Story: Linux Malware: Should we be afraid? (Total Replies: 39)
mikko353

Aug 13, 2013
6:37 AM EDT
>Are you afraid attackers break into your Linux boxes? Do you sniff and snort- ehr, your network, that is?

I am increasingly concerned. I run some network sniffing, but interpreting its output is cumbersome. I try to have a set of strong and frequently changing passwords, even if maintaining and remembering those is laborious.

>Do you scan for rootkits from time to time, and check md5-sums of executables against your "trusted-list"?

I do scan this and that now and then. I don't use PPAs and I never proceed if Ubuntu says "install these packages without verification y/n?"

>Do you consider one distro safer as another?

I have been wondering if it's more secure to use less popular distros (and browsers) because they are less attractive targets for the attackers. I have still continued using the more popular ones because I think that once the more popular one is compromised there is a higher probability that I hear about the problem in a more timely fashion, and also that there is somebody who addresses the problem somehow.

> What is your level of paranoidity?

Quite high. I have factored my system into paranoidity sectors where the most trustworthy machine is used only when the most sensitive work is to be done; I reinstall Ubuntu on that machine once a month or so. Additionally, that machine is one of the middle-aged ones, because my more recent machines have vPro (essentially a "HW backdoor") which I consider another risk.
hkwint

Aug 13, 2013
7:00 AM EDT
Thanks Mikko, interesting comment.

Indeed, logging is one thing; like you say, I think interpreting is more work than setting up the logging itself. I think it takes skilled persons to interpret the logs in the right way, and also to specify the right amount of logging. Like in syslog's error -- debug spectrum: error is too little and you miss things, debug may be too much, and you miss things because there's too much in the logs.

May I ask how you scan for rootkits? Do you run chkrootkit?

Not using PPA's and unverified packages also sounds like a good idea.

The comment about the less popular ones - I also contemplated the issue, at least about Firefox the vulnerabilities are well-documented and it's a well researched piece of software. When using more obscure ones you're basically in the dark.

Coming to think about it, Windows may as well be delivered by default with a script to reinstall the OS every month, ahem.
jdixon

Aug 13, 2013
7:08 AM EDT
> Coming to think about it, Windows may as well be delivered by default with a script to reinstall the OS every month, ahem.

That's pretty much the role imaging software and virtual machines fill.
djohnston

Aug 13, 2013
5:19 PM EDT
Quoting: Once more people use Linux, more attackers will try to write malware and exploits for it.


Of course. You go where the opportunities are. It's more applicable to web servers than home PCs. We live in an "insecure" world.

I admit that when I first read about the Hand of Thief exploit, alarm bells went off. It wasn't until I read that the author's suggested attack vector is social engineering that I felt some sense of relief.

(1) I am aware attackers might break into my Linux boxes.

(2) Yes, I occasionally scan the home network. The scanner(s) don't run all the time.

(3) rkhunter and chkrootkit are cron jobs on all my boxes that run once a day. I admit that I seldom run those tasks from a live CD, as I should. I also admit that I have ClamAV installed on all my boxes. I keep the definitions up to date, and occasionally run a full system scan. The effectiveness of doing so is debatable.

(4) No, I don't consider one distro as safe as another. Running a Puppy hard drive installation as user root is certainly not as prudent as running an OpenSuse or Mageia or Debian installation as a normal user. It can't be.

(5) I came to Linux full time as a result of drive-by infections in WindowsXP. Nothing downloaded and nothing installed. Just the result of visiting a web page hosting a Windows exploit. I simply got tired of dealing with them. The fully updated firewall/virus checker/browser hijack detector/etc. did not prevent all OS infections. I'm certainly not paranoid using Linux. But I don't throw caution to the wind, either. I know that a poorly written or configured app that faces the internet has every bit as large an attack vector as it would running on Windows, OSX or even OpenBSD. Nothing is 100%.

