
Friday, September 1, 2017

12 - Linux Security: ClamAV antivirus


CLAMAV ANTIVIRUS

- Layout for this exercise:





- ClamAntiVirus (ClamAV) is a free, cross-platform, open-source antivirus toolkit able to detect many kinds of malicious software, including viruses, trojans and worms.

https://www.clamav.net/
https://en.wikipedia.org/wiki/Clam_AntiVirus


- Installing clamav and clamav-daemon:






- Looking up information about the clamav packages:





- freshclam is the tool that updates the ClamAV virus database. However, running freshclam may produce this error message:




- Detecting any running process related to freshclam:




- Stopping clamav-freshclam service:




- Running it again, the database update is now successful:




- Reading freshclam.conf:






- Note that the configuration checks for new databases every hour, which could be considered too heavy on CPU performance. It may be changed to just once a day, or similar:
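The change above can be scripted instead of edited by hand. The following is an added example, not code from the original post: it rewrites the Checks directive (the number of database checks per day, so 24 means hourly and 1 means daily) in any freshclam.conf path given to it, and works on a constructed sample file so it can be tried without ClamAV installed.

```shell
#!/bin/sh
# Added example, not part of the original post: adjust the freshclam
# "Checks" directive (number of database checks per day) in a copy of
# freshclam.conf. Runs without ClamAV installed; the sample file below
# is constructed, not copied from a real system.

# make_sample_freshclam_conf FILE: write a constructed freshclam.conf.
make_sample_freshclam_conf() {
    cat > "$1" <<'EOF'
# constructed sample in the style of /etc/clamav/freshclam.conf
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogTime true
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net
# Check for new database 24 times a day (i.e. every hour)
Checks 24
EOF
}

# get_freshclam_checks FILE: print the active Checks value, or "unset".
get_freshclam_checks() {
    v=$(sed -n 's/^[[:space:]]*Checks[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}

# set_freshclam_checks FILE N: make the file read "Checks N". An existing
# active or commented-out ("#Checks 24") line is rewritten and duplicates
# are dropped; otherwise the directive is appended. N is checks per day.
set_freshclam_checks() {
    conf=$1
    n=$2
    case "$n" in
        ''|*[!0-9]*) echo "Checks must be a positive integer" >&2; return 1 ;;
    esac
    [ "$n" -ge 1 ] || { echo "Checks must be at least 1" >&2; return 1; }
    awk -v n="$n" '
        /^[ \t]*#?[ \t]*Checks[ \t]+[0-9]+/ {
            if (!done) { print "Checks " n; done = 1 }
            next
        }
        { print }
        END { if (!done) print "Checks " n }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Command-line use: freshclam_checks.sh /etc/clamav/freshclam.conf 1
if [ "$#" -eq 2 ]; then
    set_freshclam_checks "$1" "$2" && echo "Checks is now $(get_freshclam_checks "$1")"
fi
```

After editing the live file, restart the clamav-freshclam service so the daemon picks up the new interval; the value is validated as a positive integer before the file is touched, so a typo cannot leave the directive empty.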




- Options for clamscan, ClamAV's scanning tool:






- Let's scan the home directory of user johndoe. In this case no infected files are found:






- Another useful option is to move any detected files to a folder created for that purpose (/virus in this case):




- Directly removing detected malware is also an option:




- Scanning the whole filesystem for malware takes a long time:




- Sending bell alerts whenever a virus is found:
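A bell is only useful at an interactive terminal; for a scheduled scan the result has to be read from the report and the exit code. The script below is an added example, not code from the original post: it parses a clamscan report (the report text is a constructed sample; the "Eicar-Test-Signature" name is the EICAR test file signature, not real malware), maps clamscan's documented exit codes (0 nothing found, 1 something found, 2 error) to words, and wraps a recursive scan that moves detections into a quarantine folder like the /virus directory above. Only scan_directory calls clamscan, and only when it is installed; the parsing functions run anywhere.

```shell
#!/bin/sh
# Added example, not part of the original post: interpret clamscan results
# for alerting. The report below is a constructed sample shaped like a
# clamscan report; clamscan itself is only invoked by scan_directory.

# sample_clamscan_output: print a constructed clamscan report.
sample_clamscan_output() {
    cat <<'EOF'
/home/johndoe/Downloads/eicar.com: Eicar-Test-Signature FOUND
/home/johndoe/tmp/eicar.zip: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6565021
Engine version: 0.99.2
Scanned directories: 12
Scanned files: 87
Infected files: 2
Data scanned: 1.23 MB
Data read: 0.98 MB (ratio 1.26:1)
Time: 5.123 sec (0 m 5 s)
EOF
}

# clamscan_infected_count: read a report on stdin, print the "Infected files"
# number from the summary (0 when the summary is missing).
clamscan_infected_count() {
    awk -F': ' '/^Infected files:/ { n = $2 } END { print n + 0 }'
}

# clamscan_found_files: read a report on stdin, print the path of each FOUND line.
clamscan_found_files() {
    sed -n 's/: [^ ]* FOUND$//p'
}

# clamscan_status_word CODE: translate the documented clamscan exit codes
# (0 = nothing found, 1 = something found, 2 = error) into a word.
clamscan_status_word() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# scan_directory DIR QUARANTINE LOG: recursive scan that moves detections
# to QUARANTINE (mode 700, like the /virus folder in the post), saves the
# report to LOG and prints a one-line summary. Returns clamscan's exit code.
scan_directory() {
    dir=$1; quarantine=$2; log=$3
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan is not installed" >&2; return 2; }
    mkdir -p "$quarantine" && chmod 700 "$quarantine"
    if clamscan --recursive --infected --move="$quarantine" --log="$log" "$dir"; then
        rc=0
    else
        rc=$?
    fi
    echo "scan of $dir: $(clamscan_status_word "$rc"), $(clamscan_infected_count < "$log") infected file(s)"
    return "$rc"
}

# Command-line use: clamscan_report.sh /home/johndoe /virus /var/log/clamav/home-scan.log
if [ "$#" -eq 3 ]; then
    scan_directory "$1" "$2" "$3"
fi
```

Because the exit code is returned unchanged, a cron job can treat any non-zero status as an event to alert on, and the saved log keeps the list of moved files so a detection can be reviewed before anything is deleted.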


11 - Linux Security: system auditing with LYNIS open source tool


SYSTEM AUDITING WITH LYNIS OPEN SOURCE TOOL

- Layout for this exercise:




Lynis is an open-source security auditing tool for UNIX derivatives such as Linux, macOS, BSD, Solaris and AIX, performing an in-depth security scan.

https://cisofy.com/


- Creating a directory for lynis:






- Downloading lynis:







- Extracting:






- Contents of folder lynis:





- Running lynis without any command, parameter or option shows what this application can do:




- Commands to be used:




- Options: 




- Now let's run lynis audit system. As its name indicates, lynis audits the system in great depth, so the output is huge.

- Let's see some of the information generated by lynis:

......... etc .............

- Also some suggestions are provided:





......... etc .............


- A final summary:





- The whole report can be found in the files lynis.log and lynis-report.dat inside the folder /var/log:




- Opening lynis-report.dat:







- The suggestions section contains a lot of interesting information:





- For instance, the suggestion to set the PermitRootLogin directive to no, in order to disable SSH root login, as we saw in a previous exercise:
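Reading lynis-report.dat by eye works once; for repeated audits it is easier to pull the findings out with a script. The following is an added example, not code from the original post or from Lynis: it works on the key=value and key[]=value lines that Lynis writes to /var/log/lynis-report.dat, using a constructed sample report (test IDs shaped after real Lynis output, numbers made up), and lists the hardening index, the warnings and the suggestions per test, including the SSH-7408 PermitRootLogin item shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: extract the findings from a
# lynis-report.dat file. The report below is a constructed sample shaped like
# the lines Lynis writes to /var/log/lynis-report.dat; the numbers are made up.

# make_sample_lynis_report FILE: write the constructed report.
make_sample_lynis_report() {
    cat > "$1" <<'EOF'
# constructed sample in the style of /var/log/lynis-report.dat
lynis_version=2.5.5
report_datetime_start=2017-09-01 10:00:00
os=Linux
hardening_index=64
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (YES --> NO)|-|
suggestion[]=PKGS-7370|Install debsums utility for the verification of packages with known good database.|-|-|
report_datetime_end=2017-09-01 10:03:12
EOF
}

# lynis_value FILE KEY: print a scalar value such as hardening_index.
lynis_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# lynis_list FILE KEY: print every entry of a list key (warning, suggestion, ...).
lynis_list() {
    sed -n "s/^$2\[]=//p" "$1"
}

# lynis_count FILE KEY: number of entries of a list key.
lynis_count() {
    lynis_list "$1" "$2" | wc -l | tr -d ' '
}

# lynis_ids FILE KEY: distinct test IDs (first "|" field) of a list key.
lynis_ids() {
    lynis_list "$1" "$2" | cut -d'|' -f1 | sort -u
}

# lynis_details FILE TEST-ID: text and detail of every suggestion for one
# test, e.g. the SSH-7408 items about PermitRootLogin.
lynis_details() {
    lynis_list "$1" suggestion | awk -F'|' -v id="$2" '
        $1 == id { d = ($3 == "-") ? "" : " [" $3 "]"; print $2 d }'
}

# lynis_summary FILE: one-screen overview suitable for a ticket or a cron mail.
lynis_summary() {
    echo "hardening index: $(lynis_value "$1" hardening_index)"
    echo "warnings: $(lynis_count "$1" warning)"
    echo "suggestions: $(lynis_count "$1" suggestion)"
    echo "tests with suggestions:"
    lynis_ids "$1" suggestion | sed 's/^/  /'
}

# Command-line use: lynis_findings.sh /var/log/lynis-report.dat
if [ "$#" -eq 1 ]; then
    lynis_summary "$1"
fi
```

Keeping the hardening index and the list of test IDs from each run makes it easy to see whether a change (such as the PermitRootLogin fix) actually removed a finding or whether new ones appeared after an update.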


10 - Linux Security: restricting SSH users connections


RESTRICTING SSH USERS CONNECTIONS 


- Layout for this exercise:



- In every case studied in this exercise, the configuration file to be changed is /etc/ssh/sshd_config:





1 - SSH root restrictions


- By default, root authentication is set to PermitRootLogin without-password, meaning that root is only allowed to log in over SSH with a key:




- To disable SSH root login, change it to PermitRootLogin no:




- Restarting SSH service:





- Now root access is denied:




- Changing the directive back to PermitRootLogin yes:




- Now the access is successful:




2 - SSH restrictions for other users

- Editing the file /etc/ssh/sshd_config and adding a line with the AllowUsers directive to allow johndoe:




- Restarting SSH service:




- SSH connection for johndoe is successful:




- However, SSH access is not possible for user marie because this user is not included in the AllowUsers line:


- Adding user marie to the directive AllowUsers:




- Restarting SSH service:




- Connecting successfully as user marie:




- Another way to deny a user SSH access (apart from leaving them out of the AllowUsers directive) is to write a specific DenyUsers directive for the disallowed users. For instance, let's take user kevin:




- Restarting SSH service:




- Now user kevin cannot connect to the SSH service:




- The same approach applies to groups, using the equivalent group directives (AllowGroups and DenyGroups).
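The three edits of this exercise (PermitRootLogin no, AllowUsers johndoe marie, DenyUsers kevin) can be applied with a script rather than by hand, which also avoids the common mistake of leaving a second, earlier copy of the directive in the file (sshd honours the first match). The following is an added example, not code from the original post: the sshd_config it edits is a constructed sample, and each function takes a file path so the change can be tried on a copy before touching /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the sshd_config changes
# from this exercise (PermitRootLogin no, AllowUsers, DenyUsers) to a file with
# a script. The configuration below is a constructed sample.

# make_sample_sshd_config FILE: write a constructed sshd_config.
make_sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sample in the style of /etc/ssh/sshd_config
Port 22
#PermitRootLogin without-password
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
EOF
}

# sshd_get_directive FILE KEY: value of the first active (uncommented) KEY
# line, which is the one sshd honours when a directive is repeated.
sshd_get_directive() {
    awk -v k="$2" '$1 == k { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# sshd_set_directive FILE KEY VALUE: rewrite the first KEY line, active or
# commented out, as "KEY VALUE", drop any further copies, or append the line
# when KEY does not occur at all.
sshd_set_directive() {
    f=$1; k=$2; v=$3
    awk -v k="$k" -v v="$v" '
        ($0 ~ ("^[ \t]*#?[ \t]*" k "([ \t]|$)")) {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# sshd_allow_user FILE USER: add USER to AllowUsers, creating the directive
# if needed; a user that is already listed is left alone.
sshd_allow_user() {
    f=$1; u=$2
    cur=$(sshd_get_directive "$f" AllowUsers)
    for existing in $cur; do
        if [ "$existing" = "$u" ]; then return 0; fi
    done
    sshd_set_directive "$f" AllowUsers "${cur:+$cur }$u"
}

# harden_sshd_config FILE: the end state of this exercise, root cannot log
# in, johndoe and marie are allowed, kevin is explicitly denied.
harden_sshd_config() {
    sshd_set_directive "$1" PermitRootLogin no
    sshd_allow_user "$1" johndoe
    sshd_allow_user "$1" marie
    sshd_set_directive "$1" DenyUsers kevin
}

# Command-line use on a copy, then validate before replacing the live file:
#   cp /etc/ssh/sshd_config /tmp/sshd_config.new && sshd_harden.sh /tmp/sshd_config.new
#   sshd -t -f /tmp/sshd_config.new
if [ "$#" -eq 1 ]; then
    harden_sshd_config "$1"
fi
```

Two caveats for the live file: a directive that has to be appended lands at the end of the file, so if sshd_config contains a Match block the new line would belong to that block rather than apply globally (check with sshd -t -f and the output of sshd -T), and keep an existing SSH session open while restarting the service so a mistake in AllowUsers cannot lock you out.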