None of us want personal information to fall into the wrong hands. But how to protect the system from attacks and data theft? Do you really have to read kilometer-long manuals on setting up and encryption algorithms? Not at all necessary. In this article, I will show you how to make a Linux system secure in just 30 minutes.
Introduction
We live in an age mobile devices and permanent online. We go to a cafe with a laptop and run web servers on the Internet on home machines. We register on hundreds of sites and use the same passwords for web services. We always have a smartphone in our pockets, which is stuffed with dozens of passwords, and stores the keys to several SSH servers. We have become so accustomed to the fact that third-party services take care of our privacy that we have already ceased to pay attention to it.
When I lost my smartphone, I was very lucky that the anti-theft installed on it turned out to be efficient and allowed me to remotely erase all data from the device’s memory. When I inadvertently opened an SSH port on my home machine with a user without a password (!) to the outside world (!!), I was very lucky that script-kiddies made their way to the machine, which, apart from the funny shell story, did not leave any serious traces of their stay in system. When I accidentally posted a listing on the Internet with my Gmail password, I was very lucky that there was a kind person who warned me about it.
Maybe I'm gouging, but I firmly believe that such incidents have happened to many who read these lines. And it's good if these people, unlike me, seriously took care of protecting their car. After all, the anti-theft might not work, and instead of a script kiddy, serious people could get into the car, and I could lose not a smartphone, but a laptop, on which, apart from the user's password, there was no other protection. No, rely on one two-factor Google authentication and stupid passwords are definitely not worth it in our age, something more serious is needed.
This article is a paranoid unixoid's guide dedicated to the total protection of a Linux machine from anything and everything. I do not dare to say that everything described here is mandatory for use. Quite the contrary, this is a collection of recipes, the information from which can be used to protect yourself and data at those frontiers where it is needed in your particular situation.
Password!
It all starts with passwords. They are everywhere: in the login window in a Linux distribution, in registration forms on Internet sites, on FTP and SSH servers, and on the lock screen of a smartphone. The standard for passwords today is 8–12 mixed case characters with numbers included. Generating such passwords with your own mind is quite tedious, but there is an easy way to do it automatically:
$ openssl rand -base64 6
No external applications, no web browser extensions, OpenSSL is available on any machine. Although, if it is more convenient for someone, he can install and use pwgen for these purposes (they say that the password will be more resistant):
$ pwgen -Bs 8 1
Where to store passwords? Today, each user has so many of them that it is simply impossible to keep everything in your head. Trust the browser's autosave system? You can, but who knows how Google or Mozilla will treat them. Snowden said that it was not very good. Therefore, passwords must be stored on the machine itself in an encrypted container. The founding fathers recommend using KeePassX for this. The thing is graphical, which the founding fathers themselves do not much like, but it works everywhere, including the well-known Google Probe Android (KeePassDroid). All that remains is to transfer the database with passwords to the right place.
We encrypt
Encryption - how much in this word ... Today, encryption is everywhere and nowhere at the same time. We are forced to use HTTPS versions of sites, but we don't care. They tell us: "Encrypt your home directory", and we say: "I'll set it up later." They tell us: “The favorite pastime of Dropbox employees is to laugh at the personal photos of users,” and we: “Let them laugh.” Meanwhile, encryption is the only absolute means of protection today. And it is very affordable and smoothes wrinkles.
In Linux, you can find tons of encryption tools for everything and everything, from hard disk partitions to single files. The three most well known and time tested tools are dm-crypt/LUKS, ecryptfs and encfs. The first encrypts entire disks and partitions, the second and third - directories with important information, each file separately, which is very convenient if you need to make incremental backups or use it in conjunction with Dropbox. There are also several lesser known tools, including TrueCrypt for example.
