TL;DR - What are you running as a means of “antivirus” on Linux servers?
I have a few small Debian 12 servers running my services and would like to enhance my security posture. Some services are exposed to the internet and I’ve done quite a few things to protect the services and the hosts. When it comes to “antivirus”, I was looking at ClamAV as it seemed to be the most recommended. However, when I read the documentation, it stated that the recommended RAM was at least 2-4 gigs. Some of my servers have more power than other but some do not meet this requirement. The lower powered hosts are rpi3s and some Lenovo tinys.
When I searched for alternatives, I came across rkhunter and chrootkit, but they seem to no longer be maintained as their latest release was several years ago.
If possible, I’d like to run the same software across all my servers for simplicity and uniformity.
If you have a similar setup, what are you running? Any other recommendations?
P.S. if you are of the mindset that Linux doesn’t need this kind of protection then fine, that’s your belief, not mine. So please just skip this post.
The core problem with this approach is that antivirus scanning is generally based on signature recognition of malicious binaries. Behavior-based antivirus scanning mostly doesn’t work and tends to generate a lot of false positives. No freely available antivirus is going to have a signature library that is kept up to date enough to be worth the effort of running it on Linux - most vulnerabilities are going to be patched long before a free service gets around to creating a signature for malware that exploits those vulnerabilities, at which point the signature would be moot. If you want antivirus that is kept up to date on a weekly or better basis, you’re going to have to pay for a professional service.
That said, there are other, simpler (and probably more effective) options for hardening your systems:
- Firewall - if your servers are dedicated to specific services and you don’t plan on adding many more applications, you should be able to tighten up their firewalls to have only the ports they need open and nothing else. If network security is a priority, you should start with this.
- Application Whitelisting - prevent unrecognized applications from running. There are more options for this on Windows (including the builtin Applocker), but there are some AWL options for Linux. It’s a lot easier to recognize the things that you do want to run than all of the things that you don’t want to run.
- Secure OS - I assume you’re using Debian because it’s familiar, but it is a general-purpose OS with a broad scope. Consider switching to a more stripped-down variant like Alpine Linux (it can be installed on a Pi).
Btw, bash has a restricted mode.
The firewall point I just don’t get. When I set up a server, for every port I either run a service and it is open, or I don’t and it is closed. That’s it. What should the firewall block?
A malware might create a service which opens a previously closed port on your system. An independently configured firewall would keep the port closed, even if the service was running without your knowledge, hopefully blocking whatever activity the malware was trying to do.
Also, you can configure the firewall to drop packets coming in to closed ports, rather than responding to the sending device that the port is closed. This effectively black-holes the incoming traffic, so it looks like there’s just nothing there.
If an attacker already has access to a system, they can use hitherto closed ports to communicate with C2 servers or attack other devices. In that case, a firewall that only allows known-good traffic will prevent further damage.
You can set up an intrusion detection/prevention system, that logs/blocks certain traffic. If you do have public services running, you could block access based on location, lists of known bad actors etc. I guess you could argue that this is beyond the scope of a traditional firewall.
I don’t use a firewall apart from router, but if you set a firewall in all of your devices, the chances of one of them getting infected and spreading it to the others via LAN would be low theoretically.
Firewalls set and enforce policy. Closed ports are only incidentally secure. Also, they can do a lot more than answer “nothing is listening here”.
A modern firewall might also block connections to known bad sites, in case you do somehow get malware reaching out to a command & control server. Or it might identify malicious application traffic over a port that should be for a more trustworthy service.
But these are usually only a concern in places like businesses or schools where there are a lot more people, devices, etc. on the network, especially if there’s a guest network.
I’m a senior Linux/Kubernetes sysadmin, so I deal with system security a lot.
I don’t run ClamAV on any of my servers, and there’s much more important ways to secure your server than to look for Windows viruses.
If you’re not already running your servers in Docker, you should. Its extremely useful for automating deployment and updates, and also sets a baseline for isolation and security that you should follow. By running all your services in docker containers, you always know that all of your subcomponents are up to date, and you can update them much faster and easier. You also get the piece of mind knowing, that even if one container is compromised by an attacker, it’s very hard for them to compromise the rest of the system.
