Alternative to ClamAV?

Submitted ⁨⁨8⁩ ⁨months⁩ ago⁩ by ⁨lal309@lemmy.world⁩ to ⁨selfhosted@lemmy.world⁩

TL;DR - What are you running as a means of “antivirus” on Linux servers?

I have a few small Debian 12 servers running my services and would like to enhance my security posture. Some services are exposed to the internet and I’ve done quite a few things to protect the services and the hosts. When it comes to “antivirus”, I was looking at ClamAV as it seemed to be the most recommended. However, when I read the documentation, it stated that the recommended RAM was at least 2-4 gigs. Some of my servers have more power than other but some do not meet this requirement. The lower powered hosts are rpi3s and some Lenovo tinys.

When I searched for alternatives, I came across rkhunter and chrootkit, but they seem to no longer be maintained as their latest release was several years ago.

If possible, I’d like to run the same software across all my servers for simplicity and uniformity.

If you have a similar setup, what are you running? Any other recommendations?

P.S. if you are of the mindset that Linux doesn’t need this kind of protection then fine, that’s your belief, not mine. So please just skip this post.

source

Comments

Sort:hotnew top

just_another_person@lemmy.world ⁨8⁩ ⁨months⁩ ago
Hot take, but depending on your use, there isn’t a lot of reason to run antivirus on a Linux “server”. If you’re using it as a file server and want to scan statically stored files, say, on an SMB share, ClamAV is fine. You need to provide more info for your use-case, but “generally”, you won’t be running into viruses if you’re running basic services and not allowing random executables on it.

source
- lal309@lemmy.world ⁨8⁩ ⁨months⁩ ago
  Okay sure same thing as Windows. If you aren’t reckless with the things you install and run then you are likely fine BUT there’s always a chance. All it takes is one slip up. Same logic as having a lock in the door knob and a deadbolt. By your logic (and many others), the lock on the door knob is sufficient and that may be okay with you BUT I’m gonna put a deadbolt on too just in case.
  
  We can argue about this all day long. You will have valid points and so will I.
  
  source
  - just_another_person@lemmy.world ⁨8⁩ ⁨months⁩ ago
    No…it’s not the same as Windows. The difference is a properly sandboxed execution of binaries. You can Google this, but you sound like you don’t care to understand why it’s different. TLDR: I think you misunderstand what a “server” is, and what a desktop is. Linux is not a server, it’s an Operating System.
    
    source
    -> View More Comments
  - elephantium@lemmy.world ⁨8⁩ ⁨months⁩ ago
    But would you put a deadbolt on your garage door? Or on your fridge door? IMO, arguing by analogy here just obfuscates the points – your servers aren’t physical doorways with locks, and comparing them just confuses the issue.
    
    Can you explain what added security an antivirus package would offer for a Linux server? I haven’t done much with Linux administration, mostly just using Docker images for stuff at work.
    
    I’m not a super Linux expert or anything, but I do grok tech, and I’m curious about this topic.
    
    source
    -> View More Comments
- Chobbes@lemmy.world ⁨8⁩ ⁨months⁩ ago
  To be honest, antivirus software is just not really a security tool. If you’re at the point where malicious software is running on your server you’ve already lost and it’s hard to know what extent the damage will be. Having proper isolation is much more important (something which, tbh, Linux isn’t quite as great at as we’d like to think, at least not with additional effort… mobile operating systems seem to take the isolation of applications a lot more seriously). You could maybe argue that the anti virus software is useful for monitoring, but I’d rather have some stronger guarantees that my application isn’t going to take my lunch money and private keys than a notice a day later that something sketchy is on my machine… I won’t flat out say a virus scanner is completely useless, because of course you can contrive of scenarios where one could be helpful, but they’re kind of dubious.
  
