LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-28-2006, 08:59 PM   #1
MBA Whore
Member
 
Registered: May 2006
Location: Kansas City, MO
Distribution: Various: pclos, Debian, Ubuntu, etc . . .
Posts: 649

Rep: Reputation: 30
Question Linux Keyloggers -- How to defend ?


How do you defend yourself against Linux keyloggers? I do occassionaly see something in Synaptic that supposedly protects you from Linux keyloggers, but I really don't know how trustworthy they are.

Your thoughts, opinions, etc on good anti-keylogger programs (and practices) would be greatly appreciated.

FYI: I use a Debian based distro known as "MEPIS."

Thanks!
 
Old 10-29-2006, 01:34 AM   #2
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198Reputation: 198
Something like this: http://gentoo-wiki.com/Keylogger ?

... as with all spyware, what you can do depends on how it operates and where you are and so on. Hardware keyloggers, for eg, are unlikely to be detected by software.

However, like all malware, it is difficult to infect your own computer without your permission.

Simply not using the keyboard (for sensitive typing like passwords) would be effective where you are sure you are being logged. OR, use a live distro - so you have your own RO operating system.

Of course, you can completely remove all spyware by completely reinstalling the OS

So what are the circumstances, and how paranoid are you?
 
Old 10-29-2006, 07:42 AM   #3
dalek
Senior Member
 
Registered: Jul 2003
Location: Mississippi USA
Distribution: Gentoo
Posts: 2,058
Blog Entries: 2

Rep: Reputation: 79
The key thing is preventing it from being installed to begin with. If you watch what is going on it should not install anything without your knowledge. Watch the sources where you get programs and such and you should be safe. Example, if you are going to install a Mozilla extension, make sure you have gone to the Mozilla site to get it.

 
Old 10-29-2006, 07:24 PM   #4
MBA Whore
Member
 
Registered: May 2006
Location: Kansas City, MO
Distribution: Various: pclos, Debian, Ubuntu, etc . . .
Posts: 649

Original Poster
Rep: Reputation: 30
No specific situation....just looking for

Quote:
Originally Posted by Simon Bridge
So what are the circumstances, and how paranoid are you?
No specific situation....just looking for information on what is out there. I know in Windows keyloggers are a big deal, so I figured it wouldn't hurt to check the issue in Linux.

I can't think of any "dumb" behavior I do online...I try to be careful regardless of my OS / Web Browser. Still, I would like some programs for Linux that I can occassionally run to check for known keyloggers. Everyone makes mistakes....catching and correcting them is what is important.

Anyone reading this can reply. Thanks again!
 
Old 10-30-2006, 12:07 AM   #5
dalek
Senior Member
 
Registered: Jul 2003
Location: Mississippi USA
Distribution: Gentoo
Posts: 2,058
Blog Entries: 2

Rep: Reputation: 79
Keep in mind that windoze can/somtimes will install software without you knowing it is doing it. Also keep in mind that most things you install are precompiled so you really have no idea what is in the program. Admittedly most Linux distros are precompiled to but you can go look at the source code for it, windoze is closed source. There are also a LOT of volunteers that participate in the process of making say Mandriva. If someone was putting a keylogger in there, it wouldn't be secret for very long. Linspire may be different. I'm not sure what they do with their code. I have not looked into that one.

As long as you are not installing stuff from unknown sources you should be fine. Linux is a lot more secure than windoze can even dream of, unless you unhook the windoze box from the net and disable CD and floppy drives.

If you have a constant connection like cable modem, make sure you have really good passwords, especially root, and check to make sure someone is not hacking in and installing a rootkit. Other than that, I wouldn't worry to much.

 
Old 11-01-2006, 07:44 PM   #6
MBA Whore
Member
 
Registered: May 2006
Location: Kansas City, MO
Distribution: Various: pclos, Debian, Ubuntu, etc . . .
Posts: 649

Original Poster
Rep: Reputation: 30
How do

Quote:
Originally Posted by dalek
check to make sure someone is not hacking in and installing a rootkit.
How do you do that?
 
Old 11-01-2006, 09:14 PM   #7
dalek
Senior Member
 
Registered: Jul 2003
Location: Mississippi USA
Distribution: Gentoo
Posts: 2,058
Blog Entries: 2

Rep: Reputation: 79
Quote:
Originally Posted by MBA Whore
How do you do that?

Install chkrootkit.

http://www.chkrootkit.org/

 
Old 11-02-2006, 07:47 PM   #8
MBA Whore
Member
 
Registered: May 2006
Location: Kansas City, MO
Distribution: Various: pclos, Debian, Ubuntu, etc . . .
Posts: 649

Original Poster
Rep: Reputation: 30
Is a rootkit

Quote:
Originally Posted by dalek
Install chkrootkit.

http://www.chkrootkit.org/


Is a rootkit the same as a keylogger? If not, would "chkrootkit" find both rootkits and keyloggers?

Thanks for the link. . .I'm looking it over.
 
