Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
The core problem with this approach is that antivirus scanning is generally based on signature recognition of malicious binaries. Behavior-based antivirus scanning mostly doesn't work and tends to generate a lot of false positives. No freely available antivirus is going to have a signature library that is kept up to date enough to be worth the effort of running it on Linux - most vulnerabilities are going to be patched long before a free service gets around to creating a signature for malware that exploits those vulnerabilities, at which point the signature would be moot. If you want antivirus that is kept up to date on a weekly or better basis, you're going to have to pay for a professional service.
That said, there are other, simpler (and probably more effective) options for hardening your systems:
- Firewall - if your servers are dedicated to specific services and you don't plan on adding many more applications, you should be able to tighten up their firewalls to have only the ports they need open and nothing else. If network security is a priority, you should start with this.
- Application Whitelisting - prevent unrecognized applications from running. There are more options for this on Windows (including the builtin Applocker), but there are some AWL options for Linux. It's a lot easier to recognize the things that you do want to run than all of the things that you don't want to run.
- Secure OS - I assume you're using Debian because it's familiar, but it is a general-purpose OS with a broad scope. Consider switching to a more stripped-down variant like Alpine Linux (it can be installed on a Pi).
Btw, bash has a restricted mode.
The firewall point I just don't get. When I set up a server, for every port I either run a service and it is open, or I don't and it is closed. That's it. What should the firewall block?
A malware might create a service which opens a previously closed port on your system. An independently configured firewall would keep the port closed, even if the service was running without your knowledge, hopefully blocking whatever activity the malware was trying to do.
Also, you can configure the firewall to drop packets coming in to closed ports, rather than responding to the sending device that the port is closed. This effectively black-holes the incoming traffic, so it looks like there's just nothing there.
If an attacker already has access to a system, they can use hitherto closed ports to communicate with C2 servers or attack other devices. In that case, a firewall that only allows known-good traffic will prevent further damage.
Firewalls set and enforce policy. Closed ports are only incidentally secure. Also, they can do a lot more than answer "nothing is listening here".
I don't use a firewall apart from router, but if you set a firewall in all of your devices, the chances of one of them getting infected and spreading it to the others via LAN would be low theoretically.
You can set up an intrusion detection/prevention system, that logs/blocks certain traffic. If you do have public services running, you could block access based on location, lists of known bad actors etc. I guess you could argue that this is beyond the scope of a traditional firewall.
I think you’re about to find out that the “belief” that Linux doesn’t need antivirus isn’t just held by everyone in this community, it’s held by the whole Linux community. Hence there being no active projects in the space.
Heck you almost don’t need any antivirus in windows anymore. Just windows defender and half a brain when it comes to what you download.
Many security experts I know consider AV software to be snake oil. I do so too. They are so complex and need so far reaching permissions to be somewhat effective, that they become the attack vector and/or a large risk factor for faulty behavior.
Add in lots of false positives and it just numbs the users to the alerts.
Nothing beats educating users and making sure the software in use isn't braindead. For example Microsoft programs that hide file extensions by default is a far bigger security problem than a missing AV tool. Or word processors that allow embedded scripts that can perform shit outside the application. The list goes on ...
Well that's just not fair. Snake oil doesn't get auto updated by the vendor, and then lock my production processes and cause an outage. I'd take a bottle of snake oil any day over Symantec.
I don't really understand that belief. There is plenty of Linux malware especially targeting servers, you just need to have an unsecure service running to find that out
I have been using linux for almost 2 decades, never seen a virus. And I never heard of a colleague or friend who got one on Linux. That's why no one has ever installed an antivirus, because, till now, the risk has been practically zero.
On windows, on the other hand, I saw so many viruses on friends and relatives computers...
People install antiviruses depending on the experience.
To be fair, we all know on Linux viruses exist, but is objectively pretty difficult to get one. It is not worth installing an antivirus if one doesn't actively install garbage from untrusted sources
I'm a senior Linux/Kubernetes sysadmin, so I deal with system security a lot.
I don't run ClamAV on any of my servers, and there's much more important ways to secure your server than to look for Windows viruses.
If you're not already running your servers in Docker, you should. Its extremely useful for automating deployment and updates, and also sets a baseline for isolation and security that you should follow. By running all your services in docker containers, you always know that all of your subcomponents are up to date, and you can update them much faster and easier. You also get the piece of mind knowing, that even if one container is compromised by an attacker, it's very hard for them to compromise the rest of the system.