  Also yeah, ClamAV afaik isn’t really used like a typical windows antivirus. It’s mostly used on mail servers to scan email attachments. It’s not necessarily even looking for “Linux viruses”.
  
  source
NaibofTabr@infosec.pub ⁨8⁩ ⁨months⁩ ago
The core problem with this approach is that antivirus scanning is generally based on signature recognition of malicious binaries. Behavior-based antivirus scanning mostly doesn’t work and tends to generate a lot of false positives. No freely available antivirus is going to have a signature library that is kept up to date enough to be worth the effort of running it on Linux - most vulnerabilities are going to be patched long before a free service gets around to creating a signature for malware that exploits those vulnerabilities, at which point the signature would be moot. If you want antivirus that is kept up to date on a weekly or better basis, you’re going to have to pay for a professional service.

That said, there are other, simple (and probably more effective) options for hardening your systems:

Firewall - if your servers are dedicated to specific services and you don’t plan on adding many more applications, you should be able to tighten up their firewalls to have only the ports they need open and nothing else. If network security is a priority, you should start with this.

Application Whitelisting - prevent unrecognized applications from running. There are more options for this on Windows (including the builtin Applocker), but there are some AWL options for Linux. It’s a lot easier to recognize the things that you do want to run than all of the things that you don’t want to run.

Secure OS - I assume you’re using Debian because it’s familiar, but it is a general-purpose OS with a broad scope. Consider switching to a more stripped-down variant like Alpine Linux (it can be installed on a Pi).
source
- MonkderZweite@feddit.ch ⁨8⁩ ⁨months⁩ ago
  Btw, bash has a restricted mode.
  
  source
- skilltheamps@feddit.de ⁨8⁩ ⁨months⁩ ago
  The firewall point I just don’t get. When I set up a server, for every port I either run a service and it is open, or I don’t and it is closed. That’s it. What should the firewall block?
  
  source
  - NaibofTabr@infosec.pub ⁨8⁩ ⁨months⁩ ago
    A malware might create a service which opens a previously closed port on your system. An independently configured firewall would keep the port closed, even if the service was running without your knowledge, hopefully blocking whatever activity the malware was trying to do.
    
    source
  - BlueBockser@programming.dev ⁨8⁩ ⁨months⁩ ago
    If an attacker already has access to a system, they can use hitherto closed ports to communicate with C2 servers or attack other devices. In that case, a firewall that only allows known-good traffic will prevent further damage.
    
    source
  - anyhow2503@lemmy.world ⁨8⁩ ⁨months⁩ ago
    You can set up an intrusion detection/prevention system, that logs/blocks certain traffic. If you do have public services running, you could block access based on location, lists of known bad actors etc. I guess you could argue that this is beyond the scope of a traditional firewall.
    
    source
  - XTL@sopuli.xyz ⁨8⁩ ⁨months⁩ ago
    Firewalls set and enforce policy. Closed ports are only incidentally secure. Also, they can do a lot more than answer “nothing is listening here”.
    
    source
  - IcedCoffeeBitch@lemmy.world ⁨8⁩ ⁨months⁩ ago
    I don’t use a firewall apart from router, but if you set a firewall in all of your devices, the chances of one of them getting infected and spreading it to the others via LAN would be low theoretically.
    
    source
  - SheeEttin@lemmy.world ⁨8⁩ ⁨months⁩ ago
    A modern firewall might also block connections to known bad sites, in case you do somehow get malware reaching out to a command & control server. Or it might identify malicious application traffic over a port that should be for a more trustworthy service.
    
    But these are usually only a concern in places like businesses or schools where there are a lot more people, devices, etc. on the network, especially if there’s a guest network.
    
    source
jlh@lemmy.jlh.name ⁨8⁩ ⁨months⁩ ago
I’m a senior Linux/Kubernetes sysadmin, so I deal with system security a lot.

If you’re not already running your servers in Docker, you should. Its extremely useful for automating deployment and updates, and also sets a baseline for isolation and security that you should follow. By running all your services in docker containers, you always know that all of your subcomponents are up to date, and you can update them much faster and easier. You also get the piece of mind knowing, that even if one container is compromised by an attacker, it’s very hard for them to compromise the rest of the system.

