- 04-15-2009 #1 Just Joined!
- Join Date
- Apr 2009
- Location
- Stoke, England
- Posts
- 9
Can I be comfortable with Linux Security
Hello,
I'm relatively new to the Linux scene and I'm in the process of setting up a webserver using Apache 2 on the latest release of Ubuntu 8.10. Most of what I've learned is from using Google and these forums, but coming from MS Windows systems and knowing all about the security vulnerabilities, I'm very conscious about the system security.
My system is behind a router firewall which has been loyal for years, so I'm pretty confident that any incoming traffic is dropped before it even hits my system. I've also set up a custom script for iptables from an online help page to block incoming traffic and disabled port forwarding as I don't need it (I don't think I do anyway). It wasn't easy, I tell you.
So I'm pretty sure that nothing can get in. However I'll need to open up port 80 to allow traffic to the webserver and this is where I'm worried.
How would I know or tell that nothing is running maliciously on the system, for example a trojan or shell script or key logger? Windows firewalls like ZoneAlarm and F-Secure let you know if something from inside the system is trying to get out and you have the option to enable or disable it. AV tools look for certain patterns of code to identify malicious code and highlight it, but there seems to be nothing like this on Linux, not that I've found so far.
Coming from Windows, where a program tells me if something is accessing the internet or maybe contains malicious code, I feel my system is open and vulnerable by not having this on the Linux system.
How do I tell, do I need to know? A little bit of confidence from experts/people who know would go a long way.
Thanks
- 04-15-2009 #2
This is a good article that may address many of your questions concerning Linux security.
- 04-15-2009 #3 Just Joined!
- Join Date
- Apr 2009
- Location
- Stoke, England
- Posts
- 9
Many thanks Dan, I'll give it a read
- 04-22-2009 #4 Linux Guru
- Join Date
- Apr 2009
- Location
- I can be found either 40 miles west of Chicago, or in a galaxy far, far away.
- Posts
- 10,233
When you run a public web server, you have opened a potential vulnerability. How vulnerable depends upon a couple of things.
Code:
1. Don't run your web server as root. If you do, then if you get compromised, they have pwned you.
2. If you are using a database, do not allow scripts to send raw SQL code or you become vulnerable to SQL injection attacks.
3. Do rigorous bounds-checking of input in your web-enabled applications in order to avoid stack-overflow attacks.
Once you open your system to web access, you will be probed. This is a given. Before you do, make sure you have secured your system and web applications as well as possible. Some studies show that exposing a system to the internet will result in probes by malware within minutes or seconds. Caveat User! and good luck!
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
- 05-01-2009 #5 Just Joined!
- Join Date
- Apr 2009
- Location
- Stoke, England
- Posts
- 9
Thanks for all your replies guys, I've read up about iptables and to be honest it's a little over my head, but I have at least got an understanding of how the firewall works. One question though if I may: if I have a firewall set up and it's set to allow all traffic from my machine to the internet, how can I tell if I have a trojan or keylogger on the system?
- 05-01-2009 #6 Linux Guru
- Join Date
- Apr 2009
- Location
- I can be found either 40 miles west of Chicago, or in a galaxy far, far away.
- Posts
- 10,233
You can install chkrootkit and run that. You should be able to get it with Ubuntu's package manager, apt-get. Also, get an anti-virus scanner, such as clamav (also available via package manager) and periodically scan your system discs.
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
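An added example (not part of the original posts): a small wrapper for the chkrootkit and clamav scans suggested in the reply above, printing only the lines either tool flags. The sample output is constructed, and the /var/www scan target and the --scan switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Ubuntu install: sudo apt-get install chkrootkit clamav

# chkrootkit prints one "Checking `name'... <result>" line per test; a hit is
# marked with upper-case INFECTED ("not infected" is the normal result).
chkrootkit_findings() { grep 'INFECTED' || true; }

# clamscan prints "<path>: <signature> FOUND" for each detection.
clamav_findings() { grep ' FOUND$' || true; }

# Number of lines on stdin (0 for empty input).
count_lines() { grep -c '' || true; }

# Constructed sample output for a dry run (not from a real host).
sample_chkrootkit() {
cat <<'EOF'
Checking `amd'... not found
Checking `ls'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `netstat'... not infected
EOF
}

sample_clamscan() {
cat <<'EOF'
/var/www/index.html: OK
/var/www/uploads/test.txt: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
EOF
}

# Real run (needs root): prints only findings, returns 1 if there are any.
# Only INFECTED and FOUND lines are reported; other warnings are not shown.
scan_host() {
    target="${1:-/var/www}"            # assumed default scan target
    freshclam --quiet || true          # refresh ClamAV signatures first
    findings="$(chkrootkit 2>/dev/null | chkrootkit_findings
                clamscan -r -i "$target" 2>/dev/null | clamav_findings)"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# As root, e.g. from cron: sh scan.sh --scan /var/www
# Without --scan nothing is executed, so the file can be sourced for a dry run.
if [ "${1:-}" = "--scan" ]; then scan_host "${2:-}"; fi
```

A flagged line is a prompt to investigate that file or test by hand, since both tools can report false positives.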
- 05-02-2009 #7
Hey brer, you should check out Ubuntu's excellent firewall setup tools. To quote from Basic Ubuntu Linux Firewall Configuration - Techotopia:
<snip> Ubuntu Linux provides two firewall configuration options. The first is a basic yet effective and easy to use firewall configuration system called lokkit. Another, more advanced, option is called Firestarter. And yet another option is to use a tool called Guarddog. <snip>
In PClinuxOS you have a basic firewall config tool in the Administration Centre on the "Security" tab. Messing with iptables yourself is dangerous and laborious. Unless you want to know exactly how it works, the GUI tools are way easier.
Last edited by sarlacii; 05-02-2009 at 06:56 PM. Reason: added reference to my own distro's config tools
Respectfully... Sarlac II
~~
The moving clock K' appears to K to run slow by the factor (1-v^2/c^2)^(1/2).
This is the phenomenon of time dilation.
The faster you run, the younger you look, to everyone but yourself.
