIRRORS and MIRRORS_MODE settings; if --update reports a configuration error, adjust these first.) The actual rootkit scan is done by


sudo rkhunter --check

This takes a while and provides a detailed list of traces of any known rootkits that might be present, including backdoors, sniffers and exploits.

The warning is associated with the fact that I had just downloaded curl. The file's checksum, permissions or timestamp had changed since rkhunter last recorded its "known good" database. This I was able to confirm from the log files.

After legitimate package updates, refresh that database with rkhunter --propupd so that the next scan starts from a clean baseline rather than reporting every updated binary.

The known rootkits are also scanned.

As a system admin it is a good idea to monitor when users have used sudo to run commands with elevated rights.


sudo grep sudo /var/log/auth.log

lists those invocations, including refused ones ("user NOT in sudoers", "incorrect password attempts").
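Grepping for "sudo" returns every matching line and leaves the reading to you. As an added example (not part of the article), the bash functions below extract from auth.log-style lines who ran what, which attempts were refused, and which invoking users are outside an admin allow-list. The log lines are constructed in the format sudo writes to syslog (not real log data), and the user names alice, mallory and the host name pc are invented for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the article): summarise sudo activity from an
# auth.log-style file: which user ran which command, who was refused, and
# which invoking users are not on the admin allow-list. Works on rsyslog
# lines ("sudo:") and on journalctl output ("sudo[pid]:").

# sudo_commands LOG: print "user<TAB>command" for successful invocations.
sudo_commands() {
    awk '/ sudo(\[[0-9]+\])?: / && /COMMAND=/ && !/NOT in sudoers/ && !/incorrect password/ {
        sub(/.* sudo(\[[0-9]+\])?:[ \t]*/, "")   # drop timestamp, host and "sudo:"
        user = $1                                # invoking user comes before " : "
        sub(/.*COMMAND=/, "")                    # keep only the command line
        print user "\t" $0
    }' "$1"
}

# sudo_denied LOG: print "user<TAB>reason" for refused attempts.
sudo_denied() {
    awk '/ sudo(\[[0-9]+\])?: / && (/NOT in sudoers/ || /incorrect password attempts/) {
        sub(/.* sudo(\[[0-9]+\])?:[ \t]*/, "")
        print $1 "\t" (/NOT in sudoers/ ? "not-in-sudoers" : "bad-password")
    }' "$1"
}

# sudo_unexpected LOG ADMIN...: print invoking users not in the allow-list;
# return 1 if there were any.
sudo_unexpected() {
    local log="$1"; shift
    local allowed=" $* " user found=0
    for user in $(sudo_commands "$log" | cut -f1 | sort -u); do
        case "$allowed" in
            *" $user "*) ;;
            *) echo "$user"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample in the format sudo writes to syslog (not real log data).
sudo_log=$(mktemp)
cat > "$sudo_log" <<'EOF'
2025-09-06T06:50:12.345678+02:00 pc sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
2025-09-06T06:50:12.400000+02:00 pc sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
2025-09-06T06:51:03.000000+02:00 pc sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt dist-upgrade
2025-09-06T07:02:44.000000+02:00 pc sudo:  mallory : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
2025-09-06T07:10:09.000000+02:00 pc sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/visudo
2025-09-06T23:41:50.000000+02:00 pc sudo[4711]: www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash
EOF

echo "== commands run via sudo";  sudo_commands "$sudo_log"
echo "== refused attempts";       sudo_denied "$sudo_log"
echo "== sudo users outside the admin list (alice)"
sudo_unexpected "$sudo_log" alice || echo "(investigate the accounts above)"
```

On Ubuntu releases that ship without rsyslog, /var/log/auth.log may not exist; the same records are available from journald with journalctl _COMM=sudo --no-pager, and the functions accept that output as well. A web server account such as www-data appearing as a sudo invoker, as in the constructed sample, is exactly the kind of line that deserves a closer look.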

Protective measures

AppArmor

AppArmor is a Linux kernel security module that enforces mandatory access control (MAC) policies for programs. It restricts applications' access to files, capabilities and networking, based on per-program profiles.

Usually it is preinstalled and enabled on Ubuntu; check the status with


systemctl status apparmor

It should say active (exited), shown in green. If it is not enabled, run


sudo systemctl enable --now apparmor

The command


sudo aa-status

gives a readout of what AppArmor is currently doing: which profiles are loaded, whether each is in enforce or complain mode, and which processes are confined.

In case aa-status lists processes as unconfined but with a profile defined, switch that profile to enforce mode by


sudo aa-enforce /etc/apparmor.d/<profile-name>

(aa-enforce, from the apparmor-utils package, takes a profile file, not the directory; a process for which no profile exists at all needs one written first, for example with aa-genprof.)

Firewall

The Uncomplicated Firewall (ufw) is installed on current versions of Ubuntu, but on a desktop installation it is not enabled by default. It offers a simplified set of commands to control which ports accept connections. Just one simple command is required to open or close any desired port.

Whenever you perform a ufw command, it will automatically configure both the IPv4 and the IPv6 rules. This alone is a huge time-saver, and much of what we've had to configure by hand with iptables is already there by default.

Check with


sudo systemctl status ufw 

that the service is running. With the command


sudo ufw status 

you see whether the firewall is active and which ports are open; if it reports inactive, enabling it gives the default policy of denying incoming and allowing outgoing traffic. Since I have not yet used SSH for remote login, I have only the ports


443/tcp
80/tcp 

open. An inbound allow rule only matters if a service is actually listening on that port. If I am not running a public web server, there is no reason to accept inbound connections on 80/tcp (or 443/tcp), so I remove the rule with


sudo ufw delete allow 80/tcp

(or sudo ufw status numbered followed by sudo ufw delete <number>). Appending sudo ufw deny 80/tcp instead would not help while the allow rule is still present, because ufw evaluates rules in order and the first match wins; once the allow rule is gone, the default deny policy already blocks the port. Note that this does not affect my own outgoing web browsing: the concern that passwords and other data travel unencrypted over plain HTTP applies to outgoing connections, which the default outgoing policy allows regardless.

Note: one should avoid sharing IP addresses publicly. In this case it is not critical, because the address shown is from a private (RFC 1918) range that is not routable on the public Internet.
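ufw status verbose tells you which ports are open, but with several rules it is easy to overlook which of them accept connections from the whole Internet rather than from your own network. As an added example (not part of the article), this bash function parses that output and flags every inbound allow rule whose source is Anywhere, while rules limited to a subnet pass. The rule table it runs on is constructed for the demonstration (the 192.168.178.0/24 SSH rule stands in for a home-network-only rule).

```bash
#!/usr/bin/env bash
# Added example (not from the article): audit `ufw status verbose` output.
# Reports: firewall inactive, default incoming policy not deny, and every
# inbound allow rule reachable from "Anywhere". Returns 1 on any finding.
ufw_audit() {
    awk '
        /^Status:/  { active = ($2 == "active") }
        /^Default:/ { deny_in = /deny \(incoming\)/ }
        / ALLOW IN / {
            for (i = 1; i <= NF; i++) if ($i == "IN") break   # source is the field after IN
            if ($(i + 1) == "Anywhere") {
                to = $1; if ($2 == "(v6)") to = to " (v6)"
                exposed[n++] = to
            }
        }
        END {
            bad = 0
            if (!active)            { print "WARN: ufw is not active"; bad = 1 }
            if (active && !deny_in) { print "WARN: default incoming policy is not deny"; bad = 1 }
            for (j = 0; j < n; j++) {
                print "EXPOSED: " exposed[j] " accepts inbound connections from anywhere"; bad = 1
            }
            if (!bad) print "OK: no rules open to the Internet"
            exit bad
        }'
}

# Constructed `sudo ufw status verbose` output (not from a real host).
ufw_sample='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    192.168.178.0/24
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# Expected: four EXPOSED lines (80 and 443, v4 and v6); the LAN-only SSH rule passes.
printf '%s\n' "$ufw_sample" | ufw_audit || echo "(review the rules above)"
```

On a real machine run sudo ufw status verbose | ufw_audit. If it reports the firewall inactive, sudo ufw enable turns it on with the deny-incoming/allow-outgoing defaults. To turn an exposed rule into a LAN-only one, delete it (sudo ufw delete allow 80/tcp) and re-add it with a source, e.g. sudo ufw allow from 192.168.178.0/24 to any port 80 proto tcp.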

Creating Accounts with Limited Privileges

It is good practice for security to have different user accounts, each provided with the rights to accomplish the tasks required for that user. Not more and not less.

First of all, let's check which users are members of the sudo group:


grep -Po '^sudo.+:\K.*$' /etc/group

Make sure that only your main administrative account is listed. Let's create a new user named limiteduser with minimal rights:


sudo adduser limiteduser

Give a password with enforced length (and complexity). If we stop here and do not assign further privileges, this command will confirm that access to sudo is denied:


sudo -l -U limiteduser

To see what actually can be achieved from the new account, temporarily log in by


su - limiteduser

Commands such as sudo ls /root should be denied.

Password Policy

As an admin it is good to check that no account is without a password (an empty second field in /etc/shadow; locked accounts show ! or * instead, which is fine). Use this command to rule that out:


sudo awk -F: '$2 == "" {print $1}' /etc/shadow

Password length and complexity rules are enforced through PAM by installing pwquality:


sudo apt-get install libpam-pwquality

In the configuration file /etc/security/pwquality.conf set minlen = 16 so that new passwords must have at least 16 characters. The rule applies whenever a password is set through PAM (passwd, adduser); root is exempt unless enforce_for_root is set there as well.
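The user and group checks from the compromise section above (UID 0 accounts, unfamiliar entries in /etc/passwd, sudo membership) and the empty-password check here come down to a handful of field comparisons that are easy to get wrong by eye. As an added example, not code from the article, the script below implements them as bash functions over passwd, shadow and group files and runs them against constructed copies; the accounts alice, limiteduser and toor, the group membership and the hash are invented for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the article): audit the account database for extra
# UID 0 accounts, accounts without a password, and sudo group members outside
# an approved admin list. Run as root on real files (shadow is root-readable).
uid0_accounts()           { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }
empty_password_accounts() { awk -F: '$2 == "" { print $1 }' "$1"; }
interactive_accounts()    { awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"; }
sudo_members() {
    awk -F: '$1 == "sudo" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# account_audit PASSWD SHADOW GROUP ADMIN...: print findings; return 1 if any.
account_audit() {
    local passwd="$1" shadow="$2" group="$3"; shift 3
    local allowed=" $* " bad=0 u
    echo "INFO: interactive accounts: $(interactive_accounts "$passwd" | tr '\n' ' ')"
    for u in $(uid0_accounts "$passwd"); do
        echo "CRITICAL: extra UID 0 account: $u"; bad=1
    done
    for u in $(empty_password_accounts "$shadow"); do
        echo "CRITICAL: account without password: $u"; bad=1
    done
    for u in $(sudo_members "$group"); do
        case "$allowed" in
            *" $u "*) ;;
            *) echo "WARN: sudo member not in admin list: $u"; bad=1 ;;
        esac
    done
    [ "$bad" -eq 0 ] && echo "OK: no account findings"
    return "$bad"
}

# Constructed passwd/shadow/group files (example data, not from a real host):
# toor is a second UID 0 account, limiteduser has an empty password field and
# was added to the sudo group; the hash for alice is not a real one.
acct=$(mktemp -d)
cat > "$acct/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
limiteduser:x: 1001:1001:,,,:/home/limiteduser:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
sed -i 's/^limiteduser:x: 1001/limiteduser:x:1001/' "$acct/passwd"   # keep the sample well-formed
cat > "$acct/shadow" <<'EOF'
root:*:20000:0:99999:7:::
daemon:*:20000:0:99999:7:::
www-data:*:20000:0:99999:7:::
alice:$y$j9T$saltsaltsalt$notarealhash:20000:0:99999:7:::
limiteduser::20000:0:99999:7:::
toor:!:20000:0:99999:7:::
EOF
cat > "$acct/group" <<'EOF'
root:x:0:
sudo:x:27:alice,limiteduser
users:x:100:
EOF

# Expected: two CRITICAL findings (toor, limiteduser) and one WARN (limiteduser in sudo).
account_audit "$acct/passwd" "$acct/shadow" "$acct/group" alice || echo "(findings above need attention)"
```

For the live system, save the functions to a file and run it as root, calling account_audit /etc/passwd /etc/shadow /etc/group followed by the names of the accounts that are allowed to hold sudo. Re-running it after every account change, and comparing with the first run, is the baseline idea from the compromise section in executable form.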

Logging into the Ubuntu Server via SSH with PKI and Passphrase

There are times when you want to access the Linux server via a remote connection. SSH is an encrypted communication channel. The SSH protocol uses strong industry-standard encryption to protect the confidentiality and integrity of all data transmitted between the client and server.

SSH access should use public/private key pairs rather than passwords. Disabling password authentication removes online password guessing as an attack path and ensures that only holders of a valid private key can access the server.

Go to Git Bash on the remote machine (e.g. Windows) and run the command


ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

You will be asked where to save the key pair. Press Enter to accept the default location (/c/Users/YourName/.ssh/id_rsa for Git Bash; the public key is stored next to it as id_rsa.pub).

In the next step, set a passphrase; it encrypts the private key on disk, so a copied key file alone is useless to a thief. Copy the public key to the Linux server, append it to ~/.ssh/authorized_keys there, and restrict the file so that only its owner can read and write it (mode 600 is owner read/write, not executable; the ~/.ssh directory itself should be mode 700):


chmod 600 ~/.ssh/authorized_keys

With this command on the Linux machine's firewall ufw I make SSH reachable from the home network only (this is important if you do not need to access it from the Internet!):


sudo ufw allow from 192.168.178.0/24 to any port 22

By using


sudo ufw status verbose

I can check that port 22 allows only traffic in from the home subnet. Now I can go back to a remote machine (e.g. Windows) and use the command


ssh user@

where I insert the IP address of the Linux server.

I will be asked to type in the passphrase. The connection between the client and the server is authenticated by the correct private-public key combination. It provides also data integrity for the authentication process itself. The public/private key mechanism proves the identity (authentication) of the client to the server by demonstrating possession of the private key, without the private key ever being transmitted.

It is good practice to disable password-based SSH access to the Linux server (the password of the user account on Linux) in /etc/ssh/sshd_config by applying the following settings:


PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication no

Leave UsePAM yes as Ubuntu ships it: with password and keyboard-interactive authentication switched off, PAM no longer offers a password path, while turning it off entirely would also disable the PAM account and session handling. Two things to check before restarting. First, on Ubuntu 22.04 and later the main file includes /etc/ssh/sshd_config.d/*.conf near its top, and since sshd uses the first value it reads for a keyword, a drop-in file there (some cloud images ship one that sets PasswordAuthentication yes) silently overrides the main file. Second, keep your current session open and confirm the key-based login from a second terminal, so that a mistake cannot lock you out. Then restart the SSH service by


sudo systemctl restart ssh

(Ubuntu names the unit ssh; sshd is accepted as an alias.)

It is also advisable to prevent the root user from logging in via SSH. This is achieved by opening the same /etc/ssh/sshd_config and applying the following setting:


PermitRootLogin no
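Editing sshd_config is only half the job; the value that matters is the one sshd ends up using after all included files are read. As an added example (not code from the article), the bash script below resolves the effective value of a keyword the way sshd does (following Include directives, first value wins, lines after a Match block ignored) and checks the hardening settings above against it. The configuration it runs on is constructed under a temporary directory: a hardened main file plus a drop-in named after the cloud-init one that re-enables passwords, which is the trap the check is meant to expose.

```bash
#!/usr/bin/env bash
# Added example (not from the article): determine the settings sshd will
# actually use, following Include directives, and warn when the hardening
# settings are not in effect. sshd uses the FIRST value it reads for a
# keyword, so a drop-in under sshd_config.d, which Ubuntu includes at the top
# of the main file, wins over a later line in sshd_config.

# sshd_lines FILE: print "Keyword value" lines in the order sshd reads them.
# Lines after a Match block are conditional and are skipped.
sshd_lines() {
    local file="$1" key val inc
    [ -r "$file" ] || return 0
    while read -r key val; do
        case "$key" in
            ''|'#'*)    continue ;;
            [Ii]nclude) for inc in $val; do sshd_lines "$inc"; done ;;  # shell expands the glob
            [Mm]atch)   break ;;
            *)          printf '%s %s\n' "$key" "$val" ;;
        esac
    done < "$file"
}

# sshd_setting FILE KEYWORD: the effective value (lower-cased), or empty if
# the keyword is never set and the compiled-in default applies.
sshd_setting() {
    sshd_lines "$1" | awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == k { print tolower($2); exit }'
}

# check_sshd_hardening FILE: compare against the wanted values; the third
# column is the OpenSSH default that applies when the keyword is unset.
check_sshd_hardening() {
    local cfg="$1" bad=0 key want def got
    while read -r key want def; do
        got=$(sshd_setting "$cfg" "$key")
        got=${got:-$def}
        if [ "$got" != "$want" ]; then
            echo "WARN: $key is $got (want $want)"; bad=1
        fi
    done <<'EOF'
PasswordAuthentication no yes
KbdInteractiveAuthentication no yes
PermitRootLogin no prohibit-password
PermitEmptyPasswords no no
EOF
    [ "$bad" -eq 0 ] && echo "OK: sshd hardening settings in place"
    return "$bad"
}

# Constructed demo: a hardened main file plus a cloud-init style drop-in that
# re-enables passwords (paths and contents are made up for the example).
ssh_demo=$(mktemp -d)
mkdir "$ssh_demo/sshd_config.d"
cat > "$ssh_demo/sshd_config" <<EOF
Include $ssh_demo/sshd_config.d/*.conf
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication no
PermitRootLogin no
EOF
echo 'PasswordAuthentication yes' > "$ssh_demo/sshd_config.d/50-cloud-init.conf"

# Expected: "WARN: PasswordAuthentication is yes (want no)", because the
# included drop-in is read before the main file's own line.
check_sshd_hardening "$ssh_demo/sshd_config" || echo "(fix or remove the drop-in, then re-check)"
```

On the server itself, run check_sshd_hardening /etc/ssh/sshd_config with sudo (the drop-in files are usually root-only). The authoritative answer always comes from sshd -T, which prints the fully resolved configuration and is worth running after every change; the script reproduces its include and first-match behaviour for the few keywords that matter here.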

The attack surface can be further reduced by removing software packages or utilities that you do not use (purge also removes their configuration files). I did this by applying the following command:


sudo apt-get purge --auto-remove telnetd ftp vsftpd samba nfs-kernel-server nfs-common

Conclusion

Linux security demands careful attention to detail and a willingness to invest time in truly understanding how Ubuntu systems work. The steps to harden the setup, from managing users and setting up firewalls to regular updates and granular configuration, can seem daunting at first. That investment yields significant rewards, though.

By engaging with these processes, I reinforced my understanding where threats linger and gained deeper insight into the protective measures available for my environment. Ultimately, this empowers any user to implement robust, tailored defenses and maintain control over the security of the Linux Ubuntu system.

References

[1] "Linux Statistics 2025: Desktop, Server, Cloud & Community Trends", by Tushar Thakur, August 3, 2025, URL: https://sqmagazine.co.uk/linux-statistics/

[2] "Denmark wants to replace Windows and Office with Linux and LibreOffice as it seeks to embrace digital sovereignty", URL: https://www.techradar.com/pro/denmark-wants-to-replace-windows-and-office-with-linux-and-libreoffice-as-it-seeks-to-embrace-digital-sovereignty

[3] "Von Microsoft zu Open Source: Wie Schleswig-Holstein den Wechsel schaffen will", URL: https://www.heise.de/hintergrund/Von-Microsoft-zu-Open-Source-Wie-Schleswig-Holstein-den-Wechsel-schaffen-will-10279400.html

The following two sources were very helpful for me and were directly applicable in practice:

[4] "Mastering Linux Security and Hardening" - Second Edition, by Donald. A. Tevault, Packt Publishing, Feb 2020

[5] "10 Basic Ways to Secure Ubuntu from Hackers", youtube video by Tony Teaches Tech, URL: https://www.youtube.com/watch?v=rxOTDG1peLw
