Old 03-21-2014, 08:57 PM   #16
touch21st
Member
 
Registered: Nov 2013
Location: Australia
Distribution: Linux Mint, CentOS, Suse,Android, Slackware, FreeBSD,Kali
Posts: 79
Blog Entries: 1

Original Poster
Rep: Reputation: 0

http://it.slashdot.org/story/14/03/1...uxunix-servers
 
Old 03-21-2014, 09:09 PM   #17
touch21st
Member
 
Registered: Nov 2013
Location: Australia
Distribution: Linux Mint, CentOS, Suse,Android, Slackware, FreeBSD,Kali
Posts: 79
Blog Entries: 1

Original Poster
Rep: Reputation: 0

Quote:
Originally Posted by Gullible Jones:
Yes, Linux is as vulnerable as anything else.

Edit: BTW, for an example of AVs possibly being harmful sometimes, look around for a research paper by Tavis Ormandy called "Sophail".
backdoor or spyware in it?
 
Old 03-22-2014, 11:30 AM   #18
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,619
Blog Entries: 2

Rep: Reputation: 4076
Quote:
Originally Posted by touch21st:
The malware in this case is a trojan. While an AV software may have alerted the admin, it was the admin the first place that installed the malware. This is why you should only use software from trusted sources.
 
Old 03-25-2014, 04:58 PM   #19
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 400

Rep: Reputation: 113
Quote:
Originally Posted by touch21st:
See this topic about it: http://www.linuxquestions.org/questi...go-4175498662/

More to the point, that's a malware that targets mostly servers by hacking OpenSSH and spreading by hand (with stolen credentials from that hacked ssh)... Actually, the first method of getting that malware would be to use an already infected system in order to login to another (uninfected?) one.. An AV would probably just alert you (if it knows about that specific malware) and at the level it's deployed, it should be presumed that the owners of the system know how to keep it safe.. Basically, the infected systems are infected because "kids" try to play to big software and completely ignore their security documentation.. There is no AV against that..

Quote:
Originally Posted by Léveillé:
"We realise that wiping your server and starting again from scratch is tough medicine, but if hackers have stolen or cracked your administrator credentials and had remote access to your servers, you cannot take any risks," explains Léveillé. "Sadly, some of the victims we have been in touch with know that they are infected, but have done nothing to clean up their systems – potentially putting more internet users in the firing line."

Last edited by Smokey_justme; 03-25-2014 at 05:01 PM.
 
Old 03-25-2014, 05:05 PM   #20
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 3,390
Blog Entries: 1

Rep: Reputation: 1109
Quote:
Originally Posted by TobiSGD:
The malware in this case is a trojan. While an AV software may have alerted the admin, it was the admin the first place that installed the malware. This is why you should only use software from trusted sources.
Actually no (the admin did not install it)

From the article: "No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged."

http://www.welivesecurity.com/wp-con...on_windigo.pdf

They had root to the box,.. so,.. aide or some other intrusion detection would have worked. But not a virus scanner.

Last edited by szboardstretcher; 03-25-2014 at 05:06 PM.
 
Old 03-27-2014, 09:37 AM   #21
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,425

Rep: Reputation: 1159
"They had root to the box ..." There you go. A classical penetration technique second only to exploiting Plesk.

AV algorithms could be valuable ... perhaps, very valuable ... say in a document-storage application (or a blog) to detect suspicious content before it is disseminated for public use. However, it is both snake-oil and smoke to say that such tools are "necessary" or that they "protect you" from anything at all.
 
Old 03-27-2014, 09:49 AM   #22
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 3,390
Blog Entries: 1

Rep: Reputation: 1109
For world-facing services, I used a few different techniques that rely on occasionally taking prod servers out of the LB group, doing some remote MD5/CRC checking on files/directories and some secret stuff, that lets me know if anything has changed.

The new way of doing things is to have a server that boots off of a read only BLU-RAY drive, that then brings up images in our cluster once a day. So even if you do find a way to break in, within 12 hours I will be putting out a new VM with new keys and passwords. The gold image BLURAY is modified, updated and secured on a daily basis according to security standards and alerts, in a sterile no-internet environment.

And of course the hourly AIDE checks, Firewalls, IDP appliances, and network monitoring help as well.
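A small file-integrity check in the spirit of the AIDE runs and the remote MD5/CRC comparisons mentioned in posts #20 and #22. This is an added example, not code from the thread or from AIDE: it baselines a directory tree into a manifest (which, as the read-only Blu-ray setup above implies, must be stored where an intruder with root cannot rewrite it) and then reports what was added, removed or changed. The tree, file names and contents are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each regular file under root to [sha256, mode, size].

    SHA-256 rather than MD5/CRC: an intruder who already has root can craft
    MD5 collisions, so a weak hash only catches accidental change."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # symlinks and directories are not hashed here
        st = path.lstat()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest[path.relative_to(root).as_posix()] = [digest, st.st_mode, st.st_size]
    return manifest


def compare_manifests(baseline, current):
    """Return the paths added, removed and modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed example: baseline a tree, change it, report the difference."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "sshd").write_bytes(b"placeholder binary")
    (root / "etc").mkdir()
    (root / "etc" / "old.conf").write_text("Port 22\n")
    (root / "etc" / "keep.conf").write_text("PermitRootLogin no\n")
    # Round-trip through JSON as if the baseline were read back from off-box storage
    baseline = json.loads(json.dumps(build_manifest(root)))
    # Changes of the kind a compromise leaves behind: one binary replaced,
    # one config removed, one new script dropped in
    (root / "bin" / "sshd").write_bytes(b"placeholder binary, replaced")
    (root / "etc" / "old.conf").unlink()
    (root / "etc" / "new.sh").write_text("#!/bin/sh\n")
    return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```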
 
Old 03-27-2014, 10:14 PM   #23
touch21st
Member
 
Registered: Nov 2013
Location: Australia
Distribution: Linux Mint, CentOS, Suse,Android, Slackware, FreeBSD,Kali
Posts: 79
Blog Entries: 1

Original Poster
Rep: Reputation: 0

Quote:
Originally Posted by szboardstretcher:
For world-facing services, I used a few different techniques that rely on occasionally taking prod servers out of the LB group, doing some remote MD5/CRC checking on files/directories and some secret stuff, that lets me know if anything has changed.

The new way of doing things is to have a server that boots off of a read only BLU-RAY drive, that then brings up images in our cluster once a day. So even if you do find a way to break in, within 12 hours I will be putting out a new VM with new keys and passwords. The gold image BLURAY is modified, updated and secured on a daily basis according to security standards and alerts, in a sterile no-internet environment.

And of course the hourly AIDE checks, Firewalls, IDP appliances, and network monitoring help as well.
and rootkit hunter's wonderful
 
Old 03-28-2014, 11:11 AM   #24
abefroman
Senior Member
 
Registered: Feb 2004
Location: Chicago
Distribution: CentOS
Posts: 1,277

Rep: Reputation: 53
AVG
 
Old 04-16-2014, 08:54 AM   #25
touch21st
Member
 
Registered: Nov 2013
Location: Australia
Distribution: Linux Mint, CentOS, Suse,Android, Slackware, FreeBSD,Kali
Posts: 79
Blog Entries: 1

Original Poster
Rep: Reputation: 0
What do you think of Dr. Web?
 
Old 04-16-2014, 10:03 PM   #26
ReaperX7
Senior Member
 
Registered: Jul 2011
Location: California
Distribution: LFS-7.6, Slackware 14.1, FreeBSD 10.1
Posts: 3,676
Blog Entries: 15

Rep: Reputation: 1139
I run ClamAV with ClamTk as my main solution with cronjobs at targeted intervals. I also have RkHunter set up equally as a supplement.

I have used BitDefender before. It's nice, but I like ClamAV's daemon modes and background scanners better.

It would be nice if GNU/Linux got On-Access/Execution scanning via ClamAV. That way it could scan binaries, libraries, and configuration files and scripts upon access and execution. I might be mistaken, but BitDefender might have this now for Gnome, Xfce, and KDE desktops via a plugin now in the latest versions, or it's just a plugin to allow alt-click scanning options for files.

GNU/Linux and *BSD are starting to become targets of malware and other bad software. It would be nice to gain a solid foothold in protection before they do.

Last edited by ReaperX7; 04-16-2014 at 10:06 PM.
 
Old 04-29-2014, 08:15 AM   #27
touch21st
Member
 
Registered: Nov 2013
Location: Australia
Distribution: Linux Mint, CentOS, Suse,Android, Slackware, FreeBSD,Kali
Posts: 79
Blog Entries: 1

Original Poster
Rep: Reputation: 0

Quote:
Originally Posted by ReaperX7:
I run ClamAV with ClamTk as my main solution with cronjobs at targeted intervals. I also have RkHunter set up equally as a supplement.

I have used BitDefender before. It's nice, but I like ClamAV's daemon modes and background scanners better.

It would be nice if GNU/Linux got On-Access/Execution scanning via ClamAV. That way it could scan binaries, libraries, and configuration files and scripts upon access and execution. I might be mistaken, but BitDefender might have this now for Gnome, Xfce, and KDE desktops via a plugin now in the latest versions, or it's just a plugin to allow alt-click scanning options for files.

GNU/Linux and *BSD are starting to become targets of malware and other bad software. It would be nice to gain a solid foothold in protection before they do.
Is ClamAV good enough for desktop users?
 
Old 04-29-2014, 08:30 AM   #28
wstewart90
Member
 
Registered: May 2013
Distribution: Arch Linux
Posts: 79

Rep: Reputation: Disabled
I use a combination of Linux and trusted packages from the Arch repository as my anti-virus. If I happen to be running Windows then it's AVG.
 
Old 04-29-2014, 10:25 AM   #29
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 400

Rep: Reputation: 113
Ok, let me try to exemplify what security in the Linux world is focused on vs. security in other OSs.

Here's a current MS Internet Explorer bug: https://technet.microsoft.com/en-us/...y/2963983.aspx
Basically, it's a common memory overflow bug with very bad consequences that pretty much allows a remote web site to execute code on your computer... This is a common thing amongst browsers or even important services (in one way or the other, with different levels of severity).. In Windows, the end-user (and sometimes even the professional) is battered with third-party security products that normally intervene after the system was compromised, if known malicious code was put in there..
Actually, because in Windows most of the systems are using a day-to-day Administrator account, that penetration can have huge consequences on the whole system and maybe the whole network.. Thus making complicated heuristic-based AVs or other security tools an important must-have in order to limit such an invasion...

On the other hand, on Linux systems, people use normal accounts.. The whole security concept is started and based on a proactive and protective approach..
Important services that are actually started by root only bind ports and drop the privileges themselves.. And the system is built in such a way that normal accounts can't install dangerous stuff like keyloggers, even if they wanted to, without proper permissions.
There is also a limited amount of power a process has to "hide" itself.. This basically means an AV solution will only provide redundancy for a limited number of possible infections.. It also means that, on a normal desktop system, if the AV catches some infection it's almost always possible to fix the system live and the malicious code is almost always contained.. On the other hand, Linux has by default many services, and a lot of the security talk has to do with configuring those services.. All infections I've seen until now are due to misconfigurations.. Unfortunately, AVs aren't really useful in that situation..

Please keep in mind that I'm not saying similar proactive security measures can't be taken in Windows.. I'm just saying that, coming from an OS in which AV tools have such a big influence because the imposed security model of the OS has such big flaws, it can be hard to understand why AVs in Linux are implemented and mostly used in way different setups than normal, day-to-day desktops..
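An added example (not from the post above or from any particular daemon) of the pattern it describes: a service started as root binds its port, then permanently drops to an unprivileged account and checks that it cannot get root back. The account name `nobody` and port 80 are assumptions for the demo.

```python
import os
import pwd
import socket


def running_as_root():
    return os.geteuid() == 0


def bind_port(port, addr="0.0.0.0"):
    """Bind a listening socket; ports below 1024 need root (or CAP_NET_BIND_SERVICE)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((addr, port))
    sock.listen(16)
    return sock


def drop_privileges(username="nobody"):
    """Permanently switch to an unprivileged account.

    Order matters: supplementary groups first, then gid, then uid. Done the
    other way round, the gid change fails because we are no longer root.
    setuid() (not seteuid()) is used so the change cannot be undone."""
    pw = pwd.getpwnam(username)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    os.umask(0o077)
    return os.getuid(), os.getgid()


def cannot_regain_root():
    """True when the process can no longer become root. A daemon should run
    this right after dropping so that a bug in the drop fails loudly."""
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    if not running_as_root():
        raise SystemExit("run as root to see the full demo: bind :80, then drop to nobody")
    listener = bind_port(80)  # assumed free for the demo
    print("bound as root; now running as uid/gid", drop_privileges())
    print("root can no longer be regained:", cannot_regain_root())
    listener.close()
```

Run as an ordinary user, the script refuses to start, which is the same failure a service should raise if it is launched without the rights it needs to bind.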
 
Old 04-29-2014, 03:07 PM   #30
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,619
Blog Entries: 2

Rep: Reputation: 4076
Quote:
Originally Posted by Smokey_justme:
Actually, because in Windows, most of the systems are using a day-to-day Administrator account, that penetration can have huge consequences on the whole system and maybe the whole network..
This isn't true anymore for Windows versions newer than XP.
 