(6) The closest thing I have to a tinfoil hat is a cowboy hat with a metal band.

caitlyn

Aug 14, 2013
1:23 AM EDT
I've ended up using enterprise Linux distros at home and jazzing them up a bit with newer (often custom built) packages. I'm also about to play with the Fuduntu Enterprise Linux packages for the first time, again to jazz up the desktop. This desktop is the last holdout and I hope to have time to rebuild it tomorrow.

Why do I use RHEL clones? I don't need to worry about frequent updates. The tiny nine month support window for Ubuntu and derivatives is beyond insane. It's stable. Lately all three of the big ones (CentOS, Scientific Linux, Springdale Linux) have been pushing security updates out very quickly. Perhaps most important: I know how to lock it down good and hard because I do it for my customers all the time. Yes, I run SELinux everywhere now, yes I have network monitoring tools, and yes, I'm a security paranoid.

hkwint: I highly recommend a periodic run of chkrootkit. It's an excellent little tool.

djohnston: Excellent post. I also agree that all distros are not created equal. The incredible lack of security in Puppy and some other Linux distros is alarming at best. Other distros have the right foundation, but if they fail to get security updates out in a timely fashion they are also problematic from my point of view.

At this point I recommend sticking with the larger distros. Yes, I know some small ones do a very good job but if a key developer disappears for a time (or, in some cases, the only developer) then support goes right out the window. Of course, large does not have to mean corporate. Community distros like Debian and Mageia are plenty large enough.

My questions, I guess for Hans: Is paranoidity even a word? Are you, like Shakespeare before you, expanding the English language?
hkwint

Aug 14, 2013
9:09 AM EDT
DJohnston: Thanks for the comment.

Drive-by infections are also one of my reasons to use Linux. Moreover, in Linux it's easy to install high quality 'free' (as in beer) software without being hijacked into added malware, toolbars, or viruses (those you find in freeware). So actually lots of free software easily available is also very good from a security point of view, I guess. Not being able to download and run .exe's is a security feature of Linux, I'd suggest.

caitlyn: Interesting! Yesterday, I did some searching on "Hardened Ubuntu", but there's no official page for it I think; maybe for CentOS and Scientific Linux there is?

I'm no Shakespeare I'm afraid; my word inventions come from much less poetic sources.

Probably if you ever read "man nmap" you know about nmap timing policies you can set with the argument "-T", right? Those range from "5 / insane" to "0 / paranoid". So, I thought -T reflects the level of insanity, and if you negate it, the level of paranoidity. Never knew paranoidity is not a word yet. Interestingly, a Google-search shows up my own article on the first page! Who'd have thought...

kikinovak

Aug 14, 2013
2:01 PM EDT
"Paranoia" is sufficient. As in "sane level of paranoia".
caitlyn

Aug 14, 2013
8:04 PM EDT
I have yet to run into a client running Ubuntu. I have, tangentially, become aware of one or two businesses using it but, at least in the parts of the country where I have been, their penetration into the enterprise market or even small business is negligible. Red Hat is dominant, with smaller businesses and non-profits often choosing free Red Hat clones, mainly CentOS. SUSE is a distant second but is used very heavily by Texas government. Hosting companies and the like also use some Debian. For the enterprise that's it AFAICT in North America.

Regarding "Hardened (distro)", I'm not aware of off the shelf packages for anything like that. I think there was a Debian thing by that name that was really just Debian + a ready-to-go SELinux configuration and tools. What I meant to say was that with Red Hat I know what needs to be done to lock a system down from lots and lots of experience.
kikinovak

Aug 15, 2013
5:42 AM EDT
The French police force (Gendarmerie Nationale) is running Ubuntu LTS on their 90.000 desktop clients. Ubuntu Server LTS is also used by Online.net (a.k.a. Free.fr), one of France's biggest access providers and webhosting companies.
jazz

Aug 15, 2013
10:55 AM EDT
Quoting: Red Hat is dominant, with smaller businesses and non-profits often choosing free Red Hat clones, mainly CentOS.


I kind of see the opposite: more Debian & Ubuntu than CentOS & RedHat.

