Closure of a previous question and new questions on system security apps...

Jeffrey F. Bloss jbloss at tampabay.rr.com
Thu Jan 11 22:55:08 UTC 2007


Brian Lunergan wrote:

> > Consider taking a look at Opera. In my opinion it's a more "mature"
> > product, and if you're measuring your security applications by sheer
> > numbers of vulnerabilities and their severity Opera can't be beat by
> > any mainstream browser.
> 
> I had considered Opera but when I tried their windows edition a year
> or two back it didn't grab hold of my interest. Firefox may have its
> faults (as does all software) but at least it seems to show the same
> face on both platforms and it's a tool I have experience and a
> comfort level with. Unless there's something compellingly different
> about Opera for the Linux platform I'll stay with the fox for the
> time being.

User comfort is certainly a consideration. You're more likely to use
something you're familiar with in a secure way than you are something
you're struggling with. And to be honest Opera does some things in ways
that leave new users struggling. Either way you're light years ahead of
users of the default fare in some other worlds. ;) I'd strongly suggest
you include some of the security enhancement addons when you install
Firefox though. NoScript is a "must have" in my opinion. I'm sure
there are others, but as you probably guessed I'm an Opera enthusiast and
most of that functionality is built in. :) 

> >> edition of the anti-virus program I've used for the last year or so
> > 
> > Which one would that be? Sometimes you find that top of the line
> > Windows software loses something in the translation. One
> > "standard" on Linux boxen is ClamAV. Frisk (F-Prot) offers a free
> > Linux command line version also, that seems to maintain its
> > abilities across platforms. Clam is more email oriented, and even
> > catches quite a few phishing attempts. F-Prot is... well,
> > F-Prot. :) A good, solid scanner with frequent updates.
> 
> Actually, my choice for the moment is Avast from Alwil.

Avast will do a wonderful job of recognizing any Windows viruses your
Linux box might encounter. So unless you're running a mail server which
Windows boxes use, or otherwise sharing resources with Windows boxes,
it won't exactly be "overused".

I'd go with Clam if you want full "always on" protection. Let it scan
incoming mail and be done with it. Clam is outstanding in this respect,
but don't waste time with scheduled system scans, they're unnecessary. If
you want another layer then install something else (like F-Prot free
version) and run it against any new downloads and what not for as long
as you can stand seeing the "no viruses found" messages. ;)

What you probably will want along these lines is chkrootkit, rkhunter,
or ideally both. These programs test for the more common version of a
Linux "virus" called a root kit. Root kits are the nasty things that
attackers install after they've compromised your machine which give
the attacker free access to your system. Keeping attackers out is
handled in other ways, but should they fail... have good backups and be
prepared to gain some experience in the area of reinstalling Linux. ;)

Most of your "virus" protection will come in the form of things like
keeping your system updated, and simply not letting others have any
access with good passwords and not running unnecessary services.
Fortunately the latter is an easy job because that's the default
configuration. If there's no door, nothing can walk through it.

> >> on my windows setup, and have a trio of likely candidates to
> >> investigate for a firewall application. I'm looking for a good data
> > 
> > You should already have a firewall installed, you just need to
> > configure it. The reason it's not enabled by default is that Ubuntu
> > leaves nothing listening at its defaults so there's really no reason
> > for it. If you're talking about installing a front end to help you
> > configure and manage netfilter/iptables then that's fine, but don't
> > waste time looking for something that won't be any better, and
> > probably worse, than the stuff you have.
> 
> Ok, bad terminology on my part. I am new in the neighbourhood, so
> please do bear with me. I suspect the ones I'm looking at ARE probably
> gui shells for the existing components. Firestarter (I think that's
> the right name, although some posts seem to suggest it's problematic
> in its functioning), Guarddog, and one other for which the name
> escapes me at the moment.

I think the problem with Firestarter is more of a network configuration
issue. In my case I'm sure of it. On my Fedora box it started and ran
fine, but that machine was "hard wired" to the network. But that box
now runs LTS and a rudimentary set of firewall rules loaded via
script, mostly to log activity.

My laptop in essence has no network configuration, it seeks out and
connects to the best network it sees *after* I log in. I think this
"confuses" Firestarter. Others have reported the same issue, and there
is a workaround in the form of setting Firestarter to automatically
start once you've logged in rather than at boot time. In my case this
would be fine because as long as there's no network up nothing can "get
in" anyway.

I choose not to start it automatically because there's a perfectly
functional firewall in my router. When I use public access points like
at the library I start it, but only because I have SSH running and I
use the firewall to log/limit access to that service. 

There are a lot of other options. Many people simply use a script to load
their firewall rules at boot time. No need for any GUI. And if you're
using a default configuration there's nothing to manage anyway. Please
don't be suckered in by buzzwords like "stealth". There's a place and
time for blindly dropping packets, but most home users will never be in
that position. If your upstream network (ISP) is configured properly
"stealth" can even have an effect opposite to what it claims to provide.
It can actually be a beacon that tells an attacker there's a user with a
personal firewall in stealth mode, where simply giving a proper response
like the kernel normally would allows you to blend in with the rest of
the network.

> 
> >> backup solution to cd-rw, and an anti-spam application along the
> >> lines of the spampal program I've been using over on my windows
> >> setup.
> > 
> > Spamassassin and Bogofilter are again, two "standards".
> > Spamassassin is a little more feature rich, and a lot slower. It
> > also requires a daemon be running in many/most implementations.
> > Bogo is fast and lean, and seems to take to training a little
> > easier. At least on this system. Either one should work after it
> > learns its job, and as you say, nothing will catch 100%. For that
> > reason I'd say Bogofilter unless you were running your own mail
> > server. I run both. SA on my server and Bogo in my workstations. I
> > still occasionally see spam, but I'm not as aggressive as some.
> 
> Hmm, since I'm not running a server setup it sounds like Bogofilter
> will be the one to look into. Thanks for the idea.

Indeed. For a home user bogo is the better choice IMO. As long as your
mail client supports it (you may need to configure fetchmail/procmail
or an equivalent, but this would likely be necessary with SA also).

My choice, Claws-Mail, has a plugin. ;) 

> 
> >> Having said all that I can just hear all those Linux purists on the
> >> list getting ready to trot out the flames and put downs that I'm
> >> some
> > 
> > Why would anyone do that when you're asking legitimate questions?
> > 
> > Your sweeping generalization of people who prefer one environment to
> > another as prone to "trotting out flames and put downs" on the other
> > hand, certainly begs that caliber of reply. :-/
> 
> I was actually intending to counter a particular group of Linux
> supporters who seem to place almost religious faith in the security
> of their chosen tool and regard any suggestion such as I made as

Bottom line is, there really are pronounced differences between Windows
and Linux security. What you may see as "religious fervor" is more
likely than not just a recognition of these differences. Linux lays a
different set of issues on the table to deal with, and trying to
address them with "Windows logic" is fruitless. Conventional virus
scanning is a waste of time, as is throwing up a firewall in
front of something that doesn't exist. Even on Windows boxes it's
preferable to shut off unnecessary services rather than block them with
third party software. The problem is, Windows makes it difficult or
even impossible in some situations to shut off unwanted services. :(

The other side of the coin is that passwords and updates are an even
bigger issue on a Linux box because those things are the "built in"
ways a Linux box addresses security, as is monitoring the integrity of
your system, and examining logs for unusual activity. You'll be way
further ahead of the game installing rkhunter and configuring logwatch
to mail you regular updates than you are installing Avast or such. The
former adds something, the latter essentially nothing and you pay for it
in CPU cycles and drive space. Not to mention the fact that as you say
these are human created and thus imperfect inventions. There's an
outside chance that a mostly useless copy of Avast could be used as a
point of attack by a crafty crook who discovers a flaw in that
application.

It really is a completely different world, not perfect by any stretch,
but it does mean that if you're serious about staying secure you have
to adapt to a new set of rules and procedures. :)

-- 
     _?_      Outside of a dog, a book is a man's best friend.
    (o o)         Inside of a dog, it's too dark to read.
-oOO-(_)--OOo-------------------------------[ Groucho Marx ]--
    grok!              Registered Linux user #402208
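The script-loaded rule set the message describes (no GUI, log activity, log and limit SSH access on untrusted networks, and answer unwanted packets properly instead of "stealth" dropping them), written out as an added example; this is not the poster's own script, and the SSH port, log prefixes and rate limits are assumptions.

```shell
#!/bin/sh
# Script-loaded firewall for a single Linux workstation: log activity,
# log/limit new SSH connections, and refuse everything else the way an
# unfiltered host would (TCP RST / ICMP port-unreachable), not "stealth".
# Usage: ./fw.sh load  (as root)   or   ./fw.sh preview  (prints commands)
IPT="${IPT:-iptables}"        # set IPT=echo to preview without root
SSH_PORT="${SSH_PORT:-22}"    # assumed SSH port

fw_load() {
    "$IPT" -F INPUT
    "$IPT" -P INPUT DROP      # safety net only; the catch-all below answers
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Answer pings like any other host on the network, so we blend in.
    "$IPT" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # SSH: track new connections per source; a source that opens 4 or
    # more within 60 seconds gets logged and refused, the rest accepted.
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --set --name SSH
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --update --seconds 60 --hitcount 4 --name SSH \
        -m limit --limit 5/min -j LOG --log-prefix "FW-SSH-LIMIT: "
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --update --seconds 60 --hitcount 4 --name SSH \
        -j REJECT --reject-with tcp-reset
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT

    # Log whatever else arrives (rate limited so the log stays readable)...
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN: "
    # ...then refuse it with a proper response: RST for TCP,
    # port-unreachable for UDP and anything else.
    "$IPT" -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    "$IPT" -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

case "${1:-}" in
    load)    fw_load ;;
    preview) IPT=echo; fw_load ;;
esac
```

Run `./fw.sh preview` first to see the exact iptables commands; the rejected traffic shows up in the kernel log under the FW- prefixes, which is what logwatch can then mail you.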