Let's Dance! - The Linux Lambada

Yes, this is a tad different from the Windows Tango

1. You're adding the Tango to an already-running Windows machine
2. That machine has already been on the Internet, and you've done some browsing
3. You're already infected

Now, some of you may object to point three, up there. The fact is that statistics are on my side on this one. I try never to argue with statistics.

1. You're adding the Lambada to an already-running Linux machine
2. That machine has already been on the Internet, and you've done some browsing
3. You're very unlikely to be infected

There are very few viruses that attack Linux systems. Again, statistically, it's unlikely that you'll have been hit by one. But we'll still make sure you're clean, although it won't take nearly the time that it does under Windows. Speaking of Windows, that's one reason you should make sure your system is clean - so you don't accidentally pass an infected document to our Windows-using friends.

Just like with the Windows Tango, we'll first make sure your system is clean of infection. Then we'll talk about a firewall. And, of course, all of this will be free!

Distribution differences

Different distributions of Linux use different package managers to install software. Debian-based distributions (like Ubuntu or Mint) use apt; the GUI version of that is Synaptic or KPackage or gdebi. Red Hat-based distributions (like Fedora or CentOS) use rpm; the GUI version of that is Yum or YaST or urpmi. But it doesn't matter what it's called - you likely already know what it is, and how to use it. We'll just be talking about the products that you have to install, and how to use them. Getting them installed is left as an exercise for the reader. Hey, you're a Linux user! You're tough!

Step One: Install the Software

First, we'll download the antivirus software, and run a thorough test on your system.

The software you need is clamav. But that's a command-line product; you run it from a terminal window and type stuff. That's not a big deal for long-time Linux users, but for people who are just moving from Windows, it's a big step. Luckily, there's a GUI you can run as well: clamtk for Gnome, or klamav for KDE. Theoretically, if you just install one of those two packages, your package manager of choice will install all the stuff in the background that's needed. That's why you're using a package manager to begin with.

If you're planning on doing it by hand, here are (as near as I can tell) the additional files you'll need:

clamtk (or klamav) · clamav · clamav-base · clamav-freshclam · clamtk · libbit-vector-perl · libcarp-clan-perl · libclamav5 · libconfig-tiny-perl · libdate-calc-perl · libfile-find-rule-perl · libnumber-compare-perl · libtext-glob-perl

Step Two: Clean Your System

Run clamtk (or, of course, klamav). The first thing we need to do is set up how you want to handle virus signature updates. If you're only doing this for yourself, select "Single User," but if you're the only one on the machine, it's actually better to select "System Wide." Check for both signature updates and GUI updates.

Now it's time to scan. You should make a few choices: quarantine infected files (which prevents them from infecting anything else), ignore size (so that you check even very large files), and check hidden files (to check even files you don't normally see). Anything else you want to choose is up to you.

I suggest that you do a full, thorough, recursive scan of the / directory. That's the UNIX-name of the root directory of the hard drive. If you do that, checking for hidden files and files of any size, it will scan your entire hard drive.

You may be tempted to scan only your home directory. Truth to tell, that's okay for day-to-day (assuming you keep all your files in your home directory). But you should regularly (once a week, say) check the entire hard drive. Start it and go get a cup of coffee, or watch CSI: Ubiquitous, or go to bed!

Step Three: Firewall

Most versions of Linux today already have a firewall installed! It's called iptables, and it runs automatically with most versions of Linux. The best part is that it's pretty nicely locked down right out of the box.

Step Four: Checking for Rootkits

Rootkits are what you use (if you're a bad guy) to compromise someone's system. That rookit is a program (or several programs) that open up a back door into your computer that the bad guys can use to get into your machine and work their nefarious will on it.

Usually, the bad guys hide these programs, these rootkits, so that they are not easily found by the average user. Luckily, the Linux community has risen to the challenge with a couple of great programs. Using your favorite package manager, install chkrootkit, rkhunter, and hide.

You can, of course, run them from the command line, but wouldn't it be nicer if we could...

Step Five: Automate Things

Sure, we've got everything installed, and it'll all run just fine from the command line. But the whole point of having a computer is to get the computer to do the work for you, isn't it? So let's set that up.

Linux has a program called crontab that maintains a table of commands and when to run them for the cron system, which, as long as the computer is on at the appropriate time, runs whatever tasks are scheduled in crontab (among other, maintenance-type programs that all happen in the background). Every user in the system has his or her own set of crontabs, and the root user (what Windows people call the administrator and Mac people dare not name) has his or her own set as well. The root user (or just "root") has many more privileges and can access both programs and system areas to which you have no rights (and, really, no business in on a day-to-day basis). We'll be installing these programs into root's crontab, so they can check the whole system.

Before we do that, let's set a nice, easy editor for crontab, shall we? If you're a real Linux wonk, you know vi or emacs or joe or whatever you like. And you can certainly keep it. But one of the easiest, and possibly the best for newbies for our purposes, is nano. You can set it (and you only have to do this once) by going to a command line (terminal window) and typing sudo update-alternatives --config editor then hit enter. Select nano from the list by number (on my machine, it's choice 3), and hit enter. Done! Relax, when you become a Linux guru, you can change it to anything you like.

Now type sudo crontab -e and hit enter. You'll be asked for your password. Type the following:

# m h dom mon dow command
01 01 * * * /usr/bin/rkhunter --update
02 01 * * * /usr/bin/rkhunter --cronjob --rwo --novl --nomow
10 01 * * * /usr/sbin/chkrootkit
15 01 * * * /usr/bin/clamscan -r --quiet /home

Type Control-X (hold the control key down and hit the X key), then hit the Y key, and press enter. Done! And you only have to do it once.

Now, note the structure of the code above. The first number is the minute, the second is the hour. I leave my machine on all the time, so all of this happens at various times in the 1 AM hour. If you don't leave your machine on, have this stuff happen while the machine is typically on.

Step Six: Checking Your Logs

The programs we've installed run in the background, or overnight. So how do you know what happened when they ran? Simple: check the logs. Here's the way to do it by hand:

Easier Than it Looks

That's really all you need to know (a lot easier than the Windows Waltz, isn't it?). Seriously. We're done. There were a lot of things we did once, but they're done now. The system will automagically check itself for rootkits and viruses every day at the appointed times. Updates will occur along with all your Linux updates. You're done. All you have to do is check the logs for bad stuff. If you're just a regular desktop user, you can stop reading now. However, for those of you who want a (slightly) deeper look at iptables (the firewall thingy), take a deep breath. And don't say I didn't warn you...

By default there are no iptable rules set and everything is allowed to leave or enter IP stack. On the other hand, by default there are no services listening on the network. There are some listening on loopback, but they can only be reached from the machine itself. So, if I wanted to pwn your box I could not use vulnerabilities in any daemons (background programs) and would have to find a flaw in the kernel's IP stack and attack it - most likely a buffer overflow exploit of some sort. It is not completely unheard of to have these kinds of vulnerabilities in the kernel, but they're not terribly common, either. Exploiting these (should they surface) would not be a trivial task either. Script kiddies would have a tough time.

If, however, you want to muck about with iptables (contraindicated), install firestarter. You can set all kinds of things. If you don't understand the consequences of those things you're changing, here's an idea: don't change them!!!!!

Of course, this assumes you're running a standard desktop system. If you're running a server, then you seriously need to set up iptables rules, but that's way outside the scope of this page. Which means you're on your own. If you're going to run a server, you need to learn enough to own a server.

Special thanks must be given to @DamnedFacts on Twitter, who reminded me I'd completely left out the section on rootkits.