TL;DR - What are you running as a means of “antivirus” on Linux servers?
I have a few small Debian 12 servers running my services and would like to enhance my security posture. Some services are exposed to the internet and I’ve done quite a few things to protect the services and the hosts. When it comes to “antivirus”, I was looking at ClamAV as it seemed to be the most recommended. However, when I read the documentation, it stated that the recommended RAM was at least 2-4 gigs. Some of my servers have more power than other but some do not meet this requirement. The lower powered hosts are rpi3s and some Lenovo tinys.
When I searched for alternatives, I came across rkhunter and chrootkit, but they seem to no longer be maintained as their latest release was several years ago.
If possible, I’d like to run the same software across all my servers for simplicity and uniformity.
If you have a similar setup, what are you running? Any other recommendations?
P.S. if you are of the mindset that Linux doesn’t need this kind of protection then fine, that’s your belief, not mine. So please just skip this post.
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
Maybe you’d be interested in https://wazuh.com/
Not sure this is what I’m looking for as it appears to be an XDR SIEM vendor.
That’s what modern endpoint security is, really. Traditional AV is dead. There are far too many people making malware for file signatures or heuristics to keep up. Instead, you want to look for behavior on the system and on the network. For example, if a program starts reading every file it can find on the network, and changing then from their current formats to unreadable blobs, that’s probably ransomware and should be stopped. Plain old AV probably won’t catch it on the client because of how frequently it gets modified (plus all the various evasion techniques), nor on the server because nothing unusual is running on the server.
There are none. ClamAV is the only one there is, because it has a very specific and narrow purpose. There are no viruses for Linux.
Chrootkit and rkhunter are also built for very specific things (detecting rootkits - or making them) and are not designed to protect, they are designed to analyse.
My writing here also isn’t specifically to OP, but to all others that may find this thread - Anti Virus for Linux is BS and unless you are running SMB and still have lots of Windows in your network, it’s absolutely not needed, especially if you follow the basics (like not doing stuff as root, using sudo and not giving out any system rights).
I dont understand why you’re getting downvoted for this.
Blatant lies.
https://en.m.wikipedia.org/wiki/Linux_malware
Which is exactly what I said. ClamAV serves a very specific purpose and that’s this one.
There are still no viruses for Linux specifically designed to break in to Linux, because it’s not possible.
Here is just one example that proves your assertion wrong.
https://www.f-secure.com/v-descs/slapper.shtml
Right. Completely proven wrong.
So if I’m reading this correct the vulnerability was patched before the worm got programmed and it peaked at 2000 machines infected when it targeted apache servers running openssl, which back in 2002 was basically any encrypted website.
Don’t know how an AV would have helped there.
Simply refuting the BS claim that it’s impossible for there to be a Linux virus.
This one existed, therefore the claim is false.
The claim was within the context of AV software, not a general one.
Mirai and other botnets, coin miners, ransomware… Do you think that malware makers just decided to ignore the billions of Linux servers and IoT devices that exist?
I agree with you, but, it is also true that the overwhelming majority of ransomwares affect windows https://www.statista.com/statistics/701020/major-operating-systems-targeted-by-ransomware/
Linux is not a significant target despite being so diffused
Edit. For those downvoting, windows server is ~20% of the server market and it is second in that stat. GNU/Linux distros such as rhel, debian and so on are almost 80% of server market and still there are no sufficient attacks reported to end up in that stat
True, but the largest botnet in the world runs purely on Linux devices
It targets router firmwares though… These bot farms do not usually target real gnu/Linux os, because it is easier and more effective to attack router firmwares that are not well configured by producers and telcoms, and are practically never upgraded.
Therefore they are not a real threat for standard mint or popOS user… Let alone gentoo users
Edit. See https://en.m.wikipedia.org/wiki/Mirai_(malware)
I think you’re about to find out that the “belief” that Linux doesn’t need antivirus isn’t just held by everyone in this community, it’s held by the whole Linux community. Hence there being no active projects in the space.