Owasp has published a top 10 security measures that you can do once you’ve set up Docker.
https://github.com/OWASP/Docker-Security/blob/main/dist/owasp-docker-security.pdf
This list doesn’t seem like it’s been updated in the last few years, but it still holds true.
-
Don’t run as root, even in containers
-
Update regularly
-
Segment your network services from each other and use a firewall.
-
Don’t run unnecessary components, and make sure everything is configured with security in mind.
-
Separate services by security level by running them on different hosts
-
Store passwords and secrets in a secure way. (usually this means not hardcoding them into the docker container)
-
Set resource limits so that one container can’t starve the entire host.
-
Make sure that the docker images you use are trustworthy
-
Setup containers with read-only file systems, only mounting r/w tmpfs dies in specific locations
-
Log everything to a remote server so that logs cannot be tampered with. (I recommend opentelemetry collector (contrib) and loki)
The list goes into more detail.
Hey, kinda off topic but what’s the best way to get into a Linux/Kubernetes admin role? I’ve got a degree in networking, several years of helpdesk experience and I’m currently working as an implementation specialist.
Is that something I could simply upskill and slide into or are there specific certs that will blow the doors open for new opportunities?
Sure! I got my start with this sort of tech, just running docker containers on my home server for running stuff like nextcloud and game servers. I did tech support for a more traditional web hosting MSP for a while, and then I ended up getting hired as a DevOps trainee for a internal platform team doing Kubernetes. I did some Kubernetes consulting after that and got really experienced with the tech.
I would say to try running some Docker containers and learn the pros and cons with them, and then I would say to start studying for the CKAD certification. The CKAD cert is pretty comprehensive and it’ll show you how to run docker containers in production with Kubernetes. Kind is a great way to get a Kubernetes cluster running on your laptop. For more long term clusters, you can play around with k3s on-prem, or otherwise, I would recommend Digital Ocean’s managed Kubernetes. Look into ArgoCD once you want to get serious about running Kubernetes in production.
I think with a CKAD cert you can land a Kubernetes job pretty easily.
I would probably only recommend the CKA cert on the path to CKS. CKA gets into a lot of the nitty gritty of running a kubernetes cluster, that I think most small-to-medium companies would probably skip and just run a managed solution.
Kubernetes has a steep learning curve, since you need to understand Operations top-to-bottom to start using it, but once you have it in your tool belt, it gives you endless power and flexibility when it comes to IT Operations.
This is pretty much what I have setup. I’m not logging to a separate server but I do have other things setup like fail2ban, changes default ports, secrets management, etc. Good resource tho
-
I think you’re about to find out that the “belief” that Linux doesn’t need antivirus isn’t just held by everyone in this community, it’s held by the whole Linux community. Hence there being no active projects in the space.
Heck you almost don’t need any antivirus in windows anymore. Just windows defender and half a brain when it comes to what you download.
Many security experts I know consider AV software to be snake oil. I do so too. They are so complex and need so far reaching permissions to be somewhat effective, that they become the attack vector and/or a large risk factor for faulty behavior.
Add in lots of false positives and it just numbs the users to the alerts.
Nothing beats educating users and making sure the software in use isn’t braindead. For example Microsoft programs that hide file extensions by default is a far bigger security problem than a missing AV tool. Or word processors that allow embedded scripts that can perform shit outside the application. The list goes on …
Well that’s just not fair. Snake oil doesn’t get auto updated by the vendor, and then lock my production processes and cause an outage. I’d take a bottle of snake oil any day over Symantec.
I don’t really understand that belief. There is plenty of Linux malware especially targeting servers, you just need to have an unsecure service running to find that out
I have been using linux for almost 2 decades, never seen a virus. And I never heard of a colleague or friend who got one on Linux. That’s why no one has ever installed an antivirus, because, till now, the risk has been practically zero.
On windows, on the other hand, I saw so many viruses on friends and relatives computers…
People install antiviruses depending on the experience.
To be fair, we all know on Linux viruses exist, but is objectively pretty difficult to get one. It is not worth installing an antivirus if one doesn’t actively install garbage from untrusted sources
It’s not any more difficult to get a virus on Linux than Windows. It comes down to experience as you said. I’ve been using Windows for my entire life and haven’t gotten a virus since I was 8. But all it takes is one mistake on both Windows and Linux, you accidentally leave a docker endpoint or ssh server exposed and insufficiently protected on Linux and you’re going to get a virus the same as if you accidentally opened a .pdf.exe on Windows.
