File: 7.html

<!--startcut ======================================================= -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
<head>
<META NAME="generator" CONTENT="lgazmail v1.3A.e">
<TITLE>The Answer Guy 48: Virus Protection for Linux: A Non-Issue ... But....</TITLE>
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
	LINK="#3366FF" VLINK="#A000A0">
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<H4>"The Linux Gazette...<I>making Linux just a little more fun!</I>"</H4>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<center>
<H1><A NAME="answer">
	<img src="../../gx/dennis/qbubble.gif" alt="(?)" 
		border="0" align="middle">
	<font color="#B03060">The Answer Guy</font>
	<img src="../../gx/dennis/bbubble.gif" alt="(!)" 
		border="0" align="middle">
</A></H1> 
<BR>
<H4>By James T. Dennis,
	<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a><BR>
	LinuxCare,
	<A HREF="http://www.linuxcare.com/">http://www.linuxcare.com/</A> 
</H4>
</center>

<p><hr><p>
<!--  endcut ======================================================= -->
<!-- begin 7 -->
<H3 align="left"><img src="../../gx/dennis/qbubble.gif" 
	height="50" width="60" alt="(?) " border="0"
	>Virus Protection for Linux: A Non-Issue ... But....</H3>


<p><strong>From muzician  on Thu, 23 Sep 1999  
</strong></p>
<!-- ::
Virus Protection for Linux: A Non-Issue ... But....
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:: -->
<P><STRONG>
Subject: Re: virus protection
I can't find any references to that.  I am installing 6.0 for the
first time, and need to know what to do.
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	>
Basically viruses are a non-issue for Linux and other forms of
UNIX.    While it is technically possible to create them, the
multi-user design of UNIX-like systems coupled with the
widespread practices that separate "normal use" (access to
applications, and user data) from "administration" (use by
'root' user) make the OS very hostile to virus propagation.
</BLOCKQUOTE>
<BLOCKQUOTE>
You can write a virus, but it won't spread.
</BLOCKQUOTE>
<BLOCKQUOTE>
This is one of the benefits to the convention of logging in as a
"normal user" for most of your Linux work and reserving the "root"
account for upgrading and installing software.    Another benefit
is that it limits the damage you'll do with a careless user
command.
</BLOCKQUOTE>
<BLOCKQUOTE>
This is not to say that Linux and UNIX are immune to viruses,
trojan horses and other forms of hostile code.  Far from
it. There are many programs that run with "root" privileges on a
typical installation.  Any of these <EM>might</EM> be "tricked" into acting
on an attacker's behalf.  They can be subverted, which leads to
the compromise of the whole system's security.
</BLOCKQUOTE>
<BLOCKQUOTE>
Any program that can be "tricked" (subverted) into running
foreign code, or otherwise compromise the user's and system
administrator's intentions has a bug.  When we find these bugs
we fix them.
</BLOCKQUOTE>
<BLOCKQUOTE>
Finding the ways in which such programs can be commandeered by
hostile users, and by anonymous attackers over networking
connections is an ongoing effort by thousands of programmers
throughout the open source community.  There is nothing Linux
specific about these efforts.  <A HREF="http://www.openbsd.org/">OpenBSD</A> (<A HREF="http://www.openbsd.org"
	>http://www.openbsd.org</A>)
is most renowned for its accomplishment of a comprehensive audit
of its own code.  Some of that code is being re-ported to Linux
(for example the BSDish FTP daemon that's included with some
distributions).
</BLOCKQUOTE>
<BLOCKQUOTE>
Linux and UNIX code auditors tend to focus on programs that are
run "SUID" (with the effective permissions of the program's
owner, rather than those of the owner of the executing process)
and with "daemons" (programs that act as "servers" for network
protocols and provide other local services).  These are the most
obvious cases where programs are an interface between "security
contexts."
</BLOCKQUOTE>
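<BLOCKQUOTE>
As an added example (not the column's own code), here is a small
Python audit of the first category above: it walks a directory tree,
lists every regular file carrying the set-uid or set-gid bit, and
flags the ones that other users can also write to, since editing such a
file chooses the code that will run with the owner's privileges.  The
function names <TT>find_setid</TT>, <TT>build_sample_tree</TT> and
<TT>audit_sample</TT> are chosen here, and the sample tree is
constructed in a scratch directory.
</BLOCKQUOTE>

```python
import os
import stat
import tempfile

def find_setid(root):
    """Walk root and return sorted (path, uid, mode, writable_by_others)
    tuples for every regular file carrying the set-uid or set-gid bit."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)      # lstat: never follow symlinks
            except OSError:
                continue                 # unreadable or vanished: keep auditing
            if not stat.S_ISREG(st.st_mode):
                continue                 # the bit is meaningless on non-files
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                # A set-id file that group/others can write is the worst
                # case: whoever edits it picks the code run as the owner.
                writable = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
                found.append((path, st.st_uid, stat.filemode(st.st_mode), writable))
    return sorted(found)

def build_sample_tree():
    """Constructed fixture (hypothetical): a scratch tree holding one plain
    executable, one set-uid executable and one world-writable set-uid one."""
    root = tempfile.mkdtemp(prefix="setid-audit-")
    for name, mode in (("plain", 0o755), ("setuid-ok", 0o4755),
                       ("setuid-bad", 0o4777)):
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\necho hello\n")
        os.chmod(path, mode)             # owner may set the set-uid bit itself
    return root

def audit_sample():
    """Run the audit over the fixture; return (basename, writable) pairs."""
    root = build_sample_tree()
    return [(os.path.basename(p), w) for p, _uid, _mode, w in find_setid(root)]

if __name__ == "__main__":
    for name, writable in audit_sample():
        print(name, "WRITABLE BY OTHERS" if writable else "ok")
```

Pointing <TT>find_setid</TT> at <TT>/</TT> gives the inventory an auditor starts from; every entry is a program worth knowing about, and a writable one needs fixing at once.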
<BLOCKQUOTE>
For a cracker (any anonymous attacker of your systems) the
"mother lode" is a network process that runs as 'root'  and
has a remotely exploitable bug (often a buffer overflow, a
particular sort of bug where an expected input is filled with
an excessively long response which contains some hostile code).
Finding one of these allows a cracker to remotely assume control
of a whole system.
</BLOCKQUOTE>
<BLOCKQUOTE>
These sorts of bugs are not specific to Linux, or UNIX.  They're
possible under NT and most other operating systems as well.  They
are commonly detected on UNIX systems and quickly fixed (and
occasionally re-introduced in future versions and new programs).
It is believed that there are about as many exploitable bugs in
NT and MacOS servers as there have been in Linux and UNIX.  They
usually show up as "hangs" or "abends" (abnormal ends) in the
services or on those systems, rather than complete, interactive
exploitation.
</BLOCKQUOTE>
<BLOCKQUOTE>
(The reasons for this have to do with the rather poor remote
administration features and somewhat more complicated programming
models of these other systems.)  So on the surface NT and MacOS
seem to "failsafe" (die without giving the attacker access) ---
although this is probably an illusion, waiting to be dispelled by
the next generation of crackers.
</BLOCKQUOTE>
<BLOCKQUOTE>
Again, these are NOT viruses.  However, they have similar
results, someone runs code on your system that you didn't approve
and don't want.
</BLOCKQUOTE>
<BLOCKQUOTE>
So these vulnerabilities (especially buffer overflows in network
daemons like popd, imapd, mountd, ftpd, etc) are the greatest
risk to the security of your system.  That's why companies put
up firewalls.  That's why sysadmins tell you not to leave
"ports open" (these services available) on your systems, or to
use TCP Wrappers (pre-installed on every major Linux
distribution) to limit the networks and systems that can access
those services that you REALLY need.
</BLOCKQUOTE>
<BLOCKQUOTE>
I mentioned that security auditors focus on SUID programs and
networking daemons.  This is a matter of priorities as those are
the most "attractive" points for an attacker to probe.  However,
we have to be aware that security auditing and robust code is
necessary ANY TIME A PROGRAM ACTS AS AN INTERFACE BETWEEN/AMONG
DIFFERENT SECURITY CONTEXTS.
</BLOCKQUOTE>
<BLOCKQUOTE>
We must be concerned about bugs IN ANY CODE THAT PROCESSES
UNTRUSTED DATA.
</BLOCKQUOTE>
<BLOCKQUOTE>
(I'm shouting about this since it is a point that is often
overlooked, even by some of the most respected programmers that I
know).
</BLOCKQUOTE>
<BLOCKQUOTE>
For example, consider the e-mail you sent me.  Your mail comes from
one security context (the outside world, from a complete
stranger).  My mail user agent (MUA) acts as an interface between
your data and me.  If there's a bug in my mailer (or the editor
that my mailer invokes when I want to respond) then you might be
able to craft a piece of e-mail that will crash my program, and
possibly even subvert it.
</BLOCKQUOTE>
<BLOCKQUOTE>
Such a "black widow" would be very hard to write for any UNIX
mailer (though the addition of MIME handling features did
introduce some such bugs in some mailers).  It would also be
limited in its effect.  It probably could only affect one mailer
under one operating system.  It might not propagate through POP
servers and/or through certain POP clients (like 'fetchmail').
</BLOCKQUOTE>
<BLOCKQUOTE>
There are dozens of common MUAs (mailers) used by UNIX and Linux
people.  So any such bug is likely to only hurt a few of them
(and not propagate from them to others).   Likewise for many
other classes of programs.
</BLOCKQUOTE>
<BLOCKQUOTE>
The worst security risks are incurred by "monocultures" (a term
borrowed from agriculture).  If we all grow the same strains of
the same crops, one blight and we all starve.  If a few of us
grow one strain, others grow a different crop, etc --- then the
damage is limited and the blight doesn't spread as far or as
fast (since the various fields of any one crop/strain are
separated by buffer zones).
</BLOCKQUOTE>
<BLOCKQUOTE>
When you think about the effects of Melissa, and WinExplorere.zip
and the many other MS Windows macro viruses you see the inherent
risks in monoculture.  (You also see that Microsoft added
features to their office suite and mail client which make it
easy to write trojans and worms).
</BLOCKQUOTE>
<BLOCKQUOTE>
Computer systems and networks exhibit similar characteristics in
the face of hostile programmers.
</BLOCKQUOTE>
<BLOCKQUOTE>
(In other words diversity is good. Some of us should run <A HREF="http://www.freebsd.org/">FreeBSD</A>,
Solaris, and some completely non-UNIX operating systems that
aren't even C derived.  Some of us should run Linux on x86,
while others use Alphas, PowerPCs, etc.  Uniformity has some
short-term cost and training benefits --- but that way lies
great danger!).
</BLOCKQUOTE>
<BLOCKQUOTE>
How bad is this danger?
</BLOCKQUOTE>
<BLOCKQUOTE>
Well, I've been running an experiment.  I administer a system (a
web server for a small literary organization, a non-profit) which
is exposed to the Internet and gets very little administrative
attention.  I tend not to upgrade it until I have to.  It's been
cracked twice in three years.  It <EM>probably</EM> hasn't been cracked
on other occasions since I actually do have a sneaky trick up my
sleeve that allows me to detect and recover from the garden
variety "script kiddie" attacks fairly quickly (and remotely).  I
do say "probably" since anyone that asserts that he or she has
"never" been cracked or that he or she is "sure" that they are
secure is really a bit foolish.  You can have a very high degree
of confidence ---  but certainty in this case is a sin.
</BLOCKQUOTE>
<BLOCKQUOTE>
That is on a box which is effectively "wide open."  With a
modicum of configuration (not running inetd, limiting access
to any services you <EM>must</EM> run, updating your packages as bug
fixes are announced, etc) you can limit your chances of being
compromised to very low values.  Read the Linux Security HOWTO
and with about five percent of the effort described there you'll
eliminate well over ninety percent of the risk.
</BLOCKQUOTE>
<BLOCKQUOTE>
Note:  Symantec is apparently shipping an anti-virus for Linux.
I've heard that Trend is also testing one.  I guess these are
designed to catch the two strains of viruses that have been heard
of for Linux.  I also gather that they will scan your system for
MS-DOS and Windows macro viruses (well over 10,000 of those).
This is to protect the clients that might be using your Linux
system as an FTP, Samba, or NFS server, and to save you from the
infection on your "other OS" on those multi-boot systems.
</BLOCKQUOTE>
<BLOCKQUOTE>
Personally I suggested to Symantec (back when I worked there)
that the best Linux product they could release would be a simple
terminal to the PCAnywhere package.  Let me use a window on my
Linux system to remotely manage any MS Windows PCs that I have
to deal with.
</BLOCKQUOTE>
<BLOCKQUOTE>
They didn't listen, and now we don't need it.  VNC (*) seems to
do the job well enough, and we may stomp out most of MS Windows
before Symantec could code up a new PC Anywhere client.
</BLOCKQUOTE>
<BLOCKQUOTE><ul><li>
(Apparently ORL got acquired, so VNC is now at:
<A HREF="http://www.uk.research.att.com/vnc"
	>http://www.uk.research.att.com/vnc</A>)
</li></UL></BLOCKQUOTE>
<BLOCKQUOTE>
There are also a couple of packages for UNIX (some with Linux
ports) that will scan your mail for embedded PC/MS-DOS viruses
as it's relayed through your mail server.  This can help catch
many macro viruses (though the things are so easy to write that
the anti-virus software companies will always be a reactive
coping mechanism rather than a true solution).
</BLOCKQUOTE>
<BLOCKQUOTE>
Remember, a virus is just a bit of programming code.  It does
things that most recipients don't want --- but nothing short of a
brilliant AI (artificial intelligence) can be relied upon to
distinguish a virus from any other (benign) program.  "Heuristic"
virus scanners have been written --- they haven't fared
significantly better than the traditional reactive signature
scanners.
</BLOCKQUOTE>
<BLOCKQUOTE>
(I used to work for Symantec, and for McAfee.  I've read, heard,
and dealt with far more about PC and Mac viruses than I can
possibly type here).
</BLOCKQUOTE>
<BLOCKQUOTE>
Summary:  Don't worry about viruses on your Linux box.  They
aren't a problem.  As for the security concerns, just
lock down those stray networking services and don't give accounts
out on your system to people you don't trust.  If all you do is
add the following to your <TT>/etc/hosts.deny:</TT>
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><CODE>
ALL:ALL
</CODE></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
... you've done plenty to secure your home system from the
occasional portscan attack through your dial-up ISP connection.
</BLOCKQUOTE>
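<BLOCKQUOTE>
To show why that one line does so much, here is an added Python model
(not tcpd's own code) of the decision TCP Wrappers makes for each
connection, serving both the earlier advice to limit which networks may
reach the services you really need and the <TT>ALL:ALL</TT> line
above: <TT>/etc/hosts.allow</TT> is consulted first and a match grants
access, then <TT>/etc/hosts.deny</TT> and a match refuses it, and a
client matching neither is let in.  Only a subset of the real pattern
language is modelled (ALL, exact addresses, trailing-dot address
prefixes, address/netmask pairs and leading-dot hostname suffixes; no
EXCEPT lists and no name lookups), and the two sample files are
constructed for the example.
</BLOCKQUOTE>

```python
import ipaddress

# Constructed sample files, not from a real host: the column's one-line
# hosts.deny plus a hosts.allow that re-opens a few services to trusted
# sources.  Each line is "daemon_list : client_list", as tcpd reads it.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """\
# blank lines and lines starting with '#' are ignored
sshd: 192.168.1.
sshd: 10.0.0.0/255.255.0.0
ALL: 127.0.0.1
in.ftpd: .example.org
"""

def parse_rules(text):
    """Return [(daemon_patterns, client_patterns)] in file order.  A third
    ':' field (tcpd's optional shell command) is accepted and ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:            # a line with no ':' is malformed; skip it
            rules.append((fields[0].split(), fields[1].split()))
    return rules

def client_matches(pattern, addr, host=None):
    """Subset of tcpd's client patterns.  No DNS is done here, so the
    caller supplies host if hostname-suffix rules are to apply."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # ".example.org": hostname suffix
        return host is not None and host.endswith(pattern)
    if pattern.endswith("."):            # "192.168.1.": address prefix
        return addr.startswith(pattern)  # the dot keeps 192.168.10.x out
    if "/" in pattern:                   # "10.0.0.0/255.255.0.0": net/mask
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr or pattern == host

def rules_match(rules, daemon, addr, host):
    """First rule whose daemon list and client list both match wins."""
    return any(any(d in ("ALL", daemon) for d in ds)
               and any(client_matches(c, addr, host) for c in cs)
               for ds, cs in rules)

def access_allowed(daemon, addr, host=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd's order: hosts.allow grants, then hosts.deny refuses, then the
    default is to allow.  That default is why an empty hosts.deny leaves
    every wrapped service open and why "ALL: ALL" closes them all."""
    if rules_match(parse_rules(allow), daemon, addr, host):
        return True
    if rules_match(parse_rules(deny), daemon, addr, host):
        return False
    return True
```

With an empty <TT>hosts.allow</TT>, <TT>access_allowed</TT> refuses every client once <TT>ALL:ALL</TT> is in <TT>hosts.deny</TT>; each <TT>hosts.allow</TT> line then re-opens exactly one service to one source, which is the "limit the networks and systems" configuration the column recommends.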
<BLOCKQUOTE>
If you read the Security HOWTO (*) by Kevin Fenzi and Dave Wreski
and follow most of their suggestions then you'll probably never
have a problem.  Under Linux you can keep your system as
wide-open or just about as locked down as you like.
</BLOCKQUOTE>
<BLOCKQUOTE><ul><li>
(<A HREF="http://www.linuxdoc.org/HOWTO/Security-HOWTO.html"
	>http://www.linuxdoc.org/HOWTO/Security-HOWTO.html</A>)
</UL></BLOCKQUOTE>

<!-- sig -->


<!-- end 7 -->
<!--startcut ======================================================= -->
<P> <hr> <P>
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
	>Copyright &copy;</a> 1999, James T. Dennis 
<BR>Published in <I>The Linux Gazette</I> Issue 48 December 1999</H5>
<H6 ALIGN="center">HTML transformation  by
	<A HREF="mailto:star@starshine.org">Heather Stern</a> of
	Starshine Technical Services,
	<A HREF="http://www.starshine.org/">http://www.starshine.org/</A> 
</H6>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
</BODY></HTML>
<!--endcut ========================================================= -->