So How often does everyone scan their Linux Computers and what do you use?
View Poll Results: How often do you scan your Linux Computer(s)?

  I am so paranoid I scan it more than once a day...          0    0%
  Once a day.                                                 4   13.79%
  Once a week.                                                0    0%
  Once a month.                                               2    6.90%
  A few times a year.                                        11   37.93%
  Depends really on what I am doing. Can be often or not.
I was just curious how many times the average Linux desktop user at these forums checks their computer for viruses, rootkits, etc. I already know all the arguments about Linux being more secure, which is one reason why I use it. However, I also believe that nothing is 100% and the worst things happen when you least expect them. The internet always has a habit of doing that.
I have several security measures in place. For example, I am using Firefox with the add-ons NoScript, Redirect Remover, Adblock Plus, Ghostery and BetterPrivacy. I also have a router firewall as well as using Firestarter.
What I run often, but not nearly as much as Windows scans, are ClamAV via ClamTK, rkhunter and chkrootkit.
I actually don't scan my Linux boxes. I tend to reformat the drive and do a fresh install every half year or so on my Linux machines, so I don't scan them much.
If I keep an OS (any, not just Linux) on for over 6 months I'll run ClamAV on it from a SystemRescueCd.
I don't typically 'scan' them for things in the same manner as you do a Windows machine. I just don't see the need. On my public-facing machines (servers) I do run some security applications, including network- and host-based intrusion detection, and I do periodically audit the logs. I continuously watch for unusual activity and make note of any changes, such as updated applications or installed files. I watch when they were last accessed and by whom. I run virus scanning of all incoming and outgoing files that they process via email.
I've got AIDE set up to scan nightly and I look at those emails daily. I also look at log files every few days. I only run the rootkit detectors if I think something is amiss. I've also got the internet facing servers locked down reasonably well. SSH is by key only and Apache is running mod_security. I only open up FTP when someone needs to send me a big file.
A few times a year I scan with rkhunter and chkrootkit. Have not found anything yet.
Rarely I scan with ClamAV, and once it did find a trojan in some sites I had saved. I no longer save sites (of that type), but either way the trojan was inactive and could not work.
So nice to see someone who takes such minimal steps as using Firefox plus the add-ons you mentioned. I always clamscan any PDF I download; PDFs are one of the major malware vectors for websurfers, as is JavaScript, and some attacks do affect Linux boxes (or are platform independent), so these vectors DO impact Linux users. As you probably know. I also do some of the other things various posters mentioned, and more besides.
Little tip for those who use a recent Actiontec router: it seems that by default these all allow a user on your LAN to contact the router by HTTP connection, and also allow anyone anywhere to contact it by telnet. Secure connections such as SSH or HTTPS are not supported. (Ugh!) You must use the web interface to disable the telnet interface and also to set a new password (and if the power to the router is interrupted, you'll probably need to do it again); otherwise by default your router will give up to anyone who asks the unique identifiers of the CPU in your router and the ethernet card of your computer! That is precisely the kind of personal information which Google recently got in trouble for snagging illegally using their StreetView vehicles. To say the least, Actiontec does not attempt to publicly reveal this to their customers. Unfortunately, this kind of careless (deceptive?) attitude seems to be common. Especially frustrating since ISPs seem to be able to get away with declaring that their users must use a particular brand of router in order to connect to the web.
Just one example of the kind of issue you have to look out for, on top of all the ones you've already heard about. Even if you are not running a server.
I use Nessus and Nexpose to scan my boxes at a minimum of once a week.
I used to use AIDE for the HIDS but have switched over to Osiris.
I use Snort to monitor the network.
All boxes log to a central log server, with all boxes using NTP.
Also have a few self-made tools watching boxes and traffic.
I've never used a virus scanner on my Linux machine but I've only been using it for 6 years. Never had a virus or any malware.
"I've never had any blood work done. Never had any problems with cholesterol." Not saying you need AV software... there is more to detecting malware than AV software, but I hope you've done some other form of monitoring to be sure you've never been compromised.
Sounds interesting... exactly what do your self-made tools do?
A bunch of different things. I have one that I kinda use as a Swiss army knife. It is all plugin-based and all the plugins can communicate and whatnot. So among other things it monitors the logs on my honeypots and when they get attacked it sends the IPs to all of my other boxes so they can drop all traffic from them. I have another that watches for failed SSH attempts and then after so many NATs them to the SSH honeypot. I have another that watches traffic and compares IP and MAC to known-good IP and MAC and alerts on any changes or unknowns. Bunch of different stuff.
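Two of the watchers nomb describes, the failed-SSH counter that redirects repeat offenders to a honeypot and the IP-to-MAC consistency check, are small enough to sketch in full. What follows is an added example written for this thread, not nomb's tools. The sshd log lines, the ARP baseline and the observed table are constructed; the honeypot address, the threshold and the iptables DNAT rule format are assumptions, and the script only generates the rule text, it does not apply it.

```python
"""Failed-SSH watcher and IP/MAC baseline check (added example, not nomb's code).

count_failures() parses syslog-format sshd lines and counts failures per source
address; offenders() applies a threshold and allowlist; honeypot_rules() emits
the DNAT rule that would steer further port-22 traffic from each offender to a
honeypot (assumed address/port). check_arp() flags IPs whose MAC changed or
that were never seen. All inputs below are constructed sample data.
"""
import re
from collections import Counter
from ipaddress import ip_address

# Classic sshd failure lines, with and without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey|none) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed log excerpt: one brute-forcer, one legitimate user who typoed once,
# one probe, and two lines that must not count as failures.
SAMPLE_LOG = """\
Jun  3 02:11:07 gw sshd[2231]: Failed password for root from 203.0.113.7 port 51212 ssh2
Jun  3 02:11:09 gw sshd[2233]: Failed password for root from 203.0.113.7 port 51214 ssh2
Jun  3 02:11:12 gw sshd[2235]: Failed password for invalid user admin from 203.0.113.7 port 51218 ssh2
Jun  3 02:11:15 gw sshd[2237]: Failed password for invalid user oracle from 203.0.113.7 port 51221 ssh2
Jun  3 02:11:20 gw sshd[2240]: Accepted publickey for nomb from 192.0.2.10 port 40022 ssh2
Jun  3 02:12:01 gw sshd[2244]: Failed password for nomb from 192.0.2.10 port 40030 ssh2
Jun  3 02:12:44 gw sshd[2250]: Failed none for invalid user test from 198.51.100.23 port 60001 ssh2
Jun  3 02:12:45 gw sshd[2252]: Connection closed by 198.51.100.23 port 60001 [preauth]
"""


def count_failures(log_text: str) -> Counter:
    """Count failed sshd authentications per normalised source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            ip = str(ip_address(m.group("ip")))  # rejects malformed addresses
        except ValueError:
            continue
        counts[ip] += 1
    return counts


def offenders(counts: Counter, threshold: int = 3, allowlist=frozenset()) -> list:
    """Addresses at or over the threshold, excluding an allowlist of your own hosts
    so a fat-fingered admin is not NATed into the honeypot (my addition, an assumption)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allowlist)


def honeypot_rules(ips, honeypot: str = "10.0.0.99", port: int = 2222) -> list:
    """iptables DNAT rules (text only, not executed); honeypot address is assumed."""
    return [
        f"iptables -t nat -A PREROUTING -s {ip} -p tcp --dport 22 "
        f"-j DNAT --to-destination {honeypot}:{port}"
        for ip in ips
    ]


# Constructed known-good IP -> MAC baseline for the LAN watcher.
KNOWN_HOSTS = {
    "192.0.2.10": "52:54:00:aa:bb:01",
    "192.0.2.11": "52:54:00:aa:bb:02",
}


def check_arp(observed: dict, known: dict) -> tuple:
    """Return (changed, unknown): IPs whose MAC differs from baseline (possible
    ARP spoofing or a replaced host) and IPs not in the baseline at all."""
    changed = {
        ip: (known[ip], mac)
        for ip, mac in observed.items()
        if ip in known and known[ip].lower() != mac.lower()
    }
    unknown = {ip: mac for ip, mac in observed.items() if ip not in known}
    return changed, unknown


if __name__ == "__main__":
    bad = offenders(count_failures(SAMPLE_LOG))
    print("\n".join(honeypot_rules(bad)))
    seen = {"192.0.2.10": "52:54:00:aa:bb:01",
            "192.0.2.11": "de:ad:be:ef:00:01",
            "192.0.2.50": "52:54:00:cc:dd:03"}
    print(check_arp(seen, KNOWN_HOSTS))
```

With the sample above only 203.0.113.7 crosses the threshold; the single failure from 192.0.2.10 and the one probe from 198.51.100.23 do not, and the "Accepted" and "Connection closed" lines are ignored by the regex. Whatever threshold you pick, age the counters (fail2ban-style findtime) so one lockout does not accumulate forever.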
I need to get back into honeypots... that sounds like fun.