I will make a reservation right away that encrypting the entire disk is a difficult task and, most importantly, useless. There is and cannot be anything particularly confidential in the root directory, but the home directory and swap are just a storehouse of information. Moreover, the second one is even larger than the first one, since data and passwords already decrypted can get there (normal programmers prohibit the system from throwing such data into a swap, but such a minority). Setting up encryption for both is very simple, just install the ecrypts tools:
$ sudo apt-get install ecryptfs-utils
And, in fact, enable encryption:
$ sudo ecryptfs-setup-swap $ ecryptfs-setup-private
Next, just enter your password used for login and log in to the system. Yes, it's really that simple. The first command will encrypt and remount the swap by changing desired lines in /etc/fstab. The second one will create the ~/.Private and ~/Private directories, which will store the encrypted and decrypted files, respectively. When you log in, the PAM module pam_ecryptfs.so will be triggered, which will mount the first directory on the second with transparent data encryption. After unmounting, ~/Private will be empty, and ~/.Private will contain all files in encrypted form.
It is not forbidden to encrypt the entire home directory as a whole. In this case, performance will not drop much, but all files will be protected, including the same network directory~/dropbox. It is done like this:
# ecryptfs-migrate-home -u vasya
By the way, there should be 2.5 times more disk space than vasya has data, so I recommend cleaning up in advance. After the operation is completed, you should immediately log in as the user vasya and check if it works:
$ mount | grep Private /home/vasya/.Private on /home/vasya type ecryptfs ...
If everything is OK, the unencrypted copy of the data can be overwritten:
$ sudo rm -r /home/vasya.* 
We cover our tracks
OK, passwords are in a safe place, personal files too, now what? And now we have to make sure that some pieces of our personal data do not fall into the wrong hands. It's not a secret for anyone that when a file is deleted, its actual contents remain on the media even if formatting is done after that. Our encrypted data will be safe even after erasing, but what about flash drives and other memory cards? This is where the srm utility comes in handy, which not only deletes the file, but also fills the data blocks left after it with garbage:
$ sudo apt-get install secure-delete $ srm secret-file.txt home-video.mpg
# dd if=/dev/zero of=/dev/sdb
This command will erase all data on the sdb stick. Next, it remains to create a partition table (with one partition) and format it into the desired file system. It is recommended to use fdisk and mkfs.vfat for this, but you can also get by with the graphical gparted.
Preventing BruteForce Attacks
Fail2ban is a daemon that scans logs for attempts to guess passwords for network services. If such attempts are found, then the suspicious IP address is blocked by iptables or TCP Wrappers. The service is able to notify the host owner about the incident by email and reset the block via given time. Fail2ban was originally developed to protect SSH, today there are ready-made examples for Apache, lighttpd, Postfix, exim, Cyrus IMAP, named and so on. Moreover, one Fail2ban process can protect several services at once.
In Ubuntu / Debian, to install, we type:
# apt-get install fail2ban
The configs are located in the /etc/fail2ban directory. After changing the configuration, restart fail2ban with the command:
# /etc/init.d/fail2ban restart
Threat from outside
Now let's take care of the threats coming from the bowels world wide web. This is where I should start talking about iptables and pf running on a dedicated machine running OpenBSD, but that's all redundant when there's ipkungfu. What it is? This is a script that will do all the dirty work of configuring the firewall for us, without having to make kilometer-long lists of rules. Install:
$ sudo apt-get install ipkungfu
Edit config:
$ sudo vi /etc/ipkungfu/ipkungfu.conf # The local network, if there is - we write the network address along with the mask, if not - we write the loopback address LOCAL_NET="127.0.0.1" # Our machine is not a gateway GATEWAY=0 # Close the necessary ports FORBIDDEN_PORTS="135 137 139" # Block pings, 90% kiddis will fall off at this stage BLOCK_PINGS=1 # Dropping suspicious packets (flooding of various kinds) SUSPECT="DROP" # Dropping "wrong" packets (some types of DoS) KNOWN_BAD="DROP" # Port scanning? Thrash! PORT_SCAN="DROP"
