So I could recommend a distro, as you asked (which would be Ubuntu) but instead I believe what’s better is making the switch… small!
In practice that means safety net and familiarity all around :
backup your data
backup your data… and not, that’s not a mistake, truly do it, now. Before you try something new, and scary. In fact… don’t touch your computer, get another one, a cheap one like a RPi4 or a relatively old laptop that a colleague hasn’t used for years.
copy, don’t move, your data to whatever distribution you picked
ideally have a dedicated hard drive in there for JUST the data, NOT the OS
play… have fun, truly. Try to use YOUR data, I mean the copy you have now that you don’t even care if you lose, and try to use them with the stock software that comes with your distribution, e.g OpenOffice or Blender or Kdenlive, or whatever you are into
delete it all! Don’t be afraid, you can do it, you have copies anyway
do it, again, again, keep a logbook or wiki or .doc file where you write down what you learn
rinse and repeat
this way you should find YOUR distribution in no time and you won’t be afraid of messing up!
Honestly it’s a fun adventure. I’ve been learning Linux and CLI tools decades ago and I’m still learning to this day so do not assume there is one solution you can find today and move, it’s a process, a long one, but a really empowering one IMHO.
That’s really what I’m doing on my debian server where I host my docker containers.
I don’t care if I brick my system while playing arround because every day at 00:00 a crontab job dumps all my database and saves all my docker volumes and docker-compose to an external HD and saves most important dotfiles and wireguard configuration.
Back Up and running in 30 min !
2 years in, still going strong and learning everyday something new, keeping everything I learn in a markdown file.
Personal CA with self-signed certificate by an intermediate CA chain
Wireguard tunnel routing all my devices traffic to protonVPN
Alot of docker stuff
Alot of networking stuff (DNS, cryptography…)
LVM, bash…
…
Wild ride, sometimes alot of frustration, but what an empowering experience !
Yup. I think I needed to manually install the touch keyboard. But once installed, it works as expected. Touch the screen or remove the physical keyboard, and touch mode gets activated. Whenever touching a text field, the soft keyboard pops out. It’s massive, though (well, about the same size as the one for Windows).
I have a Surface Laptop 5 as my work laptop. I hate it with passion, it’s one of the worst laptops I ever used.
Beyond the lack of IO (not even a fucking hdmi port) and the piss poor cooling, the USB C display isn’t connected to the integrated GPU, it uses a different display adapter that is so bad the mouse stutters on high res displays.
The built-in display has a 3:2 aspect ratio. I wanted to use a lower resolution so I could disable scaling (having different scaled monitors is annoying to use), none of the “supported” lower resolutions are 3:2 and they all have ugly black bars.
It has a touch screen, but the lid only opens about 120 degrees, making it completely useless.
And it uses “special” locked down hardware that is very hostile to other operating systems like Linux.
I don’t think surface would make for a good work laptop, but I have amazing experience so far with using it for the ocassional traveling, or just as a carry-on.
I just Parsec into my desktop at home, and can comfortably work without having to deal with performance, and Surface is amazing for that.
I also really like the pen support, so I can make notes or draw bascially anywhere.
And I also use it for DJing, where it works pretty well and is compact enough to not be a bother carrying it around.
I guess this is to figure out what is also possible on Linux, and getting to know that not all problems or missing features apply to other distros.
Sometimes you can lwarn amazing stuff, like a KDE distro can be customized to your liking while a Gnome desktop is a nearly forced workflow and design but can be slightly changed with buggy extensions.
Distro Hopping seems to be such a big part of the “Linux experience.”
It’s not, it’s just a way to find the distro that suits you best.
If you’re already satisfied with what you have, there’s no reason to change and you’re not missing out on anything. If you’re ever curious about other distros, install Virtualbox and try them in a VM.
I stopped distro hopping years ago when I started using Linux MX (Debian based), I’m so happy with it that I have no intention to change ever again.
The only other distro I really like is LMDE (Mint based on Debian instead of Ubuntu), so I put that one on my laptop (MX on my gaming desktop).
Seriously, unless you are extremely specialized and know exactly what you are doing, IMHO the answer is: Always (and even being extremely specialized, I would still enable a firewall. :-P)
Operating systems nowadays are extremely complex with a lot of moving parts. There are security relevant bugs in your network stack and in all applications that you are running. There might be open ports on your computer you did not even think about, and unless you are monitoring 24/7 your local open ports, you don’t know what is open.
First of all, you can never trust other devices on a network. There is no way to know, if they are compromised. You can also never trust the software running on your own computer - just look at CVEs, even without malicious intentions your software is not secure and never will be.
As soon as you are part of a network, your computer is exposed, doesn’t matter if desktop/laptop, and especially for attacking Linux there is a lot of drive by attacks happening 24/7.
Your needs for firewalls mostly depend on your threat model, but just disabling accepting incoming requests is trivial and increases your security by a great margin. Further, setting a rate limit for failed connection attempts for open ports like SSH if you use this services, is another big improvement for security. (… and of course disabling password authentication, YADA YADA)
That said, obviously security has to be seen in context, the only snake oil that I know of are virus scanners, but that’s another story.
