Query: Rootkits on Fedora

[subratabera]

Hello all,

I am just curious and want to know if there is any possibility of my Fedora Core 5 (and Core 6 in near future) being affected by rootkits. I recently came across a site which recommended to install chkrootkit on fresh Fedora installation. Here is the link -->

*www.oreillynet.com/onlamp/blog/2006/10/fedora_core_6_installation_hel.html

Also there is an utility which can locate and remove (i suppose) rootkits called chkrootkit and can be found at -->

*www.chkrootkit.org/

Also I have installed Firestarter which disabled iptables on my system. Is it normal? Firestarter shows all the inbound (blocked) traffic, but, is it as good as default iptables? And also I want to know are these firewalls capable of blocking rootkit capabilities.

I have installed many packages without using yum because of bandwidth problem, i just type

yum install package-name

and copy the list of packages needed and downloaded them from different sources at office and then installed the rpms. Is there any possibility of affecting my system using this method. If yes, how can i locate such problems? Also is there any other safer method installing rpms offline?

I request all geeks in this forum to help me...
This will help many others newbies like me too...

So please help...

Subrata Bera.

 

[mehulved]

Well i don't really feel that chkrootkit and rootkithunter are needed to be installed. Cos if your system's compromised then there's a good chance of those being corrupted. So, you'd rather have these on some live CD and if you feel your OS has rootkits then boot up with the live CD and run any of them. So, no chances of compromise. But, I am not sure how well does it catch up with rootkits.

 

[subratabera]

Hello t_y_f
My system is perfectly ok( I think so). But I want to know is there any possibility of being infected where I am not running any servers and behind firewall. And also please try to answer my other questions.

Thankyou.

Subrata Bera.

 

[praka123]

i have been using chkrootkit in my debian and ubuntu install,its a small utility which scans ur "/" root directory for rootkits known afaik.it finishes scan in below 10 seconds.although it doesn't found any rkits in my instlns .it will needs to update its database with time.
BTW rkhunter is cool one too.
firestarter is a GUI for iptables.under the hood is iptables only.if ur security phreak,u can go on and install shorewall..
afaik iptables don't have anything to protect rootkits..

there is no problem in downloading dependencies from reliable sites or its mirrors.u can verify those packages by checking GPG keys given.

 

[subratabera]

Thankyou very much Prakash for your help.

I have scanned my system with chkrootkit and found nothing there. Linux is always a little bit difficult compared to windows for newbies like me. But I am getting used to it now and enjoying the power of Linux(Fedora) far more than Windows. But still there are many question which needs to be answered. Here are few of them...

1) Configuring Linux firewalls is very difficult compared to windows firewalls. I want to know is there any easy way to configure iptables/firestarter as I can configure ZoneAlarm? How one can block or allow a specific application from accessing internet with firestarter?
2) Please explain a little bit more about how to verify packages by checking GPG keys offline.
3) Please start a new thread(and make it sticky) which explains how to install themes, icon sets and other eye-candies in Linux (Both KDE & GNOME). This will benefit many of us.

Thanx once again...

Subrata Bera.

 

[mehulved]

For the third part, it's as easy as opening those themes, icons from KControlPanel(KDE) or from System => Preferences => Themes(GNOME)
I don't know about the other two queries as I haven't ever tried them out, if I do get to it, I will post it up.

 

[subratabera]

Not all themes can be installed by that method. For example take FINGERPRINT theme which changes the way you login (an excellent theme that can be downloaded from www.kde-look.org) which needs far more brainpower to install. It needs moodin plugin which needs to be installed manually using make. If there is anyone who have installed fingerprint theme on his computer then please answer...

Subrata Bera.

 

[mediator]

I have installed many packages without using yum because of bandwidth problem, i just type

yum install package-name

and copy the list of packages needed and downloaded them from different sources at office and then installed the rpms. Is there any possibility of affecting my system using this method. If yes, how can i locate such problems? Also is there any other safer method installing rpms offline?

No there's no possibilty of ur system getting affected by this method AFAIK! Rpms get installed until n unless they dont have any dependencies. Yum is the best tool to install rpms and handles dependencies itself. It doesn't matter if u have a bandwidth problem. If u install xmms by "yum -y install xmms" and then it shows like 3 packages to download and install then u can stop the yum process after downloading of the first package. When u do the "yum -y install xmms" again after sometime, it will download only those packages then which were not downloaded previously! This is becoz the packages are stored in some directory after download and r not removed from there until u perform "yum clean all"!