Not at all. You leave a ssh port open, you don’t necessarily get a virus. Try it. Set up a raspberry pi, install ssh and leave the port open in your firewall. It is much less risky than exposing rdp (the most comparable windows protocol) on windows for instance.
It is a security risk, but absolutely not comparable of installing pdf.exe. Not even in the same league of risk.
As said, try it now and tell me how it goes.
There is a lot of misinformation around security on Linux
Glad you asked, I run a ssh honeypot and get multiple connections adding ssh keys, trying to run lockr, downloading shit every day.
2023-09-16T09:09:48+0000 [SSHChannel session (1) on SSHService b’ssh-connection’ on HoneyPotSSHTransport,14737,61.222.241.108] Command found: echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr >> .ssh/authorized_keys
Does the attack succeed? Never happened to me. You see bot trying, but really never seen succeeding irl. How is it configured?
Do you have also a rdp honeypot by chance? Do you see different rates of attack? Honestly curious.
I don’t have any windows licenses around, otherwise, it would have been an interesting test
Also, antivirus is the wrong idea there. What you’d want is an intrusion detection and/or integrity checking system.
It’s configured to allow requests from connections using common default passwords. If it wasn’t a honeypot the requests would succeed. I don’t currently run an rdp honeypot but I did a few years back, iirc the rates were about the same with rdp being a little bit less. Which as I say, comes down to configuration and usage. If you misconfigure Linux you will get malware, same as Windows.
Running a honey pot for SSH and sharing logs only proves that people try to attack you, it does not really tell if SSH as such is vulnerable or not. It is a honey pot, people gaining access if the whole point.
Having a locked down but exposed SSH access is something else.
You’re missing my point, a virus doesn’t have to infiltrate a completely secure system. It can come through you accidentally leaving your ssh insecure or any other service.
What happens in the Windows world: Microsoft is not capable of creating and distributing a patch timely. Or they wait for “patch day”, the made up nonsense reason to delay patches for nothing. Also since Windows has no sensible means of keeping software up to date, the user itself has to constantly update every single thing, with varying diligence. Hence Antivirus: there is so much time between a virus becoming known and actual patches landing on windows, that antivirus vendors can easily implement and distribute code that recognizes that virus in the meantime.
What happens in the linux world: a patch is delivered often in a matter of hours, usually even before news outlets get to report about the vulnerability.
Zero days aren’t the only way you get viruses. Misconfiguration and social engineering are both vectors that are OS agnostic.
But do antivirus really help with that? Is it going to check for open ports and see if the service listening has a strong password?
You can’t program against social engineering or missconfiguration, and because those are the only real vulnerabilities in Linux there’s no need for antivirus.
No but it can’t do that on Windows either, all it can do is detect an infection and attempt to remove it. Same process would be applicable on Linux.
Behavior-based antivirus is extremely difficult, failure-prone, and almost entirely unnecessary because of how secure Linux is, so they don’t exist to my knowledge. Signature-based antivirus is basically useless because any security holes exploited by a virus are patched upstream rather than waiting for an antivirus to block it. ClamAV focuses on Windows viruses, not Linux ones, so it can be a signature-based antivirus, but not many people run an email server accessed by Windows devices or other similar services that require ClamAV, so not many people use it, and nobody made any alternatives.
If you’re worried about security, focus on hardening and updates, not antiviruses.
Okay, I think we can wrap this up: OP started with “I don’t want to be convinced of the predominant oppinion about security” and kept their word.
OP: You got your answer. There is no alternative to ClamAV. ClamAV is open source so it will always be slower than apt update in fixing vulnerabilities.
You can wonder why the whole community that created tons and tons of cool shit for Linux with armies of talented people with way more IT knowledge than all of us combined didn’t dedicate their time to Viruses. You can ask yourself how a virus would even get on your server… or you can not. Your choice. But the answer is: There is no alternative to ClamAV and ClamAV is set up mainly to detect Windows-Viruses that get spread by Mail-Attachments and the like.I could fork ClamAV and call it OysterAV then there would be a less maintained alternative
I also use ClamAV, but only in specific circumstances, such as when a Linux server will be hosting end-user files. Perhaps a SAMBA server with a file share, or a web server which accepts user uploads.