People, which claim you don’t need a firewall make at least one of the following wrong assumptions:
Your software is secure - demonstrably wrong, as proven by CVEs
You know exactly what is running/reachable on your computer - this might be correct for very small specialized embedded systems, even for them one still must always assume security relevant bugs in software/hardware/drivers
Security is a game, and no usable system can be absolutely secure. With firewalls, you can (hopefully) increase the price for successful attacks, and that is important.
You may also want to check up on regulations and laws of your country.
In Belgium, for instance, I am responsible for any and all attacks originating from my PC. If you were hacked and said hackers used your computer to stage an attack, the burden of proof is upon you. So instead of hiring very expensive people to trace the real source of an attack originating from your own PC, enabling a firewall just makes sense, besides making it harder on hackers…
That’s a strange law. That’s like saying one should be held responsible for a thief stealing their car and then running over someone with it (well, perhaps an argument could be made for that, but I would disagree with it).
Seriously, unless you are extremely specialized and know exactly what you are doing, IMHO the answer is: Always
In what capacity, though? I see potential issues with both server firewals, and client firewalls. Unless one wants their devices to be offline, there will always be at least one open port (for example, inbound on a server, and outbound on a client) which can be used as an attack vector.
oh, sorry about that, I didn’t realize this could be bad for mobile users. All I needed was a command that could display all system info like distro name and version, kernel version, DE version, etc, I didn’t necessarily need the distro logo and some other useless info in there.
the little effort involves taking the piss, just taking ourselves less seriously, we’re only messing around online. And btw no info in neofetch is relevant :P
Surface Laptop 3 running Kubuntu, such an improvement over what it was “designed” for.
I’m sure it is an improvement until… you’ve to use Wine to run something Windows only or a VM and end up on the exact same spot as initially but with extra steps and less performance. 😂 😂 😂
Except battery lasts more on Linux. Not to mention suspend ACTUALLY works, and won’t wake at random times while in your backpack and kill your battery before you can actually use it when you need it. Which Windows does. And yeah, most people do NOT need anything specific from Microsoft to be productive.
If every day is 1 min faster and 1 day a week is 5 min slower, that’s still a net gain. And that’s assuming that they need to run a windows-only app which a surprising amount of people don’t.
Like what, what format would this be? Regardless every company I have ever worked for issue me a laptop with windows anyway, so why would the OS I choose to use on hardware I own be a factor for work? Even then, if they didn’t I don’t know of any format that I would need that would be an issue.
Not sure about your life, but I don’t count things I enjoy as “work” especially when its not work. I enjoy using Linux, I enjoy my home lab why should I need to justify it when it brings me joy? Linux works for me and my workflow, just because it doesn’t work for yours, don’t try to shit on other people.
No no, no justification required :). It isn’t also about working or not for me. It is just that there’s a bunch of people arguing around here that Linux (desktop) is great for every use case be it work or play under any circumstance, while it isn’t.
I never made such a comment. Gaming, for me is a big reason why I only have windows installed on my PC (and adobe) there are games which work on Linux (either natively or with Proton) but some games I play, don’t. Theres no point in me dual booting as, let’s be honest, dual booting just adds more steps and overcomplicates things. I use Linux on my laptop as the alternatives I use (Darktable and Kdenlive) are more than good enough for when I’m on my laptop (its not exactly a powerhouse) but when I’m on my desktop I want to use Lightroom, Photoshop and DaVinci Resolve as they are more refined and fit my workflow better.
Unraid on my server is just because its exactly what I need.
You’re in a Linux community here man, you’re going to be outnumbered. I think people here genuinely don’t rely on Windows stuff as much as you think.
Last time I needed Windows was a few years ago when I wanted to do a firmware upgrade to my guitar processor. In the meantime I upgraded to one that itself runs Linux :)
I think lots of people exaggerate their need for certain apps. I understand if you need Photoshop for work because it may be the best tool for the job and an industry standard, but some people swear they “need” it when all they do is apply blur or red eye reduction to a picture once every 3 years. Nowadays you can probably do that in dozens of other ways.
I’ve been Linux only since late 2015 and in this time I “needed” a Windows VM ~ 2 times, but ofc personal experiences can vary greatly.
I don’t need it for windows applications, its basically something I can use for light photo and video editing and uploading to my server, all the heavy lifting is done on my PC which has windows because of adobe and better support for X264 and X265 when video editing.
Well in that case; My windows PC falls back to a server running Linux as that’s where all my files are, where my docker containers and VMs all run off… I can spin up a new PC in minutes (windows or Linux) as everything is done off the server, including staging my devices.
…yes, but that’s a minority of the time. Cumalitively the slightly bad experience averages out with the 99% of the time better experience to be solidly superior
It doesn’t. If you’re running a laptop with a local web server for development, you wouldn’t want other devices in i.e. the coffee shop WiFi to be able to connect to your (likely insecure) local web server, would you?