Heck you almost don’t need any antivirus in windows anymore. Just windows defender and half a brain when it comes to what you download.
Many security experts I know consider AV software to be snake oil. I do so too. They are so complex and need so far reaching permissions to be somewhat effective, that they become the attack vector and/or a large risk factor for faulty behavior.
Add in lots of false positives and it just numbs the users to the alerts.
Nothing beats educating users and making sure the software in use isn’t braindead. For example Microsoft programs that hide file extensions by default is a far bigger security problem than a missing AV tool. Or word processors that allow embedded scripts that can perform shit outside the application. The list goes on …
Well that’s just not fair. Snake oil doesn’t get auto updated by the vendor, and then lock my production processes and cause an outage. I’d take a bottle of snake oil any day over Symantec.
I don’t really understand that belief. There is plenty of Linux malware especially targeting servers, you just need to have an unsecure service running to find that out
I have been using linux for almost 2 decades, never seen a virus. And I never heard of a colleague or friend who got one on Linux. That’s why no one has ever installed an antivirus, because, till now, the risk has been practically zero.
On windows, on the other hand, I saw so many viruses on friends and relatives computers…
People install antiviruses depending on the experience.
To be fair, we all know on Linux viruses exist, but is objectively pretty difficult to get one. It is not worth installing an antivirus if one doesn’t actively install garbage from untrusted sources
It’s not any more difficult to get a virus on Linux than Windows. It comes down to experience as you said. I’ve been using Windows for my entire life and haven’t gotten a virus since I was 8. But all it takes is one mistake on both Windows and Linux, you accidentally leave a docker endpoint or ssh server exposed and insufficiently protected on Linux and you’re going to get a virus the same as if you accidentally opened a .pdf.exe on Windows.
Not at all. You leave a ssh port open, you don’t necessarily get a virus. Try it. Set up a raspberry pi, install ssh and leave the port open in your firewall. It is much less risky than exposing rdp (the most comparable windows protocol) on windows for instance.
It is a security risk, but absolutely not comparable of installing pdf.exe. Not even in the same league of risk.
As said, try it now and tell me how it goes.
There is a lot of misinformation around security on Linux
Glad you asked, I run a ssh honeypot and get multiple connections adding ssh keys, trying to run lockr, downloading shit every day.
Does the attack succeed? Never happened to me. You see bot trying, but really never seen succeeding irl. How is it configured?
Do you have also a rdp honeypot by chance? Do you see different rates of attack? Honestly curious.
I don’t have any windows licenses around, otherwise, it would have been an interesting test
Also, antivirus is the wrong idea there. What you’d want is an intrusion detection and/or integrity checking system.
It’s configured to allow requests from connections using common default passwords. If it wasn’t a honeypot the requests would succeed. I don’t currently run an rdp honeypot but I did a few years back, iirc the rates were about the same with rdp being a little bit less. Which as I say, comes down to configuration and usage. If you misconfigure Linux you will get malware, same as Windows.
Running a honey pot for SSH and sharing logs only proves that people try to attack you, it does not really tell if SSH as such is vulnerable or not. It is a honey pot, people gaining access if the whole point.
Having a locked down but exposed SSH access is something else.
You’re missing my point, a virus doesn’t have to infiltrate a completely secure system. It can come through you accidentally leaving your ssh insecure or any other service.
What happens in the Windows world: Microsoft is not capable of creating and distributing a patch timely. Or they wait for “patch day”, the made up nonsense reason to delay patches for nothing. Also since Windows has no sensible means of keeping software up to date, the user itself has to constantly update every single thing, with varying diligence. Hence Antivirus: there is so much time between a virus becoming known and actual patches landing on windows, that antivirus vendors can easily implement and distribute code that recognizes that virus in the meantime.
What happens in the linux world: a patch is delivered often in a matter of hours, usually even before news outlets get to report about the vulnerability.
