Viruses and other malware


Viruses and other malware

Postby schroedingerscat » Mar 22nd, '14, 11:16

Hello everybody

I started using Mageia about two years ago (Mageia 2) and I think I've never had problems with malware. Last week, I installed Mageia 4 on my mother's laptop. She keeps asking me about anti-virus software and is worried about security. I tried to explain to her that Linux is secure by architecture and that, as it is not very popular as a desktop OS, it is not attractive enough for malware programmers. Although, I installed ClamAV. But the German ClamAV Wikipedia page says that in the worst case, it only recognizes about 50% of all malware. My question is: Is Mageia really secure using the standard configuration? Is there a difference in security between KDE and Gnome (or Enlightenment)? What can I do to get as close to 100% safety as possible? And most important: Do I need better AV software (which surely will spy for the NSA)?

Thank you in advance and have a nice weekend
schroedingerscat
schroedingerscat
 
Posts: 20
Joined: Mar 19th, '14, 19:33

Re: Viruses and other malware

Postby Lebarhon » Mar 22nd, '14, 13:07

Hello,
I don't know much about viruses; all I can tell you is that I have used Linux exclusively since 2006, I never installed any AV, my security is always at the standard level and I have never seen any malware.
Lebarhon
 
Posts: 408
Joined: Mar 22nd, '11, 22:24
Location: France

Re: Viruses and other malware

Postby nigelc » Mar 22nd, '14, 14:14

Anti-virus software is really only for Windows machines.
Windows is insecure for lots of reasons.
nigelc
 
Posts: 266
Joined: Aug 28th, '11, 09:35

Re: Viruses and other malware

Postby doktor5000 » Mar 22nd, '14, 15:55

schroedingerscat wrote:Although, I installed ClamAV. But the German ClamAV Wikipedia page says that in the worst case, it only recognizes about 50% of all malware.
That's correct. Also, when you don't exchange files with Windows machines, there's pretty much no point using it at all IMHO. The only people that I know that use clamav are using it to provide more safety to the people using Windows machines if they exchange files with them. For Mageia itself this is pretty much irrelevant, to put it simply.

schroedingerscat wrote:My question is: Is Mageia really secure using standard configuration?
[...]
What can I do to get as close to 100% safety as possible?

The answer to your first question is non-trivial, and neither yes nor no is a valid answer. Best bet, to be honest: It depends.
It depends on what your definition of 100% safety really comes down to. As there's a user in front of the computer, you can never achieve anything even close.
If a user runs some software with administrator permissions to watch some video or whatever, and that's actually malware, you're doomed no matter what security level your box has.

To put it another way: Does Mageia offer a similar level of security to any other Linux distro out there, when used in a sensible and conscious manner? Definitely.

Some more practical details: Which security level did you choose during installation? Do you plan to run any services where other machines or users can connect to your box? E.g. an ssh server, webserver, database or something similar? How many users will be using that box?

How much 3rd party software do you plan to install (anything that's not open source, e.g. Skype, Teamviewer or similar)?

schroedingerscat wrote:Is there a difference in security between KDE and Gnome (or Enlightenment)?

In general, no. In detail, one difference is how fast those projects will react to fix security issues and severe bugs.
Another is their size and number of features compared to their exposure (number of users). E.g. KDE offers many more features than Enlightenment, so it is more vulnerable as it offers a greater attack surface. On the other hand, there are many more people working on KDE and a huge number of users, so bugs can be reported and fixed in a much more timely manner. On the reverse, you can't say that E is less secure, and you cannot simply compare those. As mentioned, it depends.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
 
Posts: 18062
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Viruses and other malware

Postby jiml8 » Mar 22nd, '14, 21:04

A lot of the Microsoft Windows design was driven by their marketing department, and by a strong desire to make life difficult for third-party developers who might compete with Microsoft on Microsoft's platform against Microsoft products. WordPerfect vs Microsoft Office is the classic example of this, as is the old Netscape vs Internet Explorer war.

The consequence is that much of the Windows design is tortuous and convoluted - and this plays a significant role in making it hard to secure. Later versions of Windows have become much more secure, but they have done so by employing a tortuous and convoluted security model - one which most people don't understand very well, and one that tends to be "in your face", requiring a lot of user action to read notifications and click them away. Consequently, most users get tired of it, and click them away without reading them. Also, there are many things you might need to do in Windows that require you to be an administrator, and as a result many people just define themselves as administrators in order to make their lives easy. This is a very bad thing, because it means any program running with that person's permissions can do just about anything.

