Little help from some people with some general Linux/*nix knowledge.

Discussion in 'other security issues & news' started by Comp01, Jul 1, 2006.

Thread Status:
Not open for further replies.
  1. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    I am wondering what everyone's opinion is on rootkit hunter (http://www.rootkit.nl/) anyone else use it? Does it test out? (Sorry, I'm fairly new to *nix, using Ubuntu 6.06 right now.)
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Hello,
    You really should not worry about malware on Linux.
    Mrk
     
  3. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    The best thing to secure linux in my opinion is to shut off some unnecessary services and to implement iptables. There is virtually no malware itw for linux, and the only fear you have is someone actually taking control of your system and messing with your files.

    Cheers,

    Alphalutra1
     
  4. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    What? :rolleyes:
     
  5. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    There IS malware in the wild for Linux. There are very sophisticated rootkits; they have been around for many years as well.
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Hello,
    Please ... It takes talent to get infected in Windows. You need to be a genius to get infected in Linux.
    Mrk
     
  7. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    There is no doubt that it's easier to get infected in Windows.

    Still, if one misconfigures Linux and never patches anything (more patches come out for your regular Linux distro than for Windows), it takes nothing to get "infected" in Linux as well. The only difference is that most people who attack Linux are bound to perform dedicated manual attacks against it, instead of automated attacks.

    Linux/BSDs are more secure than Windows out of the box, but there are other reasons as well for them being less prone to attack. Linux users are also usually more technically skilled and less naive than Windows users, because the Unix environment is harder, more documented, and more technically approachable in its inner workings. Also, in the Linux/BSD world, anything that's not open source is regarded as suspicious, and for that exact reason anything adware or spyware would never be able to live and prosper, ever.
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Hello,
    Agreed. You actually support my point ...
    There's the matter of root privileges, without which getting something on a system is hard. Then, if you take my favorite Linux - SUSE, it has a firewall, it has AppArmor, it has "automatic" system updates, getting rooted would be like undergoing a spearmint-flavored enema. A definite reason to start over ... :)
    Mrk
     
  9. bktII

    bktII Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    224
    Perhaps if one never installs software outside of the packages provided by the Linux distro, one should not have to worry about rootkits. This process is very well protected with checksums. However, one can always add URLs to the list in yum, apt-get, etc. for package installs and updates. This is how I got vlc media player that enables me to play Windows streaming media files in Linux. Is the same level of protection applied in this case?

    Also, for example, if you use a Debian-based distro, you may need software that does not have a supported *.deb package. You can alienate a *.rpm file and, sometimes, generate a *.deb file that will install. I have had mixed success both with the alien command as well as the *.deb files it has generated. You can build an executable with ./configure, make, etc. I have done this a few times.

    I do not download software from sites that I do not know and trust. But if a site does not provide a checksum value for their files, how can you be sure the site has not been hacked? Here is a short-list of files I have downloaded for installation on linux (as an example only):

    ggobi-2.1.2.tar.bz2 (data visualization software)
    RealPlayer-10.0.7.785-20060201.i586.rpm (media player)
    saga_2.0b_051019_wxgtk.tar.gz (geographic information system or GIS)
    netbeans-5.0 (Java IDE) ** Correction: This did have an md5 value **

    My recollection is that no checksum values were provided with this short-list of downloads.

    To be safe, I do occasionally run scans with rkhunter and chkrootkit. They have not found anything to date. Here are some links to linux rootkit-related articles:

    "How to scan your Linux-Distro for Root Kits" here:

    http://www.howtoforge.com/scan_linux_for_rootkits

    An online discussion of the previous article here:

    http://digg.com/linux_unix/How_to_scan_your_Linux-Distro_for_Root_Kits_2

    "How do I scan my Linux system for rootkits, worms, trojans, etc.?" here:

    http://www.howtoforge.com/faq/1_38_en.html

    However, if I ever do get rooted, same as windows, restore the last partition image. Open-source Linux disk imaging software, Partimage, here:

    http://www.partimage.org/Main_Page

    This may be overkill for desktop linux (I have turned off all services I do not need and have very conservatively configured my /etc/hosts.allow and my /etc/hosts.deny files), but I choose to not let my guard down. I also have a router and use the Firestarter front-end to IP tables.

    Finally, if security is not an issue for Linux, why are there so many linux security web sites? And why is there SO MUCH OPEN SOURCE security software for Linux? Unlike most MS Windows OS security vendors, there is no financial gain for the linux open source security software providers. Is this software for Linux servers only?
     
    Last edited: Jul 1, 2006
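    The question above about downloads that come without a published checksum is worth making concrete. The script below is an added example written for this thread, not something posted by bktII or shipped with any of the tools named: it checks an archive against a vendor's digest list and, importantly, treats a file with no listed digest as unverifiable rather than as fine. The function names (verify_download, report) are my own, and the "downloads" it creates are constructed stand-in files that only borrow the archive names from the post; it assumes GNU coreutils (md5sum, sha256sum) and the usual "<hexdigest>  <filename>" list layout.

```shell
# Added example (not from the thread): verify a download against a published
# digest list, and fail closed when the list has no entry for the file.
# Assumes GNU coreutils md5sum/sha256sum and "<hexdigest>  <filename>" lines.

# verify_download FILE CHECKSUM_LIST
#   exit 0 : a digest for FILE is listed and matches
#   exit 1 : a digest is listed but does not match (corrupt or tampered)
#   exit 2 : no usable digest for FILE (unverifiable; do not install)
verify_download() {
    file=$1
    sums=$2
    name=$(basename "$file")
    # A vendor list may cover many archives; take the line naming ours.
    line=$(grep -E "[[:space:]]\*?${name}\$" "$sums" 2>/dev/null | head -n 1)
    [ -n "$line" ] || return 2
    expected=$(printf '%s\n' "$line" | awk '{ print tolower($1) }')
    # Pick the algorithm from the digest length: md5 = 32 hex chars, sha256 = 64.
    case ${#expected} in
        32) actual=$(md5sum "$file" | awk '{ print $1 }') ;;
        64) actual=$(sha256sum "$file" | awk '{ print $1 }') ;;
        *)  return 2 ;;
    esac
    [ "$actual" = "$expected" ]
}

# Constructed demo data: a stand-in "download" and a vendor SHA256SUMS list.
DEMO_DIR=$(mktemp -d)
printf 'stand-in for a real tarball\n' > "$DEMO_DIR/ggobi-2.1.2.tar.bz2"
( cd "$DEMO_DIR" && sha256sum ggobi-2.1.2.tar.bz2 > SHA256SUMS )
# A second archive for which the vendor published no digest at all.
printf 'another stand-in\n' > "$DEMO_DIR/saga_2.0b_051019_wxgtk.tar.gz"

# report FILE: print the verdict for one archive and pass its code through.
report() {
    rc=0
    verify_download "$DEMO_DIR/$1" "$DEMO_DIR/SHA256SUMS" || rc=$?
    case $rc in
        0) echo "$1: digest matches, safe to unpack" ;;
        1) echo "$1: DIGEST MISMATCH, discard the download" ;;
        *) echo "$1: no published digest, cannot be verified" ;;
    esac
    return $rc
}

report ggobi-2.1.2.tar.bz2 || true
report saga_2.0b_051019_wxgtk.tar.gz || true
# Simulate a tampered archive: one extra byte breaks the digest.
printf 'x' >> "$DEMO_DIR/ggobi-2.1.2.tar.bz2"
report ggobi-2.1.2.tar.bz2 || true
```

The exit code 2 case is the one the post asks about: with no published digest, the script can say nothing about the file, so the safe answer is not to install it.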
  10. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    rootkit hunter is supposed to be very good. I think the best security program is AppArmor. it's a kernel level application firewall.

    here's a lecture about it
    ftp://ftp.belnet.be/pub/mirror/FOSDEM/FOSDEM2006-apparmor.avi

    someone on the Ubuntu forums gave me this link when I asked about it, I haven't used it yet because I'm still using an earlier version of Ubuntu.
    https://lists.ubuntu.com/archives/ubuntu-hardened/2006-May/000145.html

    http://www.linuxworldexpo.com/live/12/events/12BOS06A/conference/bio//CMONYA00BFPX

    EDIT I just read up a bit on AppArmor and it seems it's not ready to be used yet, I hope it turns out to be as good as it sounds.

    I found this too about it
    https://lists.ubuntu.com/archives/ubuntu-hardened/2006-February/000127.html
     
    Last edited: Jul 2, 2006
  11. dog

    dog Guest

    I hadn't ever used rkhunter before reading this thread this morning - it's nice. ;) It's warned me about one file's permissions - but as they're owner -- (me) -- r & w only (with everyone else forbidden) I don't see the problem. I do have to check one vulnerability it reported in an application - which may not be up to date.

    I do have and occasionally run chkrootkit. It's nice as well ... but rkhunter is a little more thorough in its checks.

    Thanks for pointing it out. ;)

    I included a screenshot of part of the rkhunter checks
     

  12. dog

    dog Guest

  13. Lamehand

    Lamehand Registered Member

    Joined:
    Mar 2, 2006
    Posts:
    428
    Location:
    the Netherlands,very near to the North sea
    I've installed partimage with synaptic, but I can't get it to show up in one of the menus.
    How can I use this software without using the CLI, I want to use it from the UI directly? Any suggestions?
    I went to the homepage but couldn't find it there.
     
  14. bktII

    bktII Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    224
    Lamehand,

    I have recently removed Ubuntu from my PCs and am now using Fedora Core 5. If you are using Ubuntu, right-click on the menu root at the upper left of the screen and select edit. A window should popup showing the menu tree. Drill into the tree to where you want to install partimage and select add new item (or something like that). Enter the executable name if it is included in the PATH environment variable (try 'echo $PATH'). If not, you can create a soft link (man "ln -s") that is in the PATH that "points to" the executable. Alternatively, you can write a short bash script, place it in the PATH and reference the script name instead of the executable name in the menu tool. There should be a check box for running the application in a terminal window, which I believe is how partimage runs (been a while since I have used it); go ahead and check it. Use the search tool or file manager to find an appropriate icon (if you want one). Save and exit or just exit (can't remember if save option exists).

    If you are using Fedora, you will need to install the "a la carte menu editor" with yum (I use yumex, a gui for yum). The menu editor will be placed in either System Tools (FC 4) or Accessories (FC 5) menu item. Once you have selected it from the menu, a window opens up and the process is very similar to that described above.

    This is from memory. Hope it helps.

    bktII
     
    Last edited: Jul 2, 2006
  15. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    you can put partimage in the menu by using smeg in Breezy or alacarte in Dapper. just put the correct name in alt-f2 (smeg or alacarte), if you need to find out where it is, open terminal and do this -
    which partimage

    to find out more about partimage try one of these
    man partimage
    info partimage
    partimage --help


    if you're interested I've got these links bookmarked about backing up Ubuntu, if that's what you're doing??
    http://www.ubuntuforums.org/showthread.php?t=80790
    http://ubuntuforums.org/showthread.php?t=81311
    http://sourceforge.net/projects/sbackup
     
  16. Lamehand

    Lamehand Registered Member

    Joined:
    Mar 2, 2006
    Posts:
    428
    Location:
    the Netherlands,very near to the North sea
    The general idea was indeed to get some sort of a back-up system for when things go wrong. Although I don't see myself installing a rootkit there are a lot of other ways to screw up the system.

    The particular comp I'm talking about has Ubuntu 6.06 LTS installed on a second HDD and I want to remove XP from its C partition, which is on the main-drive of course, so I wanted to use partimage to have a back-up for when things go wrong.
    And if one day I'm stupid enough to install something nasty, it's hey presto, fresh install within a couple of minutes.
     
  17. Lamehand

    Lamehand Registered Member

    Joined:
    Mar 2, 2006
    Posts:
    428
    Location:
    the Netherlands,very near to the North sea
    I got partimage to run, but then I saw what iceni suggested, namely sbackup.
    I've installed it and bam!, backups all over the place.
    Now I can get rid of XP on that machine, but I have to start a new thread on that topic because that's off topic here.

    Thanks
    Lamehand
     
  18. bktII

    bktII Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    224
    sbackup looks great for directory/file backup, especially for Ubuntu and other Debian-based distros. A recent review of sbackup, "Simplifying backups" is here:

    http://www.linux.com/article.pl?sid=05/11/22/2110251

    "But what it does do it does very well, and very simply.

    "Finally, it is important to note that the sbackup Summer of Code project was mentored by Ubuntu Linux, and as a result makes some assumptions about the system that may not be true for non-Debian-based installations.

    I was not aware of this program either, looks like a great tool. Thanks Iceni.

    As I dual-boot both my PCs with WinXP and Fedora Core 5, I will probably stick with java-based "Snap Backup" which "Runs on Most Platforms (Including: Mac OS X, Linux, Solaris, and Windows)" as stated on their website here:

    http://snapbackup.com/

    Since I plan on continuing to dual-boot, I prefer a solution that runs on multiple platforms; less variability when I boot into XP or FC5. In FC5, just run "java -jar snapbackup.jar" in a terminal window or create a bash script to simply run it from a terminal window, menu or taskbar icon.

    bktII
     