In those cases, I might want to have it monitor the relevant part of the disk, but I also need to make sure my web application won’t fall over when the file it just accepted is unceremoniously ripped away from it. You can test that out using the EICAR file as your payload.
On a jump box, I might also have it turned on for scanning user home directories, by including /home, and then excluding any home directories for applications and daemons which might not deal well with having their IOPS nuked or delayed.I would recommend just setting up iptables & crowdsec. Open only the ports your services need, and add the relevant plugins to crowdsec. Nothing should come through.
If you have services that allow people to upload files, that’s a different story.
I am running SMB although it’s not publicly available and setup with specific users having specific access to specific shares.
Good note on crowdsec
Chkrootkit isn’t an antivirus.
Yea. Thanks.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters IoT Internet of Things for device controllers LTS Long Term Support software version SSH Secure Shell for remote terminal access VPN Virtual Private Network
4 acronyms in this thread; the most compressed thread commented on today has 13 acronyms.
[Thread #141 for this sub, first seen 17th Sep 2023, 06:25] [FAQ] [Full list] [Contact] [Source code]
You’re likely doing security wrong. But I’m keeping relatively quiet, as requested.
Please read up on how to set a partition noexec, use AppArmor, firewall, how to keep things patched, hardened and actual security measures if you want to protect the server. Also make sure not only fail2ban is working but every login on exposed software on that server is protected against brute force. ClamAV and similar are to protect your windows clients of your mail and storage server. They will not help with linux viruses. And you got to protect your servers against security vulnerabilities, not malware. The server won’t randomly execute an executable file on its harddrive on its own. Think about how did that malware get there in the first place. And why is the file executable… Don’t be offended, you can install whatever you want, including ClamAV, just make sure you did the 95% of protection first if security is your concern.
Maybe you’d be interested in https://wazuh.com/
Not sure this is what I’m looking for as it appears to be an XDR SIEM vendor.
That’s what modern endpoint security is, really. Traditional AV is dead. There are far too many people making malware for file signatures or heuristics to keep up. Instead, you want to look for behavior on the system and on the network. For example, if a program starts reading every file it can find on the network, and changing then from their current formats to unreadable blobs, that’s probably ransomware and should be stopped. Plain old AV probably won’t catch it on the client because of how frequently it gets modified (plus all the various evasion techniques), nor on the server because nothing unusual is running on the server.
I don’t understand your intention, as for tips and hints and end you post on this line:
“Ps: if you have a different opinions than I do skip this post”
That’s the perfect recipe for a circle jerk.
I am not a expert in Linux, and I mostly rely on very strong passwords. I also discovered recently basic stuff like changing the default SSH port. Anyone knows of implementation of 2FA on Linux?
I have a yubikey and use their pam-module for 2FA on sudo and ssh. Took a bit of time to configure, but now it works like charm: https://wiki.archlinux.org/title/YubiKey#Linux_user_authentication_with_PAM
Thanks, I’m looking into it
Changing the default porta is security through obscurity, which is not security but just a waste of time. Don’t rely on attackers “maybe not finding stuff” but rely on your stuff being secure, even if someone had all information about your network and system architecture.
For 2fa, the other commenter mentioned yubikey pam modules. Those are probably useful, but if you want to secure your ssh server, the best solution is to use ssh keys and disable password login. I can really recommend that as its one of the few things in security that improves both usability and security.
What’s an ssh key? Nvm I’ll research
Welcome to the top of cryptography. We have elliptic curves, crazy math and huge numbers.
If at all possible, do not expose things like ssh, RDP, etc to the internet. Use traditional VPN or something like tail scale. Just because ssh is on a different port than normal doesnt mean an attacker couldn’t figure out that your running ssh on port 335.
Well fail2ban went from very active to very quiet. It is definitely worth not leaving 22 (when opening ssh is a must for different reasons)
Honestly, the best antivirus for Linux is Arch.
Hahahahaha this actually made me chuckle. Thanks for that!
Its a rolling release, so will always have the most up to date and patched packages the fastest. That concept is the antivirus.
Can’t infect your machine if the vulnerabilities are already fixed.
