As for SMB/CIFS filesystems shared with Windows systems, I use Clamav to scan them. This way Windows systems can't drop trojans in the shared directories. Clamav is horrendously slow but the virus database appears to be very well kept. It takes 3 DAYS to scan 60 GB of data on one of my systems. I will simply have to set up on-access virus scanning with Samba-vscan or Dazuko at some point very soon.

Look here for some interesting ways to use Clamav: http://www.clamav.net/3rdparty.html#pagestart

On Wed, 2004-01-28 at 21:59, Mitch Oliver wrote:
> Your best protection will always be to turn off unused services,
> run a firewall, avoid buggy programs, and always use strong passwords.
> Cracking is a much more clear and present threat to your Linux install than viruses will ever be.

Viruses and such are pretty rare. Break-ins by actual human beings are seemingly rampant among (arrogant) home Linux users (who have been brainwashed into thinking their Linux system is invulnerable). Over the years I've helped more than a few people pick up the pieces after a break-in on their Linux systems. One was exploited through an unpatched SSH vulnerability. Dozens were broken into because of weak passwords and drafty old services (SMTP, FTP, etc.) set up to authenticate real users who have remote shell access. Mail and FTP servers are terribly bad about allowing remote crackers to hunt and peck their way through your users' passwords. But poorly set up mail servers are possibly the worst because your usernames aren't unknown to the remote user. The cracker can poke around your web server, mailing lists, Google, etc. to find a couple of email addresses on your machine. Then he uses a script to bang on your sendmail server until he finds a valid password for one of the users. He logs in via SSH or telnet, runs a rootkit, and wipes the sendmail, secure and last logs.

In one such case I found the administrator had forced the user's password to "password" and did not set the login shell to /sbin/nologin. (AllowGroups in /etc/ssh/sshd_config is also a good way to combat unwanted remote logins.) The user had not legitimately logged in via SSH once since the account was created and would never have done so if told she could. The cracker logged in exactly once as that user, wiped his entries from some logs, and used a rootkit to repurpose the adm account for his own use. He was very sloppy and even left behind an extensive .bash_history. He also missed the maillog entries showing all of his password attempts against sendmail. But nonetheless, he owned that machine for several months before his buggy rootkit patches caused enough filesystem corruption to make the system unstable/unbootable.

The chances that a rootkit will work should be greatly reduced with Fedora Core if you've not disabled exec-shield. Even so, I uninstall all remote services (except SSH) from workstations, remove mail servers from non-mail servers, firewall all non-essential ports, and restrict SSH access to only those individuals who absolutely require it.

-- 
David Norris
http://www.webaugur.com/dave/
ICQ - 412039
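An added example, not part of David Norris's message, showing how an administrator can check what the two controls he names (an `AllowGroups` line in `sshd_config` and a `/sbin/nologin` shell) actually leave able to log in over SSH: every account with an interactive shell that is in no allowed group is a candidate for `/sbin/nologin`, and the remaining accounts are the ones whose passwords must be strong. The sshd_config, passwd and group contents below are constructed samples, and wildcard patterns in `AllowGroups` are not handled.

```python
import re

# Shells that cannot be used for an interactive login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample files (not from a real system).
SAMPLE_SSHD_CONFIG = "PermitRootLogin no\nAllowGroups sshusers wheel\n"
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
dave:x:500:500:Dave:/home/dave:/bin/bash
jane:x:501:501:Jane:/home/jane:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin"""
SAMPLE_GROUP = """root:x:0:
wheel:x:10:root,dave
dave:x:500:
jane:x:501:
sshusers:x:600:"""


def parse_allow_groups(sshd_config):
    """Return the group names of the first AllowGroups directive, or None if absent."""
    for line in sshd_config.splitlines():
        m = re.match(r"^\s*AllowGroups\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:
            return set(m.group(1).split())
    return None


def parse_passwd(text):
    """Map user name -> {"gid": primary gid, "shell": login shell}."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, _, gid, _, _, shell = line.split(":")
            users[name] = {"gid": gid, "shell": shell}
    return users


def parse_group(text):
    """Map group name -> (gid, set of supplementary member names)."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, gid, members = line.split(":")
            groups[name] = (gid, set(filter(None, members.split(","))))
    return groups


def audit(sshd_config, passwd, group):
    """Split interactive accounts into SSH-capable ones and ones that should get /sbin/nologin."""
    allowed, users, groups = parse_allow_groups(sshd_config), parse_passwd(passwd), parse_group(group)
    gid_to_name = {gid: name for name, (gid, _) in groups.items()}
    report = {"ssh_capable": [], "needs_nologin": []}
    for name, u in users.items():
        if u["shell"] in NOLOGIN_SHELLS:
            continue  # already cannot log in interactively
        # sshd matches AllowGroups against the primary group and all supplementary groups.
        member_of = {gid_to_name.get(u["gid"])} | {g for g, (_, m) in groups.items() if name in m}
        key = "ssh_capable" if allowed is None or member_of & allowed else "needs_nologin"
        report[key].append(name)
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_SSHD_CONFIG, SAMPLE_PASSWD, SAMPLE_GROUP))
```

With no `AllowGroups` line at all, every account with an interactive shell is reported as SSH-capable, which is exactly the situation in the break-in described above.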