Owasp has published a top 10 security measures that you can do once you’ve set up Docker.

github.com/OWASP/…/owasp-docker-security.pdf

This list doesn’t seem like it’s been updated in the last few years, but it still holds true.

Don’t run as root, even in containers

Update regularly

Segment your network services from each other and use a firewall.

Don’t run unnecessary components, and make sure everything is configured with security in mind.

Separate services by security level by running them on different hosts

Store passwords and secrets in a secure way. (usually this means not hardcoding them into the docker container)

Set resource limits so that one container can’t starve the entire host.

Make sure that the docker images you use are trustworthy

Setup containers with read-only file systems, only mounting r/w tmpfs dies in specific locations

Log everything to a remote server so that logs cannot be tampered with. (I recommend opentelemetry collector (contrib) and loki)

The list goes into more detail.
source
- just_another_person@lemmy.world ⁨8⁩ ⁨months⁩ ago
  Big eyeroll on this shit here 🙄
  
  Containers aren’t more secure, they are just less likely to be a propagation point to something that might ransack a Windows network.
  
  An vulnerable runtime is a vulnerable runtime. If it’s exposed to a public network, it will eventually be found and breached. Stop spouting this “containers everywhere” bullshit in the name of security. It’s asinine, and makes you sound bad your job. A bare metal server running any runtime version of anything is just as vulnerable as any container, you twat.
  
  source
  - jlh@lemmy.jlh.name ⁨8⁩ ⁨months⁩ ago
    I dont see how anything I said justifies you calling me names and calling me bad at my job. Chill out.
    
    Containers allow for more defense-in-depth, along with their multiple other benefits to maintability, updatability, reproducibility, etc. Sure, you can exploit the same RCE vuln on both traditional VMs and containers, but an attacker who gets shell access on a container is not going to be able to do much. There are no other processes or files that it can talk to or attack. There’s no obvious way for an attacker to gain persistence, since the file system is read-only, or at least everything will be deleted the next time the container is updated/moved. Containers eliminate a lot of options for attackers, and make it easier for admins to setup important security systems like firewalls and a update routine.
    
    Obviously containers aren’t always going to be the best choice for every situation, architecting computer systems requires taking into account a lot of different variables. Maybe your application can never be restarted and needs to have a more durable, VM solution. Maybe your application only runs on Windows. Maybe your team doesn’t have experience with kubernetes. Maybe your vendor only supplies VM images. But running your applications as stateless containers in Kubernetes solves a lot of problems that we’ve historically had to deal with in IT Operations, both technically and organizationally.
    
    source
    -> View More Comments
- Trainguyrom@reddthat.com ⁨8⁩ ⁨months⁩ ago
  Hey, kinda off topic but what’s the best way to get into a Linux/Kubernetes admin role? I’ve got a degree in networking, several years of helpdesk experience and I’m currently working as an implementation specialist.
  
  Is that something I could simply upskill and slide into or are there specific certs that will blow the doors open for new opportunities?
  
  source
  - jlh@lemmy.jlh.name ⁨8⁩ ⁨months⁩ ago
    Sure! I got my start with this sort of tech, just running docker containers on my home server for running stuff like nextcloud and game servers. I did tech support for a more traditional web hosting MSP for a while, and then I ended up getting hired as a DevOps trainee for a internal platform team doing Kubernetes. I did some Kubernetes consulting after that and got really experienced with the tech.
    
    I would say to try running some Docker containers and learn the pros and cons with them, and then I would say to start studying for the CKAD certification. The CKAD cert is pretty comprehensive and it’ll show you how to run docker containers in production with Kubernetes. Kind is a great way to get a Kubernetes cluster running on your laptop. For more long term clusters, you can play around with k3s on-prem, or otherwise, I would recommend Digital Ocean’s managed Kubernetes. Look into ArgoCD once you want to get serious about running Kubernetes in production.
    
    I think with a CKAD cert you can land a Kubernetes job pretty easily.
    
    I would probably only recommend the CKA cert on the path to CKS. CKA gets into a lot of the nitty gritty of running a kubernetes cluster, that I think most small-to-medium companies would probably skip and just run a managed solution.
    
