
Re: [OS:N:] Virus Protection?



On 8/25/05, Jay Scherrer <jay scherrer com> wrote:
> Linux has been designed with security in mind. But don't let that catch
> you off guard. One of my Windows users tells me that the reason Windows
> has more viruses is because Windows is more popular over Linux. If that
> is true, we should always be ready, just in case Linux starts getting
> more popular. 

You should always be ready. Period. But I should point out that UNIX
has been around longer than Windows, and people have had plenty of
opportunity to hack it. Good hackers and bad hackers. Linux is built
like UNIX in many ways, and is just plain old not as vulnerable.

The *real* reason Windows is attacked more often is that it is easy.
Do more people dig tunnels under Fort Knox, or steal candy bars from
the local store?

The majority of Windows attacks are written to exploit design issues
not present in Linux, but more importantly are spread by "script
kiddies" who are the 'Net's equivalent of Halloween pranksters. They're
not smart, they're bored and easily amused. Point them at a box where
they have to think about it, and they're quickly swept off.

> There have been several viruses unleashed against Linux
> such as rootkit, where these are designed to attack via sudo. The best
> practice is to watch your logs and possibly use a file logger like
> bastille, or tripwire. One area of security are core files. Core files
> are created when a program or daemon crashes due to some unexpected
> operation or bug. This core file is used for debugging and can contain
> information about your system and even your passwords. A Cracker might
> try to crash any number of programs such as Apache or Sendmail, just to
> get a hold of a core file. There are many scripts available that can
> check file directories for core dumps and zero length files.

Once a hacker is on your machine, they can run all sorts of nasty
stuff. And if you run as root and execute programs you can be tricked
into installing every little chigger they rolled into it. This is not
a flaw of either system in and of itself so much as a by-product of
"crunchy on the outside, soft and gooey on the inside" security
policies.

The big distinction is that on a Linux machine, darn little can be
done to root processes with a breached user account, and an even
bigger distinction is can the virus/worm propagate itself without user
intervention. In the past a hacker has been able to have an easier
time escalating their privileges within a "ring" of access, due to
what's called "discretionary access control". Under SELinux, for
example, it's "mandatory access control" and the rings are cut into
slices, so gaining access to Apache does not mean you can get access
to anything at Apache's access level. If the service does not ever
need to read a file, you can never read that file if you are running
as that service, same for writing, etc.

> A good source for learning about Linux security is the book "Hack
> Proofing Linux" by James Stanger and Patrick Lane. This discusses
> everything from the common tools you can use to how to protect against
> packet sniffers, those pesky little programs that watch your every
> keystroke over the web.

Also check out "Hacking Linux Exposed", stop running Windows, and get
a firewall.

--jeremy
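The core-dump sweep Jay describes, plus the limits that keep cores from being written at all, as an added shell example that is not part of the thread; the directory layout and file names it scans are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): sweep a directory tree for
# core dumps and zero-length files, and show the limits that stop core
# files from being written in the first place.

# List regular files named "core" or "core.<pid>", plus zero-length files,
# under the directory given as $1. One path per line, sorted.
find_core_and_empty() {
    find "$1" -type f \( -name core -o -name 'core.[0-9]*' -o -empty \) -print | sort
}

# Hardening: no core dumps for this shell and its children. The two
# commented lines make it system-wide and stop setuid programs dumping;
# both need root, so they are shown rather than run here.
disable_core_dumps() {
    ulimit -c 0
    # echo 'fs.suid_dumpable = 0' >> /etc/sysctl.conf     # requires root
    # echo '* hard core 0' >> /etc/security/limits.conf   # requires root
    ulimit -c    # prints the soft limit now in effect: 0
}

# Demo on a constructed tree so it runs anywhere without touching the system.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/var/www" "$d/home/jay"
    printf 'constructed core image\n' > "$d/var/www/core"    # crashed daemon
    printf 'x\n' > "$d/home/jay/core.1234"                   # user program
    : > "$d/home/jay/empty.txt"                              # zero-length file
    printf 'not a core\n' > "$d/home/jay/notes.txt"          # should not match
    find_core_and_empty "$d" | sed "s#^$d##"
    rm -rf "$d"
}

demo
```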

