LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-18-2003, 08:40 AM   #1
Kaashar
LQ Newbie
 
Registered: Dec 2003
Posts: 11

Rep: Reputation: 0
Spyware/Malware Content filtering?


My goal is to basically save people from themselves.....

I've setup a solid iptables firewall with NAT, my next problem is spyware/malware/porn dialers, etc. The problem comes in with the users. They're all various windows based machines using IE (this is something I can't change or I would have them on Firebird). and it's wonderful ability to help them install these wonderful programs.

Upping browser security levels won't work (another set of problems we won't go into) and as I've said changing the browser is out of the question.


In theory you'd be able to filter these things (using squid maybe??) but I haven't been able to find any information about people attempting this. Granted you'd never be able to catch them ALL, but even a few on a slient proxy filtering service would help these poor people. My question is if anyone has information about people trying this. Google searches on the subject doesn't point me in the right direction unfortunately.

Thanks in advance
 
Old 12-18-2003, 09:53 AM   #2
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Try installing something like "Spybot - Search and Destroy" on the Windows clients. It's a pretty decent tools for detecting, removing, and blocking these types of things. You might also consider putting in a proxy like squid or privoxy to help out.
 
Old 12-18-2003, 10:17 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3596Reputation: 3596Reputation: 3596Reputation: 3596Reputation: 3596Reputation: 3596Reputation: 3596Reputation: 3596Reputation: 3596Reputation: 3596Reputation: 3596
I think the first step would be "educating" your users, if you're in the position to do that of course. I mean, pr0n dialers don't sneak in tru reading the news or Googling around.

Next to that you should look at coverage for different "popular" infection vectors. Web traffic is one, email, P2P and IRC are other variants. I agree having workstation AV and malware scanning should be mandatory.

If you decide on using Privoxy, post rule or filter questions in Linux - Newbie or Linux - General, I've gotten quite used to making them. Also there's some sites out there that make pretty good blocklists in all sorts of formats. Make sure you LOG and block unwanted in and outbound traffic at the firewall, and force web traffic tru the proxy. Next you will want signalling caps for when all hell breaks loose: add an IDS like Snort.
 
Old 12-18-2003, 10:31 AM   #4
Kaashar
LQ Newbie
 
Registered: Dec 2003
Posts: 11

Original Poster
Rep: Reputation: 0
Putting spybot/adaware/hijack this! on the client PCs would be "a bad thing(tm)" IMHO. The average person wouldn't know which reg entries to delete, keep, etc. Besides, let's be realistic. The average joe won't run the things until it's too late. Trust me, it's easier to reinstall the OS than try slugging it out with 30 or 40 different malware proggies running in the background.

Unfortunately educating people won't work either, trust me. I've tried this already, heck getting people to understand the concept of malware/spyware alone made me feel like I was explaning nuclear physics to a rat terrier.

I'm planning on doing privoxy (man I love that thing) as well, that's going to be a fine tuning nightmare.

I was just curious if anybody had seen a few blocking setups or the like. I suppose I could write them manually, but assumed this was a road already trodden. I may be oversimplyfing it but this just seems to me to be something more people would want. Email spam isn't anything compared to these "offical" looking activeX programs that people are unwittingly installing on their PCs. The average public doesn't understand why their "PC is running real slow lately" while 4 proggies are in the background playing swap the homepage.

Suppose I'll build a '98 box and start looking at these things on purpose (shudder).
 
Old 12-18-2003, 01:22 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3596Reputation: 3596Reputation: 3596Reputation: 3596Reputation: 3596Reputation: 3596Reputation: 3596Reputation: 3596Reputation: 3596Reputation: 3596Reputation: 3596
Putting spybot/adaware/hijack this! on the client PCs would be "a bad thing(tm)" IMHO.
No, that SW ain't bad. It's the wetware :-]


The average joe won't run the things until it's too late.
AV runs in the background, right?


Trust me, it's easier to reinstall the OS than try slugging it out with 30 or 40 different malware proggies running in the background.
Usually I don't suggest this, and I don't know your setup, but if you're into, uhhh, buying stuff, you could settle for the stuff they use in schools? You know, the "uncrackable" stuff that restores the system to a pristine state when rebooted? Except for them infecting remote hosts and the central fileserver, you'll loose all local problems at once.


I'm planning on doing privoxy (man I love that thing) as well, that's going to be a fine tuning nightmare.
Also don't forget to get on the Privoxy mailinglist. Lots of helpful ppl there.


I was just curious if anybody had seen a few blocking setups or the like.
If you Google for "blocklist privoxy" I'm sure you find a lot of resources like http://pgl.yoyo.org/adservers/ , http://www.riverofdata.com/tools/blacklist.txt , http://www.unixhub.com/block.html ,
http://home.earthlink.net/~briankass/adshield/ , http://www.spamanti.net/rogues.txt .
Some are old, but if you crosscheck lists I guess it's a good start on the domain part.
I haven't seen scripting against BHO's since that's MICROS~1 territory, but if it's retrievable by the browser it shouldn't pose problems to build filters.


Email spam isn't anything compared to these "offical" looking activeX programs that people are unwittingly installing on their PCs.
I don't see why you should differentiate between BHO's, SMTP-selfpropagating "goodies" or "plain" viruses higher as the other: they're all bad. I think letting down your guard thinking some are "less worse" than the other would be like enforcing strong passwords on Linux but letting users log in tru telnet.


//WTF? Why am I discussing measures protecting MICROS~1 boxen?..
 
Old 12-18-2003, 03:18 PM   #6
Kaashar
LQ Newbie
 
Registered: Dec 2003
Posts: 11

Original Poster
Rep: Reputation: 0
Heh thanks Unspawn.

I'd googled the last few days looking for this, and found aforementioned sites earlier.

My overall goal is to try and protect 5 or 6 different small business DSL connections through a iptables based firewall setup on some inexpensive hardware. I'm planning on layering it on top of the (pathetic) software firewalls that the companies have now. The amount of script kiddie attempts on these businesses have risen to the annoying level lately.

Some of these business are using the built-in NAT of the DSL modems, others have crap like wingate (YECH).

I figure I can setup one of the smaller distros up, configure PPOE, IPTables, Privoxy, Squid, DHCP, etc into decent little "first line defense" boxen. Granted I'm not going for "DOD" style protection here, but adding a layer to try and keep things down to a mild roar for them. One has to balance things inbetween user-friendly and security gustapo.

With Privoxy blocking the known dubious cookies and it's built-in POP up protection I'd gotten the idea into my head that perhaps it's possible to make a "signature" of some of the more common agents. I'm not planning on blocking them all (of course) but just *try* and save them from themselves.

//WTF? Why am I discussing measures protecting MICROS~1 boxen?..

Heh because unfortunately some of us still have to deal with the things. I honestly wish I could at the minimum talk them all switching over to Firebird. It alone would solve 90% of the problems I have with these people.

I've gotten everything else done but this. I'll sit down this weekend I suppose and investigate it further. I'm now at the point I think I could setup the blocking once I nail down the installers.

I don't see why you should differentiate between BHO's, SMTP-selfpropagating "goodies" or "plain" viruses higher as the other: they're all bad. I think letting down your guard thinking some are "less worse" than the other would be like enforcing strong passwords on Linux but letting users log in tru telnet.

A little off topic...but its an interesting comment....

It's a matter of importance to the customer and how much it impedes them. Email spam can be siltently ignored (if not filtered). Not being able to get onto the 'net because of winsock replacement due to malware isn't so easy.

Deleting a few "penis enlargement" emails doesn't take near as long as getting C2.lop off a PC no matter how you look at it.

It falls back to the old security/usability addage. I figure if I can silently filter out even 5% of the malware installers that's better than either breaking their business softare by switching browsers or breaking other stuff by disabling all activeX.

Besides, I love doing all this at the entry point with Linux. It's just too darn much fun. >
 
Old 12-18-2003, 03:45 PM   #7
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 75
Well one of the first steps you could take to prevent Malware/Spyware from being able to "phone hone" is to block all outbound ports by default, and only allow those that you need. You can redirect all outbound connections to port 80 or 443 to your Squid proxy (I assume this is possible using iptables) so that no matter how traffic tries to egress the network, as long as it's heading for an http(s) port, it will go to the proxy (no client changes, either).

You might also consider looking into Hogwash or Snortsam to provide active defense against instrusions.

Personally, I like the idea of default deny any traffic crossing the firewall. It's a great way to save users from themselves. BTW you should be able to accomplish this on an inline firewall using a bridge when sitting behind already NAT'd devices (to avoid double-NAT).
 
Old 12-19-2003, 08:06 AM   #8
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Quote:
Originally posted by Kaashar
Putting spybot/adaware/hijack this! on the client PCs would be "a bad thing(tm)" IMHO. The average person wouldn't know which reg entries to delete, keep, etc. Besides, let's be realistic. The average joe won't run the things until it's too late. Trust me, it's easier to reinstall the OS than try slugging it out with 30 or 40 different malware proggies running in the background.
I don't understand why adding another helpful tool is "a bad thing" as you put it. Spybot is not complex or difficult to use, and the immunize feature will prevent downloads of common malware. Given that malware developers are employing new tricks (ie like reading IE's proxy settings) to get around firewalls and proxies, it's best to prevent them from from being installed. If you had a virus on your network, would you clean it or just prevent it from spreading to other computers not on your network?

In addition, you need to educate you users. You don't need to go into technical details for them to understand the negative affects that malware can have. Users understand that when corporate data is leaked it puts their company in a vulnerable position. Reinstalling an OS may be the quicker way to get a computer back to a pristine state, but it isn't going to fix the damage that has been done. It's hard to make private data private again when it has been seen by an untrusted third party.

Personally I like adding multiple layers of protection wherever possible just in case.

Last edited by stickman; 12-19-2003 at 08:09 AM.
 
Old 03-25-2005, 09:33 AM   #9
despujols
LQ Newbie
 
Registered: Mar 2005
Location: boston
Posts: 1

Rep: Reputation: 0
An easy, simple, solution you look for?

