Let's talk about anti virus and anti malware

[1uke_]

Hello forum,

Background information

I am new to Raspbian but learning lots very quickly.

I've recently been taking on projects that allow me to access my Pi when away from my home network.

I have read lots about the potential down falls about opening up your Pi to the Internet so I am now learning as much as I can about hardening my system.

I'm currently looking at installing some Anti Virus and Anti Malware as a precaution.

This tutorial seems to be the most comprehensive that I can find online http://garyhall.org.uk/raspberry-pi-vir ... ction.html

My Questions

Are there any other virus or malware scanners that I could use or are these scanners popular?

Is there anything else similar that I should install to harden my system?

[DougieLawson]

What are you trying to protect? Most AV junk on Linux is there to detect Windows viruses on shared filesystems. It mostly costs a lot of CPU and a lot of I/O for absolutely zero benefit to the Linux user.

To protect your Linux system you need to harden the security (firewall, ids, restricted use of sudo, etc.), not paper over cracks with sticking plasters.

[1uke_]

What are you trying to protect? Most AV junk on Linux is there to detect Windows viruses on shared filesystems. It mostly costs a lot of CPU and a lot of I/O for absolutely zero benefit to the Linux user.

To protect your Linux system you need to harden the security (firewall, ids, restricted use of sudo, etc.), not paper over cracks with sticking plasters.

Hi @DougieLawson,

I am running NextCloud to host my files and I am considering opening my system up so I can access my files when away from my home network.

From what I have read about NextCloud it is a really good idea to harden your system before opening it up to the web.

Any advice you can give me about hardening my system would be really appreciated.

Please keep in mind I am very new to Linux and learning something new everyday.

Thank you in advance for your help

[DougieLawson]

1. Remove the pi user
2. Change /etc/sudoers so that everyone needs to enter a password
3. Change /etc/sudoers so that everyone needs to enter the root password (optional)
4. Set strong passwords for every userid, set the shell for users who can't login to /usr/sbin/nologin
5. Disable ssh using passwords, only allow public/private key pairs
6. Replace Tightvnc with RealVNC
7. Install ufw
8. Install fail2ban
9. Only open router ports that are needed to run your public web service
10. Get a letsencrypt certificate so you can switch http:// to https:// from https://certbot.eff.org/
11. Regenerate the snakeoil certificates sudo make-ssl-cert generate-default-snakeoil --force-overwrite even if you don't use them
12. Regenerate your ssh certificates with sudo /bin/rm -v /etc/ssh/ssh_host_*;sudo dpkg-reconfigure openssh-server

[tpylkko]

Also, stop all services that you don't need. I mean, for example, if you do not use VNC at all, just don't run it or uninstall it. Never allow root ssh, but make users log in as user and then sudo if they need more priv. You can give users sudo for only some commands or for some certain time period.

[1uke_]

1. Remove the pi user
2. Change /etc/sudoers so that everyone needs to enter a password
3. Change /etc/sudoers so that everyone needs to enter the root password (optional)
4. Set strong passwords for every userid, set the shell for users who can't login to /usr/sbin/nologin
5. Disable ssh using passwords, only allow public/private key pairs
6. Replace Tightvnc with RealVNC
7. Install ufw
8. Install fail2ban
9. Only open router ports that are needed to run your public web service
10. Get a letsencrypt certificate so you can switch http:// to https:// from https://certbot.eff.org/
11. Regenerate the snakeoil certificates sudo make-ssl-cert generate-default-snakeoil --force-overwrite even if you don't use them
12. Regenerate your ssh certificates with sudo /bin/rm -v /etc/ssh/ssh_host_*;sudo dpkg-reconfigure openssh-server

Hello again @DougieLawson

Thank you for sharing this information it is really helpful!

Just a few quick follow up questions,

Please could you tell me how or link me to some tutorials showing how I do I do points 1, 2, 3 and 4?

1. How to remove the pi user
2. How to change /etc/sudoers so that everyone needs to enter a password
3. How to change /etc/sudoers so that everyone needs to enter the root password (optional)
4. How to set strong passwords for every userid, set the shell for users who can't login to /usr/sbin/nologin

Can I also ask what are the benefits of doing points 11 and 12.

Thank you for being kind enough to help increase my knowledge in the area of security and hardening. I really appreciate it

[DougieLawson]

1. sudo deluser
2. You should maintain the sudoers file on a user by user basis unless you connect all sudo users to the sudo group

Code: Select all

dougie ALL=(ALL) PASSWD: ALL

3. Add this line in /etc/sudoers

Code: Select all

Defaults        rootpw

4. a. https://xkcd.com/936/
b. sudo nano /etc/passwd
11. The snakeoil certificates are used for default security for some processes, your snakeoil certs are the same as everyone else's as they're a pre-installed part of Raspbian. Regenerating them gives you some protection until your replace the snakeoil certs with ones that have been properly created and certified by an external CA like Verisign.
12. The ssh certs are used to secure ssh operations, they should be regenerated at first boot, but that process didn't work for a long time. If your certs are the same as anyone else's then your system is not secure.

