Are firestarter and clamav really necessary ??


kudu
February 16th, 2006, 07:46 PM
Especially since I connect through a router, do I really need firestarter and clamav ?

rfruth
February 16th, 2006, 07:58 PM
The price is right & they don't cause any problems; on a more serious note I think it's good to send a strong signal that the Linux community is prepared for an attack - long story short I use both clamAV & firestarter ...

;)

nanotube
February 19th, 2006, 09:54 PM
my take on that would be a "no". although if you had to choose just one of the two, i would go with firestarter. :) a firewall is always a good thing... but there are no known viruses in the wild for linux, so your clamav would just be sitting there doing nothing and eating your resources.

Leo_01
February 20th, 2006, 09:26 AM
i guess you might want firestarter if you want a safe feeling when using ubuntu...(Maybe monitor traffic too?)

You might need clamAV if you are trading files with a lot of Windows systems often in your OWN network.
It really reduces the chance of all your Windows systems being infected with a crappy virus at one time.
Other than that clamAV is just useless...

az
February 20th, 2006, 10:02 AM
The price is right & they don't cause any problems; on a more serious note I think it's good to send a strong signal that the Linux community is prepared for an attack - long story short I use both clamAV & firestarter ...

;)

There is no reason to install them now. If there is ever the need, to install them would take about thirty seconds. Right now, I have better things to do with my bandwidth and cpu power.

And viruses are only a small fraction of security vulnerabilities. Windows is particularly vulnerable to them because of the way it is built. Unix is not particularly vulnerable to them for the same reason.

It is important to keep updated with all the security updates that are available to you, though. Just keep installing the updates and you will be fine.

nocturn
February 20th, 2006, 10:29 AM
Recently, people are starting to find out that virus scanners just don't work (on windows).

The first outbreak wave of the fast-moving viruses came hours before AV signatures were out, so relying on it for defense is a big mistake.

Firestarter is a good precaution though (I have it). The base install of Ubuntu is pretty secure, so you can do without.

bagel
February 20th, 2006, 11:39 AM
I have installed both ClamAV and firestarter.

ClamAV is only used to check a certain file now and then (seldom at the moment).

firestarter is always running, the only "attack" so far was some guy doing a Nessus scan on me :)

Ciao, bagel

psusi
February 20th, 2006, 11:46 AM
Aside from the placebo effect, installing them generally gets you nothing. There are no open ports in an out-of-the-box install of ubuntu, so there's nothing for firestarter to protect. There's also no known linux virii in the wild.

Almighty
February 20th, 2006, 12:01 PM
I don't understand why this topic is being brought up so much. How I look at things, having a Firewall is just like having a keyboard. When it comes to AV, I believe it should be a common practice to have one. Even if we aren't capable of having one of these bugs, we can still transmit them.

Bottom line... if you have a computer connected to the internet, you should have at a bare minimum a firewall (hardware preferably) and antivirus.

psusi
February 20th, 2006, 12:08 PM
I don't understand why this topic is being brought up so much. How I look at things, having a Firewall is just like having a keyboard. When it comes to AV, I believe it should be a common practice to have one. Even if we aren't capable of having one of these bugs, we can still transmit them.

Bottom line... if you have a computer connected to the internet, you should have at a bare minimum a firewall (hardware preferably) and antivirus.

This is a false perception as a result of limited knowledge and exposure to windows for too long. A firewall is only needed to deny access to services running on your PC to certain people. When you don't have stupid services installed by default, there is nothing for the firewall to deny access to. The only way you are going to spread a windows virus is if you get a windows executable in an email say, and forward it to other people. Why would you do such a thing? Just don't do that.

Almighty
February 20th, 2006, 12:14 PM
I understand what you are saying. Personally I NEVER open emails with executables. I just feel as though it's good general practice to have these things.

I do agree that I have been into the whole Micro$oft thing for too long, but it's my job, I kinda have to put up with its BS.

az
February 20th, 2006, 12:23 PM
I don't understand why this topic is being brought up so much. How I look at things, having a Firewall is just like having a keyboard. When it comes to AV, I believe it should be a common practice to have one. Even if we aren't capable of having one of these bugs, we can still transmit them.

Bottom line... if you have a computer connected to the internet, you should have at a bare minimum a firewall (hardware preferably) and antivirus.

With a sane security policy (nothing listening by default) a firewall will add nothing.

Unless you are running a mail server, you do not need a virus scanner. So by default, an Ubuntu desktop does not need these things.

Almighty
February 20th, 2006, 12:43 PM
Very true.

habrys
February 24th, 2006, 11:15 AM
I'm pretty new to the Linux world, so please explain a few things to me. I used to pay attention to having a firewall (ZoneAlarm) and antivirus (Avast!) always installed and running on my XP boxes.

Now I'm trying to switch to Linux (SuSE 9.3, 10.0 previously, now Ubuntu 5.10, which I am very impressed with), but I'm a little concerned about security.

1. No antivirus seems mostly ok for me with the way the sensitive parts of the system are protected from access by a normal user (only root or sudo can do everything). But, what if I start something infected while performing some administrative tasks as root? I know it's not very likely, there are very few viruses for Linux etc., but still... it seems to present a small security gap. Correct me if I'm wrong.

2. What I'm way more concerned about is not controlling which applications are calling home, like for example ZoneAlarm does. Even if I'm behind a router with a hardware firewall and behind the Linux software firewall (firestarter or whatever), I have only inbound protection, right? If there is a keylogger on my system which wants to transmit my keystrokes to somebody over the internet - I get no warning from the firewall. Am I right or is this somehow addressed? It is the most important and criticized weakness of the in-built Windows XP firewall. Is the Linux firewall not better?

Should I be concerned?

ollyshaw
February 24th, 2006, 12:10 PM
Personally I found there to be a couple of problems with firestarter.

I don't use anything at home, where I have a hardware firewall. At work, there is LOADS of network traffic, so I use guarddog, which once you get your head round it is great.

Olly

az
February 24th, 2006, 03:24 PM
1. No antivirus seems mostly ok for me with the way the sensitive parts of the system are protected from access by a normal user (only root or sudo can do everything). But, what if I start something infected while performing some administrative tasks as root? I know it's not very likely, there are very few viruses for Linux etc., but still... it seems to present a small security gap. Correct me if I'm wrong.

Viruses attack windows because there are holes that cannot be closed, as far as I understand it. In linux, this is not the case. That's why viruses are not a type of vulnerability to which linux is prone. The user/root privilege separation has nothing to do with it.

Windows now uses such a privilege structure.

And exploiting a vulnerability like a buffer overflow can result in arbitrary code being run as root. This is known as privilege escalation and is something that is constantly found and patched in linux. Keep up with your security updates!

2. What I'm way more concerned about is not controlling which applications are calling home, like for example ZoneAlarm does. Even if I'm behind a router with a hardware firewall and behind the Linux software firewall (firestarter or whatever), I have only inbound protection, right? If there is a keylogger on my system which wants to transmit my keystrokes to somebody over the internet - I get no warning from the firewall. Am I right or is this somehow addressed? It is the most important and criticized weakness of the in-built Windows XP firewall. Is the Linux firewall not better?

There are tons of such applications, as mentioned. Also, since we use centralised repositories, it is less likely that you will be running such an application. You install stuff from outside repositories at your own risk, you know.

habrys
February 24th, 2006, 04:32 PM
Viruses attack windows because there are holes that cannot be closed, as far as I understand it. In linux, this is not the case. That's why viruses are not a type of vulnerability to which linux is prone. The user/root privilege separation has nothing to do with it.
Err... I always thought that viruses are pieces of executable code "glued" to normal programs, which execute themselves on startup of the given program. After the malicious code did its thing, the normal program is executed, so the user can't notice any difference. And the virus (in the "doing its thing" phase) can for example modify other programs from say /usr/bin in case of Linux (like sudo for example) - spread itself. Or wipe the whole partition. This can be prevented when you work as a normal user, without root privileges. You cannot modify sudo or wipe the partition, because you don't have the rights. But I really cannot see how exactly Linux should be less prone than Windows to the above scenario if you work as root.

Windows now uses such a privilege structure.
Well... of course. The subtle difference is, under Linux your default user has no root privileges and under Windows your default user has administrator rights. You can limit your rights in Windows of course, but you have to be aware of security risks and actually do something to achieve it. Most users don't know that. I think that's a huge difference. But that's a topic for another discussion actually... :)

And exploiting a vulnerability like a buffer overflow can result in arbitrary code being run as root. This is known as privilege escalation and is something that is constantly found and patched in linux. Keep up with your security updates!
That's another story and the situation in Windows is just the same. There are also Online Updates in Windows world. The only difference is that maybe the Linux community reacts faster to close security holes. And of course the sources are mostly open, so no hidden backdoors for FBI etc.

There are tons of such applications, as mentioned.
Could you recommend something?

Also, since we use centralised repositories, it is less likely that you will be running such an application. You install stuff from outside repositories at your own risk, you know.
Centralised repositories are great and very complete for Ubuntu. But there are still many applications, which cannot be found there. And it will always be this way. I installed Ubuntu like a week ago and already had to install 4 applications, which are not available over apt/synaptic:
Firefox 1.5
Thunderbird 1.5
Skype
Azureus
I don't think you really can limit yourself only to the software from repositories. And even repositories cannot guarantee 100% security, I think...

earobinson
February 24th, 2006, 04:35 PM
Recently, people are starting to find out that virus scanners just don't work (on windows).

The first outbreak wave of the fast-moving viruses came hours before AV signatures were out, so relying on it for defense is a big mistake.

Firestarter is a good precaution though (I have it). The base install of Ubuntu is pretty secure, so you can do without.
exactly, anti-viruses are actually virus doctors: all they can do is fix problems they know about.

And I think this is the 10th security thread i have read ... sticky one of them?

xequence
February 24th, 2006, 04:36 PM
Are firestarter and clamav really necessary ??

Nope, not at all.

Artificial Intelligence
February 24th, 2006, 04:42 PM
exactly, anti-viruses are actually virus doctors: all they can do is fix problems they know about.

And I think this is the 10th security thread i have read ... sticky one of them?

Done.

lean
February 25th, 2006, 07:46 AM
habrys:

You are completely right. There is no outbound protection in Ubuntu. There are many reasons for this:
1. People do not think they can get spyware because they use central repository.
2. The architectural problems are a little advanced. The programs need to be monitored when they start, and be recognised if they have been started before. This will probably need a kernel module, and nobody has done it.
3. A virus could probably use a certified process to send messages. So the virus could just start firefox http://somehomepage.com/yourpersonalinfo, or wget http://somehomepage.com/yourpersonalinfo. The OS would not be able to distinguish if it was a user who made the request, or a malicious piece of software.

So it is a case of plugging 90% of the holes in the ship, but it won't stop the ship from sinking, since all the water comes in the last 10%.
At the moment people are just fixing 0%, to be 'in the honest'.

So outbound connection limiting in a simple form will help you thwart programs made by people who do not think you are using it. Programmers who know that you are running it are just using another way of sending your data.

nanotube
February 25th, 2006, 07:25 PM
yes, the lack of outbound protection i think is one big piece that is lacking currently in iptables (and thus firestarter, which is just a gui for iptables). iptables can filter by the "name" of the process, (see man page for iptables, get to the matching by owner section. or just search for "--cmd-owner".) but it is still pretty primitive.

however, if you do want a robust per-process privilege setup, you should look into systrace (http://www.citi.umich.edu/u/provos/systrace/). that can let you configure so many things you won't know where to start! :) unfortunately, it seems that installing it would require recompiling your kernel with a systrace patch. not too friendly at the moment.

unless some kind ubuntu dev/packager would consider making a kernel version with systrace in it (or maybe a loadable module... i am not sure exactly what would work for systrace since i have not actually used it)? (wink wink hint hint) :)

Matchless
February 26th, 2006, 04:50 AM
Viruses attack windows because there are holes that cannot be closed, as far as I understand it. In linux, this is not the case. That's why viruses are not a type of vulnerability to which linux is prone. The user/root privilege separation has nothing to do with it.

Windows now uses such a privilege structure.

And exploiting a vulnerability like a buffer overflow can result in arbitrary code being run as root. This is known as privilege escalation and is something that is constantly found and patched in linux. Keep up with your security updates!
There are tons of such applications, as mentioned. Also, since we use centralised repositories, it is less likely that you will be running such an application. You install stuff from outside repositories at your own risk, you know.

But imho we must remember that we live in the real world, where other OSes are used by the majority of people and even by linux users themselves. Files are sent and received continuously via email, downloads and uploads, transfers etc. between linux and Windows PCs. Just think of image files, music files, Office files etc. For example if an Ubuntu user receives a nice image as an attachment with an email or downloads it from the internet and it contains a virus, it would be a very good idea to scan these files on receipt and remove the virus before passing them on to friends and family! Yes, linux itself may not be affected by the virus, but do we really want to unwittingly help distribute any virii? I feel so strongly about this that I feel Dapper should include a good anti-virus as standard.

habrys
February 26th, 2006, 07:20 AM
You are completely right. There is no outbound protection in Ubuntu.

So no outbound protection in Linux? That's pretty bad news for me. I use my computer for internet banking among others and am pretty focused on security because of that. You may think I'm a little paranoid, but I actually have had a windows keylogger which transmitted something over the internet. No financial losses so far, but ... when you type in your bank account username and password a few times a day, keyloggers are no longer a distant and theoretical threat - outbound protection becomes a pretty basic and necessary feature.


There are many reasons for this:
1. People do not think they can get spyware because they use central repository.

As I said before: not everything can be found in repositories, even if they are pretty complete as it is in case of Debian/Ubuntu.


2. The architectural problems are a little advanced. The programs need to be monitored when they start, and be recognised if they have been started before. This will probably need a kernel module, and nobody has done it.
I have no doubts it's technically challenging, but I'm sure it can be done. I have no idea how exactly ZoneAlarm handles these things internally, but I can tell you how it looks from the user perspective.
By default no applications have rights to transmit anything. If some application (like Firefox) tries to access the internet, you get a popup question whether it should be allowed or denied once or persistently. No matter what your answer is, the application's hash (MD5 or something) is stored with the appropriate right (allow, deny etc.) assigned. It is done not only on the application level, but also on the library level (dll), so no so-called "library injection attack" is possible. A similar procedure is used when some application tries to actively open some port(s) for listening - act as a server (like eMule or some online game). Moreover ZoneAlarm opens the port(s) for listening only when the application which has "server rights" granted requests that (usually simply when it starts) and closes the given port(s) when it stops. Actually even more than closes, they are stealthed, so not visible from the internet zone at all. So the eMule server ports for instance are only opened when eMule works. This is all for free - I mean the free version of ZoneAlarm can do that (it's not GPL, just freeware for home users).


3. A virus could probably use a certified process to send messages. So the virus could just start firefox http://somehomepage.com/yourpersonalinfo, or wget http://somehomepage.com/yourpersonalinfo. The OS would not be able to distinguish if it was a user who made the request, or a malicious piece of software.

This is addressed in the Pro version of ZoneAlarm, which is no longer free, sadly. If some application tries to start some other application or service, it also needs rights to do so. So if you click on a link in mail, Thunderbird needs rights to start Firefox - which are assigned just as easily as described above: you get a popup question and can answer "allow", "deny", "allow always", "deny always". Very nice and simple indeed.

Additionally you have a list of all applications and dlls with their assigned rights stored in the ZoneAlarm database, which you can manage at will. I tend to check the list every week or so and delete all things I don't know by name. This way if it was something I don't really use - no problem; if it was regularly used, but I don't recognize it by name, it has to ask ZoneAlarm for rights again.


So it is a case of plugging 90% of the holes in the ship, but it won't stop the ship from sinking, since all the water comes in the last 10%.
At the moment people are just fixing 0%, to be 'in the honest'.

So outbound connection limiting in a simple form will help you thwart programs made by people who do not think you are using it. Programmers who know that you are running it are just using another way of sending your data.
See above - this 10% can be handled as well.

I think Linux needs something like that. Or maybe something like that already exists?

And lean, thank you for clarifying this to me. No internet banking under Linux then I suppose, as long as I don't find an acceptable solution. Another reason, besides games, to keep XP in a dual-boot configuration...

habrys
February 26th, 2006, 07:49 AM
however, if you do want a robust per-process privilege setup, you should look into systrace (http://www.citi.umich.edu/u/provos/systrace/). that can let you configure so many things you won't know where to start! :) unfortunately, it seems that installing it would require recompiling your kernel with a systrace patch. not too friendly at the moment.


Thank you for the hint. The screenshots look very promising indeed. Compiling a kernel module does not, but I think I'll give it a shot nevertheless.

Actually your link didn't work, but I've found it here:
http://www.systrace.org/

Just one more thought: it seems pretty complicated - I mean installing and then defining of the rules too. I bet no average user will bother. Something like that, but with simple and pretty interface and preinstalled should be definitely part of most of the linux distributions. Maybe keyloggers are not a big problem now, when Linux has just 2-3% of desktop market share, but in a few years...

psusi
February 27th, 2006, 10:43 AM
So no outbound protection in Linux? That's pretty bad news for me. I use my computer for internet banking among others and am pretty focused on security because of that. You may think I'm a little paranoid, but I actually have had a windows keylogger which transmitted something over the internet. No financial losses so far, but ... when you type in your bank account username and password a few times a day, keyloggers are no longer a distant and theoretical threat - outbound protection becomes a pretty basic and necessary feature.

You place too much trust in outbound protection, elevating it merely to placebo. The only function outbound protection serves is to ( weakly ) attempt to detect when you have already been infected. It is far better to prevent infection in the first place. This is the general attitude of the linux community, and this is why ubuntu makes sure that you can't get infected in the first place.

If you can't get infected in the first place, "outbound protection" does nothing for you, which is why nobody has bothered to implement it.


I have no doubts it's technically challenging, but I'm sure it can be done. I have no idea how exactly ZoneAlarm handles these things internally, but I can tell you how it looks from the user perspective.
By default no applications have rights to transmit anything. If some application (like Firefox) tries to access the internet, you get a popup question whether it should be allowed or denied once or persistently. No matter what your answer is, the application's hash (MD5 or something) is stored with the appropriate right (allow, deny etc.) assigned. It is done not only on the application level, but also on the library level (dll), so no so-called "library injection attack" is possible. A similar procedure is used when some application tries to actively open some port(s) for listening - act as a server (like eMule or some online game).


Give me a few hours and a pot of coffee and I'll show you a program that bypasses all that. It sounds fancy on paper, but it's really just another layer of tissue paper protecting you when you already have an Abram's A1 tank at your door.


Moreover ZoneAlarm opens the port(s) for listening only when the application which has "server rights" granted requests that (usually simply when it starts) and closes the given port(s) when it stops.


That isn't anything that ZoneAlarm does; that's simply how the TCP protocol works. When there isn't anyone listening, the port is closed.


Actually even more than closes, they are stealthed, so not visible from the internet zone at all.

Stealthing ports violates the TCP protocol and doesn't add any protection. It just means that if the port is closed, rather than inform someone trying to connect to it "this port is closed, go away" stealthing just ignores the request. Either way the remote does not get a connection so it doesn't make any difference to security, it just annoys the hell out of people who wonder why the connection is just sitting there rather than either working or being rejected.

habrys
February 27th, 2006, 11:38 AM
It is far better to prevent infection in the first place. This is the general attitude of the linux community, and this is why ubuntu makes sure that you can't get infected in the first place.
I can only agree with that: better prevent an infection, than cure it. But I really cannot see how Ubuntu "makes sure that you can't get infected in the first place". Explain, please and remember I'm a Linux newbie.

If you can't get infected in the first place, "outbound protection" does nothing for you, which is why nobody has bothered to implement it.
I cannot agree that outbound protection "does nothing for you". Treat it just as another layer of protection. If the first layer fails (for example antivirus lacking a signature of a fast-spreading virus), there is always the second layer: outbound protection. Of course it can be bypassed too given time, effort and enough coffee, but... it can very well help as well. It's just a question of odds. Without outbound protection the chances it catches a keylogger transmitting something are 0%, right? With it sitting in place they are significantly bigger I'd say.

And now an example. I got something called "Blazing Tools Perfect Keylogger" under Windows XP a few months ago. It was hidden in a trojan horse, installed itself silently in the system and tried to transmit my keystrokes somewhere. The antivirus program didn't detect it. But ZoneAlarm gave me a warning "bpk.exe tries to access the internet: allow, deny etc." The first layer of defense (antivirus) didn't work (probably lacking the signature), but the second layer actually did its work excellently.

And now an example from the Linux world. I tried to find out if there are keyloggers available for Linux too. That's true, they are much more difficult to find than in the Windows world. But I found one: lkl. It can be installed to start silently, listen on the keyboard port (0x60 if I remember correctly), log the keystrokes to a file and even send mails with reports to a given address. I did it all and Ubuntu did nothing to give me a warning. lkl even nicely recorded my linux user and password, which I type in when logging into Ubuntu. Not to mention passwords and other things I typed in web forms (bank accounts!). Little explanation: I started lkl with a script in /etc/init.d, so it was already running before the Ubuntu login screen shows up :)

Now I'm really a Linux newbie, who just knows how to google to find useful information. I don't want to think what a person with much more knowledge could do.

lkl is still pretty primitive (version 0.1) as it starts in userspace and not as a kernel module. And of course it cannot install itself without root privileges. But still... I can imagine a trojan horse with lkl attached, which can install itself in one of those rare moments, when you work as a root. All right, all right you have to sudo and there is no root account in Ubuntu. But I know people, who do "sudo konqueror" to do their root tasks. And you can always activate the root account, even in Ubuntu.

What I'm trying to say is, I think lack of outbound protection is still a security gap in my opinion. Not as huge as in case of Windows, but it should be closed some day, especially if Linux gains much more popularity...

That isn't anything that ZoneAlarm does; that's simply how the TCP protocol works. When there isn't anyone listening, the port is closed.
Of course. I only mean the firewall for this port is closed as well, not only the port itself. When another application which is not authorised tries to listen on the same port, it won't get permission.

Stealthing ports violates the TCP protocol and doesn't add any protection. It just means that if the port is closed, rather than inform someone trying to connect to it "this port is closed, go away" stealthing just ignores the request. Either way the remote does not get a connection so it doesn't make any difference to security, it just annoys the hell out of people who wonder why the connection is just sitting there rather than either working or being rejected.
If stealthing ports violates TCP protocol, then I violate TCP protocol anytime I switch my PC off or disconnect from the net any other way. I stealth all my ports then :) And another thought: I have nothing against annoying someone trying to scan my ports :)

But seriously, don't you think it's safer when all your ports are stealthed, as opposed to just closed? If all the ports are stealthed, then you are practically invisible from outside. I think invisible is better than closed. After port scanning no other attempts to compromise your system are made - the hacker or rather script kiddie thinks your machine doesn't exist and moves on, right?

One more thought: my router (Netgear WGR614) running a hardware firewall also prefers to stealth ports per default instead of just closing them. It cannot be a coincidence, right? :)

nanotube
February 28th, 2006, 01:29 AM
habrys, your arguments seem valid to me.

psusi, i will try to point out how good outbound protection works, and then i think you will see that it is not as easy as you say to bypass it.

first, it checks to see what process is starting a connection to the outside, and runs a checksum verification on the executable to make sure it has not changed. if it has - it warns you. so if some trojan has modified firefox or any other executable that "normally" would be allowed to access without challenge, that will be detected, and prevented.

second, all programs are also by default prevented from spawning other processes - so your keylogger/trojan cannot just spawn firefox or wget and access the net that way.

so while it's always better to prevent infection rather than contain it afterwards, containment does serve as one of the valuable layers of protection, and is not quite as trivial to bypass as you make it out to be.
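As an added illustration of the checksum step nanotube describes (this is not code from any poster, from ZoneAlarm or from Firestarter): a small POSIX shell baseline-and-verify routine. It records a SHA-256 hash for every file under a directory, and later reports any file that has changed or gone missing. It assumes GNU coreutils (sha256sum, find -print0, sort -z). The half that maps a live outbound connection back to the process that opened it is not shown here; this is only the "has this binary changed since I trusted it?" check.

```shell
#!/bin/sh
# Added example for this thread: baseline hashes of executables and verify them later.
# Assumes GNU coreutils. Not taken from Firestarter, ZoneAlarm or any post above.

# record_baseline DIR BASELINE_FILE
# Writes "sha256  path" lines for every regular file under DIR, in a stable order.
record_baseline() {
    dir="$1"
    out="$2"
    find "$dir" -type f -print0 | sort -z | xargs -0 sha256sum > "$out"
}

# verify_baseline BASELINE_FILE
# Re-hashes every path listed in the baseline. Returns 0 if all still match,
# 1 if any file was modified or removed; prints one line per discrepancy.
verify_baseline() {
    base="$1"
    status=0
    while read -r hash path; do
        if [ ! -f "$path" ]; then
            echo "MISSING:  $path"
            status=1
            continue
        fi
        now=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$now" != "$hash" ]; then
            echo "MODIFIED: $path"
            status=1
        fi
    done < "$base"
    return $status
}

# usage (hypothetical paths):
#   record_baseline /usr/bin /var/lib/my-baseline.sha256
#   verify_baseline /var/lib/my-baseline.sha256 || echo "something under /usr/bin changed"
```

Keep the baseline file somewhere the processes you are checking cannot write, otherwise anything that can alter the binaries can alter the baseline too; and note that an unchanged binary run by a malicious process, as lean's point 3 describes, passes this check by design.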

nocturn
February 28th, 2006, 02:42 AM
I have seen the issue of outbound filtering raised here. And Ubuntu does support it, even natively if you want (iptables).

It is just not activated by default because it would break connections for most newbie users (Windows SP2 firewall also doesn't do outbound filtering, I suspect mainly for the same reason).

Install Firestarter and set the outbound policy to restrictive (deny by default). It can be set up to ask to open a port on each request.

nocturn
February 28th, 2006, 02:50 AM
But imho we must remember that we live in the real world, where other OSes are used by the majority of people and even by linux users themselves. Files are sent and received continuously via email, downloads and uploads, transfers etc. between linux and Windows PCs. Just think of image files, music files, Office files etc. For example if an Ubuntu user receives a nice image as an attachment with an email or downloads it from the internet and it contains a virus, it would be a very good idea to scan these files on receipt and remove the virus before passing them on to friends and family! Yes, linux itself may not be affected by the virus, but do we really want to unwittingly help distribute any virii? I feel so strongly about this that I feel Dapper should include a good anti-virus as standard.

I would not object per se to Dapper having a virus scanner in main (not on the install disc mind you), but if they enable stuff like on-access scanning, I'm out.

I don't want my box slowed to a crawl just because of a flawed security dogma.

And again, virus scanners are a remedial security measure, not a real prevention. If you receive a virus (via mail or otherwise) it may not be detected at all until your signatures are prepared for it.

I would rather have the devs focus on SELinux in Dapper and PaX, which are both generic security measures that help protect you against both human attackers and viruses.

Regarding forwarding viruses to windows users. It is in part their problem and their responsibility to buy those expensive commercial scanners as well as not running with admin privileges (despite this being the default).
And they are better served with a virus scanner on an SMTP server checking both incoming and outgoing mails of all users (preferably running more than one AV).

nocturn
February 28th, 2006, 03:00 AM
So no outbound protection in Linux? That's pretty bad news for me. I use my computer for internet banking among other things and am pretty focused on security because of that. You may think I'm a little paranoid, but I actually have had a windows keylogger, which transmitted something over internet. No financial losses so far, but ... when you type in your bank account username and password a few times a day, keyloggers are no longer a distant and theoretical threat - outbound protection becomes a pretty basic and necessary feature.

To be quite frank, this is simply untrue, both in facts and reasoning.
Linux does have outbound protection and it always had. You can even turn it on without a GUI frontend, just set the default outbound policy to DENY.

Firestarter can do this from the GUI.

But don't expect this to be an all-in protection measure. A trojan typically comes via an allowed channel (like mail) and if it gets as far as being run, it can just as well disable both the firewall and AV software, there have been viruses that do this on windows.

You can buy yourself much more security at a lower cost by other measures, like not using things like ActiveX, by not having a mail client that can execute code in messages and by not blindly executing stuff you don't know (mail attachments).

I care a great deal about security, but I have always held the belief that you should plug the biggest holes first. It makes no sense to put your finger in a small hole in your boat when half of the hull has been ripped off.

Even if you have to download packages off the net that are not in the safe repositories, take a few precautions. Use either alternative repositories that are well known or download packages from the main site of a project. Verify MD5 sums and PGP sigs if they are provided etc.

If you're a rather advanced user, do activate the outbound protection of firestarter or at least log and monitor outgoing connections.

nocturn
February 28th, 2006, 03:18 AM
I can only agree with that: better prevent an infection, than cure it. But I really cannot see how Ubuntu "makes sure that you can't get infected in the first place". Explain, please and remember I'm a Linux newbie.


Linux protects you by blocking off the infection paths. Having things like ActiveX or macros in mails and documents that are automatically run on opening is just a plain bad idea.

How would you get a Linux E-mail virus? The steps would be:
1. Receive mail
2. Save attachment to disk
3. Give attachment on disk an executable flag (+x)
4. Run the attachment
5. Because step 4 didn't infect the system as a whole, rerun attachment with sudo before it
6. Enter your password to make it work.

In the same way, I would rather have the Ubuntu team work on PaX and SELinux as a default which are real security measures (PaX prevents buffer overflows and SELinux is a security policy framework that is more advanced than application level firewalling).


I cannot agree, that outbound protection "does nothing for you". Treat it just as another layer of protection. If the first layer fails (for example antivirus lacking a signature of a fast spreading virus), there is always the second layer: outbound protection. Of course it can be bypassed too given time, effort and enough coffee, but... it can very well help as well. It's just question of odds. Without outbound protection chances it catches a keylogger transmitting something are 0%, right? With it sitting in place they are significantly bigger I'd say.


On Windows XP, your defense layers are already weak if you use Outlook and IE and almost non-existent if you run with admin privileges (which is still more difficult to avoid than on Linux). If you do not add something like ZoneAlarm or Anti-virus, there would be little defenses left.

I don't know how you got the keylogger on XP, but it didn't appear on your system by magic. It must have had an entry path, being an E-mail or a malicious website. It probably was executed with admin rights?

Instead of protecting what it could do once it had access to your system, it should have been prevented from entering it. You do know that the only secure way to recover from any infection (also on *nix) is to do a full reinstall? That is why preventing a compromise is so important, but you need an additional defense once you do get infected. It is just that AV and outbound filtering may not be that defense (I believe stack protection, non-executable memory and a policy such as SELinux are that defense).



And now an example from the Linux world. I tried to find out if there are keyloggers available for Linux too. That's true, they are much more difficult to find, than in Windows world. But I found one: lkl. It can be installed to start silently, listen to keyboard port (0x60 if I remember correctly), log the keystrokes to a file and even send mails with reports to a given address. I did it all and Ubuntu did nothing to give me a warning. lkl even logged nicely my linux user and password, which I type in when logging into Ubuntu. Not to mention passwords and other things I typed in web forms (bank accounts!). Little explanation: I started lkl with a script in /etc/init.d, so it was already running before Ubuntu login screen shows up :)


Of course they exist, most programmers can write one in about an hour. But the key remains how to get them installed with ROOT access without the users consent on a system (I presume you installed it nicely with sudo).

How would this keystroke logger have entered your Ubuntu system without your knowledge, much the same as happened to your XP system despite the presence of AV and a firewall?

doclivingston
February 28th, 2006, 03:37 AM
second, all programs are also by default prevented from spawning other processes - so your keylogger/trojan cannot just spawn firefox or wget and access the net that way.

"Program <mumble> is attempting to launch the program wget, do you wish to allow it?" "Program <mumble> is trying to open a listening port, do you wish to allow it?"


How many people do you think can answer those correctly? (excluding people who know a fair bit about network security).

Outbound connection filtering requires the user to know what should be allowed to access the network. In general, users don't know that. Similarly, if your system doesn't have any ports open by default, inbound filtering requires the same knowledge.

Inbound filtering is useful on Windows because it has ports open by default.

habrys
February 28th, 2006, 05:18 AM
First of all thank you for comprehensive answers to my questions, nocturn.

Install Firestarter and set the outbound policy to restrictive (deny by default). It can be set up to ask to open a port on each request.

Can it be configured per application? I don't want to be asked to open a port after every click on a weblink in Firefox. I want to have a possibility for example to give only Firefox permissions to access internet over port 80. Based on checksum, so I will be asked again when I update Firefox from version 1.5 to 1.5.0.1. Or when something malicious manipulates binaries of Firefox. But no more often.

Is it possible with iptables/Firestarter?

It's rather obvious, that nobody using Linux for desktop purposes turns on an outbound protection, which asks for permission on each http request.

habrys
February 28th, 2006, 05:47 AM
How would you get a Linux E-mail virus? The steps would be:
1. Receive mail
2. Save attachment to disk
3. Give attachment on disk an executable flag (+x)
4. Run the attachment
5. Because step 4 didn't infect the system as a whole, rerun attachment with sudo before it
6. Enter your password to make it work.

Yes, this is one of the possibilities to get a trojan.
Another would be:

1. You installed Ubuntu being a total newbie.
2. You discover, you cannot play mp3, most of movies, DVDs etc.
3. You search forums for simple solutions and read about something called Automatix, which installs all of it for you in one step.
4. You download, install and run Automatix.
5. You get asked for password. It's normal during installation, so no worries.
6. Automatix adds a bunch of 3rd party repositories to your sources list. You won't read everything listed in this small terminal, typically, so you have no clue. Or even don't know what repositories and sources list are.
7. Quite a lot of new packages, most of them from 3rd party repositories get installed. You have no real overview what exactly, but you are happy, because mp3, movies and DVDs playback works now.

Now let's say some small application from 3rd party repositories is a trojan horse with a keylogger. You have no outbound protection. Bad luck...

Is the above scenario so impossible?


I don't know how you got the keylogger on XP, but it didn't appear on your system by magic. It must have had an entry path, being an E-mail or a malicious website. It probably was executed with admin rights?

It was a test. I wanted to see how secure my machine is. I prepared the trojan myself, sent myself a mail with attachment, yes opened and ran the attachment, a pretty and funny screensaver with trojan attached and observed what happens.


Instead of protecting what it could do once it had access to your system, it should have been preventing from entering it.

Why instead? Why not have both? You really think AV and outbound filtering are so useless, it's not worth effort to implement them?


Of course they exist, most programmers can write one in about an hour. But the key remains how to get them installed with ROOT access without the users consent on a system (I presume you installed it nicely with sudo).

How would this keystroke logger have entered your Ubuntu system without your knowledge, much the same as happened to your XP system despite the presence of AV and a firewall?
Using Automatix with 3rd party repositories for example. Or downloading and installing by hand some application, which is not available in repositories. Just don't tell me, that everything can be found in repositories. It cannot and it never will be this way - even if Ubuntu's repositories are in fact very complete.

nocturn
February 28th, 2006, 05:51 AM
Can it be configured per application? I don't want to be asked to open a port after every click on a weblink in Firefox. I want to have a possibility for example to give only Firefox permissions to access internet over port 80. Based on checksum, so I will be asked again when I update Firefox from version 1.5 to 1.5.0.1. Or when something malicious manipulates binaries of Firefox. But no more often.


You have several options here. You can either allow connections based on ports (so, outbound policy is deny), each time an app wants access, the firewall prompts you to open that port outbound (for all, not one app).

This is possible with Firestarter.

There is also an option to use the --cmd-owner option in iptables to allow connections based on the launching process. Firestarter does not provide this (maybe other GUIs do, but I don't know).

But I maintain that filtering based on application checksums (or names) provides no extra security. If a malicious application already has root rights (to overwrite binaries) it will not have any trouble disabling the firewall entirely.

It provides a false sense of security if you think this will make your system secure and that is more dangerous than any problem it solves.
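A worked version of the two options nocturn describes above (a deny-by-default outbound policy, and an allow rule tied to the process that opens the connection), added here as an example and not code from the thread or from Firestarter. One caveat the thread does not mention: the `--cmd-owner` match was removed from the Linux kernel in 2.6.14, so matching on the name of the launching process is no longer available; the surviving form is `-m owner --uid-owner`, which matches the uid that created the socket, so "per application" in practice means running that application under its own dedicated account. The script assumes such an account with uid 1001 (an assumption, not an Ubuntu default) and runs in a dry-run mode that only prints the iptables commands; set `IPT=iptables` and run it as root, from a local console rather than over SSH, to apply them.

```shell
#!/bin/sh
# Added example: default-deny OUTPUT chain with a per-uid exception.
# IPT defaults to a dry run that prints the rules instead of applying them.
IPT="${IPT:-echo iptables}"

# outbound_rules APP_UID [LOG_PREFIX]
# Order matters: replies and loopback first, then DNS, then the per-uid
# allow, then a rate-limited log line and the default DENY.
outbound_rules() {
    app_uid="$1"                      # uid allowed to reach the web (assumed: 1001)
    log_prefix="${2:-OUTBOUND-DENY}"

    $IPT -P OUTPUT DROP               # policy first, so a flush never leaves an open window
    $IPT -F OUTPUT
    # Replies to connections the box already accepted or started.
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # DNS for everyone; without it nothing else resolves.
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT
    # Per-application allow by uid. The owner match sees only locally
    # generated packets, which is all the OUTPUT chain ever carries, and
    # matches a user, not a binary or a checksum.
    $IPT -A OUTPUT -m owner --uid-owner "$app_uid" -p tcp -m multiport --dports 80,443 -j ACCEPT
    # Log what falls through so denials can be reviewed in the kernel log.
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "$log_prefix: "
    $IPT -A OUTPUT -j DROP
}

# count_rules APP_UID: number of -A OUTPUT rules the dry run emits, a cheap
# sanity check before applying; compare with `iptables -L OUTPUT -n` afterwards.
count_rules() {
    outbound_rules "$1" | grep -c '^iptables -A OUTPUT'
}

outbound_rules 1001
```

Everything not matched by an ACCEPT rule, including ICMP and any other port the uid-1001 browser might want, hits the LOG and DROP lines; widen the allow rules from the log rather than by relaxing the policy. This is also where doclivingston's point about plugins bites: every extension and plugin loaded into the browser inherits the browser's uid and therefore its allow rule.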

habrys
February 28th, 2006, 05:59 AM
"Program <mumble> is attempting to launch the program wget, do you wish to allow it?" "Program <mumble> is trying to open a listening port, do you wish to allow it?"


How many people do you think can answer those correctly? (excluding people who know a fair bit about network security).

Outbound connection filtering requires the user to know what should be allowed to access the network. In general, users don't know that. Similarly, if your system doesn't have any ports open by default, inbound filtering requires the same knowledge.

Inbound filtering is useful on Windows because it has ports open by default.

I don't agree. It doesn't require much knowledge, just some common sense.

Example:
You just upgraded Firefox to a new version. You start it and try to access some webpages. You get a warning:
"Updated program: firefox.exe tries to access internet; allow, deny, etc.."
It's obvious you should allow.
But, if you did nothing, no new installation or upgrade, it's also pretty obvious you should deny, right?

If there is a situation, when you really don't know what to do, you just deny once and observe if some functionality you need doesn't work. In this case you just allow persistently. If everything seems to work and something bothers you for internet access, you deny persistently. That's all - really simple.

Example:
Microsoft Word wants to access internet during installation. Deny. Try out if you can use Word normally. Deny persistently. Who knows, maybe Microsoft wants to run world statistics about documents written in Word. But I don't want to provide any data. So deny. As simple as that.

doclivingston
February 28th, 2006, 06:02 AM
5. You get asked for password. It's normal during installation, so no worries.

At this point, outbound filtering, anti-virus software et al, doesn't matter. The instant you have malicious code running unchecked (which it is, as root) it can do anything - including disabling or modifying your protection software.


The solutions are:

a) don't install things as root. This is hard because most binary packaging systems don't support user-installs, and some things need to be run at privileged levels to work (not necessarily root, but things your user doesn't have).

b) Have the packaging system not install stuff as root. SELinux can help here, by limiting dpkg/rpm to lesser privileged levels, however it would still need full root access at certain times (installing a new kernel, or other root-privileged things).

habrys
February 28th, 2006, 06:11 AM
You have several options here. You can either allow connections based on ports (so, outbound policy is deny), each time an app wants access, the firewall prompts you to open that port outbound (for all, not one app).

This is possible with Firestarter.

There is also an option to use the --cmd-owner option in iptables to allow connections based on the launching process. Firestarter does not provide this (maybe other GUIs do, but I don't know).

Thanks for the information. I'll try this out.


But I maintain that filtering based on application checksums (or names) provides no extra security. If a malicious application already has root rights (to overwrite binaries) it will not have any trouble disabling the firewall entirely.

It provides a false sense of security if you think this will make your system secure and that is more dangerous than any problem it solves.
I don't agree here. You can for example install some malicious application from 3rd party repository with sudo apt-get and then start it under your regular user. In this case the application cannot disable firewall, but can try to transmit some data, right?

And even if it runs with root privileges it is possible, it cannot disable the firewall, simply because the hacker didn't think about implementing it. Or it looks for iptables and you have some uncommon firewall solution.

What I'm trying to say, firewall with outbound protection is obviously not 100% waterproof, but it increases security in my opinion. Like any other security measure.

And yes, you shouldn't get false sense of security having outbound protection, you should still check the logs from time to time, that's all true. Manual browsing of logs is just another layer of security, also not 100% waterproof, as you can overlook something.

doclivingston
February 28th, 2006, 06:17 AM
You just upgraded Firefox to a new version. You start it and try to access some webpages. You get a warning:
"Updated programm: firefox.exe tries to access internet; allow, deny, etc.."
It's obvoius you should allow.
But, if you did nothing, no new installation or upgrade, it's also pretty obvious you should deny, right?

Okay, so you trust firefox. Do you trust every extension you have installed? the flash plugin? the movie-playing plugin? They are all running inside the application "firefox.exe", which you have authorised full access to the internet.

As mentioned above, you also need to limit which programs can launch firefox - otherwise malicious code will take advantage of the fact that Firefox is in the "trusted" list.


Microsoft Word want to access internet during installation. Deny. Try out if you can use Word normally. Deny persistently. Who knows, maybe Microsoft wants to run world statistics about documents written in Word. But I don't want to provide any data. So deny. As simple as that.

How do you know which application is really "Word"? Any application could call itself that, you could have several things calling themselves "Word".

If you want to go by paths, would you trust "/usr/bin/firefox" or "/usr/lib/firefox/firefox-bin"? the second one is the actual program.

habrys
February 28th, 2006, 06:20 AM
There is also an option to use the --cmd-owner options in iptables to allow connections based on the launching process.
This is only process name based, right? No checksums?

doclivingston
February 28th, 2006, 06:21 AM
I don't agree here. You can for example install some malicious application from 3rd party repository with sudo apt-get and then start it under your regular user. In this case the application cannot disable firewall, but can try to transmit some data, right?

The application running as your user can't. But the install-script could (which is run as root).


And yes, you shouldn't get false sense of security having outbound protection, you should still check the logs from time to time, that's all true. Manual browsing of logs is just another layer of security, also not 100% waterproof, as you can overlook something.

I agree here. However, how do you know that the malicious code has installed something that tampers with the logs?

habrys
February 28th, 2006, 06:30 AM
Okay, so you trust firefox. Do you trust every extension you have installed? the flash plugin? the movie-playing plugin? They are all running inside the application "firefox.exe", which you have authorised full access to the internet.
You're right, there is no control over plugins and extensions. That's a gap.

As mentioned above, you also need to limit which programs can launch firefox - otherwise malicious code will take advantage of the fact that Firefox is in the "trusted" list.
This is solved in ZoneAlarm Pro nicely. You get a warning when some application tries to start another one. So you for example get a warning, when you click on link in mail: "thunderbird tries to start firefox". And you can for example say, that you trust thunderbird to start firefox.


How do you know which application is really "Word"? Any application could call itself that, you could have several things calling themselves "Word".
It's pretty obvious. When I double click Word icon, see Word window and see a warning from ZoneAlarm "word.exe is trying to access internet", I can assume with high probability, that it's the real Word calling home. If I only see the warning and did nothing before (no Word running), then I suspect something could be wrong.


If you want to go by paths, would you trust "/usr/bin/firefox" or "/usr/lib/firefox/firefox-bin"? the second one is the actual program.
As above.

habrys
February 28th, 2006, 06:41 AM
The application running as your user can't. But the install-script could (which is run as root).
That's right. I overlooked that.
Another example then. I download some malicious software and installed it manually as root. With mkdir, cp etc. And then run it as a normal user. It tries to transmit data over internet, but can't disable the outbound protection, right? Caught!

I agree here. However, how do you know that the malicious code has installed something that tampers with the logs?
You don't know of course. That's another reason it's also not 100% waterproof.

But hackers are also only people, which can overlook something. For example to disable your outbound protection, even from a trojan horse running under root. Or to install something tampering with your logs.

Nearly nothing is 100% waterproof. It's just a question how hard and time consuming breaking of your machine's security is. If it's too hard, the bad guys just won't bother and move along to easier targets (Windows perhaps...). And this is exactly what should be achieved with multiple layers of security. And outbound protection is just one of them in my opinion.

nocturn
February 28th, 2006, 07:17 AM
This is only process name based, right? No checksums?

No checksums. They would be useless. If an app already entered your machine and gained root access (needed to overwrite the binaries), it can run iptables -F before launching or even recalculate and overwrite the valid checksum list (If you switch from DAC to MAC based access controls, this would not be so).

Checksum checking in Linux is useful at install time though and enables you to verify the integrity of already installed packages.
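As an added example of the integrity check nocturn means here, and of the earlier advice to verify MD5 sums of packages downloaded from a project's site (example code, not from the thread or from any Ubuntu tool): a POSIX shell function that compares files against a manifest in md5sum's output format, which is the format of both dpkg's /var/lib/dpkg/info/<package>.md5sums lists (paths relative to /) and the MD5SUMS files many projects publish beside their downloads. The package tree, file contents and the tampering below are constructed for the demonstration; mktemp, md5sum and cut from coreutils are assumed to be present.

```shell
#!/bin/sh
# Added example: verify files against an md5sum-format manifest
# ("<md5>  <path>" per line). Prints one line per changed or missing file
# and returns 0 only when every entry matches.
# verify_manifest MANIFEST [ROOT]   (ROOT defaults to /, as for dpkg lists)
verify_manifest() {
    manifest="$1"
    root="${2:-/}"
    failures=0
    while read -r expected path; do
        [ -z "$path" ] && continue
        file="${root%/}/${path#/}"
        if [ ! -f "$file" ]; then
            echo "MISSING $path"
            failures=$((failures + 1))
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED $path"
            failures=$((failures + 1))
        fi
    done < "$manifest"
    [ "$failures" -eq 0 ]
}

# Constructed demonstration: a fake package tree, a manifest generated from
# it while it is still clean, then one binary is overwritten (as a trojan
# that modifies firefox would do) and another removed.
demo_tampered_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin"
    printf 'real firefox\n' > "$tmp/usr/bin/firefox"
    printf 'real wget\n'    > "$tmp/usr/bin/wget"
    ( cd "$tmp" && md5sum usr/bin/firefox usr/bin/wget ) > "$tmp/manifest"
    printf 'trojaned firefox\n' > "$tmp/usr/bin/firefox"
    rm "$tmp/usr/bin/wget"
    verify_manifest "$tmp/manifest" "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_tampered_tree || echo "verification FAILED (expected for this demonstration)"
# Against a real package list:  verify_manifest /var/lib/dpkg/info/wget.md5sums /
```

On Ubuntu the same comparison over every installed package is what the debsums package does. nocturn's caveat applies in full: the manifest sits on the same disk as the binaries, so an attacker who already has root can rewrite both, and the check is only as good as the provenance of the list. A manifest taken from the signed package in the repository, or a downloaded MD5SUMS file whose detached PGP signature you verified with gpg --verify, is what gives the comparison its value; an md5 listed on the same web page as the download only proves the download was not corrupted in transit.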

nocturn
February 28th, 2006, 07:22 AM
It's pretty obvoius. When I double click Word icon, see Word window and see a warning from ZoneAlarm "word.exe is trying to access internet", I can assume with high probability, that it's the real Word calling home. If I only see the warning and did nothing before (no Word running), then I suspect something could be wrong.


So ZoneAlarm pops up that warning. Maybe a virus already modified the icon link to c:\hacked\word.exe, which first launches the payload and then starts word in the background (which isn't accessing the net).

The only way that checksums would be usable in this manner is if they were provided by ZoneAlarm itself (not calculated locally).

nocturn
February 28th, 2006, 07:32 AM
That's right. I overlooked that.
Another example then. I download some malicious software and installed it manually as a root. With mkdir, cp etc. And then run it as a normal user. It tries to transmit data over internet, but can't disable the outbound protection, right? Caught!


So, outbound protection might be able to protect against this remote scenario (I say might, because chances are that if you didn't download a package, you have to compile it yourself, and the malicious code could be in the make install routine, which is run as root).

Security is always a tradeoff. You buy additional security at a cost, be it money, time or convenience. Using protections such as making /tmp noexec,nosuid and sticky costs very little yet the gains are big. The same goes for PaX (once it is tested and integrated). SELinux offers big gains, but at a rather high cost.

Outbound protection is both complex and fragile, the costs are high but the gains are very low (especially on Linux), which makes it a bad tradeoff to make.
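The cheap measure nocturn mentions, /tmp mounted nodev,nosuid,noexec, as an added example that is not from the thread: a POSIX shell check that reads the /proc/mounts line format and reports which of the three options a mount point is missing, run here against a constructed mounts table. The fstab line in the comments assumes /tmp is a tmpfs, which is an assumption about the layout, not a description of the Ubuntu default of the time.

```shell
#!/bin/sh
# Added example: report which of nodev,nosuid,noexec are missing on a mount
# point. /proc/mounts lines have the form:
#   <device> <mountpoint> <fstype> <options> <dump> <pass>
#
# To make /tmp nodev,nosuid,noexec permanently, add to /etc/fstab
# (assumes a tmpfs-backed /tmp):
#   tmpfs  /tmp  tmpfs  defaults,nodev,nosuid,noexec  0  0
# or apply it to the running system, as root:
#   mount -o remount,nodev,nosuid,noexec /tmp

# check_mount_opts MOUNTPOINT [MOUNTS_FILE]
# Prints one status line; returns 1 if the mount point is absent or any of
# the three options is missing. The last matching line wins, which is also
# how the kernel resolves stacked mounts on the same path.
check_mount_opts() {
    mp="$1"
    mounts="${2:-/proc/mounts}"
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$mounts")
    if [ -z "$opts" ]; then
        echo "$mp: not a separate mount point"
        return 1
    fi
    missing=""
    for want in nodev nosuid noexec; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing"
        return 1
    fi
    echo "$mp: ok ($opts)"
}

# Constructed /proc/mounts snapshot: /tmp lacks noexec, /dev/shm has all
# three, /home lives on the root filesystem and is not a mount of its own.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'

# demo_check MOUNTPOINT: run the check against the constructed snapshot.
demo_check() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_MOUNTS" > "$f"
    check_mount_opts "$1" "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

for mp in /tmp /dev/shm /home; do
    demo_check "$mp" || :
done
# Against the live system:  check_mount_opts /tmp
```

What noexec buys is narrower than the name suggests: it stops a file under /tmp from being executed directly, but `sh /tmp/dropped.sh` or `python /tmp/dropped.py` still runs, because what gets executed is the interpreter, not the file. It is a speed bump for dropped binaries, not a boundary, and the cost nocturn refers to is real in one place: third-party installers that unpack and execute from /tmp will fail until /tmp is remounted exec for the duration.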

habrys
February 28th, 2006, 08:33 AM
Outbound protection is both complex and fragile, the costs are high but the gains are very low (especially on Linux), which makes it a bad tradeoff to make.
All right, you convinced me. I am far too ignorant when it comes to Linux to judge myself if the costs are worth the gain, so I'll just have to believe your judgement in this matter.

If someone has another views on the usability of outbound protection in Linux, please post here. I will keep an eye on this thread :)

nocturn
February 28th, 2006, 09:53 AM
All right, you convinced me. I am far too ignorant when it comes to Linux to judge myself if the costs are worth the gain, so I'll just have to believe your judgement in this matter

Please don't believe me on this. The more you know, the safer you will be.

It's just that Linux is quite different from Windows, what is a good idea there may not work here.

For example the signed repositories are something that Windows will not have (except for MS' own products).

habrys
February 28th, 2006, 11:32 AM
Please don't believe me on this. The more you know, the safer you will be.

Of course, but learning needs time and in the meantime I need some opinions. Thank you for yours.

LKRaider
March 8th, 2006, 05:44 PM
Another example then. I download some malicious software and installed it manually as a root. With mkdir, cp etc. And then run it as a normal user. It tries to transmit data over internet, but can't disable the outbound protection, right? Caught!

You are jumping a crucial step, which is the selection of software you will be installing.

You have to take into account that linux programs (often) are open-source, and that means they are usually the work of more than one person, viewable by anyone and utilized by a community of users.

I don't say that there couldn't be an open-source project that was attacked and altered maliciously without anyone taking notice, but the chances of such going unnoticed is so small and may last for such a small time (of people noticing and fixing it), that the tradeoff of actively running a reactive security scheme for that event is just inexcusable.

The process of how software is developed for the linux platform is what sets it apart from the windows-way.

Your judgement and research also comes into place here when selecting your software sources (just ask yourself: has it been implemented elsewhere? what kind of security holes it offers, if any? Is it being actively developed? Does it offer support or has a community? etcetera...)

psusi
March 9th, 2006, 12:44 PM
I can only agree with that: better prevent an infection, than cure it. But I really cannot see how Ubuntu "makes sure that you can't get infected in the first place". Explain, please and remember I'm a Linux newbie.

With a default windows install, there are several services that are listening for remote connections. Several of these services have known bugs that can be exploited to take over your computer. This is why installing a fresh copy of windows on a PC connected to the Internet without a hardware firewall will result in it being compromised within moments.

With a default ubuntu install, there are no listening services, and if you choose to install some, they are rapidly kept up to date to fix any bugs found that could possibly be used to exploit your system.


I cannot agree, that outbound protection "does nothing for you". Treat it just as another layer of protection. If the first layer fails (for example antivirus lacking a signature of a fast spreading virus), there is always the second layer: outbound protection. Of course it can be bypassed too given time, effort and enough coffee, but... it can very well help as well. It's just question of odds. Without outbound protection chances it catches a keylogger transmitting something are 0%, right? With it sitting in place they are significantly bigger I'd say.

The problem is that neither of these are protection at all; they are detection. Trying to detect an infection after the fact is a futile arms race.

And now an example. I got something called "Blazing Tools Perfect Keylogger" under Windows XP a few months ago. It was hidden in a trojan horse, installed itself silently in the system and tried to transmit my keystrokes somewhere. The antivirus program didn't detect it. But ZoneAlarm gave me a warning "bpk.exe tries to access the internet: allow, deny etc." The first layer of defense (antivirus) didn't work (probably lacking the signature), but the second layer actually did its work excellently.

The real problem is that you were infected in the first place. How did this happen? Because you use outlook and got an email message with a self executing virus attachment? Email clients in Ubuntu aren't stupid enough to automatically execute code that could possibly do malicious things.

Which is better? Never to execute code that COULD harm you, or to run a program that looks at the code and decides if it thinks that it IS harmful?

And now an example from the Linux world. I tried to find out if there are keyloggers available for Linux too. That's true, they are much more difficult to find, than in Windows world. But I found one: lkl. It can be installed to start silently, listen to keyboard port (0x60 if I remember correctly), log the keystrokes to a file and even send mails with reports to a given address. I did it all and Ubuntu did nothing to give me a warning. lkl even logged nicely my linux user and password, which I type in when logging into Ubuntu. Not to mention passwords and other things I typed in web forms (bank accounts!). Little explanation: I started lkl with a script in /etc/init.d, so it was already running before Ubuntu login screen shows up :)


Obviously you can make your PC do whatever you want, since you own it. The question is, can someone else do that without your permission?

Now I'm really a Linux newbie, who just knows how to google to find useful information. I don't want to think what a person with much more knowledge could do.

lkl is still pretty primitive (version 0.1) as it starts in userspace and not as a kernel module. And of course it cannot install itself without root privileges. But still... I can imagine a trojan horse with lkl attached, which can install itself in one of those rare moments, when you work as a root. All right, all right you have to sudo and there is no root account in Ubuntu. But I know people, who do "sudo konqueror" to do their root tasks. And you can always activate the root account, even in Ubuntu.

Never forget the old axiom "There is no limit to the depth of human stupidity". If you download a program from Joe Cool Hacker and run it as root, you get what you asked for. Stick to running only verified software from the Ubuntu repositories ( let alone as root ) and you will be fine.

Whatever kind of detection you have in place, once you run a program as root, it can do anything it wants, including disable your detection software. That makes detection somewhat of a moot point.


But seriously, don't you think, it's safer, when all your ports are stealthed, as opposed to just closed? If all the ports are stealthed, then you are practically invisible from outside. I think invisible is better, than closed. After port scanning no other tries to compromise your system are made - the hacker or rather script kiddie thinks your machine doesn't exist and moves on, right?

No, because that is security through obscurity, which isn't security at all. It is like generating a very long and complex password that you can't remember, so you write it down on a note stuck under your desk, then claiming you are safe because you have a very complex password. Well, no, you aren't because all someone has to do is look under your desk.


One more thought: my router (Netgear WGR614) running a hardware firewall also prefers to stealth ports per default instead of just closing them. It cannot be a coincidence, right? :)

Yes, it is a widely held belief that it is a good thing, but that doesn't make it correct. If someone is probing to see what ports you have open, they won't care if you don't refuse the connections, they will just try them all and see if any work.

Originally stealthing ports slowed down probes because they only tried to connect to one port at a time, and waited several seconds before timing out. It didn't take long (hours? days?) before people figured out you can just send all the connection requests without waiting for any of them to be rejected.


psusi, i will try to point out how good outbound protection works, and then i think you will see that it is not as easy as you say to bypass it.

It does not matter what it does because once my virus has infected your computer, it can simply shut zone alarm off.

first, it checks to see what process is starting a connection to the outside, and runs a checksum verification on the executable to make sure it has not changed. if it has - it warns you. so if some trojan has modified firefox or any other executable that "normally" would be allowed to access without challenge, that will be detected, and prevented.

I don't need to modify the executable image on disk, I can have another process force the firefox.exe process to perform the IO on my behalf using the debug apis.

second, all programs are also by default prevented from spawning other processes - so your keylogger/trojan cannot just spawn firefox or wget and access the net that way.

I do not believe this to be the case. ZoneAlarm does not hook the kernel NtCreateProcess call AFAIK. It may hook some of the higher level apis that nice applications use, but a virus can bypass those, and again, once the virus is running with root privileges, it can break whatever hooks ZoneAlarm has in place.

CameronCalver
March 10th, 2006, 12:48 AM
where do i get "firestarter" from

Sef
March 10th, 2006, 01:20 AM
where do i get "firestarter" from

Applications ----->Add Applications ----> System Tools ------> Click on more programs -----> click on Firestarter -----> Apply ------>Apply again -----> just follow any other instructions.

fuzzygenius
March 13th, 2006, 12:22 AM
Applications ----->Add Applications ----> System Tools ------> Click on more programs -----> click on Firestarter -----> Apply ------>Apply again -----> just follow any other instructions.

Or, in a terminal:

sudo apt-get install firestarter

handy
March 13th, 2006, 07:17 AM
My wife & I run ZoneAlarm Suite, on our xp boxes, I have installed it on the machines of a couple of business LANs that I maintain, so I am fairly familiar with it from the user level, & I have had the opportunity to watch a variety of users come to grips with it...

ZAS is a problem for the average user, they don't understand anything about the OS, they are usually scared of it. They are scared to make a choice when a ZAS request is popped up. The first week of use (when the rules are being established by ZA) is quite traumatic for some users. Putting extra strain on anyone in the office who does have an understanding! Or the admin'!

ZAS slows all machines down quite noticeably. I would never run such software on Ubuntu. Being free of such software is one of the many joys of using Linux, in my opinion.

I use web based email, with a reasonable anti-virus & spam protection supplied by that ISP.

Any email that I don't recognise, I delete.

I back up my important files regularly.

My preference is that I would rather reinstall my system in the event of infection, than cripple it with paranoia!

[EDIT:] & yes I use Ubuntu for internet banking most days, & any other financial transactions on the web, NO worries! :-D

This link is a good one re: windoze / linux & security:

http://www.theregister.co.uk/2003/10/06/linux_vs_windows_viruses/

vayu
March 14th, 2006, 01:53 AM
But I maintain that filtering based on application checksums (or names) provides no extra security. If a malicious application already has root rights (to overwrite binaries) it will not have any trouble disabling the firewall entirely.


It will have the possibility, but just like the variety of legit applications we run they all have different amounts of features behind their design and implementation. Many of the arguments here have been of the variety "if the program got in it could just do this or that". Yes it could disable the firewall, yes it could find the hash table of checksums maintained by an outbound security scheme, but that does not mean it's easy or it will.

Just getting a keylogger in there and working would be a pretty good task for an aspiring identity thief.

I'm positive that many scripts (and programs) are installed as root by Ubuntu users alone that the user doesn't read or know what's in it.

I think habrys brings up valid points. My needs don't dictate the same needs as his, and I don't like to slow my system down with things I don't need, but that doesn't mean that's what's right for everybody.

handy
March 14th, 2006, 03:11 AM
It will have the possibility, but just like the variety of legit applications we run they all have different amounts of features behind their design and implementation. Many of the arguments here have been of the variety "if the program got in it could just do this or that". Yes it could disable the firewall, yes it could find the hash table of checksums maintained by an outbound security scheme, but that does not mean it's easy or it will.

Just getting a keylogger in there and working would be a pretty good task for an aspiring identity thief.

I'm positive that many scripts (and programs) are installed as root by Ubuntu users alone that the user doesn't read or know what's in it.

I think habrys brings up valid points. My needs don't dictate the same needs as his, and I don't like to slow my system down with things I don't need, but that doesn't mean that's what's right for everybody.

This a valid point that Vayu makes: The bottom line is that you have to do what you think you have to...

Research well before making your decision, which is of course what this thread is about. Then do what you are comfortable with.

What suits one user, another will be agitated about, another anxious, I guess there is a difference between those two emotions? I don't know, I don't suffer from those emotions, I have different emotions, no more or less important, just different!! :KS

nocturn
March 14th, 2006, 03:47 AM
Yes it could disable the firewall, yes it could find the hash table of checksums maintained by an outbound security scheme, but that does not mean it's easy or it will.


It's very easy to disable the firewall, just run 'iptables -F' as root to clear it.


I'm positive that many scripts (and programs) are installed as root by Ubuntu users alone that the user doesn't read or know what's in it.



That's part of my point. If users insist on going outside of the trusted repositories without being able to check the safety of the code they download, there is very little we can do to protect them.
If they blindly install code from untrusted sites, chances are they are going to tell the firewall to let it through (if the code didn't bypass it already, which would be trivial).

That is why I think we should concentrate on getting stuff like PaX, SELinux or AppArmor installed and enabled by default. It can help protect users regardless of the threat, regardless of their level of skills and even in the case that they run untrusted code as root.


I think habrys brings up valid points. My needs don't dictate the same needs as his, and I don't like to slow my system down with things I don't need, but that doesn't mean that's what's right for everybody.

I'm certainly not saying the no-firewall setup is good for everybody. I install firestarter on each of my systems myself for several reasons. Even enabling the outbound blocking is a good idea in some situations (although I don't do that).

It's just that checksums add very little to the current filtering mechanism while being a lot more complex and slower.
And setting outbound blocking (in any form) by default will break the installation for most novice users.

justask
March 14th, 2006, 12:56 PM
The trouble with ZoneAlarm and other Windows closed source firewalls is that you first have to trust them.

Dml
March 14th, 2006, 01:18 PM
re: if you run as root you get what you deserve.

The .deb files contain or can contain scripts that can do anything. I suppose they are executed as root. If you install something from a .deb you can easily get infected. And people very often download .deb's of open source software compiled by somebody, and also love to build .deb's for anyone else. There's a very real possibility of a virus spreading around. Granted, there's not many linux computers, and not many virus writers, but it is certainly possible, and it can spread :( edit: i don't think i'm disclosing anything secret to potential virus writers as they probably know it already anyway.
edit: my point is, it is just as secure in this regard as windows, just less popular.
edit: trusted repositories: hmm, what if i don't want to trust the repositories too much? With all respect, there's a lot of software; i don't believe all sources are read by maintainers to ensure that they are virus free.

handy
March 14th, 2006, 05:14 PM
I think that the speed with which the linux community would respond to such a breach of security cannot possibly be compared to windoze!

& due to the open source nature of the software the response would be incredibly effective! :cool:

kencoe
April 4th, 2006, 12:30 AM
Anti-virus software is a maybe. If you are storing docs (particularly downloading and uploading .doc, .pdf, ...) you should be running one. No matter how secure an OS is, you can still distribute it to a lot of other people. Even if it doesn't affect you, it doesn't look too good for the Linux community if we are the ones spreading those things around.

As far as a firewall, every extra step toward security is a plus. There is always a bug in any system. I direct you to the Ubuntu security updates section for a reminder. If a hacker can get a cobalt system or a GA-Bull, you can be certain that they can find a weakness in your box, too. Every system has a fault, every step toward security is an improvement.

Two other suggestions, though. Stop running any broadcast or listening services you do not need (i.e. ftp or http servers, port scanners, remote connection hosts OR clients). Also, invest in a NAT router, preferably with a hardware firewall. If you want an easy, basic check of how secure your system is then go to Steve Gibson's site (http://www.grc.com) and try out his Shields Up! page. It's free, and it is a good start. Besides, then you can read his take on true computer security, or the illusion of it...

derjames
April 5th, 2006, 06:25 PM
Steve Gibson's site (http://www.grc.com), as Kencoe points out, has several check tools (also free software for windows users). I did use Shields Up! in both Ubuntu 5.10 and Windows XP with Norton Internet Security 2005. While Ubuntu passed every single test, Windows XP with Norton failed (Norton firewall set at the recommended level of security, i.e. default). I don't know if this is a true benchmark, however I can tell you I did pay 35 pounds sterling for this piece of software (Norton) that cannot even block a ping request at the RECOMMENDED level of security... well, this was just a single test based on my own computer, this may not apply to your particular case, but you can perform the same test just to see what happens...

peter07
April 8th, 2006, 10:25 AM
What do you think about that:

"Virus writers have crafted another example of malicious software that can infect computers running Windows or Linux."

http://news.zdnet.com/2100-1009_22-6059140.html

:confused:

airtonix
April 21st, 2006, 06:53 AM
windows is the virus, and when we stop being lazy and realise this things will get interesting. right now wolves visit the field of sheep like a shopping mall. easy pickings...... mmm bit ... like ...the matrix.

cssutto
April 21st, 2006, 06:44 PM
I know you guys are tired of this thread, but I have to tell this because it is really a big joke on me.

I just installed Ubuntu three days or so ago.

And of course having used MS in one form or another from its very beginning, I am paranoid. On W2K, i run a firewall, NOD32, and about seven or so anti-spywares, because as we know none of them get everything.

So the first thing I did is load firestarter and clamav. I can't get clamav to run, so that is how I ended up here.

Firestarter astounded me. It loaded with no effort at all and of course I immediately went to Steve Gibson's Shield's Up to test it.

I was absolutely amazed. The very first firewall, and I have had five over the years, that on the very first try closed all of the ports. Complete stealth on the first try.

Amazing. In the past, I would muck around for days to get the right combination of closed ports and a system that would work.

So looking for a solution to my clamav problem, I read all of the posts here and was surprised to learn so much in so few minutes.

So I turned firestarter off and went back to Shield's up and guess what? All of my ports are closed and gave the all green stealth results that Gibson is so proud of.

So I learned a big lesson today.

Thanks, guys.

Now if I could just get that darn network thing to save my dialup numbers, ISP addresses etc, so I do not have to fill that in every time I dial up, I will have resolved all of my dial up problems.

By the way, the reason I am moving to linux is that I got so tired of MS's constant panics over security. All of that stuff is a pain.

You are right. MS is the virus we all need to run from.

I have stuff over 20 years old on my W2K machine. I am playing with Ubuntu on an older machine. In a few days, I am going to set my main machine up with dual boot unless I learn of a way to read that old stuff without it.

I have PeachTree accounting for two companies on the W2K and old Lotus 1-2-3 spread sheets and Lotus Word Pro docs that are old old old, but I can't get along without them, at least until I find a replacement.

Anyone who has been that route and can give me some advice, will be appreciated.

But thanks for the big lesson on firewalls.

CSSJR

und3rtug4
May 13th, 2006, 09:40 AM
In my opinion, I would not use any of them......

.... it depends on the scenario!

ClamAV if it is on a mailserver or some system which trades files with users with different OSes; this will reduce the infection of Win systems!

I don't use firestarter because my machines are in a secure LAN, which is protected with a firewall and NAT!

But my laptop that is always with me, anywhere I go (yes, to the bathroom too :mrgreen: ), is protected by firestarter, but no AV soft!

Conclusion: You must analyse the function and surrounding environment of the machine that you are configuring, so that you can meet the security needs without loss of useful resources and accessibility!

Props to all!

;)

kencoe
May 14th, 2006, 01:39 PM
I don't use firestarter because my machines are in a secure LAN, which is protected with a firewall and NAT!

But my laptop that is always with me, anywhere I go (yes, to the bathroom too :mrgreen: ), is protected by firestarter, but no AV soft!

We must also remember that most security policies now recommend installing software firewalls on individual machines within a secure network to help prevent the possibility of internal attack. It would depend on how much your network users are really trustable, and how high the tendency is to install questionable apps that aren't. There are many newer Admins checking these forums as well...

For all the new admins reading... Use Whitelist mode!!!

Raavea
June 14th, 2006, 10:56 PM
In my opinion, we should always be kitted up ready.

I mean, yeah, in a few minutes you can install these things, but what if some nasty thing has blocked out those abilities?

So, in my own PC, I have firestarter, chkrootkit, rkhunter, and am thinking of installing avast! for linux. I was always very impressed with avast! as I installed it on a few friends' XP boxes, and it found, on one system, over forty trojans, viruses and worms, that norton had said weren't there. I installed avast! for linux a while back, on Breezy, but it was impossible to read because somehow the letter-spacing had been completely bummed...

I'm going to go find this shield up thingy, it sounds interesting...

eX0r
June 16th, 2006, 07:02 AM
A default, updated install with no firewall is immune to every existing network attack e.g. ICMP based ?

kencoe
June 21st, 2006, 09:53 AM
... but there are no known virs in the wild for linux, so your clamav would just be sitting there doing nothing and eating your resources.

There are at least three known viruses for Linux. Fortunately, none of them do anything unless run as root and ignored, and then do little damage. Still much better than Windows or Mac.

flamarro
July 28th, 2006, 10:19 AM
Having read all these amazing pages, and as a newbie (not a newbie for starting to use ubuntu, but really for jumping always between XP and linux. I use XP, but there's always a little voice saying, "go to ubuntu, it's much better now", it's like an itching :smile: and there I am again with another try), I'd like to ask something.
As mentioned by others, I too used automatix to install a lot of stuff (yes, that was a lazy thing to do).
Sometimes I use Amule and Azureus (yes, sometimes I lose some episode of one particular show I like :) ). Therefore, I use an ipfilter (Moblock) and, as it seems, there is trouble running it with firestarter, because the two of them can't work together. So, when I go and use these programs, I turn moblock on, therefore shutting off firestarter.
So now I have a freshly installed ubuntu, tweaked with automatix, running a firestarter firewall that doesn't block anything, only shows what's passing by on my PC, and a moblock ipfilter that is really working. All of this on an ADSL connection on a Dlink router with NAT. Is this, for instance, a well protected machine, running only moblock without a firewall?
Another question: on a fresh install, only using official repositories, is there any trouble only by using firefox, no matter the page I go to, and other programs, even if they are not the most updated ones?


Sorry to ask these questions, but consider it like a summary of all that has been said. I think, like me, there are a lot of guys in my condition who don't know if they are really protected.

PS: Again, sorry for my English

ciscosurfer
August 11th, 2006, 04:46 PM
my take on that would be a "no". although if you had to choose just one of the two, i would go with firestarter. :) a firewall is always a good thing... but there are no known virs in the wild for linux, so your clamav would just be sitting there doing nothing and eating your resources.
If you're running SMB, NFS, etc. (sharing with Windows) on production machines, then a good AV solution to "nip it in the bud" is a good solution. A good hardware firewall (or firewall/router) is the best, and should be the first, line of defense. Firestarter and clamav I suppose are okay to use on top of these defenses, but in this author's opinion, completely unnecessary (and use up cycles as well).

And I'm going to have to disagree slightly with you nanotube: while the spread is not very significant, there are indeed Linux viruses, worms, and trojans out in the wild. Here is a short list (http://www.viruslibrary.com/virusinfo/Linux.htm) (and these are only the ones with "linux" in their name... keep in mind also that there are a number of known vulnerabilities in server-type programs such as Apache, etc.) Another point: the link above is not exhaustive by any means... simply do a search on the web for linux and virus and you'll be surprised!

byte69
August 15th, 2006, 01:33 AM
I use both firestarter and clamav. I think it's better to use the tools given than to hope a zero day does not come up and byte Linux. *nix is better secured as an OS in general. But things running on top of that OS can cause you problems. Like the OpenOffice scripting vulnerabilities that were just pointed out.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002430
In theory it would not affect the underlying system but may affect your data etc. So why take the chance? It's available and useful. The argument that it wastes clock ticks? Come on, ~80% of your cpu time is idle anyway.

Using layered defenses is good. I wish Ubuntu had SELinux built in also just for the extra security. In its place I have installed> http://www.ossec.net/ OSSEC HIDS - Open Source HIDS. "OSSEC HIDS is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response."

BYte69

missmoondog
August 15th, 2006, 12:59 PM
i use firestarter is all. mainly because of that error you always get saying clam is out of date and then won't update itself!

i think i use pretty good, basic, common sense about what i open and such.

ChadMMc
August 15th, 2006, 03:21 PM
I use Firestarter and not the ClamAV (I had the same problem as missmoondog)

I have checked my ports and ping return status with the Shields UP! web site and I am in stealth mode on all my ports and in the ping handling.

I would use the ClamAV eventually if it would work correctly. ](*,)

ice60
August 16th, 2006, 11:56 PM
hi, generally if you run something from an untrusted source there's a chance it could be malware and erase the most important and least protected directory, and also the one directory which can't be replaced in 15 minutes - your home directory.

there was the time the Mozilla repos had malware, so even trusted sources can have malware.

a lot of anti-virus scanners depend heavily on something called heuristics, which means they don't have to have sigs for the latest malware. heuristics will pick up the code. you can read about F-Prot's virtual Employee below
http://www.wilderssecurity.com/showthread.php?t=136830

i'm not really sure but nmap can probably see 'stealthed' computers maybe with the new bad checksum option.

Pumm4
August 18th, 2006, 05:21 PM
Especially since I connect through a router, do I really need firestarter and clamav ?
No, unless you are running a server.

I can only agree with that: better prevent an infection, than cure it. But I really cannot see how Ubuntu "makes sure that you can't get infected in the first place". Explain, please and remember I'm a Linux newbie.
iptables is Linux's firewall which has been a part of the kernel since version 2.4.

It is often referred to as a packet filter as it examines each packet transferred in every network connection to, from, and within your computer.

iptables replaced ipchains in the 2.4 kernel and added many new features including connection tracking, also called stateful packet filtering.

Rules, Targets, Chains, Tables, States, and all that stuff

iptables makes decisions on what to do with a packet based on rules that the system administrator creates.

Data is passed through the Internet in the form of packets of information; connecting from your computer to a website will cause many packets to be exchanged in both directions.

To understand the user concept of Linux... A user without root privileges cannot damage the entire system. Any damage caused is strictly limited to the user's own account and data. Any operation caused with root privileges may potentially harm the entire system. Anyone intending to harm a running Linux system must gain root privileges first. This is why it is much harder to create viruses for Linux systems. They must overcome the root barrier first.


And now an example. I got something called "Blazing Tools Perfect Keylogger" under Windows XP a few months ago. It was hidden in a trojan horse, installed itself silently in the system and tried to transmit my keystrokes somewhere. The antivirus program didn't detect it. But ZoneAlarm gave me a warning "bpk.exe tries to access the internet: allow, deny etc." The first layer of defense (antivirus) didn't work (probably lacking the signature), but the second layer actually did its work excellently.
If converting to a Linux system from a MS Win system, you probably experienced a fair share of trouble caused by multiple kinds of viruses and worms spreading over the Internet via e-mail. Now that you have made the switch to Linux, you can at least put that fear aside, because these cannot harm a Linux system as easily as a Windows system.


lkl is still pretty primitive (version 0.1) as it starts in userspace and not as a kernel module. And of course it cannot install itself without root privileges. But still... I can imagine a trojan horse with lkl attached, which can install itself in one of those rare moments, when you work as a root. All right, all right you have to sudo and there is no root account in Ubuntu. But I know people, who do "sudo konqueror" to do their root tasks. And you can always activate the root account, even in Ubuntu.

What I'm trying to say is, I think lack of outbound protection is still a security gap in my opinion. Not as huge as in case of Windows, but it should be closed some day, especially if Linux gains much more popularity... Switching from your normal user account to root for administrative tasks and switching back for your normal work sounds tedious and perhaps unnecessary because root has ultimate power over the system. Still, switching back to the normal user account after accomplishing the administrative jobs adds to security, because any mistake made as root can have severe consequences.
The whole system might be affected, not just the normal user account. Thus, preserve your system's integrity by clearly distinguishing between the different roles ("normal user" and "superuser").

Keep your system up to date by always applying the software updates; this adds security to your system. These updates fix possible exploits contained in the application code.


After port scanning no other tries to compromise your system are made - the hacker or rather script kiddie thinks your machine doesn't exist and moves on, right?
Wrong. (BlackHat) Hackers do not use click-me programs like trojans or exploits to help them gain access. They do not attack home users unless there is a good reason for it. Not long ago there was an article on zdnet dot com "Mac OS X hacked under 30 minutes" well Windows can be done under a minute.

But hackers are also only people, who can overlook something. For example, to disable your outbound protection, even from a trojan horse running under root. Or to install something tampering with your logs.
Hackers = skills above advanced user. They don't make mistakes, but Script Kiddies do.

Please don't believe me on this. The more you know, the safer you will be.
It's just that Linux is quite different from Windows...
That's because Windows is not Linux. ;)


And I'm going to have to disagree slightly with you nanotube: while the spread is not very significant, there are indeed Linux viruses, worms, and trojans out in the wild. Here is a short list (and these are only the ones with "linux" in their name... keep in mind also that there are a number of known vulnerabilities in server-type programs such as Apache, etc.) Another point: the link above is not exhaustive by any means... simply do a search on the web for linux and virus and you'll be surprised!
There are more nasty codes outside that are not listed in that link.

I use both firestarter and clamav. I think it's better to use the tools given than to hope a zero day does not come up and byte Linux. *nix is better secured as an OS in general. But things running on top of that OS can cause you problems. Like the OpenOffice scripting vulnerabilities that were just pointed out.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002430
In theory it would not affect the underlying system but may affect your data etc. So why take the chance? It's available and useful. The argument that it wastes clock ticks? Come on, ~80% of your cpu time is idle anyway.

Don't believe everything you read. As you can see that site is closed source related. Article is trying to say "Hey buy MS Office and stay bug-free".

Have Phun
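The stateful default-deny filtering described above, and the earlier argument over "stealthed" (dropped) versus "closed" (rejected) ports, as an added example that is not code from the thread or from Firestarter: a POSIX shell function that prints a Firestarter-style iptables ruleset instead of applying it, so it can be reviewed before being run as root. The interface name and the list of open TCP ports are assumed inputs.

```shell
#!/bin/sh
# Added example (not from the thread). Prints a stateful default-deny iptables
# ruleset rather than applying it; applying the output needs root privileges.
#
# build_ruleset MODE IFACE [TCP_PORT...]
#   MODE   drop    unsolicited inbound packets are discarded silently ("stealthed")
#          reject  unsolicited TCP gets an RST, UDP an ICMP unreachable ("closed")
#   IFACE          the Internet-facing interface (assumed name, e.g. eth0)
#   TCP_PORT...    TCP services allowed to accept NEW connections from outside
build_ruleset() {
    [ $# -ge 2 ] || { echo "usage: build_ruleset drop|reject IFACE [PORT...]" >&2; return 1; }
    mode=$1
    iface=$2
    shift 2
    case "$mode" in
        drop|reject) ;;
        *) echo "build_ruleset: mode must be drop or reject" >&2; return 1 ;;
    esac

    # Start from a clean slate. Note that 'iptables -F' on its own is also all
    # it takes to remove every rule, which is why root-level malware can always
    # switch the firewall off.
    echo "iptables -F"
    echo "iptables -X"

    # Default policies: nothing comes in or is forwarded unless a rule allows it.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"

    # Loopback traffic never leaves the host and must always be allowed.
    echo "iptables -A INPUT -i lo -j ACCEPT"

    # Connection tracking (stateful filtering): replies to connections this host
    # opened are let back in, malformed or untracked packets are dropped.
    # '-m state --state' is the older spelling of the same match.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"

    # Explicitly permitted inbound services. Only NEW connections need a rule;
    # the rest of each connection is covered by the ESTABLISHED rule above.
    for port in "$@"; do
        echo "iptables -A INPUT -i $iface -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done

    # Everything else that is unsolicited: stay silent (drop) or answer that the
    # port is closed (reject). A scanner that does not wait for timeouts learns
    # the same set of open ports either way.
    if [ "$mode" = reject ]; then
        echo "iptables -A INPUT -i $iface -p tcp -j REJECT --reject-with tcp-reset"
        echo "iptables -A INPUT -i $iface -p udp -j REJECT --reject-with icmp-port-unreachable"
    fi
    echo "iptables -A INPUT -i $iface -j DROP"
}

# count_open_ports RULESET_TEXT: how many inbound service openings a generated
# ruleset contains, for checking that it opens exactly what was asked for.
count_open_ports() {
    printf '%s\n' "$1" | grep -c -- '--ctstate NEW -j ACCEPT' || true
}

# Demonstration: a workstation with no services, then a box serving SSH and HTTP.
build_ruleset drop eth0
echo
build_ruleset reject eth0 22 80
```

Review the printed commands and, if they are what you intended, apply them with `build_ruleset drop eth0 | sudo sh` on a host where you can recover from a mistake.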

ciscosurfer
August 18th, 2006, 05:37 PM
@Penguinux Pumma
I couldn't agree more with (nearly ;)) everything you said. Excellent post!

Another point: the link above is not exhaustive by any means...simply do a search on the web for linux and virus and you'll be surprised!
There are more nasty codes outside that are not listed in that link.

Indeed!

clapper65
August 25th, 2006, 11:01 AM
I move my Ubuntu laptop from home to work quite a bit. Corporate policy is to have anti-virus on every machine on the network. So I installed clamav, just to play by the rules. I've not heard of any good reason not to.

ciscosurfer
August 25th, 2006, 01:37 PM
Just understand the limitations of anti-virus software for Linux: Just like their Windows counterparts, they do nothing to stop a zero-day attack, among other limitations. If you feel more secure knowing that you have an AV scanner running, then by all means, go ahead and use it. But it is important to understand how Linux virii propagate, etc. Some earlier posts in this thread address this issue. I'm of the opinion that on a Linux box, it's more conducive to use a firewall than an AV program. But do some research and then you decide. And in the end, it's all about smart user practices. :-D

frankie_d
August 26th, 2006, 07:53 PM
I think a lot of new Ubuntu users and newbie linux users in general are asking the questions.
I just installed Ubuntu 6.06. Have been playing with different Linux distros for a long while. I am a long time windows user and I do believe the Ubuntu 6 is the best yet. I too had the question in my head "what kind of security do I need?" Duh - Linux is the security... Bye Bye Windows :) :)

gannic
August 27th, 2006, 09:08 PM
I just dont get it....

Someone else pointed it out... let's say 50% of ubuntu users use automatix. That's universe and multiverse stuff. One piece of malicious code and that's it... 50% of linux users infected.

'It's the same or worse on windows' seems to be the linux cry... well... yes, but what now for windows... a week later all the antivirus/spyware tools catch up and wipe it out - the damage may have been done but the users get a chance to change passwords etc when they are found. What about linux...... nothing.... that malicious code just sits there as far as I can tell. Linux has no user friendly protective measures or scanning at all.

I am new to Ubuntu, but I think there is an advantage to Windows over Linux not mentioned... safety in numbers... there are a lot of machines to be infected before yours; many poorly protected - meaning hackers needn't bother writing complex scripts to disable zonealarm. You have a really good chance of escaping. On Linux there seems to be a big group who claim to only use trusted repositories, so don't play DVDs, use their computers for jukeboxes etc etc., and no way of detecting an infection of any type. Probably the hackers are more able too.

I just turned on outbound blocking on Firestarter and it's terrifying. I am getting at least 5 to 10 outbound connections a second. That's after I have opened the 2 ports I think I need. All sorts of things are turning up, so many I am thinking I need to reinstall ubuntu.

As far as I can see the truth is you don't need AV or firewall packages on linux because they are not as functional as they are on windows. Someone already said, it's about layers - but without the code from the universe and multiverse hardly anyone would be using Ubuntu or Linux for home computing, because there is too much functionality missing.

skymt
August 28th, 2006, 08:35 PM
Universe and multiverse are screened. You can't just submit a package and get it in. You have (practically) no chance of getting burned by installing a package. If you do, you have to re-install from scratch to be sure the scumware is really gone, no matter what OS you run.

About your Firestarter worries: please run ps -e in a terminal and post the output. We can help you find out if you really have something.

saintj0n
October 4th, 2006, 10:51 AM
Aren't script type "viruses" still possible? It would be crude and unable to hide under close scrutiny but someone could theoretically slip you a malicious script. Linux is sophisticated and slipping in a bash script in with a phony email would work right? It would be a cheesy thing to do but if someone has a grudge......:twisted:

Artificial Intelligence
October 4th, 2006, 11:05 AM
But you have to make the script executable first and then run it with admin privilege.

airtonix
October 9th, 2006, 04:07 AM
yep, sudo is king. long live the sudo...

Three cheers for sudo...

Hip hip...Horray
Hip hip...Horray
Hip hip...Horray

eeried
October 11th, 2006, 01:11 AM
Hello,

I have no firewall yet because I'm running Xubuntu and installing Firestarter (which I used on Ubuntu Breezy) would install loads of GNOME stuff. I didn't close any ports myself.

This is the report I got from ShieldsUP (http://www.grc.com/x/ne.dll?rh1dkyd2)

All ports closed and three stealthed

Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.

Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)

Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

Conclusion: a firewall is necessary to pass the test.

In my mind ClamAV is necessary only to make sure you don't pass viruses from infected files you may have received to Windows users. At least this is the present situation. I guess we'll be informed if Linux viruses get really nasty for the common user on her desktop.

deepwave
October 19th, 2006, 08:49 PM
I think Bastille is a better option to secure a Linux box than Firestarter or ClamAV.

ClamAV is really only good for an email server with Windows clients. It really doesn't make much sense to write a Linux virus. Worms are more of a problem.

As for a firewall, unless you are worried about a lot of traffic (or fear a DDOS) I would not bother. A better way is to uninstall unwanted services, and keep your system up-to-date.

Blutack
October 23rd, 2006, 10:26 AM
Another thing is that Linux users tend to be more computer literate than most Windows users (the ones that get upset because they can't find my Start button or Windows Media Player on my laptop...). We are more aware of basic security measures like not running files we don't know and not running as admin.
I am not downplaying the security of Linux. It is fantastic. The total failure of relying on external programs for security has already been well proved by M$. Any process can be terminated by malware with enough privileges. Most of security is stopping it getting in first.
And to those who distrust them, I'd take apt repositories over shoving 'free windows painting program' into Google any day.

airtonix
October 25th, 2006, 06:04 AM
I find it hilarious that to "stop" a windows system you first have to click on the "start" button.

lmao

No wonder new computing neophytes who are birthed on windows are confused about what a computer really is.....gee some think its a vending machine.

marcusdean.adams
October 29th, 2006, 01:21 AM
I use firestarter to monitor and control traffic because I run a small personal web server, and am on a network with Windows machines which requires me to open certain ports at certain times, so I like to have a quick and easy way to manipulate my firewall policy.

I have a whole different philosophy about antiviruses though. As I said in another thread, a virus is a program just like any other, it just does things that you don't want and that harm your system like delete necessary operating system files and such. The fault with antiviruses comes due to the fact that they only detect "known" viruses. I or anybody else who knows a programming/scripting language could write a malicious file to delete files, or create a really big file until the hard drive is full, whatever we wanted. The funny thing is, not one antivirus in the world would pick it up. An anti-virus is "helpful" if you're sharing files with a Windows system where the user has full read/write privileges to the entire disk, but other than that it's pretty useless. True virus protection should come in the form of a well structured operating system, not in the form of another piece of software to eat up your system resources.

redwolf963
October 30th, 2006, 12:18 AM
As far as MS and viruses go, their OS is set to an unreal *trust* environment.

Even in the new version, Vista, the permissions that programs need to run are at a level that is *unsafe* for average users. And that's a shame that a company that sells itself as "user-friendly", i.e. "It just works!", can still turn out such low-security requirement code.
I was looking forward to the new file system they were coming out with, that never materialised.

OK, enough knocking MS. At the end of the day, they still have a big lock on the market. Consumer and business.

Luckily, for Linux users anyway, the virus threat has not really developed as a viable playground for the malicious types that use their skills to steal money, credit card #'s, bank acct's, and so on.

Never forget that the first virus, or rootkit, was written on a UNIX machine.
Therefore, you still need to be vigilant in ways most common users don't consider.
NEVER CONNECT TO THE INTERNET WITHOUT A FIREWALL!

IPtables may be too granular for some users, I mean too difficult for some to decipher, especially MS users. I believe the knocks of learning to configure your own system far outweigh any of the perceived difficulties.
My message? Let's get the word out about what the average Linux user already knows.... Wannabe secure? Try Linux!

Sorry for the length of this rant,
Regards, Scott

dannyboy79
October 31st, 2006, 02:11 PM
I have a Netgear router/switch/firewall between my internal network and the cable modem. I do have virus protection and a firewall running on winbloz XP so I figured I would install Firestarter and add some rules. Besides adding the normal ports like FTP, SSH, telnet, and the ports I use for BitTorrent, what else should I be adding in the rules of either outbound or inbound within Firestarter? Keeping in mind that I do need to share files thru Samba between my Xubuntu laptop, my 3 Xboxes which run Xbox Media Center, my winbloz XP machine, as well as my Ubuntu server machine (which is where I have Firestarter installed), any suggestions would be very appreciated. Also, am I understanding ClamAV correctly, it doesn't run all the time does it, only when I open it and tell it what folders and files to scan? Or can I have it running all the time? How does ClamAV's virus file or definitions get updated if it's not running all the time? Thanks for anyone's help.

Chxta
November 13th, 2006, 06:55 PM
http://www.pcw.co.uk/personal-computer-world/software/2151042/avg-free-linux

I'm giving it a try because I think we are getting a little over confident in the Linux world...

crouton
November 14th, 2006, 05:24 PM
My two cents:

If it's available, and it works, and your machine can spare the resources (and most machines these days can), then there is no reason not to have a firewall and AV running. You don't have to run everything locked down, but getting in the habit of using these programs is a good idea.

PilotJLR
November 19th, 2006, 08:53 PM
Exactly! If you are not running any services, then an iptables firewall is pointless.
Behind a normal SPI NAT router, you're fine with no iptables firewall. Especially if you have no services... then you need no firewall at all.

Circus-Killer
November 20th, 2006, 02:25 AM
I see a few people suggesting to install Firestarter, stating that "having a firewall is good". When you first install Ubuntu, a firewall is already up and running.

Firestarter is merely a nice GUI to make setting up the firewall easier for the end user. As for ClamAV, it's not really necessary if you're not connected to other Windows machines on your local network.

So, basically, the answer is no, you don't need either. You might want Firestarter if you wanna customize your already existing firewall, but it is not necessary.

Cynical
November 20th, 2006, 06:50 PM
The fault with antiviruses comes due to the fact that they only detect "known" viruses.

not true

http://en.wikipedia.org/wiki/Antivirus#Approaches

ciscosurfer
November 20th, 2006, 06:58 PM
not true

http://en.wikipedia.org/wiki/Antivirus#Approaches

Heuristics are fine, but zero-day attacks really suck.

Jiawen
November 28th, 2006, 05:57 PM
I am still kind of confused about whether or not I need Firestarter...

My machine has been running 6.10 since around the beginning of this month (November 2006), and before that I was running Mandriva, under which I used Firestarter. I currently have Democracy 0.9.1 installed and I occasionally use other Bittorrent clients. I installed Firestarter a couple days after I installed Ubuntu, ran it once then read a bit more here and elsewhere that said I didn't need any firewall other than iptables.

But earlier today, I noticed that Democracy was connecting to the Internet even when I didn't have any active downloads, so I rebooted and started up Firestarter to check what was going on. Apparently, Democracy is a true BitTorrent-style client and uploads as well as downloads. That's cool with me -- that's the whole purpose of BitTorrent, after all -- but I have Democracy set to use ports between 8500 and 8600, and these connections are all over the place: 10044, 23245, 55785, etc. When I close Democracy, most of the connections go away, but one remains -- that connection to 10044, with a connection that resolves to tm.net.my, the program listed as Python 2.4.

Is this connection okay? How do I get Democracy to actually use only ports 8500-8600? Is Democracy unsafe to use? What about other torrent clients? Is Firestarter/iptables not doing its job?

Thanks!
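An added illustration of the port question in the post above (this is example code written for this page, not code from the thread or from the client being discussed): it parses constructed netstat-style lines and sorts one program's sockets by which side chose the port. A configured listening range such as 8500-8600 restricts only the local port of connections peers open to you; remote ports like 10044 are chosen by the peer, and connections your own client opens use an ephemeral local port outside the range. The addresses, PIDs and the "python2.4" program label in the sample are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample shaped like `netstat -tnp` output: the addresses, PIDs
# and program names are invented for illustration, not a real capture.
SAMPLE_NETSTAT = """\
tcp   0  0 192.168.1.5:8503   203.0.113.10:10044  ESTABLISHED 4120/python2.4
tcp   0  0 192.168.1.5:41572  198.51.100.7:23245  ESTABLISHED 4120/python2.4
tcp   0  0 192.168.1.5:8504   192.0.2.44:55785    ESTABLISHED 4120/python2.4
tcp   0  0 0.0.0.0:8500       0.0.0.0:*           LISTEN      4120/python2.4
tcp   0  0 192.168.1.5:53911  192.0.2.9:443       ESTABLISHED 2988/firefox-bin
"""

Conn = namedtuple("Conn", "local_port remote_host remote_port state program")

# proto  recv-q  send-q  local:port  remote:port  state  pid/program
LINE_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(\S+)\s+(\S+)$"
)


def parse_netstat(text):
    """Turn netstat-style lines into Conn records; unparseable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _lhost, lport, rhost, rport, state, prog = m.groups()
        conns.append(Conn(int(lport) if lport != "*" else None, rhost,
                          int(rport) if rport != "*" else None, state,
                          prog.split("/", 1)[-1]))
    return conns


def classify(conns, low, high, program):
    """Sort one program's sockets by the role its LOCAL port plays.

    local port inside low-high  -> a peer connected to our listening range
    local port outside the range -> a connection our client opened itself
    """
    roles = {"listening": [], "inbound": [], "outbound": []}
    for c in conns:
        if c.program != program:
            continue
        if c.state == "LISTEN":
            roles["listening"].append(c)
        elif low <= c.local_port <= high:
            roles["inbound"].append(c)
        else:
            roles["outbound"].append(c)
    return roles
```

Run against the sample, all three torrent connections are accounted for by the range on the local side; a socket that survives closing the client is a question about the owning process (the PID/program column), not about the port numbers.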

koanhead
December 4th, 2006, 02:28 AM
I have had problems with both firestarter and clamAV. Firestarter causes troubles with Azureus- sometimes it wants to block the port that Azure