Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
In light of yet another Windows virus, I am hoping some of you can shed some light on the level of security provided by my home-net configuration.
I have a Linux 2.4 (Debian) system running as an internet gateway. I run a stateful firewall (iptables) which does NAT for other machines behind the 2nd NIC. Normally *unless I temporarily 'open' a port* the firewall basically drops all packets that do not match an 'established' connection. Everything is hardwired (no wireless) with static IPs, etc.
Is there any way that I can be vulnerable to worms, viruses, etc. on the home LAN?
Can I safely run Windows machines behind this firewall?
Is there any difference between my configuration and, say, a Windows machine serving the same firewall purpose, i.e. running a Windows machine with Internet Connection Sharing plus a firewall such as the one provided by Microsoft, or perhaps Sygate or another 3rd party?
I am confused regarding all the claims that Linux is inherently more secure at the network layer.
Quote:
Is there any way that I can be vulnerable to worms, viruses, etc. on the home LAN?
Of course. If you get one in your email or download one off the net yourself (e.g. from a dodgy site) the firewall won't stop that.
Quote:
Can I safely run Windows machines behind this firewall?
You can't run Windows safely anywhere
But yes you should be pretty safe.
Quote:
Is there any difference between my configuration and, say, a Windows machine serving the same firewall purpose, i.e. running a Windows machine with Internet Connection Sharing plus a firewall such as the one provided by Microsoft, or perhaps Sygate or another 3rd party?
Not on the face of it, no.
Quote:
I am confused regarding all the claims that Linux is inherently more secure at the network layer.
Linux generally has fewer remote vulnerabilities, fewer services run as a privileged user, there is more scope for locking down the machine with things like chroot and SELinux, Linux distros usually enable the firewall by default, Linux users don't run as root, Linux email clients don't execute attachments, etc. etc. However, your Windows box serving the same purpose may do the job just as well and be just as secure if you set it up carefully and properly.
There is nothing magically more secure about having a Linux box do a particular task instead of a Windows box; after all, security is a process, not a product. However, you'll find a lot of people (incl. me) feel that Linux is easier to secure and more reliably secure, and offers much more scope to enable you to lock it down.
Quote:
I have a Linux 2.4 (Debian) system running as an internet gateway. I run a stateful firewall (iptables) which does NAT for other machines behind the 2nd NIC. Normally *unless I temporarily 'open' a port* the firewall basically drops all packets that do not match an 'established' connection. Everything is hardwired (no wireless) with static IPs, etc.
This sounds like an excellent setup, as long as you're keeping up with updates for that Debian box. Keep going with it.
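The gateway described in the quoted post, written out as a complete iptables-restore ruleset so the "drop everything that is not established" policy can be read in one place. This is an added example, not configuration from the poster or from Debian; the interface names eth0 (WAN) and eth1 (LAN), the subnet 192.168.1.0/24 and the function names are assumptions. It also covers the "temporarily open a port" case from the post as a pair of rules that can be added and later removed with the same text.

```shell
#!/bin/sh
# Added example: two-NIC NAT gateway with a default-drop stateful policy.
# WAN_IF, LAN_IF and LAN_NET are assumptions; override them in the environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# build_ruleset WAN LAN LAN_NET
# Prints a ruleset in iptables-restore syntax. The gateway accepts nothing
# from the WAN unless it belongs to an ESTABLISHED or RELATED connection;
# LAN hosts may open NEW outbound connections, which are masqueraded behind
# the WAN address; INPUT and FORWARD default to DROP, so anything unmatched
# (inbound scans, unsolicited packets) is silently discarded.
build_ruleset() {
    wan=$1; lan=$2; net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -s $net -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# open_port WAN PROTO PORT LAN_HOST
# Prints the two iptables commands that temporarily expose WAN:PORT by
# forwarding it to LAN_HOST:PORT. Apply with:  open_port eth0 tcp 22 192.168.1.10 | sh
# Close again with:  open_port eth0 tcp 22 192.168.1.10 | sed 's/ -A / -D /' | sh
open_port() {
    wan=$1; proto=$2; port=$3; host=$4
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$wan" "$proto" "$port" "$host" "$port"
    printf 'iptables -A FORWARD -i %s -p %s -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$wan" "$proto" "$host" "$port"
}

# apply_gateway: load the ruleset atomically and enable forwarding (needs root).
apply_gateway() {
    build_ruleset "$WAN_IF" "$LAN_IF" "$LAN_NET" | iptables-restore
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Only act when invoked as a script with a verb, so the file can also be sourced.
case "${1:-}" in
    apply) apply_gateway ;;
    show)  build_ruleset "$WAN_IF" "$LAN_IF" "$LAN_NET" ;;
esac
```

Run `sh gateway.sh show` to inspect the generated rules before `sh gateway.sh apply`. Loading through iptables-restore replaces the whole table in one step, so there is no window during reload where the policy is half applied.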
Lastly, I am interested in any package that might help to detect possible infections, trojans, etc., by logging suspicious LAN-side requests out to the internet. I have learned that when surfing the net, many-many-many connections are 'established' over time and I suppose if they are initiated from 192.168.etc.etc. then the firewall is not bothered. Is there any way to detect connection requests that are made (for example) by a rogue program, and log them?
..Or any other generic package that could be run to further harden the box?
Quote:
..Or any other generic package that could be run to further harden the box?
Three great security tools that I personally use and recommend for increasing security on a Linux box are chkrootkit, Rootkit Hunter, and Bastille. The first two are excellent utilities to check for rootkits on Linux and Unix systems. Bastille is a wonderful little utility that aids in locking down a Linux or Unix system as well as providing some newly integrated vulnerability-assessment tools.
Two good system integrity tools are Tripwire and AIDE. You can do various things with both of those tools, but I've used them to monitor file changes on my server. My machine will email me if/when certain critical files are touched/moved/modified/etc.
If you're concerned about viruses, Clam AntiVirus is a great virus scanner. Although I'm not too concerned about contracting a virus on my Linux machine, I do use Clam to scan files/email that pass through my Linux server to Windows machines to ensure that I'm not part of the virus distribution chain. There are nice graphical front-ends to Clam such as KlamAV if you prefer the QT/KDE look, or if you're comfortable with the command line, plain old ClamAV is great for that too. You can set up cron jobs to scan your machine, integrate it with other programs such as email daemons, etc.
I don't know much about Debian but that looks correct.
Quote:
Lastly, I am interested in any package that might help to detect possible infections, trojans, etc., by logging suspicious LAN-side requests out to the internet. I have learned that when surfing the net, many-many-many connections are 'established' over time and I suppose if they are initiated from 192.168.etc.etc. then the firewall is not bothered. Is there any way to detect connection requests that are made (for example) by a rogue program, and log them?
Programs like chkrootkit and rkhunter will look for rootkits (http://en.wikipedia.org/wiki/Rootkit); you can't do any harm setting them to run every night.
AIDE is an example of a host-based intrusion detection system and Snort is a network-based IDS. Network-based IDSes are designed to log any suspicious traffic. However, generally IDSes are a bit overkill for a home user - they can be complex and time consuming.
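Short of running a full IDS, the question asked above (log the connection requests LAN machines make out to the internet, and spot the ones a rogue program makes) can be answered with the firewall the gateway already has: a LOG rule on NEW forwarded connections, plus a small summariser over the kernel log. This is an added example, not from the thread or from any of the named tools; the interface names, the "LAN-OUT: " prefix, the baseline port list and the sample log lines are all constructed.

```shell
#!/bin/sh
# Added example: log every NEW LAN->WAN connection and summarise the result.
# Interface names and the log prefix are assumptions.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"

# log_rule_cmd: prints the iptables command that logs each new outbound
# connection. -I ... 1 places it before any ACCEPT in FORWARD so it always
# fires; --log-prefix tags the kernel message; -m limit stops one runaway
# host from flooding syslog. Apply with:  log_rule_cmd | sh
log_rule_cmd() {
    printf 'iptables -I FORWARD 1 -i %s -o %s -m state --state NEW -m limit --limit 20/min --limit-burst 50 -j LOG --log-level info --log-prefix "LAN-OUT: "\n' \
        "$LAN_IF" "$WAN_IF"
}

# summarize_outbound < /var/log/kern.log
# One line per (source host, protocol, destination port): how many new
# connections were opened and how many distinct destination hosts were
# contacted. Many distinct hosts on one port from a single machine is the
# footprint a mass-mailing worm or spam relay leaves behind.
summarize_outbound() {
    awk '
        /LAN-OUT: / {
            src = ""; dst = ""; proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src == "") next
            key = src " " proto " " dpt
            count[key]++
            if (!((key, dst) in seen)) { seen[key, dst] = 1; hosts[key]++ }
        }
        END { for (k in count) printf "%s conns=%d hosts=%d\n", k, count[k], hosts[k] }
    ' | sort
}

# flag_unusual BASELINE_PORTS < /var/log/kern.log
# Keeps only summary lines whose destination port is not in the
# comma-separated baseline and that reached at least three distinct hosts.
flag_unusual() {
    baseline=",$1,"
    summarize_outbound | while read -r src proto dpt conns hosts; do
        case "$baseline" in *",$dpt,"*) continue ;; esac
        n=${hosts#hosts=}
        if [ "$n" -ge 3 ]; then echo "$src $proto $dpt $conns $hosts"; fi
    done
}

# Constructed sample of what the LOG rule writes to the kernel log: one
# browsing host (.10) and one host (.20) opening SMTP to several servers.
sample_log() {
    cat <<'EOF'
Jun 12 20:15:01 gw kernel: LAN-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1001 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 12 20:15:02 gw kernel: LAN-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1002 DF PROTO=TCP SPT=40002 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 12 20:15:03 gw kernel: LAN-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2001 DF PROTO=TCP SPT=1041 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 12 20:15:03 gw kernel: LAN-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.3 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2002 DF PROTO=TCP SPT=1042 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 12 20:15:04 gw kernel: LAN-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.4 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2003 DF PROTO=TCP SPT=1043 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 12 20:15:04 gw kernel: LAN-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.4 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2004 DF PROTO=TCP SPT=1044 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 12 20:15:05 gw kernel: LAN-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=2005 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
EOF
}

# "demo" runs the summariser over the constructed sample; otherwise the file
# can be sourced, or pointed at the real log:  flag_unusual 80,443,53 < /var/log/kern.log
case "${1:-}" in
    demo) sample_log | flag_unusual "80,443,53" ;;
esac
```

On the sample, only `192.168.1.20 TCP 25 conns=4 hosts=3` survives the filter: a Windows box that opens SMTP sessions to three different mail servers in two seconds is worth a look, while the browsing host on ports 80 and 443 is filtered out by the baseline. Run it nightly from cron alongside chkrootkit and mail the output; an empty report is the normal case.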