
Firewalls & Anti Virus


Stryder


I was just wondering about security programs. Are there any firewall programs for Linux that are somewhat like Zone Alarm? And what about anti-virus software? I have heard some say you do not need it in Linux, but I find that a bit hard to believe. The one thing I liked about Windows was the sense (false sense?) of security I had knowing I had control over what was connecting to the internet and what was coming in from it, and that I was able to easily monitor it. And with virus protection running, I also felt better. I always kept my anti-virus up to date daily and ran full system scans twice a week on top of the constant monitoring that Norton did. Should I apply all of these same tactics in Linux as well? And if so, what programs do you guys suggest?


Your router, does that have a firewall?
It is a Linksys 4 port router. Not a true firewall, but it does offer some security. I am of the paranoid variety. I have walked among the devious and prefer to be prepared for the worst.

Stryder, are you running any services? Test your firewall at PC-flank; I'm a true believer in their tests! (read the posts in the linked thread) :blink: Bruno


Passed everything with flying colors, other than it said my browser gives out "referrer" information. That is not that big of a deal; at least all of the really important stuff is covered.


it said my browser gives out "referrer" information.
Stryder, that means it only tells what browser you use; it can even come in handy! Congrats with your SAFE system! :blink: Bruno

Running the PC flank tests now.
If you run the PC Flank tests with your Linky still in place, you're not really testing your Linux box. The NAT at the router will stop everything. I use a 4 port Linksys as well and pass every security test I try, but nothing ever shows up in my firewall logs, since the traffic is stopped by the Linky. Just my two cents. B)

Stryder: Our local LinuxSIG has spent several months testing Linux firewalls. Two popular ones are SmoothWall and I-Cop. These can be built in an old P-1 computer box with two NICs and placed between your LinkSys router and a hub or switch that feeds the local network. Another interesting solution is GuardDog, which configures IP Tables within a GUI browser page. These systems are all free. Other security solutions can be found on a special page on Distrowatch. Look at the top or bottom of the page for security distros. My project for this month is the EnGarde Linux Community Edition of a Guardian firewall. This one is really top-drawer. They sell a similar package for businesses and I'm impressed at how much better EnGarde is than the first ones mentioned above. EnGarde even includes Snort and TripWire in this distro to report on security probes and breaches. But hey, all these security systems work. You can learn a bunch probing yourself vs. using a Gibson or PCFlank check. For probing software check out NMap. There is a Linux client that operates from the command line and a very nice GUI Windows tool. You can't probe yourself, so you'll need a buddy to test your system (or do it from work). I agree we must treat Linux security as seriously as the Windows community. I'm not a Linux expert but I've learned lots about networking and Linux testing the systems above. Good luck and report on your solution.


Stryder, if all in-traffic is stopped at your router, and you don't run any services, then no more requests can reach your PC. How much more secure can you be? A hardware firewall is always better than a software one! B) Bruno


Stryder, can't help on the firewall, but this is not a bad, easily configured AV package that runs in the background: Clam AV. I think Bruno recommended it to me. :unsure:


Hey thanks quint, keep me up to date on how it works out for you.
Will do. B) One thing I've noticed already is that it starts at "bootup" and shuts down when you either re-boot or turn the machine off; guess I'm still being influenced by Windows, because I keep trying to run a total file scan, and haven't found out where - if you even can. :unsure:

Stryder & quint, I really HOPE that u guys don't login as r00t for daily use... IMHO, ClamAntiVirus is a joke simply because it does not scan for GNU/Linux virri since they don't exist. Let's do a study of this. Firstly, the virus database basically contains a listing of worms for Microsoft Windows. The following is an excerpt from the database:

VBS/Concon (Clam)=5753485368656c6c*575363726970742e5368656c6c*484b45595f4c4f43414c5f4d414348494e45
VBS/CoolNote.Worm (Clam)=5072696e7a20436861726c65732041726520446965*434f4f4c5f4e4f54455041445f44454d4f2e545854??766273
VBS/Eraser (Clam)=457261736546696c6573*46756e6374696f6e*46696c65546f4572617365*46696c65546f45726173652e70617468
VBS/Madonna (Clam)=4d61646f6e6e61*4a6164726171756572204b696c6c6572
VBS/Redlof-A (Clam)=45786563757465282244696d204b65794172722833292c54686973546578742226766243724c6626224b6579417272283029*45786563757465285468697354657874290d
VBS/SST (Clam)=43687228*4e657874*456e64*46756e6374696f6e*205b4b5d416c616d6172
W32/BadTrans (Clam)=6563*6179*46656213615361274672690054687500??9d5bfe576564005475656f172f
W32/Blakan (Clam)=20627920*67656e657261*74696f6e20766972757320
W32/Cervivec (Clam)=56746970*5769747a*626c6167*4a6f6b65*5a617274
W32/Gokar (Clam)=47006f0062006f00*7400650061006d00760069007200750073*4b006100720065006e
W32/Gop (Clam)=736d74702e796561682e6e65*2d20474554204f494351
W32/GriYo (Clam)=436f64656420627920477269596f*323941
W32/Hybris.C (Clam)=4000??????????????????????????83??????75f2e9????ffff00000000
W32/Hybris.D (Clam)=3629ced72a67a34a5c3812*6629ce072b67d34a5c6812*a29dfad81918d74c9fc09abf1968*1881c3040000004875f16800104000c3
W32/Magistr.B=0000??2e??????????0000ed????0000????0000????0000????00000000000000??0000*e804720000
W32/MyLife.E (Clam)=7a6172793230*40656d61696c2e636f6d
Now, for the analysis of W32/BadTrans from Symantec & CERT:

Symantec
http://securityresponse.symantec.com/avcen...trans.b@mm.html
W32.Badtrans.B@mm
Category 2
Discovered on: November 24, 2001
Last Updated on: May 05, 2003 08:40:58 AM
Also Known As: I-Worm.BadtransII [KAV], Badtrans.B@mm [Norman], W32/Badtrans.B [Panda], WORM_BADTRANS.B [Trend], W32/Badtrans-B [Sophos], W32/Badtrans.B@mm [F-Secure], W32/BadTrans@MM [McAfee], Win32.Badtrans.29020 [CA], Worm/Badtrans.B [Vexira]
Type: Worm
Infection Length: 29,020 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, UNIX, Linux

Thanks to them, they've even specified "Systems not affected: Linux".

CERT
http://www.cert.org/incident_notes/IN-2001-14.html
W32/BadTrans Worm
Release Date: November 27, 2001
Systems Affected
    * Systems running Microsoft Windows 95, 98, ME, NT, and 2000
Description
The W32/BadTrans worm attempts to use two known vulnerabilities to compromise systems and propagate.
The format of the MIME headers in an email containing W32/BadTrans attempts to exploit a vulnerability in Internet Explorer where certain MIME types can cause arbitrary code to be executed. For more information, including patch information, see
    CERT Vulnerability Note VU#980499
    http://www.kb.cert.org/vuls/id/980499
On systems that are patched for this vulnerability, the user may receive a confirmation message asking whether or not to execute the attachment. Running the attachment on these systems will still result in a compromise. Users should not execute programs in email attachments unless they exercise reasonable care to ensure that the attachments do not contain malicious code.
The filename in the email attachment of a W32/BadTrans infected email varies from message to message but always has two file extensions. By default, Windows may hide the true file extension from the user, as discussed in
    CERT Incident Note IN-2000-07
    http://www.cert.org/incident_notes/IN-2000-07.html
When the malicious program is executed, a copy is written as "Kernel32.exe" in the Windows directory.
  C:\WINDOWS\Kernel32.exe
    MD5 checksum = 0bf5eaeed25da53f85086767bcd86e5e
    Filesize = 29020 bytes
Kernel32.exe is executed and the originally executed file attachment is deleted from the system. Kernel32.exe may run as a system service on some versions of Windows, causing it to not be visible in the default system task list provided by Microsoft.
Kernel32.exe writes two additional files to disk in the Windows system directory.
  C:\WINDOWS\SYSTEM\kdll.dll
    MD5 checksum = c7ceb9fb63edc7fb7c7767f899ff5491
    Filesize = 5632 bytes
  C:\WINDOWS\SYSTEM\cp_25389.nls
    MD5 checksum = varies
    Filesize = varies
Reports indicate the "kdll.dll" file contains routines to record a user's keystrokes on the infected computer. The "cp_25389.nls" file contains logged keystrokes in encrypted form. Some reports indicate the contents of the log file are sent via email to a particular destination potentially causing sensitive information to be exposed.
Kernel32.exe sets a registry key to insure it is restarted when the computer restarts.
  HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32 = "kernel32.exe"
While running, Kernel32.exe checks this registry value approximately every 10 seconds to insure that it is set.
Reports indicate that W32/BadTrans sends copies of itself via email to addresses found in unanswered email or in files found on the computer system. Email messages generated and sent by W32/BadTrans have some identifiable characteristics.
    * During the SMTP conversation, the W32/BadTrans host will issue a "HELO AOL.COM" statement. This is generally visible in the resulting Received: header in the message.
    * The address in the From: header will have a '_' prepended to the sender's email address.
    * The MIME headers contain:
  Mime-Version: 1.0
  Content-Type: multipart/related;
      type="multipart/alternative";
      boundary="====_ABC1234567890DEF_===="
    * The body of the MIME message contains:
  --====_ABC1234567890DEF_====
  Content-Type: multipart/alternative;
        boundary="====_ABC0987654321DEF_===="
  --====_ABC0987654321DEF_====
  Content-Type: text/html;
        charset="iso-8859-1"
  Content-Transfer-Encoding: quoted-printable
  <HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
  <iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
  </iframe></BODY></HTML>
  --====_ABC0987654321DEF_====--
  --====_ABC1234567890DEF_====
  Content-Type: audio/x-wav;
        name="filename.ext.ext"
  Content-Transfer-Encoding: base64
  Content-ID:
Some reports in public forums indicate that a backdoor is installed by W32/BadTrans, however the CERT/CC has been unable to confirm these reports in our own analysis.
Under normal usage the environment for virri is not favourable and will never change even if GNU/Linux becomes widespread. Try editing/deleting system files in /etc/ or /usr/bin and c... Instead of installing the so-called 'virus-scanners' for GNU/Linux, it would be better to install an IDS. U'd get detailed info if critical/system files are changed and the severity level. Then again, it's a must-have if ur running services... Why have a false sense of security? 007
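The post above argues its point by reading the ClamAV signature excerpt: in that legacy `name=hex*hex` format each `*`-separated piece is a hex-encoded byte string and `??` is a one-byte wildcard, so decoding the hex shows what the rule actually matches (`WScript.Shell`, `HKEY_LOCAL_MACHINE`, and so on). The decoder below is an added example, not ClamAV's own code; the five signature lines are copied from the excerpt and the list of "Windows-only marker" strings is my own assumption. A rule whose decoded bytes are opaque binary is simply reported as having no readable markers; that says nothing either way about what it targets.

```python
"""Decode legacy ClamAV 'name=hexbody' signatures (added example, not ClamAV code)."""
import string

# Signature lines copied from the database excerpt in the post:
# '*' separates sub-strings, '??' matches any single byte.
SIGNATURES = """\
VBS/Concon (Clam)=5753485368656c6c*575363726970742e5368656c6c*484b45595f4c4f43414c5f4d414348494e45
VBS/Eraser (Clam)=457261736546696c6573*46756e6374696f6e*46696c65546f4572617365*46696c65546f45726173652e70617468
W32/Gokar (Clam)=47006f0062006f00*7400650061006d00760069007200750073*4b006100720065006e
W32/Gop (Clam)=736d74702e796561682e6e65*2d20474554204f494351
W32/MyLife.E (Clam)=7a6172793230*40656d61696c2e636f6d
"""

# Strings that only make sense in Windows code (assumption: my own short list).
WINDOWS_MARKERS = ("WScript.Shell", "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER",
                   "kernel32", "\\Windows\\", "WSHShell")

# Printable ASCII minus control whitespace; everything else is shown escaped.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def decode_hex_segment(segment: str) -> str:
    """Turn one '*'-separated hex sub-string into readable text.

    Printable bytes are shown as-is, '??' wildcards as '?', other bytes as
    \\xNN escapes, so a reviewer can see what the rule is looking for.
    """
    if len(segment) % 2:
        raise ValueError(f"odd-length hex segment: {segment!r}")
    out = []
    for i in range(0, len(segment), 2):
        pair = segment[i:i + 2]
        if pair == "??":
            out.append("?")
            continue
        byte = int(pair, 16)
        ch = chr(byte)
        out.append(ch if ch in PRINTABLE else f"\\x{byte:02x}")
    return "".join(out)


def parse_signature(line: str):
    """Return (name, [decoded segments]) for one 'name=hex*hex' line."""
    name, _, body = line.partition("=")
    if not body:
        raise ValueError(f"not a signature line: {line!r}")
    return name.strip(), [decode_hex_segment(seg) for seg in body.strip().split("*")]


def windows_markers(decoded_segments):
    """List the Windows-only marker strings present in a decoded rule."""
    joined = "".join(decoded_segments)
    # UTF-16LE strings (W32/Gokar) decode as 'G\x00o\x00'; also check a NUL-stripped copy.
    haystack = joined + joined.replace("\\x00", "")
    return [m for m in WINDOWS_MARKERS if m in haystack]


def analyse(db_text: str):
    """Map signature name -> (decoded segments, markers found)."""
    result = {}
    for line in db_text.splitlines():
        if line.strip():
            name, segs = parse_signature(line)
            result[name] = (segs, windows_markers(segs))
    return result


if __name__ == "__main__":
    for name, (segs, markers) in analyse(SIGNATURES).items():
        print(f"{name}\n  matches: {' ... '.join(segs)}")
        print(f"  windows markers: {markers or 'none readable'}")
```

Run it as a script to see each rule decoded; `analyse()` is what a script feeding the real database file would call.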

No, I do not run in root. I only access root when making changes that require root. Now as far as services go, what services would be considered unsafe? I do not run any web related servers of any kind. I checked the list of services that are running and the ones that start at boot. From the description given on the ones I allow, all of them seem needed for the operation of the OS. But I could be mistaken on one or two. This is my first "REAL" attempt at running Linux as an everyday OS and I am just wanting to make sure I do not leave myself open to exploits. I am Linux ignorant at this point. But that will be changing the more I use it. I have only had Linux installed for 2 days, and I figured the first place I should begin my education is security. Anyway, thanks for the insight on viruses in Linux. Oh, any ideas on a good IDS for beginners?


Hi Stryder, ur right on track! Good for a beginner. Can u just name what services u run? The trouble-makers, so to speak, are usually Apache, Sendmail, Exim; a PHP frontend cud be a culprit too, since PHP works with Apache etc. The de-facto IDS is Tripwire. Just one package needs to be installed. Apart from that u only have to configure a config file. It's usually set up when the system is first loaded with a distro so that a snapshot is taken, dumped into a database, and u can compare the daily integrity checks with it. Tell u what, get hold of the chkrootkit scanner. This one does check for UNIX, GNU/Linux based rootkits. 47 in all! http://www.chkrootkit.org/ :o


The services that are running are as follows:
atd
crond
cups
devfsd
dm
harddrake
internet
keytable
keyheader
linuxconf
netfs
network
ntpd
numlock
partmon
portmap
random
sound
syslog
tmdns
xfs
xinetd
The following are set to run at boot but are not currently running (NOTE: I did not personally stop them):
fam
rawdevices


Agent007, thanks for the info and your insight. Like Stryder, I don't login as root, nor have this machine set up to be a mail server, etc. Guess that I am instilled with the fear of attack from the outside world of sadistic PC users; a fear firmly embedded by our friends at MS. Just one more reason I am so enjoying this Linux experience. Have found the http://www.chkrootkit.org site very interesting. Thank you,

quint: You're welcome! The more u work with GNU/Linux, u'll understand the ins and outs in no time...... :unsure: And finally I'm sure u will just laugh at those anti-virus companies! ;) Stryder: As a security measure, shut down ntpd... I'll post a tut shortly on how to sync the time via a script which is run by a cron job. Apart from that everything is OK. Btw, why r u running portmap? 007 ;)


Portmap..... no reason that I know of. I did not start it myself. That was something the default set-up must have done.

Stryder, what you need to do is set up an IDS using SNORT. Here's a primer. I have another article from a magazine that I will dig up tonight.


Peachy, terrific place, wish I knew about it a few hours ago. Just installed ASPLinux, and one of the packages was "Tripwire". Having remembered that Agent007 suggested this to Stryder, I chose to install it. Everything appears to be fine, but I can't for the life of me find that program. :) Suppose it's there somewhere, but was wondering if I had to configure it or something. KPackage says it is installed, I have selected "show hidden files", but this is like finding WMD. B) Snort was also offered, but I did not know anything about it, so did not select it. B) Wonder if I could run both? B) Thanks,

The services that are running are as follows:
How do I find what services are running on my SuSE setup?
From a console type:
service --status-all | less
By piping the output to less, you can scroll through the long listing in the terminal window. Alternatively you could output to a file like so:
service --status-all > services.txt
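`service --status-all` tells you which init scripts think they are running; what the thread is really worried about (Bruno's "do you run any services?", and the portmap question) is which of them are actually listening for connections from the network. The script below is an added example, not part of the thread or of any distro tool: it reads `/proc/net/tcp` directly, the same table `netstat -ltn` uses, decodes the little-endian hex addresses, keeps only rows in the LISTEN state, and flags sockets bound to all interfaces rather than loopback. The sample table is constructed; the port-name table is a hand-picked subset of the standard IANA assignments.

```python
"""List listening TCP sockets from /proc/net/tcp (added example, not a distro tool)."""
import socket
import struct

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

# Constructed sample of /proc/net/tcp: portmap (111) on all interfaces,
# CUPS (631) on loopback only, and one established, non-listening connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 0100007F:8E4C 0100007F:0277 01 00000000:00000000 00:00000000 00000000  1000        0 1236 1 0000000000000000 100 0 0 10 0
"""

# Well-known ports relevant to the thread (standard IANA assignments).
PORT_NAMES = {22: "ssh", 25: "smtp", 80: "http", 111: "sunrpc (portmap)",
              123: "ntp", 631: "ipp (cups)"}


def decode_address(hexaddr: str):
    """'0100007F:0277' -> ('127.0.0.1', 631).

    On x86 the kernel prints the IPv4 address as a little-endian 32-bit
    hex number, so we repack it to get the dotted form.
    """
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<L", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_tcp(table_text: str):
    """Return [(ip, port), ...] for every LISTEN row in a /proc/net/tcp dump."""
    sockets = []
    for line in table_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        sockets.append(decode_address(fields[1]))
    return sockets


def describe(sockets):
    """Human-readable lines; sockets not bound to loopback are reachable from the LAN."""
    lines = []
    for ip, port in sockets:
        name = PORT_NAMES.get(port, "unknown")
        scope = "loopback only" if ip.startswith("127.") else "ALL interfaces"
        lines.append(f"{ip}:{port:<5} {name:<18} {scope}")
    return lines


def live_listening_tcp():
    """Read the real table on this host; returns [] where /proc/net/tcp is absent."""
    try:
        with open("/proc/net/tcp") as f:
            return listening_tcp(f.read())
    except OSError:
        return []


if __name__ == "__main__":
    table = live_listening_tcp() or listening_tcp(SAMPLE_PROC_NET_TCP)
    print("\n".join(describe(table)))
```

A daemon that shows up here as bound to all interfaces, but that you cannot name a reason for (portmap in Stryder's list), is the kind of thing to turn off; one bound only to 127.0.0.1 is not reachable from the router side at all.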

Snort needs to be bound to a NIC......

but I can't for the life of me find that program. ;) Suppose it's there somewhere, but was wondering if I had to configure it or something. KPackage says it is installed, have selected: "show hidden files", but this is like finding WMD. :( Snort was also offered, but I did not know anything about it, so did not select. :( Wonder if I could run both? :( Thanks,
Setting up snort is not *that* simple... It's also overkill for home users.... Since u've installed the tripwire package, login as root, open up the console or terminal and type this:
/usr/sbin/tripwire --init
After that is over, type this:
/usr/sbin/tripwire --check
007
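What `tripwire --init` and `tripwire --check` do, as Agent007 described earlier in the thread, is take a snapshot of the system files into a database and later compare the live tree against it. The script below is an added example that implements that cycle in miniature; it is not Tripwire's code. `init` walks a tree and records a SHA-256, mode and size per file into a JSON database; `check` reports files added, removed or modified since. The `etc/passwd` and `etc/hosts` files in `self_test()` are constructed in a temporary directory.

```python
"""Minimal Tripwire-style integrity check (added example, not Tripwire's code)."""
import hashlib
import json
import os
import sys
import tempfile


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map relative path -> [sha256, mode, size] for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and devices are outside this example's scope
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = [sha256_of(full), st.st_mode, st.st_size]
    return baseline


def init(root: str, db_path: str) -> int:
    """Like 'tripwire --init': write the baseline database, return the file count."""
    base = snapshot(root)
    with open(db_path, "w") as f:
        json.dump(base, f, indent=1, sort_keys=True)
    return len(base)


def check(root: str, db_path: str) -> dict:
    """Like 'tripwire --check': compare the live tree against the baseline."""
    with open(db_path) as f:
        old = json.load(f)
    new = snapshot(root)
    return {
        "added":    sorted(set(new) - set(old)),
        "removed":  sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def self_test() -> dict:
    """Build a tiny tree, baseline it, change it, and return the check report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as dbdir:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:   # constructed content
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        # Keep the database outside the watched tree, as Tripwire does.
        db = os.path.join(dbdir, "baseline.json")
        init(root, db)
        # Now change the tree: edit one file, delete one, add one.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("# edited after baseline\n")
        os.remove(os.path.join(etc, "hosts"))
        with open(os.path.join(etc, "extra.conf"), "w") as f:
            f.write("# new file\n")
        return check(root, db)


if __name__ == "__main__":
    if len(sys.argv) == 4 and sys.argv[1] == "--init":
        print(f"{init(sys.argv[2], sys.argv[3])} files recorded")
    elif len(sys.argv) == 4 and sys.argv[1] == "--check":
        print(json.dumps(check(sys.argv[2], sys.argv[3]), indent=1))
    else:
        print(json.dumps(self_test(), indent=1))
```

Usage: `python integrity.py --init /etc /root/etc-baseline.json` once, then `--check` from a daily cron job. The same caveat applies as with Tripwire itself: the baseline must be taken on a clean system and kept where an intruder cannot rewrite it, otherwise the check only confirms whatever state it was told to trust.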

Greetings! I'm new at Linux also. I recently installed Red Hat 9 on my PC. I am trying to shut down services I do not need running. I know Sendmail is running. There are probably others. I have an article that I downloaded off the net last year when I was contemplating Linux. The article says I need to edit /etc/inetd.conf to turn off any services I don't need. Apparently, that file is no longer used as I have no such file in /etc/. How do I go about disabling daemons and services I don't need? TIA, Borst
