How secure is Linux?

    So, someone comes up to you and is shoulder surfing you going about your everyday PC use. Suddenly you hear them cry, "Ah, that's not Windows! What is it?!". An explanation that you're running Linux is likely to be met with a blank stare and a follow-up question: "What's that? Why are you using it?" (assuming we're talking about Joe Public here).

    One of the points frequently made about Linux is not only do few people bother writing malicious code for it - the malicious code is going to have a tough time getting into your system. Long term, a computer running Linux might need reformatting for cosmetic reasons, but decreasing performance is unlikely to become an issue (whereas 1/2 months of Windows use drags the PC down).

    But just how secure is Linux? I think there might be a firewall running with the system, but for users installing and wanting a working system out of the box (read: myself), configuring it isn't something you bother with. As far as I'm aware, no one bothers running any AV software either (hopefully I can get a poll up on this issue). Certainly I don't, though coming over from Windows, it's something I'm considering.

    Just want to throw this one wide open really, and hear the opinions of ordinary users.
    Poll results (26 votes):
    Yes, you're mad not to! - 3.85% (1)
    I'd like to, but have no idea where to start... - 7.69% (2)
    No, this is Linux, don't be ridiculous! - 38.46% (10)
    Meh, the added security is minimal, and it's not worth the effort. - 50.00% (13)

    #2
    The real answer is: As secure as you want it to be.

    It is natively far more secure than Windows but can be made even more so with tools like a firewall if you feel the need. AFAIK there are no virus scanner programs for Linux viruses because in the real world there aren't enough of them to justify it. There are a few that scan for Windows viruses so you don't pass them on to Windows users, but that's usually a server function and most Linux users don't bother with them. I usually install rkhunter (rootkit protection) but that's about it.

    IMO, the main reason no one writes malicious code for Linux is there are too many security features you would have to defeat. The first level of security Linux offers involves the concept of file ownership and permissions. Even if you did find a Linux virus, you'd have to give it your admin password and install it yourself.

    Other security things you can do: No root password (Kubuntu default), have a dedicated admin user account to do installations and updates and don't use your system with this account, use iptables, use a firewall, use non-standard ports for vulnerable functions (like ssh), turn off all unused ports/services, keep your system up to date, use virtual machines to access the internet...

    ...I'm sure there's more that I can't think of right now. There's even a Linux (Xen)-based distro which is security centric and adds additional levels of security, called Qubes OS.
    Last edited by oshunluvr; Oct 15, 2012, 12:41 PM.


      #3
      Personally, I run Kubuntu (12.04 for the next four years) just the way it installs itself, which is a "default" install. I turn off the ping echo in my wireless router, and Kubuntu locks all my accessible ports. For what it's worth, "ShieldsUp!" shows all ports as green (locked, no response to any ACKs). I don't save unrequested email attachments, to say nothing of marking them executable and then running them -- just about the only way malware could infect a Linux box that isn't running a Java VM or Adobe Flash. I used to run chkrootkit and rkhunter as a daily cron, but Kubuntu precise didn't install them and I decided not to.

      I used to run AV software for the sake of my Windows using friends, so that if I passed an email on to them they wouldn't get infected. BUT, most of my friends and relatives now run Kubuntu, so I removed the AV. About 6 months ago I stopped using KMail and now use gmail as my primary email client.

      In nearly 15 years of using Linux, half of them without any "protection", I have NEVER encountered a Linux virus or Trojan. I have both Flash and Java VM installed and have yet to see Linux malware. My ports show no attempts at breaking in.
      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
      – John F. Kennedy, February 26, 1962.



        #4
        File sharing probe results on my system:

        Shields UP! is checking YOUR computer's Internet connection security . . . currently located at IP: 216.152.181.127

        Please Stand By. . .
        Attempting connection to your computer. . .
        Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!
        Your Internet port 139 does not appear to exist!
        One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
        Unable to connect with NetBIOS to your computer.
        All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.

        Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.

        Port   Service   Status
        0      <nil>     Stealth
        21     FTP       Stealth
        22     SSH       Stealth
        23     Telnet    Stealth
        25     SMTP      Stealth
        79     Finger    Stealth
        80     HTTP      Stealth
        110    POP3      Stealth
        113    IDENT     Stealth
        119    NNTP      Stealth
        135    RPC       Stealth
        139    NetBIOS   Stealth
        143    IMAP      Stealth
        389    LDAP      Stealth
        443    HTTPS     Stealth
        445    MSFT DS   Stealth
        1002   ms-ils    Stealth
        1024   DCOM      Stealth
        1025   Host      Stealth
        1026   Host      Stealth
        1027   Host      Stealth
        1028   Host      Stealth
        1029   Host      Stealth
        1030   Host      Stealth
        1720   H.323     Stealth
        5000   UPnP      Stealth

        Security Implications (identical for every port listed): There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
        And like GreyGeek, my system is in a default configuration as far as network security is concerned - no added firewall applications.
        Last edited by Snowhog; Oct 15, 2012, 05:23 PM.
        Using Kubuntu Linux since March 23, 2007
        "It is a capital mistake to theorize before one has data." - Sherlock Holmes



          #5
          Hmm....my system is also standard Kubuntu but failed the Shields Up tests.

          Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.

          Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)

          Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.
          And for the port report, instead of listing my ports as Stealth, they are listed as closed. Hmmm...



            #6
            Originally posted by whatthefunk:
            Hmm....my system is also standard Kubuntu but failed the Shields Up tests.
            And for the port report, instead of listing my ports as Stealth, they are listed as closed. Hmmm...
            More than likely your wireless router is echoing the ping before Kubuntu sees it. So even with Kubuntu's iptables turning off ping echo, your router will echo it unless you tell it not to.

            As for some of your ports being too gabby, you may have installed an app which opened a hole.
            Do
            sudo netstat -lp
            and check its listing with your port address to see which app is being too mouthy.



              #7
              Three things.


              Windows vs. Linux

              Properly administered, there is no appreciable difference: both can be very resilient against attack. The key here, of course, is properly administered. It has taken Microsoft a long time (too long, really) to migrate both the OS and its customers away from the assumption that all users are administrators. Hell, even with Windows 8, the initial user is an admin. Furthermore, SMB networking relies on broadcasts for service discovery, so every SMB node by necessity listens on at least one port. These two aspects, put in place long before Internet access was common, are the primary reasons why Windows came to be regarded as insecure.

              A well-maintained Windows machine can be a secure machine. It takes only one non-default configuration:
              • (default) the Windows firewall -- blocks SMB traffic not on the LAN
              • (default) User Account Control -- raises a consent dialog when a human or a piece of code wants to perform an admin function
              • (default) Windows updates -- monthly fixes (all software has bugs)
              • (not default) standard user -- run with "normal," not admin, privileges


              Prevalence of malware

              Bad guys are lazy. They write for maximum attack spread. Because Windows desktops are everywhere and because many machines are not up to date, they're attractive targets. Linux has a legacy of being run in environments with stricter configuration policies and change control; greater care and feeding generally means less utility for misuse. You don't see too many pwn3d Windows servers for the same reasons you don't see many pwn3d Linux machines: better maintenance.

              But to assume that anything based on Linux is by definition more secure is a mistake. See: Android.


              Gibson "Research" and Shields Up

              Pure scare-ifying, and not taken seriously by anyone in the security community. I've written about this before.
              Last edited by SteveRiley; Oct 16, 2012, 12:07 AM.



                #8
                Originally posted by oshunluvr:
                Even if you did find a Linux virus, you'd have to give it your admin password and install it yourself.
                This is not true; there are ways to gain access to a Linux computer without the admin password and still gain full root privileges. However, unlike Windows, these holes tend to get fixed very quickly when discovered, which is why it's most important to keep your system up to date.

                Originally posted by oshunluvr:
                Other security things you can do: No root password (Kubuntu default)
                More accurately, Kubuntu locks the root user account so doesn't bother to set a password (passwd -l root to lock the root account).

                Originally posted by SteveRiley:
                Windows vs. Linux

                Properly administered, there is no appreciable difference:
                I agree, but I do find it far easier to properly administer Linux over Windows, or is that just me?



                  #9
                  Just read your post S-R and was about to post my reply, but ... I already did, right under post in your link to your Gibson analysis!

                  Qq said there:
                  "Glad to see your take on the Gibson site, SteveRiley. I have also noticed the things you mentioned and quit using the site long ago. I'm no expert at all on these issues; good to see your knowledgeable review/analysis of it."
                  An intellectual says a simple thing in a hard way. An artist says a hard thing in a simple way. Charles Bukowski



                    #10
                    Originally posted by whatthefunk:
                    Hmm....my system is also standard Kubuntu but failed the Shields Up tests.
                    And for the port report, instead of listing my ports as Stealth, they are listed as closed. Hmmm...
                    The best level of security is to have closed ports. If the ports are closed no one can get in to your pc. The stealth option is the next best level of security.



                      #11
                      SteveRiley: I've read your rant on the other thread. It's informative, but where you say
                      Gibson is enamored of his "stealth" mode checks. In reality, there is no such thing. If your computer opens a connection to a destination socket (that is, the tuple IP_address:port), you will receive one of three responses:

                      connection allowed
                      connection refused
                      no response
                      You're quite right in that there is no "stealth mode", but the "no response" is, I'm assuming, Gibson's interpretation of what is "Stealth mode".

                      I believe that at the end of the day this site highlights the possible breaches in security from Windows machines, and if it gets the users to "beef up" the security of their systems then surely that's a good thing.



                        #12
                        Originally posted by james147:
                        I agree, but I do find it far easier to properly administer Linux over Windows, or is that just me?
                        Maybe it's more a measure of that which one is familiar with? When I first started experimenting with Linux, my lack of knowledge really made things appear difficult. Now I'm pretty comfortable with many of the ins and outs. I'm actually beginning to forget some Windows admin stuff, especially XP!



                          #13
                          Originally posted by ArminasAnarchy:
                          Just want to throw this one wide open really, and hear the opinions of ordinary users.
                          IME a major vector for malware for inexperienced users is downloaded software. Maybe they get some file in a format that their system doesn't recognize. Or they're told "use xyz", or "xyz is cool". They google it to find what looks like a reputable site, done. Even non-criminal sites may slip in adware, so it's easy for malware to disguise itself.
                          Windows users have been falling into versions of this hole for decades. A good Linux distro's repositories make it much more secure.
                          Regards, John Little



                            #14
                            Originally posted by nickstonefan:
                            The best level of security is to have closed ports. If the ports are closed no one can get in to your pc. The stealth option is the next best level of security.
                            Originally posted by nickstonefan:
                            You're quite right in that there is no "stealth mode", but the "no response" is, I'm assuming, Gibson's interpretation of what is "Stealth mode".

                            I believe that at the end of the day this site highlights the possible breaches in security from Windows machines and if it gets the users to "beef up" the security of their systems than surely that's a good thing.
                            Gibson's fixation on ports is just one example of how he demonstrates a skewed understanding of security and risk. His notion of "stealthed" ports has created a lot of confusion but really solved nothing. Furthermore, since so many products decided that they needed to implement stealth, TCP/IP has been broken.

                            Here's an experiment. Most of you probably are running CUPS, if you have a default Kubuntu install. The CUPS service runs a daemon that creates a listening socket on port 631/tcp. You can even talk to it. Watch:
                            Code:
                            steve@t520:~$ telnet localhost 631
                            Trying 127.0.0.1...
                            Connected to localhost.
                            Escape character is '^]'.
                            Here's the conversation:
                            Code:
                            steve@t520:~$ sudo tcpdump -ti lo
                            1. IP localhost.50721 > localhost.ipp: Flags [S], seq 719613933, win 32792, options [...], length 0
                            2. IP localhost.ipp > localhost.50721: Flags [S.], seq 3311305689, ack 719613934, win 32768, options [...], length 0
                            3. IP localhost.50721 > localhost.ipp: Flags [.], ack 1, win 257, options [...], length 0
                            I've added line numbers to facilitate discussion, and omitted the options so that the lines don't wrap.

                            1. TCP SYN-flag from the client to the service listening on 631/tcp.
                            2. TCP ACK and TCP SYN-flag from the service to the client.
                            3. TCP ACK from the client to the service. This completes the TCP three-way handshake.

                            Now I'll close the connection:
                            Code:
                            ^]
                            telnet> quit
                            Connection closed.
                            steve@t520:~$
                            And here's the conversation:
                            Code:
                            4. IP localhost.50721 > localhost.ipp: Flags [F.], seq 1, ack 1, win 257, options [...], length 0
                            5. IP localhost.ipp > localhost.50721: Flags [F.], seq 1, ack 2, win 256, options [...], length 0
                            6. IP localhost.50721 > localhost.ipp: Flags [.], ack 2, win 257, options [...], length 0
                            4. TCP FIN-flag from the client to the service.
                            5. TCP ACK and FIN-flag from the service to the client.
                            6. TCP ACK from the client to the service. This completes the TCP four-way teardown.


                            Now I'm going to try to connect to some random port that has no listening socket:
                            Code:
                            steve@t520:~$ telnet localhost 9999
                            Trying 127.0.0.1...
                            telnet: Unable to connect to remote host: Connection refused
                            steve@t520:~$
                            And the conversation:
                            Code:
                            steve@t520:~$ sudo tcpdump -ti lo
                            1. IP localhost.54943 > localhost.9999: Flags [S], seq 2300475951, win 32792, options [...], length 0
                            2. IP localhost.9999 > localhost.54943: Flags [R.], seq 0, ack 2300475952, win 0, length 0
                            1. TCP SYN-flag from the client to the service listening on 631/tcp.
                            2. TCP RST-flag from the service to the client. The server resets the connection because nothing is listening on the specified port.

                            Gibson would call this a "closed" port. But this is a foreign concept to TCP/IP: ports are not "open" or "closed." On a host, ports are either in use or not. A connection request to a port not in use results in the computer's IP stack telling you so: "nothing here, sorry."

                            Once upon a time, firewalls behaved the same way. However, firewalls can also silently drop invalid incoming connection requests rather than replying with a reset. Here's an example, where I connect to the external interface of my firewall and specify a port that's not publishing anything:
                            Code:
                            steve@t520:~$ telnet rileyz.net 9999
                            Trying 174.61.253.106...
                            ^C
                            Nothing happens, and I press Ctrl+C to kill telnet.

                            Here's the conversation:
                            Code:
                            steve@t520:~$ sudo tcpdump -ti eth0
                            ^C
                            Is it really nothing? No. My computer sends SYN-flag datagrams, but since my firewall isn't publishing anything on port 9999/tcp, and my firewall doesn't send RST-flag replies, my computer receives nothing in response. So TCPdump displays nothing. The connection remains in a half-open state until I press Ctrl+C.

                            This is what Gibson calls a "stealthed" port. But is there really such a thing? No. Keep reading.

                            Only in the context of a firewall does it make sense to use "open" or "closed" to describe a port state. A port is open if there exists a rule that allows inbound connections to pass through the firewall to something behind it. A port is closed if no such rule exists. But whereas hosts respond with "nothing here, sorry" when incoming connections fail, firewalls nowadays simply drop the connection requests on the floor.

                            Why silently drop? Some time ago, it became fashionable to worry about whether that "nothing here, sorry" error might reveal tantalizing clues to an attacker. Gibson latched onto this, and decided that it was somehow more secure if a computer could act like a firewall when it receives incoming requests to ports that have no services. He invented the term "stealth" to describe the behavior, on a host, of a "closed" port on a firewall. So then he had to redefine "closed" -- which, remember, means nothing from the perspective of a host -- to reflect the "not in use" meaning on a host.

                            But a host can't act like a firewall: TCP/IP doesn't behave this way. A non-response to an incoming connection is a very early form of security theater that every firewall manufacturer decided it needed. Host-based firewalls adopted this feature very quickly. Zone Alarm was one of the first to do so, and Gibson made a lot of money shilling for it. To make a host act like a firewall requires installing additional software.

                            But this behavior breaks TCP/IP. The protocol was not designed to maintain lots of half-open connections. I can exhaust the resources of a firewall by sending a bunch of SYN-flags to ports that are open, cause the firewall to reply with its ACK/SYN-flags, and never send the final ACKs. The firewall will maintain each half-open connection for four minutes (two times the MSL, or maximum segment lifetime of two minutes). Similarly, I can exhaust the resources of a client by getting malware on the box that creates half-open connections on every usable port.

                            Why has a non-response been considered more secure than "nothing here, sorry"? It's based on the flawed assumption that hiding is useful or even possible. For actual servers that you actually want to receive connections, hiding is useless. Trying to maintain "stealth" when you want to have even one "open" port is just silly. Imagine you have a Windows HTTP server behind a firewall. The firewall has a single rule that allows connections to the server's port 80/tcp. If someone now tries to connect to port 139/tcp, who cares whether the firewall drops the requests or replies with an RST-flag? In both cases the connection is refused, which is the goal. "Stealth" is not more secure, and "closed" is not less secure. They're equivalent.

                            Hiding might make sense only when the computer has no need to listen for anything incoming. However, your computer is obviously still making outbound connections, and the moment you do that, your computer's presence -- its public IP address -- becomes known. Really, then, it's impossible to hide on the Internet. Given this, attempts to achieve "stealth" even on client PCs are just security theater.

                            Wow, this post got really long. If you've slogged your way through all of it, thanks much. Unfortunately, it takes much time and many words to explain why seemingly good and simple ideas like "stealth" actually make no sense at all.
                            Last edited by SteveRiley; Oct 16, 2012, 10:31 PM.
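As an added example (not from the post above or anyone in this thread), the Python script below parses tcpdump lines in the format shown in that post and reports which of the three outcomes a capture shows: SYN-ACK back (port in use), RST back (nothing listening), or no reply at all (request dropped, which is what Gibson labels "stealth"). The CUPS and port-9999 captures are copied from the post; the DROPPED capture and the 192.0.2.10 address are constructed for the example.

```python
"""Classify a captured TCP connection attempt into the three outcomes the post
describes: connection allowed (SYN-ACK), connection refused (RST), no response."""
import re
from dataclasses import dataclass

# One tcpdump line as shown in the post, with or without a leading "N. " number.
LINE_RE = re.compile(
    r"^(?:\d+\.\s+)?IP\s+(?P<src>\S+)\s+>\s+(?P<dst>[^\s:]+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)

# tcpdump flag letters: S=SYN, F=FIN, R=RST, P=PSH, U=URG, "."=ACK
FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG", ".": "ACK"}


@dataclass
class Segment:
    src: str    # host.port of the sender
    dst: str    # host.port of the receiver
    flags: str  # raw tcpdump flag string, e.g. "S", "S.", "F.", "R."


def parse_segment(line: str) -> Segment:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a tcpdump TCP line: {line!r}")
    return Segment(m["src"], m["dst"], m["flags"])


def describe_flags(flags: str) -> str:
    """'S' -> 'SYN', 'S.' -> 'SYN-ACK', 'F.' -> 'FIN-ACK', 'R.' -> 'RST-ACK'."""
    return "-".join(FLAG_NAMES.get(c, c) for c in flags)


def events(lines):
    """Narrate a capture the way the post does: one flag description per segment."""
    return [describe_flags(parse_segment(l).flags) for l in lines if l.strip()]


def classify(lines):
    """Return the outcome of the connection attempt seen in a capture.

    The client is whoever sends the first plain SYN; every segment from the other
    side back to it is a reply. No reply at all means the SYN (and its
    retransmissions) were dropped somewhere on the path."""
    segs = [parse_segment(l) for l in lines if l.strip()]
    if not segs:
        raise ValueError("empty capture: nothing was seen on this interface")
    first = segs[0]
    if "S" not in first.flags or "." in first.flags:
        raise ValueError("capture does not begin with a client SYN")
    client, server = first.src, first.dst
    replies = [s for s in segs if s.src == server and s.dst == client]
    if not replies:
        return "no response (dropped)"
    for r in replies:
        if "R" in r.flags:
            return "not in use (RST)"
        if "S" in r.flags and "." in r.flags:
            return "in use (SYN-ACK)"
    return "undetermined"


# Capture lines copied from the post: CUPS on 631/tcp, then a refused local port.
CUPS_HANDSHAKE = [
    "1. IP localhost.50721 > localhost.ipp: Flags [S], seq 719613933, win 32792, options [...], length 0",
    "2. IP localhost.ipp > localhost.50721: Flags [S.], seq 3311305689, ack 719613934, win 32768, options [...], length 0",
    "3. IP localhost.50721 > localhost.ipp: Flags [.], ack 1, win 257, options [...], length 0",
]
CUPS_TEARDOWN = [
    "4. IP localhost.50721 > localhost.ipp: Flags [F.], seq 1, ack 1, win 257, options [...], length 0",
    "5. IP localhost.ipp > localhost.50721: Flags [F.], seq 1, ack 2, win 256, options [...], length 0",
    "6. IP localhost.50721 > localhost.ipp: Flags [.], ack 2, win 257, options [...], length 0",
]
REFUSED = [
    "1. IP localhost.54943 > localhost.9999: Flags [S], seq 2300475951, win 32792, options [...], length 0",
    "2. IP localhost.9999 > localhost.54943: Flags [R.], seq 0, ack 2300475952, win 0, length 0",
]
# Constructed (not from the post): what an eth0 capture looks like when a firewall
# drops the SYNs, so only the client's retransmissions are seen. 192.0.2.10 is a
# documentation address standing in for the firewall's public IP.
DROPPED = [
    "IP t520.40001 > 192.0.2.10.9999: Flags [S], seq 1, win 29200, options [...], length 0",
    "IP t520.40001 > 192.0.2.10.9999: Flags [S], seq 1, win 29200, options [...], length 0",
    "IP t520.40001 > 192.0.2.10.9999: Flags [S], seq 1, win 29200, options [...], length 0",
]

if __name__ == "__main__":
    for name, cap in [("631/tcp", CUPS_HANDSHAKE), ("9999/tcp local", REFUSED),
                      ("9999/tcp firewall", DROPPED)]:
        print(f"{name}: {', '.join(events(cap))} -> {classify(cap)}")
```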



                              #15
                              Wow. Informative, and I mean that. Nice post.