Re: rkhunter

From: Newsbox (nospam_for_me_please_at_thanks.invalid)
Date: 05/10/05


Date: Tue, 10 May 2005 15:55:46 -0400

On Mon, 09 May 2005 07:42:05 +0000, Jacco wrote:

> My reason for instigating this thread was another query I had in
> alt.os.linux.mandrake regarding "suspicious files". Please read the
> following in conjunction with that thread. As it turned out these files
> may have been OK but it did force me to wipe the OS and put another on
> the machine. Yes I am the paranoid type a little but do not have the
> time to do that sort of thing too often.

Most of us here are a bit paranoid from time to time or we wouldn't be
interested in security. :-) I think your questions are more about knowing
what levels of concern and action are appropriate in your circumstances.
The answers that are right for you depend on what your circumstances are
and on having valid perspectives about the issues that may be involved.
I'm sorry you felt you had to wipe your disk and reinstall, but I applaud
your serious concern and action on the side of safety. I personally don't
wipe a disk very often.
 
> As linux wants to move from the system admin / geek type OS and more
> directed as an OS suitable for the desktop it's probably being a little
> unrealistic to expect general users to have all done courses in computer
> security that you may have done.

Well thanks for thinking I had some higher education; many do. I am just
a normal user.
>
> I do turn off all services I don't use [as far as I am aware]. I have
> reasonably tight iptables rules that only allow defined connections to
> the LAN or Internet. I run rkhunter, chkrootkit and tripwire regularly.
> I update the system whenever the applet tells me it needs to be updated.
> But my recent scare brought home that the intrusion detection on linux
> just isn't up to the same standards insofar as ease of use and
> interpretation as those on windows.
>
I'm just guessing, but it's possible that you may be working harder than
you need to satisfy your sense of comfort about your security. It's good
you are doing these things, but they shouldn't be unnecessarily
burdensome. Aside from the other good advice and perspectives, I think
Jim Richardson posted a couple of good perspectives re: how to easily
restore your confidence in your tools.

Interpretation of results does take some experience in some cases. In
other cases understanding results is less difficult. I personally find
these tools fairly easy to use, but I can't compare them to windows
utilities that I haven't used for years.

> I know that if I run most anti-virus and anti-ad products on one of my
> windows systems I am almost 100% sure the system is OK and has not been
> rootkitted. I tried the same on my suspect linux box and the bottom line
> is I had to reinstall the OS to be sure [even though it turned out
> unlikely that it was rootkitted]. Microsoft can make their security
> reasonably user friendly, surely linux can also.
>
The vendors of those proprietary products work very hard on a sales
strategy that makes you _feel_ insecure if you don't buy them (fairly
enough), and makes you _feel_ secure once you have bought and installed
them. And you are almost surely better off using those products than none
at all. But you are deceived or misinformed if you think that installing
any (protective) software on any machine under any OS will give you
"almost 100%" surety for any length of time. For one thing many viruses
simply turn off those (windows) security products. And in the other
extreme the criminals do not have to crack your machine at all to get
access to your wallet. ...Sad but true.

>> Individual system security is not just something that _can_ be done, it
>> is something that _must_ be done on a case-by-case basis for every
>> internet connected computer. _You_ just need to learn how to do that
>> well.
>
> I would argue that an OS that requires a degree to operate is unsuitable
> for the desktop.

Most current *nixes are quite simple to use at the GUI, with some
differences from windows. It's a different business model than proprietary
software. If you want someone available 24/7 to hold your hand and tell
you when it is OK to feel secure, there are support agreements available
for several OS's, just as there are for windows. Since most of the
Linux tools are free, no one is motivated to "sell them" to you, and you
can move beyond a freer understanding of what threats actually exist.
Those threats exist and apply at least equally to windows as to
non-microsoft OS's, but they don't show up on the radar much on that other
side.

Hopefully some of the suggestions here will begin to give you a better
level of comfort as well as helping you with your security questions.
