
Stay Ahead With Linux Security Features


Explore Latest Linux Security features


Enhance Security On Ubuntu 22.04: Encrypt Drives, Update, And More

Thanks to the fact that Linux is open-source, it is one of the most secure operating systems available. However, it is not perfect—like any software, it is open to exploits and there is a lot that can be done to improve its security. Improving the operating system is not just for experienced users—there are some simple things that everyone can do to make Ubuntu Linux more secure.

Encrypt Your Hard Drive

While a strong password is important for keeping your computer locked, it is not a foolproof way to keep your files secure—an experienced Linux user can access the files from a stolen laptop without a password. However, encrypting your hard drive makes it so that the password is not just a key to your computer but a code that is essential to accessing your files—without the password, any files that a hacker steals are impossible to read.

Unlike the other tips in this article, full hard drive encryption must be done during Ubuntu’s installation—while it is possible to encrypt partitions after installation, it is not as straightforward—plus, it is not all-encompassing like full hard drive encryption.

Below, we have a brand new image of Ubuntu 22.04. When you boot up your machine, whether it be on a physical device or a virtual machine, follow the setup as normal until you reach the screen shown below:

After reaching this screen, make sure to click on the “advanced features” option under “Erase disk and install ubuntu”. Once you do so, you should be greeted with the following screen:

Once the advanced features menu opens up, make sure to select the “Use LVM…” option as well as the Encryption option. Once you do so, hit OK and click the Install Now option. Afterwards, you should see a screen similar to the one below:

Here, we want to establish a security key as well as a recovery key in case you forget the initial security key. For additional security, you can overwrite the empty disk space; since this is all done at installation, your disk should be empty.
Once you have that all set up, you can continue with installation as normal and you should be all set: you now have disk encryption enabled!

Update your Operating System Regularly

While operating system updates are seen as a nuisance by many, keeping an operating system up to date is one of the most important measures that can be taken to keep a system safe. A perfect example of the dangers of out-of-date software is the infamous WannaCry attack, in which a North Korean ransomware infected over 200,000 computers and caused hundreds of millions of dollars in damages in 2017. WannaCry only affected Windows computers that did not have the latest security update. While not all of the widely used versions of Windows had this update available, according to research from the Kaspersky Lab, 98% of users affected by WannaCry were using Windows 7, which did have the security update available. If these users had simply updated their computers, they would not have been affected by one of the largest ransomware attacks.

While Linux is generally more secure than Windows, it is just as important to regularly update Linux. Since Linux is open-source, anyone can search its code for bugs and help to fix them. This means that once an exploit in Linux is found, it will generally be fixed quickly, but it also means that it is important to update as soon as possible because the exploit will be known to the public.

The easiest way to update Ubuntu is to run the software updater application. To update via the terminal, enter the command:

    sudo apt update && sudo apt upgrade -y

Disable Root Access

Linux is a command-heavy operating system—while an average user can use Linux and never see the terminal, it is still a powerful tool that can potentially give attackers full access to a computer. The unrestricted ability to run any command in Linux is known as “root access,” and can be safely disabled since it is not really needed most of the time.
If root access is ever needed, it can always be locked behind a password. To lock root access behind a password, open the terminal and enter “sudo -i”. When the next line, a # prompt, appears, enter “passwd”. This will give you the prompt for setting a root password.

Disable unnecessary services

Because Linux has been around for so long, it contains many leftover features that are outdated and no longer necessary. If allowed to run, these features can be a security flaw, especially if they provide access to ports. To list all services that are running in Linux, open the command line. See the below resources for more information on this:

tldp
How to List Services in Ubuntu Server / Desktop

Safe Internet Browsing

Nowadays, most browsers make a profit by selling their users’ data to advertisers. While this is usually unnoticeable by users, allowing websites to install data-collecting third-party cookies can make users open to attacks, phishing, and identity theft. Ubuntu comes with Firefox installed as the default browser. While Firefox is already a great browser for privacy, it is always good to disable third-party cookies. Additionally, browser extensions such as Adblock, HTTPS Everywhere, and NoScript can help make browsing the internet more secure.

Adblock

Adblock extensions disable advertisements on websites, making browsing the internet easier by hiding obstructing ads. They also prevent users from seeing malicious scam advertisements and disable third-party cookies. Popular adblock extensions include Adblock, AdBlock Plus, and uBlock Origin.

HTTPS Everywhere

Even though most people do not write “http://” before URLs anymore, the Hypertext Transfer Protocol is still used to connect to every website. Since 2008, websites have started to switch to the Hypertext Transfer Protocol Secure, or HTTPS, which encrypts traffic between the user and the site, and sites that only use HTTP are considered insecure.
HTTPS Everywhere automatically switches HTTP connections to HTTPS connections whenever it is available, helping keep internet traffic safer.

NoScript

While websites are still primarily built using HTML and CSS, they often have a lot of behind-the-scenes code written in languages such as JavaScript and Java. While there are many legitimate uses for these scripts, they are also one of the main tools used by malicious sites and hackers to run malware. NoScript disables scripts that are not from sites that users declare that they trust.

Conclusion

While Linux is a secure operating system by default, its ability to be customized allows for a multitude of ways to make it more secure. Making Linux more secure is something that anyone, not just cybersecurity experts, can and should do for the best and safest experience.

Oct 10, 2022, Brian Gomez

Installing Updates For Ubuntu 22.04 LTS And Debian 10: Security Steps

Whether you are a DevSecOps engineer responsible for managing your organization’s application infrastructure or you have your own personal Linux server that you use at home, the importance of keeping your systems safe and secure against malicious attacks by bad actors cannot be overemphasized.

While there are many aspects to securing systems, one fundamental best practice is to apply patches to your systems and applications as soon as they are made available. The infamous WannaCry ransomware attack from the summer of 2017, which caused much grief to millions of users, is a case in point. While the patch was made available well ahead of the actual attack, it was due to a sheer lack of security discipline that the attack was successful.

“While Microsoft had released patches previously to close the exploit, much of WannaCry's spread was from organizations that had not applied these or were using older Windows systems that were past their end-of-life. These patches are imperative to an organization's cyber-security, but many were not applied because of needing 24/7 operation, risking having applications that used to work break, inconvenience, or other reasons.” (Source: WannaCry ransomware attack - Wikipedia)

This article will walk you through the specific steps you need to patch the operating system packages of your Ubuntu and Debian based systems. We shall cover the basic commands you need to execute through the CLI and the equivalent steps through the GUI. We shall also cover some additional tips and techniques for automation, package conflict resolution, kernel patches and how to manage docker/container-based security updates.

How Can I Update Ubuntu via the Command-Line?

Most programmers prefer the command line or programmatic execution of commands. This method is quicker, you have better control, and the commands can be easily incorporated into scripts that can be set up for regular execution through automation.
If you are new to the topic, the Ubuntu command manuals are a good place to get started. The commands we shall cover pertaining to this topic are:

apt update: This command only fetches the information on the latest packages that can be upgraded. Note that it does not actually upgrade any packages on the system; it only refreshes the index local to the system. This package information is obtained from standard official sources and then stored locally on the system. If you ever need to check which sources the package information is picked up from, you will find them in /etc/apt/sources.list on the system.

apt list --upgradable: This command displays the packages that have updates available and therefore can be upgraded on the system. This is based on the information fetched previously by the update command.

apt upgrade: This is the actual command that upgrades the packages on the system. Once executed, the OS will be successfully upgraded. Note that this command can install new packages if the dependencies require it, but it will never remove packages.

apt full-upgrade: This command does a little more than what the upgrade command does. In addition to upgrading packages and installing new packages as required, it also removes existing installed packages if it determines that the dependencies are no longer required. Use this option with caution as it can cause unexpected system behavior if your application is dependent on a specific version of the package.

apt autoremove: This command is used to remove unused packages which are no longer needed by the dependent packages. This can be executed after apt upgrade.

Note that all of this discussion is with respect to packages that are already on the system. If you need new packages that are not already there, you need to use the apt install command.

As you research and look for commands on upgrading, you will come across apt-get commands with similar options of upgrade/update etc.
So, what should you use and what is the difference? Both are package management command line tools and there is a bit of history as to how the command evolved over the years. The apt CLI is the more recent (made available since Ubuntu 18.04 and Debian 10), preferred and officially recommended tool. It is clearer in explaining what exactly it is doing, and the options that come with apt are considered to be more user friendly and cover the range of frequently used options for the average user. The apt-get CLI, on the other hand, is more low level and contains a lot more options that are for the advanced user.

So how does one typically sequence these commands? Once you are comfortable with what each of these does, you can combine them together into a single command that can be set up for automated regular execution. More about that in later sections.

Here are a couple of screen captures to illustrate what you would see for some of the above commands.

apt update: Here you can see the various Ubuntu sources that it is fetching the package information from.

apt list --upgradable: Here you can see, from the package information fetched in the earlier step, the packages that have new versions and can be upgraded:

apt upgrade -y: This command upgrades all the packages from the previous step and shows a neat progress bar as it proceeds. The -y option answers yes to the confirmation prompt, so the upgrade proceeds without asking you again. (Side Note: This is one example of how apt is more user-friendly than apt-get. You would not see the progress bar in apt-get.)

How Can I Update Ubuntu via the GUI?

Some users may prefer the UI way of upgrading packages as it gives neat visual steps that show the details of the packages in an easy-to-read form and, unlike the CLI, prompts you that a restart of the system is required after install (if needed).
The GUI way of upgrading is easy to do if you have only one or two systems to manage, for personal installations, and only on systems which have GNOME or an alternative desktop available.

In the above section, we had installed Ubuntu Desktop and connected to the system using a VNC Server/VNC viewer. Depending on your system, there are many different ways to get to the GUI.

To upgrade via GUI, open the Ubuntu “Activities” folder and search for the “Software Updater”.

Click on the Details twisty to check the listing and description of the packages that will get upgraded. A dialogue box will appear to ask you for permission to install the updates right now or later. You can also use the checkbox selector to check/uncheck the packages that you want to install. (The equivalent of this in the CLI is to upgrade only the required package instead of a general upgrade on all packages.)

Click “Install Now” to begin the installation.

Once the updated version of Ubuntu and the updated packages are installed on your system, a window may appear asking you to restart your system in order for the changes to take effect.

And after restart, you get confirmation that the computer is up to date!

Update Debian via the CLI

Updating Debian via CLI uses the exact same set of commands as already demonstrated in the Ubuntu section. Ubuntu is the newer operating system based on the older Debian. They are very similar in many aspects and in the context of this article, the same commands for upgrade can be used.

Update Debian via the GUI

In this section, we used the GNOME Desktop that came with the default installation of Debian 10. Depending on your system setup, there may be several ways of getting to the GUI.

So, to get started with upgrades, press the “Super key” on your keyboard. (It is a key with the Windows logo if you are on a Windows machine. If it is an Apple keyboard it is the Command key.) Type "gnome-software" and click on the software icon.
Click on the Updates tab on the popup as shown in the image. If there are updates available, they will show here. Click on Download. Next, it will prompt you for update and restart. Once updated and rebooted you will see a confirmation as below.

Extras & Tips

How to block upgrades on specific packages

Sometimes, there is a need to block specific packages from getting upgraded, as your application may depend on a specific version and upgrading it may have a detrimental effect on the application behaviour. You still want to upgrade all other packages in the system except those specific packages. This is where the apt-mark hold and apt-mark unhold commands come in handy.

In the example below, we do not want to upgrade the Jenkins package as it will break the running Jenkins jobs, so we hold back its upgrade.

    apt-mark hold jenkins
    apt update -y
    apt upgrade -y

Later, when you are ready to upgrade the package, you can execute the following:

    apt-mark unhold jenkins
    apt update -y
    apt upgrade -y

How to perform a dry run to test the configuration

As the name suggests, the --dry-run parameter, which can be combined with (most of) the apt commands, is very useful when you want to check what would happen if you executed an upgrade, without actually running it. The following output lays out what would happen: one new package will be installed, one package will not be upgraded, and a few packages will be upgraded. This lets you do a quick sanity check to see if this is what you really want.

    apt full-upgrade --dry-run
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    Calculating upgrade... Done
    The following NEW packages will be installed:
      libzstd1
    The following packages have been kept back:
      logdna-agent
    The following packages will be upgraded:
      apt dpkg libapt-pkg5.0
    3 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
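
For scheduled upgrades, the dry-run output above can be parsed and used as a gate instead of being read by eye. The following is an added example, not code from the original article: the function names, the policy (stop if anything would be removed or if a listed package would be upgraded) and the choice of `jenkins` as the protected package are assumptions, and the sample input is the article's dry-run output laid out as apt prints it.

```sh
#!/bin/sh
# Added example (not from the article): use a dry run as a gate before an
# automated upgrade. Function names and the policy below are assumptions.

# Constructed sample: the article's dry-run output, laid out as apt prints it.
SAMPLE_DRY_RUN='Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
  libzstd1
The following packages have been kept back:
  logdna-agent
The following packages will be upgraded:
  apt dpkg libapt-pkg5.0
3 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.'

# Print "upgraded new removed kept-back" from apt's summary line (stdin).
# Exit status 1 if the summary line is missing.
summary_counts() {
    awk '/^[0-9]+ upgraded, [0-9]+ newly installed, [0-9]+ to remove and [0-9]+ not upgraded/ {
             print $1, $3, $6, $10; found = 1 }
         END { exit !found }'
}

# Print the packages listed under one section of the plan, one per line.
# $1 is part of the section header, e.g. "have been kept back".
section_packages() {
    awk -v hdr="$1" '
        /^The following / { in_section = (index($0, hdr) > 0); next }
        /^[^ ]/           { in_section = 0 }
        in_section        { for (i = 1; i <= NF; i++) print $i }'
}

# Read a dry-run plan on stdin. $1 is a space-separated list of packages
# that must not be upgraded automatically (normally also put on hold).
# Returns 0 = proceed, 1 = needs review, 2 = output not understood.
check_dry_run() (
    protected=$1
    plan=$(cat)
    counts=$(printf '%s\n' "$plan" | summary_counts) || {
        echo "no summary line found; refusing to proceed" >&2
        return 2
    }
    set -- $counts
    upgraded=$1 new=$2 removed=$3 kept=$4
    if [ "$removed" -gt 0 ]; then
        echo "review: $removed package(s) would be removed" >&2
        return 1
    fi
    for pkg in $protected; do
        if printf '%s\n' "$plan" | section_packages "will be upgraded" |
               grep -qxF -- "$pkg"; then
            echo "review: protected package $pkg would be upgraded" >&2
            return 1
        fi
    done
    echo "ok: $upgraded to upgrade, $new new, $kept kept back"
)

# Run against the sample. On a real host, feed it the live plan instead:
#   LC_ALL=C apt full-upgrade --dry-run 2>/dev/null | check_dry_run "jenkins"
printf '%s\n' "$SAMPLE_DRY_RUN" | check_dry_run "jenkins"
```

A non-zero return is the signal for the automation to stop and hand the plan to a person; the unparseable case is treated as a failure so that a change in apt's output format cannot silently pass the gate.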

Managing kernels that build up in the system over a period of time

A special note should be made regarding kernel upgrades. Every time you upgrade a kernel, a new version of the kernel gets installed. Over a period of time, these kernels can accumulate on the system and consume significant disk space. Whenever a new kernel gets installed as part of the upgrade, you can clean up the old ones. As a best practice you can keep three kernels, the current active one plus two old ones, so that you can fall back to an old one if needed. The Debian package “byobu” has a script “purge-old-kernels” that can be used for this purpose.

    apt install byobu
    purge-old-kernels --keep 3

You can learn more about purge-old-kernels.

To see all the kernels installed on the system, check using:

    dpkg --list | grep linux-image

To see the currently active kernel:

    uname -mrs

In the system below there are three kernels and the active one is the latest version.

Managing automatic upgrades in GUI

Search for the “Software & Updates” application in the GUI.

Click on the Updates tab and, in the drop-down for “When there are security updates:”, select the “Download and Install automatically” option.

The corresponding steps in Debian are very similar:

Click on Update Preferences:

And set it up for automatic upgrade using these options:

Managing automatic upgrades through scripts

Using the "unattended-upgrades" package you can set up the system for automatic upgrades including optional reboot, email notification etc. You can check for details AutomaticSecuri .

Again, the above works when you have a few systems to manage. When you are talking about hundreds of systems with live running applications that cannot afford to be disrupted, you have to come up with a more organized custom approach with regression testing and scheduled downtimes built into your automation scripts.

Managing upgrades in the containerized world

As more organizations move towards microservices and containerization of their applications, the adoption of Ubuntu-based base images for running the microservices and other containers can become a common practice. Here too, patching OS vulnerabilities periodically becomes imperative. The easiest way to handle this is to have a line in the Dockerfile of your service that does the upgrades. This way, every time your Docker image gets built, it is automatically up to date with the latest OS packages.

    # 'full-upgrade' -> installs the newest versions of all packages and intelligently handles changing dependencies with new versions of packages
    # 'autoremove' -> removes packages that were automatically installed to satisfy dependencies of other packages and are no longer needed
    # 'autoclean' -> clears out the local repository of retrieved package files
    RUN apt update && apt full-upgrade -y && apt autoremove -y && apt autoclean -y

This same combination command can be used for automation on server systems.

Managing vulnerabilities that cannot be remediated through upgrade

Sometimes, you can run into situations when the packages do not get upgraded through any of these usual methods and yet your system is left vulnerable. (This can only get caught when you run vulnerability scans against the system.) One such example would be when there are no more new versions available for the package because the OS version has reached EOS/EOL. In such a case, you have to upgrade to the latest OS version; if you need to buy time, another option would be to manually remove that package and install an alternative, if required.

Conclusion

A typical application environment, whether a cloud or on-prem model, contains 100s or even 1000s of systems that need to be kept up to date with respect to operating system patches.
Self-aware organizations should ensure that their security policies mandate timely application of patches that get released periodically from vendors. Keeping OS packages upgraded not only improves your security posture but will also improve the stability and performance of the system. This will take you one step closer to staying compliant with various regulatory certifications like HIPAA, GDPR, SOC2, ISO and so on. And finally, that makes your customers happy!

About the Authors

Mrudula Madiraju

Mrudula Madiraju's technical career spans multiple technologies, domains, customers, services and products. In her current role, she manages the Security Controls and Compliance of the Spark based Analytics Engine service on IBM Cloud. Whenever time permits, she loves to learn and share tidbits of epiphanies through sessions and writings. Connect with her on LinkedIn.

Chetan Bhatia

Chetan Bhatia is a seasoned DevSecurityOps consultant. He is an avid problem solver, and is skilled in Python, Unix scripting, Jenkins and Tekton. Chetan is great at handling crisis situations, and never has to repeat a job more than once. “Automation Automation Automation” is his mantra. He currently leads the DevOps CI/CD pipeline development for the Spark based Analytics Engine service on IBM Cloud. Connect with Chetan on LinkedIn.

Jul 12, 2021, Brittany Day