Let's Dance! - The Linux Lambada

A step-by-step guide to dancing The Security Tango - for Linux

Yes, this is a tad different from the Windows Tango

In the Windows Tango, I made certain assumptions:

1. You're adding the Tango to an already-running Windows machine
2. That machine has already been on the Internet, and you've done some browsing
3. You're already infected

Now, some of you may object to point three, up there. The fact is that statistics are on my side on this one. I try never to argue with statistics.

For the Linux Lambada, however, I have these assumptions:

1. You're adding the Lambada to an already-running Linux machine
2. That machine has already been on the Internet, and you've done some browsing
3. You're very unlikely to be infected

There are very few viruses that attack Linux systems. Again, statistically, it's unlikely that you'll have been hit by one. But we'll still make sure you're clean, although it won't take nearly the time that it does under Windows. Speaking of Windows, that's one reason you should make sure your system is clean - so you don't accidentally pass an infected document to our Windows-using friends.

Just like with the Windows Tango, we'll first make sure your system is clean of infection. Then we'll talk about a firewall. And, of course, all of this will be free!

Distribution differences

Different distributions of Linux use different package managers to install software. Debian-based distributions (like Ubuntu or Mint) use apt; the GUI version of that is Synaptic or KPackage or gdebi. Red Hat-based distributions (like Fedora or CentOS) use rpm; the GUI version of that is Yum or YaST or urpmi. But it doesn't matter what it's called - you likely already know what it is, and how to use it. We'll just be talking about the products that you have to install, and how to use them. Getting them installed is left as an exercise for the reader. Hey, you're a Linux user! You're tough!

Step One: Install the Software

First, we'll download the antivirus software, and run a thorough test on your system.

The software you need is clamav. But that's a command-line product; you run it from a terminal window and type stuff. That's not a big deal for long-time Linux users, but for people who are just moving from Windows, it's a big step. Luckily, there's a GUI you can run as well: clamtk for Gnome, or klamav for KDE. Theoretically, if you just install one of those two packages, your package manager of choice will install all the stuff in the background that's needed. That's why you're using a package manager to begin with.

If you're planning on doing it by hand, here are (as near as I can tell) the additional files you'll need:

clamtk (or klamav) · clamav · clamav-base · clamav-freshclam · clamtk · libbit-vector-perl · libcarp-clan-perl · libclamav5 · libconfig-tiny-perl · libdate-calc-perl · libfile-find-rule-perl · libnumber-compare-perl · libtext-glob-perl

There are other antivirus programs, such as Comodo or Sophos that are not part of your normal distribution. Some people are purists, and won't load items that come from outside their distribution. They are both good products, however.

Step Two: Clean Your System

Run clamtk (or, of course, klamav). The first thing we need to do is set up how you want to handle virus signature updates. If you're only doing this for yourself, select "Single User," but if you're the only one on the machine, it's actually better to select "System Wide." Check for both signature updates and GUI updates.

Now it's time to scan. You should make a few choices: quarantine infected files (which prevents them from infecting anything else), ignore size (so that you check even very large files), and check hidden files (to check even files you don't normally see). Anything else you want to choose is up to you.

I suggest that you do a full, thorough, recursive scan of the / directory. That's the UNIX-name of the root directory of the hard drive. If you do that, checking for hidden files and files of any size, it will scan your entire hard drive.

You may be tempted to scan only your home directory. Truth to tell, that's okay for day-to-day (assuming you keep all your files in your home directory). But you should regularly (once a week, say) check the entire hard drive. Start it and go get a cup of coffee, or watch CSI: Ubiquitous, or go to bed!

Step Three: Firewall

Most versions of Linux today already have a firewall installed! It's called iptables, and it runs automatically with most versions of Linux. The best part is that it's pretty nicely locked down right out of the box.

Step Four: Checking for Rootkits

Rootkits are what you use (if you're a bad guy) to compromise someone's system. That rookit is a program (or several programs) that open up a back door into your computer that the bad guys can use to get into your machine and work their nefarious will on it.

Usually, the bad guys hide these programs, these rootkits, so that they are not easily found by the average user. Luckily, the Linux community has risen to the challenge with a couple of great programs. Using your favorite package manager, install chkrootkit, rkhunter, and hide.

Please Note: On newer versions of Linux, hide seems to be included automatically when you install chkrootkit and rkhunter, so you cannot install it separately. If you get an error when you try to install it, just install the other two, and you'll get it, so no worries.

You can, of course, run them from the command line, but wouldn't it be nicer if we could...

Step Five: Automate Things

Sure, we've got everything installed, and it'll all run just fine from the command line. But the whole point of having a computer is to get the computer to do the work for you, isn't it? So let's set that up.

