Arch Linux and anti malware?

Discussion in 'all things UNIX' started by zakazak, Aug 4, 2015.

  1. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Hey Trespasser,

    Yeah, that's one of the things I look forward to the most when using Linux... not having to worry about all that stuff anymore.. It's great. :)
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    With physical access, there's usually no need for a keylogger. Just boot into single-user mode and reset the root password.

    But that won't work with LUKS. Then you'd need a keylogger ;)
     
  3. Gitmo East

    Gitmo East Registered Member

    Joined:
    Jul 28, 2013
    Posts:
    106
    https://l3net.wordpress.com/projects/firejail/
    Firejail is a easy to use effective way to harden Linux web facing applications such as browsers, torrent clients etc. If your coming from windows think sandboxie.
    I know they aren't the same before I get shot down :rolleyes: but I think the OP may find this of value
    https://www.youtube.com/watch?v=xUW0L2Yj_us
    There is also a good thread in this subforum on firejail
     
    Last edited by a moderator: Aug 5, 2015
  4. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I couldn't find the source of the attack and which type of attack it is, so please disregard that information for now. I remember seeing it somewhere in Bruce Schneider's blog or some sort.

    Isn't the default option is to "Allow login as root - Yes" and then afterwards "Create a regular user account because it's not safe to use the root account"?
     
  5. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Not even that, but a simple evil-maid would suffice. That's why I keep a backup of both my MBR and /boot partition:

    # dd if=/dev/sda of=/home/mbr bs=512 count=1
    # dd if=/dev/sda1 of=/home/boot bs=512 count=2097152

    I then sha512sum these, upload them to numerous places, and hope that I never feel like I need to use them.

    PS: To find out how many sectors your boot partition has just do:
    # fdisk -l
     
  6. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    This is the screenshot of root password setup in Debian 8.

    debian-8-jessie-installation-steps-with-screenshot_1.png
     
  7. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    i never get any malware using windows, why ith would i get any using linux?

    only thing i would miss is all the free portable apps on windows side.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Didn't Debian push sudo at some point, maybe 2-3 years ago?
     
  9. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Not as I'm aware of. I've used Debian for.... IDK, almost 9 years? IIRC it's been always like that.
     
  10. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    This is not strictly pertinent to Arch but Mozilla just closed a zero day vulnerability that exposed Firefox users on Linux to having their passwords stolen.

    Just looking for some feedback on this from more experienced Linux users.

    https://goo.gl/cXeLnV

    On Linux, the crooks went for:

    • Global configuration files such as /etc/passwd. The passwd file no longer stores actual passwords but it lists all user accounts on the computer.
    • Files in user's home directories such as .bash_history,.mysql_history and .ssh files including private keys. Stealing your SSH keys could allow a crook to log directly into all the servers you use regularly.
    • Text files with names containing pass or access. These may contain plaintext secrets such as passwords.
    • All shell scripts. These may contain passwords or other confidential information that is needed to automate access to secure systems and services
     
  11. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    This isn't a Linux vulnerability per se, it's a Firefox vulnerability.

    Web Browsers are probably the worse security whole in a system, and that's why securing them is important. I would never be affected by this vulnerability because I have several add-ons that make it impossible to execute:

    * RequestPolicy
    * HTTPS-Everywhere
    * Disconnect
    * NoScript
    * uBlockOrigin
    * AdblockPlus

    Not to mention I don't accept cookies by default (not that this is realted to the vulnerability).
    And not to mention my VPN would make it hard for the attacker to know HOW to get to me. And even if he did, my Firewall would stop him at the moment.

    Also, these days passwords are store in /etc/shadow and not in /etc/passwd, and having the account name doesn't get an attacker very far, considering you actually know how to make good passphrases. And, even if the attacker did get a hold of the shadow file, the passphrases are hashed and not reversible, except for brute-force.

    So unless you type "this is my password" by accident on the Terminal and never change your passwords, or actually have your passwords store in text files, you're fine.
     
  12. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Thanks!
     
  13. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    So a few days have passed and it seems like there really arent many security tools out there. All I could find was more abd more proof of how linux isnt as secure as people would think...especially without any proper security software.

