Five Linux Security Myths You Can Live Without - InformationWeek


Ignorance may be bliss, but a smoking crater where your Linux workstation once sat is not. Here are some common Linux security myths that you're better off living without.

Before I wrote this article, I went to some Linux newsgroups to find out what typical concerns among security-conscious Linux users might be. I asked, simply, what they felt were the biggest myths surrounding Linux security.

Boy, did I get an earful! It was as if I had gored someone's pet ox.

When I asked about the most common misperceptions of Linux security, I wasn't implying that Linux is any worse, or any better, than other operating systems. There are few "religions," however, with followers as zealous as those of Linux. As with any religion, you can't make zealots question the perfection of their belief systems.

It reminded me of an expression: You can always tell a Linux user--you just can't tell them much.

In spite of the flames, I got what I was looking for: The Linux security myths that are most likely to cause trouble for users and administrators. Some of these are more likely to trip up newbies, but they can turn up even among experienced users. And when you're talking about security, most of us deal with more than enough "trouble" without making any more for ourselves.

Here they are, listed in no particular order:

1. All distributions are equally secure, or insecure, right out of the box.

All distributions are not created equal: Some distros, by default, are very secure; others install with virtually no default security. A good source of independent information on the quality of distro security is, a site that supports the idea that some distros offer better security than others.

As a rule, some of the most popular and feature-laden distros, such as Fedora Core 3, are not built with immediate, instantaneous security in mind. But I've never found a Linux distro that an educated user can't make secure. Just remember that one size does not fit all: You always make a tradeoff between convenience and security. A knowledgeable user can lock down just about any distro tight--so tight that it's hard to get anything accomplished.

It's also up to users to keep an eye out for new vulnerabilities that appear all the time in various distros. The day I wrote this, in fact, Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, and Suse all sported new security-related updates, as discussed at

Over the years, I've installed a number of distros almost since the day they hatched. My current favorites for out-of-the-box security include Trustix, EnGarde, and Immunix, as well as the hardened versions of Gentoo and Debian. "Hardening" means that a distro vendor or developers have plugged standard security gaps, such as buffer overruns, right down to the compiler and even to the library level.

I'm also currently exploring a distro called Annvix, a secure, server-oriented distro based on Mandrakelinux. So far, so good: It looks secure, even right off the freshly burned CDs.

2. Linux Security by default is better or worse than Windows.

Want to start a fight? Go to any advocacy newsgroup, for either Windows or Linux, and agree--or disagree--with either side. Then watch the fireworks!

I've discovered that the default, unpatched versions of either product (including most Linux distributions) are full of security holes. Get the newest release, keep it up to date, and install with security in mind. Among other things, this means setting a root password stronger than "toor" or "guest," and not setting the permissions for important directories and files such as /kmem to "rwxrwxrwx", just as Windows admins should install passwords for all users and restrict dangerous administrative access privileges to those who require it.
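The two Linux-side checks in the paragraph above can be turned into a small audit, shown here as an added example that is not part of the original article. The function names (`empty_password_accounts`, `world_writable`, `audit_demo`) and the sample data are constructed for illustration; the demo runs on temporary files, not on the live system.

```shell
#!/bin/sh
# Added example: audit helpers for two misconfigurations the article names,
# a missing root password and world-writable ("rwxrwxrwx") system files.

# Print account names whose password field (2nd colon-separated field) is
# empty in a shadow-format file. "!" or "*" marks a locked account, which
# is not the same as an empty password, so those are not reported.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print each given path whose mode has the world-write bit (o+w) set.
# -prune stops find from descending into directories; symlinks are skipped
# because their own mode bits say nothing about the target.
world_writable() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        find "$p" -prune ! -type l -perm -0002 -print
    done
}

# Demo on constructed data in a scratch directory.
audit_demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed shadow-format lines: root has no password at all.
    printf '%s\n' \
        'root::19000:0:99999:7:::' \
        'daemon:*:19000:0:99999:7:::' \
        'alice:$6$constructed$notarealhash:19000:0:99999:7:::' > "$tmp/shadow"
    : > "$tmp/kmem";   chmod 777 "$tmp/kmem"    # stand-in for a sensitive file
    : > "$tmp/passwd"; chmod 644 "$tmp/passwd"
    echo "empty passwords: $(empty_password_accounts "$tmp/shadow")"
    echo "world-writable:  $(world_writable "$tmp/kmem" "$tmp/passwd")"
    rm -rf "$tmp"
}

audit_demo
```

On a real host the same functions can be pointed at `/etc/shadow` (readable only by root) and at whichever system files and directories you consider important.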

One real distinction between the two operating systems' default security settings lies in their networking settings, where Windows XP patched with Microsoft's Service Pack 2 offers excellent default security. My point isn't to belittle the standard installation of most Linux distros, but to emphasize that when it comes down to asking which OS has the bigger "Kick Me!" sign taped to its butt, you have to assume they're equally tempting targets. I'm not just speculating here: I installed Windows XP and a standard Linux distro, logging the number of attempted attacks on each system. Both basically took an equal number of attacks, but none of them got through either system's rudimentary, but carefully configured, software firewalls. Know what to expect from a distro's default security, and then take the time to lock it down.

3. Security is only a kernel/user-land/developer concern.

Security is everyone's concern, whether a workstation is networked to a T1/DS3 or still uses a dial-up modem. Don't forget simple physical security, either: One of my first security audits was brought to its knees when the Tiger Team took a brick to our server rack. And for home systems, few "attacks" are as dangerous as a child's poking finger and the words, "What's this do, Daddy?" (usually followed by a rapid fsck).

The fact is, the minute one group proclaims security someone else's problem, it becomes theirs. My experience is that if you remove all security protection, such as installing a system without a root password, the resulting problems are so complicated and so immediate that a clean reinstall is the easiest solution.
