LinuxQuestions.org > Linux - Laptop and Netbook > viruses/malware etc: Is my Debian GNU/Linux system protected? (https://www.linuxquestions.org/questions/linux-laptop-and-netbook-25/viruses-malware-etc-is-my-debian-gnu-linux-system-protected-4175417318/)

edbarx 07-17-2012 11:57 PM

viruses/malware etc: Is my Debian GNU/Linux system protected?

Reading a current thread from forums.debian.net about multiplatform viruses and malware, I am becoming preoccupied that my Debian system is vulnerable. The problem is accentuated even further because I use Gnu/Linux exclusively for all my computing needs. In other words I access my bank accounts online, I pay my bills online, etc.

The State of My System:
a) I make regular updates to keep up with any security updates
b) I have arno-iptables firewall enabled
c) I have all ports closed
d) I use privoxy to filter unwanted web-content (i.e. ads, etc.)
e) I use Adblock Plus
f) I use iceweasel aka Firefox.

Is my system protected against multiplatform scumware? The shivers I used to have when I still used MS Windows are starting to haunt me again.

towheedm 07-18-2012 12:20 AM

I believe the malware you're referring to is Java related. Of course, you can always install an anti-virus app.

edbarx 07-18-2012 01:00 PM

Quote:

Originally Posted by towheedm (Post 4731288)
I believe the malware you're referring to is Java related. Of course, you can always install an anti-virus app.

GNU/Linux is different from Windows; I don't imagine it requires the same scanning regimen as Windows. This should mean there are other, more suitable solutions.

k3lt01 07-18-2012 02:41 PM

Quote:

Originally Posted by edbarx (Post 4731271)
Is my system protected against multiplatform scumware? The shivers I used to have when I still used MS Windows are starting to haunt me again.

Paranoia seems to be the biggest problem here, don't you think? The thing with "multiplatform" malware is it is exactly that, "multiplatform". If you travel around the internet doing stupid things you will get stung, but it will most likely just infect the application that it was designed to enter the system through. If you run as root without need you will allow things to enter your system even easier. The trick is not to do stupid things and only run as root for things like updating etc. Keep your system up to date (daily) and you can be 99% sure (this is a figure of speech, not a guarantee) that your system is as secure as it can be. There is always more you can do, but being careful is the best protection.

edbarx 07-18-2012 04:13 PM

Quote:

Originally Posted by k3lt01 (Post 4731942)
Paranoia seems to be the biggest problem here, don't you think? The thing with "multiplatform" malware is it is exactly that, "multiplatform". If you travel around the internet doing stupid things you will get stung, but it will most likely just infect the application that it was designed to enter the system through. If you run as root without need you will allow things to enter your system even easier. The trick is not to do stupid things and only run as root for things like updating etc. Keep your system up to date (daily) and you can be 99% sure (this is a figure of speech, not a guarantee) that your system is as secure as it can be. There is always more you can do, but being careful is the best protection.

I was of the opinion expressed in this post, but a thread in offtopic on forums.debian.net argued that a compromised executable may lead to an escalation of privileges, and to stress his point, the poster insisted that this should not be very difficult to accomplish. So, definitely, it is not paranoia on my part but on forums.debian.net, and I am becoming preoccupied because that forum is renowned for good quality threads.

towheedm 07-18-2012 07:15 PM

http://www.zdnet.com/cross-platform-...ux-7000000656/

k3lt01 07-18-2012 07:18 PM

Edbarx, when I say don't do stupid things that also means only use trusted packages. If you go and do the "typical Windows thing" and install packages of unknown quality you can indeed install a compromised package. The thing is, with Debian you have everything available that you will most probably need. There is, for the most part, no need (unless of course you want to go beyond a simple Debian system) to install things outside of Debian's repositories. There are some repositories that are trustworthy, Debian Multimedia is a good example, but it is always a good idea to only use trusted sources.

jefro 07-18-2012 10:08 PM

Why don't you use a live cd?

If you need to protect the system then don't connect it to the internet and don't use untested media in it like USB or CD.

edbarx 07-18-2012 11:16 PM

Since the threat, apparently, is Java related, an application which monitors and, if necessary, blocks Java executables from running should be enough.

I opened this thread because I would like to know how realistic the claim that GNU/Linux can be compromised by malware, viruses and any form of scumware really is. I only install packages from debian.org, from debian-multimedia and from an official Debian mirror situated in France. Moreover, I install packages through apt (requiring the root password) and I don't do desktop or window manager root logins. I only have sudo enabled for a single script I created myself, placing it in /sbin. I changed the script's permissions to match those of the executables found in /sbin, adding the limitation that only root can read and write to the script.

I have a very stringent policy of keeping with reliable sources and I don't judge a source's reliability myself.

ReaperX7 07-18-2012 11:49 PM

If you need antivirus and antimalware tools for Linux, ClamAV and RKHunter are the best tools you can use. Linux isn't as prone to getting malware because it's a minority OS and has hundreds of varied distributions, but that doesn't mean that it's completely invulnerable to being attacked in the future.

Your best bet, if you feel the need, is to just get protection tools, run them regularly to scan for problems, and be active in your system's security administration.

unSpawn 07-19-2012 04:59 AM

Quote:

Originally Posted by k3lt01 (Post 4731942)
Paranoia sems to be the biggest problem here don't you think?

Let's give it a less negative spin and say it's a problem of knowing your enemies?


Quote:

Originally Posted by k3lt01 (Post 4731942)
If you travel around the internet doing stupid things you will get stung

That's only partly true.

Take for instance the cases of compromised sources. Distribution maintainers use upstream sources to create distribution packages. In more than a few cases (tcpdump (2002), Sendmail (2006), Unreal IRCd (2010), ProFTPd (2010), kernel.org (2011)), but excluding the kernel.org case, attackers got away with injecting foreign code in source archives. Most of this boils down to a different kind of stupidity: developers, distributors and end-users placing implicit trust in something or somebody, or imagining trust relationships where there aren't any. Running Open Source Software means everybody has the chance to examine and validate the source they run. By choosing not to do so, or by choosing to defer responsibility to a distribution, you should be aware of the potential risk. Still there are developers, distributors and end-users who shrug off providing or mandating source package verification as unnecessary. (And I'm not talking MD5 or SHA1 hashes but GPG signatures.)

Another example. While this should not draw away attention from other distributions having had similar problems, Debian machines got compromised in 2003 and again in 2006 by attackers exploiting kernel bugs. And sure such remotely exploitable vulnerabilities can only lead to a compromise if an attack surface is or remains available, and sure it's stupid if you don't update to a kernel version the moment it's released if it fixes known vulnerabilities but it's got nothing to do with "traveling around the Internet doing stupid things".

Yet another example: centralized advertising distribution services. A lot of sites use them because it takes away the need for individual sites to spend time on configuring for target audiences, acquisition, billing and other administrative tasks. And while scrutiny at reputable distributors is good most of the time, it has occurred on several occasions that bad ads got through. Sure you can defend yourself against this by disabling unnecessary or unwanted browser features, disabling plug-ins, selective filtering and content scrubbing, but the point here is you don't have to do "stupid" things to be involuntarily exposed to such risks.

While the final problem currently is more the focus of networked hardware like routers, smartphones and tablets running certain other Operating Systems, nefarious activity doesn't limit itself to easily identifiable, cross-platform attempts at malware like Koobface. Certain Operating Systems harvest information and share it with the vendor without the owner being able to limit or combat this (much?). Applications that are not or appear to be vendor-approved hunt for and siphon off credentials, financial information, Intellectual Property or just run new versions of old dialer scams via SMS, etc, etc. (As for the stupidity part: one of the tenets of common sense, and this lesson unfortunately has to be re-learned again and again on-line and off-line, is that if something looks too good to be true then it is too good to be true.)

Sure. The above is a problem with other OSes. And while the Microsoft-induced definition of "malware" may not apply due to OS architecture, what delivery methods like the GNOME "Waterfall" screensaver of 2009 (command execution), Firefox plugins like "Master Filer" (Microsoft only) and various other ones like PDF, Flash, Quicktime have in common (apart from problems due to licensing, laxity wrt distributor responsibilities, scrutiny, hardening and updates, unsafe browsing practices, gullibility) is that when subversion takes place solely in unprivileged user space (maybe just even within a browser, its plugins, JavaScript or Flash ActionScript) this may transcend protection offered by some traditional (or traditionally deployed) defenses. (Similar to the shift from rootkits requiring escalation of privileges to web stack-based malware that happily runs as the user the web server runs as.) UNIX-like separation of privileges (capabilities, accounts) provides enough isolation for an unprivileged user to have a dependent library cause a segfault and still be able to use the Desktop Environment, blow up a web browser or file manager and still be able to use X11 / Xorg, or blow up X without having to reboot the machine. So a mix of measures like staying secure by updating software (does not thwart social engineering or keep plugins from running), running a Live CD (may lack unprivileged accounts, which would mean running software as root), DAC rights (does not protect against browser attacks), using an unprivileged account (protects the system but nothing else), scanning with antivirus (would only work if scanning continuously, with up to date signatures and if it can actively halt activity), scanning with RKH (it's a post-incident tool and not meant for such malware), blocking certain applications from running (so what about the other apps or the ones needing only a browser?) may protect the user from running (into) certain forms of malware, but do traditional defenses and listed measures protect the user well enough? And how would one know? And would that still hold true when confronted with new, less easily identifiable malware?..

k3lt01 07-19-2012 06:37 AM

Quote:

Originally Posted by unSpawn (Post 4732483)
Let's give it a less negative spin and say it's a problem of knowing your enemies?

Ok, let's, and let's consider the OP's initial post while we are at it. He specifically mentions Windows; I am suggesting there is a Windows mindset still happening.

Quote:

Originally Posted by unSpawn (Post 4732483)
That's only partly true.

In the context of the Windows reference it is practically 99.9% accurate. However, people who travel around the internet doing stupid things will get stung no matter what type of OS they are on.

Having said that, vulnerabilities occur with any system; with Linux it is much harder to introduce them if you follow good security practices, as you mentioned. Yes, distros like Debian and some packages have problems, but what OS doesn't have that, and how many (percentage wise) Linux machines are compromised compared to the same percentage of Windows machines? I agree with the crux of what you posted, but taking the OP's last sentence at face value it seems there is a certain level of fear (a nicer word, if you will, than paranoia) that is not really justified considering the infection ratio as a % of OS type.

unSpawn 07-19-2012 02:02 PM

Quote:

Originally Posted by k3lt01 (Post 4732583)
Having said that vulnerabilities occur with any system, with Linux it is much harder to introduce them if you follow good security practices.

Sure but I'm trying to move beyond infection rate, focus on Linux and explore which security practices would actually help combat malware. Maybe I should have posted what I wrote in a separate post. Mostly I've been using your line just as a hook, everything from "Take for instance .." on isn't really a reply.

jefro 07-19-2012 03:35 PM

There is no secure OS. Some of the main threats are the applications on it. I would assume any system to be vulnerable.

The world is full of automated hackers with nothing to do but steal. Their country won't do anything to stop them and may encourage them. They have turned their attention from Windows systems to Unix and Linux. Every day we read about sites that have been hacked. They were both Linux and Windows sites.

Any OS that has best practices applied to it would be less vulnerable. That doesn't make it secure.

ReaperX7 07-19-2012 10:36 PM

Hardened Gentoo and OpenBSD may be some very secure operating systems but they are FAR from being 100% invulnerable to attacks and malicious software.

Security isn't something you have out of the box, it's something you have to administrate and manage continuously through tests and checks to ensure everything is safe for the time being.

edbarx 07-20-2012 06:10 AM

So, the obvious question to ask, would be: What should I do to prevent java-related attacks?

To elaborate a little on possible answers, a respondent may say that I should not enable Java on my system, or worse, that I should turn off my computer, or that I should not use the internet. However, these are not solutions, because the internet has become an indispensable resource without which one will be at a great disadvantage. Moreover, many businesses assume that one has access to the internet. Therefore, refraining from using the internet is not an answer.

craigevil 07-20-2012 06:12 AM

Quote:

Originally Posted by edbarx (Post 4731271)
Reading a current thread from forums.debian.net about multiplatform viruses and malware, I am becoming preoccupied that my Debian system is vulnerable. The problem is accentuated even further because I use Gnu/Linux exclusively for all my computing needs. In other words I access my bank accounts online, I pay my bills online, etc.

The State of My System:
a) I make regular updates to keep up with any security updates
b) I have arno-iptables firewall enabled
c) I have all ports closed
d) I use privoxy to filter unwanted web-content (i.e. ads, etc.)
e) I use Adblock Plus
f) I use iceweasel aka Firefox.

Is my system protected against multiplatform scumware? The shivers I used to have when I still used MS Windows are starting to haunt me again.

I would add NoScript and HTTPS Everywhere and call it good, keep in mind Quantum on forums.debian.net is known for being almost as paranoid as Alhaz(sp?) was.

I use ufw with the default 'deny' profile.
# ufw status verbose
Status: active
Logging: off
Default: deny (incoming), allow (outgoing)

Code:

My Firefox Information

Last updated: Wed, 18 Jul 2012 00:22:08 GMT
User Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1

Extensions (enabled: 28, disabled: 1; total: 29)
Themes (3)
  • Default
  • Firefox B [selected]
  • Oxygen KDE [selected]

Plugins
  • DivX Browser Plug-In
  • Java(TM) Plug-in 1.7.0_05
  • KParts Plugin
  • mplayerplug-in is now gecko-mediaplayer 1.0.6
  • QuickTime Plug-in 7.6.9
  • RealPlayer 9
  • Shockwave Flash
  • Windows Media Player Plug-in

I use 3 lists with Adblock Plus; Easy, Easy Privacy, Antisocial.

On Chrome I have AdblockPlus, Flashblock, and HTTPS Everywhere, with the same adblocking lists.

Most so called 'malware' on Linux needs to be either installed or, like the Java exploit in the thread at fdn, needs user approval to run. You really can't stop the average user from doing stupid things. All I can say is that in the eight years I have run Debian not once have apps like rkhunter, chkrootkit, lynis, tiger, tripwire, clamav, debsums ever found anything that didn't turn out to be a false positive.

The answer to the question is: It is as protected as you make it.

edbarx 07-20-2012 06:50 AM

Is it possible to find some software which monitors remote connection attempts and unauthorised local programs sending information to a remote location?

I have all ports closed.

edbarx 07-20-2012 07:29 AM

I tried ufw and arno-iptables-firewall but both of them are failing to block pings from the outside. I would like to have my machine refusing to reply to pings. I used dpkg-reconfigure for both ufw and arno-iptables-firewall.
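An added example, not from the thread, for the ping question above. Two places decide whether a Debian host answers pings: the kernel sysctl net.ipv4.icmp_echo_ignore_all and the firewall; ufw's shipped /etc/ufw/before.rules accepts ICMP echo-request, so a "default deny" policy alone still answers pings. The functions read a sysctl file and a before.rules file (constructed copies can be passed in), and the last one applies the kernel setting, which needs root.

```bash
#!/bin/bash
# Added example, not from the thread. ufw's shipped /etc/ufw/before.rules
# contains the line
#   -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# so "default deny" still answers echo requests until that line is changed
# (to -j DROP, followed by "ufw reload") or the kernel is told to ignore them.

# Return 0 if the kernel ignores echo requests, 1 if it answers them,
# 2 if the setting cannot be read. $1 is the sysctl file; it defaults to the
# live /proc entry, and a constructed file can be passed in for testing.
icmp_echo_ignored() {
    local f=${1:-/proc/sys/net/ipv4/icmp_echo_ignore_all}
    [ -r "$f" ] || return 2
    [ "$(tr -d '[:space:]' < "$f")" = 1 ]
}

# Return 0 if a ufw before.rules file ($1) still ACCEPTs echo-request,
# 1 if it does not (the line was changed to DROP or removed).
ufw_rules_accept_ping() {
    grep -qsE -- '^-A ufw-before-input .*--icmp-type echo-request .*-j ACCEPT' "$1"
}

# Apply the kernel-level setting (needs root). To persist it across reboots
# put "net.ipv4.icmp_echo_ignore_all = 1" in a file under /etc/sysctl.d/.
ignore_icmp_echo() {
    sysctl -w net.ipv4.icmp_echo_ignore_all=1
}
```

Run icmp_echo_ignored with no argument on the live host to see which state it is in before touching the firewall.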

craigevil 07-20-2012 10:02 AM

I have run the scan at grc.com on my laptop from numerous locations and every time it passes with Stealth. I do not mess with manually closing or opening ports, I just use the Default Deny setting on ufw.

k3lt01 07-20-2012 06:36 PM

Quote:

Originally Posted by craigevil (Post 4733761)
I have run the scan at grc.com on my laptop from numerous locations and every time it passes with Stealth. I do not mess with manually closing or opening ports, I just use the Default Deny setting on ufw.

I never get stealth on Linux and I used to get it all the time on Windows. It doesn't bother me anyway, if my ports are closed I'm not worried.

edbarx 07-21-2012 12:08 AM

I reinstalled arno-iptables-firewall and chose to close all ports.

This thread has drifted from the proper argument of viral and malware infections, although there is an overlap with security.

edbarx 09-04-2012 01:17 AM

Is a running antivirus daemon a must nowadays?

Since multiplatform viruses/scumware are designed to work on any OS, and I use a web browser (iceweasel) every day I turn on my computer, I would like to know whether these days it is a must to run an antivirus daemon like Windows users do.

Systems Used:
Debian (Squeeze)
Debian (Wheezy)

k3lt01 09-04-2012 05:03 AM

Hey Edbarx.

In answer to your question my answer, others may and probably do think differently to me, would be a resounding NO. You are much better off being a wise surfer/user of the net than adding something that most of the time looks for Windows malware. Yes, you can get infected, I don't think anyone who is serious would say it is impossible, but if you follow some simple safe practices then the chance is extremely slim. I think we have been through this before, haven't we? If you are worried then just install ClamAV or something similar, or follow the suggestions in the other thread, and be done with it; the peace of mind you will get just from this simple installation must be worthwhile.

273 09-04-2012 05:24 AM

For what it's worth I tend to run tiger and take a look at the email it sends me to make sure I'm not running any servers I don't know about. I have to admit that that's partly to ensure I've not accidentally installed httpd or something as well as looking for compromises -- in other words it's more for awareness than any sense of worry.
Other than that it's AdBlock, NoScript and all the other safe surfing advice.

pixellany 09-04-2012 05:42 AM

I have run my home systems exclusively on Linux for over 7 years with no anti-bad-stuff SW. Our only issue is that my wife excels at getting herself on junk-mail lists.....;)

edbarx 09-04-2012 06:15 AM

A daemon that scans for suspicious java script would probably offer enough protection.

sundialsvcs 09-04-2012 09:04 AM

Generally speaking, you will be more than adequately protected if you observe three things:

(1) Ensure that you do not run with elevated privileges of any kind.

(2) Keep your system up-to-date, especially with regard to security related updates.

(3) Use and maintain current backups. (Use a tool that takes backups automatically and continuously to an externally-attached disk device.)

Run-of-the-mill Windows installations suffer from malware attacks because, for some inexplicable reason, they are set up to run as password-less Administrator users. Always remember that the computer is merely a machine, and that it knows exactly two things: "Yes (1)" and "No (0)." Despite the clever marketing campaigns run by the snake-oil people, this is not the world of biology, in which any properly-configured strand of RNA could introduce itself into your cells unless it is constantly and vigilantly defended against by your immune system.

craigevil 09-04-2012 11:25 AM

nope.

disable any unneeded services/processes.
keep your system updated
keep your browser updated
use AdblockPlus and NoScript in Firefox/Iceweasel
I would also suggest using QuickJava to be able to enable/disable plugins, so you only enable them when you need them.

At one time I had a ton of security apps installed, but in eight years of running Debian not once have they ever found anything.

These days all I have is tripwire and rkhunter.

The only real reason for an AV is to keep from sending malware to Windows.
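An added example, not from the thread, for the file-integrity tools named in this post and in craigevil's earlier one (debsums, tripwire, rkhunter): a minimal baseline-and-compare check over a directory tree. It shows what such tools can and cannot do, as unSpawn noted: it reports change after the fact and prevents nothing. The directory and baseline paths are whatever the caller passes; GNU coreutils is assumed.

```bash
#!/bin/bash
# Added example, not from the thread: a minimal file-integrity check in the
# spirit of debsums and tripwire. Take a SHA-256 baseline of a tree while it
# is known good, keep the baseline where the host cannot rewrite it
# (read-only media, another machine), and compare later. A root-level
# intruder can also alter a baseline left on the same disk, which is why
# debsums' on-disk md5sums are only a weak signal after a compromise.
# Assumes GNU coreutils (sha256sum, find -print0, sort -z, comm, readlink).

# Write "<sha256>  ./relative/path" lines for every regular file under $1
# into the baseline file $2.
integrity_baseline() {
    local dir=$1 out=$2
    (cd "$dir" && find . -type f -print0 | sort -z | xargs -0 sha256sum) > "$out"
}

# Compare the tree under $1 against baseline $2. Modified and missing files
# are reported by sha256sum -c ("./path: FAILED" / "FAILED open or read");
# files the baseline never saw are reported as "NEW ./path". Returns 0 only
# when nothing changed.
integrity_verify() {
    local dir=$1 base status=0 now new
    base=$(readlink -f -- "$2")   # absolute, because we cd into $dir
    (cd "$dir" && sha256sum --quiet -c "$base") || status=1
    # Anything on disk now that is absent from the baseline, e.g. a dropped
    # binary. Baseline lines are 64 hex chars plus two spaces, so the path
    # starts at column 67.
    now=$(mktemp)
    (cd "$dir" && find . -type f) | sort > "$now"
    new=$(cut -c67- "$base" | sort | comm -13 - "$now")
    rm -f "$now"
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | sed 's/^/NEW /'
        status=1
    fi
    return $status
}
```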

edbarx 09-05-2012 01:52 AM

Quote:

Originally Posted by sundialsvcs (Post 4772368)
Generally speaking, you will be more than adequately protected if you observe three things:

(1) Ensure that you do not run with elevated privileges of any kind.

(2) Keep your system up-to-date, especially with regard to security related updates.

(3) Use and maintain current backups. (Use a tool that takes backups automatically and continuously to an externally-attached disk device.)

Run-of-the-mill Windows installations suffer from malware attacks because, for some inexplicable reason, they are set up to run as password-less Administrator users. Always remember that the computer is merely a machine, and that it knows exactly two things: "Yes (1)" and "No (0)." Despite the clever marketing campaigns run by the snake-oil people, this is not the world of biology, in which any properly-configured strand of RNA could introduce itself into your cells unless it is constantly and vigilantly defended against by your immune system.

Thanks for your replies. Maybe the post below only serves to make Linux users feel uncomfortable with their system.
Quote:

Originally Posted by Cross-platform Password-Stealing Trojan - Debian User Forums
TFA contains no details regarding how the malware spreads, so maybe it's just hype to sell their AV product...

(Or maybe not...)

http://news.drweb.com/show/?i=2679&lng=en&c=14

Thanks

sundialsvcs 09-05-2012 03:08 PM

Well, of course, Microsoft's continued deployment of such an intrinsically-secure system in a completely non-secured manner is, in and of itself, something that is absolutely and completely beyond my comprehension. (Maybe Peter Norton has some really-bad blackmail karma on Gates and/or Ballmer? Oh well, let's not go there ...)

To me, the most serious problem with "anti-virus" is, aside from the mis-placed biologic metaphor, that it wrongly suggests that you can accomplish system security by means of a product purchase ... which is fundamentally a passive act.

Maintaining a system is not a particularly difficult thing to do, as long as you have not been lulled into a position of perceived "security" that is, in fact, deceptive. The inexcusable part of the whole "anti-virus" thing is that it ... for obviously considerable profit ... willfully does precisely that.

It doesn't really matter what operating-system we are talking about: "the beast is the beast is the beast."

edbarx 09-06-2012 01:31 AM

As I see it, the major security threat I have to face everyday I use my computer is the Web-Browser. The latter is, as far as I can understand and imagine, an extremely complex piece of software made of several parts that work together to give a dynamic and interactive web experience. Interactivity and dynamic web-content require one to use custom code, always as far as I can reason and imagine. Custom code, as its name clearly indicates can be maliciously used as a vehicle of attack on any operating system once it is executed on the host machine. The latter, obviously, does not depend on the type of operating system one uses.

The above is why I am preoccupied and there seems to be a very logical reason for my worries. The thread on forums.debian.net I referred to earlier in this thread, says that any executables produced by malicious code, can be made to run from the /home/user directory, which as far as I can remember, allows the execution of executable code. Using /tmp for the temporary storage of executables also suffers from the same vulnerability.
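An added example, not from the thread, for the point above about executables running from /home and /tmp: the usual mitigation is to mount those filesystems with noexec (plus nosuid and nodev), and the functions below check a /proc/mounts-format file for that. The mounts file, mount point and option names are parameters; the caveat in the comments (interpreters still run scripts) is a known limitation of noexec.

```bash
#!/bin/bash
# Added example, not from the thread: check whether /tmp and /home carry the
# noexec, nosuid and nodev mount options. Caveat: noexec only blocks direct
# execution of a dropped binary; "sh ./x" or "python ./x" still runs, so it
# narrows the avenue rather than closing it. A matching /etc/fstab line is
#   tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev,size=512m 0 0
# and /home needs its own filesystem (or a bind mount) before options apply.

# $1: file in /proc/mounts format (a constructed one can be passed for tests),
# $2: mount point, $3: option. Returns 0 if the mount point carries the
# option, 1 if it is mounted without it, 2 if it is not a mount point at all.
# When a point is listed more than once the last entry wins, as in the kernel.
mount_has_option() {
    local mounts=$1 mp=$2 opt=$3 rc=2 dev point fstype opts rest
    while read -r dev point fstype opts rest; do
        [ "$point" = "$mp" ] || continue
        case ",$opts," in
            *",$opt,"*) rc=0 ;;
            *)          rc=1 ;;
        esac
    done < "$mounts"
    return $rc
}

# Report which hardening options are missing from mount point $2 according
# to mounts file $1. Prints lines like "/home: missing noexec nosuid nodev";
# returns 0 when nothing is missing, 1 when something is, 2 when $2 is not
# a separate mount point.
report_missing_options() {
    local mounts=$1 mp=$2 opt rc missing=""
    for opt in noexec nosuid nodev; do
        rc=0
        mount_has_option "$mounts" "$mp" "$opt" || rc=$?
        case $rc in
            1) missing="$missing $opt" ;;
            2) echo "$mp: not a separate mount point"; return 2 ;;
        esac
    done
    [ -n "$missing" ] || return 0
    echo "$mp: missing$missing"
    return 1
}
```

On a live host, call report_missing_options /proc/mounts /tmp and the same for /home.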

edbarx 09-06-2012 01:37 AM

Ooops, duplicate post. Removed.

k3lt01 09-06-2012 02:52 AM

Quote:

Originally Posted by edbarx (Post 4773830)
As I see it, the major security threat I have to face everyday I use my computer is the Web-Browser. The latter is, as far as I can understand and imagine, an extremely complex piece of software made of several parts that work together to give a dynamic and interactive web experience. Interactivity and dynamic web-content require one to use custom code, always as far as I can reason and imagine. Custom code, as its name clearly indicates can be maliciously used as a vehicle of attack on any operating system once it is executed on the host machine. The latter, obviously, does not depend on the type of operating system one uses.

As I see it the issue is the browsing practices of the user. If you are connected to the net you are at risk, it is as simple as that; if you visit suspicious sites you are more likely to get malicious code infecting your system. So it boils down to you, the user, and what you do with your machine. Yes, there is cross platform malware; if it really is of concern to you then you, the user, need to either change your browsing practices, install something that will actually check for the malware you are concerned about, or forget about it.

Quote:

Originally Posted by edbarx (Post 4773830)
The above is why I am preoccupied and there seems to be a very logical reason for my worries. The thread on forums.debian.net I referred to earlier in this thread, says that any executables produced by malicious code, can be made to run from the /home/user directory, which as far as I can remember, allows the execution of executable code. Using /tmp for the temporary storage of executables also suffers from the same vulnerability.

The logic you are using to base your worries on is developed, and you hint at this in a previous thread, from using Windows and dealing with infections in it. Linux is very different and you cannot think of Linux in the same way you think of Windows. Keep your system up to date, including using the latest browser you can or at least Debian's excellent security patches on older versions, adhere to safe browsing practices, don't download code from sources you do not trust etc etc etc. Where did you mention forums.debian.net in this thread? It is probably best if you keep the one issue to one thread instead of having 2 threads dealing with the same issue.

edbarx 09-06-2012 03:48 AM

I am basing my arguments on the way a GNU/Linux operating system works, at least, because Windows is not known to have /home/user or /tmp. Moreover, I have been practically a full time GNU/Linux user since the Summer 2007 and before.

Before that I tried knoppix 3.7 and then being very interested in it, I installed it permanently on my machine. Being unable to handle knoppix as I wished, I dumped Linux altogether for a whole year. In the meantime, I did a lot of reading about Unix and Linux, especially the CLI. The fact that after installing knoppix 3.7 permanently on my machine the desktop didn't work and the CLI could work, made me realise that desktops and window managers were just a superstructure on the base system. I also appreciated and understood that Linux was modular and yearned to learn how the various parts worked together. In particular, I wanted to know how Linux booted, what the kernel did during its initialisation phase, why there was an initrd, what was the role of init and how to read and understand the manpages.

In short, I was eager to understand the system to empower myself with the ability of modifying it as I wished.

cynwulf 09-06-2012 05:34 AM

As I understand it, anti-virus software for GNU/Linux is mainly aimed at scanning for windows viruses - presumably on servers which may be hosting files/mail/whatever for windows clients...?

For a desktop user is it worth it? I would say not, but I suppose it depends on you and what you do with your system.

k3lt01 09-06-2012 06:41 AM

Quote:

Originally Posted by edbarx (Post 4773923)
I am basing my arguments on the way a GNU/Linux operating system works, at least, because Windows is not known to have /home/user or /tmp. Moreover, I have been practically a full time GNU/Linux user since the Summer 2007 and before.

You posted this from a Windows 7 machine, furthermore every one of your posts in this thread is done on a Windows 7 machine. Windows actually has a user files and settings folder in which things like MyDocuments (now Documents library) etc are located. I used to always make that my D:\ drive.

Quote:

Originally Posted by edbarx (Post 4773923)
In short, I was eager to understand the system to empower myself with the ability of modifying it as I wished.

Modifying? Or adding things that you don't really need? Modifying is fine and in Linux is encouraged; adding a myriad of things that you don't really need (virus scanners etc) just adds more processes and takes up more disc space and RAM. By all means empower yourself and try things out, but understand what you are doing and see the results for yourself.

sundialsvcs 09-06-2012 09:05 AM

Quote:

Originally Posted by caravel (Post 4774005)
As I understand it, anti-virus software for GNU/Linux is mainly aimed at scanning for windows viruses - presumably on servers which may be hosting files/mail/whatever for windows clients...?

And this, too, is a Faustian quest. You can't recognize every rogue that's trying to get in through the front gate, and you can't keep the rogue from climbing over the wall. But the Windows machine can be "hardened" so as to refuse the rogue's instructions.

In fact, this is particularly the case with Windows, which almost-constantly refers to "policies" and which in general provides a policy for just about everything ... even though almost none of this is documented for anyone except MSDN folks, and even though the policy-editor tool is omitted (or provided without its online documentation!) on some designed-to-be-vulnerable editions.

unSpawn 09-06-2012 10:03 AM

@OP: this thread is temporarily closed while it's being moved to the Linux - Laptop and Netbook forum for merge with your previous same topic thread. While you are free to create new threads it is more efficient to keep posts on the same topic together. I also would like to add, since you claimed to be not a new Linux user, that actually reading the links you've been given previously could help gain a better understanding of the security aspects of using Linux software.

Also be aware that personal observations are only meaningful in the context of that respective user's system(s). They are no measure for the amount of (ab)use inflicted slash seen on the 'net and people should not mistake personal observations for security best practices to follow.

(This post was sponsored by the numbers 3, 24, 19, 7, 31, 14 and 87. The numbers 42, 4 and 18 were found behind the shed trying to smoke something while the numbers 8, 9, 10 and 11 tried to point at something else.)

TobiSGD 09-06-2012 11:16 AM

Merged and reopened.

edbarx 09-06-2012 11:57 AM

Quote:

You posted this from a Windows 7 machine, furthermore every one of your posts in this thread is done on a Windows 7 machine. Windows actually has a user files and settings folder in which things like MyDocuments (now Documents library) etc are located. I used to always make that my D:\ drive.
I was posting from a public library where I have no authority to decide which operating system they use. At home, it is a totally different story because I have the freedom to decide which operating system to use.

If I am constrained, I modify the system as I did with grub-pc, the bootloader.
http://forums.debian.net/viewtopic.p...rub+pc#p352368

Having wicd and network manager randomly but frequently dropping my wifi connection, I did away with both of them and used a manual method to connect.
http://forums.debian.net/viewtopic.p...t=wifi#p445518

I found the approach from Debian wifi wiki and enriched the procedure after reading the manpage for ifup to enable myself to use more than one wifi point by using several interfaces files. I also created a script to bypass the backlight bug and another script to start my wifi without root privileges. I saved this script in /sbin and used the same file permissions and ownership as the executables found in it. I used /sbin because I wanted more stringent file permissions than /home. Moreover, I modified the sudoers file to enable an unprivileged user to run the script but without the vulnerability of having a readable and/or editable custom script.

More howtos:
http://forums.debian.net/viewtopic.p...438862#p438862
http://forums.debian.net/viewtopic.p...424203#p424203
http://forums.debian.net/viewtopic.p...232803#p232803
http://forums.debian.net/viewtopic.p...207499#p207499
http://forums.debian.net/viewtopic.p...247639#p247639

This post was posted from within Debian Squeeze with iceweasel.

k3lt01 09-06-2012 01:24 PM

edbarx, forgive me please, you say one thing and then seem to do something completely different.
Quote:

Originally Posted by edbarx (Post 4774303)
Moreover, I modified the sudoers file to enable an unprivileged user to run the script but without the vulnerability of having a readable and/or editable custom script.

Why did you edit a sudoers file in Debian? Either use the root terminal (not always advisable) or use the regular terminal and type in su.

Please read about su, sudo, and Debian to find out why Debian has not gone the Ubuntu way and used sudo as the default method to elevate user privileges.

TobiSGD 09-06-2012 01:36 PM

There is a difference in using sudo the "Ubuntu way" or using it the way it was intended: giving single users well defined access to run scripts as a different user. sudo used in that way is not a security risk (if you do it right), in opposition to the "Ubuntu way".

273 09-06-2012 01:41 PM

I feel I ought to point out that there is at least one Debian installer which gives the option of not allowing root login in the "Ubuntu way". It's not set by default but it is there and I don't recall any frightening warnings.

edbarx 09-07-2012 06:27 AM

Quote:

Originally Posted by k3lt01 (Post 4774357)
edbarx, forgive me please, you say one thing and then seem to do something completely different.
Why did you edit a sudoers file in Debian? Either use the root terminal (not always advisable) or use the regular terminal and type in su.

Please read about su, sudo, and Debian to find out why Debian has not gone the Ubuntu way and used sudo as the default method to elevate user privileges.

As hinted by TobiSGD, I edited the sudoers file to allow ONLY the custom script to be run by a non-privileged user. I also saved the custom script in /sbin and changed its permissions and ownership to match those of the executables found there. This is to make sure that only root can run the script by invoking its name without sudo. The script does not take parameters and if any are passed, they are ignored. Besides that, the script is owned by root and can only be viewed and edited by root.

As Debian recommends, I use su and I don't do root logins. I use vim whenever modifying a configuration file requires me to take root privileges.

Finally, I installed no-script to aid my security on the web. Before that I only had ad-block plus, privoxy and arno-iptables-firewall.
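The per-script sudo setup TobiSGD calls the intended use of sudo, and that edbarx describes above, as an added example that is not from either poster: one user, one root-owned script, no arguments allowed. The user name "alice", the script name "wifi-up" and its body are assumptions; PREFIX lets it be staged unprivileged in a scratch tree (use PREFIX=/ as root for a real install).

```shell
#!/bin/sh
# Added example: stage a root-only script under $PREFIX/sbin plus a sudoers
# drop-in that lets ONE user run ONLY that script, with no arguments.
# Names (alice, wifi-up) and the script body are assumptions.

stage_sudo_script() {
    prefix="${1%/}"      # "" when installing for real under /
    user="$2"
    name="$3"
    bindir="$prefix/sbin"
    sudoersd="$prefix/etc/sudoers.d"
    mkdir -p "$bindir" "$sudoersd"

    # Hypothetical helper: `set --` discards any caller-supplied arguments,
    # so nothing an unprivileged user passes reaches the privileged command.
    cat > "$bindir/$name" <<'EOF'
#!/bin/sh
set --
exec ifup wlan0
EOF
    # root:root 0700: only root can read, edit or run it directly; when run
    # through sudo it executes as root, so the tighter mode still works.
    chmod 0700 "$bindir/$name"
    [ "$(id -u)" -eq 0 ] && chown root:root "$bindir/$name"

    # Least-privilege rule: one user, one command, and the trailing "" means
    # the command may only be invoked with no arguments. Contrast with the
    # blanket "%sudo ALL=(ALL:ALL) ALL" rule of the "Ubuntu way".
    printf '%s ALL=(root) NOPASSWD: %s ""\n' "$user" "$bindir/$name" \
        > "$sudoersd/$name"
    # sudo refuses drop-ins that are not mode 0440 and owned by root.
    chmod 0440 "$sudoersd/$name"
    [ "$(id -u)" -eq 0 ] && chown root:root "$sudoersd/$name"

    # After a real install, syntax-check before relying on it:
    #   visudo -cf /etc/sudoers.d/wifi-up
    printf '%s\n' "$sudoersd/$name"
}
```

The function returns the path of the generated sudoers fragment; run it with `stage_sudo_script / alice wifi-up` as root for a live system.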

