Malware attacks on Linux systems are on the rise. These free and low-cost tools provide good endpoint protection.
Credit: Thinkstock
I’ve been running the Linux desktop since the great desktop debate was between C Shell and Bash. I’ve never felt a need for a Linux antivirus program. But, that’s not to say that I thought I could get away without Linux desktop or server security. Far from it! While I use third-party programs like the ones below, I rely on good security practices to secure my system.
Mind you, in recent years we’ve seen an enormous increase in Linux malware. According to security company Crowdstrike, Linux malware increased by 35% in 2021 compared to 2020. Before you tear your hair out keep in mind that the vast majority of these attacks are not targeting Linux servers or cloud instances. Instead, Crowdstrike reports, XorDDoS, Mirai and Mozi, the biggest Linux-based malware families, go after the low-hanging fruit of internet of things (IoT) devices.
That doesn’t mean your servers aren’t under attack. They are. For example, LemonDuck, a popular cryptomining botnet, is targeting Docker on Linux systems to coin digital cash and is paddling around the cloud pond looking for victims.
If you look behind the recent flood of “Linux is dangerous!” headlines, you’ll find the same refrain over and over again. At the root of the security problem is a misconfiguration, a failure to patch a long-known security hole, or, frankly, incompetent system administration work. For an example of the last, an attack that requires root before it can work ignores the elephant in the room that if your attacker has root privileges you’re already completely compromised.
Linux security basics
Before you can secure anything, you need to know its security basics. For that, turn to such online classes as the Linux Foundation’s Linux Security Fundamentals; Udemy’s Linux Security and Hardening, The Practical Security Guide; and Red Hat Security: Linux in Physical, Virtual, and Cloud.
You should look at Linux security books and online guides. Some of the best include:
- Hardening Ubuntu. Systemd edition
- Arch Linux Security
- Securing Red Hat Enterprise Linux 8, which is useful for any Red Hat-based distro
- Mastering Linux Security and Hardening
There are also online security news sites you should watch. The single best source for this is Red Hat’s Security Product Advisory page. While much of it is Red Hat Enterprise Linux (RHEL) specific, Red Hat also covers security issues that matter to all enterprise Linux distributions. Red Hat also does the best job of the major distros of reporting security fixes as soon as possible.
Another important resource is the oss-security mailing list for open-source security software reports and discussions.
Locking down Linux
Once you have the fundamentals down, you can work on locking down your Linux systems with more advanced built-in Linux tools. The foremost of these is SELinux.
SELinux is a set of Linux patches and user tools that add mandatory access control (MAC) security to the operating system. It defends the operating system by locking down any hacked or misbehaving application, preventing them from causing damage to data or other applications. But, and this is important, SELinux’s fundamental security approach is to restrict everything unless explicitly permitted. That’s the exact opposite of Linux’s standard security approach, discretionary access control (DAC), which permits everything unless explicitly forbidden.
With traditional Linux DAC security, the root user is omnipotent, for better or worse. Each process runs under a user and group. For example, the Apache webserver httpd process runs as the user apache under the group apache. Thus, the httpd process has access to all Apache files and directories. If it’s cracked, the hacked httpd process can access, modify, and destroy all files that belong to Apache.
Or, as Tom Cameron, senior technical trainer at Amazon Web Services (AWS) and SELinux expert puts it, with ordinary Linux, “[w]e give you the gun, and there’s your foot.” In short, SELinux is great for securing systems, but you really must know it well before deploying it. The most common problems with SELinux occur when it’s deployed badly.
Top Linux endpoint protection programs
Once you’ve mastered all that, then it’s time to look at Linux endpoint software. These programs detect and remove malware, identify system vulnerabilities, and ward off attacks. Here are the best available today.
chkrootkit
Chkrootkit is a popular, free tool for searching out rootkits. It looks for known signatures in system binaries. It can be run on-demand or via cron. The program also provides an expert mode that reaches beyond rootkit signatures and, instead, looks for suspicious strings (chkrootkit -x).
The program is made up of a long and detailed shell script that calls a series of other tools that the package provides (e.g., chkdirs and chkproc). Another free, popular rootkit tool, Roolkit Hunter, is no longer being updated. If you’re still using it, stop. It’s time to find a replacement.
ClamAV
ClamAV, the free, open-source antivirus tool is very popular. It detects Trojans, viruses, malware, and other malicious threats. It works on the command line, though a graphical interface, ClamTk, is also available.
ClamAV uses the somewhat outdated virus signatures approach to find dangerous files. It uses a separate tool, freshclam to keep its signatures up to date. It can scan zipped and archived files as well as regular files.
With today’s more advanced threats, it’s not as useful as it once was, but it’s still good for spotting older viruses and malware following in their footsteps.
Nessus
Nessus is a serious professional vulnerability scanner. It began as a free, open-source tool, but that changed in 2005. It is currently only free for educators, students and individuals who are starting their cybersecurity careers This edition can only be used with up to 16 Internet Protocol (IP)-addressed systems. The business version, Nexus Pro, license starts at $3,390 for an annual license.
Nessus enables you to quickly identify and fix system vulnerabilities and focus attention on missing patches, configuration oversights and software flaws. It works through a crisp, web-based user interface that’s easy to use.
