The firewall point I just don’t get. When I set up a server, for every port I either run a service and it is open, or I don’t and it is closed. That’s it. What should the firewall block?
Comment on Alternative to ClamAV?
NaibofTabr@infosec.pub 1 year ago
The core problem with this approach is that antivirus scanning is generally based on signature recognition of malicious binaries. Behavior-based antivirus scanning mostly doesn’t work and tends to generate a lot of false positives. No freely available antivirus is going to have a signature library that is kept up to date enough to be worth the effort of running it on Linux - most vulnerabilities are going to be patched long before a free service gets around to creating a signature for malware that exploits those vulnerabilities, at which point the signature would be moot. If you want antivirus that is kept up to date on a weekly or better basis, you’re going to have to pay for a professional service.
That said, there are other, simple (and probably more effective) options for hardening your systems:
- Firewall - if your servers are dedicated to specific services and you don’t plan on adding many more applications, you should be able to tighten up their firewalls to have only the ports they need open and nothing else. If network security is a priority, you should start with this.
- Application Whitelisting - prevent unrecognized applications from running. There are more options for this on Windows (including the builtin Applocker), but there are some AWL options for Linux. It’s a lot easier to recognize the things that you do want to run than all of the things that you don’t want to run.
- Secure OS - I assume you’re using Debian because it’s familiar, but it is a general-purpose OS with a broad scope. Consider switching to a more stripped-down variant like Alpine Linux (it can be installed on a Pi).
skilltheamps@feddit.de 1 year ago
NaibofTabr@infosec.pub 1 year ago
A malware might create a service which opens a previously closed port on your system. An independently configured firewall would keep the port closed, even if the service was running without your knowledge, hopefully blocking whatever activity the malware was trying to do.
BlueBockser@programming.dev 1 year ago
If an attacker already has access to a system, they can use hitherto closed ports to communicate with C2 servers or attack other devices. In that case, a firewall that only allows known-good traffic will prevent further damage.
anyhow2503@lemmy.world 1 year ago
You can set up an intrusion detection/prevention system, that logs/blocks certain traffic. If you do have public services running, you could block access based on location, lists of known bad actors etc. I guess you could argue that this is beyond the scope of a traditional firewall.
XTL@sopuli.xyz 1 year ago
Firewalls set and enforce policy. Closed ports are only incidentally secure. Also, they can do a lot more than answer “nothing is listening here”.
IcedCoffeeBitch@lemmy.world 1 year ago
I don’t use a firewall apart from router, but if you set a firewall in all of your devices, the chances of one of them getting infected and spreading it to the others via LAN would be low theoretically.
SheeEttin@lemmy.world 1 year ago
A modern firewall might also block connections to known bad sites, in case you do somehow get malware reaching out to a command & control server. Or it might identify malicious application traffic over a port that should be for a more trustworthy service.
But these are usually only a concern in places like businesses or schools where there are a lot more people, devices, etc. on the network, especially if there’s a guest network.
MonkderZweite@feddit.ch 1 year ago
Btw, bash has a restricted mode.