Unfortunately you can’t easily patch the fleshy thing operating the system
Not yet…
Now where do new vulnerabilities come from? 🤔 Oh that’s right - from new code. And how often does new code show up on Arch? Oh…
Security concerns can vary between traditional Linux distributions and rolling release distributions.
Traditional Linux Distributions:
-
Stability: Traditional distributions like Ubuntu LTS tend to prioritize stability over the latest software updates. While this can reduce the risk of new software vulnerabilities, it may also mean that security patches for certain software components are not as up-to-date as in rolling releases.
-
Delayed Updates: Security updates for software packages may take longer to reach users in traditional distributions because they go through a more extensive testing and validation process. This delay could potentially leave systems vulnerable for a longer period.
-
Predictability: Traditional distributions have predictable release cycles, making it easier to plan and apply security updates. However, this predictability can also make it easier for attackers to anticipate when certain software versions will be in use.
Rolling Release Distributions:
-
Up-to-Date Software: Rolling releases like Arch Linux or Manjaro provide the latest software updates as soon as they are available. While this ensures access to new security features and patches quickly, it can also introduce new bugs and vulnerabilities.
-
Frequent Updates: Rolling releases typically require more frequent updates, which can be time-consuming and potentially introduce compatibility issues if not managed properly.
-
User Responsibility: Users of rolling releases have a greater responsibility to stay informed about security updates and apply them promptly. Failure to do so can leave systems vulnerable.
-
Testing: Rolling releases often have a testing phase where updates are evaluated by the community before being rolled out to all users. This helps catch issues, but it can still result in occasional instability.
In summary, the main security concern with traditional Linux distributions is the potential delay in receiving security updates, while rolling releases offer up-to-date software but may require more user vigilance and can occasionally introduce instability due to frequent updates. The choice between them should depend on your specific use case and your willingness to manage updates and stability.
-
There are none. ClamAV is the only one there is, because it has a very specific and narrow purpose. There are no viruses for Linux.
Chrootkit and rkhunter are also built for very specific things (detecting rootkits - or making them) and are not designed to protect, they are designed to analyse.
My writing here also isn’t specifically to OP, but to all others that may find this thread - Anti Virus for Linux is BS and unless you are running SMB and still have lots of Windows in your network, it’s absolutely not needed, especially if you follow the basics (like not doing stuff as root, using sudo and not giving out any system rights).
…some Linux machines definitely need anti-virus software. Samba or NFS servers, for instance, may store documents in undocumented, vulnerable Microsoft formats, such as Word and Excel, that contain and propagate viruses. Linux mail servers should run AV software in order to neutralize viruses before they show up in the mailboxes of Outlook and Outlook Express users.[
Which is exactly what I said. ClamAV serves a very specific purpose and that’s this one.
There are still no viruses for Linux specifically designed to break in to Linux, because it’s not possible.
There are still no viruses for Linux … because it’s not possible.
Here is just one example that proves your assertion wrong.
Apache and OpenSSL must be enabled and OpenSSL version must be 0.96d or older.
Right. Completely proven wrong.
So if I’m reading this correct the vulnerability was patched before the worm got programmed and it peaked at 2000 machines infected when it targeted apache servers running openssl, which back in 2002 was basically any encrypted website.
Don’t know how an AV would have helped there.
Simply refuting the BS claim that it’s impossible for there to be a Linux virus.
This one existed, therefore the claim is false.
The claim was within the context of AV software, not a general one.
Mirai and other botnets, coin miners, ransomware… Do you think that malware makers just decided to ignore the billions of Linux servers and IoT devices that exist?
I agree with you, but, it is also true that the overwhelming majority of ransomwares affect windows https://www.statista.com/statistics/701020/major-operating-systems-targeted-by-ransomware/
Linux is not a significant target despite being so diffused
Edit. For those downvoting, windows server is ~20% of the server market and it is second in that stat. GNU/Linux distros such as rhel, debian and so on are almost 80% of server market and still there are no sufficient attacks reported to end up in that stat
True, but the largest botnet in the world runs purely on Linux devices
It targets router firmwares though… These bot farms do not usually target real gnu/Linux os, because it is easier and more effective to attack router firmwares that are not well configured by producers and telcoms, and are practically never upgraded.
Therefore they are not a real threat for standard mint or popOS user… Let alone gentoo users
I dont understand why you’re getting downvoted for this.
