# How protected am I?

## Galumph

As a guy who recently started using Gentoo, I don't have everything set up yet. Up until now I haven't been using an antivirus, and I was terribly careful about what enters my system. I did a quick search and found that Portage has an antivirus package, Clamav.

I'd like to know how effective this program is. Usually when software is open source it is much easier to find holes and exploit them. Is Clam as effective as they say it is?

----------

## gerard27

Clamav is meant to find Windows viruses only, afaik.

Linux is inherently safe unless you run a server.

There are two programs that can check for intrusions:

rkhunter and chkrootkit.

Both are in portage.

I've used Linux exclusively for years and never had any problem that could have been caused by a virus or malware.

Gerard.

----------

## MacGyver031

As long as you "never" work as root, you do not need to care about viruses. Unlike Windows, Linux is said to have a strict user-root differentiation.

Clamav is used to scan mail and other things where the server is a Linux system and the clients are Windows.

I have even forgotten that there are viruses because I have been using Gentoo for such a long time.

As you say, with open source it is easier to find bugs, but as long as there is a big community, those holes are closed even faster than they get found. A second theory says that every Linux system is unique (different kernel, different program composition, etc.), which makes it hard for a virus programmer to make one which could spread at a higher rate than it gets detected.

----------

## tomk

Moved from Other Things Gentoo to Networking & Security as it fits better here.

----------

## Galumph

So you guys are saying that Linux just doesn't /get/ viruses? I read that in a few other places, but it sounded too good to be true (Though, I'm a huge skeptic when it comes to these things). So, if I'm using Gentoo as a desktop, I don't require clam, or any other virus protection at all?

I'll look into rkhunter and chkrootkit anyway. Thanks. 

 *tomk wrote:*   

> Moved from Other Things Gentoo to Networking & Security as it fits better here.

 

Aye, sorry about that, I must have missed the security part.

----------

## gerard27

If you take the trouble to find out how Windows and Unix were designed, you'll find out why Linux is safe.

Gerard.

----------

## Jaglover

People strongly attached to Windows think viruses are something inevitable; they just come and infect your box. They don't realize that for a virus to work there has to be a security flaw to exploit. Windows has a long (long-long) list of unpatched flaws; this is the very reason why there are some 2 million pieces of every kind of evilware written for it.

In fact, anti-virus is no good as a primary defense because it works by blacklisting known threats. That's why so many viruses go undetected.

The first line of defense is the strength of operating system, this is what is completely missing in Windows.

Short answer, try to forget how you protect(ed) your Windows box. A Linux box, in particular behind a NAT router does not need anti-virus. Just never ever run your box as root.

----------

## Jimini

There exist just a few viruses for Linux systems; the chance to "catch" one is really marginal. Then, Linux systems - and Gentoo in particular - are mostly custom-built. And, as already said, you usually do not work as root, but as a user with just a few rights and permissions. So it is _very_ difficult for a "mainstream" virus to 1) find a security hole to break in and 2) gain enough rights to be able to destroy something or to steal data.

Just keep your system up to date; most of the security holes that are exploited today come via foreign software (Flash, browsers and so on).

Best regards,

Jimini

----------

## Galumph

Well in that case, I guess I can ignore threat protection. There is one thing I'd like to know though, how does working as root increase the chances of something messing with my system? I'm the one running root, not the virus. Does it access the root sessions or something?

 *gerard82 wrote:*   

> If you take the trouble to find out how Windows and Unix were designed 
> 
> you'll find out why Linux is safe. 
> 
> Gerard.

 

I might actually do that at some point.

----------

## Jaglover

 *Galumph wrote:*   

> Well in that case, I guess I can ignore threat protection. There is one thing I'd like to know though, how does working as root increase the chances of something messing with my system? I'm the one running root, not the virus. Does it access the root sessions or something?
> 
> 

 

When you are running a POSIX compliant operating system then you are not ignoring the threat.  :Smile:  On the contrary, you can say you are aware of threat and have taken measures.

If you run as root, all processes you initiate run as root. For instance, a web browser run as root, when it has a security flaw, will install a malicious piece of software because it is permitted for root, etc. The strength of *NIX starts with policy: default denied. Over many decades the permissions system has been refined to protect you. Running as root you'll trash all this in one fell swoop.

The root account is not a user account. You could say it is a butler. It will have the key when you, the owner of the mansion, don't have it. Just do 'su -' from a terminal, do what's necessary and follow up with Ctrl+D.

----------

## NeddySeagoon

Galumph,

Linux has its security flaws just like any other. It's not immune to viruses; it's just that the installed user base is small compared to Windows, so it is not targeted as much.

As others have said, most users run Windows as the admin user, so anything that does get in has the full run of the system. A lot of badly written Windows software will only run as the admin user. Linux has always been a multi-user system, so it has always been important to keep users apart.

Security comes in layers. It's not designed to keep others and malicious software out; rather it makes it more difficult for intruders and malware, so they target other systems. Your first line of defence is your firewall (iptables): only allow things to go out that you need, and only allow things to come in that you have requested, unless you are running a server. This approach keeps bad things out and, in the event that they do get in, makes it difficult for them to phone home.

Install Snort and monitor your logs - along with firewall logs, you can see what the internet is trying to do to you.

If you run sshd, disable root logins; that makes the password-guessing scripts' task harder, since they need to discover both a user name and a password.

Use strong passwords ... at least eight symbols, a mix of uppercase, lowercase, numerals and special symbols. No dictionary words. 

Lastly, Linux does not 'helpfully' automatically run email attachments; if you want to run a script or an executable file attached to an email, you have to save it and chmod +x it before you can run it. That makes you think about what you are doing. If you do this as root, such a file can do anything. If you do it as a normal user, it can trash your user account but not damage your install.

The more paranoid can run a hardened system, which makes compromise harder still.

How many layers of the security onion do you feel you need?

----------

## Galumph

Neddy is at it again, is there a thread you answer?  :Smile: 

 *Jaglover wrote:*   

> When you are running a POSIX compliant operating system then you are not ignoring the threat.  On the contrary, you can say you are aware of threat and have taken measures. 

 

Heh, well, that's one way you can put it...

root's a powerful little bastard, I'll keep him (it?) on an even tighter leash then. This stuff is very good to know, I'm confident I won't trash my system now.

 *NeddySeagoon wrote:*   

> How many layers of the security onion do you feel you need?

 

Well, considering the fact that this is just a plain desktop machine a 15 year old guy uses to learn programming/scripting, not much. I think I'll just stick to the little amount of security I have at the moment.

----------

## Jaglover

 *Galumph wrote:*   

> I might actually do that at some point.

 

http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linux/

Six years old, still makes good reading.

----------

## Muso

 *gerard82 wrote:*   

> If you take the trouble to find out how Winows and Unix were designed
> 
> you'll find out why Linux is safe.
> 
> Gerard.

 

++

----------

## Hu

To extend on the security advice given by NeddySeagoon: if you run sshd, consider disabling password-based logins entirely.  This sets an even higher bar for attackers, as now they must either find a bug to allow them to bypass authentication or obtain the private key of a user who has been granted login rights.

As a basic network security step, run netstat -ntl to see a numeric listing of all TCP listeners.  If you run netstat as root, you can add in -p to identify the program that owns the socket.  Loosely speaking, each listener is a potential attack vector.  Disable any listeners you do not need, so that you do not need to worry about whether a weakness is found in one of them.
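An added example, not code from Hu's or NeddySeagoon's posts, that checks an sshd_config for the two settings they recommend: root logins off (Neddy) and password logins off (Hu). The two sample configs are constructed so it runs stand-alone; the only assumption about sshd is the documented OpenSSH rule that the first occurrence of a keyword wins.

```sh
# Added example for this thread (not code from any post): check whether an
# sshd_config disables root logins (NeddySeagoon) and password logins (Hu).
# The two sample configs below are constructed for a self-contained run.

# sshd_option FILE KEYWORD  -> prints the effective value, lower-cased.
# OpenSSH uses the FIRST occurrence of a keyword, so stop at the first
# non-comment match; "#Keyword" lines never match because "#" stays in $1.
sshd_option() {
    awk -v key="$2" 'tolower($1) == key { print tolower($2); exit }' "$1"
}

# audit_sshd_config FILE
# Prints one "weak:" line per finding; returns 1 if any, 0 if clean.
audit_sshd_config() {
    rc=0
    v=$(sshd_option "$1" permitrootlogin)
    # Only an explicit "no" counts: "prohibit-password" still lets root in
    # with a key, and an absent keyword falls back to the compiled-in default.
    if [ "$v" != "no" ]; then
        echo "weak: PermitRootLogin is '${v:-unset}', want 'no'"
        rc=1
    fi
    v=$(sshd_option "$1" passwordauthentication)
    if [ "$v" != "no" ]; then
        echo "weak: PasswordAuthentication is '${v:-unset}', want 'no'"
        rc=1
    fi
    # With UsePAM, keyboard-interactive auth can still prompt for the Unix
    # password; turn it off too (newer OpenSSH calls it KbdInteractiveAuthentication).
    v=$(sshd_option "$1" challengeresponseauthentication)
    w=$(sshd_option "$1" kbdinteractiveauthentication)
    if [ "$v" != "no" ] && [ "$w" != "no" ]; then
        echo "weak: ChallengeResponseAuthentication/KbdInteractiveAuthentication not 'no'"
        rc=1
    fi
    # Key-only login still needs PubkeyAuthentication (default yes); only an
    # explicit "no" is a problem, and together with the settings above it
    # would lock everyone out.
    v=$(sshd_option "$1" pubkeyauthentication)
    if [ "$v" = "no" ]; then
        echo "weak: PubkeyAuthentication is 'no', key-only login is impossible"
        rc=1
    fi
    return $rc
}

# Constructed samples: a stock-looking config and a hardened one.
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
# Everything commented out, so the compiled-in defaults apply.
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
Port 22
EOF
cat > "$tmp/hardened.conf" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF

echo "== $tmp/weak.conf";     audit_sshd_config "$tmp/weak.conf"     || echo "-> fix before exposing sshd"
echo "== $tmp/hardened.conf"; audit_sshd_config "$tmp/hardened.conf" && echo "-> ok"
```

Point it at /etc/ssh/sshd_config on a real box. After editing the real file, `sshd -t` checks the syntax before you restart the daemon, and keep your existing session open until a key login from a second terminal succeeds, otherwise a typo locks you out. The reader above ignores Match blocks, so settings inside one are not seen.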

----------

## mokia

Some additional:

 *Galumph wrote:*   

> 
> 
> Well considering the fact that this is just a plain desktop machine a 15 year old guy uses to learn programing/scripting, not much. I think I'll just stick to the little amount of security I have at the moment.

 

File permissions. The most important thing when writing scripts.

Scripts that will be executed by the system as root, and are editable by normal users, are the biggest security hole in a Unix-like system.
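An added example, not code from mokia's post, that looks for exactly this: files in directories root runs things from which a non-root user could rewrite. The sample directory and scripts are constructed; on a real box pass /etc/cron.daily, /etc/cron.hourly, /etc/init.d, /etc/local.d and whatever else root executes, with "root" as the expected owner.

```sh
# Added example for this thread (not code from the post): list files that root
# would run but that a non-root user could rewrite. The sample directory and
# scripts are constructed; on a real box pass /etc/cron.daily, /etc/cron.hourly,
# /etc/init.d, /etc/local.d and whatever else root executes, with owner "root".

# find_unsafe_scripts EXPECTED_OWNER DIR...
# Prints every file or directory under DIR... that is group-writable (020),
# world-writable (002) or not owned by EXPECTED_OWNER. Any of those lets a
# non-root user put a command into something root will execute; a writable
# directory is just as bad, since the file can then be replaced.
find_unsafe_scripts() {
    owner=$1
    shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" \( -type f -o -type d \) \
            \( -perm -002 -o -perm -020 -o ! -user "$owner" \) -print
    done
}

# Constructed demo: two "cron" scripts, one safe and one anyone can edit.
demo=$(mktemp -d)
mkdir "$demo/cron.daily"
chmod 0755 "$demo/cron.daily"
printf '#!/bin/sh\ntar czf /root/backup.tgz /home\n' > "$demo/cron.daily/backup"
printf '#!/bin/sh\nfind /tmp -mtime +7 -delete\n'    > "$demo/cron.daily/cleanup"
chmod 0755 "$demo/cron.daily/backup"    # only the owner can change it
chmod 0777 "$demo/cron.daily/cleanup"   # anyone could append "rm -rf /"

# The demo files are owned by whoever runs this, so that is the expected
# owner here; for the real directories the expected owner is root.
find_unsafe_scripts "$(id -un)" "$demo/cron.daily"
```

The only line printed is the 0777 script. The same idea applies to your own scripts: keep them 0755 (or 0700) and owned by the user that runs them, and never let a root-run script source a file that your everyday user can write.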

----------

## NeddySeagoon

Galumph,

It's worth adding IPTables to your defences ... it's free in the kernel and there are any number of tools to help you write rules.

Be aware that it can be a double-edged sword. When network things don't work, it may be IPTables (the firewall) blocking traffic.
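An added example, not code from NeddySeagoon's posts, of what his rule of thumb looks like as an actual ruleset: a default-deny iptables configuration for a single desktop in iptables-restore format, letting out only what the box needs, letting in only replies to what it asked for, and logging the rest so the firewall log shows what the internet is trying to do. The outbound port list (DNS, DHCP, NTP, HTTP/HTTPS, rsync for emerge --sync) is an assumption for a Gentoo desktop, not something from the thread.

```sh
# Added example for this thread (not code from any post): a default-deny
# iptables ruleset for a single desktop, in iptables-restore format. The
# outbound port list is an assumption for a Gentoo desktop; add what your
# box really uses. Lines starting with "#" are accepted by iptables-restore.

desktop_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Local software talks to itself over loopback (X, CUPS, a local DNS cache).
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Inbound: only replies to connections this box opened, never new ones.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# DHCP renewals arrive from the server on port 68 and are not tracked reliably.
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
# Log what reaches us (rate-limited so the log stays readable); the chain
# policy then drops it.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-IN-DROP: "
# Outbound: the short list a desktop needs. Anything else is logged and
# dropped, which is what makes it hard for malware to phone home.
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443,873 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-OUT-DROP: "
COMMIT
EOF
}

# ruleset_policy CHAIN -> prints the chain's default policy (DROP for all three).
ruleset_policy() {
    desktop_ruleset | awk -v chain=":$1" '$1 == chain { print $2; exit }'
}

# apply_ruleset: parse-check first, then load. Needs root and the conntrack
# and LOG netfilter modules in the kernel. Not called when this file runs.
apply_ruleset() {
    desktop_ruleset | iptables-restore --test && desktop_ruleset | iptables-restore
}

# Running the file prints the ruleset so it can be reviewed or saved.
desktop_ruleset
```

Save the output to a file and load it with apply_ruleset (or `iptables-restore < file`), from the console the first time. When something network-related then stops working, `iptables -L -v -n` and the FW-IN-DROP / FW-OUT-DROP lines in the kernel log tell you whether the firewall is the cause, which is the double-edged sword Neddy mentions: every new program that needs a port shows up there first.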

----------

## aCOSwt

 *NeddySeagoon wrote:*   

> Install Snort and monitor your logs

 

BTW, which front-end would you advise ?

----------

## NeddySeagoon

aCOSwt,

Since before I had broadband in 2002, I've used Smoothwall on some old hardware.

That does it all for you, so I have never needed to write rules, just keep an eye on my logs.

Galumph,

Smoothwall is a distro that behaves as a network appliance.  When you install it it takes over the entire system. Don't try to install it beside your Gentoo.

I suppose you could run it in a Virtual Machine of some sort. I used to run it on a 200MHz Cyrix, with 64Mb RAM but its on a 600MHz Celeron now, since that was left over from something else and I couldn't get 4 network cards in the Cyrix box.

----------

## Galumph

 *mokia wrote:*   

> File permission. The most important thing by writing skripts.
> 
> Skripts that will be executed by the system as root, and are editable for normal users are the bigest security hole in a unix like system.

 

That's why I only chmod +x when in my user, if I've learned anything from this thread, it's this.

Ned, I'll look into firewall. I'm not a network type of person, I've never set a network up on my own, nor do I have any idea how they work. I liked the ease of setting a firewall up in Windows, hopefully it'll be the same in here.

 *Hu wrote:*   

> To extend on the security advice given by NeddySeagoon: if you run sshd, consider disabling password-based logins entirely

 

I don't see a need for sshd, but if I ever use it, I'd like to know what you mean by disabling password-based logins. I thought you can only log in with a username and pass.

----------

## mv

 *Galumph wrote:*   

> Ned, I'll look into firewall. I'm not a network type of person, I've never set a network up on my own, nor do I have any idea how they work.

 

The word "firewall" is a bit ambiguously used here. As I understand, Ned means to setup iptables. Well, if you do not listen to any ports (i.e. if you do not want to offer any services either to the internet or to your private net) you do not need such a script. To check that you did not start such services by accident, you can type (as root): 

```
netstat -tulpen
```

If it lists no services, or if all listed services have in "Local Address" only "127.0.0.1:some number", you are safe from this type of attack and need not care about iptables. If not, you should check how to set up the programs so that they listen only on the local address 127.0.0.1, or how to avoid starting the programs you do not want to run...

 *Quote:*   

> I liked the ease of setting a firewall up in Windows, hopefully it'll be the same in here.

 

If you mean some of those unhappy "personal firewall" programs: most of them are rubbish, especially when they are easy to set up. Setting up a reasonably secure system requires a lot of knowledge, especially under Windows.

 *Quote:*   

> I thought you can only log in with a username and pass.

 

ssh has many other possibilities for authentication. The most important is using an RSA (or a DSA) key instead of a typed password: if you configure sshd to allow only such keys and no other authentication method, then without the file containing the corresponding private key nobody can access your ssh (provided, of course, that neither ssh nor the kernel's IP stack has a bug allowing an exploit).

However, in practice, the most important security holes are things such as your web browser or other tools by which you access the net: if you access a "bad" website (which can also happen by an attack on the DNS lookup mechanism) then security holes e.g. in your browser or its plugins (if you have JavaScript, Flash or even Java or other similar things enabled) can give the attacker access as your local user. From there to obtaining root permissions it is often only a small step (by installing a trojan or even directly exploiting some bugs).
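An added example, not code from Hu's or mv's posts, that automates the check both of them describe: feed it the output of `netstat -tulpen` (mv) or `netstat -ntlp` / `ss -tulpen` and it prints every listener reachable from outside the box, that is anything not bound to 127.0.0.0/8 or ::1, and whether it sits on one address or on all interfaces. It goes a little beyond the posts in that it understands both netstat's and ss's column layouts. The two sample outputs are constructed.

```sh
# Added example for this thread (not code from any post): print the listeners
# that are reachable from outside the box, from "netstat -tulpen" or
# "ss -tulpen" output on stdin. Both sample outputs below are constructed.

# exposed_listeners  (reads netstat/ss output on stdin)
# Output: "<proto> <local address> <program> ALL-INTERFACES|ONE-ADDRESS"
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            # netstat: column 2 is the numeric Recv-Q, address in column 4.
            # ss:      column 2 is a state word (LISTEN/UNCONN), address in column 5.
            laddr = ($2 ~ /^[0-9]+$/) ? $4 : $5
            addr = laddr
            sub(/:[^:]*$/, "", addr)                     # drop ":port"
            sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # ss writes [::]:22
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only: fine
            scope = (addr == "0.0.0.0" || addr == "::" || addr == "*") ? "ALL-INTERFACES" : "ONE-ADDRESS"
            # netstat: last column is "PID/program"; ss: users:(("prog",pid=..,fd=..))
            prog = $NF
            if (match($0, /users:\(\("[^"]+"/))
                prog = substr($0, RSTART + 9, RLENGTH - 10)
            print $1, laddr, prog, scope
        }'
}

# Constructed "netstat -tulpen" output (run as root, so program names appear).
NETSTAT_SAMPLE=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      0          11001      1234/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          11002      1300/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      0          11003      1300/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          11004      900/dhcpcd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           0          11005      950/chronyd
EOF
)

# Constructed "ss -tulpen" output for the same box.
SS_SAMPLE=$(cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=1234,fd=7)) uid:0 ino:11001 sk:1
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=1300,fd=3)) uid:0 ino:11002 sk:2
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=1300,fd=4)) uid:0 ino:11003 sk:3
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhcpcd",pid=900,fd=9)) uid:0 ino:11004 sk:4
EOF
)

echo "== from netstat"; printf '%s\n' "$NETSTAT_SAMPLE" | exposed_listeners
echo "== from ss";      printf '%s\n' "$SS_SAMPLE"      | exposed_listeners
```

On the sample box CUPS and the time daemon are loopback-only and disappear; sshd on 0.0.0.0 and :: and the DHCP client on udp/68 are what the outside world can reach. The DHCP client has to listen, so the interesting question is the first one: if you do not need sshd, stop it (`rc-update del sshd`); if you do, bind it with ListenAddress or keep it behind the firewall. Run it live with `netstat -tulpen | exposed_listeners` as root.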

----------

## slackline

Overview of Linux malware

----------

## Jaglover

slack---line,

thanks, good reading. I recall I had a virus once, years ago. It was sitting in my browser cache, written for MS Java. 

http://www.linux.com/archive/feed/42031

----------

## Galumph

 *mv wrote:*   

> 
> 
> If you mean some of those unhappy "personal firewalls" programs: Most of them are rubbish, especially when they are easy to set up. To set up a reasonable secure system requires a lot of knowledge, especially under windows.
> 
> 

 

No, actually it comes with Windows. The application I was referring to is the firewall tool under the control panel, it asks you if you want to allow x to access the internet when you run it. They call it a firewall, and the icon looks like a big burning brick wall by default, so I'm guessing it is a firewall. 

 *mv wrote:*   

> 
> 
> However, in practice, the most important security hole are things as your web browser or other tools by which you access the net: If you access a "bad" website (which can also happen by an attack to the dns lookup mechanism) then security holes e.g. in your browser or its plugins (if you have javascript, flash or even java or other similar things enabled) can give the attacker access as your local user. From there to obtaining root permissions it is often only a small step (by installing a troyan or even directly exploiting some bugs).

 

This was actually my main concern, and the reason I started this thread. Is there something I can do about browser security holes?

 *Jaglover wrote:*   

> http://www.linux.com/archive/feed/42031

 

Entertaining. I didn't know people name their viruses.

I'll take a look at that malware article, and the rsa keys. Thanks guys

----------

## mv

 *Galumph wrote:*   

> No, actually it comes with Windows. The application I was referring to is the firewall tool under the control panel, it asks you if you want to allow x to access the internet when you run it. They call it a firewall, and the icon looks like a big burning brick wall by default, so I'm guessing it is a firewall.

 

A real firewall is more a concept and usually requires additional hardware. The Windows-internal "firewall" you are referring to is a port filter and can indeed be recommended. iptables is not that easy to set up (but is also much more powerful): you need some knowledge about the protocols (not only about the TCP/UDP ports, which is essentially the part you can set with the Windows "firewall", but also e.g. ICMP). Probably it is easier if you start with an existing script; there are also some frontends, but I know them only by name (to list them, see e.g. eix -cC net-filter). However, as mentioned, if you have no application listening on a port, you do not need to set up iptables anyway: in contrast to Windows, you are not required to run a service listening on some port to have a single computer working.

 *Quote:*   

> This was actually my main concern, and the reason I started this thread. Is there something I can do about browser security holes?

 

Create a separate user for the browser and other insecure things (and perhaps another user for a browser which you use for banking). Put that user only in groups which you definitely need. Do not put it in the "wheel" group and never log in as that user: only use a script which calls the browser with the permissions of that user by sudo/su (you have to give that user access to your X - either use PAM or some scripts to do this). Regularly clean the account of that user (in particular, remove ~/.profile and other files of that user to limit the risk of trojans).

----------

## Angrychile

I'm new to Gentoo and GNU/Linux in general, so I was wondering about what vulnerabilities the system has to viruses. I can imagine viruses can really do no harm unless they can get root access, but if I catch one, it can use my system to send out viruses and spam to other machines, right? What else is known about them?

A quick Google search yields that there are known Linux "viruses", but they are mostly harmless to the host system since root access is needed to do real harm. Any other details you guys can enlighten me with?

----------

## BradN

First, don't count on user isolation (needing root access) being sufficient to prevent bad things happening.  Obviously an exploit running as your user will have access to all the data your user has, but in addition, privilege escalation bugs are found from time to time (most recent I remember is the ksplice bug).  So if someone has a neat exploit that gets access to a user account, they might wait until they have a privilege escalation bug to use in conjunction to maximize their return before they unleash it.

With Windows you usually face attacks on html rendering, pdf rendering, and other data types that are accessed from a browser/mail client (as well as plenty of social engineering attacks that target plain stupidity).

These kinds of attacks aren't very common at all on linux, but there is room for some cross platform action with browsers like firefox that share their internal architecture with the windows versions.  Since different programs are usually exploited in slightly different ways even if the underlying bug is the same, attackers are often forced to pick a most likely target program and confine their attack to that.  So, even if an exploit is possible on windows and linux, it's likely the payload will only operate on windows.

What is more common on linux is brute force password attacks against sshd (pick good passwords), and attacks against web servers (if you're running one, make sure you know about proper string escaping and be aware of security problems found in web applications you host).

Personally I believe things like selinux and aggressive system security policies are more of a defense against targeted attacks than the "path of least resistance" style ssh scanning and things like that.  Of course if you are comfortable setting up extra security precautions, there's probably a marginal gain to be had in doing so.

Remember, you don't need to have your computer compromised to have your passwords compromised - as a general rule, use different passwords for all the websites you access (at the very least, use different passwords for critical accounts like email and online banking type stuff).  An enterprising asshat webmaster might try using your account password with them on your email account or other services, or your account details could be stolen if their site is hacked.

----------

## mokia

There is a good thread on this topic: https://forums.gentoo.org/viewtopic-t-836675.html

----------

## tomk

Merged previous three posts.

----------

## blackpredator

Would someone please talk English with me   :Rolling Eyes:  :

What are/is:

IP Tables?

sshd?

chmod +x ?

please if some one can help me with :

How do I create a limited-privilege user?

How do i check logs?

PS: @NeddySeagoon, @Jaglover: Very nice examples and explanation.

----------

## Jimini

iptables:

The Linux kernel is able to filter and to control TCP/IP connections. These connections are listed in tables, and these tables can be controlled by a frontend named "iptables". For example, you can deny any traffic from your machine(s) to one specific IP address, or route traffic from one port to another one, or forward traffic from your router to a machine in your network. It is a complex, but very powerful thing. 

For ARP-connections, you can use "arptables".

SSHD:

SSH stands for "secure shell". SSHD is the name of its daemon, the program on a machine which is running in the background and listening to incoming ssh-connections. With SSH, you can open a shell on a remote pc.

chmod +x:

"chmod" is a small program to change the attributes and permissions of a file. "chmod +x" sets the "executable" flag for a file - if you wrote a little script and want to execute it, you have to make this script executable first. Some scripts are executed as root, so they run with root's power. If these scripts can be edited by other users, some evil persons could add a destructive command to them.

For further information you can browse through the Gentoo wiki and Wikipedia - many commands and terms are explained in detail there.

If you want to know how to create a user account, please look at the official Gentoo handbook. 

Logging is a more complex thing - there are many logging daemons and a huge number of methods for analyzing your logfiles. If you are running Gentoo only on a private machine, reading logs with your favorite editor can be sufficient, until you want to analyze them in a more practicable way. In my first months with Gentoo, I did it that way.

Please correct me, if I made a mistake :)

Best regards,

Jimini

----------

## blackpredator

Thank you very much for your reply and time Jimini.

after reading your reply i did some search and i did find interesting stuff.thanks to you.

But still I am a bit unclear, like I want to program in C++; which software do I use to write the script in?

I am new to programming too. I think Gentoo is in C++ too, right?

I don't know what command to write to check logs, and can you please suggest me a good editor. Thanks

P.S. I'm an uber noob, I can't correct you (if that was for me  :Razz: )

THX

----------

## slackline

 *blackpredator wrote:*   

> Thank you very much for your reply and time Jimini.
> 
> after reading your reply i did some search and i did find interesting stuff.thanks to you.
> 
> But still I am a bit unclear, like I want to program in C++; which software do I use to write the script in?

 

C++ is a programming language rather than a scripting language (e.g. Bash/Awk).

 *blackpredator wrote:*   

> I am new to programming too. I think Gentoo is in C++ too, right?

 

No, Gentoo is a GNU/Linux variant.  It has a package management system called Portage that is written in Python.  The kernel (that gets hardware working with each other) is written in C, many of the essential tools from GNU that make the system useable are written in various different languages (including C and C++).  There are desktop environments that use Qt libraries (e.g. KDE) or GTK+ (e.g. GNOME/Xfce).  Then there are other tools written in Perl/Python/Ruby/php etc. etc.

Basically it's all very modular!

 *blackpredator wrote:*   

> 
> 
> I don't know what command to write to check logs, and can you please suggest me a good editor. Thanks
> 
> 

 

It depends on what you want to check the log of, and whether you've enabled logging, but look in /var/log/ to start with.  You can get the kernel ring buffer (events in the kernel) by typing 'dmesg'

----------