Here are some webserver statistics: http://w3techs.com/technologies/details/os-linux/all/all

Also, keep in mind that RedHat doesn't have a desktop offering, unless you call the Gnome 3 abomination a desktop. They also have no clue whatsoever how to distribute basic software such as video and wireless drivers, mp3, dvd and flash support. For anything interesting you have to go outside the normal repositories. I am not sure how SELinux is going to help you when you download your executables from a repo you found on the web.

hkwint

Aug 15, 2013
10:57 AM EDT
kikinovak: Thanks for your comment, fixed the article by replacing for "Paranoia".

I guess which distros are being run is also dependent on region. It's no big surprise that in the US the US-based distributions are popular, and in France not. This besides being a government body or not; the municipality of München runs their own version of Debian.

Caitlyn: Very interesting that there's no such thing as "Hardened from-the-shelf" as far as you can tell. I think my view was a bit distorted as I used Gentoo in the past: usually, if Gentoo has a manual for something, then other distros have that something "readily packaged" and available for download and installation.

I looked it up, and "Hardened Gentoo" indeed is not a "product" or something you download; it's more a project with some hardened packages available and some guides about how to tighten security. That's why I thought other distros might ship with a "hardened" or more secure variant. Please forgive my ignorance.

I would be interested to read how you lock down a Red Hat system!

Nonetheless, I still wonder what good it is to lock down my operating system and its root / suid and such, if most of my sensitive data passes through the web browser, which runs as user and has JavaScript running. Hmm, guess you need both 'secured'.
jdixon

Aug 15, 2013
11:32 AM EDT
> Also, keep in mind that RedHat doesn't have a desktop offering...

That's not quite true: https://www.redhat.com/apps/store/desktop/

However, they don't offer it as a prepackaged product or advertise it to any extent. So your point is largely valid.

> I am not sure how SELinux is going to help you when you download your executables from a repo you found on the web.

Actually, from what I understand of SELinux, I'd expect it to help quite a bit, by locking down the network access and file access the application has. Now, if you give the application additional access over the defaults, then that's another matter. Being a Slackware user, I haven't played with SELinux though, so my understanding may be incomplete.
jdixon

Aug 15, 2013
11:35 AM EDT
> I would be interested to read how you lock down a Red Hat system!

A Google search on "hardening red hat" will give you more information than you'll probably want. :)
jazz

Aug 15, 2013
12:01 PM EDT
Quoting: Actually, from what I understand of SELinux, I'd expect it to help quite a bit, by locking down the network access and file access the application had. Now, if you give the application addition access over the defaults, then that's another matter.


OK, I am a Debian/Ubuntu user. I've just installed Fedora. The only place I can get VideoLAN Client (VLC) with all the codecs is some place on the Internet. It was referred to me by Google; nowhere on the Fedora website is the place mentioned. The packages are executable code, lots of them. The SELinux profile is included in the VLC package.

What is wrong with this picture? You run executables found by Google, much like Windows users clicking on files received by email. Is there any way to secure a distribution that is not distributing the software you need?
jdixon

Aug 15, 2013
12:40 PM EDT
> ... Is there any way to secure a distribution that is not distributing the software you need?

Sure. Compile from the source. While even that can be subverted, it's a much harder process.
jdixon

Aug 15, 2013
12:56 PM EDT
However, jazz, allow me to offer a more complete analysis of your question.

I'm assuming you Googled Fedora VLC and found this article: http://sayaksarkar.wordpress.com/2013/06/04/installing-vlc-p...

If so, that points you to rpmfusion as a third party repository. Rpmfusion is in fact mentioned on the Fedora website, as can be confirmed at http://fedoraproject.org/wiki/Third_party_repositories

So while Fedora doesn't explicitly endorse rpmfusion, it does mention it as a possible source of software.
jazz

Aug 15, 2013
3:11 PM EDT
Quoting: If so, that points you to rpmfusion as a third party repository. Rpmfusion is in fact mentioned on the Fedora website, as can be confirmed at http://fedoraproject.org/wiki/Third_party_repositories


I guess I missed the Fedora website the last time I installed Fedora. This is why I prefer Debian: it has everything you need, mp3, dvd, flash, all supported in the standard repositories.
jdixon

Aug 15, 2013
3:53 PM EDT
> This is why I prefer Debian...