[wayne.dolesman]

There will never be a turnkey system for real security, there will just be a "club" like device. The automotive anti-theft device "the club" works on the premise that its easier to steal someone elses car than yours. It is not hard to remove (most steering wheels are plastic and easily cut) but it takes time and effort. Sure if someone really wants into your device they can get in but if you make the hurdle high enough they will just move on to someone elses device. Off the shelf malware/av scanners raise that bar to stop the casual attacker, they do not stop the determined attacker.

Security and usability is always a tradeoff. You cannot have a lot of one without reducing the other. You could for example set the write protect switch on the SD card and work solely off tempfs partitions but that greatly decreases usability. Periodic reboots would mean that anything installed is purged.

You must also define "secure from whom." A vending application where the device exists somewhere outside a secure facility (such as your home) can be compromised differently than one that is locked up somewhere. Physical security is just as important for certain types of threats. The steps you take should be largely determined by the realistic threat model for your specific environment and data. I suggest a paper on "Attack trees" which you can read here https://www.schneier.com/academic/archi ... trees.html

If you are worried about random internet things, like the millions of scanners out there right not actively looking for devices with a username of "pi" and password of "raspberry" then you can do a couple things. 1. disable ssh (which is the default since last Nov). 2. if enabled make sure the password is changed. 3. try putting ssh on an alternate port (most of the scanners are really dumb just connecting to port 22 and trying a bunch of user/pass combos until one works or the list is exhausted). 4. look for "honey pot" software that will trigger alerts if accessed. Could be a simple daemon on a port and if your box is portscanned it will alert you that someone is looking (be ready for a slew of alerts that are better ignored). Honey pots can also be quite complex depending on need (Pi users probably do not have that high of a need on their devices).

If you are worried about browser related attack vectors there are plugins for browsers that are platform independent. You must of course run a compatible browser.

For malware/av you can look for vendors, probably specializing in mobile devices, that do various things. Although many will require things like an android base layer and wont scan much outside of that environment so look carefully. Stuff does exist generically for linux like https://www.rfxn.com/projects/linux-malware-detect/ which can be compiled if arm binaries are not available and then periodically run. Of course if there is a rootkit successfully installed that rootkit can mask itself and never be seen. To scan for such things you would need to get a clean known install and build a DB of what the files look like and then pull the card, mount it RO somewhere and scan it. Tripwire is one such application that is designed to accomplish this task.

Threats evolve, what is secure today may not be secure tomorrow. You can also periodically scan your Pis with tools, several are available. http://www.openvas.org/ is open source as is metasploit (but I think openvas is easier for the non-tech people to use).

Then there are a slew of network based scanners and filters. These would be installed between your Pi and the network, they will monitor network traffic for suspicious activity. Snort is one such tool but there are many. Proxies can also provide web filtering. However they may miss things like embedded stuff in PDF documents, word documents (OOO does support some of this), etc.

You can also look into tools like systrace which you can read more about here http://niels.xtdnet.nl/papers/systrace.pdf Basically its a wrapper that will prevent system calls (file open, socket open, etc) that are out of scope for the app. So if someone does manage to exploit an application, lets say a web server, they are unable to access files outside of /var/www or whatever. They are unable to open new ports say for a reverse shell. Its not 100% but it is one of many components that can help to harden a system.

I guess the question is how far do you want to take this?

[wayne.dolesman]

1. How to remove the pi user

two options, replace "pi" in /etc/passwd and /etc/group and /etc/sudoers (if its there and not group based) to something else (they have to know both the username and password to log in, having a stock username gives them part of the info needed).

You may also

Code: Select all

sudo adduser --home /home/newuser -m --shell /bin/bash --add-extra-groups sudo newuser
# make sure the newuser account works!!! if it does not you will have a really bad day
sudo --remove-home pi

]

2. How to change /etc/sudoers so that everyone needs to enter a password

%sudo ALL=(ALL:ALL) ALL
that line in the text file /etc/sudoers lets anyone in the group "sudo" sudo without a password. If it is changed to
%sudo ALL=PASSWD ALL
a password will be required (I believe this still allows a few minute repeat sudo no pass on the same tty/session)

3. How to change /etc/sudoers so that everyone needs to enter the root password (optional)

defeats the purpose.

4. How to set strong passwords for every userid, set the shell for users who can't login to /usr/sbin/nologin

http://www.linux-faqs.info/security/for ... -passwords

Can I also ask what are the benefits of doing points 11 and 12.

if everyone has the same cert then the cert is worthless. However I thought that Jessie did a new cert on initial boot. I never looked into it so I could be mistaken.

[Gavinmc42]

This reminds me of the early days of the Pi, when I told the Uni network guys I'm going to stick Pi's on their network. Their first question "which antivirus are you using"

Situation is now a little different, Pi's are getting hacked.
Timely answers to a current issue.
Things like this should become a sticky.

I had been using Linux and Busybox which is exploitable, but using a ram based OS like piCore helps.
Been moving to baremetal for nearly a year, still exploitable but probably with less zero day holes.
Not sure what the solution is going to be for Pi's used in IoT stuff.
I just know something needs to be done and I still see some heads in the sand.
Lucky for Pi users it can be as simple as swapping SD cards.

I am a little more concerned for CM users with eMMC that go into ??????
Hopefully they know more than me, which isn't hard when it comes to software

[jamesh]

I'm currently working on a security page to go in the documentation - this thread is quite useful!

Also note that removing the Pi user may cause some things to stop working due to some reliance on the Pi user being there. This is in the issue list and will be fixed at some point.

[darksky]

...
6. Replace Tightvnc with RealVNC
...

This is odd advice. Tigervnc is opensource and actively developed, but as far as I can tell, Realvnc comes as precompiled binaries without source. How is that superior?

[Gavinmc42]

Replace Tightvnc with RealVNC

I noticed that too but Linux stuff is nearly of no concern to me these days.
Maybe Dougie got it round the wrong way?
Or he knows something we don't, shh.
Open source can be checked for holes, harder for closed source.
But since the recent Wikileaks about CIA/iPhone, I am sure anything can be got at, open or closed.

“I still don’t know how to reliably defend a modern phone against a state-level adversary,”

That will change one day to read any adversary.

A person's main computer these days is their smartphone.
Which it turns out are open to those who want to know.
Never mind running Kali on your Pi, that's so old now, but RPF has to start somewhere.
And since I have dozens of Pi's and no smart phone I will be paying attention.

Maybe grab a dongle and make my own phone with a Pi?
I already got an idea for a CM3 DPI LCD, Pi tablet that will run my software.
Since I don't have a CM3 yet, prototype with my first Zero W?

Also note that removing the Pi user may cause some things to stop working due to some reliance on the Pi user being there

And yep messing with Pi user does cause lots of problems, tried it a few times over a year ago and gave up, way beyond my skill level.

Hmm, Sticky post names? "Paranoia is a survival skill", "Learn this or be hacked".

[DougieLawson]

...
6. Replace Tightvnc with RealVNC
...

This is odd advice. Tigervnc is opensource and actively developed, but as far as I can tell, Realvnc comes as precompiled binaries without source. How is that superior?

Because RealVNC are a British company who have offices down the road from Raspberry Towers and have grasped VNC on the Raspberry Pi with both hands and have added some seriously useful function.

I don't care whether things are open source when the functions they provide are orders of magnitude better than the open source stuff and cost exactly the same to me (until I get over five Raspberries and three clients that need VNC).

RealVNC has better support for running a mirror of the desktop, better security, better support (they're on the forum & twitter) and has their exciting cloud service which allows me to access a RPi desktop from anywhere in the world.

[jsfrederick]

I'm currently working on a security page to go in the documentation - this thread is quite useful!

Also note that removing the Pi user may cause some things to stop working due to some reliance on the Pi user being there. This is in the issue list and will be fixed at some point.

Yes PLEASE! I am working on securing a number of Pi's now and looking ALL over the place is difficult. I would be more than happy to review your writeup and provide feedback when you are ready.

Also, can we get a "test build" of software for removing the Pi user? This is a big PITA.

Thanks!

[mfa298]

2. How to change /etc/sudoers so that everyone needs to enter a password

%sudo ALL=(ALL:ALL) ALL
that line in the text file /etc/sudoers lets anyone in the group "sudo" sudo without a password. If it is changed to
%sudo ALL=PASSWD ALL
a password will be required (I believe this still allows a few minute repeat sudo no pass on the same tty/session)

'%sudo ALL=(ALL:ALL) ALL' would normally require the users password to be entered, you need the NOPASSWD: tag in there to not need a password. The '/etc/sudoers.d/010_pi-nopasswd' file on raspbian is what allows no password sudo access for the pi user (and can be deleted)

This reminds me of the early days of the Pi, when I told the Uni network guys I'm going to stick Pi's on their network. Their first question "which antivirus are you using"

You were obviously at the wrong uni, I was a Uni network guy when the pi came out and upon hearing that a few people in the student union had connected a Pi up to the video wall my response was to ask why they were only telling me after the event. I'd have been there to see it in action and helped out getting it going

[Gavinmc42]

I was a Uni network guy when the pi came out and upon hearing that a few people in the student union had connected a Pi up to the video wall my response was to ask why they were only telling me after the event.