To enable ipkungfu, open the /etc/default/ipkungfu file and change the line IPKFSTART = 0 to IPKFSTART = 1. Run:
$ sudo ipkungfu
Additionally, we will make changes to /etc/sysctl.conf:
$ sudo vi /etc/systcl.conf # Drop ICMP redirects (against MITM attacks) net.ipv4.conf.all.accept_redirects=0 net.ipv6.conf.all.accept_redirects=0 # Enable TCP syncookies mechanism net.ipv4 .tcp_syncookies=1 # Various tweaks (protection against spoofing, increasing the queue of "half-open" TCP connections, and so on) net.ipv4.tcp_timestamps=0 net.ipv4.conf.all.rp_filter=1 net.ipv4.tcp_max_syn_backlog=1280 kernel .core_uses_pid=1
Activate changes:
$ sudo sysctl -p
Detecting intrusions
Snort is one of the favorite tools for admins and a mainstay in all security guides. Thing with long history and colossal possibilities, to which entire books are devoted. What does he do in our guide to quick setup safe system? And here is the place for him, Snort does not need to be configured:
$ sudo apt-get install snort $ snort -D
All! I'm not kidding, Snort's default settings are more than enough to protect typical network services, if you have them, of course. You just need to look at the log from time to time. And in it you can find lines like these:
[**] MS-SQL probe response overflow attempt [**] http://www.securityfocus.com/bid/9407]
Oops. Someone tried to cause a buffer overflow in MySQL. There is also a link to a page with a detailed description of the problem. The beauty.
Someone inherited...
Someone especially smart was able to bypass our firewall, get past Snort, get root permissions in the system and now visits the system regularly using the installed backdoor. Not good, the backdoor needs to be found, removed, and the system updated. To search for rootkits and backdoors, use rkhunter:
$ sudo apt-get install rkhunter
We launch:
$ sudo rkhunter -c --sk
The software will check the entire system for rootkits and display the results. If the malware is still found, rkhunter will point to the place and it can be overwritten. A more detailed log is located here: /var/log/rkhunter.log. It is better to run rkhunter as a daily cron job:
$ sudo vi /etc/cron.daily/rkhunter.sh #!/bin/bash /usr/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Results" [email protected]
We replace Vasya's email address with our own and make the script executable:
$ sudo chmod +x /etc/cron.daily/rkhunter.sh
$ sudo rkhunter --update
By the way, it can be added before the check command in the cron script. Two more rootkit search tools:
$ sudo apt-get install tiger $ sudo tiger $ sudo apt-get install lynis $ sudo lynis -c
In fact, the same Faberge eggs from a bird's eye view, but they have different bases. Perhaps with their help it will be possible to reveal what rkhunter missed. Well, for starters, debsums is a tool for verifying file checksums, installed packages with a standard. We put:
$ sudo apt-get install debsums
We start the check:
$ sudo debsums -ac
As always? launch can be added to cron jobs.
Outside
Now let's talk about how to maintain your anonymity on the Web and gain access to sites and pages blocked at the request of various copyright organizations and other Mizulins. The easiest way to do this is to use one of the thousands of proxy servers around the world. Many of them are free, but often cut the channel to the speed of an ancient analog modem.
To safely navigate the sites and only turn on the proxy if necessary, you can use one of the many extensions for Chrome and Firefox, which are easily found in the proxy switcher directory. We install, drive in the list of necessary proxies and switch to the required one, seeing instead of the page the sign “Access to the page is limited at the request of Mr. Skumbrievich”.
In those situations when the entire site fell under the filter and its address was blacklisted on the side of the providers' DNS servers, you can use free DNS servers whose addresses are published. Just take any two addresses you like and add to /etc/resolv.conf:
Nameserver 156.154.70.22 nameserver 156.154.71.22
To prevent various kinds of DHCP clients and NetworkManagers from overwriting the file with addresses received from the provider or router, we make the file unwritable using extended attributes:
$ sudo chattr +i /etc/resolv.conf
After that, the file will become write-protected for everyone, including root.