Linux has a program called crontab that maintains a table of commands and when to run them for the cron system, which, as long as the computer is on at the appropriate time, runs whatever tasks are scheduled in crontab (among other, maintenance-type programs that all happen in the background). Every user in the system has his or her own set of crontabs, and the root user (what Windows people call the administrator and Mac people dare not name) has his or her own set as well. The root user (or just "root") has many more privileges and can access both programs and system areas to which you have no rights (and, really, no business in on a day-to-day basis). We'll be installing these programs into root's crontab, so they can check the whole system.

Before we do that, let's set a nice, easy editor for crontab, shall we? If you're a real Linux wonk, you know vi or emacs or joe or whatever editor floats your boat. And you can certainly keep it. But one of the easiest, and possibly the best for newbies for our purposes, is nano. You can set it (and you only have to do this once) by going to a command line (terminal window) and typing sudo update-alternatives --config editor then hit enter. You may have to enter your password. Select nano from the list by number (on my machine, it's choice 3), and hit enter. Done! Relax, when you become a Linux guru, you can change it to anything you like.

Now type sudo crontab -e and hit enter. You'll be asked for your password. Type the following:

# m h dom mon dow command
01 01 * * * /usr/bin/rkhunter --update
02 01 * * * /usr/bin/rkhunter --cronjob --rwo --novl --nomow
10 01 * * * /usr/sbin/chkrootkit
15 01 * * * /usr/bin/clamscan -r --quiet /home/

Type Control-X (hold the control key down and hit the X key), then hit the Y key, and press enter. Done! And you only have to do it once. Please Note: Again, on newer versions of Linux, this seems to be included automatically in /etc/cron.daily/, so there's no need for the above if you're using a newer version of Linux.

Now, note the structure of the code above. The first number is the minute, the second is the hour (in 24-hour format). I leave my machine on all the time, so all of this happens at various times in the 1 AM hour. If you don't leave your machine on, have this stuff happen while the machine is typically on.

Note also that we're virus scanning only the home directories of the users on this machine (/home/). That makes sense, since most of us only interact with our home directory. If you'd rather check the entire drive, you can. But you certainly don't have to do it every day. You could change the clamscan line, and add another, like so:

15 01 * * 1-6 /usr/bin/clamscan -r --quiet /home/
15 01 * * 0 /usr/bin/clamscan -ir /

This will scan all the directories under home (including your own directories) every Monday (1) throught Saturday (6), and scan your entire hard drive (/) every Sunday (0). Scanning your entire hard drive takes longer, but hey - it's Sunday! You're either in Church or having that extra cup of coffee (or both), so relax!

Step Six: Checking Your Logs

The programs we've installed run in the background, or overnight. So how do you know what happened when they ran? Simple: check the logs. Here's the way to do it by hand:

sudo cat /var/log/rkhunter.log
sudo cat /var/log/clamav/freshclam.log

Please note that freshclam.log has many scary warnings. Please check the link in the log for info about how those may be false alarms.

Step Seven: Oh, wait... there is no Step Seven...

That's really all you need to know (a lot easier than the Windows Waltz, isn't it?). Seriously. We're done. There were a lot of things we did once, but they're done now. The system will automagically check itself for rootkits and viruses every day at the appointed times. Updates will occur along with all your Linux updates. You're done. All you have to do from now on is check the logs for bad stuff. If you're just a regular desktop user, you can stop reading now. However, for those of you who want a (slightly) deeper look at iptables (the firewall thingy), take a deep breath. And don't say I didn't warn you...

By default there are no iptable rules set and everything is allowed to leave or enter IP stack. On the other hand, by default there are no services listening on the network. There are some listening on loopback, but they can only be reached from the machine itself. So, if I wanted to pwn your box I could not use vulnerabilities in any daemons (background programs) and would have to find a flaw in the kernel's IP stack and attack it - most likely a buffer overflow exploit of some sort. It is not completely unheard of to have these kinds of vulnerabilities in the kernel, but they're not terribly common, either. Exploiting these (should they surface) would not be a trivial task either. Script kiddies would have a tough time.

If, however, you want to muck about with iptables (contraindicated), install firestarter. You can set all kinds of things. If you don't understand the consequences of those things you're changing, here's an idea: don't change them!!!!!

Of course, this assumes you're running a standard desktop system. If you're running a server, then you seriously need to set up iptables rules, but that's way outside the scope of this page. Which means you're on your own. If you're going to run a server, you need to learn enough to own a server.

Special thanks must be given to @DamnedFacts on Twitter, who reminded me I'd completely left out the section on rootkits.