Old 11-02-2006, 08:28 PM   #9
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
In general any command or process that accepts keystrokes from you could log those keystrokes. Generally that wouldn't be such a big deal, say if you were doing ls and the ls command had been modified to log your command arguments. In some cases it is a big deal, such as when you type in a password or passphrase. A very old example of this is in the ancient days of UNIX a user would complain to the admin that there was a problem with their account, and could they please come over to the terminal and check it out?

What would happen is that the admin would physically walk over to the user's terminal, poke around a bit, and find something with messed up permissions or some other problem that required root to fix. Then the admin would type su root and enter root's password, thinking it was safe because the input is hidden. What they didn't know is that the user had created their own script to call su and tucked it in the bin directory, or created an alias to it. The admin would type their root password, the fake "su" would record it to a file, then it would call the "real" su with the password, which would succeed and admin now has root as if everything worked properly. Another variation is dropping fake versions of passwd at various public places on the file system hoping the admin would be in that directory when they typed passwd since root's .profile usually included "." in the path.

Any way, those are some examples of simple tricks that can read input. Now days it's more likely that a LKM (loadable kernel module) would hook the input, and the most common way for that to happen would be a rootkit, hence why protecting against rootkits can give you some defense against keystroke loggers.
 
Old 11-04-2006, 09:05 PM   #10
MBA Whore
Member
 
Registered: May 2006
Location: Kansas City, MO
Distribution: Various: pclos, Debian, Ubuntu, etc . . .
Posts: 649

Original Poster
Rep: Reputation: 30
Wow....just...

Quote:
Originally Posted by chort
In general any command or process that accepts keystrokes from you could log those keystrokes. Generally that wouldn't be such a big deal, say if you were doing ls and the ls command had been modified to log your command arguments. In some cases it is a big deal, such as when you type in a password or passphrase. A very old example of this is in the ancient days of UNIX a user would complain to the admin that there was a problem with their account, and could they please come over to the terminal and check it out?

What would happen is that the admin would physically walk over to the user's terminal, poke around a bit, and find something with messed up permissions or some other problem that required root to fix. Then the admin would type su root and enter root's password, thinking it was safe because the input is hidden. What they didn't know is that the user had created their own script to call su and tucked it in the bin directory, or created an alias to it. The admin would type their root password, the fake "su" would record it to a file, then it would call the "real" su with the password, which would succeed and admin now has root as if everything worked properly. Another variation is dropping fake versions of passwd at various public places on the file system hoping the admin would be in that directory when they typed passwd since root's .profile usually included "." in the path.

Any way, those are some examples of simple tricks that can read input. Now days it's more likely that a LKM (loadable kernel module) would hook the input, and the most common way for that to happen would be a rootkit, hence why protecting against rootkits can give you some defense against keystroke loggers.

Wow....just wow....I had no idea it could be that complicated.

Regarding your example: a "normal" user could create some script that would essentially record the root password if it is typed in. Then, the normal user could have the root password. Then the normal user could do as he pleases.

Is that correct?

How can you protect yourself from something like that?

Would rootkit searchers / key logger searchers still help? Or would you need to do something that prevents the normal user from creating script (Would that even be possible???) in the first place?

Do you recommend any particular rootkit / key logger searchers?

Thanks for the insight. The more I learn, the more it seems like Linux can be manipulated into something unsafe just like Windows can be manipulated.
 
Old 11-05-2006, 01:45 AM   #11
argh2xxx
LQ Newbie
 
Registered: Nov 2006
Posts: 18

Rep: Reputation: 0
No matter what OS, if a user lacks knowledge on handle one, then he/she tends to get hack.
 
Old 11-05-2006, 12:47 PM   #12
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116Reputation: 116
Quote:
Originally Posted by MBA Whore
Wow....just wow....I had no idea it could be that complicated.

Regarding your example: a "normal" user could create some script that would essentially record the root password if it is typed in. Then, the normal user could have the root password. Then the normal user could do as he pleases.

Is that correct?

How can you protect yourself from something like that?

Would rootkit searchers / key logger searchers still help? Or would you need to do something that prevents the normal user from creating script (Would that even be possible???) in the first place?

Do you recommend any particular rootkit / key logger searchers?

Thanks for the insight. The more I learn, the more it seems like Linux can be manipulated into something unsafe just like Windows can be manipulated.
The way that you would secure against this particular problem is fairly straightforward. First, the system administrator would set up a path for all users that does not include the current directory. Thus, no user can execute a program or script by just typing the name (unless that name is found in a directory that IS in the path); he has to type ./thename or /thedirectorypath/thename in order to execute something.

Second, the system should be secured so that no user except root has write access to any directory that IS in the path. Thus no one but root can put a file into /usr/ /bin/ /usr/bin/ /usr/local/bin/ and so forth.

Third, users should not be allowed to set the path, and users should have no authority to change permissions on anything that is not in their home directory.

This will stop the problem described here.
 
Old 11-05-2006, 05:51 PM   #13
MBA Whore
Member
 
Registered: May 2006
Location: Kansas City, MO
Distribution: Various: pclos, Debian, Ubuntu, etc . . .
Posts: 649

Original Poster
Rep: Reputation: 30
Sorry to nag again.....

