# (SOLVED) Gentoo & Trojans protection needed?

## Kasumi_Ninja

Viruses aren't really a problem for (Gentoo) Linux. On the other hand I am not convinced Trojans aren't a real threat to (Gentoo) Linux users. I wonder:

1. If (Gentoo) Linux is threatened by Trojans and, if so, to what extent?

2. What is the best way to scan for and remove Trojans?

Last edited by Kasumi_Ninja on Mon May 21, 2007 10:14 am; edited 1 time in total

----------

## kmj0377

Linux is threatened by holes in application code that may allow execution of arbitrary code, which can lead to an escalation of privileges. Rootkits are also a problem: http://en.wikipedia.org/wiki/Rootkit.

chkrootkit and rkhunter will check for signs of rootkits.  Also make sure you pay attention to security bulletins and upgrade your applications to prevent any security holes.

----------

## AllenJB

While it's true that viruses "aren't a big problem" on linux, I maintain the belief that one day they will be. One day someone is going to find a way to create an effective linux virus and they're going to create it with a really nasty payload, just because they can. Even for linux users I would always recommend installing antivirus software (such as clamav). Not only will it help you to protect yourself, but it'll protect any Windows users you pass files onto.

As said above, rootkits are the other problem. To prevent rootkits being installed in the first place, you want to secure any externally visible services you're running (such as webservers or SSH) as best as possible. You can use iptables (linux's built-in firewalling mechanism) and other software to prevent brute-force attacks, and switch to using more secure methods such as key-based authentication, or failing that just really long passwords (don't think words, think sentences).

Other than a rootkit checker, you can also get programs such as integrit which are designed to allow you to monitor changes to the filesystem, so you can find out which files have changed recently and look for ones you weren't expecting.
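A minimal file-change monitor in the spirit of the integrit suggestion above, as an added example that is not part of the original post or of integrit itself; it assumes GNU coreutils/findutils (sha256sum, find, sort, comm) as found on a Gentoo box, and the function names fim_baseline and fim_check are this example's own.

```shell
#!/bin/sh
# Minimal file-integrity check in the spirit of integrit, built from
# coreutils/findutils only (example code, not integrit's own). It records the
# sha256 of every regular file under a directory and later reports what was
# CHANGED, ADDED or REMOVED. Assumes GNU find/sort/sha256sum/comm (Gentoo
# defaults); file names containing newlines are not handled.
export LC_ALL=C

# fim_baseline DIR OUT : write "sha256  path" lines for every regular file to OUT
fim_baseline() {
    find "$1" -type f -print0 | sort -z | xargs -0 -r sha256sum > "$2"
}

# fim_check DIR BASELINE : print a drift report; return 1 if anything drifted
fim_check() {
    dir=$1; base=$2
    cur=$(mktemp); basep=$(mktemp); curp=$(mktemp); report=$(mktemp)
    fim_baseline "$dir" "$cur"
    # sha256sum prints 64 hex chars, two spaces, then the path: the path starts at column 67
    cut -c67- "$base" | sort > "$basep"
    cut -c67- "$cur"  | sort > "$curp"
    {
        comm -23 "$basep" "$curp" | sed 's/^/REMOVED /'   # path in baseline only
        comm -13 "$basep" "$curp" | sed 's/^/ADDED   /'   # path in current tree only
        # "hash  path" lines missing from the current tree whose path still exists
        grep -vxF -f "$cur" "$base" | cut -c67- | grep -xF -f "$curp" | sed 's/^/CHANGED /'
    } > "$report"
    cat "$report"
    n=$(wc -l < "$report")
    rm -f "$cur" "$basep" "$curp" "$report"
    [ "$n" -eq 0 ]
}

# Usage: fim_baseline /usr/local/bin baseline.sha256   (then, later)
#        fim_check /usr/local/bin baseline.sha256
```

Keep the baseline on read-only or offline media: a baseline the intruder can rewrite is worth nothing, which is the same catch-22 raised below for the rootkit checkers themselves.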

----------

## Kasumi_Ninja

Thanks for the answer, now I understand the *nix security issues a lot better. From my understanding the situation with rootkit hunters such as chkrootkit and rkhunter is a bit of a 'Catch 22'. Lots of rootkit programs are known to edit these programs.

I wonder how you can check software outside the default portage tree for rootkits? I regularly download software for *nix that is provided in binary form or in source. How do I check these for such malware?

----------

## anello

 *Aniruddha wrote:*   

> I wonder how can you check software outside the default portage tree for rootkits? I regularly download software for *nix that is provided in binary form or in source. How do I check these for such malware?

 

check the hash values for integrity ...

----------

## Kasumi_Ninja

 *anello wrote:*   

>  *Aniruddha wrote:*   I wonder how you can check software outside the default portage tree for rootkits? I regularly download software for *nix that is provided in binary form or in source. How do I check these for such malware?
> 
> check the hash values for integrity ...

 

If I am not mistaken this is only helpful when the packager has no intention of harming your system. But what do you do with a genuine trojan horse? In short, are there other ways to check packages?

----------

## anello

If you are this paranoid that you think that the packager wants to take over your system, then you don't have a choice besides looking at the source code yourself.

PS: I'd advise against installing packages, especially binaries, from uncertain sources on mission critical systems.

----------

## Kasumi_Ninja

 *anello wrote:*   

> If you are this paranoid that you think that the packager wants to take over your system, then you don't have a choice besides looking at the source code yourself.
> 
> PS: I'd advise against installing packages, especially binaries, from uncertain sources on mission critical systems.

 

Lol! I am just trying to understand. I don't see myself as paranoid. As an ex-Windows user I know it can be wise to scan software for viruses and trojans prior to installing. It is known to happen to Linux applications as well. For example a net-sniffing application that turns out to be a rootkit. How do I know beforehand if such a package is malware? Will scanning with clamav or f-prot suffice?

----------

## i92guboj

 *Aniruddha wrote:*   

>  *anello wrote:*   If you are this paranoid that you think that the packager wants to take over your system, then you don't have a choice besides looking at the source code yourself.
> 
> PS: I'd advise against installing packages, especially binaries, from uncertain sources on mission critical systems.
> 
> Lol! I am just trying to understand. I don't see myself as paranoid. As an ex-Windows user I know it can be wise to scan software for viruses and trojans prior to installing. It is known to happen to Linux applications as well. For example a net-sniffing application that turns out to be a rootkit. How do I know beforehand if such a package is malware? Will scanning with clamav or f-prot suffice?

 

Some rootkits come as kernel modules, so by disabling support for external modules in your kernel you cut the root of the problem for some rootkits.

Clamav (or by extension any AV software, like Kaspersky's to name another one) is as limited as it always was, no matter the OS; Clamav is by no means different to, let's say, Norton AV or Panda's one. So, no, they can never guarantee you that your applications are totally clean. Only manual supervision of the source code of a given application can tell you what it hides inside. Of course, that is virtually impossible (unless you are willing to disassemble a binary product, which in turn might or might not be legal...) when you use packages whose sources are not available.

That is why closed source products are, inherently, not capable of guaranteeing a decent security level, because, firstly, you can't even guarantee that they are not against you, let alone their being able to protect you.

No AV software can be enough, in fact, no software at all can.

You can only try to reduce the possibility of being infected or invaded with a combination of firewalls, rootkit hunters, AV, good log policies, hardened toolchain and kernel, elimination of buggy and binary software, limitation of the physical access to the box (the others are just crap without this one, since any livecd can leave your box totally unprotected) and a few more techniques. Of course, it is not just that. For example, good logging policies are an invaluable tool when hunting for rootkits or invaders, but they are useless if you never look at them.

There are also many more advanced techniques like encryption, though those are oriented to personal security and not the casual virus/trojan infections.

----------

## Kasumi_Ninja

 *6thpink wrote:*   

>  *Aniruddha wrote:*    *anello wrote:*   If you are this paranoid that you think that the packager wants to take over your system, then you don't have a choice besides looking at the source code yourself.
> 
> PS: I'd advise against installing packages, especially binaries, from uncertain sources on mission critical systems.
> 
> Lol! I am just trying to understand. I don't see myself as paranoid. As an ex-Windows user I know it can be wise to scan software for viruses and trojans prior to installing. It is known to happen to Linux applications as well. For example a net-sniffing application that turns out to be a rootkit. How do I know beforehand if such a package is malware? Will scanning with clamav or f-prot suffice?
> ...

 

I've done some more research and found the Gentoo security guide very helpful in securing my Gentoo box: http://www.gentoo.org/doc/en/security/index.xml From my understanding it's just a question of enabling the right options in order to get a more secure Gentoo box. I have one question left though; which logs do you recommend to review regularly in order to see if something is wrong?

----------

## i92guboj

 *Aniruddha wrote:*   

> I've done some more research and found the Gentoo security guide very helpful in securing my Gentoo box: http://www.gentoo.org/doc/en/security/index.xml From my understanding it's just a question of enabling the right options in order to get a more secure Gentoo box. I have one question left though; which logs do you recommend to review regularly in order to see if something is wrong?

 

Well, all the logs related to net services are always relevant if you are connected to the net. Additionally, if you need support for modules in your kernel, the contents of /var/log/messages is very important while diagnosing a problem. The logs of clamav are also useful. And, of course, the logs of any server that you might be running, like CUPS, Apache, ssh... You get the idea. Basically, anything using a proper port might be vulnerable, even behind a firewall.
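An added example (not from the thread) of the kind of review suggested above: a small shell triage that counts failed sshd logins per source address in syslog-style lines like those found in /var/log/messages. The log lines are constructed for the example, the threshold is arbitrary, and the function names ssh_failures_by_ip and ssh_flag_bruteforce are this example's own.

```shell
#!/bin/sh
# Triage of sshd syslog lines: count "Failed password" events per source
# address and flag sources at or above a threshold. Example code, not part of
# any Gentoo tool. The sample log below is constructed; addresses are from
# the RFC 5737 documentation ranges.
SAMPLE_LOG=$(cat <<'EOF'
May 21 09:58:01 gentoo sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
May 21 09:58:03 gentoo sshd[4122]: Failed password for root from 203.0.113.7 port 51030 ssh2
May 21 09:58:05 gentoo sshd[4125]: Failed password for invalid user test from 203.0.113.7 port 51041 ssh2
May 21 10:01:17 gentoo sshd[4201]: Accepted publickey for kasumi from 192.0.2.10 port 40112 ssh2
May 21 10:03:44 gentoo sshd[4230]: Failed password for kasumi from 192.0.2.10 port 40120 ssh2
May 21 10:03:49 gentoo sshd[4231]: Accepted password for kasumi from 192.0.2.10 port 40121 ssh2
EOF
)

# ssh_failures_by_ip LOGFILE : print "count ip" for every source with failed
# logins, highest count first. The address is the field after "from".
ssh_failures_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# ssh_flag_bruteforce LOGFILE THRESHOLD : print sources with >= THRESHOLD failures
ssh_flag_bruteforce() {
    ssh_failures_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Run against the constructed sample when executed directly
tmp=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$tmp"
ssh_failures_by_ip "$tmp"
echo "flagged: $(ssh_flag_bruteforce "$tmp" 3)"
rm -f "$tmp"
```

A single failure from a known host (the kasumi typo above) is noise; a burst of failures for users that do not exist on the box is what the review is looking for.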

----------

## Kasumi_Ninja

 *6thpink wrote:*   

>  *Aniruddha wrote:*   I've done some more research and found the Gentoo security guide very helpful in securing my Gentoo box: http://www.gentoo.org/doc/en/security/index.xml From my understanding it's just a question of enabling the right options in order to get a more secure Gentoo box. I have one question left though; which logs do you recommend to review regularly in order to see if something is wrong?
> 
> Well, all the logs related to net services are always relevant if you are connected to the net. Additionally, if you need support for modules in your kernel, the contents of /var/log/messages is very important while diagnosing a problem. The logs of clamav are also useful. And, of course, the logs of any server that you might be running, like CUPS, Apache, ssh... You get the idea. Basically, anything using a proper port might be vulnerable, even behind a firewall.

 

Thank you for your quick answer!

----------