To further anonymize your browsing experience, you can also use the dnscrypt daemon, which will encrypt all requests to the DNS server in addition to the proxy server used to connect to the site itself. Install:
$ wget http://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.3.2.tar.bz2 $ bunzip2 -cd dnscrypt-proxy-*.tar.bz2 | tar xvf - $ cd dnscrypt-proxy-* $ sudo apt-get install build-essential $ ./configure && make -j2 $ sudo make install
Specify the loopback address in /etc/resolv.conf:
$ vi /etc/resolv.conf nameserver 127.0.0.1
Let's start the daemon:
$ sudo dnscrypt-proxy --daemonize
By the way, there are versions of dnscrypt for Windows, iOS and Android.
Onion Routing
What is onion routing? This is Tor. And Tor, in turn, is a system that allows you to create a completely anonymous network with access to the Internet. The term “onion” is used here in relation to the operation model, in which any network packet will be “wrapped” in three layers of encryption and will pass through three nodes on the way to the addressee, each of which will remove its own layer and transmit the result further. Everything, of course, is more complicated, but for us the only important thing is that this is one of the few types of networking that allows you to maintain complete anonymity.
However, where there is anonymity, there are connection problems. And Tor has at least three of them: it's horrendously slow (thanks to encryption and passing through a chain of nodes), it will create a load on your network (because you yourself will be one of the nodes), and it is vulnerable to traffic interception. The latter is a natural consequence of the ability to access the Internet from the Tor network: the last node (the exit) will remove the last layer of encryption and can access the data.
However, Tor is very easy to install and use:
$ sudo apt-get install
Everything, now on the local machine there will be a proxy server leading to the Tor network. Address: 127.0.0.1:9050, you can drive it into the browser using the same extension, or add it through the settings. Keep in mind that this is SOCKS, not an HTTP proxy.
INFO
The Android version of Tor is called Orbot.To put in command line the password has not been saved in history, you can use a clever trick called "add a space at the beginning of the command."
It is ecryptfs that is used to encrypt the home directory in Ubuntu.
The fight against flood
Here are a few commands that can help with flooding your host.
Counting the number of connections on a specific port:
$ netstat -na | grep ":port\" | wc -l
Counting the number of "half-open" TCP connections:
$ netstat -na | grep ":port\" | grep SYN_RCVD | wc -l
Viewing the list of IP addresses from which connection requests are made:
$ netstat -na | grep ":port\" | sort | uniq -c | sort-nr | less
Analyzing suspicious packets with tcpdump:
# tcpdump -n -i eth0 -s 0 -w output.txt dst port port and host of the IP server
We drop the attacker's connections:
# iptables -A INPUT -s attacker's ip -p tcp --destination-port port -j DROP
We limit maximum number"half-open" connections from one IP to a specific port:
# iptables -I INPUT -p tcp --syn --dport port -m iplimit --iplimit-above 10 -j DROP
Disable responses to ICMP ECHO requests:
# iptables -A INPUT -p icmp -j DROP --icmp-type 8
findings
That's all. Without going into details and without the need to study manuals, we have created a Linux-box that is protected from outside intrusion, from rootkits and other infections, from direct human intervention, from traffic interception and surveillance. All that remains is to regularly update the system, disable password login via SSH, remove unnecessary services and avoid configuration errors.
At the annual LinuxCon conference in 2015, the creator of the GNU / Linux kernel Linus Torvalds shared his opinion about the security of the system. He emphasized the need to mitigate the effect of the presence of certain bugs with competent protection, so that if one component fails, the next layer covers the problem.
In this article we will try to reveal this topic from a practical point of view:
7. Install firewalls
Recently there was a new vulnerability that allows DDoS attacks on servers under Linux control. A bug in the system core has appeared since version 3.6 at the end of 2012. The vulnerability allows hackers to inject viruses into download files, web pages and expose Tor connections, and it does not take much effort to hack - the IP spoofing method will work.The maximum harm for encrypted HTTPS or SSH connections is connection interruption, but an attacker can put new content into unsecured traffic, including malware. To protect against such attacks, a firewall is suitable.
Block access with Firewall
Firewall is one of the most important tools for blocking unwanted incoming traffic. We recommend that you allow only the traffic you really need to pass through and completely block all other traffic.
For packet filtering, most Linux distributions have an iptables controller. It is usually used by advanced users, and for simplified configuration, you can use the UFW utilities on Debian/Ubuntu or FirewallD on Fedora.
