Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Distribution: Debian,Free BSD but Currently Using PCLinuxOS
Posts: 32
Virus on network
Hi allz,
We have a 30 PC network with a software development central server, which has the main software. Our network is infected by malware which I think came from a user's USB. How to secure our network from viruses? All the PCs are running Windows. Now I want to install a Linux gateway/firewall.
Which is the good one: Smoothwall, IPCop or IPFire? Please suggest. And how to scan for viruses and detect them before they infect the systems?
The best firewall/gateway is one you write yourself, one that you understand.
What a lot of people do is run a transparent proxy with content/AV filtering. There are howtos around the net.
But it is not clear how you can use this to stop a virus loaded from a usb key to a client machine. You need to secure the client! There are solutions for this on windows that can be deployed across a network... but they'll cost you.
Distribution: Debian,Free BSD but Currently Using PCLinuxOS
Posts: 32
Original Poster
Quote:
Originally Posted by Simon Bridge
But it is not clear how you can use this to stop a virus loaded from a usb key to a client machine. You need to secure the client! There are solutions for this on windows that can be deployed across a network... but they'll cost you.
Well, out of 50 users here I have 2 that need to use USB flash drives; the rest do not need them to do their job, so I disabled USB storage devices on their PCs (a registry edit and a reboot is all that is required). This inexpensive utility from IntelliAdmin will let you do all the PCs on your network at once from your desk: IntelliAdmin. They also have a free utility to do this one PC at a time: Free remote USB Drive disabler.
Or if you are into manually editing the registry instead of making use of a convenient tool: How to manually disable USB Drives (Microsoft KB).
A More comprehensive solution that will allow specific users to use specific USB drives such as a company supplied USB flash drive, but NOT one they found in the parking lot would be from Checkpoint. This product is called Pointsec.
Desktop firewalls configured properly on all your PC's would help prevent malware from spreading inside your network.
A firewall, only on your internet connection, will give your network a hard and crunchy Shell, but without a product like pointsec to harden your windows PC's the inside of your network is still soft and chewy..
And I have to ask, if malware spread inside your network: are you running desktop anti-virus on your workstations? A centrally managed AV solution is a must. Something that notifies you if a user isn't updated, and also will not allow the users to disable the AV to improve their workstation performance. Kaspersky, Trend Micro, Symantec, McAfee, Computer Associates, other... ??
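The registry change described in the post above, as an added PowerShell example that is not part of the original thread: it reports the start type of the USBSTOR driver service on each workstation and, when `$Enforce` is set, writes `Start = 4` (disabled) on every machine not on the exemption list. The host names, the exemption list and working PowerShell remoting are assumptions; a machine with no USBSTOR key is reported, not modified.

```powershell
# Added example. Host names and the exemption list are hypothetical placeholders.
$Workstations = @($env:COMPUTERNAME, 'PC-02', 'PC-03')
$Exempt       = @('PC-02')      # users who need USB flash drives for their job
$Enforce      = $false          # $false = audit only, $true = disable USB storage

# Runs on each target. USBSTOR Start: 3 = load on demand (enabled), 4 = disabled.
$check = {
    param([bool]$Disable)
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $result = [pscustomobject]@{
        Computer = $env:COMPUTERNAME; Before = $null; After = $null; Note = ''
    }
    if (-not (Test-Path -Path $key)) {
        # No USB storage driver registered yet, so there is no Start value to set.
        $result.Note = 'USBSTOR key not present'
        return $result
    }
    $result.Before = (Get-ItemProperty -Path $key -Name Start).Start
    if ($Disable -and $result.Before -ne 4) {
        Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord
        $result.Note = 'changed; reboot required'
    }
    $result.After = (Get-ItemProperty -Path $key -Name Start).Start
    return $result
}

$report = foreach ($pc in $Workstations) {
    # Exempt machines are audited but never changed.
    $disable = $Enforce -and ($Exempt -notcontains $pc)
    try {
        if ($pc -eq $env:COMPUTERNAME) {
            & $check $disable                      # local machine: no remoting needed
        } else {
            Invoke-Command -ComputerName $pc -ScriptBlock $check `
                -ArgumentList $disable -ErrorAction Stop |
                Select-Object Computer, Before, After, Note
        }
    } catch {
        [pscustomobject]@{ Computer = $pc; Before = $null; After = $null
                           Note = "unreachable: $($_.Exception.Message)" }
    }
}

# Anything still at 3 on a non-exempt machine needs follow-up.
$report | Sort-Object Computer | Format-Table -AutoSize
```

Run it elevated; writing under HKLM requires administrative rights on each target.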
You realize that most of the money made by security consultants is for setting this up for people who didn't think they needed to.
Rethink your security policy - seriously. Security is important. Try to avoid product-centered thinking.
AV on each machine, firewall on each machine. There are free versions - but a commercial deployment will still cost you if you are not prepared to understand it and is useless if you don't have a clear security policy.
Distribution: Debian,Free BSD but Currently Using PCLinuxOS
Posts: 32
Original Poster
Hi,
What if I place a Linux machine for the employees to check their USB for viruses and then can use it for office work? Coz here viruses transferring through USB.
Why rely on employees using it?
Why not put AV on all the hosts?
Why not upgrade all work machines to linux? - problem solved.
Do employees need to use usb keys for work?
Like I said, sort out that security policy.
You know, one of the advantages of not getting paid for this is that I get to tell people what's good for them instead of what they want to hear. When I am getting paid, I charge double when a customer insists on ignoring good advice.
If this has got people worried, and you've been asked to come up with something... the best approach is to do a report on securing individual hosts... spell it out: they need firewall and AV on each computer. It must be kept updated. Cost it out.
Do the same analysis costing out free software solutions for the same thing.
As a footnote, point out that these systems were designed for a free OS. Suggest that a migration should be considered, especially in light of a near-term prospect of a very costly migration to Vista. (Only a few sentences - your main thrust is to get the network secure).
If this is just you as joe-worker... get linux on your own system. Every time something happens just smile and say: "what malware".
What if I place a Linux machine for the employees to check their USB for viruses and then can use it for office work? Coz here viruses transferring through USB.
Desktop Antivirus can be configured to SCAN the USB drive on access.. so if they plug it into their PC it gets scanned so it can not infect the workstation or the network.
I'm currently running Symantec Client Security 3.0 on my windows network and the cost for this centrally managed solution is about $23.00 PER PC FOR 1 YEAR. This solution is a centrally managed Antivirus/anti-malware/with managed Client Firewall.
Cleaning up one virus that spreads throughout the entire network would cost more than that in labor and lost productivity so Why would I bother chancing it ?
Bite the bullet and install desktop protection. If you are going to run Windows you have to play in the Windows security world and secure the workstations at the extra expense and be willing to accept the hit to your PC performance these solutions will cause.
Distribution: Debian,Free BSD but Currently Using PCLinuxOS
Posts: 32
Original Poster
OK, development is being done on PHP and MySQL, so which distro is good so can employee can also leave the XP on that distro's first glance, and what about that version controlling of that development environment. This software is being used cs-rcs. So in place of this which Linux version controlling can be used which to be easy for me.
Remember, a network cannot be "infected" by anything. (And the entire biological-metaphor is, altogether, completely misguided in reference to any form of silicon!)
Windows networks traditionally have serious problems because nearly all of their users run with administrative privileges: they can "do anything" with their machines, and therefore, so can any program that finds its way into their machine. You cannot reasonably stop "a program," or "a script," or a "what-have-you," from arriving on your computer. But you can strictly limit what it can do.
The very first thing to do is to make sure that every single user on your network is not an Administrator... even if that person's regular day-to-day job responsibilities are "administrative."
You, yes, even (and especially!) you, must not "routinely" run with Administrator privileges, no matter how "convenient" it might be for you.
The next thing you need to make sure of is ... backups. Windows has had a great backup-tool for centuries. So does OS/X (especially now!). So does Linux. USB or FireWire hard-drives are cheap. Backups can be totally automatic. It's easy.
When you do very-simple things, you can easily protect your network and its contents from the effects of rogue-programs. And that simple prudence is vastly easier than cleaning-up after the damage.
No matter what Mister Norton may tell you, you don't need their products and they don't make you "safer."
Uh huh... the first thing that I did to my latest Windows-XP box was to remove and disable all of Mister Norton's offerings. Zero problems since... and there never will be any. Yessir, of that I am quite sure.