How can I get a Firewall for Linux???

Discussion in 'all things UNIX' started by cheater87, Apr 27, 2009.

Thread Status:
Not open for further replies.
  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi chronomatic,

    Malformed packets are a way of breaking past a hardware firewall's protection. I assumed there are many variations. If one is careless enough to surf as root, then the system could very easily be stealthed against detecting the presence of a rootkit - perhaps of the "blue pill" variety - reference Invisible Things Lab.

    Just because you are not aware of any Linux malware that is a threat in the wild does not mean there is none and that your system is safe from any.

    A very competent former OS colleague of mine told of not keeping his Linux distro up-to-date on security patches. He got infected with the SuckIt rootkit. He also learned a good lesson for his oversight.

    Redundancy has an honored place in engineering solutions to many problems in the real world. The idea of security is a multi-layered approach to protect the royal jewels from getting nicked. Depending on the value of the data being protected, the notion of wasting memory is not the central idea regarding security. Even if you are protected by hardware NAT that drops all packets, it is just as easy to drop malware from within a network via USB, or, for example, if you are confident about your wired access, but also run wireless that you haven't quite locked down, perhaps a neighbor could acquire the use of your computer through wireless channels and drop an egg on your system as a prank.

    It does look like you are well protected, so don't relax just because you are! There are always weak links with computers that connect - browser vulnerabilities that have yet to be discovered by the white hats which the black hats are pushing into the wild - they want your money and your identity.

    -- Tom
     
  2. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Exactly. IF one is careless enough to surf as root!

    Name one piece of Linux malware in the wild that is widespread. You can't listen to the AV companies like Symantec -- they constantly decry that Linux is entering a period of virus doom (and have been saying this for at least 10 years) but it has yet to happen. Why would Symantec do this, you ask? Well, as someone else once said, because naive Linux users have money too.

    A rootkit is not malware, it must be planted physically by an attacker who already has root access. If you have a rootkit on your system, you have been compromised through some other hole, thus the rootkit itself is the least of your problems.

    I still maintain that running a frontend for iptables on a machine that is already behind a dedicated hardware iptables firewall is superfluous. It isn't "layered," it is pointless.

    This scenario doesn't apply to the vast majority of home users. In the enterprise, yes, physical security practices need to be taken to ensure that a malicious employee doesn't reboot the system, run a livecd, and drop a rootkit. But if a malicious person has physical access to the machine (along with a liveCD to bypass the root restrictions) then it's game over anyway. But this malicious person must have a way of rebooting the system without anyone noticing. He cannot simply load a USB key into a running machine and drop malware on it. Why? Because he won't have root access to the machine.

    Doubtful that will happen to me. I run WPA2 Personal with AES and a 63 character random password, as well as MAC filtering, static DHCP, and I only allow 1 wireless connection to my router. I also only allow rsa key access to my ssh daemon and that can only be done locally. Telnet is turned off as well.

    Browser vulnerabilities don't have nearly the same effect on a *nix box as they do on Windows (where a browser exploit can result in your machine being pwned even without user interaction). If a browser exploit is utilized in Linux, the most it can do is affect the /home directory. And if you have a MAC or RBAC module enabled, it won't even be able to do that.
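The SSH posture chronomatic describes above (key-only access, reachable only locally) can be turned into a mechanical check of sshd_config. The following is an added example, not code from the original thread; it assumes a constructed sshd_config, OpenSSH's first-occurrence-wins rule for repeated keywords, and IPv4-only ListenAddress forms.

```python
import ipaddress

# Constructed sample sshd_config reflecting the posture described in the post.
SAMPLE_CONFIG = """\
Port 22
ListenAddress 192.168.1.10
PubkeyAuthentication yes
PasswordAuthentication no
"""

def parse_sshd_config(text):
    """Map lowercase keyword -> list of values in file order ('Key value' or
    'Key=value', comments stripped). Assumption: Match blocks are not modelled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line and " " not in line.split("=", 1)[0]:
            key, _, value = line.partition("=")
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        settings.setdefault(key.lower(), []).append(value.strip())
    return settings

def audit_sshd(text):
    """Return findings; an empty list means key-only, LAN/loopback-only access."""
    s = parse_sshd_config(text)
    def first(key, default):  # sshd honours the first occurrence of a keyword
        return s.get(key, [default])[0].lower()
    findings = []
    if first("passwordauthentication", "yes") != "no":  # OpenSSH default is yes
        findings.append("PasswordAuthentication is not 'no': password guessing possible")
    if first("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled: key-only login impossible")
    listens = s.get("listenaddress", [])
    if not listens:
        findings.append("No ListenAddress: sshd binds every interface, not just the LAN")
    for addr in listens:
        host = addr.split(":")[0]  # IPv4 'host' or 'host:port'; IPv6 forms not handled
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"ListenAddress {addr}: not an IP literal, locality unverified")
            continue
        if ip.is_unspecified or not (ip.is_private or ip.is_loopback):
            findings.append(f"ListenAddress {addr}: reachable from beyond the LAN")
    return findings
```

Run `audit_sshd(open("/etc/ssh/sshd_config").read())` on a real host to see which of the thread's claims its own config actually backs up.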
     
  3. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi chronomatic,

    ClamAV and BitDefender have Linux oriented signature based scanners + maybe even some heuristic scanning - I haven't used them much, but there is Linux malware out in the wild - we just don't hear much about it because:
    1) Windows gets most of the malware action - it's a Swiss cheese design for an OS
    2) Any Linux malware requires a lot more expertise, and to reveal a problem at a company it may be too embarrassing, so we tend to hear it after the fact

    The term malware is a general term that applies to a lot of bad intentioned software and it most certainly does apply to rootkits - like the misuse of the Sony rootkit to enforce DRM on CD recordings. The techniques are intended as malware.

    If you are infected with a rootkit - it is NOT the LEAST of your problems, but quite the opposite!!!

    I did explain that infections can occur from within a network via so-called trusted agents who use USB flash drives without being aware of the compromised files on them - so, layering is the POINT - to protect your data at all costs from compromise - and doing the right thing by backups, etc. Whatever it takes to protect your system.

    You don't know with 100% certainty whether a malicious person does or does not have the means to acquire root access - asserting that they categorically don't is naive!

    No matter how good you think your security may be - there is never a last exploit because they are always just around the corner! The push-pull of black-hat vs white-hat has no end-game in sight.

    -- Tom
     
  4. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Looks like the 2 Adobe Acrobat Reader 0-day exploits in the wild are Linux related:

    Ref: Two Adobe 0-day vulnerabilities.

    -- Tom
     
  5. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Nice. But I don't think in a practical sense any of us are using Adobe Reader for LINUX... we are more than likely using one of the options available from the repo.
     