8. Disable unnecessary services
Specialists from the University of Virginia recommend turning off all services that you do not use. Some background processes are set to autoload and work until the system is turned off. To configure these programs, you need to check the initialization scripts. Services can be started via inetd or xinetd.If your system is configured via inetd, then in the /etc/inetd.conf file you can edit the list of “daemons” background programs, to disable the loading of the service, just put a “#” sign at the beginning of the line, turning it from an executable into a comment.
If the system uses xinetd, then its configuration will be in the /etc/xinetd.d directory. Each directory file defines a service that can be disabled by specifying the disable = yes clause, as in this example:
Service finger ( socket_type = stream wait = no user = nobody server = /usr/sbin/in.fingerd disable = yes )
It's also worth checking for persistent processes that are not managed by inetd or xinetd. You can configure startup scripts in the /etc/init.d or /etc/inittab directories. After the changes have been made, run the command under the root account.
/etc/rc.d/init.d/inet restart
9. Protect the server physically
It is not possible to fully protect against attacks by an attacker with physical access to the server. Therefore, it is necessary to secure the room where your system is located. Data centers take security seriously, limiting access to servers, installing security cameras, and appointing constant guards.To enter the data center, all visitors must go through certain authentication steps. It is also strongly recommended to use motion sensors in all areas of the center.
10. Protect the server from unauthorized access
An unauthorized access system, or IDS, collects data about system configuration and files and then compares this data with new changes to determine if they are harmful to the system.For example, the Tripwire and Aide tools collect a database of system files and protect them with a set of keys. Psad is used for tracking suspicious activity using firewall reports.
Bro is designed to monitor the network, track suspicious activity patterns, collect statistics, execute system commands and generate alerts. RKHunter can be used to protect against viruses, most often rootkits. This utility scans your system against a database of known vulnerabilities and can detect unsafe settings in applications.
Conclusion
The tools and settings listed above will help you partially protect the system, but security depends on your behavior and understanding of the situation. Without attention, caution and constant self-learning, all protective measures may not work.What else do we write about?
Tags:
- 1cloud
- linux
- IS
In my observation, many of those who choose Linux just because they think that this OS is much better protected than Windows. In fact, everything is not so clear. Security is indeed the "chip" of this system, which covers the area from the Linux kernel to the desktop. However, the system always leaves a good chance for anyone who wants to "leave" in your /home folder. Linux may well be completely immune to the worms and viruses that are written for Windows, but worms and viruses are a relatively small part of the problem. Attackers have a lot of tricks up their sleeve, thanks to which they can get to important information for you, from ID photos to credit cards.
The most at risk for attacks are computers that are connected to the Web, however, devices without access to the "outside world" are no less vulnerable. For example, what can happen to an old laptop or hard drive, which are thrown by the user? After all, there are quite powerful tools for data recovery, and many are quite accessible for free download. Thanks to them, every average system administrator will be able to recover data from your disk, no matter what OS you worked with. If there is data on the hard drive, whether it is corrupted or not, then that data can be recovered. For example, you can recreate bank accounts, reconstruct recorded chat conversations, and restore images.
This is normal, but you should not completely stop using your PC because of this. Making a machine that is connected to the Internet immune to attacks is next to impossible. But it is possible to greatly complicate the task of the attacker, ensuring that he cannot "get" anything useful from an already compromised system. It is especially heartwarming that with the help of Linux itself, as well as some programs created on the basis of Open Source, it will be quite simple to protect your Linux OS.
We will discuss some aspects of Linux security in the following posts, but we will start with the most important, in my opinion, with updates. If they are disabled, then this is a serious problem, and if, for example, someone reasonably prefers to hide counterfeit Windows from the auto-update tool, then in the case of Linux, this behavior simply does not make sense.
All major Linux distributions (Debian, Fedora and Ubuntu among them) boast their own teams of security specialists who work hand in hand with their package maintenance teams to ensure that users are best protected from various security vulnerabilities. These teams must ensure that vulnerabilities are discovered in a timely manner, and must also quickly release "patches" that will quickly plug any discovered "holes".