Well, it's hard to go wrong with Debian. If I ever have to give up Slackware, it'll be hard to choose between Arch and Debian.

kikinovak

Aug 15, 2013
6:02 PM EDT
> If I ever have to give up Slackware, it'll be hard to choose between Arch and Debian.

If I ever have to give up Slackware, I'd go with either CentOS or Debian.
Bob_Robertson

Aug 16, 2013
10:11 AM EDT
Debian: The Distribution on Everyone's "maybe" List.
Steven_Rosenber

Aug 16, 2013
12:23 PM EDT
I'm using Fedora now, and I'll grant that while RPM Fusion makes things easier from a multimedia/codec standpoint, it's not as easy to set up as Ubuntu or even Debian. Especially in Wheezy, Debian is easier to set up for multimedia than ever.

But Fedora can be set up for multimedia -- I have the RPM Fusion, Adobe and Google repositories in there to bring in the various bits (codecs and proprietary drivers; Flash; and the Chrome browser and Talk plugin, respectively).

Unfortunately my hardware "likes" Fedora more than anything else at the moment. However much you might hate the new Anaconda installer, it "understands" EFI better than anything else out there (or at least in terms of my HP laptop).
kikinovak

Aug 16, 2013
12:35 PM EDT
> Debian: The Distribution on Everyone's "maybe" List.

Debian is that slightly outdated pack of blueberry yoghurt that you can still eat in case you're too lazy going to the store and there's nothing else left in the fridge.
Steven_Rosenber

Aug 16, 2013
2:46 PM EDT
I regularly eat out-of-date yogurt, and it's totally fine.
hkwint

Aug 16, 2013
3:07 PM EDT
Hmm, I never had good experiences with Debian; I'm afraid Debian doesn't like me. Just like the yoghurt, it shouldn't remain unattended for too long. I mean, I give it the task to install, say, 30 packages, and then it asks all kinds of stupid questions about programs you never chose to install in the first place. Last time I looked, bringing in certain 'server' programs as a dependency if you're not going to use those server programs is not a good idea from a security standpoint. That's why I like Gentoo: compiling everything and distinguishing fires of programs who don't like each other is such a nightmare and tedious task that you strip out everything you don't use.

I think my last-resort option in the fridge security-wise is BSD. The right turning variant.

OK, it also has some servers configured by default, but at least it doesn't ask you questions about servers you don't know yet, and it just makes the safe choices for you. Besides, at least OpenBSD is much easier to install than _any_ Linux (and also FreeBSD) in my experience.
caitlyn

Aug 17, 2013
8:23 PM EDT
Wow, lots of misinformation, jazz. Let's start with your stats: most corporate servers are behind firewalls and can't be counted on the web at all. Debian has a significant presence in hosting companies as I've said before and that is what you are seeing. Do me a favor: look at any tech job board and tell me how many jobs there are for Red Hat, SUSE, Debian and Ubuntu. On a good day Debian and Ubuntu might add up to one in my area, while Red Hat has dozens. Web stats are totally useless for measuring the corporate market.

Also, Fedora is not Red Hat Enterprise Linux at all. It's the test bed masquerading as some sort of community distro. (There are community bits and pieces, but Red Hat's interest is as a test bed.) When I talk about free Red Hat clones I mean CentOS, Scientific Linux and Springdale Linux, not Fedora.

Red Hat Enterprise Desktop and Workstation use GNOME 2, not GNOME 3. I'll also put it to you that GNOME 3, as it exists today (not when it came out) is a decent desktop. Have you tried it lately, as in a really new version with the ability to operate like GNOME 2? You're confusing Fedora with Red Hat again, and they are about as similar as ice cream and turnips. Yes, both are foods. The comparison ends there.