Quote:
Originally Posted by jiml8
The way that you would secure against this particular problem is fairly straightforward. First, the system administrator would set up a path for all users that does not include the current directory. Thus, no user can execute a program or script by just typing the name (unless that name is found in a directory that IS in the path); he has to type ./thename or /thedirectorypath/thename in order to execute something.

Second, the system should be secured so that no user except root has write access to any directory that IS in the path. Thus no one but root can put a file into /usr/ /bin/ /usr/bin/ /usr/local/bin/ and so forth.

Third, users should not be allowed to set the path, and users should have no authority to change permissions on anything that is not in their home directory.

This will stop the problem described here.

jiml8 (and anyone else reading):

Sorry to nag again, but could you possibly help me out here? I noticed you listed three (3) steps. Would I have to follow each step, or would I be ok if I only follow one (1) or two (2) of them?

Here is my current set up. How safe am I?

I have two (2) user accounts. Only root and the individual user can change individual account permissions. Each account has full read / write access to whatever content is in its own home directory.

More account details:

Account #1 is my main account with private info and mp3s, but I do not use that account very frequently. Account #2 is for "everyday" use. Account #2 has read only access to the mp3s on Account #1. However, Account #2 can not read, write or even view the private info I have in Account #1.

Am I safe from the original problem we discussed or could I do more?

Thanks!
 
Old 11-06-2006, 02:54 PM   #14
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
The best way to avoid being tricked into running a local copy of a system command is to never su to root from anyone else's account. There are other ways to accomplish that trick besides having the fake program in the current directory. Many distributions of Linux include ~/bin in the path, so a user could put the fake su command in their ~/bin directory so it would work even though . isn't in the path. Another way is to use the shell alias, or function capabilities to override the default behavior. You can defeat those by using the "builtin" directive to get the "real" version of a command, but that is an aweful lot to remember. It's much more difficult to remember all the things you must do to avoid being tricked than it is to remember: don't su when you're logged in as someone else.

If you are on a system that is owned by you (as in possessed, not as in hacked) and contains only accounts for yourself, then you're pretty safe from stupid user tricks like I described. All you really have to watch out for in that case is falling victim to a rootkit that would install an LKM that hooks keyboard input. As described by others, there are utilities that will check for such rootkits. The real goal is to not provide an opportunity for a rootkit to be installed on your system in the first place, which means keeping up to date with security patches (yes, Linux needs these too, not just Windows), turning off any network services that you don't need (do you need IPP, or ftpd, or httpd, etc?), and making sure your firewall is enabled and has a tight default-deny configuration. Also, do not open any files or install any software that you are not sure comes from a safe & trusted source.
 
Old 11-06-2006, 06:12 PM   #15
MBA Whore
Member
 
Registered: May 2006
Location: Kansas City, MO
Distribution: Various: pclos, Debian, Ubuntu, etc . . .
Posts: 649

Original Poster
Rep: Reputation: 30
If I do not su while in

Quote:
Originally Posted by chort
In general any command or process that accepts keystrokes from you could log those keystrokes. Generally that wouldn't be such a big deal, say if you were doing ls and the ls command had been modified to log your command arguments. In some cases it is a big deal, such as when you type in a password or passphrase. A very old example of this is in the ancient days of UNIX a user would complain to the admin that there was a problem with their account, and could they please come over to the terminal and check it out?

What would happen is that the admin would physically walk over to the user's terminal, poke around a bit, and find something with messed up permissions or some other problem that required root to fix. Then the admin would type su root and enter root's password, thinking it was safe because the input is hidden. What they didn't know is that the user had created their own script to call su and tucked it in the bin directory, or created an alias to it. The admin would type their root password, the fake "su" would record it to a file, then it would call the "real" su with the password, which would succeed and admin now has root as if everything worked properly. Another variation is dropping fake versions of passwd at various public places on the file system hoping the admin would be in that directory when they typed passwd since root's .profile usually included "." in the path.

Any way, those are some examples of simple tricks that can read input. Now days it's more likely that a LKM (loadable kernel module) would hook the input, and the most common way for that to happen would be a rootkit, hence why protecting against rootkits can give you some defense against keystroke loggers.
chort:

Based upon some of your other posts, I gather that I could prevent this from happening if I do not su into root while in someone else's account.

Would that be a correct, though admittedly simplified, version of what you said (sorry, I'm not very tech smart)?

I am the only one who uses my computer, but I want to set it up as if multiple people used it, because I figured that "learning by doing" would be the best way to learn.

Thanks again for all your input!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Rotate passwords to avoid keyloggers in workplace jago25_98 Linux - Security 12 05-24-2009 05:06 PM
LXer: Free Software Advocates Defend GPLv3 LXer Syndicated Linux News 0 08-04-2006 06:54 AM
Keyloggers installed on all new laptops! DaBlade General 11 10-06-2005 02:06 PM
spyware, keyloggers and wine mifan Linux - Software 6 08-19-2005 07:48 AM
Keyloggers and spywares crazy diamond General 4 10-07-2004 11:03 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:00 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration