LinuxQuestions.org


Amdx2_x64 10-21-2010 06:33 PM

So How often does everyone scan their Linux Computers and what do you use?
 
I was just curious how many times the average Linux desktop user at these forums checks their computer for viruses, rootkits, etc. I already know all the arguments about Linux being more secure, which is one reason why I use it. However I also believe that nothing is 100% and the worst things happen when you least expect them. The internet always has a habit of doing that.

I have several security measures in place. For example I am using Firefox with the add-ons: NoScript, Redirect Remover, Adblock Plus, Ghostery, BetterPrivacy. I also have a Router Firewall as well as using Firestarter.

What I run often, but not nearly as much as Windows scans, is ClamAV via ClamTK, Rkhunter, Chkrootkit.

So How often does everyone scan their Linux Computers and what do you use?

lostzinzthought 10-21-2010 07:29 PM

I actually don't scan my Linux boxes - I tend to reformat the drive and do a fresh install every half year or so on my Linux machines, so I don't scan them much.
If I keep an OS (any, not just Linux) on for over 6 months I'll run ClamAV on it from a SystemRescueCD.

Noway2 10-22-2010 04:45 AM

I don't typically 'scan' them for things in the same manner as you do a Windows machine. I just don't see the need. On my public facing machines (servers) I do run some security applications including network and host based intrusion detection and I do periodically audit the logs. I continuously watch for unusual activity and make note of any changes, such as updated applications or installed files. I watch when they were last accessed and by whom. I run virus scanning of all incoming and outgoing files that they process via email.

Hangdog42 10-22-2010 07:11 AM

I've got AIDE set up to scan nightly and I look at those emails daily. I also look at log files every few days. I only run the rootkit detectors if I think something is amiss. I've also got the internet facing servers locked down reasonably well. SSH is by key only and Apache is running mod_security. I only open up FTP when someone needs to send me a big file.

unixfool 10-22-2010 08:28 AM

I don't scan at all anymore.

Before, I used to scan using non-host-based tools, such as Nessus and Nikto.

I also use Snort to sniff my LAN traffic on my home network and colo machine. Network-based IDSs are passive in nature, though.

H_TeXMeX_H 10-22-2010 08:44 AM

A few times a year I scan with rkhunter and chkrootkit. Have not found anything yet.

Rarely I scan with clamav, and once it did find a trojan in some sites I had saved. I no longer save sites (of that type), but either way the trojan was inactive and could not work.

Peufelon 10-22-2010 09:00 PM

Don't Trust Vendors To Look Out For You
 
Amdx2_x64,

So nice to see someone who takes such minimal steps as using Firefox plus the add-ons you mentioned. I always clamscan any PDF I download; PDFs are one of the major malware vectors for websurfers, as is JavaScript, and some attacks do affect Linux boxes (or are platform independent), so these vectors DO impact Linux users. As you probably know. I also do some of the other things various posters mentioned, and more besides.

Little tip for those who use a recent Actiontek router: it seems that by default these all allow a user on your LAN to contact the router by http connection, and also allow anyone anywhere to contact it by telnet. Secure connections such as ssh or https are not supported. (Ugh!) You must use the web interface to disable the telnet interface and also to set a new password (and if the power to the router is interrupted, you'll probably need to do it again); otherwise by default your router will give up to anyone who asks the unique identifiers of the CPU in your router and the ethernet card of your computer! That is precisely the kind of personal information which Google recently got in trouble for snagging illegally using their StreetView vehicles. To say the least, Actiontek does not attempt to publicly reveal this to their customers. Unfortunately, this kind of careless (deceptive?) attitude seems to be common. Especially frustrating since ISPs seem to be able to get away with declaring that their users must use a particular brand of router in order to connect to the web.

Just one example of the kind of issue you have to look out for, on top of all the ones you've already heard about. Even if you are not running a server.

yancek 10-22-2010 10:36 PM

I've never used a virus scanner on my Linux machine but I've only been using it for 6 years. Never had a virus or any malware.

Amdx2_x64 10-25-2010 03:02 PM

Well I was just going to let this thread go. But since I learned a few things from it I wanted to say thanks for that.

nomb 10-25-2010 03:50 PM

I use nessus and nexpose to scan my boxes at a minimum of once a week.
I used to use aide for the hids but have switched over to osiris.
I use snort to monitor the network.
All boxes log to a central log server with all boxes using ntp.

Also have a few self made tools watching boxes and traffic.

nomb

OlRoy 10-25-2010 03:59 PM

Quote:

Originally Posted by yancek (Post 4136457)
I've never used a virus scanner on my Linux machine but I've only been using it for 6 years. Never had a virus or any malware.

"I've never had any blood work done. Never had any problems with cholesterol." ;) Not saying you need AV software... there is more to detecting malware than AV software, but I hope you've done some other form of monitoring to be sure you've never been compromised.

OlRoy 10-25-2010 04:00 PM

Quote:

Originally Posted by nomb (Post 4139030)
I use nessus and nexpose to scan my boxes at a minimum of once a week.
I used to use aide for the hids but have switched over to osiris.
I use snort to monitor the network.
All boxes log to a central log server with all boxes using ntp.

Also have a few self made tools watching boxes and traffic.

nomb

Sounds interesting... exactly what do your self made tools do?

nomb 10-25-2010 04:13 PM

Quote:

Originally Posted by OlRoy (Post 4139041)
Sounds interesting... exactly what do your self made tools do?

A bunch of different things. I have one that I kinda use as a swiss army knife. It is all plugin based and all the plugins can communicate and what not. So among other things it monitors the logs on my honeypots and when they get attacked it sends the IPs to all of my other boxes so they can drop all traffic from them. I have another that watches for failed ssh attempts and then after so many nats them to the ssh honeypot. I have another that watches traffic and compares IP and MAC to known good IP and MAC and alerts any changes or unknowns. Bunch of different stuff.

nomb
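The third tool nomb describes (comparing observed IP/MAC pairs against a known-good list and alerting on changes or unknowns) is easy to sketch. The following is an added example, not nomb's code: it parses text in the format of `ip -4 neigh show`, compares it against a hand-maintained baseline, and reports drift. The baseline and the sample neighbour table are constructed for this example.

```python
"""Check a neighbour table against a known-good IP -> MAC baseline.
Added example (not nomb's tool); parses `ip -4 neigh show` style lines."""
import re

# Trusted hosts on the LAN: IP -> MAC (constructed baseline for this example).
KNOWN_GOOD = {
    "192.168.1.1":  "00:11:22:33:44:55",   # gateway
    "192.168.1.10": "aa:bb:cc:dd:ee:01",   # file server
    "192.168.1.20": "aa:bb:cc:dd:ee:02",   # workstation
}

# Matches e.g. "192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE"
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dev \S+ lladdr (?P<mac>[0-9a-f:]{17})",
    re.IGNORECASE,
)

def parse_neigh(output):
    """Return {ip: mac} from neighbour-table text; entries with no lladdr
    (FAILED / INCOMPLETE) carry no MAC and are skipped."""
    table = {}
    for line in output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def compare(observed, baseline):
    """Return alerts as (kind, ip, detail): a known IP whose MAC changed
    (possible spoofing or swapped hardware) or an IP not in the baseline."""
    alerts = []
    for ip, mac in sorted(observed.items()):
        expected = baseline.get(ip)
        if expected is None:
            alerts.append(("unknown", ip, mac))
        elif expected.lower() != mac:
            alerts.append(("changed", ip, f"{expected} -> {mac}"))
    return alerts

# Constructed sample: the gateway's MAC has changed and an unknown host appeared.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:66 REACHABLE
192.168.1.10 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.20 dev eth0 lladdr AA:BB:CC:DD:EE:02 DELAY
192.168.1.77 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.99 dev eth0  FAILED
"""

if __name__ == "__main__":
    for kind, ip, detail in compare(parse_neigh(SAMPLE_NEIGH), KNOWN_GOOD):
        print(f"ALERT {kind}: {ip} {detail}")
```

On a live box you would feed it the output of `ip -4 neigh show` from cron and mail or log the alerts; a changed gateway MAC is the case worth paging on.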

OlRoy 10-25-2010 04:35 PM

Quote:

Originally Posted by nomb (Post 4139048)
A bunch of different things. I have one that I kinda use as a swiss army knife. It is all plugin based and all the plugins can communicate and what not. So among other things it monitors the logs on my honeypots and when they get attacked it sends the IPs to all of my other boxes so they can drop all traffic from them. I have another that watches for failed ssh attempts and then after so many nats them to the ssh honeypot. I have another that watches traffic and compares IP and MAC to known good IP and MAC and alerts any changes or unknowns. Bunch of different stuff.

nomb

I need to get back into honeypots... that sounds like fun. :)

nomb 10-25-2010 05:51 PM

Quote:

Originally Posted by OlRoy (Post 4139069)
I need to get back into honeypots... that sounds like fun. :)

It is. Good way to learn.
