Anti-virus Programs

David L Norris dave at webaugur.com
Thu Jan 29 05:05:19 UTC 2004


As for SMB/CIFS filesystems shared with Windows systems I use Clamav to
scan them.  This way Windows systems can't drop trojans in the shared
directories.  Clamav is horrendously slow but the virus database appears
to be very well kept.  It takes 3 DAYS to scan 60 GB of data on one of
my systems.  I will simply have to set up on-access virus scanning with
Samba-vscan or Dazuko at some point very soon.  Look here for some
interesting ways to use Clamav:
  http://www.clamav.net/3rdparty.html#pagestart


On Wed, 2004-01-28 at 21:59, Mitch Oliver wrote:
> Your best protection will always be to turn off unused services, 
> run a firewall, avoid buggy programs, and always use strong passwords. 
> Cracking is a much more clear and present threat to your Linux install than viruses will ever be.

Viruses and such are pretty rare.  Break-ins by actual human beings are
seemingly rampant among (arrogant) home Linux users (who have been
brainwashed into thinking their Linux system is invulnerable).  Over the
years I've helped more than a few people pick up the pieces after a
break-in on their Linux systems.  One was exploited through an unpatched
SSH vulnerability.  Dozens were broken into because of weak passwords
and drafty old services (SMTP, FTP, etc) set up to authenticate real
users who have remote shell access.  Mail and FTP servers are terribly
bad about allowing remote crackers to hunt and peck their way through
your user's passwords.

But poorly set up mail servers are possibly the worst because your
usernames aren't unknown to the remote user.  The cracker can poke
around your web server, mailing lists, Google, etc to find a couple of
email addresses on your machine.  Then he uses a script to bang on your
sendmail server until he finds a valid password for one of the users. 
He logs in via SSH or telnet, runs a root kit, and wipes the sendmail,
secure and last logs.  

In one such case I found the administrator had forced the user's
password to "password" and did not set the login shell to
/sbin/nologin.  (AllowGroups in /etc/ssh/sshd_config is also a good way
to combat unwanted remote logins.)  The user had not legitimately logged
in via SSH once since the account was created and would never have done
so if told she could.  The cracker logged in exactly once as that user,
wiped his entries from some logs, and used a rootkit to repurpose the
adm account for his own use.  He was very sloppy and even left behind an
extensive .bash_history.  He also missed the maillog entries showing all
of his password attempts against sendmail.  But nonetheless, he owned
that machine for several months before his buggy rootkit patches caused
enough filesystem corruption to make the system unstable/unbootable.

The chances that a rootkit will work should be greatly reduced with
Fedora Core if you've not disabled exec-shield.  Even so, I uninstall
all remote services (except SSH) from workstations, remove mail servers
from non-mail servers, firewall all non-essential ports, and restrict
SSH access to only those individuals who absolutely require it.

-- 
 David Norris
  http://www.webaugur.com/dave/
  ICQ - 412039
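The post above describes two things a defender can check for: repeated failed password attempts against the mail server that show up in maillog, and accounts that such guessing could expose because they still have an interactive shell (and no AllowGroups restriction in sshd_config). The script below is an added example, not code from the original post or from fedora-list, that correlates the two. The maillog line format is an assumption loosely modelled on sendmail's SASL AUTH failure messages; the sample log lines, passwd entries and sshd_config excerpt are all constructed.

```python
"""Correlate mail-server password guessing with shell-capable accounts.

Added example, not from the original fedora-list post.  The maillog line
format is an ASSUMPTION (loosely modelled on sendmail SASL AUTH failures);
all sample data below is constructed.
"""
import re
from collections import Counter

# Constructed maillog lines: four failures from one host, one from another,
# and one successful AUTH that must not be counted as a failure.
SAMPLE_MAILLOG = """\
Jan 28 21:40:01 mx sendmail[1201]: AUTH failure (LOGIN): authentication failure, user=alice, relay=[203.0.113.7]
Jan 28 21:40:02 mx sendmail[1201]: AUTH failure (LOGIN): authentication failure, user=alice, relay=[203.0.113.7]
Jan 28 21:40:03 mx sendmail[1201]: AUTH failure (LOGIN): authentication failure, user=alice, relay=[203.0.113.7]
Jan 28 21:40:04 mx sendmail[1202]: AUTH failure (LOGIN): authentication failure, user=bob, relay=[203.0.113.7]
Jan 28 21:40:05 mx sendmail[1203]: AUTH failure (LOGIN): authentication failure, user=alice, relay=[198.51.100.9]
Jan 28 21:41:00 mx sendmail[1204]: AUTH=server, relay=[192.0.2.20], authid=carol, mech=LOGIN, bits=0
"""

# Constructed /etc/passwd excerpt: bob is a mail-only user with /sbin/nologin.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/sbin/nologin
carol:x:502:502:Carol:/home/carol:/bin/bash
"""

# Constructed sshd_config excerpt in which AllowGroups is only a comment.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
#AllowGroups sshusers
"""

AUTH_FAIL = re.compile(
    r"AUTH failure .*user=(?P<user>[^,\s]+).*relay=\[?(?P<ip>[\d.]+)\]?"
)
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def count_auth_failures(lines):
    """Return (per_ip, per_user) Counters of failed AUTH attempts."""
    per_ip, per_user = Counter(), Counter()
    for line in lines:
        m = AUTH_FAIL.search(line)
        if m:
            per_ip[m["ip"]] += 1
            per_user[m["user"]] += 1
    return per_ip, per_user


def interactive_accounts(passwd_text):
    """Return {user: shell} for accounts whose shell allows an interactive login."""
    shells = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        user, shell = fields[0], fields[6]
        if shell not in NOLOGIN_SHELLS:
            shells[user] = shell
    return shells


def allow_groups(sshd_config_text):
    """Return the AllowGroups list from an sshd_config excerpt, or None if unset."""
    for line in sshd_config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split()
        if parts[0].lower() == "allowgroups" and len(parts) > 1:
            return parts[1:]
    return None


def report(maillog_text, passwd_text, sshd_config_text, threshold=3):
    """Users hit by >= threshold guesses who also have a shell, noisy source IPs,
    and whether sshd restricts logins with AllowGroups."""
    per_ip, per_user = count_auth_failures(maillog_text.splitlines())
    shells = interactive_accounts(passwd_text)
    exposed = sorted(u for u, n in per_user.items() if n >= threshold and u in shells)
    noisy = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {
        "exposed_users": exposed,
        "noisy_sources": noisy,
        "allow_groups": allow_groups(sshd_config_text),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_MAILLOG, SAMPLE_PASSWD, SAMPLE_SSHD_CONFIG).items():
        print(f"{key}: {value}")
```

On the constructed data, alice is reported as exposed (four failures and a bash shell) while bob is not, because /sbin/nologin means a guessed mail password does not yield a shell; the missing AllowGroups directive is reported as None so the administrator can see that sshd is not limiting who may log in.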