Closure of a previous question and new questions on system security apps...

Jeffrey F. Bloss jbloss at
Sun Jan 14 21:02:12 UTC 2007

Brian Lunergan wrote:

> Jeffrey F. Bloss wrote:
> > Maybe if you post some more specific information someone
> > could help you make an even more informed decision. Like are we
> > talking about a desktop or laptop. Newer hardware, or older?
> > General machine specs? Using DSL/Cable? What are your typical
> > usages? Email/web, IRC, file sharing, blogging, etc... Are you the
> > only user of your system, or will you be sharing it with others?
> > Are you or anyone else a gamer? Stuff like that will be what
> > dictates your ultimate best case solution, not what worked on your
> > Windows box.
> Well, let me see. It's a desktop. Ubuntu is one half of a dual-boot
> setup with Win XP sp2 Home. Mix of new and old hardware with nothing
> that would pass for leading (or even bleeding) edge technology. The
> processor is an 800MHz AMD Duron. There's 1.2Gb of RAM. The monitor a

That tells us that while resources aren't as critical as they might be
on really old hardware, they're not as plentiful as they would be on a
brand new whiz bang, cutting edge machine. At 800 and 1.2 you may find
that some things take an unacceptable amount of time, or slow overall
performance. That's a mostly subjective thing though. It's my firm
belief you can only type and read so fast anyway. :) 

> Benq LCD. The HD a recently purchased 80Gb unit. Maxtor or WD, I
> forget which. The sound card is a PCI512, and the modem is an
> external 56k by Gnet. Oh yes, the cd writer is an LG unit. I think
> that should cover all the hardware that might be relevant.
> Usage? Single user system. I don't IM, or game, and I'm not into the
> music/video upload/download thing regardless of the legality of the
> source or lack thereof. As far as what I do off the partition, I
> send and receive email, I do browse and download from the net but the
> browsing is mainly for research and reading and the downloading is
> only software from OOo, the R project, etc. and software updates. I

This says you're in a low risk group, and probably don't need some of
the things you used on Windows because they're either non-issues, or
built in. Firewalls on Win* platforms are in place mostly to manage the
services that are open to the public by default, and difficult to shut
off. Again, even on Windows it's better to just shut them off. There's
really no inherent reason to load a "personal firewall", it's just
infinitely easier than rooting around trying to kill every unnecessary
process reliably.

And you're not sharing any files of any consequence with your Windows
partition so a Windows virus checker is useless. The threats against
your Linux partition are going to come from two directions. People
trying to exploit things like buffer overflows in certain software with
malicious data, and script kiddies trying to guess your passwords. The
former is dealt with by keeping your system updated, the latter in your
case by not specifically opening up any service that allows a
connection which can be hammered on by the kids and their password
guessing programs. And you're not connecting to multiple local networks
so that whole can of worms is academic.

You really *don't* have any apparent need for AV or an active
firewall... *shrug*

> have also mounted an occasional link to the Windows side of the
> machine if there's something to move between them, after which the
> link is closed.

Since this apparently isn't email, there's no reason even for something
like ClamAV (from the perspective of your Win partition) which is mail
centric. Your Windows antivirus software should not only protect you by
scanning any Windows executable you might download while running
Linux, it should do a much better job of it in its "native" environment.

> Suggestive of anything? Waste of time to put ANY defensive tools in
> place, or is there a likely guard team that would be appropriate?

No, you just need different defensive tools because your threats are
different and your Linux installation poses no real threat to your
Windows installation. I'd still make sure I had a copy of rkhunter and
chkrootkit running at least once a day on the odd chance that someone
hits you with a 0-day exploit. You may even want to investigate
Bastille for locking things down a bit tighter, or something like
Nessus to scan your machine for known *nix problems. Although I don't
personally think either one of those is necessary either in your case.
You're simply not at risk as long as you don't decide to run a service
that you need to control access to, and keep your security updates

> Taking into account that I'm neither completely clueless about
> computing or paranoid about security. Instead I would characterize
> myself as just cynical enough about cyberspace as it now stands to

These are the "preconceived notions" I was talking about. Cynicism is
one thing, but letting it permeate your thinking to the point that
you're adding unnecessary junk which might itself be exploited, or
neglecting to address the *real* risks, is counter productive.

> believe that it is just a question of time before the crooks,
> scammers, schemers, and trouble makers search for new fodder on other

They're already searching. Linux boxes are real prizes, and computer
crooks go after them with a vengeance whenever they find them. I run a
home mail/web server that has SSH access for remote admin. I have to
use two firewalls, one on my router and one on the box itself, to both
allow that access and rate limit it so that I don't see hundreds upon
hundreds of brute force login:password guesses every day. My mail
server only listens for SSL connections, and requires authentication.
It also scans all incoming mail. ClamAV is nice because it picks up a
lot of those Phishing emails too. ;)

I had to put some of the extra, more "Windows like" tools in place
because of the way I do things. But again, when my laptop is connected
to the home network it runs "naked" even though I have SSH enabled on
it also. There's no path to that port from the outside because my
Linksys sends all that traffic to the server. I flip on Firestarter
when I'm at the library (or in a motel room in Tampa like yesterday),
but I wouldn't even do that if I didn't have something listening. No
need for it. When I ran Windows I did things exactly the same, but I
took the time to do the rooting around and hardening of Windows
itself. Overall my Windows box was *far* more secure than any box
running any firewall, anywhere. If I were going to run something like
that it would be a good IDS like Snort, although in that situation it
would be more of an informative tool because again, there's really no
way to exploit something that doesn't exist...

> platforms. I'd rather be as proactive as possible or practical rather
> than reactive and I think that may call for more than just keeping
> the system files up to date.

Suit yourself. If it gives you peace of mind that it has some
value. :) But don't delude yourself into thinking that because you have
software 'X' installed you're any safer than without it. You may
actually be more vulnerable. A quick Google for 'antivirus software
vulnerability' or such should turn up some interesting reading. :)

Trivia: I remember back in the day when virus authors started
"piggybacking" actual antivirus software and infecting executable files
when the AV software opened them for scanning. It was the safety
measure itself that led the BadThing(tm) right to the door step of your
innocent files. Routine scanning suddenly became a very dangerous
thing indeed. A fast infector would destroy every single
executable on your drive. Pretty efficient way to do things if you think
about it, considering that at the time most virus scanners only looked
at real executable files by default. ;)

     _?_      Outside of a dog, a book is a man's best friend.
    (o o)         Inside of a dog, it's too dark to read.
-oOO-(_)--OOo-------------------------------[ Groucho Marx ]--
    grok!              Registered Linux user #402208
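The "hundreds upon hundreds of brute force login:password guesses every day" described in the reply above are what an SSH password-guessing run looks like in the server's auth log. As an added example that is not part of the original post, this script parses sshd "Failed password" lines from a constructed sample of /var/log/auth.log, counts failures per source address in a sliding time window, and flags sources that exceed a threshold; the log lines, hostname, addresses and usernames are all constructed for the example, and the window and threshold values are assumptions you would tune for your own box. It is the detection half of what the rate-limiting firewall rules in the post are meant to prevent.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines in the syslog format sshd writes on
# Debian/Ubuntu hosts. Hostname, addresses and usernames are made up for
# this example (documentation ranges 203.0.113.0/24 and 192.0.2.0/24).
SAMPLE_AUTH_LOG = """\
Jan 14 20:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 14 20:01:03 host sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Jan 14 20:01:04 host sshd[1205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jan 14 20:01:05 host sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 51055 ssh2
Jan 14 20:01:07 host sshd[1209]: Failed password for invalid user guest from 203.0.113.7 port 51060 ssh2
Jan 14 20:05:10 host sshd[1301]: Failed password for jeff from 192.0.2.44 port 40001 ssh2
Jan 14 20:05:20 host sshd[1303]: Accepted password for jeff from 192.0.2.44 port 40002 ssh2
Jan 14 20:30:00 host sshd[1401]: Failed password for root from 203.0.113.7 port 51100 ssh2
"""

# Matches only failed password attempts; "invalid user" marks names that
# do not exist on the box, a typical sign of a dictionary-driven guesser.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2007):
    """Return a list of (timestamp, source_ip, username) for each failed login.

    syslog timestamps carry no year, so the caller supplies one (assumed 2007
    here to match the sample lines).
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def brute_force_sources(events, window=timedelta(minutes=5), threshold=5):
    """Map each source IP to its peak failure count inside any `window`,
    keeping only sources whose peak reaches `threshold`.

    A sliding window over the sorted timestamps avoids flagging a user who
    mistypes a password a few times over the course of a day.
    """
    stamps_by_ip = defaultdict(list)
    for ts, ip, _user in events:
        stamps_by_ip[ip].append(ts)

    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(stamps):
            # Drop timestamps that fell out of the window ending at `ts`.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def usernames_tried(events, ip):
    """Sorted distinct usernames a given source tried; a spread of generic
    names (admin, oracle, test...) distinguishes a guesser from a real user."""
    return sorted({user for _ts, src, user in events if src == ip})


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_AUTH_LOG)
    for ip, peak in brute_force_sources(failures).items():
        print(f"{ip}: {peak} failures within 5 minutes, "
              f"usernames tried: {', '.join(usernames_tried(failures, ip))}")
```

Run against a real auth.log by replacing SAMPLE_AUTH_LOG with the file's contents; the flagged addresses are the ones a rate-limiting rule on the router or host firewall, as described in the post, would have throttled. Any host that legitimately logs in often from one address (a backup job, a monitoring probe) should be excluded before acting on the list.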

More information about the ubuntu-users mailing list