Zero days aren’t the only way you get viruses. Misconfiguration and social engineering are both vectors that are OS agnostic.
But do antivirus really help with that? Is it going to check for open ports and see if the service listening has a strong password?
You can’t program against social engineering or missconfiguration, and because those are the only real vulnerabilities in Linux there’s no need for antivirus.
No but it can’t do that on Windows either, all it can do is detect an infection and attempt to remove it. Same process would be applicable on Linux.
Chkrootkit isn’t an antivirus.
Yea. Thanks.
removed by mod
The last paragraph he calls out that he doesnt want to hear this.
I mean then go ahead waste your resources lol
Did you know that there’s another jackoneil on lemmy? Except he spells his name with just one ‘l’, and he has no sense of humor at all.
removed by mod
You’re not wrong.
To be honest, antivirus software is just not really a security tool. If you’re at the point where malicious software is running on your server you’ve already lost and it’s hard to know what extent the damage will be. Having proper isolation is much more important (something which, tbh, Linux isn’t quite as great at as we’d like to think, at least not with additional effort… mobile operating systems seem to take the isolation of applications a lot more seriously). You could maybe argue that the anti virus software is useful for monitoring, but I’d rather have some stronger guarantees that my application isn’t going to take my lunch money and private keys than a notice a day later that something sketchy is on my machine… I won’t flat out say a virus scanner is completely useless, because of course you can contrive of scenarios where one could be helpful, but they’re kind of dubious.
Also yeah, ClamAV afaik isn’t really used like a typical windows antivirus. It’s mostly used on mail servers to scan email attachments. It’s not necessarily even looking for “Linux viruses”.
Okay sure same thing as Windows. If you aren’t reckless with the things you install and run then you are likely fine BUT there’s always a chance. All it takes is one slip up. Same logic as having a lock in the door knob and a deadbolt. By your logic (and many others), the lock on the door knob is sufficient and that may be okay with you BUT I’m gonna put a deadbolt on too just in case.
We can argue about this all day long. You will have valid points and so will I.
But would you put a deadbolt on your garage door? Or on your fridge door? IMO, arguing by analogy here just obfuscates the points – your servers aren’t physical doorways with locks, and comparing them just confuses the issue.
Can you explain what added security an antivirus package would offer for a Linux server? I haven’t done much with Linux administration, mostly just using Docker images for stuff at work.
I’m not a super Linux expert or anything, but I do grok tech, and I’m curious about this topic.
How does it obfuscate the point? A layered approach to security.
Simple: Computers are not doors with locks. Antivirus is not a deadbolt, and IMO it’s really misleading to compare them. You’re trying to tell people in this thread that you need AV on Linux, against consensus, “because security”. I still don’t understand why you think it’s necessary. What’s your threat model? How does AV improve security on your servers in a way that a firewall doesn’t?
removed by mod
Okay cool. Thanks.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
4 acronyms in this thread; the most compressed thread commented on today has 13 acronyms.
[Thread #141 for this sub, first seen 17th Sep 2023, 06:25] [FAQ] [Full list] [Contact] [Source code]
Honestly, the best antivirus for Linux is Arch.
Hahahahaha this actually made me chuckle. Thanks for that!
Its a rolling release, so will always have the most up to date and patched packages the fastest. That concept is the antivirus.
Can’t infect your machine if the vulnerabilities are already fixed.
Now where do new vulnerabilities come from? 🤔 Oh that’s right - from new code. And how often does new code show up on Arch? Oh…
Security concerns can vary between traditional Linux distributions and rolling release distributions.
Traditional Linux Distributions:
Stability: Traditional distributions like Ubuntu LTS tend to prioritize stability over the latest software updates. While this can reduce the risk of new software vulnerabilities, it may also mean that security patches for certain software components are not as up-to-date as in rolling releases.
Delayed Updates: Security updates for software packages may take longer to reach users in traditional distributions because they go through a more extensive testing and validation process. This delay could potentially leave systems vulnerable for a longer period.
Predictability: Traditional distributions have predictable release cycles, making it easier to plan and apply security updates. However, this predictability can also make it easier for attackers to anticipate when certain software versions will be in use.
Rolling Release Distributions:
Up-to-Date Software: Rolling releases like Arch Linux or Manjaro provide the latest software updates as soon as they are available. While this ensures access to new security features and patches quickly, it can also introduce new bugs and vulnerabilities.
Frequent Updates: Rolling releases typically require more frequent updates, which can be time-consuming and potentially introduce compatibility issues if not managed properly.
User Responsibility: Users of rolling releases have a greater responsibility to stay informed about security updates and apply them promptly. Failure to do so can leave systems vulnerable.
Testing: Rolling releases often have a testing phase where updates are evaluated by the community before being rolled out to all users. This helps catch issues, but it can still result in occasional instability.
In summary, the main security concern with traditional Linux distributions is the potential delay in receiving security updates, while rolling releases offer up-to-date software but may require more user vigilance and can occasionally introduce instability due to frequent updates. The choice between them should depend on your specific use case and your willingness to manage updates and stability.
Unfortunately you can’t easily patch the fleshy thing operating the system
Not yet…
No, it’s NixOS. Every package is self-contained in its own directory, which acts as chroot.
AFAIK this is not what happens on NixOS. Every package gets installed into a directory that’s a hash of its dependencies in the nix store, but there’s no special isolation or anything on NixOS (well, when the packages are built there’s some isolation, but that’s mostly to keep the builds honest). That said, NixOS is a little better than most distros about creating separate daemon users for services with different permissions, but I don’t think it’s done universally. I love NixOS and it has many benefits, but I don’t think this is one.
I was going to mention mcafee. Its a built in option for synology nas. However it appears that software has gone end of life.
https://www.mcafee.com/support/?locale=no-NO&articleId=TS103384&page=shell&shell=article-view
I avoid McAfee like the plague!
Have you considered doing an RFP?
A request for proposal? If that’s what you mean then no. I’m asking for my home setup not for a business/enterprise. If I missed the mark then please elaborate.
It was a joke.
I don’t understand your intention, as for tips and hints and end you post on this line:
“Ps: if you have a different opinions than I do skip this post”
That’s the perfect recipe for a circle jerk.
deleted by creator
The core problem with this approach is that antivirus scanning is generally based on signature recognition of malicious binaries. Behavior-based antivirus scanning mostly doesn’t work and tends to generate a lot of false positives. No freely available antivirus is going to have a signature library that is kept up to date enough to be worth the effort of running it on Linux - most vulnerabilities are going to be patched long before a free service gets around to creating a signature for malware that exploits those vulnerabilities, at which point the signature would be moot. If you want antivirus that is kept up to date on a weekly or better basis, you’re going to have to pay for a professional service.
That said, there are other, simpler (and probably more effective) options for hardening your systems:
The firewall point I just don’t get. When I set up a server, for every port I either run a service and it is open, or I don’t and it is closed. That’s it. What should the firewall block?
Firewalls set and enforce policy. Closed ports are only incidentally secure. Also, they can do a lot more than answer “nothing is listening here”.
A modern firewall might also block connections to known bad sites, in case you do somehow get malware reaching out to a command & control server. Or it might identify malicious application traffic over a port that should be for a more trustworthy service.
But these are usually only a concern in places like businesses or schools where there are a lot more people, devices, etc. on the network, especially if there’s a guest network.
I don’t use a firewall apart from router, but if you set a firewall in all of your devices, the chances of one of them getting infected and spreading it to the others via LAN would be low theoretically.
You can set up an intrusion detection/prevention system, that logs/blocks certain traffic. If you do have public services running, you could block access based on location, lists of known bad actors etc. I guess you could argue that this is beyond the scope of a traditional firewall.