Sophos Antivirus (SAV)
For now, there’s still a free version of Sophos Antivirus (SAV), but it’s no longer being kept as up-to-date as its service-based cousin, Sophos Central Anti-Virus for Linux version 10. Both versions use signature files to detect and deal with viruses on your Linux machines. It also detects non-Linux viruses that might be stored on your Linux servers, where they could spread to your macOS and Windows computers.
Lynis
Lynis is an open-source security auditing tool for Linux, macOS, and Unix-based systems. It provides both compliance testing (e.g., with HIPAA and ISO 27001) and system hardening. Lynis provides warnings and many suggestions for hardening security along with links that you can follow to get more information on each issue.
Microsoft Defender for Endpoint on Linux
Oh, the irony! Microsoft’s Microsoft Defender for Endpoint on Linux is a good anti-malware and virus program. Who’d thought it even five years ago!? As the name indicates it works in concert with the Microsoft Defender for Endpoint family. It also boasts endpoint detection and response (EDR) capabilities.
While it does a good job of chasing down viruses for all operating systems, however, this version of the program is meant for Linux servers, not desktops. This program would be an excellent addition for any company depending on Linux servers and Windows desktops.
Nexpose
Rapid7‘s Nexpose Vulnerability Scanner works by identifying your machines’ active services, open ports and running applications. That done, it checks for vulnerabilities in the known services and applications. In addition to discovering these problems, it also provides risk classification, impact analysis and reporting and mitigation of threats. It is often installed as an independent network appliance. The user interface is straightforward — both easy to use and uncluttered.
Nexpose is excellent for use on large networks. It can be set up to use distributed scan engines for easily scalable reporting. The program’s pricing varies depending on the number of assets you’re protecting. The Community edition is free for a full year. That will give you more than enough time to see if it works well for your company.
Protect that penguin!
Your best Linux protection starts with using Linux’s existing tools to set up a solid security system. Everything else is secondary. That said, there are useful programs out there to protect your endpoints. You should use them. Again, it all starts with deploying and administering Linux responsibly.
Related content
- featureThe CSO guide to top security conferences Tracking postponements, cancellations, and conferences gone virtual — CSO Online’s calendar of upcoming security conferences makes it easy to find the events that matter the most to you.ByCSO StaffDec 29, 202322 minsTechnology IndustryTechnology IndustryTechnology Industry
- featureIf you don’t already have a generative AI security policy, there’s no time to lose Businesses are finding more and more compelling reasons to use generative AI, which is making the development of security-focused generative AI policies more critical than ever.ByMichael HillDec 27, 202314 minsGenerative AIData and Information SecuritySecurity Practices
- opinionHow the new Instegogram threat creates liability for organizations Organizations might be at risk of liability for images containing malicious code they post on social media even if they were unaware of it.ByDaniel B. Garrie, Jennifer Deutsch and Peter HalprinDec 26, 20234 minsThreat and Vulnerability ManagementLegalRisk Management
- featureUnderstanding the NSA’s latest guidance on managing OSS and SBOMs Open-source software is ever vulnerable to malicious actors, but software bills of material can help mitigate the threat. NSA guidance sets a solid foundation for managing the ecosystem.ByChris HughesDec 25, 20239 minsApplication SecurityOpen SourceSecurity Practices
- Podcasts
- Videos
- Resources
- Events
SUBSCRIBE TO OUR NEWSLETTER
From our editors straight to your inbox
Get started by entering your email address below.
Please enter a valid email address
I've spent years navigating Linux systems, from the days of C Shell and Bash debates to the contemporary landscape of evolving security threats. The information you provided touches on several crucial aspects:
Linux Security Basics:
- Educational Resources: Courses like the Linux Foundation’s "Linux Security Fundamentals," Udemy’s "Linux Security and Hardening," and books like "Securing Red Hat Enterprise Linux 8" offer foundational knowledge.
- News Sources: Platforms like Red Hat’s Security Product Advisory and the oss-security mailing list offer updates on security vulnerabilities and patches.
Locking Down Linux:
- SELinux: This is a crucial tool providing mandatory access control (MAC) security. Its approach differs from standard discretionary access control (DAC) by restricting everything unless explicitly permitted.
Linux Endpoint Protection Programs:
- Chkrootkit: An effective tool for detecting rootkits by searching for known signatures in system binaries.
- ClamAV: An open-source antivirus tool detecting Trojans, viruses, and malware via virus signature approach.
- Nessus: A professional vulnerability scanner identifying system vulnerabilities and aiding in patching and configuration oversights.
- Sophos Antivirus (SAV): Available in both free and service-based versions, it uses signature files to detect viruses on Linux machines and non-Linux viruses.
- Lynis: An open-source auditing tool providing compliance testing and system hardening.
- Microsoft Defender for Endpoint on Linux: Surprisingly, Microsoft offers a version for Linux servers, integrating with the Defender for Endpoint suite, providing anti-malware and virus capabilities.
- Nexpose: Rapid7’s vulnerability scanner that identifies active services, open ports, and applications, providing risk classification and mitigation.
The emphasis on responsible administration and the utilization of Linux’s inherent security tools as the primary defense aligns with industry best practices. Additionally, the incorporation of specialized endpoint protection software complements these practices for a robust security posture against evolving threats.
This landscape demonstrates the constant evolution of Linux security practices, reflecting the need for continuous adaptation and vigilance to safeguard against emerging threats.
