If you are coming from a Windows background you are used to terms like antivirus, spyware, and firewalls. Linux is different and these are not as important.
The fact of the matter is: viruses/worms take advantage of flaws or holes in the code. There are no significant Linux viruses "in the wild". Linux boxes are no less targets than any other OS.
Do not believe the suggestion that the Linux community is complacent or "behind the times" in terms of viruses, or any other security issue. Linux developers have not "ignored" viruses, rather the OS is built to be highly resistant to them and since the code is "Open" there are literally thousands of eyes watching .
For the most part, Linux anti-virus programs scan for Windows viruses which do not run on Linux.
Reasons AGAINST antivirus on Ubuntu:
- They scan primarily for Windows viruses.
- There is a high rate of false positives.
- Isolation/inoculation is poor.
- And currently there are no known active Linux viruses (so there is essentially nothing to detect).
Reasons FOR antivirus on Ubuntu:
- You are running a file or mail server with Windows clients.
- You wish to scan files before transferring them, by email, flash drive, etc., to a Windows machine.
Running antivirus can make some sense if you are intending to "protect" Windows users, however, for a variety of reasons, it is best if Windows users learn to protect themselves.
Note: There have been many documented cases in Windows and Linux that a buffer overflow in an antivirus product has been an attack vector!
If you would like to run an antivirus program on Ubuntu you have several choices :
Comments on wine
Discussions about running Windows viruses on wine crop up from time to time and it is possible to run some Windows viruses on wine.
See these links :
Take the same precautions with wine as you would with Windows. Do not install untrusted applications from untrusted sources.
Windows viruses will be confined to ~/.wine and they do not have permission to change system files. This means to remove them you simply:
rm -rf ~/.wine
You then need to restore your wine directory from a known good backup (you do keep backups ?).
UFW - Desktops
UFW - Servers
Ubuntu includes a firewall, iptables, but by default nothing is engaged. This is reasonable as a default Ubuntu install opens zero ports to the outside world, so a firewall is redundant. However, installing "server software" will cause ports to open, so some people like to use a firewall as a catch-all layer to find mistakes in their configuration.
Another use for firewalls is for the administrator to forcibly impose network policies on the user.Also, a periodic audit of the system for open ports is a good practice. Running the "nmap" command from another machine, or using one of many online port scanners:
Remember, what you care about are open ports. Closed ports and stealth ports are equally secure, in that they are inaccessible to the public.
Iptables references :
The "problem" with iptables is that it is not particularly friendly to new users. Fortunately, there are several more user friendly interfaces available to allow you to manipulate your firewall (UFW, Firestarter, and Guarddog) :
- UFW (Uncomplicated Firewall) is the newest tool. It is a command line tool and is, superior to the gui tools.
- To Configure iptables , UFW uses both configuration files /etc/default/ufw and /etc/ufw/before.rules and the command line. Howto: Use, setup, and Take advantage of the New Ubuntu Uncomplicated Firewall UFW
- If you prefer a GUI tool, gufw is a graphical front end for ufw.
- Firestarter is one of the most popular GUI front ends.
- Guard dog uses the KDE libraries.
A source of confusion sometimes occurs when users feel the need to be running firestarter/Guarddog for their firewall to be active. This is untrue ! Keep in mind that these applications are not firewalls, but rather configuration tools for ip tables. These applications should be run only to configure your firewall. Once configured, IP tables (the actual firewall) is active (at boot) without having to run firestarter/guarddog. firestarter will monitor traffic, but it runs as root and there are better monitoring programs, so configure you firewall, shut down firestarter/grauddog, and let IP tables do the rest
Browser / Spyware : Java/Flash/Ad-ware/Trackers/Cookies
This is where most users will have the most risk.
We all want Java/Flash, but our Internet browser opens us to attacks.
- Deny all cookies and add trusted sites, allowing only for session.
- Install NoScript. Again block all and add trusted sites to a white list.
- Install Safe History
- Adblocking : I block with a hosts file rather then Adblock Plus or Adblock Filterset.G because a hosts file protects more then just firefox.
- Linux script : http://hostsfile.mine.nu/downloads/updatehosts.sh.txt
Permissions and Encryption
The first layer of defense is file permissions. Permissions are used to set access and thus protect both system and user files.
See also umask at the bottom of that link. The umask value can be set in ~/.bashrc.
To set a "private home", as a user,
chmod 700 $HOME
Common servers include NFS, Samba, FTP, SSH, VNC, RDP, and HTTP. Desktops become Servers if server software is installed.
Questions to ask yourself include:
- What port(s) or services does this software provide?
- Who will be able to connect to this? (i.e. is it restricted to a range of IP addresses Password protected?)
- What level of access will the visitor have to the system? (i.e. does the server run under a restricted user, or the root account? What can this restricted user do in a worst case scenario?)
- Does this service expose any additional information that's useful to a hacker? (i.e. does it allow users to transmit their passwords in cleartext? Does it have a 'statistics' view that reveals logged-in users, ip addresses, network configuration, or other potentially helpful information?)
- What is the security history of this software? Does it have a history of vulnerability and patch after patch? Or has it had a relatively unmarred history?
What to do when you think you have been cracked :
- Power off.
- Disconnect/disable your Internet connectivity.
- Now take a deep breath, re-boot, and read the logs. Ask for help if needed, but you really need to confirm that your system has been compromised.
- If you have been compromised, and have the time and interest, boot a live CD and image your hard drive. This image can then be used for forensic analysis.
- Re-install. Unfortunately, there is no way to trust a compromised system.
- When you install, be sure to install off line, use a stronger password, and research intrusion detection.
CERT® Coordination Center (CERT/CC)
CERT® Coordination Center ~ Intruder Detection Checklist
My goodness ...
Ubuntu wiki ~ Security page
Ubuntu wiki ~ Installing Security Tools
UDSF Security Analysis Tools
The Big Ol' Ubuntu Security Resource
Locking Down Ubuntu
Ubuntu geek ~ Security category
Security references Topics include Basics, firewall, Intrusion detection, Chroot, Forensics/Recovery, and Securing networked services.
Changing poison into medicine,
A person with ubuntu is open and available to others, affirming of others, does not feel threatened that others are able and good, for he or she has a proper self-assurance that comes from knowing that he or she belongs in a greater whole and is diminished when others are humiliated or diminished, when others are tortured or oppressed. ~ Archbishop Desmond Tutu, 1999