Linux Security?

Discussion in 'all things UNIX' started by curious george, Nov 18, 2010.

Thread Status:
Not open for further replies.
  1. curious george

    curious george Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    218
    I know Linux doesn't need much (just a non dimwit user, and even then, you can get away with a lot IE:cousin), but I was looking around on some of the software packages, and noticed Linux has a firewall. Now, I'm not sure if this is needed, but I installed it anyway, along with another tool to ban IPs from guessing the wrong passwords too many times.

    Is all this necessary, or is this my obsessive compulsive windows disorder?
     
  2. katio

    katio Guest

    What distro do you use?

    Yes, it's absolutely necessary to think about security on Linux too.
    Smug Mac users are one thing but smug Linux users can be even worse. Linux is not magically secure and "M$" is not the source of all evil and exploits.

    Every Linux comes with a firewall built in, called iptables. It's a powerful tool but not exactly easy to use. But there are some front ends that make the job easier, for example ufw in Ubuntu, also already preinstalled.

    Firewalls aren't absolutely necessary. If you have no services running listening on any port you don't need one at all. You can check that with netstat
    like this (example, see man netstat for more):
    # netstat -utap
    If it says localhost, it's not listening on the network, just local system only. No need for firewalling that.

    If you are behind a router you are already firewalled against the internet. If you trust every device on the network you don't need a firewall either. I wouldn't, especially when there are more people on the network (I'm not even talking malice, just malware).

    You mention a tool to ban brute force attacks? They are usually used for ssh. Absolute necessity if you open that up to the internet. If you don't use ssh or similar you won't need it.
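
The check katio describes, as an added example that is not part of the original post: a filter over `netstat -utap` output that keeps only sockets accepting traffic from the network and drops loopback-only ones. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `netstat -utap` or
# `netstat -utapn` text on stdin and prints "proto local-address program"
# for every listener that is NOT bound to loopback only.
exposed_listeners() {
    awk '
        # TCP: only sockets in LISTEN state are servers.
        $1 ~ /^tcp/ { if ($6 != "LISTEN") next; prog = $7 }
        # UDP has no LISTEN state; the State column is empty for servers,
        # so the program name moves into field 6.
        $1 ~ /^udp/ { if ($6 == "ESTABLISHED") next; prog = $6 }
        # Skip header lines and anything that is not tcp/udp.
        $1 !~ /^(tcp|udp)/ { next }
        {
            host = $4
            sub(/:[^:]*$/, "", host)   # strip the trailing :port
            # Loopback binds are reachable from the local system only.
            if (host ~ /^(localhost|localhost6|ip6-localhost|127\.[0-9.]+|::1|\[::1\])$/) next
            if (prog == "") prog = "-"  # program is hidden without root
            print $1, $4, prog
        }
    '
}

# Constructed sample of `netstat -utap` output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost:ipp           *:*                     LISTEN      812/cupsd
tcp        0      0 *:ssh                   *:*                     LISTEN      640/sshd
tcp        0      0 192.168.1.20:51234      example.org:https       ESTABLISHED 2011/firefox
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN      812/cupsd
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      640/sshd
udp        0      0 *:bootpc                *:*                                 701/dhclient
udp        0      0 localhost:domain        *:*                                 655/dnsmasq
EOF
}

# On a real system: netstat -utap | exposed_listeners
sample_netstat | exposed_listeners
```

Anything this prints is what a firewall rule or a service config change (binding to localhost) would need to cover; an empty result matches the "no firewall needed" case in the post.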
     
  3. curious george

    curious george Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    218
    I installed them, figured rather be safe than sorry. I'm behind Salix OS, built off Slackware.
     
  4. DIgiDis

    DIgiDis Registered Member

    Joined:
    Oct 15, 2006
    Posts:
    49
    I think many people are migrating to Linux just for the peace of mind against malware. I think the combination of being behind a hardware firewall/router and regular disk imaging can be enough for anyone with safe browsing habits and a little computer savvy.

    For those that prefer to visit the more dangerous parts of the Internet, you can create limited user accounts like in Windows. This provides a little more overall system security.

    For those that just have to push the envelope, or want to test malware and anti-malware solutions, I would suggest installing VMware or VirtualBox and creating virtual machines for that stuff.

    Lastly, there is some AV software for Linux. I personally use Avast and it can also scan other partitions, like a Windows install, from within Linux. This is a good way to deal with infected Windows environments.
     
  5. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Netfilter is the actual piece of software in the Linux kernel to which the iptables rules are applied. All Linux distributions have both (in the kernel), however, not all initialize them with iptables rules.

    Also, hardware firewall/routers are insufficient to stop a determined cracker.

    -- Tom
     
  6. katio

    katio Guest

    That's a broad statement. In a server environment often there's really not much else needed than limiting all access to the LAN/trusted IPs.
    Of course you'll still want to follow best practice, good passwords, regular security updates, logging, least privilege policy and so forth, but in terms of security software you are probably already covered.
    If it's internet facing I'd always add a MAC system though.

    If we are talking about desktops, going by a risk based approach, what do you actually need? If that involves being a likely target for determined hackers that absolutely means a firewall is not enough. But I doubt any of you are.
    The question is, how many remote code execution exploits are in the wild attacking popular Linux (and up to date) software? Any at all?

    It's fun (at least I think it is) to come up with theoretical or poc attacks but we should always discern between real risks and possible scenarios.
     
  7. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    Can you provide examples of this?
     
  8. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    Even though I am behind a NAT router I went ahead and installed a simple firewall called gufw. I ran an AV a few years ago but all it did was show me dormant Windows malware harmlessly caught in the browser cache. I don't see any reason to waste resources on an AV now.
     


  9. katio

    katio Guest

    Suppose he was thinking of
    crafted pdf files (if you use Adobe Reader this actually is a real risk and there've been files in the wild designed to work on Linux, but who does use it?)
    java exploit (cross platform, that includes the nasties...)
    browser drive bys (firefox got a lot of holes, a few exploited in the wild, even less targeting *NIX)
    I think those are the major points of entry, but that only applies to desktop systems as I said above.
     
  10. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    katio & Nick:

    Specially crafted packets would do it for a specific target - and servers would not necessarily be exempt. Look at what Stuxnet did - very worrisome.

    curious george, et al.:

    For a list of some 2435 hits on Linux vulnerabilities check out the web site OSVDB - i.e. from the website's main page do a quick general search for: Linux, or even Linux Kernel (819 vulnerabilities).

    Still, by most measures, Windows is to swiss cheese as Linux is to parmesan - both can be grated, but Windows was not designed with security in mind which probably accounts for the massive number of security breaches (holes), while Linux was given at least a fighting chance by being more difficult to crack - but is not in and of itself non-crackable, but very much less vulnerable than Windows, and not without its own vulnerabilities.

    -- Tom
     
  11. katio

    katio Guest

    Yeah, that's what I meant, nothing to worry about for the ordinary user. They'll only encounter automated and widespread attacks. Those still don't target Linux desktops (although it wouldn't be such a difficult target contrary to popular belief).
     
  12. DIgiDis

    DIgiDis Registered Member

    Joined:
    Oct 15, 2006
    Posts:
    49
    It's kind of ironic that an OS that is open source, and therefore freely available to anyone to pick apart the code looking for vulnerabilities, is more secure than proprietary and closed source software like Windows.
     
  13. katio

    katio Guest

    http://en.wikipedia.org/wiki/Linus'_Law
    http://en.wikipedia.org/wiki/Security_through_obscurity

    You know, even more funny: The *BSDs are considered more secure than Linux (citation needed), they are open source too but have far fewer contributors AND money or resources.
    Personally I'm not too sure about that, there's some validity to the market share argument and more eyeballs simply means more bugs are discovered but they probably are there in *BSD too.
    Though OpenBSD really is a very secure code base. Most of the time is spent auditing code and fixing bugs; functionality, features and performance all come second.
     