If an attacker already has access to a system, they can use hitherto closed ports to communicate with C2 servers or attack other devices. In that case, a firewall that only allows known-good traffic will prevent further damage.
A malware might create a service which opens a previously closed port on your system. An independently configured firewall would keep the port closed, even if the service was running without your knowledge, hopefully blocking whatever activity the malware was trying to do.
Also, you can configure the firewall to drop packets coming in to closed ports, rather than responding to the sending device that the port is closed. This effectively black-holes the incoming traffic, so it looks like there’s just nothing there.
Btw, bash has a restricted mode.
You’re likely doing security wrong. But I’m keeping relatively quiet, as requested.
Please read up on how to set a partition noexec, use AppArmor, firewall, how to keep things patched, hardened and actual security measures if you want to protect the server. Also make sure not only fail2ban is working but every login on exposed software on that server is protected against brute force. ClamAV and similar are to protect your windows clients of your mail and storage server. They will not help with linux viruses. And you got to protect your servers against security vulnerabilities, not malware. The server won’t randomly execute an executable file on its harddrive on its own. Think about how did that malware get there in the first place. And why is the file executable… Don’t be offended, you can install whatever you want, including ClamAV, just make sure you did the 95% of protection first if security is your concern.
I also use ClamAV, but only in specific circumstances, such as when a Linux server will be hosting end-user files. Perhaps a SAMBA server with a file share, or a web server which accepts user uploads.
In those cases, I might want to have it monitor the relevant part of the disk, but I also need to make sure my web application won’t fall over when the file it just accepted is unceremoniously ripped away from it. You can test that out using the EICAR file as your payload.
On a jump box, I might also have it turned on for scanning user home directories, by including /home, and then excluding any home directories for applications and daemons which might not deal well with having their IOPS nuked or delayed.
I am not a expert in Linux, and I mostly rely on very strong passwords. I also discovered recently basic stuff like changing the default SSH port. Anyone knows of implementation of 2FA on Linux?
I have a yubikey and use their pam-module for 2FA on sudo and ssh. Took a bit of time to configure, but now it works like charm: https://wiki.archlinux.org/title/YubiKey#Linux_user_authentication_with_PAM
Thanks, I’m looking into it
If at all possible, do not expose things like ssh, RDP, etc to the internet. Use traditional VPN or something like tail scale. Just because ssh is on a different port than normal doesnt mean an attacker couldn’t figure out that your running ssh on port 335.
Well fail2ban went from very active to very quiet. It is definitely worth not leaving 22 (when opening ssh is a must for different reasons)
removed by mod
Yes I do have fail2ban. Do you mean I could have just (example) a yubikey and no ssh password? As safe as they can be, why remove the other factor?
removed by mod
Changing the default porta is security through obscurity, which is not security but just a waste of time. Don’t rely on attackers “maybe not finding stuff” but rely on your stuff being secure, even if someone had all information about your network and system architecture.
For 2fa, the other commenter mentioned yubikey pam modules. Those are probably useful, but if you want to secure your ssh server, the best solution is to use ssh keys and disable password login. I can really recommend that as its one of the few things in security that improves both usability and security.
What’s an ssh key? Nvm I’ll research
Welcome to the top of cryptography. We have elliptic curves, crazy math and huge numbers.
Okay, I think we can wrap this up: OP started with “I don’t want to be convinced of the predominant oppinion about security” and kept their word.
OP: You got your answer. There is no alternative to ClamAV. ClamAV is open source so it will always be slower than apt update in fixing vulnerabilities.
You can wonder why the whole community that created tons and tons of cool shit for Linux with armies of talented people with way more IT knowledge than all of us combined didn’t dedicate their time to Viruses. You can ask yourself how a virus would even get on your server… or you can not. Your choice. But the answer is: There is no alternative to ClamAV and ClamAV is set up mainly to detect Windows-Viruses that get spread by Mail-Attachments and the like.
I could fork ClamAV and call it OysterAV then there would be a less maintained alternative