When I first came to Linux, almost all advanced Linux users told me that Linux cannot be infected by viruses and malware because of its excellent design: except for root or a sudoer, nobody has the privilege to harm the system, malware included. If your Linux system is infected, only you (the user) are affected, so you are not required to install any anti-virus or anti-malware application. Meanwhile, Linux is not affected by Windows-based malware. Moreover, Linux developers have hardened the Linux kernel in many ways, such as ASLR, XD/NX, SELinux, AppArmor, Gentoo's hardened kernel, etc.
After becoming an Information Security Enthusiast, I recognized that this is totally untrue. In my opinion, Linux, just like any other operating system, can be infected by malware, and the damage is not limited to your own system. There has been much such news recently.
Linux users can be infected with malware in many ways, and some malware is cross-platform too. The most common way to get infected is by surfing the internet with your browser. The other most common way is not keeping your Linux system up to date. For example, over 200,000 devices in the world are still vulnerable to the very famous Heartbleed vulnerability after more than a year.
Once you are infected, the malware can perform privilege escalation on your Linux system to gain root rights. How is this done? The most common way is a vulnerability in the kernel and/or application software. The other is social engineering. The most insecure part is the human being anyway.
Furthermore, most modern Linux distributions rely on sudoers. A sudoer has the rights of root. However, most sysadmins or users set their account name and password in a very weak way. In addition, the root password can be easily guessed in most cases on those distributions that do not use sudoers. I just name some ways here; there are many ways to get root privilege on Linux systems, for example, misconfiguration of the Linux system and/or application software.
Hereby, I name some software, skills and tools as well as technologies on Linux malware for your reference. I hope you all understand that Linux is not a bullet-proof system. It is very easy to break for sure. Finally, I would like to introduce how I harden Ubuntu for my current daily use; here you are.
Open Source Anti Linux Malware
Linux Malware Detect
ClamAV
Linux Forensics and Linux Malware Analysis
REMnux: A Linux Toolkit for Reverse-Engineering and Analyzing Malware
Linux and Disk Forensics
Books for Linux Malware Analysis and Forensics
Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides
Linux Forensics
Reference
Don’t believe these four myths about Linux security
Wiki - Linux malware
Wiki - Address Space Layout Randomization (ASLR)
Wiki - Social Engineering
That's all! See you.
Thursday, September 17, 2015
HOWTO : ArpON on Ubuntu 14.04 LTS
ArpON (ARP handler inspection) is a portable handler daemon that makes the ARP protocol secure in order to avoid Man In The Middle (MITM) attacks through ARP Spoofing, ARP Cache Poisoning or ARP Poison Routing (APR). It also blocks the attacks derived from them, such as Sniffing, Hijacking, Injection and Filtering, and the more complex attacks built on those, such as DNS Spoofing, Web Spoofing, Session Hijacking and SSL/TLS Hijacking.
Step 1 :
sudo apt-get update
sudo apt-get install arpon
Step 2 :
sudo nano /etc/default/arpon
Uncomment the DARPI and RUN lines so that they read as follows :
DAEMON_OPTS="-q -f /var/log/arpon/arpon.log -g -d"
RUN="yes"
Step 3 :
sudo /etc/init.d/arpon restart
That's all! See you.
Wednesday, September 16, 2015
HOWTO : Hardening and Tuning Ubuntu 14.04 LTS
This guide will lead you through hardening and tuning your Ubuntu 14.04 in a few steps without any expense. As an Information Security Enthusiast, I have set up my Ubuntu box as follows, and I use the box every day.
kernel Hardening and Tuning
Make sure you enabled the "No Execute (NX)" or "Execute Disable (XD)" in the BIOS/UEFI.
sudo nano /etc/sysctl.conf
To make it look like the following :
To reload it :
sudo sysctl -p
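The settings the post puts into /etc/sysctl.conf are not present in this copy of the page. The script below is an added example, not the post's own list: it audits a sysctl.conf-style file against a small hardening baseline of my choosing (ASLR, kernel pointer hiding, reverse-path filtering, ICMP redirect and source-route rejection, martian logging and SYN cookies) and can write that baseline out as a file that `sudo sysctl -p FILE` applies. The baseline values, the constructed sample file and the function names are this example's assumptions; every key in it is a real Linux sysctl.

```shell
#!/bin/sh
# Audit a sysctl.conf-style file against a hardening baseline.
# The baseline is this example's own choice, not the post's stripped-out list.
BASELINE='kernel.randomize_va_space=2
kernel.kptr_restrict=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.log_martians=1'

# sysctl_audit FILE: for each baseline entry FILE does not satisfy, prints
# "MISSING key=expected" or "WRONG key=actual (want expected)"; prints nothing
# when the file is compliant. Accepts "key = value" and "key=value", ignores
# "#"/";" comments and blank lines, and takes the last occurrence of a key,
# which is what sysctl -p does. Whitespace inside values is not preserved,
# which is fine for the single-valued keys in this baseline.
sysctl_audit() {
    file=$1
    printf '%s\n' "$BASELINE" | while IFS='=' read -r key want; do
        have=$(sed -e 's/[#;].*//' -e 's/[[:space:]]//g' "$file" \
                | awk -F= -v k="$key" '$1 == k { v = $2 } END { print v }')
        if [ -z "$have" ]; then
            printf 'MISSING %s=%s\n' "$key" "$want"
        elif [ "$have" != "$want" ]; then
            printf 'WRONG %s=%s (want %s)\n' "$key" "$have" "$want"
        fi
    done
}

# sysctl_write_baseline FILE: writes the baseline as a sysctl file. On the real
# system a natural place is /etc/sysctl.d/60-hardening.conf, followed by
# "sudo sysctl -p /etc/sysctl.d/60-hardening.conf" (or "sudo sysctl --system").
sysctl_write_baseline() {
    {
        echo '# hardening baseline written by sysctl_write_baseline (example)'
        printf '%s\n' "$BASELINE"
    } > "$1"
}

# Constructed sample sysctl.conf: ASLR on, SYN cookies on, rp_filter on,
# but redirects still accepted and three baseline keys absent.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample /etc/sysctl.conf for this example
kernel.randomize_va_space = 2
net.ipv4.tcp_syncookies=1
; redirects deliberately left enabled here so the audit flags them
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.rp_filter = 1
EOF

# Expected: one WRONG line (accept_redirects) and three MISSING lines.
sysctl_audit "$SAMPLE"
```

To use it on the real box, run `sysctl_audit /etc/sysctl.conf` before and after `sudo sysctl -p`; the audit reads the file, not the live kernel, so pair it with `sysctl kernel.randomize_va_space` and friends if you want to confirm the running values too.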
ARP Spoofing
One of the common attacks is the Man In The Middle attack. It can be combined with browser attacks too. This guide will help to protect your Ubuntu from ARP spoofing. Meanwhile, make sure to set the ARP-related settings in your router if the feature is available. Most home routers have no such feature.
HOWTO : ArpON on Ubuntu 14.04 LTS
Anti-Malware
Most Linux users (including advanced users) wrongly believe that Linux can never be infected with malware. However, it is not true. Almost all operating systems face similar threats.
HOWTO : ClamAV on Ubuntu 14.04 LTS
This guide will lead you to set up ClamAV for "Scan On Access" instead of "Scan On Demand".
Network Interface Tuning
sudo nano /etc/rc.local
Insert the following before "exit 0" :
/sbin/ifconfig eth0 txqueuelen 10000
/sbin/ifconfig wlan0 txqueuelen 10000
* make sure your NICs are "eth0" and "wlan0"; otherwise adjust the interface names
Storage Performance Tuning
(A) SSD
Verify TRIM is supported :
sudo hdparm -I /dev/sda | grep TRIM
If the output is similar to the below which is supported :
* Data Set Management TRIM supported (limit 1 block)
If you install your Ubuntu in LVM, the TRIM is usually enabled by default. You can confirm it :
cat /etc/lvm/lvm.conf | grep issue_discards
If the output is similar to the below which is enabled :
issue_discards = 1
Then check that the I/O scheduler is already set to "deadline" (the entry in square brackets is the active one) :
cat /sys/block/sda/queue/scheduler
noop [deadline] cfq
If not, set it :
sudo nano /etc/rc.local
Insert the following before "exit 0" :
echo 1024 > /sys/block/sda/queue/read_ahead_kb
echo 1024 > /sys/block/sda/queue/nr_requests
echo deadline > /sys/block/sda/queue/scheduler
* make sure your device is sda (or sdb ...)
To reload it or reboot your system :
sudo /etc/rc.local
After that, you need to edit the filesystem table (/etc/fstab) so that the root entry looks like the following :
/dev/mapper/ubuntu--vg-root / ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1
sudo mount -a
sudo mount -o remount /
If you get an error after running the commands above, DO NOT reboot your system. Correct the typo before doing so; otherwise, you will not be able to boot your system again.
You can also add "scsi_mod.use_blk_mq=1" to the kernel parameters in "/etc/default/grub".
(B) Hard Drive
sudo nano /etc/rc.local
Insert the following before "exit 0" :
echo 1024 > /sys/block/sda/queue/read_ahead_kb
echo 1024 > /sys/block/sda/queue/nr_requests
* make sure your device is sda (or sdb ...)
To reload it or reboot your system :
sudo /etc/rc.local
After that, you need to edit the filesystem table (/etc/fstab) so that the root entry looks like the following :
ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1
sudo mount -a
sudo mount -o remount /
If you get an error after running the commands above, DO NOT reboot your system. Correct the typo before doing so; otherwise, you will not be able to boot your system again.
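Both rc.local snippets above are written for sda and carry the "make sure your device is sda" caveat. The script below is an added example, not the post's own rc.local: it generalises the same settings by walking /sys/block and reading each disk's "rotational" flag, so SSDs get read_ahead_kb, nr_requests and the deadline scheduler while hard drives get only the first two, whichever device names the system uses. The constructed sysfs-like tree, the device set in it and the function names are this example's assumptions; on a real host the functions are pointed at /sys/block.

```shell
#!/bin/sh
# Rotational-aware storage tuning (added example). Real sysfs exposes
# /sys/block/<dev>/queue/rotational as 0 for SSDs and 1 for spinning disks.

# storage_tune_plan SYSFS_BLOCK: prints "device rotational scheduler" per whole
# disk under SYSFS_BLOCK (default /sys/block). loop, ram, sr and dm devices
# are skipped. Non-rotational disks get "deadline"; rotational ones keep the
# kernel default, shown as "-".
storage_tune_plan() {
    base=${1:-/sys/block}
    for path in "$base"/*; do
        dev=$(basename "$path")
        case $dev in loop*|ram*|sr*|dm-*) continue ;; esac
        [ -r "$path/queue/rotational" ] || continue
        rot=$(cat "$path/queue/rotational")
        if [ "$rot" = 0 ]; then sched=deadline; else sched=-; fi
        printf '%s %s %s\n' "$dev" "$rot" "$sched"
    done
}

# storage_tune_apply SYSFS_BLOCK: applies the plan, i.e. the same writes the
# rc.local lines above do for sda, for every disk found. Needs root on the
# real /sys/block; this is what you would call from /etc/rc.local.
storage_tune_apply() {
    base=${1:-/sys/block}
    storage_tune_plan "$base" | while read -r dev rot sched; do
        echo 1024 > "$base/$dev/queue/read_ahead_kb"
        echo 1024 > "$base/$dev/queue/nr_requests"
        [ "$sched" = "-" ] || echo "$sched" > "$base/$dev/queue/scheduler"
    done
}

# Constructed sysfs-like tree so the example runs without root or real disks:
# sda is an SSD, sdb a hard drive, loop0 must be skipped. (The real kernel
# rewrites the scheduler file as "noop [deadline] cfq"; the fake tree simply
# stores what was written.)
FAKE_SYS=$(mktemp -d)
trap 'rm -rf "$FAKE_SYS"' EXIT
for d in sda sdb loop0; do mkdir -p "$FAKE_SYS/$d/queue"; done
echo 0 > "$FAKE_SYS/sda/queue/rotational"
echo 1 > "$FAKE_SYS/sdb/queue/rotational"
echo 0 > "$FAKE_SYS/loop0/queue/rotational"
for d in sda sdb; do
    echo 128 > "$FAKE_SYS/$d/queue/read_ahead_kb"
    echo 128 > "$FAKE_SYS/$d/queue/nr_requests"
    echo 'noop deadline [cfq]' > "$FAKE_SYS/$d/queue/scheduler"
done

storage_tune_plan "$FAKE_SYS"
storage_tune_apply "$FAKE_SYS"
```

Called without an argument the functions use the real /sys/block, so `storage_tune_plan` alone is a safe dry run to see what `storage_tune_apply` would touch before you put the call into /etc/rc.local.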
Firefox Hardening and Tuning
Most malicious attacks nowadays come via browsers. Therefore, we need to protect ourselves even when we are using Linux.
(A) Apparmor For Firefox
AppArmor is a Linux Security Module implementation of name-based access controls.
sudo apt-get update
sudo apt-get install apparmor-utils apparmor-profiles
Enable the Firefox profile by removing its entry from the disable directory :
sudo rm /etc/apparmor.d/disable/usr.bin.firefox
Reload the rules :
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox
(B) Firefox Add-ons
NoScript
Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks.
* You do not have to enable script blocking, since it blocks the JavaScript that most modern websites use. You can disable blocking globally and still keep NoScript's XSS protection, which is on by default.
uBlock Origin
Finally, an efficient blocker. Easy on CPU and memory. (Please refer to the official site for details)
Cyscon Security Shield
Enjoy enhanced protection from phishing threats and malicious sites while browsing the Internet.
WebRTC Control
Have control over WebRTC (disable or enable) and protect your IP address.
BetterPrivacy
Remove or manage a new and uncommon kind of cookie, better known as LSOs. The BetterPrivacy safeguard offers various ways to handle Flash cookies set by Google, YouTube, eBay and others.
HTTPS Everywhere
Encrypt the web! HTTPS Everywhere is a Firefox extension to protect your communications by enabling HTTPS encryption automatically on sites that are known to support it, even when you type URLs or follow links that omit the https: prefix.
Speed Tweaks (SpeedyFox)
This extension provides a list to almost all the settings that you may need to alter in order to enhance Firefox's speed.
ZenMate Security and Privacy VPN
ZenMate secures your browsing with encryption, protecting you from hackers, snoopers and data thieves who prey on insecure connections.
(C) Optional
(1) Firefox Add-ons :
User-Agent Switcher
The User Agent Switcher extension adds a menu and a toolbar button to switch the user agent of a browser.
Youtube High Definition
YouTube High Definition is a powerful tool that will let you automatically play all YouTube videos in HD (High Definition), turn off annotations, change video player size, auto stop videos, auto mute videos, control embedded videos and much more.
Youtube Flash-Html5
Play YouTube Videos in Flash or HTML5 Player.
(2) Browse with "New Private Window" feature
Finally, you may consider using an Intrusion Detection and Prevention System (IDPS) to protect your network. My project "Croissants" is an IDPS that can be deployed in your network (in front of and/or behind the router). You may also consider using Tor to protect your privacy with my project "NightHawk".
Reference
WebRTC IPS
IP Leak
That's all! See you.
Tuesday, September 08, 2015
HOWTO : ClamAV on Ubuntu 14.04 LTS
Clam AntiVirus (ClamAV) is a free and open-source, cross-platform antivirus software tool-kit able to detect many types of malicious software, including viruses.
This guide will lead you through setting up ClamAV for "Scan On Access" instead of "Scan On Demand". It also targets desktop usage only.
The current version at this writing is ClamAV 0.98.7+dfsg.
Step 1 :
sudo apt-get install clamav clamav-freshclam clamav-daemon libclamunrar6
Step 2 :
sudo nano /etc/clamav/clamd.conf
Edit the entries so they look like the following. Make sure to replace "samiux" with your username.
cd ~
mkdir quarantine
Step 3 :
sudo nano /etc/clamav/freshclam.conf
Edit the entries so they look like the following.
sudo freshclam
Step 4 :
sudo nano /etc/apparmor.d/usr.sbin.clamd
Edit the entries so they look like the following.
After that, execute the following command to reload the AppArmor rules.
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd
Remark :
Downloading or copying a file will not trigger the ClamAV scan, but browsing or executing it (and similar accesses) will. If any malware or virus is detected (no matter whether it targets Windows, Linux or Mac OS X), the file is moved to the "quarantine" directory. You can also check the log at "/var/log/clamav/clamav.log".
Testing :
You can install harmless virus test files for testing.
sudo apt-get install clamav-testfiles
The NO harm virus testing files are located at "/usr/share/clamav-testfiles".
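On-access scanning only fires when a file is opened or executed, as the remark above says, so a downloaded file sits unscanned until then. The script below is an added example, not part of the post or of ClamAV: it runs an on-demand `clamscan` over a directory with the real `--move` option so detections land in the same quarantine directory the post uses, and parses clamscan's "<path>: <signature> FOUND" lines into a short report that a cron job or a post-download hook can act on. The function names, the quarantine path and the SAMPLE_OUTPUT transcript are constructed for this example; the test files from the clamav-testfiles package are the natural input on a real box.

```shell
#!/bin/sh
# On-demand companion to on-access scanning (added example).

# clamscan_report: reads clamscan output on stdin and prints "found=N"
# followed by one "<path><TAB><signature>" line per detection. Relies on
# clamscan's "<path>: <signature> FOUND" line format; "OK", "moved to" and
# summary lines are ignored.
clamscan_report() {
    awk '
    / FOUND$/ {
        sig = $(NF - 1)
        line = $0
        sub(/: [^:]* FOUND$/, "", line)
        found++
        hits = hits line "\t" sig "\n"
    }
    END { printf "found=%d\n%s", found + 0, hits }'
}

# scan_dir DIR [QUARANTINE]: scans DIR recursively and moves every detection
# into QUARANTINE (default ~/quarantine, as in the post). clamscan exits 1
# when something was found, which is a result here, not an error. Needs the
# clamav package installed; not exercised by the sample below.
scan_dir() {
    dir=$1
    qdir=${2:-$HOME/quarantine}
    mkdir -p "$qdir"
    clamscan -r --move="$qdir" "$dir" 2>&1 | clamscan_report
}

# Constructed clamscan transcript (paths and counts invented for this example).
SAMPLE_OUTPUT='/home/samiux/Downloads/eicar.com: Eicar-Test-Signature FOUND
/home/samiux/Downloads/eicar.com: moved to '\''/home/samiux/quarantine/eicar.com'\''
/home/samiux/Downloads/notes.txt: OK
/home/samiux/Downloads/clam.exe: ClamAV-Test-File FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3970271
Infected files: 2'

# Expected report: found=2 plus the two path/signature lines.
printf '%s\n' "$SAMPLE_OUTPUT" | clamscan_report
```

A typical use is `scan_dir ~/Downloads` from a cron entry or after a large download; the first line of the report tells you whether anything was quarantined, and the remaining lines say what and where, which matches the entries clamd writes to /var/log/clamav/clamav.log for on-access hits.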
Reference
AppArmor Wiki
See also : Fireclam Firefox Add-ons
That's all! See you.
Labels: Anti-Virus, Clamav, malware, Ubuntu