A large number of opinions about security

[samiux]

@samiux , all you have been doing, is to try to spread FUD, show us some case studies, prove what you are saying.

I'm by no means a security exert, and I know one of my accounts was exploited, wouldn't it be better to help us recognize things like this when they happen, instead of just posting veiled warnings?

I have given my advice to you all after the Forum has been exploited. However, you transfer my thread (originally posted at Security Discussion sub-forum) to Other OS sub-forum.

Okay, if you cannot find it yourself. I tell you once more.

That is, employ at least one professional Penetration Testing team to pentest the Forum web application software as well as the Forum server (if the whole network is better) at least once a year.

Period.

Samiux

Edit : One hacker cannot do it, it does not mean that another hacker cannot to it.

[aysiu]

Some users here seem to putting forth a false dichotomy of "Linux is invincible" v. "Linux needs antivirus."

Antivirus does not in any significant way make your Linux installation more secure. It's like putting tissue paper over chainmail. If something can break the chainmail, the tissue paper on top doesn't really help.

[lisati]

Another thought that sometimes comes up in discussions such as these: no matter how careful the user is, no matter how secure the OS, an antivirus product is only as good as what it knows about.

[1clue]

I don't support the idea of a dichotomy. Linux has never been invincible because a system which is exposed to and communicates with the outside world can't be invincible, and UN*X is all about networking. The "linux needs antivirus" idea is not really accurate because the types of exploits typical on Linux are too widely varied to be easily dealt with by a piece of software, IMO. Linux needs informed, careful admins.

Linux can be extremely secure, and it can be extremely vulnerable. Windows can be extremely secure, and it can be extremely vulnerable. The vulnerabilities typical of each are different.

I have had the task of putting a couple servers through PCI compliance surveys and testing (so you can process credit cards), and all I'm saying is that there are a lot of extras to go through if you really want to have a secure system.

PCI compliance surveys make absolutely no distinction between an operating system hole or an application hole or a stupid user hole. Each hole is a vulnerability and can risk your data. In the case of a system which processes credit cards, that means credit card data is compromised.

All I'm saying is that when somebody says, "Is my system secure?" or "What sort of protection do I need?" you don't just give a blanket "don't worry about it." Give a link to the basic security page, or tell them it depends on what you're doing, and how careful you are. We need users to be smarter and safer, not happier and easier to hack.

When I started using Linux back when the 1200 baud modem reigned supreme, I believed all the "don't worry about it" people and did some outrageously stupid things, developed habits that lasted too long and got me hacked way too easily.

It doesn't matter how secure Linux itself is. If somebody convinces you to run something that installs a key logger even in your user's $HOME directory someplace, all they gotta do is wait for you to type "sudo" and send off whatever comes next off to some remote place. You're done, they have root access.

In terms of your data and your account security, the only thing that matters is that you were compromised, not whether it was Linux or something else that did it.

Maybe we need a super short security manual for unbelievers?

[cariboo]

I've moved a number of threads from this thread to here, as they weren't really helping the op.

[coldraven]

If you let a child use a computer they will eventually see "Install our toolbar and you get a free candy bar" and of course they will do it.
I recently nearly installed a deb package from a Chinese site in order to watch streaming movies. I stopped myself when the installer asked me "Do you trust this software?". (D'oh!)
So we need to grow up and use our knowledge to avoid being owned. We need to educate (if that is possible) Joe Public not to blindly trust everyone on the Internet.
Sadly, this is unlikely. Most peoples tablets, smartphones and PCs are full of malware of some form or another, regardless of OS.

[samiux]

I don't want to misleading anyone here.

I suggest to use anti-malware/virus to all kind of systems, including Linux, Mac OSX, *BSD, *nix and Windows. My home network is implemented UTM (Unified Threat Management System), and IDS/IPS (Intrusion Detection/Prevention System).

However, it does not mean that my home network is safe and no need to keep my eyes on it. I always monitor the incoming and outgoing traffic of my home network.

Anti-malware/virus, UTM and IDS/IPS as well as WAF (Web Application Firewall) are based on signature. If the malware/virus/exploits are in the wild, experts/professionals will include such signature of those malware/virus/exploits in their products/programs. If not, no signature at all. By the way, those signature can be bypass very easily in most cases.

I also use Firefox add-on, NoScript and etc, but it does not proof that I am safe when surfing internet. If a legit website, which I trusted, is infected or intruded, I may have chance to be infected too.

So, there is no bullet-proof or silver bullet. The missing part is education even you implemented all of the above. Education includes how to monitor the traffic as well. Does education is a silver bullet? It is still not, sorry.

So? How to get the silver bullet? I can show you how - not to use computer, not to surf internet, not to use smartphone and etc.

Samiux

[1clue]

The entire thrust of my part in this discussion is that to separate any part of security as not relevant to Linux security is passing the buck and a disservice to any new user who's trying to find out about security.

"Don't worry about it, Linux is secure." Does not help. "The forum hack was a human error, it does not affect Linux security." Does not help.

Again, let's go back to the forum hack. The black hat convinced someone with access to give him the keys to the forum. That's every bit as pertinent to a security discussion as a buffer overflow problem. The problem lies with a different system (the human one) but it's still a major issue with security.

Do some forum searches on antivirus/malware detection. How many of those threads have, "Don't worry about it, Linux can't get viruses?" All of them have it, so fervently that they drown out all the people saying what the problems really can be.

This forum and most other Linux forums I've been on incorrectly educate users to believe that once they install Linux they need not worry about security. It's just not true.

There are all sorts of issues with where beginning users go after they finish with the installer CD. They do it because of convenience and because they don't know any better.

There's another thing: Linux provides all sorts of logs about what's happening in the system, but if you never look at them then almost no security breach or attempted security breach can be detected, during or after the breach. I suspect all sorts of forum members have had malware on their systems for months or years, and they would never know because they never look.

I've had an intrusion that I detected from pure log file diligence, the only way I knew about it is the log entry that said that my user logged out from a remote location. Reverse DNS pointed at a company based in China. There was no matching login entry. I never logged in remotely, so I knew right away that was an intrusion. How did it happen? Brute force ssh exploit. He guessed my password. He had cleaned up the current log for all the attempts, but I'd seen the attempts before, done nothing about it (yes, my fault and my laziness) thinking that my password was unguessable. Suddenly all those entries are gone, and only this one place where I logged out.

[coldraven]

but I'd seen the attempts before,

A genuine question: Does fail2ban work with ssh logins?

I've seen tutorials on blocking logins from outside of an IP range and general hardening of systems but it would be nice to find them all in one place.
e.g. here

[1clue]

There are a lot of Linux security write-ups. Here's my favorite Ubuntu-specific one:

https://wiki.ubuntu.com/BasicSecurity

The issue with yet another one is you need to add significant value or you just litter googlespace with more noise.