    Kubernetes has a steep learning curve, since you need to understand Operations top-to-bottom to start using it, but once you have it in your tool belt, it gives you endless power and flexibility when it comes to IT Operations.
    
    source
- lal309@lemmy.world ⁨8⁩ ⁨months⁩ ago
  This is pretty much what I have setup. I’m not logging to a separate server but I do have other things setup like fail2ban, changes default ports, secrets management, etc. Good resource tho
  
  source
tuff_wizard@aussie.zone ⁨8⁩ ⁨months⁩ ago
I think you’re about to find out that the “belief” that Linux doesn’t need antivirus isn’t just held by everyone in this community, it’s held by the whole Linux community. Hence there being no active projects in the space.

Heck you almost don’t need any antivirus in windows anymore. Just windows defender and half a brain when it comes to what you download.

source
- aksdb@feddit.de ⁨8⁩ ⁨months⁩ ago
  Many security experts I know consider AV software to be snake oil. I do so too. They are so complex and need so far reaching permissions to be somewhat effective, that they become the attack vector and/or a large risk factor for faulty behavior.
  
  Add in lots of false positives and it just numbs the users to the alerts.
  
  Nothing beats educating users and making sure the software in use isn’t braindead. For example Microsoft programs that hide file extensions by default is a far bigger security problem than a missing AV tool. Or word processors that allow embedded scripts that can perform shit outside the application. The list goes on …
  
  source
  - surewhynotlem@lemmy.world ⁨8⁩ ⁨months⁩ ago
    Well that’s just not fair. Snake oil doesn’t get auto updated by the vendor, and then lock my production processes and cause an outage. I’d take a bottle of snake oil any day over Symantec.
    
    source
- peter@feddit.uk ⁨8⁩ ⁨months⁩ ago
  I don’t really understand that belief. There is plenty of Linux malware, you just need to have an unsecure service running to find that out
  
  source
  - Zeth0s@lemmy.world ⁨8⁩ ⁨months⁩ ago
    I have been using linux for almost 2 decades, never seen a virus. And I never heard of a colleague or friend who got one on Linux. That’s why no one has ever installed an antivirus, because, till now, the risk has been practically zero.
    
    On windows, on the other hand, I saw so many viruses on friends and relatives computers…
    
    People install antiviruses depending on the experience.
    
    To be fair, we all know on Linux viruses exist, but is objectively pretty difficult to get one. It is not worth installing an antivirus if one doesn’t actively install garbage from untrusted sources
    
    source
    -> View More Comments
  - skilltheamps@feddit.de ⁨8⁩ ⁨months⁩ ago
    What happens in the Windows world: Microsoft is not capable of creating and distributing a patch timely. Or they wait for “patch day”, the made up nonsense reason to delay patches for nothing. Also since Windows has no sensible means of keeping software up to date, the user itself has to constantly update every single thing, with varying diligence. Hence Antivirus: there is so much time between a virus becoming known and actual patches landing on windows, that antivirus vendors can easily implement and distribute code that recognizes that virus in the meantime.
    
    What happens in the linux world: a patch is delivered often in a matter of hours, usually even before news outlets get to report about the vulnerability.
    
    source
    -> View More Comments
LinuxSBC@lemm.ee ⁨8⁩ ⁨months⁩ ago
Behavior-based antivirus is extremely difficult, failure-prone, and almost entirely unnecessary because of how secure Linux is, so they don’t exist to my knowledge. Signature-based antivirus is basically useless because any security holes exploited by a virus are patched upstream rather than waiting for an antivirus to block it. ClamAV focuses on Windows viruses, not Linux ones, so it can be a signature-based antivirus, but not many people run an email server accessed by Windows devices or other similar services that require ClamAV, so not many people use it, and nobody made any alternatives.

