LinuxQuestions.org > Forums > Linux Forums > Linux - Security
View Poll Results: How often do you scan your Linux Computer(s)?
I am so paranoid I scan it more than once a day... 0 0%
Once a day. 4 13.79%
Once a week. 0 0%
Once a month. 2 6.90%
A few times a year. 11 37.93%
Depends really on what I am doing. Can be often or not. 12 41.38%
Voters: 29.
Old 10-21-2010, 06:33 PM   #1
Amdx2_x64
Member
 
Registered: Jun 2008
Distribution: Left LQ. Mods are too Rude!
Posts: 598

Rep: Reputation: 50
So How often does everyone scan their Linux Computers and what do you use?


I was just curious how many times the average Linux desktop user at these forums checks their computer for viruses, root kits, etc. I already know all the arguments about Linux being more secure, which is one reason why I use it. However I also believe that nothing is 100% and the worst things happen when you least expect them. The internet always has a habit of doing that.

I have several security measures in place. For example I am using Firefox with the add-ons: NoScript, Redirect Remover, Adblock Plus, Ghostery, BetterPrivacy. I also have a Router Firewall as well as using Firestarter.

What I run often, but not nearly as much as Windows scans, is ClamAV via ClamTK, Rkhunter, Chkrootkit.

So How often does everyone scan their Linux Computers and what do you use?

Last edited by Amdx2_x64; 10-21-2010 at 06:37 PM.
 
Old 10-21-2010, 07:29 PM   #2
lostzinzthought
Member
 
Registered: Sep 2010
Location: USA
Distribution: Slackware13.1
Posts: 47

Rep: Reputation: 4
I actually don't scan my Linux boxes - I tend to reformat the drive and do a fresh install every half year or so on my Linux machines, so I don't scan them much.
If I keep an OS (any, not just Linux) on for over 6 months I'll run ClamAV on it from a SystemrescueCD.
 
Old 10-22-2010, 04:45 AM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
I don't typically 'scan' them for things in the same manner as you do a Windows machine. I just don't see the need. On my public facing machines (servers) I do run some security applications including network and host based intrusion detection and I do periodically audit the logs. I continuously watch for unusual activity and make note of any changes, such as updated applications or installed files. I watch when they were last accessed and by whom. I run virus scanning of all incoming and outgoing files that they process via email.
 
Old 10-22-2010, 07:11 AM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
I've got AIDE set up to scan nightly and I look at those emails daily. I also look at log files every few days. I only run the rootkit detectors if I think something is amiss. I've also got the internet facing servers locked down reasonably well. SSH is by key only and Apache is running mod_security. I only open up FTP when someone needs to send me a big file.
 
Old 10-22-2010, 08:28 AM   #5
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
I don't scan at all anymore.

Before, I used to scan using non-host-based tools, such as Nessus and Nikto.

I also use Snort to sniff my LAN traffic on my home network and colo machine. Network-based IDSs are passive in nature, though.
 
Old 10-22-2010, 08:44 AM   #6
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1301
A few times a year I scan with rkhunter and chkrootkit. Have not found anything yet.

Rarely I scan with clamav, and once it did find a trojan in some sites I had saved. I no longer save sites (of that type), but either way the trojan was inactive and could not work.
 
Old 10-22-2010, 09:00 PM   #7
Peufelon
Member
 
Registered: Jul 2005
Posts: 164
Blog Entries: 1

Rep: Reputation: Disabled
Don't Trust Vendors To Look Out For You

Amdx2_x64,

So nice to see someone who takes such minimal steps as using Firefox plus the add-ons you mentioned. I always clamscan any PDF I download; PDFs are one of the major malware vectors for websurfers, as is Javascript, and some attacks do affect Linux boxes (or are platform independent), so these vectors DO impact Linux users. As you probably know. I also do some of the other things various posters mentioned, and more besides.

Little tip for those who use a recent Actiontek router: it seems that by default these all allow a user on your LAN to contact the router by http connection, and also allow anyone anywhere to contact it by telnet. Secure connections such as ssh or https are not supported. (Ugh!) You must use the web interface to disable the telnet interface and also to set a new password (and if the power to the router is interrupted, you'll probably need to do it again); otherwise by default your router will give up to anyone who asks the unique identifiers of the CPU in your router and the ethernet card of your computer! That is precisely the kind of personal information which Google recently got in trouble for snagging illegally using their StreetView vehicles. To say the least, Actiontek does not attempt to publicly reveal this to their customers. Unfortunately, this kind of careless (deceptive?) attitude seems to be common. Especially frustrating since ISPs seem to be able to get away with declaring that their users must use a particular brand of router in order to connect to the web.

Just one example of the kind of issue you have to look out for, on top of all the ones you've already heard about. Even if you are not running a server.

Last edited by Peufelon; 10-22-2010 at 09:13 PM.
 
Old 10-22-2010, 10:36 PM   #8
yancek
LQ Guru
 
Registered: Apr 2008
Distribution: Slackware, Ubuntu, PCLinux,
Posts: 10,446

Rep: Reputation: 2474
I've never used a virus scanner on my Linux machine but I've only been using it for 6 years. Never had a virus or any malware.
 
Old 10-25-2010, 03:02 PM   #9
Amdx2_x64
Member
 
Registered: Jun 2008
Distribution: Left LQ. Mods are too Rude!
Posts: 598

Original Poster
Rep: Reputation: 50
Well I was just going to let this thread go. But since I learned a few things from it I wanted to say thanks for that.
 
Old 10-25-2010, 03:50 PM   #10
nomb
Member
 
Registered: Jan 2006
Distribution: Debian Testing
Posts: 675

Rep: Reputation: 58
I use Nessus and Nexpose to scan my boxes at a minimum of once a week.
I used to use AIDE for the HIDS but have switched over to Osiris.
I use Snort to monitor the network.
All boxes log to a central log server with all boxes using NTP.

Also have a few self made tools watching boxes and traffic.

nomb
 
Old 10-25-2010, 03:59 PM   #11
OlRoy
Member
 
Registered: Dec 2002
Posts: 306

Rep: Reputation: 86
Quote:
Originally Posted by yancek View Post
I've never used a virus scanner on my Linux machine but I've only been using it for 6 years. Never had a virus or any malware.
"I've never had any blood work done. Never had any problems with cholesterol." Not saying you need AV software... there is more to detecting malware than AV software, but I hope you've done some other form of monitoring to be sure you've never been compromised.
 
Old 10-25-2010, 04:00 PM   #12
OlRoy
Member
 
Registered: Dec 2002
Posts: 306

Rep: Reputation: 86
Quote:
Originally Posted by nomb View Post
I use Nessus and Nexpose to scan my boxes at a minimum of once a week.
I used to use AIDE for the HIDS but have switched over to Osiris.
I use Snort to monitor the network.
All boxes log to a central log server with all boxes using NTP.

Also have a few self made tools watching boxes and traffic.

nomb
Sounds interesting... exactly what do your self made tools do?
 
Old 10-25-2010, 04:13 PM   #13
nomb
Member
 
Registered: Jan 2006
Distribution: Debian Testing
Posts: 675

Rep: Reputation: 58
Quote:
Originally Posted by OlRoy View Post
Sounds interesting... exactly what do your self made tools do?
A bunch of different things. I have one that I kinda use as a Swiss army knife. It is all plugin based and all the plugins can communicate and what not. So among other things it monitors the logs on my honeypots and when they get attacked it sends the IPs to all of my other boxes so they can drop all traffic from them. I have another that watches for failed ssh attempts and then after so many NATs them to the ssh honeypot. I have another that watches traffic and compares IP and MAC to known good IP and MAC and alerts any changes or unknowns. Bunch of different stuff.

nomb
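As an added illustration (not nomb's code, which is not posted in the thread), here are two of the checks he describes written out in Python over constructed sample data: counting failed SSH logins per source address against a made-up threshold, and comparing observed IP/MAC pairs with a known-good table to flag changed or unknown hosts. The log lines, addresses, MACs and the threshold of 3 are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sshd lines in auth.log format (not real traffic).
SAMPLE_AUTH_LOG = """\
Oct 25 15:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct 25 15:01:04 host sshd[1203]: Failed password for root from 203.0.113.7 port 51023 ssh2
Oct 25 15:01:06 host sshd[1205]: Failed password for root from 203.0.113.7 port 51024 ssh2
Oct 25 15:01:09 host sshd[1207]: Accepted publickey for nomb from 192.0.2.10 port 40112 ssh2
Oct 25 15:01:11 host sshd[1209]: Failed password for invalid user test from 198.51.100.5 port 60001 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+(?:\.\d+){3}) port")

def failed_ssh_sources(log_text, threshold=3):
    """Return {ip: failures} for sources at or above the threshold.
    The threshold is an assumed value standing in for nomb's 'after so many'."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed known-good IP -> MAC baseline for the LAN.
KNOWN_GOOD = {
    "192.0.2.10": "00:11:22:33:44:55",
    "192.0.2.20": "00:11:22:33:44:66",
}

# Constructed observations, as you might parse from `arp -an` or a sniffer.
OBSERVED = [
    ("192.0.2.10", "00:11:22:33:44:55"),  # matches the baseline
    ("192.0.2.20", "de:ad:be:ef:00:01"),  # known IP, MAC has changed
    ("192.0.2.99", "00:11:22:33:44:77"),  # IP not in the baseline
]

def check_ip_mac(observed, known_good):
    """Return (ip, mac, reason) for every pair that is 'changed' or 'unknown'."""
    alerts = []
    for ip, mac in observed:
        expected = known_good.get(ip)
        if expected is None:
            alerts.append((ip, mac, "unknown"))
        elif expected.lower() != mac.lower():
            alerts.append((ip, mac, "changed"))
    return alerts
```

Calling `failed_ssh_sources(SAMPLE_AUTH_LOG)` flags only 203.0.113.7, and `check_ip_mac(OBSERVED, KNOWN_GOOD)` returns one "changed" and one "unknown" alert; wiring those results into a blocklist push or an e-mail is the part nomb's plugins add on top.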
 
Old 10-25-2010, 04:35 PM   #14
OlRoy
Member
 
Registered: Dec 2002
Posts: 306

Rep: Reputation: 86
Quote:
Originally Posted by nomb View Post
A bunch of different things. I have one that I kinda use as a Swiss army knife. It is all plugin based and all the plugins can communicate and what not. So among other things it monitors the logs on my honeypots and when they get attacked it sends the IPs to all of my other boxes so they can drop all traffic from them. I have another that watches for failed ssh attempts and then after so many NATs them to the ssh honeypot. I have another that watches traffic and compares IP and MAC to known good IP and MAC and alerts any changes or unknowns. Bunch of different stuff.

nomb
I need to get back into honeypots... that sounds like fun.
 
Old 10-25-2010, 05:51 PM   #15
nomb
Member
 
Registered: Jan 2006
Distribution: Debian Testing
Posts: 675

Rep: Reputation: 58
Quote:
Originally Posted by OlRoy View Post
I need to get back into honeypots... that sounds like fun.
It is. Good way to learn.
 