TL;DR - What are you running as a means of “antivirus” on Linux servers?
I have a few small Debian 12 servers running my services and would like to enhance my security posture. Some services are exposed to the internet and I’ve done quite a few things to protect the services and the hosts. When it comes to “antivirus”, I was looking at ClamAV as it seemed to be the most recommended. However, when I read the documentation, it stated that the recommended RAM was at least 2-4 gigs. Some of my servers have more power than other but some do not meet this requirement. The lower powered hosts are rpi3s and some Lenovo tinys.
When I searched for alternatives, I came across rkhunter and chrootkit, but they seem to no longer be maintained as their latest release was several years ago.
If possible, I’d like to run the same software across all my servers for simplicity and uniformity.
If you have a similar setup, what are you running? Any other recommendations?
P.S. if you are of the mindset that Linux doesn’t need this kind of protection then fine, that’s your belief, not mine. So please just skip this post.
Behavior-based antivirus is extremely difficult, failure-prone, and almost entirely unnecessary because of how secure Linux is, so they don’t exist to my knowledge. Signature-based antivirus is basically useless because any security holes exploited by a virus are patched upstream rather than waiting for an antivirus to block it. ClamAV focuses on Windows viruses, not Linux ones, so it can be a signature-based antivirus, but not many people run an email server accessed by Windows devices or other similar services that require ClamAV, so not many people use it, and nobody made any alternatives.
If you’re worried about security, focus on hardening and updates, not antiviruses.
I’m a senior Linux/Kubernetes sysadmin, so I deal with system security a lot.
I don’t run ClamAV on any of my servers, and there’s much more important ways to secure your server than to look for Windows viruses.
If you’re not already running your servers in Docker, you should. Its extremely useful for automating deployment and updates, and also sets a baseline for isolation and security that you should follow. By running all your services in docker containers, you always know that all of your subcomponents are up to date, and you can update them much faster and easier. You also get the piece of mind knowing, that even if one container is compromised by an attacker, it’s very hard for them to compromise the rest of the system.
Owasp has published a top 10 security measures that you can do once you’ve set up Docker.
https://github.com/OWASP/Docker-Security/blob/main/dist/owasp-docker-security.pdf
This list doesn’t seem like it’s been updated in the last few years, but it still holds true.
-
Don’t run as root, even in containers
-
Update regularly
-
Segment your network services from each other and use a firewall.
-
Don’t run unnecessary components, and make sure everything is configured with security in mind.
-
Separate services by security level by running them on different hosts
-
Store passwords and secrets in a secure way. (usually this means not hardcoding them into the docker container)
-
Set resource limits so that one container can’t starve the entire host.
-
Make sure that the docker images you use are trustworthy
-
Setup containers with read-only file systems, only mounting r/w tmpfs dies in specific locations
-
Log everything to a remote server so that logs cannot be tampered with. (I recommend opentelemetry collector (contrib) and loki)
The list goes into more detail.
Hey, kinda off topic but what’s the best way to get into a Linux/Kubernetes admin role? I’ve got a degree in networking, several years of helpdesk experience and I’m currently working as an implementation specialist.
Is that something I could simply upskill and slide into or are there specific certs that will blow the doors open for new opportunities?
Sure! I got my start with this sort of tech, just running docker containers on my home server for running stuff like nextcloud and game servers. I did tech support for a more traditional web hosting MSP for a while, and then I ended up getting hired as a DevOps trainee for a internal platform team doing Kubernetes. I did some Kubernetes consulting after that and got really experienced with the tech.
I would say to try running some Docker containers and learn the pros and cons with them, and then I would say to start studying for the CKAD certification. The CKAD cert is pretty comprehensive and it’ll show you how to run docker containers in production with Kubernetes. Kind is a great way to get a Kubernetes cluster running on your laptop. For more long term clusters, you can play around with k3s on-prem, or otherwise, I would recommend Digital Ocean’s managed Kubernetes. Look into ArgoCD once you want to get serious about running Kubernetes in production.
I think with a CKAD cert you can land a Kubernetes job pretty easily.
I would probably only recommend the CKA cert on the path to CKS. CKA gets into a lot of the nitty gritty of running a kubernetes cluster, that I think most small-to-medium companies would probably skip and just run a managed solution.
Kubernetes has a steep learning curve, since you need to understand Operations top-to-bottom to start using it, but once you have it in your tool belt, it gives you endless power and flexibility when it comes to IT Operations.
-
I think you’re about to find out that the “belief” that Linux doesn’t need antivirus isn’t just held by everyone in this community, it’s held by the whole Linux community. Hence there being no active projects in the space.
Heck you almost don’t need any antivirus in windows anymore. Just windows defender and half a brain when it comes to what you download.
Many security experts I know consider AV software to be snake oil. I do so too. They are so complex and need so far reaching permissions to be somewhat effective, that they become the attack vector and/or a large risk factor for faulty behavior.
Add in lots of false positives and it just numbs the users to the alerts.
Nothing beats educating users and making sure the software in use isn’t braindead. For example Microsoft programs that hide file extensions by default is a far bigger security problem than a missing AV tool. Or word processors that allow embedded scripts that can perform shit outside the application. The list goes on …
The core problem with this approach is that antivirus scanning is generally based on signature recognition of malicious binaries. Behavior-based antivirus scanning mostly doesn’t work and tends to generate a lot of false positives. No freely available antivirus is going to have a signature library that is kept up to date enough to be worth the effort of running it on Linux - most vulnerabilities are going to be patched long before a free service gets around to creating a signature for malware that exploits those vulnerabilities, at which point the signature would be moot. If you want antivirus that is kept up to date on a weekly or better basis, you’re going to have to pay for a professional service.
That said, there are other, simpler (and probably more effective) options for hardening your systems:
- Firewall - if your servers are dedicated to specific services and you don’t plan on adding many more applications, you should be able to tighten up their firewalls to have only the ports they need open and nothing else. If network security is a priority, you should start with this.
- Application Whitelisting - prevent unrecognized applications from running. There are more options for this on Windows (including the builtin Applocker), but there are some AWL options for Linux. It’s a lot easier to recognize the things that you do want to run than all of the things that you don’t want to run.
- Secure OS - I assume you’re using Debian because it’s familiar, but it is a general-purpose OS with a broad scope. Consider switching to a more stripped-down variant like Alpine Linux (it can be installed on a Pi).
The firewall point I just don’t get. When I set up a server, for every port I either run a service and it is open, or I don’t and it is closed. That’s it. What should the firewall block?
If an attacker already has access to a system, they can use hitherto closed ports to communicate with C2 servers or attack other devices. In that case, a firewall that only allows known-good traffic will prevent further damage.