For Red Hat and clones the EPEL (Extra Packages for Enterprise Linux) repository, maintained by the Fedora project (which is owned by Red Hat) adds the missing software quite nicely for most things. No need at all to go to miscellaneous repos in most cases. Others (like Atomic) have corporate backing and can be purchased with support and guarantees or used freely, your choice.

Ubuntu's support cycle (including LTS) is just way too short for most businesses. The main 9 month cycle is insane and has basically turned Ubuntu into a toy.
caitlyn

Aug 17, 2013
8:42 PM EDT
Quoting: The french police force (Gendarmerie Nationale) is running Ubuntu LTS on their 90.000 desktop clients. Ubuntu Server LTS is also used by Online.net (a.k.a. Free.fr), one of France's biggest access provider and webhosting company.

How nice for France. However, since my comment said: "For the enterprise that's it AFAICT in North America." it's kind of irrelevant.
kikinovak

Aug 18, 2013
1:09 AM EDT
irrelevant, adj.: 1) any technical decision not made by Caitlyn Martin 2) any Linux distribution not used by Caitlyn Martin 3) any country not inhabited by Caitlyn Martin 4) any political view not shared by Caitlyn Martin 5) more generally, any person not being Caitlyn Martin.
jazz

Aug 18, 2013
8:02 AM EDT
Quoting: Let's start with your stats: most corporate servers are behind firewalls and can't be counted on the web at all. Debian has a significant presence in hosting companies as I've said before and that is what you are seeing.


At least we're getting somewhere. We both agree there are more Debian & Ubuntu web servers out there than CentOS and RedHat. Do you have any statistics to substantiate your other claims? Anything published? Articles? Maybe some blog posts? Google has difficulties finding them.

Quoting: Do me a favor: look at any tech job board and tell me how many jobs there are for Red Hat, SUSE, Debian and Ubuntu.


If it was so obvious, why aren't more people talking about it? Google must be broken.

Quoting: Red Hat Enterprise Desktop and Workstation use GNOME 2, not GNOME 3.


I guess everybody knows that, and it doesn't mean anything as far as this discussion is concerned. You are off topic.

Quoting: Also, Fedora is not Red Hat Enterprise Linux at all.


Off topic again. Who said Fedora and RHEL are the same thing?

Quoting: It's the test bed masquerading as some sort of community distro. (There are community bits and pieces, but Red Hat's interest is as a test bed.)


Who cares? I definitely don't. They can call it whatever they want. It is like the TV commercials.

Quoting: I'll also put it to you that GNOME 3, as it exists today (not when it came out) is a decent desktop. Have you tried it lately, as in a really new version with the ability to operate like GNOME 2?


It failed to get any kind of traction with the general public; this is why they reverted to classic mode. It is a monumental failure: they spent 3 years developing it, and it was for nothing.

Gnome 3 doesn't come close to Gnome 2. It has fewer features than even XFCE or LXDE. Nobody in his right mind will run his business on Gnome 3. RedHat figured that out: people will not pay for Gnome 3, and this is why they brought in Mate in F19.

Quoting: Ubuntu's support cycle (including LTS) is just way too short for most businesses.


I would not presume to know what is short or what is not short for businesses. 12.04 is supported until 2017, I think it is reasonable. https://wiki.ubuntu.com/LTS

jdixon

Aug 18, 2013
11:20 AM EDT
> We both agree there are more Debian & Ubuntu web servers out there than CentOS and RedHat.

I doubt that's true. I'd guess that at best it's a 50/50 split. Anyone have any actual studies to point to giving the actual percentages?
caitlyn

Aug 18, 2013
5:56 PM EDT
The only numbers I have are sales numbers, and, of course, they show Red Hat way out front because you don't buy Debian. However, contrary to jazz's claim, I gave a very clear way to substantiate what I said, which is to look at tech job boards. Now, try looking at them directly, rather than through Google and you will see precisely what I mean.

The rest kind of falls to the level of trolling and baiting. jazz said that Red Hat has no desktop unless you count GNOME 3 and I pointed out that Red Hat doesn't use GNOME 3. Suddenly that's "off topic". Hmmm... I talked about Red Hat, jazz responded with facts about Fedora, I pointed out that Fedora is not Red Hat and then jazz asks who ever claimed they were the same. Hmmm.... As far as presuming what's long enough for business, Red Hat went to ten years support because seven was just too short. SUSE did the same. I'm not presuming, but the real enterprise distros certainly are. It's called customer feedback. Five years simply does not cut it in the joke.

kikinovak: Sorry to tell you this, but despite what French people think, France is not the center of the universe and it is irrelevant to the North American market. I realize anytime I don't post a Slackware commercial it bothers you, but, sorry, some of us have to live in the real world.
jazz

Aug 18, 2013
6:44 PM EDT
OK, we are discussing security here, at least this is the subject of the article. So, according to caitlyn, RedHat is the most secure distro in the world because:

1. RedHat makes lots of $$$

2. If there are jobs, who cares about statistics.

3. Gnome 3 is a desktop.

4. RHEL is supported for 10 years.

5. French people are whatever...

This is supposed to make RHEL a very secure distro, and her arguments are definitely on topic.
jdixon

Aug 18, 2013
8:31 PM EDT
>The only numbers I have are sales numbers, and, of course, they show Red Hat way out front because you don't buy Debian.

The perennial problem for community distros. :( I expect Debian has a significant market share, even in businesses, but I have no idea what the percentage might be, or how to determine it.
kikinovak

Aug 19, 2013
2:22 AM EDT
Caitlyn: When the peacock spreads its feathers, what do you see in the middle of all this colorful glory?
kikinovak

Aug 19, 2013
3:10 AM EDT
@admin: Does this forum have a functionality to filter out selected posters? While I do enjoy reading most of the articles and posts on LXer, I'm growing tired of Miss Caitlyn Martin's toxic rants. I fear this won't stop until every single reader on LXer a) switches to RHEL b) activates SELinux c) despises Slackware for its lack of seriousness and d) agrees Edward Snowden should be court-martialled for high treason. Chances this happens anytime soon are rather thin.
notbob

Aug 19, 2013
10:01 AM EDT
Kiki, yer best score file is yer brain. ;)
thenixedreport

Aug 19, 2013
1:14 PM EDT
Bringing this back on topic, I've come to realize that the biggest security issue is going to be the individual user. Yes, tools such as SELinux exist, but like Kevin Mitnick has argued, social engineering can bypass those measures, hence it's important to train the user to defend against suspicious activity and conversations (i.e. never give passwords or other crucial information over the phone, etc... etc...).
kikinovak

Aug 19, 2013
1:31 PM EDT
Working in a school or a college is an excellent security training for any sysadmin. Once you've setup a network for hordes of 16-20-year-olds, I guess you can brace yourself for any malevolence under the sun. Their chief concerns are usually a) watching and downloading porn b) get receipts for some homegrown weed c) bypass the Internet filter d) hack the teacher's accounts and delete their data e) hack into the online platform to change their test results f) deface their buddies' accounts with Justin Bieber and/or hardcore porn background images g) download mobile phone ringtones over the school's internet connection so the school has to pay, etc. etc.

After this job, I guess I'll take a project with the Russian mafia for relaxing :o)
jdixon

Aug 19, 2013
1:47 PM EDT
> After this job, I guess I'll take a project with the russian mafia for relaxing :o)

It probably pays better. :)
DrGeoffrey

Aug 20, 2013
6:30 AM EDT
Quoting: > After this job, I guess I'll take a project with the russian mafia for relaxing :o)

It probably pays better. :)


But, beware the retirement plan may be short.
hkwint

Aug 23, 2013
7:01 PM EDT
Quoting: How nice for France. However, since my comment said: "For the enterprise that's it AFAICT in North America." it's kind of irrelevant.


True, and totally off topic, but nonetheless, however irrelevant, still interesting to see how this is different from region to region.

To test said hypothesis, I just searched a few job forums in NL / FR / IT / DE / UK, and guess what: for the first four, there are more jobs for Debian / Ubuntu (those two combined) listed than for Red Hat, while in the UK it's close.