Your distribution must have a repository that is completely dedicated to security updates. You only need to activate this repository (by the way, it is quite possible that this has already been done in advance) and determine whether manually or in automatic mode install updates.
For example, in Ubuntu, this will require you to select System Administration from the menu, and then Software Sources. Then, on the Updates tab, you will need to specify how often the distribution should "test" the security repository, looking for new updates on it and determine whether the system should install updates automatically, or whether it should ask the user for confirmation before installing updates. The last option can be called more interesting, because it will allow you to view updates before they are installed. On the other hand, there is often no need to view, usually everything is in order with updates, and choosing automatic installation you will save some time.
In addition to updates, distributions often have a dedicated security mailing list. To send announcements of those vulnerabilities that have been discovered, as well as to send out packages that fix these vulnerabilities. It's a good idea to keep an eye on the distribution's security mailing list and regularly look for security updates in the packages that are most important to you. There is usually some time between the announcement of a finding of a vulnerability and the download of the update package to the repository; The mailing lists will show you how to download and manually install updates.
Staying anonymous online is not always the same as surfing the web safely. It is important to keep as much technical information about your device as safe from prying eyes as possible so that attackers cannot exploit your system vulnerabilities and steal your confidential data and use it for their own purposes, which can have serious consequences.
If you want to remain anonymous online and protect your data, in this article we will look at the most secure linux distributions to help you with this.
Most of the tools listed in this article are completely free to use. In addition to them, there are also paid options, such as VPN, but these free tools do their job much better. The need for security on the Internet is constantly growing, there is always the risk of cyber attacks and eavesdropping by intelligence agencies. Not surprisingly, several distributions were immediately created, combining tools that provide maximum anonymity on the network.
These distributions were originally aimed at narrow specialists, but in recent times they gained a lot of popularity. Due to the demand for such systems from users, they are constantly being developed and new ones are being added, perhaps now there are more than twenty of them, but we will consider only the best secure linux distributions.
Most of them use the Tor software for anonymity, which provides real high level anonymity, unlike VPN providers who still know your real IP address.
But a VPN still has many advantages, making it the best option in some cases. If connection speed is important to you or you are going to transfer files via P2P, a VPN will win here.
Before looking at the most secure linux distributions, let's talk about how Tor is anonymous. Tor or The Onion Router is a standard encryption protocol developed by the US Navy.
The Tor software works with multiple nodes, and this ensures high reliability and anonymity. When passing through a random node, the data is re-encrypted each time and becomes fully decrypted only at the last node. The Tor developers are also responsible for creating the Tails distribution, which Edward Snowden recommends.
Now back to VPN. Usually, these are paid services, find a good one, free vpn very difficult. The quality of VPN service depends on the provider, but as a rule, the speed of work VPN servers much faster than Tor.
1. Tails - Anonymous LiveCD
If you want to remain anonymous on the internet, Tails is a great choice. Its main purpose is to make sure you don't leave any digital footprints while you surf the web. It is one of the most commonly used distributions for anonymity, and the only one where all Internet connections are routed through Tor.
Usually, Tails is installed on a USB flash drive, all data is stored in RAM, and after the work is completed, it is erased. The operating system is based on Debian and comes with a large set of open source tools specifically designed for privacy. It supports MAC address spoofing and Windows camouflage when the system looks very similar to Windows 8.
tails uses outdated version Gnome, which looks ugly and minimalistic without the possibility of additional customization and improvement, since files are not saved between sessions. Perhaps for many it doesn't matter, because Tails does its job. The distribution has excellent documentation and you can read it on the official website.
2.JonDo Live-DVD
JonDo Live-DVD is a commercial solution for online anonymity. It works in a similar way to Tor, your data is also transmitted through a series of mixed JonDonym servers. At each node, the data is re-encrypted. It's a great alternative to Tails, especially if you're looking for something with a less restrictive user interface.
Like Tails, the distribution is based on Debian and also includes a suite of anonymization tools and the most commonly used applications.