If you’re worried about security, focus on hardening, not antiviruses.

source
Norgur@kbin.social ⁨8⁩ ⁨months⁩ ago
Okay, I think we can wrap this up: OP started with "I don't want to be convinced of the predominant oppinion about security" and kept their word.
OP: You got your answer. There is no alternative to ClamAV. ClamAV is open source so it will always be slower than apt update in fixing vulnerabilities.
You can wonder why the whole community that created tons and tons of cool shit for Linux with armies of talented people with way more IT knowledge than all of us combined didn't dedicate their time to Viruses. You can ask yourself how a virus would even get on your server... or you can not. Your choice. But the answer is: There is no alternative to ClamAV and ClamAV is set up mainly to detect Windows-Viruses that get spread by Mail-Attachments and the like.

source
- Dagamant@lemmy.world ⁨8⁩ ⁨months⁩ ago
  I could fork ClamAV and call it OysterAV then there would be a less maintained alternative
  
  source
nexusband@lemmy.world ⁨8⁩ ⁨months⁩ ago
There are none. ClamAV is the only one there is, because it has a very specific and narrow purpose. There are no viruses for Linux.

Chrootkit and rkhunter are also built for very specific things (detecting rootkits - or making them) and are not designed to protect, they are designed to analyse.

My writing here also isn’t specifically to OP, but to all others that may find this thread - Anti Virus for Linux is BS and unless you are running SMB and still have lots of Windows in your network, it’s absolutely not needed, especially if you follow the basics (like not doing stuff as root, using sudo and not giving out any system rights).

source
- Kangie@lemmy.srcfiles.zip ⁨8⁩ ⁨months⁩ ago
  
  There are no viruses for Linux.
  
  Blatant lies.
  
  en.m.wikipedia.org/wiki/Linux_malware
  
  source
  - nexusband@lemmy.world ⁨8⁩ ⁨months⁩ ago
    
    …some Linux machines definitely need anti-virus software. Samba or NFS servers, for instance, may store documents in undocumented, vulnerable Microsoft formats, such as Word and Excel, that contain and propagate viruses. Linux mail servers should run AV software in order to neutralize viruses before they show up in the mailboxes of Outlook and Outlook Express users.[
    
    Which is exactly what I said. ClamAV serves a very specific purpose and that’s this one.
    
    There are still no viruses for Linux specifically designed to break in to Linux, because it’s not possible.
    
    source
    -> View More Comments
adamth0@lemmy.world ⁨8⁩ ⁨months⁩ ago
I also use ClamAV, but only in specific circumstances, such as when a Linux server will be hosting end-user files. Perhaps a SAMBA server with a file share, or a web server which accepts user uploads.
In those cases, I might want to have it monitor the relevant part of the disk, but I also need to make sure my web application won’t fall over when the file it just accepted is unceremoniously ripped away from it. You can test that out using the EICAR file as your payload.
On a jump box, I might also have it turned on for scanning user home directories, by including /home, and then excluding any home directories for applications and daemons which might not deal well with having their IOPS nuked or delayed.

source
9tr6gyp3@lemmy.world ⁨8⁩ ⁨months⁩ ago
Honestly, the best antivirus for Linux is Arch.

source
- TenTypekMatus@lemmy.world ⁨8⁩ ⁨months⁩ ago
  No, it’s NixOS. Every package is self-contained in its own directory, which acts as chroot.
  
  source
  - Chobbes@lemmy.world ⁨8⁩ ⁨months⁩ ago
    AFAIK this is not what happens on NixOS. Every package gets installed into a directory that’s a hash of its dependencies in the nix store, but there’s no special isolation or anything on NixOS (well, when the packages are built there’s some isolation, but that’s mostly to keep the builds honest). That said, NixOS is a little better than most distros about creating separate daemon users for services with different permissions, but I don’t think it’s done universally.
    
    source
- lal309@lemmy.world ⁨8⁩ ⁨months⁩ ago
  Hahahahaha this actually made me chuckle. Thanks for that!
  
  source
  - 9tr6gyp3@lemmy.world ⁨8⁩ ⁨months⁩ ago
    Its a rolling release, so will always have the most up to date and patched packages the fastest. That concept is the antivirus.
    
