I have a single desktop connected only to the internet. It's dual-boot: Fedora 18 and windows 7 home. In Fedora, it has more than one user id.
I skimmed/read through the Fedora 18 security guide, and much of the Fedora 18 installation guide and the Fedora 18 sys. admin. guide. As best as I can tell, the only thing that I need to do is make sure the default firewall is active as per this section of the security guide: http://docs.fedoraproject.org/en-US/Fedora/18/html/Security_Guide/sect-Secur... and make sure the system stays up-to-date ("yum" seems to be doing that). But my experience and understanding of computer security and sys. admin. are extremely poor and at beginner level. I'm assuming that what these guides say about multi-computer systems, LANs, WANs, servers, etc. does not apply to my system. Any thoughts or suggestions?
Windows has security essentials and malwarebytes scanning browser traffic to detect and block malware, and scanning the hard drive to find and remove malware. What does Linux have corresponding to that? I'm just about certain that my old Linux system is infected with working spyware. I'd like to have something like security essentials, malwarebytes, etc. on my new Linux system.
Thank-you in advance for your help. Bill.
On 03/21/2013 09:31 AM, William Mattison wrote:
Windows has security essentials and malwarebytes scanning browser traffic to detect and block malware, and scanning the hard drive to find and remove malware. What does Linux have corresponding to that? I'm just about certain that my old Linux system is infected with working spyware. I'd like to have something like security essentials, malwarebytes, etc. on my new Linux system.
It's extremely unlikely you'll have malware that affects the Linux stuff. To take care of that, install chkrootkit or rkhunter.
If you share files with your Windows installation, then use clamav to scan those files for malware.
Hello,
2013/3/21 Steven Stern subscribed-lists@sterndata.com: [...]
It's extremely unlikely you'll have malware that affects the Linux stuff. To take care of that, install chkrootkit or rkhunter.
If you share files with your Windows installation, then use clamav to scan those files for malware.
Adding to what Steven said, clamav only checks for Windows viruses, as there is no malware for Linux as far as I know.
As long as you install your software from reputable sources (i.e. Fedora repositories) and you keep it up to date you should be safe in that sense.
Make sure your firewall is properly configured and blocks all ports except the ones you need. There are online port scanners that can help you verify this.
Greetings, -- Jorge Martínez López jorgeml@gmail.com http://www.jorgeml.net
William Mattison writes:
malware. What does Linux have corresponding to that? I'm just about certain that my old Linux system is infected with working spyware.
I have never heard of spyware on Linux.
I'd like to have something like security essentials, malwarebytes, etc. on my new Linux system.
Security essentials, malwarebytes, etc.'s sole reason for existence is the fundamentally flawed technical design of the underlying operating system, namely the fact that it's a single user system, with the user having total access to all files and executables on the system. Although recent vintages of MS Windows have introduced concepts such as, supposedly, separate user and admin accounts, it works about just as well as a bandaid on a constantly bleeding wound.
Let's even hypothetically say there's an exploit in Firefox that can be used to inject executable code through a malicious web page; once running, the code will have no way to overwrite Firefox's binary executable and implant itself in Firefox, or any other operating system executable. As soon as you log out or reboot, it's gone. The scope of the damage is limited to wiping files in your home directory, and that's about it.
An actual infestation, that's similar in nature as it would be on MS Windows, would also simultaneously require an exploit in the Linux kernel itself. Although I do recall, offhand, a couple of kernel privilege escalation exploits that have come out at some point in the past, I can't recall more than 2-3 in the last 20 years, and they've generally been fixed up in a matter of days.
Probably the most that could be accomplished, on a persistent basis, would be browser-based spyware, a malicious Firefox plugin that installs itself. But that would stick out like a sore thumb, in about:plugins, and even if the plugin somehow manages to figure out how to corrupt Firefox, once it starts, to hide itself, it would still be trivially identifiable, and trivially disabled, like Firefox has recently auto-disabled certain malicious plugins.
Am 22.03.2013 00:56, schrieb Sam Varshavchik:
Even let's hypothetically say there's an exploit in Firefox that can be used to inject executable code, through a malicious web page, once running the code will have no way to overwrite Firefox's binary executable, and implant itself in Firefox, or any other operating system executable. As soon as you log out or reboot, it's gone. The scope of the damage is limited to wiping files in your home directory, and that's about it
this is a very naive point of view; you do not need to change system binaries
it is enough to place your executable in the user home, start it with the desktop and let it connect to a remote server to have a shell and break any privacy of the user
how many users would recognize such an intrusion?
On 03/22/2013 11:36 AM, Reindl Harald wrote:
Am 22.03.2013 00:56, schrieb Sam Varshavchik:
Even let's hypothetically say there's an exploit in Firefox that can be used to inject executable code, through a malicious web page, once running the code will have no way to overwrite Firefox's binary executable, and implant itself in Firefox, or any other operating system executable. As soon as you log out or reboot, it's gone. The scope of the damage is limited to wiping files in your home directory, and that's about it
this is a very naive point of view; you do not need to change system binaries
it is enough to place your executable in the user home, start it with the desktop and let it connect to a remote server to have a shell and break any privacy of the user
how many users would recognize such an intrusion?
OK! so how does one recognise such an intrusion? What should one look for?
Roger writes:
On 03/22/2013 11:36 AM, Reindl Harald wrote:
Am 22.03.2013 00:56, schrieb Sam Varshavchik:
Even let's hypothetically say there's an exploit in Firefox that can be used to inject executable code, through a malicious web page, once running the code will have no way to overwrite Firefox's binary executable, and implant itself in Firefox, or any other operating system executable. As soon as you log out or reboot, it's gone. The scope of the damage is limited to wiping files in your home directory, and that's about it
this is a very naive point of view; you do not need to change system binaries
it is enough to place your executable in the user home, start it with the desktop and let it connect to a remote server to have a shell and break any privacy of the user
how many users would recognize such an intrusion?
OK! so how does one recognise such an intrusion? What should one look for?
Well, for starters, if you see some mysterious executable file on your desktop, the last thing you will want to do is execute it. That's it.
Now, I suppose that this attack might work if the malware fscks around with your $HOME/.profile, and uses it to launch itself when you log in. But before anyone starts hiding under their bed, and cowering in fear: if this mode of attack even begins to gain any traction, the first time someone sees some malware doing crap like that, two things will probably happen:
1) Within 2-3 days the hole in Firefox will get patched, and pushed out.
2) The next release of every Linux distro will simply make the necessary arrangements to run Firefox under a separate UID that has no write privileges to your login account's home directory (and provide some meaningful way to have downloaded files go into the dedicated UID's own home directory, with read privileges that let you copy over any legitimately-downloaded files to your own desktop, securely).
It's simply not worth anyone's hassle to jump through their arseholes, in order to set up a walled-off Firefox that runs like this right now, because, frankly, this is not a problem as of now. But as soon as – if ever – Firefox on Linux gains enough mind share to present itself as a target for malware, and acquires a hole-ridden security rap sheet, with malware beginning to take advantage of that, and target Linux, then this is simply what's going to happen, and everyone will go back to sleep, again.
I started giving my wife, who knows zilch about computers, a series of Linux-running laptops almost ten years ago. She does whatever the hell she wants with it. Flash, browse whatever sites she wants (that reminds me, what I said re Firefox, above, applies equally well to Flash running inside Firefox), and her progression of laptops is yet to catch any malware.
So, calm down, and keep your shorts on.
I started giving my wife, who knows zilch about computers, a series of Linux-running laptops almost ten years ago. She does whatever the hell she wants with it. Flash, browse whatever sites she wants (that reminds me, what I said re Firefox, above, applies equally well to Flash running inside Firefox), and her progression of laptops is yet to catch any malware.
So, calm down, and keep your shorts on.
I was just curious, never concerned. I watch for unusual things in Fedora and Ubuntu on the family's laptops and my pc. Having never experienced such things, I was more curious about whether I had overlooked something. Thanks, Roger
Reindl Harald writes:
Am 22.03.2013 00:56, schrieb Sam Varshavchik:
Even let's hypothetically say there's an exploit in Firefox that can be used to inject executable code, through a malicious web page, once running the code will have no way to overwrite Firefox's binary executable, and implant itself in Firefox, or any other operating system executable. As soon as you log out or reboot, it's gone. The scope of the damage is limited to wiping files in your home directory, and that's about it
this is a very naive point of view; you do not need to change system binaries
it is enough to place your executable in the user home, start it with the desktop and let it connect to a remote server to have a shell and break any privacy of the user
how many users would recognize such an intrusion?
How many users will see some mysterious unknown executable on their desktop, and automatically execute it?
Am 22.03.2013 03:39, schrieb Sam Varshavchik:
Reindl Harald writes:
Am 22.03.2013 00:56, schrieb Sam Varshavchik:
Even let's hypothetically say there's an exploit in Firefox that can be used to inject executable code, through a malicious web page, once running the code will have no way to overwrite Firefox's binary executable, and implant itself in Firefox, or any other operating system executable. As soon as you log out or reboot, it's gone. The scope of the damage is limited to wiping files in your home directory, and that's about it
this is a very naive point of view; you do not need to change system binaries
it is enough to place your executable in the user home, start it with the desktop and let it connect to a remote server to have a shell and break any privacy of the user
how many users would recognize such an intrusion?
How many users will see some mysterious unknown executable on their desktop, and automatically execute it?
are you really that naive? why do you think it needs to be on the desktop and manually started? ~/.config/autostart/your-damned-code.desktop
the damage is limited to wiping files in your home directory, and that's about it
and BTW - the system can be reinstalled easily, your work data are not on a public mirror or install ISO
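The two user-level persistence spots named in this exchange (a launcher dropped in ~/.config/autostart, a line added to ~/.profile) are both things a user can audit without any anti-malware product. The script below is an added example, not code from the thread or from Fedora: it assumes POSIX sh with grep, sed and mktemp, builds a throw-away sample home directory (constructed data, not a real capture) with one normal and one suspicious entry of each kind, and reports autostart entries whose Exec= target lives in a user-writable place and start-up-file lines that background a program. The path heuristics and the list of start-up files are my assumptions, not a complete catalogue.

```shell
#!/bin/sh
# Added example (not from the thread): audit the user-level autostart hooks
# discussed above for entries that launch code from a user-writable place.
# Assumes POSIX sh plus grep, sed and mktemp. The audited home directory is
# passed as an argument so the same functions can run on a constructed sample
# (see build_sample_home) or on a real account ("$HOME").

# Report .desktop autostart entries whose Exec= target lives under the home
# directory, /tmp, /var/tmp or /dev/shm, or is a relative path. Distro
# packages install their launchers under /usr, so these stand out.
audit_autostart() {
    h="$1"
    for f in "$h"/.config/autostart/*.desktop; do
        [ -f "$f" ] || continue
        exec_line=$(sed -n 's/^Exec=//p' "$f" | head -n 1)
        target=${exec_line%% *}          # program path before any arguments
        case "$target" in
            "$h"/*|/tmp/*|/var/tmp/*|/dev/shm/*|./*|../*)
                echo "autostart: $f -> $exec_line" ;;
        esac
    done
}

# Report non-comment lines in shell start-up files that background a
# process (nohup, setsid, or a trailing "&"): a login script normally sets
# variables and does not spawn long-running programs.
audit_shell_rc() {
    h="$1"
    for name in .profile .bash_profile .bash_login .bashrc .xprofile; do
        f="$h/$name"
        [ -f "$f" ] || continue
        grep -HnE '^[^#]*(nohup|setsid|&[[:space:]]*$)' "$f" || true
    done
}

# Build a throw-away home directory with one benign and one constructed
# suspicious entry of each kind, so the audit can be exercised offline.
build_sample_home() {
    s=$(mktemp -d)
    mkdir -p "$s/.config/autostart" "$s/.cache/.x"
    # benign: the kind of launcher a desktop environment installs itself
    printf '[Desktop Entry]\nType=Application\nName=Network Manager Applet\nExec=/usr/bin/nm-applet\n' \
        > "$s/.config/autostart/nm-applet.desktop"
    # constructed: a launcher pointing at a binary hidden under the home dir
    printf '[Desktop Entry]\nType=Application\nName=System Update\nExec=%s/.cache/.x/updater --quiet\n' "$s" \
        > "$s/.config/autostart/update.desktop"
    # constructed: a .profile with two normal lines and one backgrounded program
    printf 'export EDITOR=vim\nPATH=$PATH:$HOME/bin\nnohup "$HOME/.cache/.x/updater" >/dev/null 2>&1 &\n' \
        > "$s/.profile"
    echo "$s"
}

# Count the lines an audit function printed (prints 0 when it found nothing).
count_findings() {
    grep -c . || true
}

# Demo on the constructed sample; pass "$HOME" instead to audit a real account.
sample=$(build_sample_home)
audit_autostart "$sample"
audit_shell_rc "$sample"
rm -rf "$sample"
```

Both checks are deliberately crude: they do not tell you whether a flagged program is malicious, only that something in your own account starts a program from a place distro packages never use. That is the question Roger asked, and it is answerable with ls and grep rather than a scanner.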
Reindl Harald writes:
Am 22.03.2013 03:39, schrieb Sam Varshavchik:
Reindl Harald writes:
Am 22.03.2013 00:56, schrieb Sam Varshavchik:
Even let's hypothetically say there's an exploit in Firefox that can be used to inject executable code, through a malicious web page, once running the code will have no way to overwrite Firefox's binary executable, and implant itself in Firefox, or any other operating system executable. As soon as you log out or reboot, it's gone. The scope of the damage is limited to wiping files in your home directory, and that's about it
this is a very naive point of view; you do not need to change system binaries
it is enough to place your executable in the user home, start it with the desktop and let it connect to a remote server to have a shell and break any privacy of the user
how many users would recognize such an intrusion?
How many users will see some mysterious unknown executable on their desktop, and automatically execute it?
are you really that naive? why do you think it needs to be on the desktop and manually started? ~/.config/autostart/your-damned-code.desktop
When you have some free time, you may want to read the rest of what I wrote, in that message.
Am 22.03.2013 11:52, schrieb Sam Varshavchik:
Reindl Harald writes:
Am 22.03.2013 03:39, schrieb Sam Varshavchik:
How many users will see some mysterious unknown executable on their desktop, and automatically execute it?
are you really that naive? why do you think it needs to be on the desktop and manually started? ~/.config/autostart/your-damned-code.desktop
When you have some free time, you may want to read the rest of what I wrote, in that message
i did read it
but it does not matter; your attitude "my system is secure by design" is the first step to falling. no complex system in this world is immutable and only the users who are aware of this will survive without damage over the long
the next ones after the windows-users who are falling currently are the naive and ignorant Apple users who still think they are immutable with their OS, and the only reason why the linux users are ahead here is that a majority is using their brain and because security fixes are pushed very soon, but the security updates will not help you much in the time-frame before, and many leaks are known by blackhats long before anybody considers fixing them
Reindl Harald writes:
Am 22.03.2013 11:52, schrieb Sam Varshavchik:
Reindl Harald writes:
Am 22.03.2013 03:39, schrieb Sam Varshavchik:
How many users will see some mysterious unknown executable on their desktop, and automatically execute it?
are you really that naive? why do you think it needs to be on the desktop and manually started? ~/.config/autostart/your-damned-code.desktop
When you have some free time, you may want to read the rest of what I wrote, in that message
i did read it
but it does not matter; your attitude "my system is secure by design" is the first step to falling. no complex system in this world is immutable and only the users who are aware of this will survive without damage over the long
No, you did not read what I wrote.
On Thu, 2013-03-21 at 07:31 -0700, William Mattison wrote:
I have a single desktop connected only to the internet. It's dual-boot: Fedora 18 and windows 7 home. In Fedora, it has more than one user id.
I skimmed/read through the Fedora 18 security guide, and much of the Fedora 18 installation guide and the Fedora 18 sys. admin. guide. As best as I can tell, the only thing that I need to do is make sure the default firewall is active
And what does a firewall do to help you? Acts as a barrier between outsiders and services on your computer that can be connected to. If you have no servers listening out for connections, there's little to worry about. It's far more important to set up any servers properly, than to just plonk a firewall up hoping that it'll do what you like. Especially if you're one of those people who keep on disabling the firewall to get some task done (who's then left all their badly configured services vulnerable while they did that).
What would be a listening server? People who install Apache or mail servers, to try them out (could be you, but we don't know, and they don't listen to the world by default). People who have NFS servers for file serving between machines (not you, by your description). People who have SSH servers running for remote access to a terminal (not needed by you, possibly, but we don't know if you're going to log in from the internet back to home, and I don't recall whether one's installed and running by default).
As for surprise exploits, you've got pretty much two vectors in Linux: Something wrong with the web browser. And users installing random software from the internet without due care. Neither of which a firewall is going to protect you from. Because such exploits are going to send out a connection, firewalls rarely stop outgoing connections, and any responses will be allowed through most firewalls for being *related* to an allowed outgoing connection ("related" connections are usually allowed to go through firewalls).
Hence, the importance of learning your software (what you have running, and how it's supposed to work), and not depending on magic firewalls.
In Windows the situation is similar, except that you have less control over the services that it may be running. There's a plethora of them, with little configuration options presented to the ordinary user. Hence the user reliance on firewalls. And people are prone to installing really bad software, hence the reliance on anti-malware of various kinds.
Am 22.03.2013 07:11, schrieb Tim:
And what does a firewall do to help you? Acts as a barrier between outsiders and services on your computer that can be connected to. If you have no servers listening out for connections, there's little to worry about.
aha - and you can be sure you have no open ports? be careful with such an attitude
* udp 0.0.0.0:4321 20106/java
* tcp 0.0.0.0:4321 20106/java
* tcp 0.0.0.0:10137 20106/java
guess what - this is from my development IDE
and i saw KDE-pre-releases with a lot of open ports listening on 0.0.0.0 before the 4.0 version - well now you can tell me all that should not happen - in case of security we have to face the truth or we go down
chkrootkit and rkhunter installed. Thank-you, Steve Stern.
nmap installed. Thank-you, Rahul.
automatic updating is on.
The old system (10 years old) was probably infected early summer 2011. Whether the spyware came from a bad web site via Firefox, or e-mail via yahoo e-mail (thru Firefox), or some other way, I don't know. As far as I know, no files that I've knowingly created have been changed or lost. But there's a definite uncanny correlation between e-mail that I write and spams and spoofs that I receive, both in timing and in content (judging by subject lines). There is almost certainly at least some sort of keystroke logger on this dinosaur. One of the main reasons for getting the new system is to solve this problem. (I was long overdue for an upgrade too.) Though the probability of infection is very small, I know from first-hand experience it's not zero. Better diligence and less laziness on my part can reduce that probability some, but I still would like something to detect and remove whatever slips through the cracks, and because I'm human.
I do not currently plan to connect to the new home system from the outside. But I may someday connect to work computers, clouds, etc. from home via ssh, vpn, etc. I will not be running a mail server, or any other kind of server, on my new system.
thanks, Bill.
--- On Thu, 3/21/13, William Mattison wcmattison@yahoo.com wrote:
From: William Mattison wcmattison@yahoo.com
Subject: Fedora 18 security questions.
To: users@lists.fedoraproject.org
Date: Thursday, March 21, 2013, 10:31 AM
I have a single desktop connected only to the internet. It's dual-boot: Fedora 18 and windows 7 home. In Fedora, it has more than one user id.
I skimmed/read through the Fedora 18 security guide, and much of the Fedora 18 installation guide and the Fedora 18 sys. admin. guide. As best as I can tell, the only thing that I need to do is make sure the default firewall is active as per this section of the security guide: http://docs.fedoraproject.org/en-US/Fedora/18/html/Security_Guide/sect-Secur... and make sure the system stays up-to-date ("yum" seems to be doing that). But my experience, understanding of computer security and sys. admin. are extremely poor and beginners level. I'm assuming that what these guides say about multi-computer systems, LANs, WANs, servers, etc. does not apply to my system. Any thoughts or suggestions?
Windows has security essentials and malwarebytes scanning browser traffic to detect and block malware, and scanning the hard drive to find and remove malware. What does Linux have corresponding to that? I'm just about certain that my old Linux system is infected with working spyware. I'd like to have something like security essentials, malwarebytes, etc. on my new Linux system.
Thank-you in advance for your help. Bill.