What about using this host file. But not on each Host. Could not you use it at the firewall??

http://www.mvps.org/winhelp2002/hosts.htm


What do you think??
 
Old 03-29-2005, 02:40 AM   #10
johnnydangerous
Member
 
Registered: Jan 2005
Location: Sofia, Bulgaria
Distribution: Fedora Core 4 Rawhide
Posts: 431

Rep: Reputation: 30
Ad-Watch form Lava soft has automatic mode
 
Old 03-29-2005, 02:49 AM   #11
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Re: An easy, simple, solution you look for?

Quote:
Originally posted by despujols
What about using this host file. But not on each Host. Could not you use it at the firewall??

http://www.mvps.org/winhelp2002/hosts.htm


What do you think??
yeah, you can use any of the thousands of host files available on the web... just install a dns daemon on the firewall and configure the machines on the lan to use the firewall as their dns server... that way the firewall's /etc/hosts file will affect the entire lan...

http://thekelleys.org.uk/dnsmasq/doc.html
 
Old 03-29-2005, 10:57 PM   #12
born4linux
Senior Member
 
Registered: Sep 2002
Location: Philippines
Distribution: Slackware, RHEL&variants, AIX, SuSE
Posts: 1,127

Rep: Reputation: 49
for cases like, i recommend doing the filtering on the server as the primary solution.

http://www.privoxy.org is ok. you can also try http://dansguardian.org/ its free for non-commercial use.
 
Old 03-30-2005, 12:06 AM   #13
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally posted by born4linux
you can also try http://dansguardian.org/ its free for non-commercial use.
i wanted to ask you guys about this "free for non-commercial use" thing... i mean, take a look at this (from the DG page):
Quote:
DansGuardian 2 is:

* free for non-commercial use
* not free for installation by 3rd parties charging for installation or support
* not free for commercial use
* licensed under the GPL
* copyright Daniel Barron
* is a registered trade mark of Daniel Barron
complete license info here: http://dansguardian.org/?page=copyright2

i'm confused by the conditions the author places upon dansguardian...

is there really no conflict between his conditions and the GPL license??

i mean, it's supposed to be "GPL software" but if i install it at my friend's cybercafe and charge him a couple bucks for the installation i'm violating the license?? it doesn't make sense to me... could someone please explain how someone can place so many restrictions on something with a GPL license??
 
Old 03-31-2005, 12:33 AM   #14
born4linux
Senior Member
 
Registered: Sep 2002
Location: Philippines
Distribution: Slackware, RHEL&variants, AIX, SuSE
Posts: 1,127

Rep: Reputation: 49
take a look at the preamble of the GPL. also, the GPL itself does say that a program author may add limitations to the program even if it is distributed under the GPL.
ah, why i'm i explaining this?
 
Old 03-31-2005, 01:40 AM   #15
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally posted by born4linux
take a look at the preamble of the GPL. also, the GPL itself does say that a program author may add limitations to the program even if it is distributed under the GPL.
ah, why i'm i explaining this?
really? could you show me where it says that? what limitations does it say can be added? i read through the license and couldn't find anything mentioning these optional limitations you speak of... AFAIK, you can't make your own modifications to the GPL and still call it the "GPL"... it just doesn't work that way...

i was indeed wondering how this "free for non-commercial" BS could be for real when dansguardian is in debian trees and debian is known for being the most FREE (as in FREEDOM) distro on the planet... it makes no sense that a GPL app couldn't be used commercially...

on the DG page i found this which sorta sums-up the situation:

Quote:
So, if Debian puts DG on their website, they have to restrict downloads to non commercial users, right?

No, not right. Once you have a copy of a GPL app, no one can put any (non-GPL) restrictions on it - not even me the author. I can ask people to pay for downloading DG, but once its left this site it is under the GPL which means it is free (as in freedom) and free (as in beer - provided they want to give it away for free).

GPL means GPL which means no restrictions can be imposed on redistribution so the Debian would treat it as any other GPL app. Of course, should a commercial user want to upgrade his copy of DG he got with Debian by downloading from my site, he would have to pay unless he waited for Debian to release their version.
so YES, i can apt-get dansguardian at my friend's COMMERCIAL cybercafe and charge

<Dr. Evil voice> ONE MEEEEEEEELLION DOLLARS </Dr. Evil voice>

and i wouldn't be violating any licenses...

what that DG guy tries to do is get people to pay for downloading the software from his site - which is fine by the GPL... i just hate how he tries so hard to obfuscate the whole license issue... i don't think you need to use those kinda tactics to make money with GPL software - even if the tactics are totally legit...


Last edited by win32sux; 03-31-2005 at 06:42 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Spyware / Malware Threats? carlosinfl Linux - Security 5 11-24-2005 08:57 AM
Content Filtering using Squid toraghun Red Hat 3 11-10-2005 10:42 PM
Possible to get around content-filtering software? servnov Linux - Security 2 09-27-2005 07:11 AM
Content Filtering in linux? dwarf007 Linux - Security 4 07-01-2005 02:38 PM
iptables and content filtering evan1821 Linux - Security 1 06-09-2004 01:03 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:22 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration