Linux Security Explained

by on 10/09/2012 in Linux OS, Security

Some would arrogantly insist that the phrase “Linux Security” is an oxymoron, because they maintain that Linux is either totally immune to infections or Linux viruses don’t exist.

NO OS is immune and there ARE Linux viruses in the wild (never mind that cross platform malware is becoming more common.)

Granted, Linux malware is minimal, but that certainly doesn’t say it’s not out there, or that Linux systems have some magic shield built in.

A few years ago, smug Apple users found out that their MAC systems were vulnerable.

A common thought on the fact that Linux malware is rare is that since the Linux market share is much less than Windows, malware writers get the biggest bang for their buck by focusing on Windows instead of Linux.  The “official” position (Linux Documentation Team: ) is that this is flawed reasoning (see the link for more info on this).  This piece is not intended to argue that point, but the Linux position on this reinforces that aura of invincibility.

BTW, there is no such thing as 100% security, unless you encase your machine in concrete and never connect to the Internet.

So let’s get into some of the nuances of Linux Security.

There are two popular Linux rootkit scanners: Rootkit Hunter and Chkrootkit (actually, there’s at least one more that I know of, but I use Rootkit Hunter and Chkrootkit.).  Both can be found in the Linux repository.  Seems kind of revealing to me that Linux offers these packages in their repository . . . sort of an admission that these things are needed.

And then there are at least two antivirus packages that can also be found in the repositories of some distros:  AVAST and ClamAV.

Stay with me on this, ’cause this is going to be lengthy.  There’s a reason this is going to be long-winded, and I’ll give it at the end.

As far as different distributions, my Ubuntu 12.04 distro DOES NOT show Avast in Synaptic, while my Mint 12 DOES.  I’m too lazy to compare software sources and see what the determining repository is, but that’s academic anyway ’cause you can download and install Avast right from the Avast site: .

I’m normally a repository kinda’ guy, but if you can’t find Avast in Synaptic, go ahead and download it from the site above.  My own preference is to download it from the Avast site, mostly because having an up to date engine in your antivirus program is critical.  BUT, before you open it, read through the section below on “Avast”.  You should be able to find the two rootkit scanners (which are command line utilities) and Clam in Synaptic, so you can install them from there if you want.  The same applies here though . . . read through the respective sections BEFORE you use Synaptic.

I have 12.04 on one partition and Mint12 on another.  Most of this is written from the Mint12 perspective (Mint uses the Ubuntu kernel), and a lot of it would be the same anyway.  There are a few nuanced differences between the two, but if I pointed out the Ubuntu 12.04 nuances, this would be a lot lengthier than it already is.

And I’m going to jump a little ahead on Clam here.  In Synaptic there is “ClamAV” and “ClamTK”.  ClamAV is the command line version.  ClamTK is the front end GUI.  So if you want the GUI, you need to install ClamTK (and it will install ClamAV as a dependency anyway.)  BUT, read the “Clam” section below BEFORE you even consider Synaptic . . . you may not want to use Synaptic.


Let’s take Rootkit Hunter first.  The latest version is 1.4.0.  In Synaptic, your search would be “rkhunter”.  The version I get in Synaptic is 1.3.8, significantly old and likely out of date.  You can find the latest version here: .  Read through that page and decide if you want to use that version.  There have been some significant changes, but if you want an easy go of it rather than messing with a tar ball, go ahead and use Synaptic.

On that 1.4.0 page is a link to , which is a good overall use tutorial.  I recommend reading through it.  It has a flow chart that shows a lot.

Another good rkhunter tutorial is here: .  Pay particular attention to the section on updating the rkhunter database.  It is essential that you have an up to date database.

BUT, see my caution about where to run rootkit scans FROM, below.


This is also in Mint12 Synaptic.  Just search “chkrootkit”.  The version in Synaptic is 0.49, and that is the latest, as far as I know.  So, using Synaptic for this download is fine.

To start looking for rootkits, just run “sudo chkrootkit” (WITHOUT the quotes.)

BUT, same caution applies here as in rkhunter.


So what is this mysterious caution?

Well . . . first of all, you have to understand a little about the nature of rootkits.  Basically, they attack and infect your system kernel, and often can gain root privileges (“administrator” privileges in Windows), and can even hijack your rootkit scanners and make them show clean results.

If you’re infected with one, there is no safe way to eliminate it from within the rooted operating system, because if your kernel is compromised, you can’t trust anything it says about your files, etc.

Consequently, you want to run your rootkit scanner FROM OUTSIDE THE OS, like from a USB stick or a customized LiveCD ( .  BTW. “uck” is in Mint12 Synaptic.)  Running these rootkit scanners from within the OS is not trustworthy.

Fortunately, the incidence of a rootkit on a desktop-usage Linux system is very low. The odds are a little worse for a server-usage installation, but still very low.


As I said, ClamTK is in your repository.  BUT, the GUI version in the repository is 4.32.  The latest GUI version is 4.42 ( )  Plus, the package from the repository shows the engine as out of date:


(BTW, it shows “Last scan never” simply because I’ve never used the one from the repository.)

The GUI won’t update and it won’t update the engine:

Clam GUI won't update

I could maybe live with the GUI being out of date, but the out of date engine is the deal breaker.

There is a way through the terminal to update it all, but it’s very complex and tedious.

Just flat out easier to install the latest in a .deb from the ClamTK web page:

Scroll a little more than halfway down and click on the “Debian/Ubuntu” link under “Downloads”.  Double click that .deb.  It works just fine in Mint 12.  The download will be “clamtk_4.42-1_all.deb”, and it will open like this:


Be aware, though, that you will get the typical “use the repository” warning when you run that downloaded .deb:

Typical "use the repository" warning with.deb

Just click through it and install the .deb.  Am I encouraging users to go outside the repository and take the risk of downloading malware?  Perhaps, but in the case of antivirus software it’s critical to get the latest version.


Again, this is in the Mint12 repository, but you can just as well download it from the Avast web page,  In fact, and here again I’m violating the “repository rule”, go ahead and download it from the site.  Again, I want the latest version.  Outdated versions are useless.

Now there is a major flaw in Avast when you first try to run it.  (Well, the flaw may be the Linux developers, depending on how you want to argue it.)

When you first try to run it, you’ll get this:

Major flaw in Avast

But don’t worry, there’s a way to solve this.

I’m going to simplify this explanation.

For some reason, the developer’s allotted an anemic size in /proc/sys/kernel/shmmax:

Avast Flaw in Linux

(Remember, I just said this was a simplified explanation.  There’s a lot more to it than what I’m saying, but you don’t need that information.)

Again, though, you needn’t worry.  There’s a fix.

In the terminal, type in “gksudo gedit /etc/init.d/rcS” (WITHOUT the quotes.)

Now add the line “sysctl -w kernel.shmmax=128000000″ (WITHOUT the quotes) and put it just above the line “exec /etc/init.d/rc S”.

The file should now look like this:

#! /bin/sh


# rcS


# Call all S??* scripts in /etc/rcS.d/ in numerical/alphabetical order


sysctl -w kernel.shmmax=128000000

exec /etc/init.d/rc S

Now save that file.

To confirm it took, in gedit navigate to /proc/sys/kernel/shmmax.

It should now look like this:Avast fix using Linux

What you’ve done, essentially, is allotted a larger block for some BIG Avast files.  (BTW, if you update your kernel, you’ll have to do this all over again for the new kernel.)

For those that don’t know this manipulation, they probably walk away in frustration thinking “Avast doesn’t work in Linux”.

So now you should be able to fire up Avast and enter your license when Avast gets around to emailing your number (usually within 24 hours, but make sure and check your junk or spam folder . . . sometimes that email from Avast will get routed there.  Plus sometimes they are tardy on the delivery, so you may have to give it a day or so.)

OK, that’s the install routine for the rootkit scanners and the antivirus programs.

Now this is VERY IMPORTANT for you to realize.  There are no automated rootkit removal tools for Ubuntu, only tools to check for rootkits, and, as far as I know, there are NO virus removal tools for Linux.  The rootkit scanners will simply detect an infection and nothing more, and the best you can do with the antivirus programs is put the infected file, if it finds one (and I’d be surprised if they did . . . I said in the beginning that Linux viruses are rare, but they DO exist), in quarantine.  But they will not “repair” the file, like some tools in Windows would (I’m thinking of ComboFix, which is a WINDOWS removal tool . . . there is nothing like that for Linux.)

But that’s just as well, because if you find an infection (a Linux virus that is . . . if it’s a Windows virus, it won’t impact Linux), you should just flat out reinstall (either with a LiveCD or this method, which I recommend:

That’s because when you try a removal routine (unique to Windows anyway), you’ll never know if you got it all.  Rootkits, especially, are very hard to remove.  Better to just flat out restore a clean image, and that way you’ll be sure it’s gone.  The only time a removal routine makes sense is if the user hasn’t backed up data on removable media, and removal is the only option to save the data.  That’s why it’s always critical to . . . backup, backup, BACKUP!!!!  (And use removable media for your data, like a USB stick or an external HDD.)

And here’s another important thing to realize.  These scanners, both rootkit and antivirus, are ON-DEMAND only, out of the box.  IOW, they won’t check your files in real time (ON-ACCESS scans).  You can make them on-access scanners by using a program called “DAZUKO” (and making them daemons . . . “TSR’s” in Windows lingo) in conjunction with the antivirus program, but it’s heavy on terminal commands, buggy, and is no longer maintained.  Avira developed it, but then dropped it.  Even I, security fanatic that I am, think trying to make antivirus programs in Linux do on-access scans is a bit of overkill.

You can try to do so, but you really don’t need to.

A word on “Security Best Practices”.  This is essentially common sense.  One of my favorite quotes is “Ultimately, the only protection against phishing, forged Web pages, downloading malware, and other threats is the technology located between the user’s ears.”

Things like NOT clicking on links you get in emails from either less-than-security-conscious individuals or completely unknown individuals, or opening attachments in emails from those same folks, or links in IM’s, or visiting questionable web sites, or keeping your virus defs up to date, are examples of “Security Best Practices”.  Here’s something I wrote years ago when I was a Windows kinda’ guy, and while some of it doesn’t apply to Linux (most does, though), and some of it is out-of-date, the principles are still good: .  Incidentally, read through that whole thread, you may get some good ideas from it.

I said at the beginning that there was a “reason” this was going to be long.

Here it is.

If you don’t have a headache by now, you’ve either not read through or you’re super-human.  I have a headache myself reading back over this.

And that’s the crux of the “reason”.  The complexity and tedious detail should give you a flavor of this security business in Linux, AND CONVINCE YOU THAT PRACTICING SAFE SURFING AND SECURITY BEST PRACTICES (WHICH MEANS MOSTLY EXERCISING COMMON SENSE) is a better alternative to this rootkit/antivirus business.  I’M NOT SAYING THAT YOU DON’T NEED TO RUN A ROOTKIT SCAN OR AN ANTIVIRUS SCAN NOW AND THEN, and can get by JUST with safe surfing and security best practices.  But what I am saying is that the urgency of running a rootkit and antivirus scan can be significantly reduced by just safe surfing and security best practices.

Here’s what I recommend you do.  Play around with rkhunter and chkrootkit ’till you’re confident that you can run them “right”, the rootkit scanners from a USB stick or a customized LiveCD of course.   Practice running Avast and Clam also . . . just get familiar with them.  When you’re confident that you’ve run them properly and they show no detections, IOW you have NO infections (and I’m almost 99% sure that will be the case), THEN make an image (See this thread for how: .  Old but still valid.), store it on a large-capacity USB stick, and you will always have a “clean restore point” (to use a Windows term) you can use if you get infected.

It may take you about 20 minutes or so to restore the image, but that’s a heck of a lot better than the several days or more it might take to remove the infection (if that’s even possible . . . as I said, as far as I know there are NO malware removal tools for Ubuntu) and you’ll never be sure you “got it all”.  Restoring a clean image removes that doubt.  And you will have peace of mind that if you ever DO get infected (unlikely if you surf safely and exercise security best practices and use Linux, but still possible), you’ll be able to recover quickly.

And if you DO have a Linux infection, especially a rootkit, get off line IMMEDIATELY while you install the clean image.

BUT, as I keep saying, it’s likely that you won’t get infected as long as you surf safely and use security best practices, and use Linux.  Immune?  Certainly not.  Is malware for Linux rare?  Yes.  Do you need to be security conscious if you use Linux?  Yes!

One Response to “Linux Security Explained”

  1. cheese

    Oct 21st, 2012

    I have another parameter in proc/sys/kernel. Very strange… What should I do then??