LinuxQuestions.org, Linux - Security forum
#1  11-26-2009, 03:46 PM  landysaccount (Debian Squeeze)
Help with antivirus for Linux


Hello.

Looks like my LAN users are having a lot of problems getting infected with trojans and other viruses spread inside the LAN.

I would like to know if there's an antivirus for Linux routers/gateways that would scan all packets passing through from the internet to the LAN?

Thanks in advance for your help.
 
#2  11-26-2009, 04:00 PM  win32sux (Ubuntu)
Quote:
Originally Posted by landysaccount
Looks like my LAN users are having a lot of problems getting infected with trojans and other viruses spread inside the LAN.

I would like to know if there's an antivirus for Linux routers/gateways that would scan all packets passing through from the internet to the LAN?
You could deploy HAVP as an HTTP traffic scanner. It uses ClamAV. If the problem is really bad, virus scanning won't be enough, though (due to its inherent limitations). What other measures are you willing to take?
 
#3  11-26-2009, 04:03 PM  landysaccount (original poster)
I'm currently blocking all ports except for 80, 25, and 53. I also have Squid running, but only to save bandwidth. I don't know what else to try though. All I know is I need to take action now before it gets any worse. Do you have any suggestions?
 
#4  11-26-2009, 04:14 PM  landysaccount (original poster)
Quote:
Originally Posted by win32sux
You could deploy HAVP as an HTTP traffic scanner. It uses ClamAV. If the problem is really bad, virus scanning won't be enough, though (due to its inherent limitations). What other measures are you willing to take?
Have you used HAVP? If so, does the bandwidth suffer when you have a certain number of users connected?
 
#5  11-26-2009, 04:38 PM  win32sux (Ubuntu)
Quote:
Originally Posted by landysaccount
I'm currently blocking all ports except for 80, 25, and 53. I also have Squid running, but only to save bandwidth. I don't know what else to try though. All I know is I need to take action now before it gets any worse. Do you have any suggestions?
I would seriously consider taking the LAN offline, inspecting the Squid logs and cross referencing with firewall logs to find possible sources of the trojaned download(s). Then you could proceed to block those sites with an ACL (to reduce the chances of a repeat), implement some sort of larger block ACL of known bad sites, and install HAVP. Meanwhile, the compromised Windows hosts (I'm assuming they are Windows, please correct me if I'm wrong) on the LAN would need to be cleaned and hardened (there's only so much you can do on the gateway).

Quote:
Originally Posted by landysaccount
Have you used HAVP? If so, does the bandwidth suffer when you have a certain number of users connected?
No, I haven't used HAVP. That said, this type of software doesn't change the upstream bandwidth usage. Downstream delays are introduced while the data is scanned, though, so a faster CPU gets you fewer delays.

Last edited by win32sux; 11-26-2009 at 04:50 PM.
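The triage win32sux describes (cross-referencing Squid's access.log with the gateway's firewall logs to find which LAN hosts pulled the trojaned downloads, then feeding the offending sites into a Squid ACL) can be scripted. The following is an added example, not code from this thread or from the Squid or HAVP projects. It assumes Squid's default "native" access.log format, iptables LOG lines written for outbound packets the gateway rejects (a LOG target with a DROP-OUT prefix is assumed), and the gateway's allowed ports from post #3; every log line in it is constructed, not real traffic.

```python
"""Cross-reference Squid access.log with iptables LOG entries to find LAN
hosts that fetched executable payloads and are now making blocked outbound
connections, then emit the domains for a Squid dstdomain ACL.

Added example, not code from the thread. The log lines below are constructed
samples in Squid's native access.log format and the default iptables LOG
format (the DROP-OUT prefix is an assumed --log-prefix); adjust the regexes
if your logs use a custom format."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native format: time elapsed client code/status bytes method URL user hier/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<code>\S+)/(?P<status>\d{3})"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+\s+(?P<ctype>\S+)"
)
# Only the fields we need from an iptables LOG line.
FW_RE = re.compile(r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)")

EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".dll", ".msi")
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-msdos-program"}
ALLOWED_PORTS = {80, 25, 53}   # what the gateway in the thread permits outbound


def parse_squid(line):
    m = SQUID_RE.match(line)
    return m.groupdict() if m else None


def parse_fw(line):
    m = FW_RE.search(line)
    return m.groupdict() if m else None


def suspicious_downloads(squid_lines):
    """Return (client, host, url) for completed GETs of executable-looking content."""
    hits = []
    for line in squid_lines:
        rec = parse_squid(line)
        if not rec or rec["status"] != "200" or rec["method"] != "GET":
            continue
        parts = urlsplit(rec["url"])
        if parts.path.lower().endswith(EXEC_EXT) or rec["ctype"] in EXEC_TYPES:
            hits.append((rec["client"], parts.hostname, rec["url"]))
    return hits


def blocked_outbound(fw_lines):
    """Map LAN source -> set of destination ports it tried that the gateway does not allow."""
    by_src = defaultdict(set)
    for line in fw_lines:
        rec = parse_fw(line)
        if rec and int(rec["dpt"]) not in ALLOWED_PORTS:
            by_src[rec["src"]].add(int(rec["dpt"]))
    return by_src


def correlate(squid_lines, fw_lines):
    """Hosts that both pulled an executable and then hit the outbound filter."""
    downloads = defaultdict(list)
    for client, host, url in suspicious_downloads(squid_lines):
        downloads[client].append((host, url))
    outbound = blocked_outbound(fw_lines)
    return {c: {"downloads": downloads[c], "ports": sorted(outbound[c])}
            for c in downloads if c in outbound}


def dstdomain_acl(findings):
    """Domains to write, one per line, into a file used by a Squid dstdomain ACL."""
    return sorted({host for f in findings.values() for host, _ in f["downloads"]})


# Constructed sample logs (not real traffic).
SQUID_SAMPLE = [
    "1259270000.123   450 192.168.1.23 TCP_MISS/200 245760 GET http://dl.bad-example.test/update.exe - DIRECT/203.0.113.10 application/octet-stream",
    "1259270005.456    80 192.168.1.40 TCP_HIT/200 5120 GET http://www.example.org/index.html - NONE/- text/html",
    "1259270010.789   300 192.168.1.57 TCP_MISS/200 98304 GET http://cdn.bad-example.test/setup.scr - DIRECT/203.0.113.11 application/x-msdownload",
    "1259270012.000   120 192.168.1.40 TCP_MISS/404 512 GET http://www.example.org/missing.exe - DIRECT/198.51.100.5 text/html",
]
FW_SAMPLE = [
    "Nov 26 15:33:21 gw kernel: DROP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.20 LEN=60 PROTO=TCP SPT=49152 DPT=6667 SYN",
    "Nov 26 15:33:25 gw kernel: DROP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.21 LEN=60 PROTO=TCP SPT=49153 DPT=8080 SYN",
    "Nov 26 15:34:02 gw kernel: DROP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=50000 DPT=443 SYN",
    "Nov 26 15:34:10 gw kernel: DROP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.22 LEN=60 PROTO=UDP SPT=1027 DPT=1434",
]

if __name__ == "__main__":
    found = correlate(SQUID_SAMPLE, FW_SAMPLE)
    for client, info in found.items():
        print(client, info)
    print("ACL domains:", dstdomain_acl(found))
```

The domains returned by dstdomain_acl() go one per line into a file that squid.conf references with `acl badsites dstdomain "/etc/squid/badsites.txt"` followed by `http_access deny badsites`, placed before the rule that allows LAN clients. The correlation can only see what the firewall actually logs, so the outbound chain needs a LOG rule for rejected packets before the script is useful; 192.168.1.40 above shows why the join matters, since a single blocked 443 attempt with no executable download behind it is not by itself evidence of infection.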
 
#6  11-26-2009, 05:24 PM  landysaccount (original poster)
Quote:
Originally Posted by win32sux
I would seriously consider taking the LAN offline, inspecting the Squid logs and cross referencing with firewall logs to find possible sources of the trojaned download(s).
That's a great idea in case the trojan is in the cache.

Quote:
Meanwhile, the compromised Windows hosts (I'm assuming they are Windows, please correct me if I'm wrong) on the LAN would need to be cleaned and hardened (there's only so much you can do on the gateway).
Unfortunately, yes these are Windows machines.

I'm going to read more about HAVP and test it first on a separate machine to see how it works. Thanks a lot.
 
#7  11-29-2009, 08:49 PM  unixfool (Slackware, Ubuntu, FreeBSD, OpenBSD, OS X)
A sniffer will come in handy in finding the internally infected hosts (along with proxy and FW logs). In fact, several sniffers may work even better. The reason I'm saying sniffer is that, while an IDS will help, you won't have time to deploy a proper IDS...this isn't the time to be trying to deploy such a system. A sniffer is almost the same thing but is more or less ad hoc. It won't be a dedicated system and can be moved more easily. Basically, it can be run on any system and can be as simple as using tcpdump.

I'd place a sniffer just outside of your gateway (to detect call-home traffic or botnet-related traffic, usually outbound) and one that is just outside of any internal subnets. If you're using three (3) internal subnets, I'd place three (3) sniffers right outside of those subnets (for a total of 4 sniffers).

The way we do it at work is that we look for any outbound traffic that is using high ports. We catch a lot of IRC-related infections this way. We also look for anomalous spikes (higher than normal traffic on port 445, for example), but this requires that you already know your network's nuances. Also, I've seen IRC traffic trying to hide or avoid specific FW rules by going outbound on port 80 (since a lot of companies still tend not to filter outbound port 80 traffic). A lot of botnets are now reporting to web servers (instead of IRC servers). This makes it easy to hide the infected machines reporting to C&C servers, but one red flag will be outbound POST commands to PHP-based sites within the packet trace.

If you don't know your internal network layout, ask for assistance from someone who's been around awhile. Ask for network diagrams and use them even if they're old (they'll be better than using nothing).

We've been seeing LOTS of Conficker infections across our customer base lately. I'd focus on any brute force attempts against 445 (and by association, ports 135, 138, and 139). This particular port/service for Windows-based OSs is notorious for being easily compromised.
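The three patterns unixfool hunts for with a sniffer (internal hosts opening connections to high ports outside the LAN, HTTP POSTs to PHP endpoints on port 80, and one host fanning out to its neighbours on TCP 445) can be checked with a short script over saved tcpdump output instead of by eye. This is an added example and not code from the thread; it reads text in the shape `tcpdump -n -A` prints (a packet summary line optionally followed by ASCII payload lines), assumes the LAN is 192.168.1.0/24, treats three SYNs to distinct hosts on 445 as enough to flag a scanner, and the capture below is constructed rather than a real trace.

```python
"""Ad hoc triage of tcpdump -n -A output for the sniffer heuristics in the
post above: high-port callouts (classic IRC C&C), POSTs to .php on port 80
(web-based C&C check-ins) and SMB/445 fan-out (Conficker-style brute force).

Added example, not the thread's own code. LAN, thresholds and the sample
capture are assumptions; the capture text is constructed."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# One tcpdump -n summary line: "HH:MM:SS.usec IP a.b.c.d.sport > w.x.y.z.dport: Flags [..], ..."
PKT_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
LAN = ip_network("192.168.1.0/24")   # assumption: the internal subnet being watched
SMB_FANOUT_THRESHOLD = 3             # distinct 445 targets before a host is flagged


def parse_capture(text):
    """Group tcpdump -A output into packets: one dict per summary line plus its payload lines."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
            pkt["payload"] = []
            packets.append(pkt)
        elif packets and line.strip():
            packets[-1]["payload"].append(line.strip())
    return packets


def is_internal(ip):
    return ip_address(ip) in LAN


def find_highport_callouts(packets):
    """Internal host -> set of external high ports it sent a bare SYN to."""
    out = defaultdict(set)
    for p in packets:
        if (p["flags"] == "S" and is_internal(p["src"])
                and not is_internal(p["dst"]) and p["dport"] > 1023):
            out[p["src"]].add(p["dport"])
    return out


def find_php_posts(packets):
    """(src, dst, request line) for HTTP POSTs from the LAN to .php targets on port 80."""
    hits = []
    for p in packets:
        if p["dport"] != 80 or not is_internal(p["src"]):
            continue
        for line in p["payload"]:
            if line.startswith("POST ") and line.split()[1].split("?")[0].lower().endswith(".php"):
                hits.append((p["src"], p["dst"], line))
    return hits


def find_smb_fanout(packets, threshold=SMB_FANOUT_THRESHOLD):
    """Internal hosts sending SYNs to at least `threshold` distinct peers on TCP 445."""
    targets = defaultdict(set)
    for p in packets:
        if p["flags"] == "S" and p["dport"] == 445 and is_internal(p["src"]):
            targets[p["src"]].add(p["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


# Constructed capture in tcpdump -n -A shape (not a real trace).
SAMPLE = """\
15:33:21.000100 IP 192.168.1.23.49152 > 203.0.113.20.6667: Flags [S], seq 1, win 5840, length 0
15:33:21.000900 IP 203.0.113.20.6667 > 192.168.1.23.49152: Flags [S.], seq 2, ack 2, win 5840, length 0
15:33:30.100000 IP 192.168.1.40.50000 > 198.51.100.9.80: Flags [P.], seq 1:150, ack 1, win 5840, length 149
POST /gate.php HTTP/1.1
Host: stats.bad-example.test
15:33:31.000000 IP 192.168.1.41.50001 > 198.51.100.10.80: Flags [P.], seq 1:120, ack 1, win 5840, length 119
GET /index.html HTTP/1.1
15:34:00.000000 IP 192.168.1.57.1030 > 192.168.1.10.445: Flags [S], seq 1, win 65535, length 0
15:34:00.010000 IP 192.168.1.57.1031 > 192.168.1.11.445: Flags [S], seq 1, win 65535, length 0
15:34:00.020000 IP 192.168.1.57.1032 > 192.168.1.12.445: Flags [S], seq 1, win 65535, length 0
15:34:00.030000 IP 192.168.1.57.1033 > 192.168.1.13.445: Flags [S], seq 1, win 65535, length 0
15:34:05.000000 IP 192.168.1.40.1040 > 192.168.1.10.445: Flags [S], seq 1, win 65535, length 0
"""

if __name__ == "__main__":
    pkts = parse_capture(SAMPLE)
    print("high-port callouts:", dict(find_highport_callouts(pkts)))
    print("php posts:", find_php_posts(pkts))
    print("smb fan-out:", find_smb_fanout(pkts))
```

On a sniffer host, `tcpdump -n -A -i eth1 > capture.txt` (eth1 being the LAN-facing interface, an assumption) produces input in this shape; pass the file contents to parse_capture(). The high-port check deliberately matches only bare SYNs from inside to outside, so the SYN-ACK coming back and the server's own traffic do not double-count, and the 445 check needs the baseline the post mentions: a single host talking to one file server on 445 (192.168.1.40 above) is normal, while one host touching many peers in a few milliseconds is not.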
 
Tags: antivirus, linux