Anti-virus is a flawed approach to security which came about because of flawed OSes (i.e. Windows). Unix was around long before Windows was and no one ran AV software on it; AV software only came into the mainstream because of Windows. The only real benefit to it on a *nix server is to protect client machines, i.e. scanning email or web pages before the user gets them. Linux has many better ways to protect your system that make anti-virus background scanning both obsolete and a waste of resources.

You have the basic things like mounting data drives, or other places users have permission to write to, with the noexec option. That way even if a user put a virus in his/her home directory they couldn't run it. You can also compile your kernel with all the drivers compiled into it and turn off module support. That way no one, not even root, could load a module into the running kernel. Also don't mount /boot at bootup; it should never be mounted anyways unless you are moving a new kernel image over to it or configuring your boot loader... not just for security but because if the server hard crashes and corrupts the /boot partition then you won't even be able to use the bootloader to get into your system to fix it. I guess you can always use a boot floppy or CDROM but why go through all that trouble when you can just add noauto to the /boot line in fstab.

As for compiling, don't put gcc onto production servers. If you need to compile something for a server then build a "build server" where you download source code and compile it for the server you need to run it on... then copy it over. This stops a few things: users can't compile their own rootkits, etc. on the server, and if the source code you are compiling has been compromised, like sendmail was a little while back, then you are only affecting your build server and not the production server.

If for some reason you really need to have gcc on the production server then at least make it so that only trusted users can use it, or in the case of Gentoo make it so that only root can use it. Then there are the things you mentioned: IDS, firewalls (can give a false sense of security as they only protect you from the outside), TCP wrappers. You can also check out the grsecurity section when you configure your kernel. It has many options to limit what users and even root can do to the machine, which brings up a valid point: the system should not always trust the root account. One that I can't stress enough: read the system logs on a regular basis!! (i.e. once a day). MD5s are good too but don't put all your trust in them; if someone can change the file then they may also be able to change the posted MD5 checksum.
Oh, and don't check your email as root :P

--
Trevor Lauder
Web: http://www.thelauders.net
E-Mail: [EMAIL PROTECTED]

Kevin Anderson said:

> Even if requested by root, files should be SCANNED before they're started. That would prevent the starting of a file which matched a known signature.
>
> I totally agree that Antivirus isn't a complete solution, but at the same time it isn't completely useless either. It helps. So does keeping a box up to date, so does Intrusion Detection, so do firewalls, so do even simple things like TCP Wrappers, or removing (and especially not running) programs/utilities that the machine doesn't need. Checking MD5s before compiling or installing something. They're all part of the puzzle. I think antivirus has its place, Linux or not.
>
> I've never played with, looked for, or experienced (to my knowledge) a *nix rootkit.
>
> I've played with a rootkit for Win2K. It was one of the coolest things I've ever seen. The one I saw (I've still got it here somewhere) was in beta, and clearly wasn't complete. It allowed me to "define" something that I installed (call it TrojanA) as one thing, but Windows saw it as something else (Notepad, for example). If I called Notepad, then Notepad would run. If I called _root_Notepad, then TrojanA would run. Task Manager saw me running Notepad. The executable was the same size as Notepad. A directory list said Notepad. Everywhere I could think of I saw Notepad. But it wasn't Notepad. Hands down, it was the coolest thing I'd ever seen on a PC. One of the scarier too. I'm surprised that this isn't abused at the corporate level to (for example) monitor employees more than it is.
>
> I think that Windows rootkits are rare because they're unnecessary. It's relatively easy to remotely take control of a Windows box. At least to the point of having it run something for you. Things like Dameware and Remote Task Manager show that quite clearly, although they (as legitimate utilities) want you to have a password before they'll run something. Back Orifice is the same deal, except that since the authors were (at that time) black hats, it's considered a remote exploit tool rather than a utility. I'd say I've played with more security tools than most. I think I know a fair bit about security in general but I wouldn't say I'm anywhere close to a guru. I'm still learning on the whole Linux thing, and generally I'm finding that I'm ahead of everyone I interact with on a daily basis (not so much on here, but I can't really ask ALL my questions here), so it's difficult to advance other than reading and playing myself. And at this point, most reading and playing is targeted at a specific purpose.
>
> The RPMs that I installed which broke my mail's web admin stuff were all done via up2date. Personally, I'd blame the mail software before I'd blame anything else. It's OK, but it isn't great. My guess is that it did something that wasn't exactly normal, and the RPM killed it when it saw something weird. When the admin tools stopped working, it wasn't REALLY broken, just some symlinks were gone that had previously been there. It was a stupid problem more than a serious one. I didn't even notice it for a few weeks, because the company's employee list is fairly static.
>
> Kev.