    Can’t infect your machine if the vulnerabilities are already fixed.
    
    source
    -> View More Comments
corship@feddit.de ⁨8⁩ ⁨months⁩ ago
I don’t understand your intention, as for tips and hints and end you post on this line:

“Ps: if you have a different opinions than I do skip this post”

That’s the perfect recipe for a circle jerk.

source
beerclue@lemmy.world ⁨8⁩ ⁨months⁩ ago
I would recommend just setting up iptables & crowdsec. Open only the ports your services need, and add the relevant plugins to crowdsec. Nothing should come through.

If you have services that allow people to upload files, that’s a different story.

source
- lal309@lemmy.world ⁨8⁩ ⁨months⁩ ago
  I am running SMB although it’s not publicly available and setup with specific users having specific access to specific shares.
  
  Good note on crowdsec
  
  source
Decronym@lemmy.decronym.xyz ⁨8⁩ ⁨months⁩ ago
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters More Letters

IoT Internet of Things for device controllers

LTS Long Term Support software version

SSH Secure Shell for remote terminal access

[Thread #141 for this sub, first seen 17th Sep 2023, 06:25] [FAQ] [Full list] [Contact] [Source code]

source
h3ndrik@feddit.de ⁨8⁩ ⁨months⁩ ago
You’re probably doing it wrong. But I’m keeping quiet, as requested.

source
Alami@lemmy.world ⁨8⁩ ⁨months⁩ ago
I am not a expert in Linux, and I mostly rely on very strong passwords. I also discovered recently basic stuff like changing the default SSH port. Anyone knows of implementation of 2FA on Linux?

source
- RepulsiveDog4415@feddit.de ⁨8⁩ ⁨months⁩ ago
  I have a yubikey and use their pam-module for 2FA on sudo and ssh. Took a bit of time to configure, but now it works like charm: wiki.archlinux.org/title/YubiKey#Linux_user_authe…
  
  source
  - Alami@lemmy.world ⁨8⁩ ⁨months⁩ ago
    Thanks, I’m looking into it
    
    source
- just_another_person@lemmy.world ⁨8⁩ ⁨months⁩ ago
  Key only authentication is your easiest and safest bet. If you want something a little more elegant, look at setting up port knocking if this is a 24/7 service exposed to the public internet. Add a brute-force monitor like fail2ban or crowdsec as an added layer of protection if you want.
  
  source
  - Alami@lemmy.world ⁨8⁩ ⁨months⁩ ago
    Yes I do have fail2ban
    
    source
    -> View More Comments
- PlexSheep@feddit.de ⁨8⁩ ⁨months⁩ ago
  Changing the default porta is security through obscurity, which is not security but just a waste of time. Don’t rely on attackers “maybe not finding stuff” but rely on your stuff being secure, even if someone had all information about your network and system architecture.
  
  For 2fa, the other commenter mentioned yubikey pam modules. Those are probably useful, but if you want to secure your ssh server, the best solution is to use ssh keys and disable password login. I can really recommend that as its one of the few things in security that improves both usability and security.
  
  source
  - Alami@lemmy.world ⁨8⁩ ⁨months⁩ ago
    What’s an ssh key? Nvm I’ll research
    
    source
    -> View More Comments
  - adam@kbin.pieho.me ⁨8⁩ ⁨months⁩ ago
    One of the first things my base ansible role does is disable password logins. All keys, all the time.
    
    source
    -> View More Comments
- ChillPill@lemmy.world ⁨8⁩ ⁨months⁩ ago
  If at all possible, do not expose things like ssh, RDP, etc to the internet. Use traditional VPN or something like tail scale. Just because ssh is on a different port than normal doesnt mean an attacker couldn’t figure out that your running ssh on port 335.
  
  source
  - Alami@lemmy.world ⁨8⁩ ⁨months⁩ ago
    Well fail2ban went from very active to very quiet. It is definitely worth not leaving 22
    
    source

Fewer Letters	More Letters
IoT	Internet of Things for device controllers
LTS	Long Term Support software version
SSH	Secure Shell for remote terminal access