Owasp has published a top 10 security measures that you can do once you've set up Docker.
https://github.com/OWASP/Docker-Security/blob/main/dist/owasp-docker-security.pdf
This list doesn't seem like it's been updated in the last few years, but it still holds true.
-
Don't run as root, even in containers
-
Update regularly
-
Segment your network services from each other and use a firewall.
-
Don't run unnecessary components, and make sure everything is configured with security in mind.
-
Separate services by security level by running them on different hosts
-
Store passwords and secrets in a secure way. (usually this means not hardcoding them into the docker container)
-
Set resource limits so that one container can't starve the entire host.
-
Make sure that the docker images you use are trustworthy
-
Setup containers with read-only file systems, only mounting r/w tmpfs dies in specific locations
-
Log everything to a remote server so that logs cannot be tampered with. (I recommend opentelemetry collector (contrib) and loki)
The list goes into more detail.
Hey, kinda off topic but what's the best way to get into a Linux/Kubernetes admin role? I've got a degree in networking, several years of helpdesk experience and I'm currently working as an implementation specialist.
Is that something I could simply upskill and slide into or are there specific certs that will blow the doors open for new opportunities?
Behavior-based antivirus is extremely difficult, failure-prone, and almost entirely unnecessary because of how secure Linux is, so they don't exist to my knowledge. Signature-based antivirus is basically useless because any security holes exploited by a virus are patched upstream rather than waiting for an antivirus to block it. ClamAV focuses on Windows viruses, not Linux ones, so it can be a signature-based antivirus, but not many people run an email server accessed by Windows devices or other similar services that require ClamAV, so not many people use it, and nobody made any alternatives.
If you're worried about security, focus on hardening and updates, not antiviruses.
Okay, I think we can wrap this up: OP started with "I don't want to be convinced of the predominant oppinion about security" and kept their word.
OP: You got your answer. There is no alternative to ClamAV. ClamAV is open source so it will always be slower than apt update in fixing vulnerabilities.
You can wonder why the whole community that created tons and tons of cool shit for Linux with armies of talented people with way more IT knowledge than all of us combined didn't dedicate their time to Viruses. You can ask yourself how a virus would even get on your server... or you can not. Your choice. But the answer is: There is no alternative to ClamAV and ClamAV is set up mainly to detect Windows-Viruses that get spread by Mail-Attachments and the like.
I could fork ClamAV and call it OysterAV then there would be a less maintained alternative
I also use ClamAV, but only in specific circumstances, such as when a Linux server will be hosting end-user files. Perhaps a SAMBA server with a file share, or a web server which accepts user uploads.
In those cases, I might want to have it monitor the relevant part of the disk, but I also need to make sure my web application won't fall over when the file it just accepted is unceremoniously ripped away from it. You can test that out using the EICAR file as your payload.
On a jump box, I might also have it turned on for scanning user home directories, by including /home, and then excluding any home directories for applications and daemons which might not deal well with having their IOPS nuked or delayed.
I would recommend just setting up iptables & crowdsec. Open only the ports your services need, and add the relevant plugins to crowdsec. Nothing should come through.
If you have services that allow people to upload files, that's a different story.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
Fewer Letters | More Letters |
---|---|
IoT | Internet of Things for device controllers |
LTS | Long Term Support software version |
SSH | Secure Shell for remote terminal access |
VPN | Virtual Private Network |
4 acronyms in this thread; the most compressed thread commented on today has 13 acronyms.
[Thread #141 for this sub, first seen 17th Sep 2023, 06:25] [FAQ] [Full list] [Contact] [Source code]
You're likely doing security wrong. But I'm keeping relatively quiet, as requested.
Please read up on how to set a partition noexec, use AppArmor, firewall, how to keep things patched, hardened and actual security measures if you want to protect the server. Also make sure not only fail2ban is working but every login on exposed software on that server is protected against brute force. ClamAV and similar are to protect your windows clients of your mail and storage server. They will not help with linux viruses. And you got to protect your servers against security vulnerabilities, not malware. The server won't randomly execute an executable file on its harddrive on its own. Think about how did that malware get there in the first place. And why is the file executable... Don't be offended, you can install whatever you want, including ClamAV, just make sure you did the 95% of protection first if security is your concern.