See, ask for permission afterwards, just in case you guys say no

[DougieLawson]

'%sudo ALL=(ALL:ALL) ALL' would normally require the users password to be entered, you need the NOPASSWD: tag in there to not need a password. The '/etc/sudoers.d/010_pi-nopasswd' file on raspbian is what allows no password sudo access for the pi user (and can be deleted)

And requiring a password is badness and a horrible problem because it makes the system more secure.

My sudo users need the root password.

[jamesh]

'%sudo ALL=(ALL:ALL) ALL' would normally require the users password to be entered, you need the NOPASSWD: tag in there to not need a password. The '/etc/sudoers.d/010_pi-nopasswd' file on raspbian is what allows no password sudo access for the pi user (and can be deleted)

And requiring a password is badness and a horrible problem because it makes the system more secure.

My sudo users need the root password.

Somehow I think that is not something to do when trying to make things more secure.

[DougieLawson]

'%sudo ALL=(ALL:ALL) ALL' would normally require the users password to be entered, you need the NOPASSWD: tag in there to not need a password. The '/etc/sudoers.d/010_pi-nopasswd' file on raspbian is what allows no password sudo access for the pi user (and can be deleted)

And requiring a password is badness and a horrible problem because it makes the system more secure.

My sudo users need the root password.

Somehow I think that is not something to do when trying to make things more secure.

It is more secure you now need to a) login as the sudo user and b) know the root password to use sudo. If you only compromise the first you still won't get sudo.

[mfa298]

And requiring a password is badness and a horrible problem because it makes the system more secure.

My sudo users need the root password.

Somehow I think that is not something to do when trying to make things more secure.

It is more secure you now need to a) login as the sudo user and b) know the root password to use sudo. If you only compromise the first you still won't get sudo.

In that case why not just 'su' and setup the system to restrict su to the wheel group (as originally intended).

I would suggest a password should always be required for things that need extra permission. As to whether it's the user password with sudo or root password with su is a separate debate for which I'm not sure there's one true answer (both have advantages which may suit different circumstances).


Dougie also seems to have taken my original comment out of context where I was correcting a previous poster who incorrectly stated:

%sudo ALL=(ALL:ALL) ALL
that line in the text file /etc/sudoers lets anyone in the group "sudo" sudo without a password. If it is changed to

Personally I'd only ever suggest the NOPASSWD option being good in limited scenarios usually only when running specific commands or changing to specific non-root users.

[DougieLawson]

I can't see any value in NOPASSWD unless your system is never going to connect to the Internet. Every compromised machine that's been reported on here has had ssh open and the pi user with default password and passwordless sudo.

That's why the RPF introduced the slightly flawed libpam-chksshpwd stuff.

For my systems I've set the root password because I find it easier to login as root on a console because lots of my userids have a shared /home directory on my NAS box. I can login as root with ssh using a public / private key from anywhere.

[Milica]

I'm currently working on a security page to go in the documentation - this thread is quite useful!

Also note that removing the Pi user may cause some things to stop working due to some reliance on the Pi user being there. This is in the issue list and will be fixed at some point.

Hi Jamesh, did you manage to produce a security page in the end? I am a beginner and have started using my Pi 3B+ for internet browsing on my home WiFi and am just wondering if I need to download an antivirus software for running on the Pi? I use Avast Internet Security for my home PC. Thanks.

[fruitoftheloom]

I'm currently working on a security page to go in the documentation - this thread is quite useful!

Also note that removing the Pi user may cause some things to stop working due to some reliance on the Pi user being there. This is in the issue list and will be fixed at some point.

Hi Jamesh, did you manage to produce a security page in the end? I am a beginner and have started using my Pi 3B+ for internet browsing on my home WiFi and am just wondering if I need to download an antivirus software for running on the Pi? I use Avast Internet Security for my home PC. Thanks.

You do not need Anti-Virus Software, there are very few Linux exploits, considering the minuscule market share of Linux Home Computers it is not worth hackers the time and effort required.

That being said there are a few changes you should undertake when running Raspbian:

https://www.raspberrypi.org/documentati ... ecurity.md

[Milica]

I'm currently working on a security page to go in the documentation - this thread is quite useful!

Also note that removing the Pi user may cause some things to stop working due to some reliance on the Pi user being there. This is in the issue list and will be fixed at some point.

Hi Jamesh, did you manage to produce a security page in the end? I am a beginner and have started using my Pi 3B+ for internet browsing on my home WiFi and am just wondering if I need to download an antivirus software for running on the Pi? I use Avast Internet Security for my home PC. Thanks.

You do not need Anti-Virus Software, there are very few Linux exploits, considering the minuscule market share of Linux Home Computers it is not worth hackers the time and effort required.

That being said there are a few changes you should undertake when running Raspbian:

https://www.raspberrypi.org/documentati ... ecurity.md

Many thanks!