Trend Micro, the world leader in Internet data protection and cloud security, detected a new rootkit a few days ago that targets Linux-based devices. The rootkit can strike 32-bit or 64-bit systems based on either Intel or ARM processors. Even embedded systems (such as routers) are at risk.
The rootkit is named Umbreon after the Pokémon of the same name, which hides in the shadows in the video game, hence the name of the malware.
After infiltrating your PC, Umbreon creates a user account that the attackers use to access the device via SSH. The picture below shows the welcome screen displayed when this backdoor account is accessed via SSH.
You can never be too careful when it comes to online security, especially if you’re dealing with highly sensitive data. Adding an extra layer of security to your Linux server can only be a good thing.
This guide works for Ubuntu 14.04, 14.10 and 15.04.
Google Authenticator is a security application that implements time-based one-time security tokens; this login scheme is also known as ‘two-factor authentication’. Every time you log in through SSH, it will ask you for your username, your password and a security code that the Google Authenticator application generates anew every 30 seconds. This means that even if an attacker knows your username and password, he still won’t be able to log in.
Researchers disclosed a new SSL/TLS vulnerability — the FREAK attack. The vulnerability allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use ‘export-grade’ cryptography, which can then be decrypted or altered.
A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204. Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.
psad (Port Scan Attack Detection) is an Intrusion Detection System written in Perl that analyzes iptables logs to monitor and block potential attackers that scan your system for open ports. What it does is actively monitor the networking logs, report suspicious activity to an email address and block the attackers using iptables.
Even though Linux systems are very hard to break into (as long as everything is up to date), you’ll feel safer if network traffic is monitored automatically and potential attackers are blocked before they even try anything.
Ubuntu desktops don’t have a firewall set up by default, so setting up an application like psad is an option worth considering for security.
Every time something goes wrong with your system or programs, something has been modified, or something needs your attention, an entry is created somewhere in the /var/log/ directory. LogWatch analyzes that data every night and sends you an email with a short report of the changes. That’s pretty useful, don’t you think? Also, LogWatch doesn’t run a daemon, so it won’t interfere with any services running on your computer.
Many Linux users, especially new ones, run their computers with nothing but the Linux OS: no network monitoring is performed, no IDS is running and no firewall is set up. While running a Linux distribution, the probability of being hacked is much lower than while running Windows, but still, it’s better to be safe than sorry.
This post will describe how to set up a very basic firewall using iptables by dropping all traffic by default and allowing only the traffic you really need.
OSSEC is a free, open-source host-based intrusion detection system (HIDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. It provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows. OSSEC has a centralized, cross-platform architecture allowing multiple systems to be easily monitored and managed.
Nmap (Network Mapper) is a security scanner used to discover hosts and services on a computer network, thus creating a “map” of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.
The software provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features. Nmap is also capable of adapting to network conditions including latency and congestion during a scan.