Linux security/rootkits

I know that Sup Forums isn't anyone's tech support, but I'm running out of options here as various Linux forums don't have much info about this...

I've scanned my Ubuntu with Chkrootkit and Rkhunter. The former only finds one possible rootkit (ebury, most likely a false positive) yet Rkhunter finds 10 possible ones. My install is semi-fresh, I don't use SSH, firewall is on and blocking incoming connections, I don't download anything/visit shady sites, I update regularly, and safe-boot is also on from the BIOS-level.

The only way it could've been infected is if someone remotely hacked it.

What could've caused this? How do I fix this? Also general security thread.



bump

If you're worried about security try SElinux on Fedora/ Korora/ CentOS pick your poison.

Ubuntu doesn't have the best security defaults.


that'll do shit for a rootkit lol

Alright, thank you, I've read that SElinux is better than AppArmor which I use atm. Which one of those mentioned would be the best if I just want to play a few games through some Wine-alike programs, and without too much hassle given my limited knowledge of Linux in-general? And I assume I can install any desktop I want (i.e. Mate)..?

Did you just come by the thread to say that while not giving any advice?

yes,
>Sup Forums is NOT your personal tech support team or personal consumer review site.

Thank you for the bump tho

>Ubuntu doesn't have the best security defaults.

Why do you lie? Ubuntu has apparmor on by default.

Ubuntu has cryptographic integrity checking all the way from patch commit to install, which can be verified.

askubuntu.com/questions/57704/is-there-a-ubuntu-sanity-check

>Ubuntu has apparmor on by default.
Apparmor is just 2nd rate SE for people who don't feel like using free as in freedom NSA software on their PC.

No real good direction you can take it but I trust many eyes on SElinux considering the NSA is fairly open about their documentation. Makes pretty good recruiting material.


SELinux is usually just disabled.

>Rkhunter finds 10 possible ones.
Well, check them out and see if they look like false positives.
If unsure, maybe scan a fresh Ubuntu install so you can compare.

I've Googled each one of them, and most just say it's false positives, that it's notorious for doing so on Ubuntu. I just don't know why it shows more now than on the previous one. Haven't done anything differently. Will try what you said.

Maybe Rkhunter's latest version detects more false positives?

>SELinux is usually just disabled.
Yea.
I always go for a month or two of permissive and flip the switch.

Peace of mind on sitting boxes.

While we're on topic.

How can a Linux become infected remotely if everything in the OP is done? Even a 0-day exploit seems pretty difficult considering almost nothing is installed here.

Don't open ssh and don't have a root password "12345"

>he fell for the linux on desktop meme

I wrote that I don't use SSH but atm I'm a bit confused. It's disabled by default, right? And regarding root-password: This is possible to bruteforce & crack from afar, right? Fail2ban is sufficient to deal with that?

Nvm one google search cleared the first part for me. But what about the last part?

Root account is password locked on Ubuntu. If you have ssh running, generate an ssh keypair and set 'PasswordAuthentication no'.

You can run programs as a different user if you like. Create a sandbox user for example opisafaget. Give that account access to your X display and run some programs as that user.

xhost +SI:localuser:opisafaget
sudo -u opisafaget -i
xclock

>Root account is password locked on Ubuntu.
Sure, but how plausible is it that someone could bruteforce it? And is fail2ban a good enough measure to counter it (don't know jack-shit about it, but as far as I know it can block some spamming ip's)?

No, you can't bruteforce root on Ubuntu. Password is locked and sshd default is deny root password.

Cool, hopefully I'm safe then.

If you do enable ssh make sure you DISABLE PASSWORD AUTHENTICATION and use authorized_keys only.
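The advice in the two posts above (password authentication off, root login locked, keys only) can be checked against what sshd actually has in effect. This is an added example, not code from the thread: on a real host you would feed it the output of `sudo sshd -T`, which prints every effective keyword in lowercase; the sample below is constructed so the script runs offline.

```shell
#!/bin/sh
# Constructed sample of `sshd -T` output (lowercase keyword, value per line).
# This one still allows passwords, so the audit below reports a FAIL.
SAMPLE_SSHD_T='port 22
addressfamily any
permitrootlogin prohibit-password
passwordauthentication yes
pubkeyauthentication yes
usepam yes'

# sshd_setting <keyword> <sshd -T output>: print the effective value of one keyword.
sshd_setting() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# audit_sshd <sshd -T output>: one OK/FAIL line per check; returns 1 if anything FAILs.
audit_sshd() {
    rc=0
    pa=$(sshd_setting passwordauthentication "$1")
    if [ "$pa" = "no" ]; then
        echo "OK   passwordauthentication no"
    else
        echo "FAIL passwordauthentication is '${pa:-unset}' (set it to no, use authorized_keys)"
        rc=1
    fi
    prl=$(sshd_setting permitrootlogin "$1")
    case "$prl" in
        no|prohibit-password) echo "OK   permitrootlogin $prl" ;;
        *) echo "FAIL permitrootlogin is '${prl:-unset}' (root should not log in by password)"; rc=1 ;;
    esac
    pk=$(sshd_setting pubkeyauthentication "$1")
    if [ "$pk" = "yes" ]; then
        echo "OK   pubkeyauthentication yes"
    else
        echo "FAIL pubkeyauthentication is '${pk:-unset}' (you would lock yourself out)"
        rc=1
    fi
    return $rc
}

# Run the audit on the sample; the FAIL line is the expected finding here.
audit_sshd "$SAMPLE_SSHD_T" || :
```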

Infected iso?
>notorious on Ubuntu
I run rkhunter/chkrootkit on literally dozens of Ubuntu servers daily and have never had this issue

I've done an integrity check against the bootable USB I have, both "check cd for defects" when booting, and I ran the "md5sum -c md5sum.txt" command from my desktop after I navigated to the usb. No errors. Don't have the original .iso anymore and I guess it's futile to download another one if this is also infected, but these tests' results were error-less, so I don't think it's necessarily that.

>I run rkhunter/chkrootkit on literally dozens of Ubuntu servers daily and have never had this issue
Well... fuck. No idea what could've caused this.

>bruteforce and crack from afar
Is your computer behind a NAT? If so, did you open port 22 to the world? If not, there is almost zero chance someone brute-forced. Fail2ban will not do very much if you're not running anything public facing.

What checksum are you comparing that against? A defective iso prob wouldn't boot or install. An infected one would however, like what happened with Linux Mint for example.

Both Ethernet and wireless, don't think port 22 is open, no.

Maybe I fucked up here. I followed the instructions on this site, but maybe it's not meant to check for an infection:

askubuntu.com/questions/547332/can-an-integrity-check-be-run-against-a-usb-boot-disk

still here?

So the md5 sum of your installation image matched the checksum on Canonical's download page? That's generally done to verify the image didn't get corrupted during download, but an infected image also wouldn't match up either.

>So the md5 sum of your installation image matched the checksum on Canonical's download page
Did everything that was suggested in the first post on the link I posted, and it find zero errors.

> but an infected image also wouldn't match up either.
So... then it's all good? Really? Still wondering why Rkhunter gives these warnings though

Have to add, have run lynis as well, it gives only 1 warning which isn't a serious one at all

It's probably nothing to worry about. Lynis is pretty picky anyway, what was the warning?
Anything weird come back when you run nmap localhost?

2 ports are open...

Which?

25 and 631

>port 25
You running an email server?
>Port 631
Or a print server?
Are you sure these ports aren't open on your internet facing firewall (provided you don't need them to be?)

Neither doing either of those, so it's pretty strange. Don't use a firewall either. I blocked them in ip tables now, but if the damage is already done...

firewall as in a hardware one/router*

But I just looked now through the firewall, the applications going through those ports are legitimate, although a rootkit would probably hide its presence if it got through them.

So if I were to reformat, how would I make it secure from the start? I've not opened any ports manually.

And when I ran zenmap now, it says that they are all closed.

It's fine to have them open on the lan, foolish to open them to the wan
Use a hardware firewall
Disable ssh if you're not using it, set up a public/private keypair with a strong password and disable password authentication.
Use UFW/GUFW if you're unsure about iptables.
Not sure what you could be running other than a mail server that requires port 25 to be left open, but look into using ssl/tls authentication for it instead.
This is a decent guide on the basic stuff
thefanclub.co.za/how-to/how-secure-ubuntu-1604-lts-server-part-1-basics

You sure those ports are required open for incoming traffic and not outgoing?
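Whether the ports from the nmap scan (25 and 631 in the thread) are reachable from the LAN or WAN, or only from the machine itself, comes down to which address each listening socket is bound to; only listening sockets matter for incoming traffic, which is the distinction the post above asks about. This is an added example, not code from the thread: on a real host you would feed it `ss -Hltnp` (iproute2, header suppressed), and the sample lines below are constructed, using cupsd and the postfix master process as illustrative owners.

```shell
#!/bin/sh
# Constructed sample of `ss -Hltnp` output: State Recv-Q Send-Q Local Peer Process.
# Port 25 is bound to loopback only; port 631 is bound to every interface.
SAMPLE_SS='LISTEN 0 100 127.0.0.1:25 0.0.0.0:* users:(("master",pid=812,fd=13))
LISTEN 0 128 0.0.0.0:631 0.0.0.0:* users:(("cupsd",pid=655,fd=7))
LISTEN 0 100 [::1]:25 [::]:* users:(("master",pid=812,fd=14))
LISTEN 0 128 [::]:631 [::]:* users:(("cupsd",pid=655,fd=8))'

# listener_scope <ss output>: print "<port> <process> <scope>" per LISTEN line,
# where scope is loopback-only, all-interfaces or interface-specific.
listener_scope() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            proc = "?"
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            scope = "interface-specific"
            if (addr == "127.0.0.1" || addr == "[::1]")
                scope = "loopback-only"
            else if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
                scope = "all-interfaces"
            print port, proc, scope
        }'
}

# exposed_ports <ss output>: the distinct ports other machines could reach
# (bound to all interfaces), space separated; these are the ones a router or
# host firewall rule has to cover if they must not be reachable from outside.
exposed_ports() {
    listener_scope "$1" | awk '
        $3 == "all-interfaces" && !seen[$1]++ { printf "%s%s", sep, $1; sep = " " }
        END { print "" }'
}

listener_scope "$SAMPLE_SS"
echo "reachable from other hosts: $(exposed_ports "$SAMPLE_SS")"
```

A loopback-only listener, like port 25 here, is what a local mail transfer agent typically looks like and cannot be contacted from the LAN or WAN at all.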

>It's fine to have them open on the lan, foolish to open them to the wan
I just have to apologize for how noobish I am with this, but is there also a LAN with an ethernet-based connection? I always thought it was only for routers.

>Use a hardware firewall
Sure, will do

>link
Thank you very much. I see that it's for a server so I guess SSH isn't relevant, but other stuff seems logical.

What do you mean? sorry, I'm very tired atm. That they are open to send to the world, but not to receive anything through those ports? I have no idea btw, I blocked them

Just a quick question
> Secure shared memory.
I tried this earlier, but I don't know if it worked. How do you save a command line like that?

If you're running a program that requires others to be able to connect from outside your network, you would open a port to allow access to your network. If that's not the case, you want to allow network traffic to flow freely outgoing and be blocked from entering your network/computer.
Generally, the out-of-box configuration for most routers is to allow all outgoing requests and block incoming.

Use nano or gedit text editor instead of vi...

>Generally, the out-of-box configuration for most routers is to allow all outgoing requests and block incoming.
Yeah, that's the default setting I've had forever.

Just very strange that those came up when I did a scan.

Again, are these meant for LAN -- is that even a thing on ethernet?

Thank you, will do.

>than a mail server that requires port 25 to be left open
Is it possible that it might have something to do with Thunderbird being installed?