Keeping your Linux system safe


Opensource.com

Recently, Lee Brian wrote a great article about her own Linux story in My Dad, Linux and Me. In some of the comments to that article, a discussion of viruses and Linux emerged. While most of the Linux community would agree that viruses are less of an issue in Linux than some other operating systems, there are some people we share files with who are affected by viruses and other malware.

Maybe you have a shared folder on your computer that Microsoft Windows users access. Perhaps the IT department where you are employed requires the installation of antivirus software on all computers on your network. How do we protect them and ourselves in such environments?

That's where the open source antivirus engine ClamAV comes in. I have been using ClamAV on Mac OS X and Linux for almost 10 years and find it an effective deterrent to trojans, viruses, and other malware. Its source code is available on GitHub under the GNU General Public License.

On Linux servers, ClamAV can run as a daemon (clamd) that scans files on behalf of other processes, such as mail spam filters or a Samba file server. ClamAV is typically run from the command line, but third-party developers have created graphical user interfaces for it.

On Fedora:

dnf -y install clamav clamav-update

On Ubuntu:

sudo apt-get install clamav

For other Linux distributions and Unix systems, installation instructions are in the ClamAV documentation.

Once ClamAV is installed, download the current signature database by running freshclam as root (via su or sudo). On Fedora, the packaged /etc/freshclam.conf contains an "Example" line that makes freshclam refuse to run until you comment it out; the comments below walk through that fix. After updating the virus definitions, you're ready to scan your system. clamscan has many options, and they are described in its man page.

My own favorite is clamscan --infected --remove --recursive /home, which recursively scans my home directory, lists only the infected files (--infected) and deletes them (--remove). Deletion is irreversible, so where a false positive would hurt, quarantine with --move=DIR instead. If you run the scan from cron, check the exit status: clamscan returns 0 when nothing was found, 1 when an infected file was found, and 2 on error.

Equally important to maintaining the integrity of your system is the detection of rootkits. According to Wikipedia, "A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer that would not otherwise be allowed (for example, to an unauthorized user) while at the same time masking its existence or the existence of other software."

I have found that ClamAV is not always effective at detecting and eliminating rootkits. Fortunately, the open source Rootkit Hunter (rkhunter) is available and easy to install: just use your package manager of choice to install the rkhunter package. There is a man page for rkhunter, and you will want to consult it to choose the options for your use. I chose to take the defaults and just ran it from the command line: sudo rkhunter --checkall. Two things to know before trusting the output: rkhunter compares system binaries against a stored baseline, so run sudo rkhunter --propupd after installing it and after package upgrades, or legitimately updated files show up as warnings; and, like any scanner running on the host it inspects, it can be blinded by a rootkit that already controls that host, so a clean report is evidence, not proof. Findings are written to /var/log/rkhunter.log. There is a very well written help page provided by the Ubuntu community. Rootkit Hunter is licensed under the GNU General Public License, and its source files are on SourceForge.
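To show how the two scans above fit together in an unattended job, here is an added shell example. It is not code from the article or from the ClamAV or rkhunter projects. The quarantine directory, the scan root and both blocks of sample scanner output are assumptions constructed for the example, so the parsing helpers can be exercised on a machine without either tool installed; scan_home and check_rootkits call the real commands and are meant to be run as root.

```shell
#!/bin/sh
# Added example, not code from the article: wrap the ClamAV and Rootkit Hunter
# scans described above so they can run unattended (e.g. from cron as root),
# and interpret their results. QUARANTINE and SCAN_ROOT are assumed defaults.

QUARANTINE="${QUARANTINE:-/var/lib/clamav-quarantine}"   # assumed path
SCAN_ROOT="${SCAN_ROOT:-/home}"

# clamscan(1) exit status: 0 = nothing found, 1 = infected file(s) found,
# 2 = an error occurred (for example an unreadable file or no database).
clamscan_status() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "infected" ;;
        2) echo "error" ;;
        *) echo "unknown" ;;
    esac
}

# Print the path from every "<path>: <signature> FOUND" line that
# clamscan --infected emits, one per line.
infected_paths() {
    printf '%s\n' "$1" | sed -n 's/^\(.*\): [^:]* FOUND$/\1/p'
}

# Read the "Infected files:" figure from the scan summary.
infected_count() {
    printf '%s\n' "$1" | sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p'
}

# rkhunter --report-warnings-only prints one "Warning:" line per finding.
rkhunter_warning_count() {
    printf '%s\n' "$1" | awk '/^Warning:/ { n++ } END { print n + 0 }'
}

# The article's scan, but quarantining with --move instead of deleting with
# --remove, so a false positive can be restored. Prints clean/infected/error.
scan_home() {
    mkdir -p "$QUARANTINE"
    freshclam >/dev/null 2>&1 || echo "freshclam failed; using existing signatures" >&2
    if clamscan --infected --recursive --move="$QUARANTINE" "$SCAN_ROOT"; then
        rc=0
    else
        rc=$?
    fi
    clamscan_status "$rc"
}

# Non-interactive rkhunter run; its exit status is non-zero when it warns.
# Run "rkhunter --propupd" after package upgrades, or every changed binary
# is reported as a warning.
check_rootkits() {
    rkhunter --check --skip-keypress --report-warnings-only
}

# Constructed sample output (not from a real scan) so the helpers can be
# exercised without ClamAV or rkhunter installed.
SAMPLE_CLAMSCAN='/home/don/Downloads/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/home/don/Downloads/setup.exe: Win.Trojan.Generic-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8650000
Engine version: 0.103.8
Scanned directories: 120
Scanned files: 4321
Infected files: 2
Data scanned: 1024.00 MB
Time: 60.123 sec (1 m 0 s)'

SAMPLE_RKHUNTER='Warning: Hidden directory found: /etc/.java
Warning: The SSH configuration option PermitRootLogin has not been set.
Warning: The command /usr/bin/lwp-request has been replaced by a script: /usr/bin/lwp-request: Perl script text executable'

# Demo on the constructed samples; touches nothing on the system.
echo "clamscan exit 1 means: $(clamscan_status 1)"
echo "infected files reported: $(infected_count "$SAMPLE_CLAMSCAN")"
infected_paths "$SAMPLE_CLAMSCAN"
echo "rkhunter warnings: $(rkhunter_warning_count "$SAMPLE_RKHUNTER")"
```

In a cron job you would call scan_home and check_rootkits and alert when the first prints anything other than "clean" or the second exits non-zero; the parsing helpers are there for the case where you keep the scanner output and want to extract the offending paths for a ticket or a log line.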

Update: "sudo rkhunter -checkall" changed to "sudo rkhunter --checkall" (added hyphen). Thanks to our readers for the feedback in the comments! -rikki 

Educator, entrepreneur, open source advocate, lifelong learner, Python teacher. M.A. in Educational Psychology, MSED in Educational Leadership, Linux system administrator. Follow me at @Don_Watkins.

17 Comments

Hi

After a fresh installation of clamav I issue the freshclam command and:

[root@localhost ~]# freshclam
ERROR: Please edit the example config file /etc/freshclam.conf
ERROR: Can't open/parse the config file /etc/freshclam.conf

and the application warns me about the 'outdated database'

how can I fix this...?

Thank You.

Thank you for a short and easy article to follow.

Just what I need to get started with ClamAV and Rootkit Hunter.

I didn't have any antivirus installed on my Kubuntu and, to be honest, I forgot all about AV and rootkits since I left Windows a couple of years ago.

Now it's installed and my first scan shows no rootkit and no little viruses.
But now I'm a bit safer and hopefully prepared for the first Linux virus around.

Br Hans

@Gonzalo

Install clamav-daemon: sudo apt-get install clamav-daemon

/Br Hans

Thanks for the question, Gonzalo. I just did a fresh install on Ubuntu 14.04 LTS tonight and it's working with "sudo freshclam." However, you look like you might be on Fedora, RHEL or CentOS and I'm not sure of your environment. Here is a possible solution if on Fedora, http://rpm.pbone.net/index.php3/stat/4/idpl/29284699/dir/fedora_21/com/…. My "freshclam.conf" on Ubuntu might be a bit different than your system's, but I'm happy to share if you like.

Hi again, Don.

Yes, I forgot to state the environment: it is Fedora 22 (32 bits)...
Looking at the link you provided, there are only updates for 64 bits...
I tried:

[root@localhost ~]# dnf install clamav-update
Last metadata expiration check performed 0:31:57 ago on Sat Sep 26 11:47:56 2015.
Package clamav-update-0.98.7-1.fc22.i686 is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!

but the message about the 'outdated database' persists...

I tried dnf upgrade clamav-update:

[root@localhost ~]# dnf upgrade clamav-update
Last metadata expiration check performed 0:39:07 ago on Sat Sep 26 11:47:56 2015.
Dependencies resolved.
Nothing to do.
Complete!

So I don't know how to put the database 'up to date'...
Any suggestion...?

Thank You

gonzalo//.

Here is a suggestion from server-world.info.

[root@localhost ~]# dnf -y install clamav clamav-update

[root@localhost ~]# vi /etc/freshclam.conf
# line 8: comment out
#Example

[root@localhost ~]# vi /etc/sysconfig/freshclam
# end line: comment out
#FRESHCLAM_DELAY=disabled-warn

# update pattern files
[root@localhost ~]# freshclam

In reply to by Gonzalo San Gil, PhD
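The two edits in the suggestion above can be applied without opening vi, which also makes them repeatable on every new Fedora box. The following is an added shell example, not code from the comment or from the ClamAV project. It works on whatever file paths it is given; the abbreviated copies of freshclam.conf and /etc/sysconfig/freshclam that it creates in a scratch directory are constructed for the example and are not the real package contents. To fix a real system, run the two fix_ functions as root on /etc/freshclam.conf and /etc/sysconfig/freshclam.

```shell
#!/bin/sh
# Added example, not from the comment above: apply the two Fedora freshclam
# edits idempotently and check that freshclam will no longer refuse to start
# because of the "Example" guard line.

# Comment out the "Example" line in a freshclam.conf. Already-commented
# lines do not match, so running this twice is harmless.
fix_freshclam_conf() {   # $1 = path to freshclam.conf
    sed -i 's/^Example$/#Example/' "$1"
}

# Comment out FRESHCLAM_DELAY=disabled-warn in /etc/sysconfig/freshclam so the
# packaged periodic update job is allowed to run. Also idempotent.
fix_freshclam_sysconfig() {   # $1 = path to the sysconfig file
    sed -i 's/^FRESHCLAM_DELAY=disabled-warn$/#FRESHCLAM_DELAY=disabled-warn/' "$1"
}

# Exit 0 when no active "Example" line remains; an active one is what
# produces "ERROR: Please edit the example config file".
freshclam_conf_ready() {   # $1 = path to freshclam.conf
    ! grep -q '^Example$' "$1"
}

# Constructed, abbreviated copies of the shipped files (not the real package
# contents) in a scratch directory, so the functions can be exercised safely.
WORK=$(mktemp -d)
printf '# Comment or remove the line below.\nExample\nDatabaseMirror database.clamav.net\n' \
    > "$WORK/freshclam.conf"
printf 'FRESHCLAM_CONF=/etc/freshclam.conf\nFRESHCLAM_DELAY=disabled-warn\n' \
    > "$WORK/sysconfig-freshclam"

fix_freshclam_conf "$WORK/freshclam.conf"
fix_freshclam_sysconfig "$WORK/sysconfig-freshclam"
if freshclam_conf_ready "$WORK/freshclam.conf"; then
    echo "freshclam.conf is ready; on a real system, now run: freshclam"
else
    echo "freshclam.conf still has an active Example line" >&2
fi
```

The readiness check is the useful part for a provisioning script: it lets you fail fast with a clear message instead of discovering the problem when the first scheduled update silently produces the "outdated database" warning.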

@Don For running the rootkit hunter is 'sudo rkhunter --checkall' not 'sudo rkhunter –checkall'

Correction made to "sudo rkhunter --checkall" Thank you.

# ! Oh, my: I need a tutorial on vi/vim first...
I'm afraid I'm 'destroying' certain essential system files...

# ! Thank You anyway, Dan: I'll keep the page bookmarked for further reading, for when I'm ready for the text editors...

Thank You again...

:)

gonzalo//.

Hi,
it's still wrong; one of them is not a hyphen (or minus) symbol.
Below is the corrected command:
sudo rkhunter --checkall

I copied and pasted from my terminal to the article and I believe it's correct now. :)

In reply to by Emil Varughese (not verified)

Dear Don,

Shouldn't you change the title of this article? It's a bit misleading. In fact, it basically commits to helping people make their GNU/Linux system more secure ... but instead leaves people falsely assuming that their GNU/Linux systems are bulletproof and that we can instead protect our friends running systems which are more vulnerable to viral infection.

I was expecting something covering eliminating unused listening ports, hardening any needed services, using packet filtering, perhaps some sysctl settings, etc. Instead, I found that you have mentioned some tools to remove a rootkit.

Once your machine is compromised to the extent that some 3rd party has complete control over your machine, you cannot really rely on any tools running on that machine to detect the presence of the compromise.

Let me reiterate that ... if I had control of your machine ... I would ensure that any tools you install would not detect my presence. It would be the first thing on my "todo" list.

Anyway, just my thoughts.

Thanks and have a nice day.

-EE

Thanks for sharing your thoughts. :)

In reply to by Extradimention… (not verified)

Hi Don,
I read your naïve story about ClamAV and your true belief that you have a really secure system.
Here is something I would like to point your attention to, in order for you to understand that computer security is not only a matter of antivirus software:

It is called "Man in the Middle" and it is the most abusive tactic used in our days against almost everyone. It works in such a way that someone intercepts in real time all packets that your computer system exchanges with the internet. When you download packages, which you believe come from the Linux repository, they actually come from the "bad guys'" servers. Your system is no longer running the OS you think it runs, but something that looks like it. Good rootkits were never detected.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.