Tim:
> > Is there a reason you feel the need to check for rootkits?
> >
> > I'm under the impression that if you don't install things from outside
> > of the repos, and keep SELinux running, there's a so-close-to-zero
> > chance of you having a problem that it's not worth worrying about.

home user:
> Maybe I'm remembering wrong, but I recall over a decade ago being
> advised on this list to use 2 tools to watch for malware on this
> workstation: chkrootkit and rkhunter.

As a general rule, old advice goes stale... ;-) And out-of-date malware detection of any kind is probably pointless. I don't know about on Linux, but running competing malware detection on Windows boxes was always a good way to start a software fight between them.

> Also, don't these tools check for more than just rootkits?

I haven't looked into it, but the name suggests what their job is. And the Linux approach was always to make a tool to do its job, and another tool to do another job.

Most of the time anti-malware running on Linux was to protect Windows machines on the same network, such as scanning incoming mail before the Windows machines got it. And another general rule was that Linux doesn't really need it if you follow the good computing practice of not installing or running (without installing) random software from anywhere. Supposedly our repos have enough eyes looking through them to stop shonky things getting in, although that has happened.

As I mentioned before, our email programs aren't so dumb as to go "this attachment is an executable, I'll do what the system normally does with executables," as Windows did. Likewise with web browsers. Those are the two main remote vectors of attack against any PC (mail and websites).

If you want to open yourself up to Windows-style attacks, run Samba with no firewall and treat the public internet the same as your LAN, like ye olde Windows did (I've no idea if modern Windows is as vulnerable).
I saw a friend's old XP PC get done just 13 seconds after connecting to the internet through a USB ADSL modem, several times in a row after lengthy format and re-installs, because he wouldn't listen to me. It was several hours before he finally paid attention. We were watching movies and having a pizza feast while his computer was grinding its gears. I wouldn't have put up with that much time-wasting otherwise, but I just about wet myself laughing.

But Fedora doesn't do that. We have a firewall by default, Samba isn't running by default, and public IPs are treated like the plague compared to your LAN. We don't usually have core features that are exposed to the Wild-Wild-West; SSH has to be configured dumbly to do that. We have SELinux, which sets rules on servers about what files they're allowed access to (e.g. webservers can't just read any file outside of the serving directory, unless you're dumb enough to follow really stupid guides on the internet telling you to shut it off). And we're mostly behind some kind of router with NAT that gets in the way of remote access, these days.

Several years ago when we had fibre internet installed in the house, during part of the install procedure they asked me to plug a computer directly into the fibre network (bypassing their modem/router combo device that normally sits between you and them). Other than me being assigned an IP, they were perplexed that they couldn't detect my laptop. Normally they get some kind of response from Windows devices that lets them tell it's there, and can figure out what it is via various fingerprints. My laptop was running Fedora.

How is malware going to get onto a Linux box? You pretty much have to shoot yourself in the foot with Linux, and few anti-malware products are good at stopping people who do that. There's very little of things just slipping in without your help.
There's the obvious route of a miscreant giving someone advice to download and install BADTHING from their website, which might be a website with fake how-to-solve-something instructions, or a telephone call from not-your-bank about some fake security problem. But most of that crap is aimed at Windows users.

There's the sly remote hack of your system, where bad actors are probing every IP on the planet trying to find something to hack (*). But there are very few things on your system paying attention to outside traffic. Again, most of that crap is aimed at Windows users. And that's not just because of the sheer numbers of Windows users, but because it's such an easy target.

* Many years ago when I was not on Linux, and using a dial-up modem with a direct connection to my computer, I would notice that any time after I posted on public mailing lists there'd be a flurry of failed connection attempts on my IP. Clearly some bad actors watch certain places for currently active connections. But they probably are just scanning every IP on the planet all the time, now. The computing power to do that is available to them. Unplug your PC (and other LAN devices) and watch the traffic lights on your modem/router. Ignore the odd blip, but if its WAN lights are winking like mad, that's things probing it. Some may be in response to something you were just doing. See if it dies off after a couple of minutes.

There will be certain apps that are a vulnerability in themselves. Web browsers are highly complex software, probably having far more features than they really need. And buggy... Though on Linux that's probably fairly limited to a remote hack exploiting whatever data is in the browser, more than getting *through* it to the system. Peer-to-peer filesharing software is probably another big risk; it's *meant* for sharing files. I've not read into how exploitable they may be for a long time, but a common issue was people stupidly sharing their entire filesystem, or all their own personal files.
And just being on a peer-to-peer network does attract a gazillion connection attempts to your IP, and that in itself can swamp some home modem/routers.

Remember that a lot of software is not written by trained software engineers following best practice. There's a lot of "seems to work for me" programming.

Web blogging software is a known problem. It's an interface between inside and outside, with writeable capabilities. You have to be very careful about ownership and file permissions, and access controls, to let it only do what it needs to do. Else a remote blackhat can create a file through it, with executable commands, and find some way to have the webserver run it. Some people find it hard to set up the correct access controls, and let the thing run as root, have world-readable and -writeable permissions, and switch off protective software (like SELinux) because it tries to stop them doing stupid things. They're often quite buggy and need frequent updates to mitigate exploits; blogging software is not something you want to leave running old versions of.

Rule of thumb: Webservers MUST NOT own the files they serve. The files must be owned by the author. Only the author has write permission for them (this means directories and files). The public files have world-readable permissions, and the webserver reads things as the unknown other (world) user. Webservers should not run as root, but as an independent webserver kind of user. That limits its access to only world-readable public files. Blogging software has to act as an interface obeying that same criteria when it creates the files it will publish.

Having said all that, most people don't serve websites from their own PC any more; few ISPs allow it. But those problems still exist for people who rent space and remotely install webservers and blogging software, with the victim being your website and the host's computer systems.
There's the harder-to-set-up hack where someone is inside your LAN, who then has fewer networking obstacles in the way. But that's more of a corporate thing; it's not like someone can plug into your home LAN without you noticing there's a black-hat guy in your home who shouldn't be there. Although insecure WiFi doesn't preclude that.

And the harder-to-do long game of hackers weaselling their way into some software project and contaminating software. That happened not all that long ago.

--
uname -rsvp
Linux 3.10.0-1160.119.1.el7.x86_64 #1 SMP Tue Jun 4 14:43:51 UTC 2024 x86_64

Boilerplate: All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
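The file-ownership rule of thumb in the message above (author owns the files, only the author can write, the webserver reads as "other" and owns nothing, nothing world-writable) can be turned into a quick audit of a document root. This is an added example, not code from the post or from Fedora; the account names are assumptions, so pass your own login as AUTHOR and whatever account your webserver actually runs as (httpd on Fedora uses "apache", nginx uses "nginx").

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a web document root
# against the rule of thumb in the message: files are owned by the author, the
# webserver reads them as the "other" (world) user, nothing is world-writable,
# and the webserver account owns nothing under the site. The account names are
# assumptions: pass your own login as AUTHOR and the webserver's account as
# WEBUSER ("apache" is the Fedora httpd default; nginx uses "nginx").
#
# Usage: audit_docroot DOCROOT AUTHOR [WEBUSER]
# Prints one line per finding plus a total, and returns the number of findings
# (0 = clean; the shell caps return values at 255).

# check LABEL FIND-TESTS...: print every path under $docroot matching the
# find tests, prefixed with LABEL, and add them to the running total.
check() {
    label=$1; shift
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        printf '%s: %s\n' "$label" "$p"
        findings=$((findings + 1))
    done <<EOF
$(find "$docroot" "$@" -print)
EOF
}

audit_docroot() {
    docroot=$1
    author=$2
    webuser=${3:-apache}
    findings=0

    author_uid=$(id -u "$author") || { echo "unknown author: $author" >&2; return 255; }

    # 1. The webserver account must not own anything it serves: it reads, it
    #    does not own. (Skipped with a note if that account does not exist here.)
    if web_uid=$(id -u "$webuser" 2>/dev/null); then
        check "owned by webserver user" -uid "$web_uid"
    else
        echo "note: user $webuser not found on this host, ownership check skipped" >&2
    fi

    # 2. Everything under the site should belong to the author.
    check "not owned by author" ! -uid "$author_uid"

    # 3. Nothing may be world-writable. A world-writable directory is the
    #    classic way a web app ends up able to drop a file the server will run.
    check "world-writable" -perm -0002

    # 4. Public content must be readable (files) and traversable (directories)
    #    by "other", because that is the identity the webserver reads with.
    check "file not world-readable" -type f ! -perm -0004
    check "directory not world-traversable" -type d ! -perm -0005

    echo "findings: $findings"
    return "$findings"
}
```

The checks overlap on purpose: a file that is both owned by the webserver user and world-writable is reported twice, once under each rule, so each line tells you which part of the rule of thumb it breaks. Run it on a copy of a rented host's document root as the same user that owns the content, and treat any non-zero total as something to fix before updating the blogging software rather than after.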