For firewalls, I don't think there are any programs that access the net without ur permission. The only program I know was the system update program and I cud disable it easily by going to service option and disabling it there!

For ur system getting infected, the chances are almost zero since u don't run server processes and r behind firewall. Almost zero becoz no system is perfect and everything is hackable on net and in the digital computer world.

 

[Yamaraj]

You should also enable and configure SELinux, which comes with both FC5 and
FC6, to prevent rootkit attacks. Though it's not really easy to configure SELinux
in way such that it provides the needed protection without getting in your way,
it cannot be avoided if system security and integrity are at stake.

SUSE offers AppArmor, which takes a different approach to achieve similar results.
It's also considered easier to install and configure than SELinux.

 

[subratabera]

Thanks mediator & Yamaraj for your help.

I actually wanted to know how can I prevent a program from accessing the Internet at all, like konqueror (I am a KDE fan). I am just curious to know that. Also how can I verify the GPG key manually?

Thanks mediator from clearing my doubts about yum. But I never install anything from my RELIANCE broadband connection (115K max) at my home. I just copy the needed packages and download them at my office (I have all that permission at my office ) from sites listed at repo files in yum.repos.d directory. I think that will not cause any problem because yum also uses the same loaction to download files from.

Also please help me installing the fingerprint theme....and consider starting a new thread which help newbies to make their system go WOW...

Thankyou.

Subrata Bera.

 

[JGuru]

@Subratabera, FireStarter is not a very good firewall.If you need a very good firewall,
then install Shorewall. Configuring Shorewall is too geeky, so suggest that you
download GUI tool for Configuring Shorewall from here
With Shorewall installed & configured properly, you can prevent any application from accessing
the Net. Also read Tutorial on Configuring Shorewall using Webmin (GUI tool) Click here
Regarding installing Fingerprint theme, I think @Eddie can help you. Since I use only GNOME,

 

[Yamaraj]

Firestarter is not a firewall itself. It's only an interface and rule builder for the
netfilter/iptables duo. Netfilter is the actual packet filtering technology built
into the Linux kernel, and iptables is a userland command-line interface for
configuring the Linux IPv4 packet filtering ruleset. For IPv6, there is ip6tables
available, which is quivalent to iptables for IPv4.

Shorewall is not very easy to configure and set rules, particularly for beginners.
OTOH, it is perfect for experienced sysadmins and netadmins.

I'll still recommend using Firestarter if the user isn't familiar with the innards of
the packet filtering and rule building techniques.

 

[praka123]

all the gui's are based on iptables.iptables(ntfilter's) is working under the hood.

btw i've read somewhere the new fedora core 6 from redhat user community has a gui config tool for configuring SE Linux.

 

[subratabera]

In todays connected (24x7) world we definitely need more security whether we are using Windows or Linux. All the systems are under threat and secuirty is becoming a must. Linux offres more security than Windows but M$ is patching its faults with care, and Vista is M$'s most secure OS ever. I think now Linux community should develop something which can be used by a novice without knowing too much of the underlying system. The Linux security tools are powerful enough but we need a more user friendly version of those tools.

BTW can iptables and shorewall reside on the same system without affecting each other? Also is there anyone who is using shorewall in his system?

I know, I am secure enough with firestarter/iptables but want to experiment with more powerful tools just for curiosity. BTW I have installed webmin (thanks JGuru for that) and learning its use right now. It is a veryful powerful software (used it first on PCQLinux provided by PCQuest magazine) so needs a little care while handling.

 

[mediator]

btw i've read somewhere the new fedora core 6 from redhat user community has a gui config tool for configuring SE Linux.

It was there in FC4 too, forgot about FC3!

 

[subratabera]

Today I have found a great website recommended in a Linux Forum which can actually check my firewall and entire system for possible loopholes. This presents a detailed report which can be a great help to secure your system further and especially your firewall. Just check it out...

*www.grc.com/x/ne.dll?bh0bkyd2

Just press the proceed button located below the webpage and then use available tests...

Subrata Bera.