How to secure and use Linux.

This page updated: June 2019



Applications section
Things To Do section
Miscellaneous section









Applications



(In Linux Mint, at least:) Any time you hear of an application you'd like to try, first go to the Start menu and see if it's already installed on your system. If not, go to Software Manager and see if it's available there. [But check whether the version you get is seriously old.] If not, go to the web site for the application and get it from there.

Applications that work well and I use have a green check-mark next to them.



Password Manager:

VPN:

GUI Text Editor:

CLI Text Editor:

Source Code Editor:
GitHub:
Alistair Ross's "Howto: What is Git and Github? How do I use it and why should I care?"
See "Using GitHub" section of my Computers page

Markdown editors:
Add Markdown AllInOne + Markdown Preview Enhanced extensions to VSCode. Or:
Boostnote
Remarkable
voldyman / MarkMyWords

PDF Viewer and Editor:
Adobe no longer supports Linux for PDF viewing and editing.

I think "annotating" a PDF is not the same as "doing form-filling". Neither is the same as "editing". And there are two types of form-filling: "XFA" and "AcroForms".

I ended up having to go to a Windows machine to do my PDF tax forms.

poppler-utils ? PDF Chain / pdfchain ?
quickfill add-on for Chromium ?
Xournal (does annotation, writing over top of a PDF that is used as the background image).

Useful online service: Pdf2Jpg.net

From someone on reddit:
I was not looking forward to today because I was under the impression that I was going to have to set up a cracked version of Windows on a VM so that I could use a free trial of Acrobat Pro to do a simple (but time-sensitive) PDF edit on my xubuntu machine.

That was before I stumbled upon pdftk.

The process was quite simple:
sudo apt-get install pdftk
pdftk PDF_File.pdf burst  # This command strips out all of the pages and creates individual .pdf files

# Sign the signature page with GIMP
# Create a new page to add new text with LibreOffice
# Paste signature into new page and export as PDF

ls *.pdf >> pdf-filenames.txt  # Create a file of individual page names
value=$(<pdf-filenames.txt)  # Assign page names to bash variable
pdftk $value cat output Merged_Document.pdf  # Merge the files back into one
[There is also a Python package to do stuff like this, PyPDF2.]


Diagram And Flowchart Editors:
Farm-Fresh web icons

Genealogy (family tree):
Steve Emms' "8 Best Free Linux Family History Software"









Web Site Tools:
Alistair Ross's "How to password protect web sites via .htaccess"
Alistair Ross's "Quick and dirty hacks: one line HTTP Server"

Downloading Videos and Images:
VLC has a "Record" function that's supposed to let you save any video VLC is playing, but Record totally sucks, don't use it.

For downloading videos, use browser add-on "Video DownloadHelper" by mig, and install the companion app that it uses.

Recording Desktop Activity:
Vokoscreen.

Recording CLI Activity:

Image Viewing and Editing:
FOSS Linux's "How to Resize Images by Command line in Ubuntu"
Alistair Ross's "Quick Tip: convert images at the command line with ImageMagick"

Video Editor:
Tried Kdenlive and Openshot-qt video editors, but way too complicated for me, all I want to do is cut segments out of existing videos.

Installed VidCutter video editor through Mint's Software Manager. Unfortunately a couple of GB of stuff came with it; it uses KDE stuff. But the app does what I want, without too much hassle.

Shotcut. Flowblade. Davinci Resolve (using installer script). Pitivi. Lightworks. Olive

FOSS Linux's "How to capture screenshot GIF, and Video with Audio, from command line"
Alistair Ross's "Screencast recording with Green Recorder"
Rotating videos with FFmpeg
SK's "20+ FFmpeg Commands For Beginners"

Encryption etc:

Communication:

Backup and Restore:
Good idea to save snapshots of output from "sudo fdisk --list" and "lsblk --fs --list --paths" into files, and back up those files, so you can rebuild the configuration of your system if necessary. Also copy /etc/fstab to somewhere that will get backed up.

Good idea to save browser things such as bookmarks, settings of "trained" browser add-ons (such as uBlock Origin, uMatrix, Privacy Badger, CanvasBlocker), digital certificates, into files and back those up.

Aaron Kili's "24 Outstanding Backup Utilities for Linux Systems in 2018"

Anti-Virus and Malware Scanners:
For every product, you can find detractors. It slows down the system, increases the attack surface, runs at too high a privilege level, has a history of exploits, gives too many false positives, etc.

Some people say there is no risk of malware on Linux, but this is less true every year. Now that most of the world's servers and most of the IoT devices are running some form of Unix/Linux, attacks and malware are becoming more and more common. Now that home users spend 90% of their time in a browser, browser and browser add-on exploits are a big risk. Attack surfaces such as code/macro engines inside "smart" documents such as MS Office and PDF documents, or inside email clients, are similar to those in any other OS. Java, Javascript, Python, etc, everything is trying to become cross-platform.

From someone on reddit 3/2019:
Cybersecurity blue team here, in the wild we probably see more Linux payloads than we do Windows due to the high number of servers that run enterprise Linux. That being said, botnet attacks and scripted exploits normally drop and try to execute both Windows and Linux versions of the same payload which is super scary to see. Linux doesn't protect you from viruses at all. In fact, thinking you're more secure just for running Linux is deluded, new privilege escalations are released almost daily. If you stay on top of it, you could own someone's laptop pretty trivially with some help from exploit-db.

Also see:
Wikipedia's "Linux malware"
Catalin Cimpanu's "ESET discovers 21 new Linux malware families"
Paolo Rovelli's "Don't believe these four myths about Linux security"


Moe Long's "The 7 Best Free Linux Anti-Virus Programs"
Tecmint's "The 8 Best Free Anti-Virus Programs for Linux"
Dave Taylor's "Linux antivirus and anti malware: 8 top tools"

Easy Linux tips project's "Security in Linux Mint: an explanation and some tips" strongly advises NOT installing anti-virus software, and gives reasons.



See the "Testing your defenses" section of my "Computer Security and Privacy" page.

Application Control and Security:
My evaluation:
The mainstream solutions (at least, in Mint) seem to be Firejail and AppArmor.



Network Control and Security:
This section is for tools that generally run unattended. For tools used by a person, see the Network Monitoring section.

Some terms:

Ubuntu's "DoINeedAFirewall"

You can change your MAC address to any value, either for Wi-Fi or for wired Ethernet, via Mint's Network application or Ubuntu's Network Manager application.

Open Source Intrusion Detection Tools: A Quick Overview

CLI Shell:
There are lots of other alternatives: dash, ksh, oksh, csh, tcsh, loksh, mksh, yash, etc.

Office:


Word Online: can be used for free by anyone with an Outlook.com or Hotmail account.

Office 365 is a home and business subscription service. Some subscription plans offer desktop Office but others don't. Some plans include web services like business email and Azure AD but others don't.

From someone on reddit 7/2019:
[For small-business use:]
Honestly, Linux Desktop isn't really business-ready at the moment. It's getting close but it's not there.

For office work you need Microsoft Office, be it Word, Powerpoint, Visio, or Excel.

Some will say you can use LibreOffice, or other open-source. But the main problems are the same tasks are not always possible (try setting sequential formulas in an excel sheet with the Ctrl + Enter on Libre), and when you create documents in these alternatives, they don't look the same when opened with Microsoft Office (i.e. vendors or clients you deal with will see this as unprofessional).

An issue I see, as a home user, is that the printer drivers seem to be a little different. Maybe it's a bug in my distro (Mint) or apps or the driver for my printer (HP 363x series), but same printer on Linux and Windows gives slightly different margins, occasionally edges of some docs on Linux get slightly cut off, and no way to fix it that I can find.

Robert Zak's "How to Open a docx File without Microsoft Office"

Virtual Machine:
A virtual machine has a complete copy of an operating system in it; a container shares a single underlying OS with other containers, mediated by the container framework/engine. VMs are a much more mature technology and have CPU support, so are more secure in general. An emulator is a VM that has a veneer of a different operating system in it.

ZeroSec's "Learning the Ropes 101 - Virtualisation"
da667's "Resources for Building Virtual Machine Labs Live Training"
SK's "How To Check If A Linux System Is Physical Or Virtual Machine"
SK's "OSBoxes - Free Unix/Linux Virtual machines for VMWare and VirtualBox"

By the way, virtualenv for Python is just a way of running a Python app with a certain set of libraries. Despite the name, it is not a virtual machine, and the app is not isolated from the OS.

Emulator:


Container System:

Wikipedia's "Linux containers"
Alistair Ross's "What is Docker (and Linux containers)?"
Opensource.com's "What are Linux containers?"

Containers on Linux generally use namespaces, cgroups, and (on SELinux) seccomp to confine the app and strip services from its environment.

[I think I'm mixing container systems (Docker etc), app frameworks (Node etc), and deployment frameworks (Flatpak etc) in here. Not sure.]

OSTechNix's "Linux Package Managers Compared - AppImage vs Snap vs Flatpak"
From someone on reddit:
Snap is hard wired to Ubuntu and does not contain basic libs that exist in Ubuntu.
Flatpak is designed to be cross-distro, and packages everything.
AppImage contains as many libs as its developer decided to put in it.


Database:
Jack Wallen's "An Introduction to MySQL"
Gabriel Canepa's "Learn MySQL / MariaDB for Beginners - Part 1"
Gabriel Canepa's "How to Install, Secure and Performance Tuning of MariaDB Database Server"
Carla Schroder's "What Is NoSQL?"
Muhammad Arul's "How to Install and Configure MongoDB on Ubuntu 18.04 LTS"

Remote Access (Remote Desktop) to Linux machine:

TeamViewer installs a version of Wine (probably not good).
AnyDesk
NoMachine



System Hardware Monitoring and Control:
Use "Disks" app, or install "GSmartControl" app through Software Manager, to test hard disk and see SMART info.
Thomas-Krenn's "SMART tests with smartctl"

Software Resource Monitoring:

Network Monitoring:
This section is for tools used by a person. For tools that generally run unattended, see the Network Control And Security section.

Some terms:

Hayden James' "Linux Networking commands and scripts"

Security Testing and Penetration Testing:



Some applications are written to work only in a specific GUI framework, such as KDE or Gnome. Others are written to work inside a cross-platform framework, such as Electron or Node.js or Ruby Rails, that then has versions which run inside various lower frameworks, such as KDE or Gnome.

There are some application-deployment frameworks, such as Docker and Ansible.

Easy Linux tips project's "Firefox: optimize its settings"
Easy Linux tips project's "Google Chrome and Chromium: improve their settings"

Alistair Ross's "Review: Download Managers for Linux"

Lilite: A Linux Autoinstaller

Fonts:
ArchLinux's "Font configuration"
Install fontconfig-infinality.
cryzed / fix-infinality.md

Linux4one's "How to Install Google Earth on Linux Mint 19"
But it's available through Mint's Software Manager too.
If all searches go to equator, edit /opt/google/earth/free/googleearth (or /opt/google/earth/pro/googleearth ?) to add a line "export LC_NUMERIC=en_US.UTF-8" before line that starts with "LD_LIBRARY_PATH".

cboxdoerfer / fsearch (fast file search utility)
Joey Sneddon's "Linux File Search Tool 'Catfish' Just Got Even Faster"

Check hash of a file you downloaded:
Alexandru Andrei's "How to Verify Authenticity of Linux Software with Digital Signatures"
drewblay / Compare-File-To-Hash

Robert Zak's "16 of the Best Free Games For Linux"



My "Develop a Desktop Application" page













Things To Do



Work your way through some basic tutorials:
Linux Journey
LinuxCommand.org
Linux Survival
Ubuntu's "Using The Terminal"
Ryans Tutorials' "Linux Tutorial"

Far more in-depth:
Sven Vermeulen's "Linux Sea"
David A Rusling's "The Linux Kernel" (circa 1999)
The Linux Kernel documentation



Tightening Security:
Really, it seems that 95% of the vulnerabilities are eliminated if you just don't run a web server on your machine. Also don't run SSH or FTP or other login-type services, and keep software updated, and you're above 99%.

From older version of Easy Linux tips project's "Security in Linux Mint: an explanation and some tips":
"Don't install Windows emulators such as Wine, PlayOnLinux and CrossOver, or the Mono infrastructure, in your Linux, because they make your Linux partially vulnerable to Windows malware. Mono is present by default in Linux Mint; run 'sudo apt-get remove mono-runtime-common' to get rid of Mono."
[First run 'sudo apt-get --simulate remove mono-runtime-common' to see what else you'd lose.]

Ask Ubuntu's "What are PPAs and how do I use them?"
But: "One thing to keep in mind about using PPAs (Personal Package Archives) is that when you add a PPA to your Software Sources, you're giving Administrative access (root) to everyone that can upload to that PPA. Packages in PPAs have access to your entire system as they get installed (just like a regular package from the main Ubuntu Archive), so always decide if you trust a PPA before you add it to your system."


Easy Linux tips project's "Security in Linux Mint: an explanation and some tips"
The Empire's "An Ubuntu Hardening Guide"
Brandon J. L.'s "Linux Security 101: Hardening Your System for The Common Geek"
lfit's "Linux workstation security checklist"

SK's "How To Password Protect GRUB Bootloader In Linux"
[But that doesn't protect against booting from USB drive.]

See Anti-Virus and Malware Scanners section.

See Application Control and Security section.

Tightening Privacy:



Reporting Bugs:
On Mint, run System Reports application to see any crash reports.

Run "apt show PKGNAME" to get info about a package, including URLs for bug-reporting and source code.

For any problem, check the version number of the software you are running, and what the latest released version number is. Is it possible for you to upgrade and re-test?

Rocket2DMn's "Improving Ubuntu: A Beginners Guide to Filing Bug Reports"
Brendan Hesse's "How to Submit a Bug Report to Apple, Google, Facebook, Twitter, Microsoft, and More"



Accounts:
Run "sudo more /etc/shadow". Any account with password field (2nd field) set to a single character such as "*" or "!" or "x" is blocked from login: no possible password can be typed to log into that account.

My understanding of accounts:

Ubuntu's "RootSudo"

Some command-line ways to list all users: "getent passwd", "compgen -u", "cat /etc/passwd".

List users with no password set: "sudo awk -F: '($2 == "") {print}' /etc/shadow"

List users with UID set to 0 (superuser): "sudo awk -F: '($3 == "0") {print}' /etc/passwd"
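
An added example (not from the original page): the /etc/shadow and /etc/passwd checks above combined into one audit that classifies every account by its password field and reports empty passwords and extra UID-0 accounts. It goes slightly beyond the text by also recognising a hash prefixed with "!" (the form left by "passwd -l"); the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit shadow-format and passwd-format files.
# All function names are hypothetical; the sample data below is constructed.

# Print "user<TAB>state" for each entry of a shadow-format file ($1).
classify_shadow() {
    awk -F: '
        /^#/ || NF < 2 { next }                      # skip comments and junk lines
        {
            pw = $2
            if (pw == "")                          state = "EMPTY"    # no password needed
            else if (pw ~ /^[!*]+$/ || pw == "x")  state = "NOLOGIN"  # no hash can match
            else if (substr(pw, 1, 1) == "!")      state = "LOCKED"   # hash disabled by "!"
            else if (substr(pw, 1, 1) == "$")      state = "HASHED"   # normal crypt hash
            else                                   state = "UNKNOWN"  # review by hand
            printf "%s\t%s\n", $1, state
        }' "$1"
}

# Print the name of every account whose UID field is 0 in a passwd-format file ($1).
uid0_accounts() {
    awk -F: '$3 ~ /^0+$/ { print $1 }' "$1"
}

# Print only the entries that need attention.
# $1 = shadow-format file, $2 = passwd-format file
findings() {
    classify_shadow "$1" | awk -F'\t' '$2 == "EMPTY" { print "empty-password: " $1 }'
    uid0_accounts "$2"   | awk '$1 != "root" { print "extra-uid0: " $1 }'
}

# --- Constructed sample data (not real hashes, not from a real system) ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$c0nstructed$notARealHashValue:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
backup:!:18000:0:99999:7:::
alice:$y$j9T$c0nstructed$notARealHashValue:18000:0:99999:7:::
bob:!$6$c0nstructed$notARealHashValue:18000:0:99999:7:::
guest::18000:0:99999:7:::
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:second superuser:/root:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
EOF

classify_shadow "$SAMPLE_DIR/shadow"
findings "$SAMPLE_DIR/shadow" "$SAMPLE_DIR/passwd"
```

On a real system, point the functions at /etc/shadow and /etc/passwd and run the script with sudo, since /etc/shadow is not readable by ordinary users.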

List info about a user: "id user1"

Set limits on users or groups: /etc/security/limits.conf

Login security can be defeated if attacker has physical access:
Alarming article about (a hole in) account security:
Abhishek Prakash's "How to Reset Ubuntu Password in 2 Minutes" (boot into Recovery mode)
Maybe there is some way to password-protect GRUB, or maybe this doesn't work if /home is encrypted ?
SK's "How To Password Protect GRUB Bootloader In Linux"

Another way to change passwords if you have physical access: boot the machine from a Live system on USB or CD, do "sudo -i", do chroot to the main system disk, do "passwd $username".

Ask Ubuntu's "How do I reset a lost administrative password?" (boot into Recovery mode)
SK's "How To Reset Root User Password In Linux"

Not sure, but I think these methods work even if user's home is encrypted. Access to the disk encryption passphrase is controlled by the user permissions, so once you login as the user (with any or empty password), software can decrypt the user's home.

PAM (Pluggable Authentication Modules):
Files in /etc/pam.d directory.

To enable TOTP on desktop logins:
If you're going to enable this, I would save a copy of "/etc/pam.d/lightdm", then create another user account, login to that account, and enable TOTP on that account, to make sure everything works.

Chris Hoffman's "How to Log In To Your Linux Desktop With Google Authenticator"
nixCraft's "Secure Your Linux Desktop and SSH Login Using Two Factor Google Authenticator"

"sudo apt-get install libpam-google-authenticator".
"man google-authenticator".

Keyring / GnomeKeyring / ksecretservice:
GNOME Keyring
Keyrings(7) man page
LZone's "Using Linux keyring secrets from your scripts"
On CLI, do "cat /proc/keys" to see some of the keys in the keyring.
On CLI, do "man keyctl".

SSH logins:
Chris Hoffman's "How to Secure SSH with Google Authenticator’s Two-Factor Authentication"
Linuxaria's "Add security to your ssh daemon with PAM module"

From Ravi Saive's "How to Setup Two-Factor Authentication (Google Authenticator) for SSH Logins":
"Important: The two-factor authentication works with password based SSH login. If you are using any private/public key SSH session, it will ignore two-factor authentication and log you in directly."


SK's "How To Configure SSH Key-based Authentication In Linux"
Alistair Ross's "How To Set Up SSH Keys"
Carla Schroder's "5 SSH Hardening Tips"



Security Test / Audit:


Lynis
Server Density's "80 Linux Monitoring Tools"
tcpdump:
Daniel Miessler's "A tcpdump Tutorial and Primer with Examples"
"sudo tcpdump -i lo -A | grep Host:"
iptraf
iptop
ntop
netstat: "sudo netstat -atupl"
lsof: "sudo lsof -i" to see established connections.
ss: "sudo ss -lptu".
NixCraft's "ss command: Display Linux TCP / UDP Network/Socket Information"
NixCraft's "Linux: 25 Iptables Netfilter Firewall Examples For New SysAdmins" (see "27. Testing Your Firewall")
firewalld
nethogs: install from Mint's Software Manager, and then "sudo nethogs"
ngrep
auditd

CERT's "Intruder Detection Checklist"

See the "Port scanning and router testing" section of my "Computer Security and Privacy" page.

SEI's "Steps for Recovering from a UNIX or NT System Compromise" (PDF)



Connecting Linux and Windows:
Separate Linux machine and Windows machine:

Could just format a USB drive as NTFS and move it back and forth.

Create file-share on Linux:
Mohd Sohail's "Share Folders On Local Network Between Ubuntu And Windows"
Jonathan Moeller's "Install & Configure Samba On Linux Mint 19"
Also Nemo-share extension to Nemo.

Create a file-share on Windows:
In Windows, create file-share, add permission in BOTH Sharing and Security. Then in browser on Linux, go to address "smb://IPADDRESS/SHARENAME", login with Windows account username and password.

Various ways:
Sandra Henry-Stocker's "How to share files between Linux and Windows"
Sandra Henry-Stocker's "Moving files between Unix and Windows systems"
Kristen Waters' "How to Mount SMB or NFS Shares With Ubuntu"
/u/Schlingnt's guide
In Linux Mint, Nemo file explorer has a "File / Connect to Server ..." menu item.

In a single-machine dual-booting situation:

Mount Linux filesystem while running Windows:
Mount the Windows main partition (NTFS filesystem) for read/write access under Linux:

Windows must be fully shut down, not hibernated, to allow Linux to have read/write access to the Windows partition. If all you want is read-only access in Linux, ignore the rest of this section.

In Windows 10, normally if you select "Start / Shutdown", it hibernates, doesn't fully shut down.

Ways to make Windows fully shut down:
  • Turn off "Fast Startup", and now "Start / Shutdown" will do a full shutdown.
  • Hold down Shift key while selecting "Start / Shutdown", and it will do a full shutdown.
I think it's best to leave "Fast Startup" turned off. But Windows will start up slower.

Chris Hoffman's "How to Mount Your Windows 10 (or 8) System Drive on Linux"
Unix & Linux Stack Exchange's "How to mount the 'D:\' disk of Windows in linux mint?"
community.linuxmint.com's "gnome-disk-utility"

But: Ubuntu 18 / Mint Tara automatically recognizes Windows OS partition in a dual-boot system and mounts it; no package installation or other steps needed. It was read-only in my live session, maybe because I didn't shut down Windows fully.





Connecting Two Linux Machines:
Alexandru Andrei's "How to Use Netcat to Quickly Transfer Files Between Linux Computers"
Jonathan Moeller's "Install & Configure Samba On Linux Mint 19"



Special hardware:




After using Linux for a while:




Magic key-sequences:


Eric Simard's "Frozen Linux System? Here are 3 Ways to Deal With It"
superuser's "Does Linux have a Ctrl+Alt+Del equivalent?"
kember's "REISUB - the gentle Linux restart"
Wikipedia's "Magic SysRq key"



Problems and troubleshooting:


Easy Linux tips project's "Solutions for 27 bugs in Linux Mint 19.1"
Easy Linux tips project's "System hacks for advanced Linux Mint users"



/r/linuxmint
Easy Linux tips project's "Complete starters' guide for Linux Mint"
Linux Mint
community.linuxmint.com's "The Linux Mint User Guide"
community.linuxmint.com's "Tutorials"
Paul Hill's "Ten things to do after installing Linux Mint 18.3"



Looking at Other Distros:
Jason Evangelho's "How To Test Drive 200+ Linux Distributions Without Ever Downloading Or Installing Them"

RenewablePCs' "Which Linux distros are the best?"
Gary Newell's "How To Choose The Best Linux Distro For Your Needs"
It's FOSS's "Explained: Which Ubuntu Version Should I Use?"
Adarsh Verma's "Top 10 Best Linux Distros For 2018 - Ultimate Distro Choosing Guide"
Adarsh Verma's "9 Most Beautiful Linux Distros You Need To Use"
RenewablePCs' "Desktop Environments for Linux"
Distro Chooser
Librehunt

Jason Evangelho's "Linux For Beginners: Understanding The Many Versions Of Ubuntu"
Gary Newell's "Ubuntu vs Xubuntu"
Canonical's "Ubuntu flavours"
Canonical's "Derivatives"
Ubuntu forums

Sense I'm getting from various places: Upgrading Ubuntu from one major release to another often breaks something; better to do a fresh install. But Mint doesn't have that problem, upgrades are smooth.







Miscellaneous



Chris Hoffman's "The Linux Directory Structure, Explained"
Debian's "Device Names in Linux"
Gary Newell's "Complete List of Linux Mint 18 Keyboard Shortcuts for Cinnamon"
OSTechNix's "3 Good Alternatives To Man Pages Every Linux User Should Know"
TLDR pages ("simplify the beloved man pages with practical examples")
P. Lutus's "How to Use Secure Shell"
KernelNewbies
OverAPI



In Mint, to see what distro versions you are using:
cat /etc/lsb-release
cat /etc/upstream-release/lsb-release
cat /etc/debian_version



To see if you are using any 32-bit software:
lsof | grep i386-linux-gnu && echo "Found 32-bit library in use" || echo "No 32-bit library in use"
dpkg -l | grep "^ii" | grep ":i386" && echo "Found 32-bit packages installed" || echo "No 32-bit packages installed"
Jesse Smith's "Checking for 32-bit applications on the operating system"



Using your Linux box to do penetration-testing of other devices:
See my Penetration Testing and Bug-Bounty Hunting page



Compiling stuff from source:
LinuxJourney
Chris Hoffman's "How To Compile and Install from Source on Ubuntu"

SK's "An Easy Way To Remove Programs Installed From Source In Linux"
Ubuntu's "CheckInstall"

I don't know how to register a compiled app under apt. But once you've done so, you can create a .deb file from it by using "dpkg-repack". Or:
Debian Packager




