LinuxQuestions.org

Linux - Security: So How often does everyone scan their Linux Computers and what do you use? (https://www.linuxquestions.org/questions/linux-security-4/so-how-often-does-everyone-scan-their-linux-computers-and-what-do-you-use-839646/)

Amdx2_x64 10-21-2010 06:33 PM

So How often does everyone scan their Linux Computers and what do you use?
 
I was just curious how many times the average Linux desktop user at these forums checks their computer for viruses, rootkits, etc. I already know all the arguments about Linux being more secure, which is one reason why I use it. However, I also believe that nothing is 100% and the worst things happen when you least expect them. The internet always has a habit of doing that.

I have several security measures in place. For example I am using Firefox with the add-ons: NoScript, Redirect Remover, Adblock Plus, Ghostery, BetterPrivacy. I also have a Router Firewall as well as using Firestarter.

What I run often, but not nearly as much as Windows scans, is ClamAV via ClamTK, Rkhunter, Chkrootkit.

So How often does everyone scan their Linux Computers and what do you use?

lostzinzthought 10-21-2010 07:29 PM

I actually don't scan my Linux boxes - I tend to reformat the drive and do a fresh install every half year or so on my Linux machines, so I don't scan them much.
If I keep an OS (any, not just Linux) on for over 6 months I'll run ClamAV on it from a SystemRescueCD.

Noway2 10-22-2010 04:45 AM

I don't typically 'scan' them for things in the same manner as you do a Windows machine. I just don't see the need. On my public facing machines (servers) I do run some security applications including network and host based intrusion detection and I do periodically audit the logs. I continuously watch for unusual activity and make note of any changes, such as updated applications or installed files. I watch when they were last accessed and by whom. I run virus scanning of all incoming and outgoing files that they process via email.

Hangdog42 10-22-2010 07:11 AM

I've got AIDE set up to scan nightly and I look at those emails daily. I also look at log files every few days. I only run the rootkit detectors if I think something is amiss. I've also got the internet facing servers locked down reasonably well. SSH is by key only and Apache is running mod_security. I only open up FTP when someone needs to send me a big file.

unixfool 10-22-2010 08:28 AM

I don't scan at all anymore.

Before, I used to scan using non-host-based tools, such as Nessus and Nikto.

I also use Snort to sniff my LAN traffic on my home network and colo machine. Network-based IDSs are passive in nature, though.

H_TeXMeX_H 10-22-2010 08:44 AM

A few times a year I scan with rkhunter and chkrootkit. Have not found anything yet.

Rarely I scan with clamav, and once it did find a trojan in some sites I had saved. I no longer save sites (of that type), but either way the trojan was inactive and could not work.

Peufelon 10-22-2010 09:00 PM

Don't Trust Vendors To Look Out For You
 
Amdx2_x64,

So nice to see someone who takes such minimal steps as using Firefox plus the add-ons you mentioned. I always clamscan any PDF I download; PDFs are one of the major malware vectors for websurfers, as is Javascript, and some attacks do affect Linux boxes (or are platform independent), so these vectors DO impact Linux users. As you probably know. I also do some of the other things various posters mentioned, and more besides.

Little tip for those who use a recent Actiontek router: it seems that by default these all allow a user on your LAN to contact the router by http connection, and also allow anyone anywhere to contact it by telnet. Secure connections such as ssh or https are not supported. (Ugh!) You must use the web interface to disable the telnet interface and also to set a new password (and if the power to the router is interrupted, you'll probably need to do it again); otherwise by default your router will give up to anyone who asks the unique identifiers of the CPU in your router and the ethernet card of your computer! That is precisely the kind of personal information which Google recently got in trouble for snagging illegally using their StreetView vehicles. To say the least, Actiontek does not attempt to publicly reveal this to their customers. Unfortunately, this kind of careless (deceptive?) attitude seems to be common. Especially frustrating since ISPs seem to be able to get away with declaring that their users must use a particular brand of router in order to connect to the web.

Just one example of the kind of issue you have to look out for, on top of all the ones you've already heard about. Even if you are not running a server.

yancek 10-22-2010 10:36 PM

I've never used a virus scanner on my Linux machine but I've only been using it for 6 years. Never had a virus or any malware.

Amdx2_x64 10-25-2010 03:02 PM

Well I was just going to let this thread go. But since I learned a few things from it I wanted to say thanks for that.

nomb 10-25-2010 03:50 PM

I use nessus and nexpose to scan my boxes at a minimum of once a week.
I used to use aide for the hids but have switched over to osiris.
I use snort to monitor the network.
All boxes log to a central log server with all boxes using ntp.

Also have a few self made tools watching boxes and traffic.

nomb

OlRoy 10-25-2010 03:59 PM

Quote:

Originally Posted by yancek (Post 4136457)
I've never used a virus scanner on my Linux machine but I've only been using it for 6 years. Never had a virus or any malware.

"I've never had any blood work done. Never had any problems with cholesterol." ;) Not saying you need AV software... there is more to detecting malware than AV software, but I hope you've done some other form of monitoring to be sure you've never been compromised.

OlRoy 10-25-2010 04:00 PM

Quote:

Originally Posted by nomb (Post 4139030)
I use nessus and nexpose to scan my boxes at a minimum of once a week.
I used to use aide for the hids but have switched over to osiris.
I use snort to monitor the network.
All boxes log to a central log server with all boxes using ntp.

Also have a few self made tools watching boxes and traffic.

nomb

Sounds interesting... exactly what do your self made tools do?

nomb 10-25-2010 04:13 PM

Quote:

Originally Posted by OlRoy (Post 4139041)
Sounds interesting... exactly what do your self made tools do?

A bunch of different things. I have one that I kinda use as a swiss army knife. It is all plugin based and all the plugins can communicate and what not. So among other things it monitors the logs on my honeypots and when they get attacked it sends the IPs to all of my other boxes so they can drop all traffic from them. I have another that watches for failed ssh attempts and then after so many nats them to the ssh honeypot. I have another that watches traffic and compares IP and MAC to known good IP and MAC and alerts any changes or unknowns. Bunch of different stuff.

nomb
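
The two watchers nomb describes (failed SSH attempts above a threshold, and IP/MAC pairs checked against a known-good list) can be sketched in a few lines of POSIX shell. The block below is an added example for this thread, not nomb's tools: the sshd log lines, the threshold, the IP addresses (RFC 5737 documentation ranges) and the MAC addresses are all constructed here. The first function prints the sources that crossed the threshold (what a watcher would then hand to the other hosts as a block list); the second prints only deviations from the baseline, so silence means nothing changed.

```shell
#!/bin/sh
# Added example for this thread, not nomb's tools. Two small detectors:
#   1. count sshd "Failed password" lines per source IP and print the sources
#      that reached a threshold;
#   2. compare a current IP/MAC table with a known-good table and report
#      unknown hosts or changed MACs.
# Every log line, IP (RFC 5737 ranges) and MAC address below is constructed.

SAMPLE_AUTH_LOG='Nov  1 18:05:01 colo sshd[2201]: Failed password for root from 203.0.113.5 port 51422 ssh2
Nov  1 18:05:03 colo sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51430 ssh2
Nov  1 18:05:06 colo sshd[2205]: Failed password for invalid user oracle from 203.0.113.5 port 51441 ssh2
Nov  1 18:05:07 colo sshd[2207]: Failed password for invalid user test from 203.0.113.5 port 51450 ssh2
Nov  1 18:06:10 colo sshd[2210]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Nov  1 18:06:15 colo sshd[2212]: Accepted publickey for alice from 198.51.100.7 port 40025 ssh2
Nov  1 18:07:02 colo sshd[2220]: Failed password for invalid user pi from 192.0.2.99 port 33001 ssh2
Nov  1 18:07:03 colo sshd[2221]: Failed password for invalid user pi from 192.0.2.99 port 33002 ssh2
Nov  1 18:07:04 colo sshd[2222]: Failed password for invalid user pi from 192.0.2.99 port 33003 ssh2'

# failed_ssh_offenders THRESHOLD   (log lines on stdin)
# Prints, one per line and sorted, each source IP with >= THRESHOLD failures.
# Only sshd "Failed password" lines are counted; "Accepted" lines are ignored.
failed_ssh_offenders() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= t) print ip }
    ' | sort
}

# Known-good and current tables: "IP MAC" per line, the shape you get from
# `ip neigh` after trimming. Constructed values.
KNOWN_GOOD='192.168.1.1 00:11:22:33:44:01
192.168.1.10 00:11:22:33:44:10
192.168.1.20 00:11:22:33:44:20'

CURRENT_NEIGH='192.168.1.1 00:11:22:33:44:01
192.168.1.10 00:11:22:33:44:10
192.168.1.20 aa:bb:cc:dd:ee:20
192.168.1.77 aa:bb:cc:dd:ee:77'

# arp_alerts KNOWN_GOOD_TABLE CURRENT_TABLE
# Prints "CHANGED ip old -> new" when a known IP shows a different MAC and
# "UNKNOWN ip mac" for an IP not in the baseline. Silent when all is well.
arp_alerts() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---"    { phase = 1; next }
        NF < 2         { next }
        phase == 0     { good[$1] = $2; next }
        !($1 in good)  { print "UNKNOWN " $1 " " $2; next }
        good[$1] != $2 { print "CHANGED " $1 " " good[$1] " -> " $2 }
    ' | sort
}

echo "== sources with 3 or more failed SSH logins =="
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_offenders 3
echo "== IP/MAC deviations from baseline =="
arp_alerts "$KNOWN_GOOD" "$CURRENT_NEIGH"
```

On a live host the first function would be fed by `tail -f /var/log/auth.log` (or the journal) and the second by the output of `ip neigh`; a one-line baseline change, such as a known IP suddenly answering from a different MAC, is exactly the condition the last rule reports.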

OlRoy 10-25-2010 04:35 PM

Quote:

Originally Posted by nomb (Post 4139048)
A bunch of different things. I have one that I kinda use as a swiss army knife. It is all plugin based and all the plugins can communicate and what not. So among other things it monitors the logs on my honeypots and when they get attacked it sends the IPs to all of my other boxes so they can drop all traffic from them. I have another that watches for failed ssh attempts and then after so many nats them to the ssh honeypot. I have another that watches traffic and compares IP and MAC to known good IP and MAC and alerts any changes or unknowns. Bunch of different stuff.

nomb

I need to get back into honeypots... that sounds like fun. :)

nomb 10-25-2010 05:51 PM

Quote:

Originally Posted by OlRoy (Post 4139069)
I need to get back into honeypots... that sounds like fun. :)

It is. Good way to learn.

meetscott 11-01-2010 01:16 PM

Samhain is free. People should check it out and run it daily at night. There's no reason not to. You'll never even notice it's there unless something happens.

H_TeXMeX_H 11-01-2010 01:39 PM

Quote:

Originally Posted by meetscott (Post 4146016)
Samhain is free. People should check it out and run it daily at night. There's no reason not to. You'll never even notice it's there unless something happens.

There's also no reason to use it, unless you're running a server.

meetscott 11-01-2010 01:41 PM

Quote:

There's also no reason to use it, unless you're running a server.
Malware is only a problem on servers?

But I guess I can accept the argument that it might be a little overkill.

cincindie 11-01-2010 01:43 PM

I rarely if ever perform a regular scan of the whole system. I do monitor the logs and look for unusual activity. Otherwise, e-mails on the server are the only things that get scanned on a regular basis.

mesiol 11-01-2010 01:49 PM

Hi,

rkhunter and chkrootkit on a daily basis works okay for me. AV software is running on my mail servers, but not locally on my workstation. Never found anything not intended by myself to be there.

nomb 11-01-2010 02:12 PM

Quote:

Originally Posted by meetscott (Post 4146037)
Malware is only a problem on servers?

But I guess I can accept the argument that it might be a little overkill.

I can't. I think you should run a HIDS on all of your boxes.
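
What a HIDS like AIDE (Hangdog42's nightly run), Samhain or Osiris does at its core is a file-integrity comparison against a stored baseline. The shell below is an added example written for this thread, not code from any of those projects: it records a SHA-256 hash and the `ls` mode string for every regular file under a directory, then reports additions, removals and changes against a saved baseline. The tab-separated baseline format, the throw-away directory and its file contents are assumptions of the example.

```shell
#!/bin/sh
# Added example for this thread, not code from AIDE, Samhain or Osiris.
# A minimal file-integrity check: the part of a HIDS that runs nightly.
# Baseline line format (an assumption of this example, tab-separated):
#   <sha256> TAB <ls mode string> TAB <path relative to the watched dir>
TAB=$(printf '\t')

# fim_baseline DIR   -> baseline lines for every regular file under DIR.
# Paths are relative to DIR so the same baseline works wherever the tree
# is mounted.
fim_baseline() {
    (
        cd "$1" || exit 1
        find . -type f | LC_ALL=C sort | while IFS= read -r f; do
            hash=$(sha256sum "$f" | cut -d' ' -f1)
            mode=$(ls -ld "$f" | awk '{ print $1 }')
            printf '%s\t%s\t%s\n' "$hash" "$mode" "$f"
        done
    )
}

# fim_check BASELINE_FILE DIR
# Prints ADDED / REMOVED / MODIFIED lines (sorted); prints nothing if DIR
# matches the baseline. A change in either content hash or mode string counts.
fim_check() {
    base="$1"
    now=$(mktemp) || return 1
    fim_baseline "$2" > "$now"
    awk -F "$TAB" -v basefile="$base" '
        FILENAME == basefile { old[$3] = $1 " " $2; next }
        { new[$3] = $1 " " $2 }
        END {
            for (p in old) if (!(p in new)) print "REMOVED  " p
            for (p in new) {
                if (!(p in old))           print "ADDED    " p
                else if (old[p] != new[p]) print "MODIFIED " p
            }
        }
    ' "$base" "$now" | sort
    rm -f "$now"
}

# Demonstration on a throw-away directory (constructed content).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/etc" "$demo_dir/bin"
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$demo_dir/etc/passwd"
printf '#!/bin/sh\necho ok\n' > "$demo_dir/bin/tool"
fim_baseline "$demo_dir" > "$demo_dir.baseline"
echo "== clean run (expect no output) =="
fim_check "$demo_dir.baseline" "$demo_dir"
# Simulate tampering: a second UID-0 account, a removed tool, a new binary.
printf 'root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n' > "$demo_dir/etc/passwd"
rm -f "$demo_dir/bin/tool"
printf 'x' > "$demo_dir/bin/unexpected"
echo "== after tampering =="
fim_check "$demo_dir.baseline" "$demo_dir"
rm -rf "$demo_dir" "$demo_dir.baseline"
```

In real use the baseline is written once after install, stored where the monitored host cannot rewrite it (the daemon-versus-cronjob distinction unSpawn draws later in the thread is about exactly this), and `fim_check` runs from cron at night with its output mailed to you; an empty mail is the normal case. The production tools add owner, timestamps, inode and link checks on top of this and sign the database.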

clifford227 11-01-2010 03:13 PM

Could audio files (mp3, flac, etc) or video files (avi, mpg, mkv, etc) contain exploits or trojans?

My external backup drives contain mostly media files and of course you can't do a reformat or you lose all your stuff.

What is the best practice for protecting external backup drives?

Amdx2_x64 11-01-2010 03:23 PM

Quote:

Could audio files (mp3, flac, etc) or video files (avi, mpg, mkv, etc) contain exploits or trojans?
From my understanding, yes. I also believe JPGs or other image formats can as well. Though I am not sure how this is done or, for that matter, how likely, even if possible, it would be.

Hangdog42 11-01-2010 04:39 PM

Quote:

Originally Posted by clifford227 (Post 4146109)
Could audio files (mp3, flac, etc) or video files (avi, mpg, mkv, etc) contain exploits or trojans?

My external backup drives contain mostly media files and of course you can't do a reformat or you lose all your stuff.

What is the best practice for protecting external backup drives?

Unless I've missed something, unless your media files are executable (and I have no idea why someone would let data be executable), they can't do damage. Simply opening a media file in its appropriate viewer shouldn't allow any damage.

unSpawn 11-01-2010 06:06 PM

Quote:

Originally Posted by H_TeXMeX_H (Post 4146034)
There's also no reason to use it, unless you're running a server.

Given the fact that some OS installations are not that well-protected out of the box (Ubuntu's Remote Desktop comes to mind, see for instance the reports on Ubuntuforums), some users not knowing or caring for any security and the amount of hosts being compromised through the web stack still, I disagree.

win32sux 11-01-2010 06:13 PM

Quote:

Originally Posted by clifford227 (Post 4146109)
Could audio files (mp3, flac, etc) or video files (avi, mpg, mkv, etc) contain exploits or trojans?

They most certainly can. In fact, as pointed out by Amdx2_x64, even image files can contain exploits.

Image example: CVE-2010-1205; Audio example: CVE-2007-6279; Video example: CVE-2009-3389.

unSpawn 11-01-2010 06:17 PM

Quote:

Originally Posted by Amdx2_x64 (Post 4135283)
I was just curious how many times the average Linux desktop user at these forums checks their computer for viruses, rootkits, etc. (..) So How often does everyone scan their Linux Computers and what do you use?

Next to whatever basic hardening / logging entails I use GNU/Tiger or LSAT, Auditd, Samhain (daemon: active) or Aide (cronjob: passive), Snort, a slightly modified Chkrootkit, Rootkit Hunter with add-ons and some home-brewed scripts. If I run AV SW it'll mostly be to help determine stuff sent to me or found elsewhere.

unSpawn 11-01-2010 06:19 PM

Quote:

Originally Posted by win32sux (Post 4146235)
image files can contain exploits.

...and next to that PHP scripts are often uploaded with image type extensions to bypass crude filters.

meetscott 11-01-2010 06:22 PM

It's easy to get way off base here. Install as much security as you can and then back off based on usability and cost limitations. Sometimes extra security does not return anything given what is being protected.

Sometimes "Fort Knox" style is the appropriate path if what you are protecting is worth the investment. I like to see costs (processing, I/O, admin time), barriers (knowledge, time, training, etc.) and investment (research, setup, etc.) be so low that people can't help but be secure and make good choices.

I think we are moving closer and closer to that with Linux and options we have today. This forum also contributes to that greater good.

unSpawn 11-01-2010 06:34 PM

Define "extra security"?

meetscott 11-01-2010 07:10 PM

Quote:

Define "extra security"?
I don't think so dude. Sorry. I'm not playing that game.

I'll make you a deal... you define "Reasonable Security" and I'll define "Extra Security".

H_TeXMeX_H 11-02-2010 04:17 AM

Quote:

Originally Posted by unSpawn (Post 4146228)
Given the fact that some OS installations are not that well-protected out of the box (Ubuntu's Remote Desktop comes to mind, see for instance the reports on Ubuntuforums), some users not knowing or caring for any security and the amount of hosts being compromised through the web stack still, I disagree.

Yes, well, I guess on Ubuntu, maybe. I think it would be better for Ubuntu to change, rather than having to do extra to keep it secure.

Reasonable security to me is:
1) Use strong passwords (not anything in a dictionary or a name).

2) Firewall (can be on a router, although usually not as configurable, or regular netfilter/iptables).

3) Disable any service that uses a port that you don't need, especially remote login.

4) Scan with rkhunter, chkrootkit, and maybe clamav.

5) If you use sudo, make sure you configure it in a sane manner, unlike Ubuntu.

6) Checksum packages (probably automatic).

I would think that on a non-Ubuntu desktop, this is reasonable security.

Now, on a server, you can and should do more than this.

P.S. I also know the motto of the Security forum: Too much security is never enough. This is also why I seldom reply to anything here.
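
Steps 3 and 4 of the list above can be turned into a cron-driven audit. The script below is an added example for this thread, not code from the post: it compares listening sockets (a constructed `ss -Hlntu` sample) against an allowlist of the ports this machine is supposed to serve, and runs rkhunter, chkrootkit and clamscan only if they are installed. The allowlist, the sample socket table and the `--scan` argument are assumptions of the example; the scanner flags are the tools' own documented options.

```shell
#!/bin/sh
# Added example for this thread, not code from the post above. A small audit
# for steps 3 and 4 of the list: flag listening sockets that are not on an
# allowlist, then run whichever rootkit/AV scanners are installed.
# The allowlist and the ss(8) sample below are constructed for this example.

# "proto port" pairs this machine is supposed to serve (assumption).
ALLOWED_LISTENERS='tcp 22
tcp 631
udp 68'

# Constructed sample of `ss -Hlntu` (no header; Netid State Recv-Q Send-Q Local Peer).
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:631   0.0.0.0:*
tcp   LISTEN 0 50  0.0.0.0:5900    0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:68      0.0.0.0:*
tcp   LISTEN 0 128 [::]:22         [::]:*
udp   UNCONN 0 0   0.0.0.0:5353    0.0.0.0:*'

# unexpected_listeners ALLOWLIST   (ss output on stdin)
# Prints "proto port" once for each listening socket not in the allowlist.
# The port is whatever follows the last ':' of the local address, which also
# copes with IPv6 forms like [::]:22.
unexpected_listeners() {
    { printf '%s\n---\n' "$1"; cat; } | awk '
        $0 == "---" { phase = 1; next }
        NF == 0     { next }
        phase == 0  { ok[$1 " " $2] = 1; next }
        {
            n = split($5, a, ":"); key = $1 " " a[n]
            if (!(key in ok) && !(key in seen)) { seen[key] = 1; print key }
        }
    ' | sort
}

# run_scanners   -> runs whichever of rkhunter, chkrootkit, clamscan exist.
# Missing tools are reported rather than treated as an error, so the cron
# mail still arrives and tells you what did not run.
run_scanners() {
    for tool in rkhunter chkrootkit clamscan; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "skipped: $tool is not installed"
            continue
        fi
        case $tool in
            rkhunter)   rkhunter --check --skip-keypress --report-warnings-only ;;
            chkrootkit) chkrootkit -q ;;
            clamscan)   clamscan -r -i --exclude-dir='^/(proc|sys|dev|run)' / ;;
        esac
    done
    return 0
}

# Live use as root (e.g. nightly from cron):
#   ss -Hlntu | unexpected_listeners "$ALLOWED_LISTENERS"; ./audit.sh --scan
# Below, only the constructed sample is evaluated.
echo "== listeners not on the allowlist =="
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$ALLOWED_LISTENERS"
if [ "${1:-}" = "--scan" ]; then
    run_scanners
fi
```

Against the sample the audit reports `tcp 5900` (a VNC-style listener nobody asked for) and `udp 5353` (mDNS), which is the point of step 3: the allowlist states intent, and anything else is a service to disable or justify. Step 6 of the list, package checksums, is covered on Debian-style systems by `debsums` and on RPM systems by `rpm -Va`, both of which fit in the same cron job.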

corp769 11-02-2010 04:37 AM

Being a security freak, here is my setup, from power on:

BIOS password
(bootloader password when I need to edit or change something)
LUKS password
default boots to init 3
log in using standard user, then to root to init 5 if needed (most of the time I do)
log in standard user for GUI

As far as scanning my system, I have cron scripts set up for both clamav and rkhunter.
For Firefox, I have NoScript, Redirect Remover, Adblock Plus, Ghostery, BetterPrivacy, User Agent Switcher, plus a few other tools and dev tools I use.

There is a lot more to my system, including my IDS (snort), and real-time alerting on my desktop via conky, as well as system stats through conky. I have screenshots in the "post your desktop" thread. I have a lot going on, and I love it. But once again, I am a security freak.

Also to add: I am running a custom kernel, and a custom iptables setup which drops everything that I don't initiate.
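
A netfilter policy that "drops everything that I don't initiate", as corp769 puts it, is a default-deny INPUT chain plus a conntrack rule that lets replies to the host's own connections back in. The shell below is an added example for this thread, not corp769's actual ruleset: it prints the iptables commands (and executes them only when run as root with `--apply`), accepts an optional list of inbound TCP ports which it validates before anything is applied, and logs drops at a limited rate. The `--apply` switch, the port list and the `fw-drop:` log prefix are assumptions of the example; the iptables options are the standard ones.

```shell
#!/bin/sh
# Added example for this thread, not corp769's ruleset. A stateful default-deny
# policy: nothing reaches INPUT unless this host started the conversation, the
# packet is on loopback, or the port is explicitly listed. Run with no
# arguments to print the commands; run as root with --apply to execute them.
# The optional port list and the log prefix are assumptions of this example.

# fw_rules [TCP_PORT ...]   -> prints the iptables commands, one per line.
# Returns 1 if a port argument is not 1..65535, so a typo never turns into
# a rule like "--dport foo".
fw_rules() {
    cat <<'EOF'
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) echo "fw_rules: bad port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "fw_rules: bad port '$p'" >&2; return 1
        fi
        printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done
    # Rate-limited log of what gets dropped, so the log reviews mentioned
    # elsewhere in the thread have something to look at.
    echo 'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "'
}

# fw_apply [TCP_PORT ...]  -> validates the whole set first, then runs it as
# one batch; a bad port means nothing at all is applied.
fw_apply() {
    rules=$(fw_rules "$@") || return 1
    printf '%s\n' "$rules" | sh -e
}

if [ "${1:-}" = "--apply" ]; then
    shift
    fw_apply "$@"
else
    fw_rules "$@"
fi
```

Run without arguments it only prints, which is the safe way to review the set; `sudo ./fw.sh --apply 22` would install it with SSH allowed in. The same rules are needed again for `ip6tables` if the host has IPv6, and they must be saved (`iptables-save`, or the distribution's persistence package) or they are gone at the next boot.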

meetscott 11-02-2010 08:48 AM

I'll share a quick story with you all...

I've been hacked once. It was years ago when the scripts for password guessing were first getting hot on the Internet. I used to have an account on my system called "guest" and the password was "guest" so visitors could get on and use my computer. It was guessed (imagine that?) and the person tried to install a spam relay with a PHP script. The visit was short and he didn't get anywhere. The IP was from Romania.

I was compromised but the damage was minimal because I was generally doing other things that were quite effective. Strong passwords for other accounts, the file system was reasonably locked down, I was running a firewall, services I didn't need were not running, etc. I know more now than I did then. But even in that case I had enough security for my system. Clean up didn't take very long.

So I learned not to keep that guest account anymore. I keep learning. There are even a few ideas I've gleaned from people's responses here. I love LUKS to protect my mobile file systems. It's awesome and it works well. iptables, awesome. I was able to write scripts to minimize and block those repeated attacks from script kiddies.

10 years ago things were not as good as they are now. We have tons of tools and things to help us out and make it easier. In addition, distros are generally doing better default installs than they used to. Nowadays it's easier for users to follow a few good guidelines and have a fairly secure system. It's really hard to exploit a Linux system. And even if that's successful, it's often not very useful to do so. Compare that to Windows. Our lives are way better than the common computer user's.

OlRoy 11-02-2010 10:56 AM

Quote:

Originally Posted by meetscott (Post 4146917)
I'll share a quick story with you all...

I've been hacked once. It was years ago when the scripts for password guessing were first getting hot on the Internet. I used to have an account on my system called "guest" and the password was "guest" so visitors could get on and use my computer. It was guessed (imagine that?) and the person tried to install a spam relay with a PHP script. The visit was short and he didn't get anywhere. The IP was from Romania.

I was compromised but the damage was minimal because I was generally doing other things that were quite effective. Strong passwords for other accounts, the file system was reasonably locked down, I was running a firewall, services I didn't need were not running, etc. I know more now than I did then. But even in that case I had enough security for my system. Clean up didn't take very long.

So I learned not to keep that guest account anymore. I keep learning. There are even a few ideas I've gleaned from people's responses here. I love LUKS to protect my mobile file systems. It's awesome and it works well. iptables, awesome. I was able to write scripts to minimize and block those repeated attacks from script kiddies.

10 years ago things were not as good as they are now. We have tons of tools and things to help us out and make it easier. In addition, distros are generally doing better default installs than they used to. Nowadays it's easier for users to follow a few good guidelines and have a fairly secure system. It's really hard to exploit a Linux system. And even if that's successful, it's often not very useful to do so. Compare that to Windows. Our lives are way better than the common computer user's.

The point of monitoring is to limit damage when prevention fails, and it appears to have saved you once before. :) There certainly isn't anything wrong with focusing on preventing attacks. However, there is something wrong with completely ignoring detection. Monitoring will always play a role in security, because there will always be residual risk.

As Bruce Schneier said, monitoring is the first thing you should do to determine what attacks you face, so you know what countermeasures to implement. It also lets you trust your computer by verifying your preventative controls are working.

meetscott 11-02-2010 12:06 PM

Quote:

The point of monitoring is to limit damage when prevention fails, and it appears to have saved you once before. There certainly isn't anything wrong with focusing on preventing attacks. However, there is something wrong with completely ignoring detection.
OlRoy, are you aware that I maintain a monitoring and detection package? I hardly consider that ignoring.

I guess I'm sometimes disgusted with people just shooting their mouths off. I quit Slashdot years ago because of this. I mean this in all sincerity, go back there. We simply don't do that to people here.

I agree with the statement that there is something wrong with ignoring detection. I guess that's why I maintain that Samhain build. Did you really mean to direct it towards me? I'm really sorry to pounce on someone if it was simple misspoken language.

OlRoy 11-02-2010 12:18 PM

Quote:

Originally Posted by meetscott (Post 4147132)
OlRoy, are you aware that I maintain a monitoring and detection package? I hardly consider that ignoring.

I guess I'm sometimes disgusted with people just shooting their mouths off. I quit Slashdot years ago because of this. I mean this in all sincerity, go back there. We simply don't do that to people here.

I agree with the statement that there is something wrong with ignoring detection. I guess that's why I maintain that Samhain build. Did you really mean to direct it towards me? I'm really sorry to pounce on someone if it was simple misspoken language.

Yes, it was directed at you. However, I didn't notice you maintained Samhain so I guess I misinterpreted some of what you said. No need to get your panties in a bunch. :)

meetscott 11-02-2010 12:44 PM

Quote:

No need to get your panties in a bunch.
Ahhh nooo. Hell no. These panties are totally wrecked.

From H_TeXMeX_H:
Quote:

P.S. I also know the motto of the Security forum: Too much security is never enough. This is also why I seldom reply to anything here.
I think you might be on to something with this.

No hard feelings OlRoy.

Amdx2_x64 11-02-2010 01:14 PM

Quote:

Too much security is never enough.
This is how I feel. Not from a paranoid angle but just because of how things are these days and the likely direction they will keep going in.

Edit: Plus it is fun to learn about security. There is so much it never gets dull.

H_TeXMeX_H 11-03-2010 03:01 AM

Quote:

Originally Posted by Amdx2_x64 (Post 4147188)
This is how I feel. Not from a paranoid angle but just because of how things are these days and the likely direction they will keep going in.

So, how is that? How are things these days?

Amdx2_x64 11-03-2010 03:15 AM

Quote:

Originally Posted by H_TeXMeX_H (Post 4147741)
So, how is that? How are things these days?


Here are a couple of things.

The fact so much user data/profiles/browsing history/etc is stored online by various companies and others alone is reason enough. And with Cloud computing it will get much worse (I have never been a fan of Cloud Computing anyways.) Not to mention the lack of concern many have about sharing personal information or clicking anything (flash games, Java Games and so on.) Facebook, MySpace are perfect examples of this. And some companies not caring about user privacy and even selling user information or having it "Accidentally Exposed," somehow.

H_TeXMeX_H 11-03-2010 03:23 AM

Privacy is not the same thing as security, so if you're concerned about privacy, you may want to start a new thread. For privacy, you mostly have to customize Firefox to block all the BS they throw at you. I don't have Flash installed, I download the MP4 instead from YouTube.

For FF I have the very much needed Adblock, NoScript, Greasemonkey.

I also stay far away from Google and the Cloud (of doom).

Amdx2_x64 11-03-2010 03:26 AM

Quote:

Originally Posted by H_TeXMeX_H (Post 4147750)
Privacy is not the same thing as security, so if you're concerned about privacy, you may want to start a new thread. For privacy, you mostly have to customize Firefox to block all the BS they throw at you. I don't have Flash installed, I download the MP4 instead from YouTube.

For FF I have the very much needed Adblock, NoScript, Greasemonkey.

I also stay far away from Google and the Cloud (of doom).

I disagree. Privacy and Security can go hand in hand. For example the information that was stolen from users can help someone get a profile of that person, their habits, where they live, etc. Then it goes from privacy into security. If a person's privacy is at risk or stolen then someone could easily try and hack into that person's computer, which goes back to security. With all the information being stored on users' habits and some actually giving it away freely, it has the potential of getting real messy, real fast.

Edit: My FF list is: NoScript (a must), Redirect Remover, Adblock Plus, Better Privacy and Ghostery.

meetscott 11-03-2010 08:33 AM

I can't speak for all "Cloud" (I hate buzzwords) solutions, but I use the Amazon Cloud in a business and it absolutely rocks! For those who don't know this latest, mindless technology cliche, Clouds are just virtualized instances for sale, at least as Amazon is provisioning it. There are other interpretations. Let's not fret over a word that is meant to be intentionally vague.

I would think the people here would generally embrace the cloud because they are generally provisioned as Linux instances and their default security preferences are better than most distros out of the box. Amazon has the majority of the Cloud market right now and the majority of those are running Linux. It's cheap and it can scale.

I also have a Slack box I've colocated for years, but that was before the Cloud was available. I still have it and I'll keep it out there for now, but cost wise, it is making less and less sense. I wouldn't go out and buy the hardware now. But that was then and now there are other options. When it dies, I'm going cloud with that box too.

If guys like the paranoid schizophrenics on this forum are administering it, I'd think it would be a pretty safe option. Cloud or not, companies misuse and mistreat customers. From a technology standpoint, the Cloud is awesome. You just don't get to get out of doing the admin work that always goes along with managing any Linux system. You get a free pass on hardware, initial investment, scaling, network infrastructure, and you get some handy dandy extra tools provided by RightScale.

You should try it before you knock it. For the most part, it's just the same Linux we have come to know and love. It's a really cheap way to run a server on the Internet.

H_TeXMeX_H 11-03-2010 02:12 PM

Well, that's where I draw the line with privacy. I'm never using any cloud apps, I want my data to stay on my HDD. I'm not quite as paranoid about privacy as many on here, but I do know that they plan on turning computers into terminals, with your data being stored on their servers.

I also don't think the Cloud is anything but vaporware being marketed as a wonder of technology, with a diabolical scheme in the background. I have no use for the cloud.

I've also had enough of this thread.

meetscott 11-03-2010 03:53 PM

Quote:

Well, that's where I draw the line with privacy. I'm never using any cloud apps, I want my data to stay on my HDD.
I can't say anything to this. It's a really good and valid point.

Running Linux on a Cloud instance is just that. It's a tool to get something done. I find the marketing amusing too.

Quote:

I've also had enough of this thread.
I couldn't have said it any better if I tried.

Amdx2_x64 11-03-2010 04:18 PM

Quote:

Originally Posted by H_TeXMeX_H (Post 4148306)
Well, that's where I draw the line with privacy. I'm never using any cloud apps, I want my data to stay on my HDD. I'm not quite as paranoid about privacy as many on here, but I do know that they plan on turning computers into terminals, with your data being stored on their servers.

I also don't think the Cloud is anything but vaporware being marketed as a wonder of technology, with a diabolical scheme in the background. I have no use for the cloud.

I've also had enough of this thread.

I agree with you on this. My data stays with me, not on some server halfway around the world.

The only thing Cloud computing is good for is getting people used to Linux. Well, sort of used to it. At least used to the name.

