LinuxQuestions.org

Slackware forum: Virus, worms, etc. in Slackware. (https://www.linuxquestions.org/questions/slackware-14/virus-worms-etc-in-slackware-555226/)

cwizardone 05-19-2007 04:10 PM

Virus, worms, etc. in Slackware.
 
First, I'm running Slackware 11, kernel 2.6.18.
It seems that almost every time I make the DSL connection from within XP, Norton's pops up and tells me it has blocked a Worm intrusion.
What protection do I have as a Slackware Linux user from worms, viruses, keyloggers, etc., etc.?
I have Clam set up to scan my e-mail, but is there anything available similar to Norton's for Linux, or is it necessary?
Thanks.

Alien_Hominid 05-19-2007 04:21 PM

If you don't run as root all the time, it isn't necessary. You can also use clamav to scan directories for the safety of users and set up the firewall.

H_TeXMeX_H 05-19-2007 04:47 PM

"worms, virus, keyloggers, etc., etc." are designed to run on Window$. They will (in general 99.999 % of the time) not run on Linux or BSD or UNIX or Mac, much like a '.exe' will not run on your Linux machine (except under wine). The very few that can affect you are usually blocked by a firewall. You should note that the only purpose of clamav is to secure Window$ machines on any network you might be on, from perhaps getting a virus from you unknowingly. The virus would not affect your system, but when it passes onto a Window$ machine it begins incubation and wreaks havoc ... muhahahahah :)

Mara 05-19-2007 04:52 PM

Under Linux you should have a firewall set up and probably also something to check system integrity.

H_TeXMeX_H 05-19-2007 05:00 PM

For the firewall I recommend:
Alien Bob's easy firewall generator

That'll stop most attacks. You can customize it further if you want. Of course, a firewall has more to do with hackers / crackers than viruses or malware.

Alien_Hominid 05-19-2007 05:15 PM

One thing you should be aware of is rootkits. There are chkrootkit and rkhunter, which can protect your system.

H_TeXMeX_H 05-19-2007 05:47 PM

Yeah, that's useful too. Remember after installing rkhunter to run 'rkhunter --update' then do 'rkhunter -c' to check all or whatever else you might want.

Fosforo 05-19-2007 06:46 PM

Some survey taken in 2005 said that there were fewer than 100 true viruses for Linux, as compared to the 70,000 for Windoze, so you don't have to worry about those too much in Linux. It would still be a good idea to follow the advice of the others though :)

H_TeXMeX_H 05-25-2007 11:10 PM

Ahh ... and one more, where you can zap those pesky viruses manually :) ... the hard way ;)
http://www.parallelrealities.co.uk/virusKiller.php

unixfool 05-25-2007 11:22 PM

Quote:

Originally Posted by Fosforo
Some survey taken in 2005 said that there were fewer than 100 true viruses for Linux, as compared to the 70,000 for Windoze, so you don't have to worry about those too much in Linux. It would still be a good idea to follow the advice of the others though :)

Things in 2007 are quite a bit different than 2005. You'd be surprised what has developed the last two years, malware-wise. There may have been less than 100 viruses out there, but there were tons of exploits that targeted faulty/buggy software. I'd say that he still has to worry, if for nothing more than protecting himself from himself (ever expose port 22 to the internet and then peruse your auth logs maybe a week later?).

arcanex 05-26-2007 01:34 AM

Forget antivirus or firewall programs. Just protect the root account.

If you can prevent malware from running as root, you can prevent any permanent damage to your system. It's your last line of defense, but it's a very strong one if you know what you're doing.

Conversely, if your root account is compromised, then it's game over. So keeping in total control of the root account, and programs that run with root privileges, should be your top priority if you're really serious about security.

Familiarize yourself with your system's "baseline" by checking 'ps -e u' and 'netstat -ap' often, and you should be able to spot when something is fishy.

Realize that the most common way Linux boxes get hacked is through weak user passwords and SSH.

True story: I once stupidly created a 'test' user (username: test, password: test) and within an hour, those random SSH logins you probably see on your logfiles actually got through this time and my computer started running a daemon that tries to propagate more random SSH logins as part of a botnet.

But since this was not a root user, eliminating it was trivial. Just delete the 'test' user, its home directory, kill all processes it owns and make sure it owns no other files elsewhere in the system. ('find -uid 555 /')

As a precaution, I changed the root password anyway, just in case they were able to rip passwords from my system during the time they were able to run their program on my system (I don't think they did, since I didn't change my user password and I haven't been hacked yet =).

The main lesson is, as long as you can protect your root access, you can protect your system. If not, then forget about it.
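The SSH guessing that unixfool and arcanex both describe leaves a trail in the auth log. This is an added example, not code from either poster: it runs over constructed sshd log lines, counts failed passwords per source address, and flags a source that failed repeatedly and then got an "Accepted" login, which is the 'test'/'test' story above.

```shell
#!/bin/sh
# Constructed sample sshd lines in syslog format (not taken from the thread).
SAMPLE_LOG='May 26 01:02:03 slack sshd[1234]: Failed password for invalid user test from 192.0.2.10 port 4321 ssh2
May 26 01:02:05 slack sshd[1235]: Failed password for root from 192.0.2.10 port 4322 ssh2
May 26 01:02:06 slack sshd[1238]: Failed password for invalid user test from 192.0.2.10 port 4323 ssh2
May 26 01:02:07 slack sshd[1237]: Failed password for invalid user oracle from 203.0.113.5 port 4400 ssh2
May 26 01:02:09 slack sshd[1236]: Accepted password for test from 192.0.2.10 port 4330 ssh2
May 26 01:03:00 slack sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 5000 ssh2
May 26 01:03:02 slack sshd[1241]: Failed password for invalid user admin from 198.51.100.7 port 5001 ssh2'

# Count "Failed password" events per source address, busiest first.
# Reads log lines on stdin and prints "<count> <ip>" per line.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print "<ip> <user>" for every source that failed at least MIN times
# (default 2) and then produced an "Accepted" login: a guessed password.
guessed_logins() {
    min=${1:-2}
    awk -v min="$min" '/sshd\[[0-9]+\]: (Failed|Accepted) password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
             if ($0 ~ /Failed password/) { fails[ip]++; next }
             if (fails[ip] >= min) {
                 for (i = 1; i <= NF; i++) if ($i == "for") user = $(i+1)
                 print ip, user
             }
         }'
}

# Run both checks over the sample; on a real box feed /var/log/auth.log
# or /var/log/messages instead of $SAMPLE_LOG.
printf '%s\n' "$SAMPLE_LOG" | failed_by_source
printf '%s\n' "$SAMPLE_LOG" | guessed_logins 2
```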

unixfool 05-26-2007 11:01 AM

Quote:

Originally Posted by arcanex
Forget antivirus or firewall programs. Just protect the root account.

I'd protect ALL accounts.

If someone from the outside successfully gains access to the system by compromising a non-root account, they've still gotten into the system. Once that happens, there are local exploits that could then be used to gain access to the root account (or any account that has escalated privileges). A person following "the path of least resistance" can get in via someone's account, then keep attacking accounts and services locally until he has the privileges he needs/wants to do serious damage.

Worms and viruses are usually a lot dumber than the average human being that has the desire and know-how to get what he/she wants. A worm may get into a non-root account then just sit there because it doesn't have the privileges to follow a pre-determined path. Humans can get into a non-root account and then be able to move around the system and find/do what they want.

shadowdancer 05-26-2007 11:31 AM

Thank you.. thank you..

Especially to arcanex. I learned new important commands here:
'ps -e -u' I usually just do ps -A | grep something
'netstat -ap' I usually do netstat -an
'find -uid 555 /' this is completely new to me. Is that 555 the same as in 'chmod 755'?
And can I find files using the name of the user 'test' instead of a number?

thank you very much...
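On the question just above: the 555 in 'find -uid 555' is a numeric user id and has nothing to do with the 755 permission bits of chmod; find also takes '-user test' by name, and the start path goes before the expression ('find / -uid 555'). The following is an added example, not any poster's code, wrapping the cleanup steps arcanex listed: files and processes still owned by the account, and files left with an orphaned uid after the account is deleted. demo() exercises it on a scratch directory as the current user.

```shell
#!/bin/sh
# Resolve a user name to its numeric uid; a bare number passes through.
uid_of() {
    case $1 in
        *[!0-9]*) id -u "$1" ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# List files under START (default /) owned by the given user name or uid.
# -xdev keeps the walk on one filesystem; errors on unreadable dirs are hidden.
files_owned_by() {
    uid=$(uid_of "$1") || return 1
    find "${2:-/}" -xdev -uid "$uid" 2>/dev/null
}

# After 'userdel', anything the account owned still carries its old uid;
# -nouser matches files whose uid no longer exists in /etc/passwd.
orphaned_files() {
    find "${1:-/}" -xdev -nouser 2>/dev/null
}

# Process ids owned by the user: kill these before removing the account,
# otherwise the daemon arcanex described keeps running after userdel.
procs_owned_by() {
    ps -u "$1" -o pid= 2>/dev/null
}

# Demonstration on a scratch directory: counts the directory plus two files.
demo() {
    tmp=$(mktemp -d) || return 1
    touch "$tmp/a" "$tmp/b"
    files_owned_by "$(id -un)" "$tmp" | wc -l | tr -d ' '
    rm -rf "$tmp"
}
demo
```

On a real cleanup run files_owned_by and procs_owned_by before 'userdel test', then orphaned_files afterwards to catch anything missed.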

grimlaur 05-26-2007 11:35 AM

I have to say that as a newbie I ask the same questions about security myself.
The last two comments I have read (by arcanex and unixfool) have to be some of the most intelligent, impactful writings I have seen to date on this site. That is good advice for all.

hitest 05-26-2007 11:52 AM

I currently use rkhunter and chkrootkit to scan for hacking attempts. Does anyone have another security utility that they employ? Just curious :-)
