[huskerlug] Re: antivirus

> Linux worms and viruses would require user assistance in order to
> work. Sort of like receiving an email which said "send the email
> to all people in your address book and then run 'rm -rf' as root"

More of it has to do with the apps that run on Linux.  If someone were to 
write an "Outlook equivalent" mail program for Linux (bugs and all), it would 
allow viruses to spread almost as easy as they do on windoze.  As long as the 
user wasn't running as root and kept their machine patched, the virus 
probably wouldn't "own" the machine, but a virus/worm like Sobig.F could 
still replicate just as easily from a Linux box as it could from a windoze 
box since non-root users are allowed to make outgoing connections and bind 
to ports above 1023.

Windoze NT/2K/XP/2K3 can all have users that run without "SYSTEM" or 
"Administrator" privileges just like in *nix.  With proper configuration, 
they can also prevent a virus/worm from "owning" a machine.  However, most 
users just don't do it (and don't know how).  IIRC, XP home edition puts all 
users in the "power users" group by default, thus eliminating much of the 
built-in protections of the underlying OS.

On the other hand, take Lindows.  I don't know if it still does, but in 
earlier versions, the user ran with root privs.  This makes the box as unsafe 
as a winders 95/98/ME box (no privilege separation).  

Linux (and other unix based OSes) just haven't been targeted in a major way by 
virus writers yet.  There are plenty of vulnerabilities in *nix applications 
(and in *nix itself) each year for worm writers to take advantage of.  
However, the good ones keep these secret for themselves to use.

> The big worry for Linux is some cracker hacking into your box
> manually. You can test for that by regularly using chkrootkit.

I recommend a standard file integrity checker (e.g., tripwire, aide, samhain) in 
addition to chkrootkit.  I've tried the first 2, and am getting ready to try 
out samhain.  Putting the file sig database on read-only media along with 
your audit scripts and any binaries you need (statically compiled of course) 
really helps raise the bar for attackers as well.

> Keeping your patches up to date and running a good firewall, like

Definitely a must.

-- 
Steve Bremer
RHCE,CCNA
--
Real Men don't make backups. They upload it via ftp and let the world 
mirror it. -- Linus Torvalds
--
GnuPG Key fingerprint = 7F06 4D73 7963 BE96 5189  953A E285 CB2C BA03 2746
Available on key servers.

----
Husker Linux Users Group mailing list
To unsubscribe, send a message to huskerlug-request@xxxxxxxxxxxxx
with a subject of UNSUBSCRIBE
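The tripwire/aide-style check described in the reply above (hash every file, keep the signature database somewhere the attacker can't rewrite it, re-run the audit later), as an added example that is not from the post or from any of those tools. It hashes a directory tree, serialises the baseline as JSON so it can be copied to read-only media, and reports added, removed and modified files; the directory tree and the tampering in `demo()` are constructed in a temp dir, and the modified file deliberately keeps its size so only the hash reveals the change.

```python
import hashlib, json, os, stat, tempfile

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Record sha256, size and mode of every regular file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode):  # skip symlinks, sockets, devices
                rel = os.path.relpath(full, root)
                baseline[rel] = {"sha256": _sha256(full), "size": st.st_size,
                                 "mode": stat.S_IMODE(st.st_mode)}
    return baseline

def verify(root, baseline):
    """Compare the live tree with a stored baseline; report every deviation."""
    current = build_baseline(root)
    both = set(current) & set(baseline)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in both if current[p] != baseline[p])}

def demo():
    """Constructed scenario: baseline a fake tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/ls": b"original ls", "etc/motd": b"welcome",
                 "etc/hosts": b"127.0.0.1 localhost\n"}
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        # JSON round-trip stands in for writing the database to read-only media.
        baseline = json.loads(json.dumps(build_baseline(root)))
        # Tampering: same-size content change (size alone would miss it), new file, deletion.
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"modified ls")
        with open(os.path.join(root, "bin/extra"), "wb") as f:
            f.write(b"x")
        os.remove(os.path.join(root, "etc/motd"))
        return verify(root, baseline)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audit is only as trustworthy as the hashing binary and the baseline file, which is why the post suggests keeping both (statically linked) on read-only media.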