    One example i currentky have in a tab opened:
    https://embed.gyazo.com/c76d9a5e6569ff5407d1c8c774774ee5.png
    http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/

    This also refers to software running on the OS but is part of linux/windows for me.

    I will just give it a go and play around. Firewall is the most important thing to me and that is very well built-into linux.
     
  14. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Adding to what amarildojr already said: It's a good idea to sandbox Firefox with Firejail (already mentioned above). All profiles include the file /etc/firejail/disable-secret.inc:
    Code:
    # HOME directory
    blacklist ${HOME}/.ssh
    tmpfs ${HOME}/.gnome2_private
    blacklist ${HOME}/.gnome2/keyrings
    blacklist ${HOME}/kde4/share/apps/kwallet
    blacklist ${HOME}/kde/share/apps/kwallet
    blacklist ${HOME}/.pki/nssdb
    blacklist ${HOME}/.gnupg
    blacklist ${HOME}/.local/share/recently-used.xbel
    You'll see that important files and folders are already blacklisted. I've written my own ~/.config/firejail/myrules.inc file which has the following additional rules:
    Code:
    read-only ${HOME}/.config/firejail/*
    blacklist ${HOME}/.config/autostart
    blacklist ${HOME}/.kde4/Autostart
    blacklist ${HOME}/.kde/Autostart
    blacklist ${HOME}/.wine
    blacklist ${HOME}/.conky
    blacklist ${HOME}/.gramps
    blacklist ${HOME}/.dropbox
    blacklist ${HOME}/.dropbox-dist
    blacklist ${HOME}/.dropbox-master
    blacklist ${HOME}/Dropbox
    blacklist ${HOME}/.conkyrc
    read-only ${HOME}/.bashrc
    read-only ${HOME}/.bash_profile
    blacklist ${HOME}/.bash_history
    Firejail is very easy to apply and provides excellent security at the same time.
     
    Last edited: Aug 8, 2015
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I wonder why you're using Adblock Plus when uBlock Origin is much more efficient and powerful. I'd also suggest to replace RequestPolicy and Noscript with uMatrix which is more useable and flexible.
     
  16. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
  17. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    I have read enough linux fanboy posts in this forum. And I believe the thread you are refering to is one of them.

    A lot of people here just see and understand what they want to see and understand. And trying to discuss it with them is like trying to fit a hamburger into a cd player.
     
  18. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    uBlockOrigin doesn't block a few tracking things, specially like buttons on the following forum: http://forum.clubedohardware.com.br/

    Isn't uMatrix just for Chrome/Chromium? If so, no dice. I won't use, not even Chromium. Not after it pulled a closed-source binary that spied on the user.
    Seriously? After everything everybody has said to you, you still have that stupidity?

    Obviously proof and logic doesn't work with you.

    At least I won't miss you :p

    My gosh, for the first time, your quote is accurate!
     
  19. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    The general users do not even have read permission for /etc/shadow, so there is no way this type of attack can get the system password.

    A well-configured firejail without any other security layer, not even an adblock, would have thwarted all of this type of attack.
     
  20. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    BTW, umatrix is available for firefox also.
    https://addons.mozilla.org/en-us/firefox/addon/umatrix/

    Agree with you here.
     
  21. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    But this bug allows the attacker to execute a java-script within the user's browser and this enables the attacker to "grab" any file on the user's computer, basically working the same way as if you clicked to upload a file to a server.

    Nice! It seems very good! And it's licensed under GPL so that's also a Plus :thumb:
    I'll try it today.
     
  22. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    I just created two files--one text, one pdf-- and changed their permission to none--no read, no write, no execute--and then tried them to upload them to a remote server (my website is there) first by browser upload and then via FTP, they both failed.
     
  23. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    seems like the people you're arguing with know a lot more abt the subject than you do. just sayin
     
  24. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    You don't need any antivirus on GNU/Linux, seriously. 15$ exploit must be a scam. They are selling that kind of stuff for 15.000$ or more.
     
  25. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Yes, that is true. I tried uploading my shadow file to virustotal and it just wouldn't go.

    I'll test this with more sites to see if some can receive the file. If so, that should be kinda how the attacker was exploiting.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.