While it's fun to feel panicky and say you need "anti-virus", "anti-spyware" or a firewall (to burn up most enemies right?) it just doesn't make sense on (desktop) linux.
Unless I'm way off the mark, anti-virus and anti-spyware simply have a cache of "signatures" of files reported by other users / testers that say BugXYZ puts a file in /tmp/axcv with a sum of d379c69fcb3534d9fb539ff1d177ee51. If it detects that, great, it'll delete it.
Sometimes they include potentially useful features like looking in /tmp for executable files or looking for "common patterns" like perhaps a hidden rm -r --no-preserve-root / buried in a script
... But this can be unreliable. I can think of a bunch of ways to conceal such a "detection" method.
This really does not work well. If your computer has malicious self-replicating code on it, it can hide itself in a large number of ways, perhaps wholly undetected by anyone so far - but only in areas it has permission to write to. The real maneuver is to backup everything, delete the whole $HOME directory of that user (and anything it has write access to) and start afresh, then restoring slowly as you examine everything. All good.
If it was installed with root, god help you. It's time to reformat everything that computer has access to (and hopefully it didn't brick it).
Use an adblocker and/or noscript to minimize javascript loading in web pages. Be super cautious about using executable files from the web, make sure other files (media) are not executable, use and install software from repositories you trust (repositories are signed - not software), don't be liberal with world permissions (you know, the last 7 in chmod 777) and simply have a check for yourself, "Is this safe to run?".
Now.. for firewalls. Get the image of a big burning wall out of your mind. It's packet filtering. Your router (that thing that gives you wifi) by default will DROP incoming packets. If you forward incoming packets to your computer, or you are using a laptop in public wifi and are running services that might have a vulnerability (everything does), you can then use the firewall in your computer (iptables or front-ends for iptables if linux) to DROP or have conditions before accepting packets from those particular ports those vulnerable services are listening to (like steam ).
In my opinion, 90% of any malware on computers will be the user loading it themselves (running software from email from whoknowswho, suspicious websites)
9.99% will be users who have their ssh port web accessible and have plain-text passwords enabled
0.01% will be actual exploits
So don't be part of the top two and you'll be fine - without anti-virus, anti-spyware or a firewall.
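As an added illustration of the signature-plus-heuristic approach described in the post above (this is not code from the thread or from any poster), the following POSIX shell script does the two things named there: it lists executable files under a directory such as /tmp and compares their SHA-256 hashes against a signature list of the "hash, label" kind. The sample directory, its files, the "known bad" sample and its hash are all constructed by the script; the variant file, which differs from the known sample by one byte, shows why a hash match is so easy to slip past.

```sh
#!/bin/sh
# Added example: hash-signature scan of executable files, in the spirit of the
# "/tmp/axcv with a sum of ..." detection described above. Everything below
# (directory layout, file contents, signature list) is constructed for the demo.

# List regular files under DIR that carry any execute bit (the "executables in /tmp" heuristic).
list_executables() {
    find "$1" -type f -perm /111 2>/dev/null | sort
}

# scan_signatures DIR SIGFILE
# SIGFILE lines look like "<sha256>  <label>". Prints "<path>  <label>" for every
# executable whose hash is in the list; prints nothing when there is no match.
scan_signatures() {
    list_executables "$1" | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        label=$(awk -v s="$sum" '$1 == s { sub(/^[^ ]+ +/, ""); print; exit }' "$2")
        if [ -n "$label" ]; then
            printf '%s  %s\n' "$f" "$label"
        fi
    done
    return 0
}

# Build a throwaway directory with a benign script, a constructed "known bad"
# script whose hash goes into the signature list, a variant of it with one
# extra byte, and a non-executable text file. Prints the directory path.
make_demo_dir() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho hello\n' > "$d/benign.sh"
    printf '#!/bin/sh\necho constructed-sample\n' > "$d/known.sh"
    printf '#!/bin/sh\necho constructed-sample\n\n' > "$d/variant.sh"
    printf 'plain notes, not executable\n' > "$d/notes.txt"
    chmod 755 "$d"/*.sh
    sha256sum "$d/known.sh" | awk '{ print $1 "  constructed-sample-marker" }' > "$d/signatures.txt"
    printf '%s\n' "$d"
}

# Stand-alone run: only known.sh is reported. variant.sh carries the same
# payload under a different hash, and benign.sh and notes.txt are ignored.
demo=$(make_demo_dir)
scan_signatures "$demo" "$demo/signatures.txt"
rm -rf "$demo"
```

Against a real machine the call is `scan_signatures /tmp /path/to/signatures.txt`; the one-byte variant going unreported is the whole reason the post calls this method unreliable.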
Say something 'bad' got in [github/xyzBank/...] a year ago; it modified more&more over time, but wasn't detected [til now].
What backup date to restore, for each item? What changes were valid vs. corrupt? Infinite journal analysis? (there isn't one 'source': it replicated/mutated/'indirectly' acted/...!)
I'd give up. How would you UNDO this? [rhetorical; *my SiFi imagination*?; don't answer that]
Yup, backed up data is just that, data as it was at a given date (assuming malicious code didn't have write permissions to it later on).
Linux does have a bump though. Don't bother backing up any executables. Any software can be re-obtained later for free or, if it cost money, freely available from a vendor's website. Make a list and run a long apt-get install code (or whatever your package manager is)
Everything else (text files, media) could still be malicious, but there's less of a risk as it's not executable. There could be an exploit in the program to display the media (video / music player) of course.
But unless you've encoded all the media yourself.. you're running this risk anyways.
While it's fun to feel panicky and say you need "anti-virus", "anti-spyware" or a firewall
I'm with you on anti-virus/spyware, but every box should be running a properly configured stateful firewall to protect itself, especially e.g. laptops which tend to connect to untrusted networks, etc.
Also I'm not sure I'd trust the NAT router supplied by my ISP either (likely running some out of date (Linux based) firmware and often with no newer firmware being available).
Quote:
Originally Posted by Sefyir
This really does not work well. If your computer has malicious self-replicating code on it, it can hide itself in a large number of ways, perhaps wholly undetected by anyone so far - but only in areas it has permission to write to.
And then there's privilege escalation. Your browser and in particular JS (as discussed) is one possible vector for this.
Quote:
Originally Posted by Sefyir
9.99% will be users who have their ssh port web accessible and have plain-text passwords enabled
0.01% will be actual exploits
That's probably an oversimplification. Not many boxes will have PermitRootLogin allowed as a default in recent times, (unless someone was running out of date/unpatched/misconfigured software).
...
That's probably an oversimplification. Not many boxes will have PermitRootLogin allowed as a default in recent times, (unless someone was running out of date/unpatched/misconfigured software).
Definitely. My point wasn't to describe how to maximize security, rather to minimize FUD about "needing this and that for protection"
In most cases, the outdated firmware will be enough of a firewall and zero-day exploits will not be used on the home user (privilege escalation tends to be fixed quickly from what I've noticed.)
While PermitRootLogin is typically key-based only by default, how many times do you see users explaining they're using plaintext passwords for their computer?
I had an account "hacked" because I had a misc account with an easy username / password and plaintext passwords enabled with ssh forwarded... oops. Lesson learned.
My advice stays the same, if you're at the stage of considering whether anti-virus is "needed", focus on easier methods of securing yourself.
Once you do that and understand what you're doing, feel free to secure yourself from possible but less likely threats.
While it's fun to feel panicky and say you need "anti-virus", "anti-spyware" or a firewall (to burn up most enemies right?) it just doesn't make sense on (desktop) linux.
And the way to keep it that way is by educating people about the most likely attack vectors and making security as easy as possible for users. We aren't doing the best job of the latter right now, at least with the tools I've seen available on Debian.
As far as I know, there's no firewall frontend that autodetects the ports a user probably needs to keep open, asks them about it, and then blocks the rest, with easy settings for turning email ports off and on, etc.
The other big problem is Chromium (which I prefer to Firefox for speed). In addition to its inherent privacy issues, it depends on a patchwork of quasi open source addons to give users necessary security options. Ublock's security filters should be installed by default, with an additional option to make it block ads as well. I haven't tried using noscript, etc, in a long time, but I'd like to see a "middle way" that only blocks more substantive javascript, though I'm not sure if this is possible.
Also a host firewall is prudent for multiple reasons -
- Newbie distros often install 10gb of packages the user never needs, often several that start listening to ports unless they're disabled.
- Newbies are often young and install games from unreliable sources.
- Newbies often decide to experiment with Apache and SSH and forget (or don't know they need) to disable it
- Ubuntu in particular is trying to normalize extra-repo software. I'm not saying this is a bad move, but it moves things in the direction of Android, and multiplies the amount of vulnerabilities.
- As I said before, you often have multiple smart phones behind the router with you. I see traffic coming at my computer from uninfected smartphones all the time. I don't want them talking to each other.
I'm not as confident in the state of Linux security as Sefyir. It's perfectly secure if you stick to the repo, avoid shady sites, use the correct plugins, and don't leave misconfigured software sitting around. This is probably between 33%-66% of users.
Of course, it's also important to point out that security solutions like anti-virus software are all either scams or overkill at the desktop level. If you want to install, say, Pioneer (which is open source but not in the repos), then you can upload the executable to virustotal before running it. This will provide the same check that something like ClamAV would. After that point, when you get into software that watches what running executables are doing, you're really shooting yourself in the foot. Such things have no place on non-corporate Linux, and probably not in an enterprise environment, either, in my opinion. If your workstations are being used by people who can't be trusted, restrict their privileges.
Edit: I should backtrack on that last point a bit. Not only do I not have experience administering an enterprise environment, but the users you don't trust probably outrank you a lot of the time. In a perfect world maybe my point would stand.
Last edited by crazy-yiuf; 12-01-2016 at 04:41 PM.
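The "properly configured stateful firewall" asked for two posts up, and the host-firewall reasons listed in the post above (forgotten Apache/SSH, packages that start listening, other devices behind the same router), come down to one ruleset: default DROP on input, allow loopback and replies to connections the host opened, and allow only the listening ports you actually want reachable. Here is an added example (not code from the thread or any poster) that generates such a ruleset in iptables-restore format from a caller-supplied port list, and applies it only when explicitly asked and run as root. The port numbers and the comparison with the weak default are the only assumptions.

```sh
#!/bin/sh
# Added example: minimal stateful host firewall as an iptables-restore ruleset.
# The weak setting a default install often has is an INPUT policy of ACCEPT
# (every port a service listens on is reachable from the network); the
# corrected setting is INPUT DROP with explicit exceptions.

# gen_ruleset PORT...  -> prints the ruleset on stdout; returns 1 on a bad port
gen_ruleset() {
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) echo "gen_ruleset: not a port number: '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "gen_ruleset: port out of range: $p" >&2; return 1
        fi
    done
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is needed by local services talking to each other
-A INPUT -i lo -j ACCEPT
# the stateful part: replies to connections this host opened are allowed back in
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# keep basic ICMP working, rate limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
EOF
    # only the ports the caller listed may receive NEW connections
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo COMMIT
}

# apply_ruleset PORT...  -> loads the ruleset into the kernel; needs root
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ruleset: run as root" >&2
        return 1
    fi
    gen_ruleset "$@" | iptables-restore
}

# Stand-alone run: a laptop that only needs sshd reachable (print, do not apply)
gen_ruleset 22
```

Read the output of `gen_ruleset 22` before running `apply_ruleset 22`, and add ports only for services you know you run; a port you never list stays closed even if some package starts a daemon on it. The rules are not persisted across reboots by this script; Debian and Ubuntu ship iptables-persistent for that, and a machine on nftables can load the same semantics via iptables-nft.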
Quote:
Originally Posted by sundialsvcs
Basically, there are exactly three things that Linux (and Windows!) users must always be aware of, and must always do.
If you do these things, then you will remain safe from malware:
(1) Do not install "anti-virus" or "anti-malware" software!
Because these tools are designed to be very invasive ... able to read anything on your system, ostensibly to check to see if it has malware in it ... they are a favorite vector for the installation(!) of malware.
(2) Do not allow your "everyday login account" to be an Administrator.
In Win-doze, that's literally "Administrator." In Linux, that's "a member of the wheel group." Your ordinary, everyday account should be incapable(!) of "becoming Superman." This is a variation of the Principle of Least Privilege. If you "wear many hats," then set up an (ordinary ...) separate user-id for each one of them. Set aside exactly one user-id to be capable of becoming Root.
(3) Regular, thorough backups, running all the time.
Apple made this very easy for Macintosh users with their Time Machine, but Linux solutions (also based on rsync) also exist or can be fairly-readily made. Backups are made automatically and frequently, and stored in a directory on a separate external drive which cannot be directly accessed (at least, not in read/write mode) by anyone.
Windows users actually do have access to a very fine(!) backup utility, although Microsoft has fairly-buried it and has never made it easy to use. Don't ask me why.
- - - - -
Always remember that digital computers are not 'biological!' They cannot "catch" things, or "become infected."
Computer intrusions are almost always a crime of opportunity. "The mischief-maker doesn't know you from Adam/Eve, but their automatic 'bot caught you with your pants down." A classic analogy is the "pizza-box cat burglar," who walked through tony neighborhoods carrying a pizza box. He simply tried the front door ... finding, in a useful number of cases, that it was unlocked! And so on ...
While I could not agree with you more on your last 2 points; how would you actually come to know if you are infected in the first place, without any anti-virus/anti-malware software installed to check with??
While I could not agree with you more on your last 2 points; how would you actually come to know if you are infected in the first place, without any anti-virus/anti-malware software installed to check with??
First of all, since you are a "powerless user" (your name is not Clark Kent ...), and because you know (of course you do ... don't you ...) that none of the software you run is capable of "updating itself" without requiring elevated privileges ...
... the only thing that any "malware" can touch is those files that you can modify, because it can never find a way to gain elevated privileges.
And furthermore, the only thing that any such files, even once surreptitiously modified, can actually do, is "nothing more or less than what you can do ... which is 'basically nothing.'"
And... all of those files are (of course they are, right?) continuously being backed-up to a repository that you cannot(!) modify.
Of course you run "ad blockers," so that software can't just come waltzing in to your system to do who-knows-what (albeit, still constrained by your own privilege level), ostensibly just to entertain and pester you.
So ... you've pretty much shut-down the possibilities here. "Opportunistic" malware isn't going to find much opportunity.
Always remember(!): "There is no digital analog to the biological process of 'infection.'" The only thing that we have are "rogue programs," executing necessarily, 'as "you",' but without your knowledge or consent." Due to your continued vigilance, these programs cannot gain elevated privilege, and will not find a barn gate unlocked.
Always playing the odds against millions of equally-accessible internet targets, they will move silently on to their next potential victim.
Last edited by sundialsvcs; 12-02-2016 at 08:22 PM.
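The "powerless user" argument above, and point (2) of the quoted list (your everyday account must not be in the wheel group), can be checked rather than assumed. Here is an added example (not code from the thread or any poster) that audits who can become root through group membership (wheel on Red Hat style systems, sudo or admin on Debian style) and which sudoers lines grant passwordless sudo. The group and sudoers snippets in the script are constructed for the demo; on a real host the same functions read /etc/group and /etc/sudoers.

```sh
#!/bin/sh
# Added example: audit which accounts can "become Superman". Group and sudoers
# contents below are constructed; on a real system pass /etc/group and
# /etc/sudoers (the latter is root-readable only, and /etc/sudoers.d/* counts too).

# admin_members GROUPFILE -> members of wheel/sudo/admin, one per line, unique, sorted
admin_members() {
    awk -F: '$1 == "wheel" || $1 == "sudo" || $1 == "admin" {
                 n = split($4, m, ",")
                 for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
             }' "$1" | sort -u
}

# user_is_admin USER GROUPFILE -> exit 0 if USER is in one of those groups
user_is_admin() {
    admin_members "$2" | grep -qx "$1"
}

# nopasswd_entries SUDOERSFILE -> sudoers lines granting passwordless sudo (comments skipped)
nopasswd_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD' || true
}

# Constructed /etc/group and /etc/sudoers stand-ins; prints the directory path.
make_demo_files() {
    d=$(mktemp -d)
    cat > "$d/group" <<'EOF'
root:x:0:
wheel:x:10:alice,bob
sudo:x:27:alice
users:x:100:alice,bob,carol
EOF
    cat > "$d/sudoers" <<'EOF'
# constructed sudoers snippet
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
bob     ALL=(ALL) NOPASSWD: ALL
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: alice and bob can become root; carol is an ordinary user;
# bob does not even need a password for it.
demo=$(make_demo_files)
echo "accounts that can become root via group membership:"
admin_members "$demo/group"
echo "passwordless sudo entries:"
nopasswd_entries "$demo/sudoers"
rm -rf "$demo"
```

The quick version for the account you are logged in as is `id -nG` (look for wheel, sudo or admin in the list) and `sudo -l`; if your everyday login shows up in `admin_members /etc/group`, the thread's advice is to move that capability to a separate user-id.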
How would you actually come to know if you are infected in the first place, without any anti-virus/anti-malware software installed to check with??
This is a fair question.
The answer is to know what your system is like when it's normal, and to notice if "unusual behavior" occurs.
After all, you shouldn't be worried about a lot of traffic on a webserver, nor worried about cpu spikes when playing games.
But cpu spikes on a webserver or a lot of traffic when playing games could be an indicator that something is up (please don't mention traffic with online games).
If you've configured a lot of cronjobs with a lot of different users, having a lot of cronjobs in /var/log/auth.log is ok. But if some old user suddenly starts running cronjobs every hour.. something is up.
There are of course a lot of tools to help you identify what's going on.
Most of these are not newbie friendly and expect you to know what the output is. There are of course, an approaching infinity of guides for every tool online.
Which I suspect is why anti-virus and just hoping everything is ok.. is such a common method.
However, if you won't take the time monitoring what's happening, at least be aware of that when you make decisions like "should I open this executable binary file" rather than thinking.. "Oh, I have anti-virus, I'll be ok".
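The cron example in the post above (an old user suddenly running jobs every hour) is a good case for "know what normal looks like", because cron writes one pam_unix(cron:session) line per job to /var/log/auth.log on Debian style systems. Here is an added example (not code from the thread or any poster) that counts cron sessions per user from such a log and flags any user who is not in a baseline list you supply. The log lines it uses are constructed, not from a real host; the baseline list is an assumption you would replace with your own.

```sh
#!/bin/sh
# Added example: baseline check of cron activity from auth.log style lines.
# The sample log below is constructed. Newer pam versions log the user as
# "user root(uid=0)"; the awk strips that suffix so both forms are counted.

# Writes a constructed auth.log and prints its path.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Dec  1 04:00:01 host CRON[1201]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec  1 04:00:02 host CRON[1201]: pam_unix(cron:session): session closed for user root
Dec  1 05:00:01 host CRON[1340]: pam_unix(cron:session): session opened for user backup by (uid=0)
Dec  1 06:00:01 host CRON[1402]: pam_unix(cron:session): session opened for user olduser by (uid=0)
Dec  1 07:00:01 host CRON[1455]: pam_unix(cron:session): session opened for user olduser by (uid=0)
Dec  1 08:13:22 host sshd[1500]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
EOF
    printf '%s\n' "$f"
}

# cron_sessions_by_user LOG -> "<count> <user>" per user, sorted by user name
cron_sessions_by_user() {
    awk '/CRON\[[0-9]+\]: pam_unix\(cron:session\): session opened for user / {
             for (i = 1; i <= NF; i++) {
                 if ($i == "user") { u = $(i+1); sub(/\(.*$/, "", u); n[u]++; break }
             }
         }
         END { for (u in n) printf "%d %s\n", n[u], u }' "$1" | sort -k2
}

# flag_unexpected_cron LOG USER... -> one line per user with cron sessions
# who is not in the baseline list given as the remaining arguments
flag_unexpected_cron() {
    log=$1; shift
    cron_sessions_by_user "$log" | while read -r count user; do
        known=no
        for e in "$@"; do
            if [ "$e" = "$user" ]; then known=yes; fi
        done
        if [ "$known" = no ]; then
            printf '%s ran %s cron session(s) but is not in the baseline\n' "$user" "$count"
        fi
    done
    return 0
}

# Stand-alone run: root and backup are expected, olduser is not.
sample=$(write_sample_log)
cron_sessions_by_user "$sample"
flag_unexpected_cron "$sample" root backup
rm -f "$sample"
```

On a live system the call is `flag_unexpected_cron /var/log/auth.log root backup` with your own list of users that are supposed to have cron jobs; the first time you run it is where you learn what "normal" actually is on that box.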
Quote:
Originally Posted by sundialsvcs
First of all, since you are a "powerless user" (your name is not Clark Kent ...), and because you know (of course you do ... don't you ...) that none of the software you run is capable of "updating itself" without requiring elevated privileges ...
... the only thing that any "malware" can touch is those files that you can modify, because it can never find a way to gain elevated privileges.
And furthermore, the only thing that any such files, even once surreptitiously modified, can actually do, is "nothing more or less than what you can do ... which is 'basically nothing.'"
And... all of those files are (of course they are, right?) continuously being backed-up to a repository that you cannot(!) modify.
Of course you run "ad blockers," so that software can't just come waltzing in to your system to do who-knows-what (albeit, still constrained by your own privilege level), ostensibly just to entertain and pester you.
So ... you've pretty much shut-down the possibilities here. "Opportunistic" malware isn't going to find much opportunity.
Always remember(!): "There is no digital analog to the biological process of 'infection.'" The only thing that we have are "rogue programs," executing necessarily, 'as "you",' but without your knowledge or consent." Due to your continued vigilance, these programs cannot gain elevated privilege, and will not find a barn gate unlocked.
Always playing the odds against millions of equally-accessible internet targets, they will move silently on to their next potential victim.
While I see your point (and for the most part, do agree with it) there is still no 100% secure system in the world (including Linux), therefore there is no guarantee that, say for example (as was the case for Linux Mint, from memory) that someone would not hack into an official download site and install malware into the ISO image/software package for example (but not limited to).
A better example of the point I'm trying to make would be a virus found on the Gnome-Look.org site, which was masquerading as a screen saver. See http://www.omgubuntu.co.uk/2009/12/m...ver-for-ubuntu if you don't believe me.
I do agree with you that, Linux is a LOT more secure than other systems (it's one of the main reasons I use it, in the first place) but if it's designed by humans, it's never going to be perfect.
But the point remains the same. So once again, if you did not have any protection installed, how would you know until it's too late? The idea of malware protection software is to catch malware, BEFORE it has a chance to infect your system/on the way IN!
As it's too late once it already has infected your system!
Well, the download images and packages and so-forth are digitally signed, which is why the "public key" used by a distro is updated from time to time. The integrity of the package is verified before its contents are used.
You continue to use the word, "infect." That's a biological term. It implies that, if I send a piece of malicious software to you, your computer will install it, without your knowledge, unless you run software that's supposed to act like a digital "immune system." That is not a valid analogy.
Easily, the most convenient way to install software on your machine and to have it be running is to embed it within the JavaScript that is running an innocuous-looking advertisement. (Which is why I block every advertisement from a web-site.) But, even so, that software "runs as you."
The most critical thing that you must ensure is that rogue software cannot gain elevated privileges. "Windows Home Edition" users are administrators, and it is difficult for them to be otherwise, and Microsoft never says a thing about the potential danger. Many Linux users are by-default members of the wheel group, which means that "root access" needs only their login password. These are vulnerabilities that no "scanner" can prevent: it is intrinsic to the way that they have set up their machines and their own access privileges.
"Anti-virus software" is sold just because it "feels good." Because it makes you somehow feel that you are doing something that is both necessary and prudent. And yet, what one piece of software "has access to everything?" You got it: the "anti-virus software" itself. These packages have been exploited to create vectors on many occasions.
I guess it's the same reasoning that enables pharmacies in the United States to sell "flu shots" to get a quick $25.00 profit from an 8¢ injection that won't do you any good anyhow.
Last edited by sundialsvcs; 12-06-2016 at 08:57 AM.
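The post above answers the tampered-ISO worry with signatures and checksums, and that is a check you can actually run rather than something a scanner does for you. Here is an added example (not code from the thread or any poster) that verifies a downloaded image against a SHA256SUMS file of the kind distros publish. The image and the sums file it uses are constructed stand-ins; the real caveat, kept in the comments, is that the SHA256SUMS file must itself be verified against the distro's signing key (gpg --verify SHA256SUMS.gpg SHA256SUMS, with the key obtained separately), because a site that can swap the ISO can swap the sums too.

```sh
#!/bin/sh
# Added example: check a download against a SHA256SUMS file. This only proves
# the file matches what the SHA256SUMS file says; verify SHA256SUMS with
# gpg --verify SHA256SUMS.gpg SHA256SUMS first, using the distro's key obtained
# separately. Files below are constructed for the demo.

# verify_download FILE SUMSFILE
#   exit 0 on match, 1 on mismatch, 2 when SUMSFILE has no entry for FILE.
#   Handles both "hash  name" and "hash *name" (binary mode) entry formats.
verify_download() {
    file=$1; sums=$2
    name=$(basename "$file")
    expected=$(awk -v f="$name" '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (expected $expected, got $actual)" >&2
    return 1
}

# Constructed stand-in for an image plus its SHA256SUMS; prints the directory path.
make_demo() {
    d=$(mktemp -d)
    printf 'constructed stand-in for an ISO image\n' > "$d/demo.iso"
    sha256sum "$d/demo.iso" | awk '{ print $1 "  demo.iso" }' > "$d/SHA256SUMS"
    printf '%s\n' "$d"
}

# Stand-alone run: the untouched file passes, then one appended byte fails it.
demo=$(make_demo)
verify_download "$demo/demo.iso" "$demo/SHA256SUMS"
printf '!' >> "$demo/demo.iso"
verify_download "$demo/demo.iso" "$demo/SHA256SUMS" || echo "verification failed with status $?"
rm -rf "$demo"
```

For a real download the call is `verify_download ~/Downloads/distro.iso ~/Downloads/SHA256SUMS` after the gpg step; a status of 2 usually means you grabbed the SHA256SUMS file for a different release.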
But the point remains the same. So once again, if you did not have any protection installed, how would you know until it's too late? The idea of malware protection software is to catch malware, BEFORE it has a chance to infect your system/on the way IN!
I agree that we should be cautious about the possibility of malware sneaking into the repos, as I mentioned earlier in this thread. However, I completely disagree that this is any argument for anti-malware software. The cure is worse than the disease - degrading performance that is likely to (either directly or indirectly) lead to more vulnerabilities and a false sense of security, and rarely does much good.
The repos already get scanned for viruses, and there are security experts out there watching the behavior of common packages with state of the art tools. We will know fast if malware makes it into the testing repos. If the malware is so insidious that the experts don't detect it, then your own personal antivirus sure isn't going to catch it, either.
The best medicine is:
- Secure defaults
- Tools that keep those defaults from causing newbies grief
- Easy to use tools for more advanced users who need them (firewall, configuration auditing, etc.)
Quote:
I guess it's the same reasoning that enables pharmacies in the United States to sell "flu shots" to get a quick $25.00 profit from an 8¢ injection that won't do you any good anyhow.
I hadn't heard anything about flu shots being ineffective, but I skipped getting one this year. I've noticed an annual doubling in price - ridiculous.