On 2/14/25 8:49 AM, Tim wrote:
Tim:
Is there a reason you feel the need to check for rootkits?
I'm under the impression that if you don't install things from outside
of the repos, and keep SELinux running, there's a so-close-to-zero
chance of you having a problem that it's not worth worrying about.
home user:
Maybe I'm remembering wrong, but I recall over a decade ago being
advised on this list to use 2 tools to watch for malware on this
workstation: chkrootkit and rkhunter.
Tim:
As a general rule, old advice goes stale... ;-)
And out-of-date malware detection of any kind is probably pointless.
I don't know about on Linux, but running competing malware detection on
Windows boxes was always a good way to start a software fight between
them.
home user:
Actually, I was manually running them, one at a time.
Also, don't these tools check for more than just rootkits?
Tim:
I haven't looked into it, but the name suggests what their job is. And
the Linux approach was always to make a tool to do its job, and another
tool to do another job.
home user:
I'm not certain. It was the impression I got from the tools' output.
Tim:
Most of the time anti-malware running on Linux was to protect Windows
machines on the same network. Such as scanning incoming mail before
the Windows machines got it.
And another general rule was that Linux doesn't really need it if you
follow good computing practice of not installing or running (without
installing) random software from anywhere. Supposedly our repos have
enough eyes looking through them to stop shonky things getting in,
although that has happened.
As I mentioned before, our email programs aren't so dumb as to go "this
attachment is an executable, I'll do what the system normally does with
executables," as Windows did. Likewise with web browsers. Those are
the two main remote vectors of attack against any PC (mail and
websites).
home user:
and those are my real concerns.
I use Firefox. There's that little shield icon just to the left of the address bar. I'm amazed (and concerned) at how many web sites that shield "says" are trying to track, cross-site track, and fingerprint. ...and how many sites refuse to function unless I disable Firefox's blocking. ...even charities and government sites.
Messages in Thunderbird can be surprisingly tricky and subtle, too. I dare not say more about that.
Tim:
If you want to open yourself up to Windows-style attacks, run Samba
with no firewall and treating the public internet the same as your LAN
like ye olde Windows did (I've no idea if modern Windows is as
vulnerable). I saw a friend's old XP PC get done just 13 seconds after
connecting to the internet through a USB ADSL modem, several times in a
row after lengthy format and re-installs, because he wouldn't listen to
me. It was several hours before he finally paid attention. We were
watching movies and having a pizza feast while his computer was
grinding its gears. I wouldn't have put up with that much timewasting
otherwise, but I just about wet myself laughing.
But, Fedora doesn't do that. We have a firewall by default, Samba
isn't running by default, and public IPs are treated like the plague
compared to your LAN. We don't usually have core features that are
exposed to the Wild-Wild-West, SSH has to be configured dumbly to do
that. We have SELinux that sets rules on servers about what files
they're allowed access to (e.g. webservers can't just read any file
outside of the serving directory, unless you're dumb enough to follow
really stupid guides on the internet telling you to shut it off).
And we're mostly behind some kind of router with NAT that gets in the
way of remote access, these days.
Several years ago when we had fibre internet installed in the house,
during part of the install procedure they asked me to plug a computer
directly into the fibre network (bypassing their modem/router combo
device that normally is between you and them). Other than me being
assigned an IP, they were perplexed that they couldn't detect my
laptop. Normally they get some kind of response from Windows devices
that lets them tell it's there, and can figure out what it is via
various fingerprints. My laptop was running Fedora.
home user:
How is malware going to get onto a Linux box?
Tim:
You pretty much have to shoot yourself in the foot with Linux, and few
anti-malware products are good at stopping people who do that. There's
very little of things just slipping in without your help.
There's the obvious route of a miscreant giving someone advice to
download and install BADTHING from their website, which might be a
website with fake how-to-solve something instructions, or a telephone
call from not-your-bank about some fake security problem. But most of
that crap is aimed at Windows users.
There's the sly remote hack of your system, where bad actors are
probing every IP on the planet trying to find something to hack (*).
But there's very few things on your system paying attention to outside
traffic. Again most of that crap is aimed at Windows users. And
that's not just because of the sheer numbers of Windows users, but
because it's such an easy target.
* Many years ago when I was not on Linux, and using a dial-up modem
with a direct connection to my computer, I would notice any time after
I posted on public mailing lists there'd be a flurry of failed
connection attempts on my IP. Clearly some bad actors watch certain
places for currently active connections.
But they probably are just scanning every IP on the planet all the
time, now. The computing power to do that is available to them.
Unplug your PC (and other LAN devices) and watch the traffic lights on
your modem/router. Ignore the odd blip, but if its WAN lights are
winking like mad that's things probing it. Some may be in response to
something you were just doing. See if it dies off after a couple of
minutes.
There will be certain apps that are a vulnerability in themselves. Web
browsers are highly complex software, probably having far more features
than they really need. And buggy... Though probably fairly limited to
a remote hacking exploiting whatever data is in the browser, more than
getting *through* it to the system, on Linux. Peer-to-peer filesharing
software's probably another big risk, it's *meant* for sharing files,
I've not read into how exploitable they may be for a long time, but a
common issue was people stupidly sharing their entire filesystem, or
all their own personal files. And just being on a peer-to-peer network
does attract a gazillion connection attempts to your IP, and that in
itself can swamp some home modem/routers. Remember that a lot of
software is not written by trained software engineers following best
practice. There's a lot of "seems to work for me" programming.
Web blogging software is a known problem. It's an interface between
inside and outside, with writeable capabilities. You have to be very
careful about ownership and file permissions, and access controls, to
let it only do what it needs to do. Else a remote blackhat can create a
file through it, with executable commands, and find some way to have
the webserver run it. Some people find it hard to set up the correct
access controls, and let the thing run as root, have world readable and
writeable permissions, and switch off protective software (like
SELinux) because it tries to stop them doing stupid things. They're
often quite buggy and need frequent updates to mitigate exploits,
blogging software is not something you want to leave running old
versions.
Rule of thumb: Webservers MUST NOT own the files they serve. The
files must be owned by the author. Only the author has write
permission for them (this means directories and files). The public
files have world-readable permissions, and the webserver reads things
as the unknown other (world) user. Webservers should not run as root,
but as an independent webserver kind of user. That limits its access
to only world-readable public files. Blogging software has to act as
an interface obeying that same criteria when it creates the files it
will publish.
Having said all that, most people don't serve websites from their own
PC any more, few ISPs allow it. But those problems still exist for
people who rent space and remote install webservers and blogging
software. With the victim being your website and the host's computer
systems.
There's the harder-to-set-up hack where someone is inside your LAN, who
then has fewer networking obstacles in the way. But that's more of a
corporate thing, it's not like someone can plug into your home LAN
without you noticing there's a black-hat guy in your home who shouldn't
be there. Although insecure WiFi doesn't preclude that.
And the harder-to-do long game of hackers weaselling their way into
some software project and contaminating software. That happened not
all that long ago.
home user:
Good "white paper"? I only have this one stand-alone home workstation and a modem. But I can see how all you've said can be useful to many others.
Thank-you, Tim.
--
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
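Tim's rule of thumb above (the webserver must not own what it serves; the author owns the files and is the only one who can write them; public files and directories are world-readable so the webserver can read them as "other") can be checked mechanically. The script below is an added example, not code from this thread or from Fedora: it walks a document root with POSIX `find` and prints one tagged line per file or directory that breaks the rule. The document root, author account and webserver account are passed in as arguments; the webserver account name is an assumption you supply (Fedora's httpd runs as `apache`, other distributions and servers use other names).

```shell
#!/bin/sh
# Added example (not from the thread): audit a web document root against
# the ownership/permission rule of thumb.
#
# Usage: webroot_violations DOCROOT AUTHOR WEBUSER
#   DOCROOT  directory the webserver serves from
#   AUTHOR   account that is supposed to own and write the files
#   WEBUSER  account the webserver runs as (assumed, e.g. "apache" on Fedora)
# Prints one "TAG path" line per violation and nothing when the tree is clean.
webroot_violations() {
    docroot=$1
    author=$2
    webuser=$3

    # 1. Everything under the root must belong to the author.
    find "$docroot" ! -user "$author" \
        -exec printf 'NOT_OWNED_BY_AUTHOR %s\n' {} \;

    # 2. Nothing may belong to the webserver account itself. find rejects
    #    unknown user names, so skip this check if the account is not on
    #    this host.
    if id -u "$webuser" >/dev/null 2>&1; then
        find "$docroot" -user "$webuser" \
            -exec printf 'OWNED_BY_WEBSERVER %s\n' {} \;
    fi

    # 3. Only the owner may write: no group- or world-writable entries.
    find "$docroot" \( -perm -g+w -o -perm -o+w \) \
        -exec printf 'GROUP_OR_WORLD_WRITABLE %s\n' {} \;

    # 4. The webserver reads as "other", so public files need o+r and
    #    directories need o+rx; otherwise the site breaks for no obvious reason.
    find "$docroot" -type f ! -perm -o+r \
        -exec printf 'NOT_WORLD_READABLE %s\n' {} \;
    find "$docroot" -type d ! -perm -o+rx \
        -exec printf 'DIR_NOT_WORLD_TRAVERSABLE %s\n' {} \;
}

# Number of violations found (0 means the tree matches the rule of thumb).
# grep -c prints 0 and exits non-zero on empty input, hence the "|| true".
webroot_violation_count() {
    webroot_violations "$@" | grep -c . || true
}

# Stand-alone use: sh audit.sh /var/www/html alice apache
if [ "$#" -eq 3 ]; then
    webroot_violations "$1" "$2" "$3"
fi
```

A file can appear under more than one tag (a world-writable file owned by the webserver account is reported twice), which is deliberate: each line names one thing to fix. Run it as the author or as root, since it only needs to stat the tree, and expect a clean run to print nothing.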