JonDo Live-DVD is paid service, for commercial use. It's targeted at businesses, is faster than Tails, and doesn't support saving files either.
If you need something completely different, Whonix will be of interest to you. A completely different approach is used here. This is not a Live CD. Whonix runs in a VirtualBox virtual machine, the system is isolated from your main system, thereby reducing the risk of catching viruses or exposing your data on the network.
Whonix consists of two parts. Whonix Gatway acts as a Tor gateway, the second Whonix Workstation is completely isolated from the network and routes all its network connections through the Tor gateway.
Thus, we need to use two virtual machines, which can create certain problems if you have weak hardware. But nevertheless it works. True, it is not the most secure Linux distribution, like Live CD, because it does not store data on the hard drive.
Whonix is based on Debian but uses KDE as its desktop environment. The operating system is not suitable for everyday use and you can only use it in a virtual machine.
4.QubesOS
This is another anonymity distribution recommended by Snowden. Qubes tries to fix the shortcomings of all previous distributions with insufficiently beautiful and customizable user interface. This is a distribution for everyday use that combines the power of Tor and Whonix.
Here is a completely different approach to anonymity. The idea behind Qubes is security through separation. This means that your digital life will be divided between isolated virtual machines. Any application runs in a separate virtual environment.
It should be noted that Qubes comes by default with Purism's flagship laptop. This laptop is considered the safest device for users. And that's true, given the distro's powerful software.
If you want a convenient distro for everyday use with all the standard functionality and familiar applications, Qubes OS can be a great choice. Unlike the ones listed above, it can be installed on a hard drive.
5. UPR (Ubuntu Privacy Remix)
UPR, this is another installable distro focused on security. It is user-friendly and provides an isolated environment where sensitive data can be kept safe.
Judging by the name, you can already tell that it is based on Ubuntu. The distribution kit offers safe surfing on the Internet and the use of encrypted flash drives, for effective protection your data from unauthorized access. The distribution comes preinstalled with encryption tools such as GnuPG and TrueCrypt. UPR is only for safe surfing on the Internet, not for anonymity. It's great if you want to install the system on your computer instead of using a LiveCD. If you also need anonymity, you can install Tor or connect a VPN.
findings
Given that Tails is the most common of all those mentioned in this article, we can decide that it is the safest. But other distributions serve their purpose just fine too. So it all comes down to personal preference.
The most commonly attacked strength of a free OS is security. What Linux users are most proud of and value most. We bring to your attention 5 main myths.
Source
Myth 1. Linux is insecure because the source codes of the programs are available for hackers to examine. Ordinary users are unlikely to pick complex code, but hackers will, in order to exploit the vulnerabilities found later. Besides,
What is actually: manually view millions of rows source code and not required. This task is solved by statistical code analyzers and special software systems for auditing. Random and intentional errors are caught automatically and then the expert deals with each specific case. For closed binary Windows code this does not work. This is where you can really easily hide the bookmark.
Viruses
Myth 2. There are few viruses under Linux, but only because Linux is unpopular operating system. As soon as the number of users increases, virus writers will also catch up, and Linux itself will be no different from Windows in terms of susceptibility to network infection.
What is actually: 2% Linux users These are tens of millions of computers. If it were really simple, then it would have been created long ago. Android is also 95% Linux. Devices per Android based already a billion. So where are the epidemics?
Power Users
Myth 3. Linux is more secure, but only because Linux is used by more experienced users. If everyone starts using Linux, then the same epidemics of computer infection will begin.
What is actually: this is partly true. But not only from viruses, but also from fools. For this, he is not loved by many Windows users who tried to switch to Linux, but did not master it. For example, Windows actually encourages running as administrator account(the user is less bothered). Linux will not allow you to constantly work as root.
Again viruses
Myth 4. Linux also has viruses.
Antivirus
Myth 5. Under Linux installation antivirus is a must.
What is actually: it is mandatory to set up iptables and refrain from connecting questionable third party repositories. Then there is no need for an antivirus. Moreover, marketers of antivirus companies.
