Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have been a Microsoft user since before Windows 95. I had a virus in Windows and had trouble removing it a while ago.
I have Slackware 12 and wanted to install checkinstall. I went to the website and found that there are problems with using checkinstall in Slackware 12. An older version had reportedly worked better. I googled checkinstall 1.5.3 and found an FTP site with that version. I downloaded, untarred, and installed. Nothing happened. It was not working. I could not locate any of the installed files. It made me quite concerned. I deleted the tgz file and actually found the older version on the checkinstall website. Installed it and it worked.
I started to wonder if I had a virus from the first installation of the so-called checkinstall.
What is it about Linux that makes it relatively impervious to viruses or malware?
So clamav works? There is a free windoze version but I don't care for it. It is included in the Ultimate Boot CD 4 Win (UBCD4win). Besides clamav, Benjamin Burrows has done great work, by the way! http://www.ubcd4win.com/
I still have not found out why Linux is less susceptible than Windows. Is it because Linux has a much smaller market?
On the other hand, Linux seems to be a crackers' haven.
So why is there less focus on AV for Linux?
As a newbie I would like to know what makes Linux more secure.
The question "Why is Linux more secure than Windows?" is asked here on LQ on a regular basis.
If you use the "Search" button atop the page, and enter a query like "Linux virus" or "Linux Windows virus" or something like this, you should find LOADS of threads about this very question.
After perusing several of these threads, you should have a pretty good idea about the security differences inherent in the 'average' installations of Linux vs. Windows.
Through its history, Windows has for the most part installed itself and been operated in 'Admin' mode, so to speak, like running as root on Linux. Linux, on the contrary, is generally run (by anyone who follows basic recommendations) as a USER most of the time, and not as root. This scenario, over time, has contributed to the ridiculous number of ways and means for malicious code to be used against the average Windows installation, while trying to do the same thing to a properly run Linux installation results in little or no damage, because the core of the system is for the most part 'off-limits' to any malicious code that it might encounter.
With Linux, the practice of downloading your software from trusted sources, and using such tools as GPG signature verification and checksum verification, makes for a FAR SAFER software procurement scenario on Linux.
Generally speaking, for malicious code to have the ability to ruin a Linux system, it must pretty much be knowingly (or unknowingly) installed onto the system by some means with root privileges. This isn't necessarily an easy feat on a well admin'd Linux machine, while on 98% of Windows machines, the system is ready and willing to execute pretty much anything that comes in contact with it.
The layered security model of Linux is much different than in Windows, where the core of a Windows machine (besides the kernel) is "Internet Explorer". This piece of crap is woven into the very fabric of everything that comprises a Windows system. When you consider this, you can imagine how easy it is for a malicious piece of code to enter a Windows machine through IE, and rapidly compromise every other area of the operating system freely, until the machine is rendered useless (as though it weren't useless to begin with)
Anyhow, do some searching on LQ, and you will find scores of info on the same subject. People will probably add to what I've said, or make other comparisons, but whatever gets said in THIS thread, has already been posted in dozens more.
Even though Linux has a different layout to the Windows operating system, that's not the main reason there aren't many viruses for Linux. If a hacker wanted to make deadly viruses for Linux they would soon get around the whole non-root privileges and different layout. Also, one of the major reasons there are fewer viruses for Linux than there are for Windows is due to the fact that Linux isn't run by an evil money-making organisation like Microsoft; this factor makes MS a target.
I've created this megathread as an attempt to stabilize the ever-increasing amount of "Do I need an antivirus/antispyware program on GNU/Linux?" type threads which keep popping up over and over again. It seems to be an extremely common question posed by people coming over from the Windows world. Most of the discussions in those threads follow quite similar, repetitive patterns. This makes it a topic well-suited for a megathread IMHO. One thing you need to understand if you are the one asking these type of questions is this: There is no consensus answer. What we do have is a lot of varied opinions and passionate discussion regarding the matter, and this megathread will serve as the place for that.
I do agree with the evil corporation angle on the thing, that's a good point
However, as for circumventing root privileges, well, the virus then would again only be able to target whose-ever privileges it had assumed.
E.g. if a 'virus' does not have "root:root" privileges then there is simply no way (that I'm aware of) for it to totally bork a system to the point of total destruction.
E.g.2 - If the 'virus' let's say has elevated itself to "user:group" whatever, then it may only bork stuff associated with these user & group privileges. This is akin to targeting a single user account on a system. On my home machine, if I were to acquire a virus that ran with my USER account's full privileges, I would be looking at risking my user account, my home folder, my desktop, etc. But the virus would not be able to render my whole SYSTEM inoperable, because my USER account does not have enough privileges.
When files & folders are of the "root:root" level, and the permissions of these items are rwxr-xr-x or less, and there is NO OTHER USER on the machine who has the group :root, then it's simply not possible to corrupt the running system, unless there's an overlooked hole in the security model or an unchecked SUID binary to take advantage of.
I'm definitely no expert on this, but this is the best I know about how this concept works. Feel free to correct or add to (or point out glaring oversights on my part) what I've said.
_sasha
Last edited by GrapefruiTgirl; 10-06-2007 at 08:23 AM.
Reason: Win32sux - EXCELLENT IDEA! A MegaThread for this has been a long time coming. Can you merge the rest of the threads??
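The permissions argument in the post above (root-owned rwxr-xr-x files, with an overlooked hole or an unchecked SUID binary as the exceptions) can be turned into a routine check. The script below is an added example for this thread, not code by any poster: it lists world-writable regular files and setuid/setgid executables under a directory you name. The demo directory, its file names and their modes at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a directory tree for the two
# conditions the post names as the ways a non-root process could still damage
# a system: files that any user may write to, and set-user-ID / set-group-ID
# executables. The directory to inspect is a parameter; on a real machine run
# it as root against / (assumption: root is needed to read every directory).

# List regular files under $1 whose mode grants write access to "other".
# Permission-denied errors must not abort the audit, hence "|| true".
world_writable() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null || true
}

# List regular files under $1 that carry the setuid or setgid bit.
suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null || true
}

# Count the lines of a (possibly empty) string. "grep -c ." exits 1 when the
# count is 0, so "|| true" keeps the function usable under "set -e".
count_lines() {
    printf '%s\n' "$1" | grep -c . || true
}

# Print the findings with a prefix that is easy to grep in logs, then a
# summary line. Returns 1 if anything was found, 0 if the tree is clean,
# so the function can serve as a cron or CI check.
audit_tree() {
    dir="${1:-/}"
    ww=$(world_writable "$dir")
    su=$(suid_sgid "$dir")
    ww_n=$(count_lines "$ww")
    su_n=$(count_lines "$su")
    [ -n "$ww" ] && printf '%s\n' "$ww" | sed 's/^/WORLD-WRITABLE: /'
    [ -n "$su" ] && printf '%s\n' "$su" | sed 's/^/SETUID-SETGID: /'
    echo "audit of $dir: $ww_n world-writable file(s), $su_n setuid/setgid file(s)"
    [ "$ww_n" -eq 0 ] && [ "$su_n" -eq 0 ]
}

# Stand-alone demo on a constructed directory; no real system files are touched.
demo_dir=$(mktemp -d)
printf 'data\n' > "$demo_dir/config.txt";  chmod 644  "$demo_dir/config.txt"   # fine
printf 'data\n' > "$demo_dir/shared.log";  chmod 666  "$demo_dir/shared.log"   # world-writable
printf '#!/bin/sh\n' > "$demo_dir/helper"; chmod 4755 "$demo_dir/helper"       # setuid
audit_tree "$demo_dir" || echo "findings present (expected in this demo)"
rm -rf "$demo_dir"
```

Run it as root against / to cover the whole system. A setuid file beyond the handful a distribution ships, or a world-writable file under /etc, /usr or /lib, is exactly the overlooked hole or unchecked SUID binary the post refers to; compare the list against what the package manager says it installed rather than judging by file name.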
preamble:
I've been using Slackware Linux as my primary operating system since March of 2007. Right now I'm using Slackware 12 (of course I've added several packages not included in the distribution - MPlayer, for example. Most of them I've compiled myself.) Since the first time I tried to use Linux I have believed that this OS doesn't need anti-virus software, because:
1) every distribution is different.
2) every installation can be different even on same distribution.
3) A well-behaved Linux user has a good habit of working as a non-root user, and most of the programs he uses won't be writable during the working session - there is no way to infect an executable unless the virus uses some kind of rootkit.
4) Also, there is no easy way for a virus to get into the system - unless the user downloads binaries from untrusted sources.
situation:
Right now there are folks on some of my local forums that claim "Linux became popular, there are new viruses appearing for Linux, so now you need anti-virus software for Linux!". To me it looks like an attempt to trick me into buying useless software, a marketing move by AV software developers, etc. And, by the way, the fact that my information about Linux doesn't match what they say really puzzles me. I didn't find any English mentions of huge Linux virus epidemics, for example.
So, the question:
Do I really need an antivirus for my Linux system or not? (taking into account that I'm behind a proxy, an ISP-provided packet filter, an ADSL router and a simple iptables-based packet filter, and rarely download binaries) And whom should I trust? My knowledge, or their information? (those guys don't seem to be professionals, anyway...)
You're probably fine, but of course, some may argue with that. I've been using various Linux versions for almost 10 years and never had a problem. Not many could say that running Windows with no AV protection.
1 - No, you probably don't need one.
2 - Use and administer your system properly. Don't run as root on a usual basis; use a user account.
3 - If they're trying to sell you AV software for Linux, don't buy it.
4 - do some reading about "chkrootkit" and "rkhunter" and install a half decent firewall.
4.5 - download trusted sourcecode with md5 checksums and/or GPG signatures, and USE them.
5 - Please contribute to the MEGATHREAD which you found and help us make it HUMONGOUS so people can't possibly miss it in the future
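Step 4.5 above, like the earlier post about GPG signature and checksum verification, names the procedure without showing it. The block below is an added example, not code from the thread or from any project mentioned in it, of those checks as typed into a shell. The archive name checkinstall-1.5.3.tgz and its contents are constructed for the demo; a real project publishes its own digest file and signing key, and the signature check assumes that key is already in your keyring.

```shell
#!/bin/sh
# Added example, not code from the thread: verify a downloaded archive against
# the checksum and the detached GPG signature a project publishes beside it.
# File names are placeholders constructed for the demo.

# Return 0 if FILE's SHA-256 digest equals EXPECTED (lower-case hex), else 1.
verify_sha256() {
    file="$1"; expected="$2"
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# The same check with MD5, because many 2007-era download pages offered only
# MD5. MD5 collisions are practical, so treat an MD5 match as a transfer
# check rather than proof of authenticity; prefer SHA-256 plus a signature.
verify_md5() {
    file="$1"; expected="$2"
    actual=$(md5sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Verify a detached signature SIG over FILE. This assumes the project's public
# key was imported and its fingerprint checked out of band; "gpg --verify"
# alone only shows that the file matches *some* key in your keyring.
verify_gpg() {
    sig="$1"; file="$2"
    gpg --batch --verify "$sig" "$file" 2>&1
}

# Stand-alone demo with a constructed "download": the .sha256 file stands in
# for what a project publishes next to its tarball.
work=$(mktemp -d)
printf 'hello\n' > "$work/checkinstall-1.5.3.tgz"            # constructed content
sha256sum "$work/checkinstall-1.5.3.tgz" | sed "s#$work/##" \
    > "$work/checkinstall-1.5.3.tgz.sha256"

# The usual one-liner: sha256sum reads "<digest>  <name>" and reports OK/FAILED.
(cd "$work" && sha256sum -c checkinstall-1.5.3.tgz.sha256)

# A modified copy must be rejected, even though the name looks right.
printf 'hello!\n' > "$work/tampered.tgz"
published=$(awk '{print $1}' "$work/checkinstall-1.5.3.tgz.sha256")
if verify_sha256 "$work/tampered.tgz" "$published"; then
    echo "unexpected match"
else
    echo "tampered.tgz: checksum mismatch, refuse to install"
fi
rm -rf "$work"
```

A checksum fetched from the same server as the tarball only tells you the download arrived intact; if the server was tampered with, both files were. The signature is what ties the archive to the project's key, which is why the post says to use both.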
Thanks a lot for the answers.
I've just finished reading the MEGATHREAD (http://www.linuxquestions.org/questions/linux-security-4/gnulinux-antivirus-megathread-589866/); most of the answers were found in links posted in there. Problem solved, now I'm really sure that I don't need AV software on Linux, if I follow the safety procedures listed by GrapefruiTgirl (and, thanks to the links, I now have good arguments to prove that). I'll try to add some thoughts/clarification in the Megathread.
Quote:
Originally Posted by GrapefruiTgirl
4 - do some reading about "chkrootkit" and "rkhunter" and install a half decent firewall.
5 - Please contribute to the MEGATHREAD which you found and help us make it HUMONGOUS so people can't possibly miss it in the future
Thanks a lot for the useful information (I initially posted the same question here; all problems were solved using links posted in this thread). There are several thoughts (to summarize everything):
What about making this thread sticky? (that's the only reason why I haven't noticed it)
The most useful link for me was this link to the Linux Mafia article. The article was updated recently (other links were dated 2003-2004), and it is certainly worth reading from the beginning, because it explains why Linux viruses have never spread, and also gives a lot of info about "secure" behaviour of the user on the system.
Reading all the information above, I think that AV software isn't needed on Linux, if the user doesn't use untrusted software, doesn't use the root account for ordinary tasks, and updates the system with security fixes. I think that the same scheme can be useful on other operating systems as well. Of course, AV software can be useful if WINE is used on the system, and to check Windows-related files (on another machine, for example).
Concerning the discussions about injecting "rm -rf /" into source code (several pages before): this is not a virus. A "virus" is a computer program (or script) that modifies other programs to make them produce the virus or infect other programs. So, "rm -rf /" isn't a "virus", but a script that will infect other programs is a virus (i.e. if the script modifies a program to make it infect other programs and execute rm -rf /, it is a virus, otherwise it is something else).
This kind of virus is easy to create, but it won't do anything on Linux unless started under root privileges - because all system-wide binaries are write-protected for ordinary users - or unless some system-wide files are world-writable (which certainly means that the system administrator should be replaced). With those restrictions the virus must have a built-in rootkit, or exploit a known vulnerability. The article on Linux Mafia mentions several attempts to create a virus that uses a vulnerability, and all those attempts have failed, because the security hole was fixed before the day the virus was released. Of course, there are some programs that (for some reason) still don't support multi-user installation - they can become infected.
So, the only entrance left for viruses and malware is the user (social engineering, etc).
It looks like in some cases mounting /home as noexec is a good practice, but it isn't possible to do in all cases (for example, I'm developing software on my PC, and I have to run several scripts from within my home directory).
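On the noexec point in the last post: whether a directory actually sits on a noexec filesystem is something you can check rather than assume. The functions below are an added example, not code from the thread. They read the kernel's mount table (the constructed table in the demo stands in for /proc/mounts) and find the mount that holds a given path, taking care that /home does not claim /homework. One caveat a practitioner should know: noexec stops the kernel from executing a file directly, but a script handed to its interpreter by name (sh script.sh) is merely read by the interpreter, so the option raises the bar rather than closing the door.

```shell
#!/bin/sh
# Added example, not code from the thread: report whether the filesystem that
# holds a path is mounted with a given option (noexec here), by reading the
# mount table. The table file is a parameter so the functions can be run on a
# constructed table; on a live system the default /proc/mounts is used.
# Note: /proc/mounts writes a space in a mount point as \040; not decoded here.

# Print "<mountpoint> <options>" for the longest mount point that is a prefix
# of PATH ($1), reading the table from $2 (default /proc/mounts).
# /proc/mounts fields: device, mountpoint, fstype, options, dump, pass.
mount_point_for() {
    awk -v p="$1" '
        {
            mp = $2
            pre = (mp == "/") ? "/" : (mp "/")
            # a mount owns p if p is the mount point itself or lies below it;
            # the trailing slash is what keeps /home from claiming /homework
            if (p == mp || index(p, pre) == 1) {
                if (length(mp) > length(best)) { best = mp; opts = $4 }
            }
        }
        END { if (best != "") print best " " opts }
    ' "${2:-/proc/mounts}"
}

# Return 0 if the filesystem holding PATH ($1) has mount option $2, 1 if not,
# and 2 if no mount in the table covers the path (empty or malformed table).
has_mount_option() {
    line=$(mount_point_for "$1" "${3:-/proc/mounts}")
    [ -n "$line" ] || return 2
    opts=${line#* }
    case ",$opts," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Stand-alone demo on a constructed mount table.
tbl=$(mktemp)
cat > "$tbl" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
EOF
for path in /home/alice/build/run.sh /homework/notes /usr/local/bin/tool; do
    mp=$(mount_point_for "$path" "$tbl" | cut -d' ' -f1)
    if has_mount_option "$path" noexec "$tbl"; then
        echo "$path: on noexec filesystem $mp, direct execution is refused"
    else
        echo "$path: on $mp, executable files here can be run directly"
    fi
done
rm -f "$tbl"
```

Drop the third argument to query the running system; a developer who needs to run scripts from a home directory, as in the post, can keep /home noexec and give build trees their own mount, or just accept that noexec is one layer among several rather than the decisive one.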