If one is hosting a webserver on port 80, for example, they are going to poke a hole in their router’s NAT at port 80 to open that server’s port to the public. What difference does it make to then have another firewall that needs to be port forwarded?
Who is “they”? What about all the other ports?
Imagine a family member visits you and wants internet access in their Windows laptop, so you give them the WiFi password. Do you want that possibly malware infected thing poking around at ports other than 80 running on your server?
Obviously you shouldn’t have insecure things listening there in the fist place but you don’t always get to choose whether some thing you’re hosting is currently secure or not or may not care too much because it’s just on the local network and you didn’t expose it to the internet.
This is what defense in depth is about; making it less likely for something to happen or the attack less potent even if your primary protections have failed.
#3 is a strange one – what sort of malicious behaviour could even be done to a device with no firewall? If you have no applications listening on any port, then there’s nothing to access
Mostly addressed by the above but also note that you likely do have applications listening on ports you didn’t know about. Take a look at sudo ss -utpnl.
#5 is the only one that makes some sense; if you install a program that you do not trust (you don’t know how it works), you don’t want it to be able to readily communicate with the outside world unless you explicitly grant it permission to do so. Such an unknown program could be the door to get into your device, or a spy on your device’s actions.
It’s rather the other way around; you don’t want the outside world to be able to talk to untrusted software on your computer. To be a classical “door”, the application must be able to listen to connections.
OTOH, smarter malware can of course be something like a door by requesting intrusion by itself, so outbound filtering is also something you should do with untrusted applications.
People seem to treat it as if it’s acting like the front door to a house, but this analogy doesn’t make much sense to me – without a house (a service listening on a port), what good is a door?
I’d rather liken it to a razor fence around your house, protecting you from thieves even getting near it. Your windows are likely safe from intrusion but they’re known to be fragile. Razor fence can also be cut through but not everyone will have the skill or patience to do so.
If it turned out your window could easily be opened from the outside, you’d rather have razor fence in front until you can replace the window, would you?
If you’re running a laptop with a local web server for development, you wouldn’t want other devices in i.e. the coffee shop WiFi to be able to connect to your (likely insecure) local web server, would you?
This is a fair point that I hadn’t considered for the mobile use-case.
Imagine a family member visits you and wants internet access in their Windows laptop, so you give them the WiFi password. Do you want that possibly malware infected thing poking around at ports other than 80 running on your server?
Fair point!
note that you likely do have applications listening on ports you didn’t know about. Take a look at sudo ss -utpnl.
Interesting! In my case I have a number of sockets from spotify, and steam listening on port 0.0.0.0. I would assume, that these are only available to connections from the LAN?
It’s rather the other way around; you don’t want the outside world to be able to talk to untrusted software on your computer. To be a classical “door”, the application must be able to listen to connections.
OTOH, smarter malware can of course be something like a door by requesting intrusion by itself, so outbound filtering is also something you should do with untrusted applications.
It could also be malicious software that simply makes a request to a remote server – perhaps even siphoning your local data.
If it turned out your window could easily be opened from the outside, you’d rather have razor fence in front until you can replace the window, would you?
In my case I have a number of sockets from spotify, and steam listening on port 0.0.0.0. I would assume, that these are only available to connections from the LAN?
That’s exactly the kind of thing I meant :)
These are likely for things like in-house streaming, LAN game downloads and remote music playing, so you may even want to consider explicitly allowing them through the firewall but they’re also potential security holes of applications running under your user that you have largely no control over.
The time I spent “distro hopping” back in high school was because I didn’t have the balls to commit to a single distro. Even then the only time I actually switched was when I made a config change that blew up in my face so badly I needed to reinstall anyway.
If you’ve found a setup you’re happy with, by all means, stick with it. You’re not missing out on much by not voluntarily erasing your boot drive and installing an entirely new OS every week or so for no reason other than it looked cool.
(If you’re about to suggest dual booting multiple Linux distros, no. Just stop. I tried that once. You would not believe how many issues are caused by sharing a ~/.config between two systems with slightly different versions of the same software.)
For me, it’s primarily #5: I want to know which apps are accessing the network and when, and have control over what I allow and what I don’t. I’ve caught lots of daemons for software that I hadn’t noticed was running and random telemetry activity that way, and it’s helped me sort-of sandbox software that IMO does not need access to the network.
Not much to say about the other reasons, other than #2 makes more sense in the context of working with other people: If your policy is “this is meant to be an HTTPS-only machine,” then you might want to enforce that at the firewall level to prevent some careless developer from serving the app on port 80 (HTTP), or exposing the database port while they’re throwing spaghetti at the wall wrestling with some bug. That careless developer could be future-you, of course. Then once you have a policy you like, it’s also easier to copy a firewall config around to multiple machines (which may be running different apps), instead of just making sure to get it consistently right on a server-by-server basis.
So… Necessary? Not for any reason I can think of. But useful, especially as systems and teams grow.
linux
Hot
This magazine is from a federated server and may be incomplete. Browse more on the original instance.