I love IP Tables....

jdow jdow at earthlink.net
Wed May 30 00:11:58 UTC 2007


From: "Les Mikesell" <lesmikesell at gmail.com>
> jdow wrote:
>
>>>
>>> Are you saying vulnerability to viruses is acceptable and end users are 
>>> supposed to be smarter than the OS vendors in working around it?
>>
>> Good anti-virus protection, regular updates, and good malware protection
>> for malicious scripts are all important for all operating systems.
>
> Agreed on updates.
>
>> AV
>> for Linux is pretty much lacking.
>
> There's no reason to expect a 3rd party to be able to improve it.

Do you understand how AV software functions? One mode checks file
signatures for known virus signatures and prevents them from running.
The cycle from discovering a virus to developing a signature for
catching it is MUCH faster than the usual bug report or even security
bug report to update cycle. Your period of vulnerability is reduced.
That is "a good thing." (tm)

>> However, something I've picked up sort
>> of sideways is that ClamAV scanning of email is a handy way to tag some
>> kinds of email that are perhaps not harmful to Linux but are annoying
>> as they clutter the mailbox. I rather imagine an install of FC6 raw off
>> the original ISO sources might not do too well if left alone on the
>> network with no other protection than it comes with. It'd last longer
>> than XP. But I rather suspect a naive "everything" sort of install
>> would get you into trouble with too many daemons you don't need running.
>
> Yes, you need to keep up with the updates.  What's "too many" daemons? The 
> point of having a computer is the services and often the remote access it 
> provides.

If you do not need a web server on your desktop, do not install it, let
alone run it. If you need to run it (for documentation) limit its access
from off the machine. If you must access it remotely don't enable
scripting facilities. And so forth.

If you do not need to run smtpd on your machine, then don't. If you do
not need to run a POP3 tool on your machine, then don't.

Worse yet if you don't need to run a geewizzilator daemon on your
system, then don't. (That is to say a "gee I wonder what's that"
daemon.)

>> There are defenses to set up. And I will note that the active anti-virus
>> activities in the Windows world are a quicker way to protect your machine
>> than to wait for updates. If crackers start seriously looking to crack
>> security in Linux I suspect it will suffer its own "I wish I had a Linux
>> AV tool" episodes. It's inevitable. Bugs are a feature of software unless
>> that software has gone through more thorough checks than even what I see
>> on the LKML. When there are an NP number of paths through the system over
>> all, preventing any possible cracking is not possible. Anyone who thinks
>> otherwise about a system the size of a Fedora Core package is nuts.
>
> There may be undiscovered bugs in Linux distros, but as they are 
> discovered there is no excuse for not fixing them in the product itself. 
> What possible good can come from a third party product (just as likely to 
> contain even more unknown vulnerabilities) being used as a band-aid 
> solution instead of just fixing issues as they are discovered?  And that 
> applies to all services - someone needs to run them and they should not 
> make their system any easier to crack beyond adding passwords that might 
> be guessed.

How many different "products" exist in the Red Hat and Fedora Core Linux
distributions?

{^_-}
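
Added example, not part of the original message: one way to check the "don't run daemons you don't need, and limit off-machine access to the ones you do" advice above is to audit listening TCP sockets and flag any that are reachable from other hosts but not on an allow-list. The sample input is constructed in the column layout of `ss -H -tlnp`, and the allow-list (SSH only) is an assumption for illustration.

```python
import re

# Constructed sample in the column layout of `ss -H -tlnp` (not from the post).
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 100 127.0.0.1:25 0.0.0.0:* users:(("master",pid=1020,fd=13))
LISTEN 0 128 [::]:80 [::]:* users:(("httpd",pid=1500,fd=4))
LISTEN 0 50 *:110 *:* users:(("dovecot",pid=1601,fd=21))
LISTEN 0 128 [::1]:631 [::]:* users:(("cupsd",pid=700,fd=6))
"""

# Assumption: SSH is the only service that must be reachable from off the machine.
NEEDED_REMOTE_PORTS = {22}


def is_loopback(addr):
    """True when the bind address only accepts connections from this host."""
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and any %iface scope
    return addr == "::1" or addr.startswith("127.")


def audit_listeners(ss_output, needed=NEEDED_REMOTE_PORTS):
    """Return sorted (port, bind_address, process) for listeners that are
    exposed beyond loopback and are not on the allow-list."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address is column 4; split on the last ':' so IPv6 survives.
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        match = re.search(r'\(\("([^"]+)"', line)
        proc = match.group(1) if match else "unknown"
        if is_loopback(addr) or int(port) in needed:
            continue
        findings.append((int(port), addr, proc))
    return sorted(findings)


if __name__ == "__main__":
    for port, addr, proc in audit_listeners(SAMPLE):
        print(f"exposed: {proc} listening on {addr}:{port}")
```

On the sample, the mail and printing daemons bound to loopback pass, while the web server and POP3 daemon bound to all interfaces are reported as candidates to stop, rebind to loopback, or firewall.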




More information about the fedora-list mailing list