In contrast, Linux was developed by developers for themselves. Linux is built to welcome third-party apps, and the result is a rational, well encapsulated environment. The resulting security model is pretty simple and easy to understand. Users are not constantly bombarded with popups demanding they do something. Instead, the normal user in the normal environment isn't bothered by any of that stuff...until he tries to do something that requires elevated privileges, and then he must enter a password. And there are only a few things that the ordinary user might need to do that require elevated privileges, so he is not constantly bombarded with demands to enter his password.

Given this architecture, the default Linux configuration is pretty secure. Not absolutely secure, no. But usually, the user has to play a major role in order to breach the security.

It is very difficult to crack the typical Linux box from outside, though they can be opened right up if you have the hardware in front of you. Thus, malware seldom gets a foothold in a Linux box, and even if it does, if the basic default security model is being followed by the user (only browse as an ordinary user, and only use root for things you absolutely must have root to do), then that malware can't spread far. It CAN damage that user's files, but CAN'T damage the system (though there have been some privilege escalation exploits in the past, and likely will be in the future...).

There is another characteristic of Linux that in many instances is a disadvantage, but in the current case is a profound advantage, and that is the extreme and steadily growing diversity of the Linux infrastructure. Linux is not an operating system, Linux is a family of closely related but distinct operating systems. This diversity is a bad thing for commercial developers; the test matrix can be horrendous, but it is a good thing for anti-malware purposes. Malware written to exploit one particular distro very possibly will not work on another distro.

The upshot? If you are running a firewall (and the default configuration of shorewall is just fine), and if you don't let bad guys have actual, physical access to the hardware, you are unlikely to have a malware problem with Linux.
jiml8
 
Posts: 1254
Joined: Jul 7th, '13, 18:09

Re: Viruses and other malware

Postby schroedingerscat » Apr 2nd, '14, 17:05

Thank you very much, you seem to know a lot about security. Because of Snowden, I'm a bit concerned about the NSA hacking a random innocent person's computer, e. g. installing a trojan. What about this risk?
schroedingerscat
 
Posts: 20
Joined: Mar 19th, '14, 19:33

Re: Viruses and other malware

Postby toomuchcoffee » Apr 4th, '14, 05:54

Don't worry too much about the NSA getting into your data. Make it as hard as you can, by all means, but if they really want to hack your computer, they will. They have unlimited resources and if all else fails, they can always put a gun to your head.

Seriously though, the first step when you secure your computer is to decide who the enemy is, i.e. who you want to defend the machine against. Spouse/kids/coworkers casually snooping on your files while you're in the bathroom? Amateurs with some hacking experience? Professional hackers in the employ of a company or organization with a decent budget? Gov't organizations with unlimited resources?

The first two groups are fairly easy to keep out of your data, then it gets a lot harder and the level of security you can achieve depends on how many resources you are willing to throw at it. Keeping gov't organizations like the NSA out of your data if they absolutely want in is probably not something you have the means to do.
toomuchcoffee
 
Posts: 3
Joined: Mar 15th, '14, 03:40

Re: Viruses and other malware

Postby schroedingerscat » Apr 6th, '14, 23:10

Thank you very much for your precise answer. I was just wondering if it was possible to protect a computer against RANDOM (not directed) attacks, e.g. sending a virus as an attachment to an e-mail. Surely, if a government wants to crack your hard disk encryption, it can. My point is just the following: I want it to be as hard (and because of that as unattractive) as possible. If 100 million people encrypted their e-mails, it would be impossible to crack RANDOM private messages, I guess. And it is not very efficient to randomly crack private messages of citizens just because they hope to hit the 0.000001% of criminal communication.
So what can I do to protect my system against undirected attacks?
schroedingerscat
 
Posts: 20
Joined: Mar 19th, '14, 19:33

Re: Viruses and other malware

Postby XTVEngr » Oct 31st, '14, 23:33

While this is an old topic, it covers an interesting subject for me.
While Linux is, by design, more secure than ...that other popular operating system, there is still one big hole in that security: the user. If somebody downloads malware, being tricked into thinking it's something else, and then installs it while using root authority, there's nothing to prevent that malware from doing whatever it was designed to do.

I'm starting to wonder about my most recent Firefox 31.2 update from Mageia, actually. I keep getting what look like Google 404 error pages despite my not having visited Google, and the URL in the Firefox address bar still showing whatever page I had intended to visit (various pages, none of which was Google) so it is impossible to tell where the 404 page actually originated.

The same problem occurs when using the other browser provided with Mageia, and the usual clearing of all cookies, history, and cache files provides no solution. As a diagnostic experiment, I've booted into Win7, and found that this particular problem doesn't appear while using that OS. This test at least rules out any hardware problems or anything external to my computer, I think.

I'll just leave this here as a thought-provoker for any interested parties, while I go back to working on it.
XTVEngr
 
Posts: 4
Joined: Dec 21st, '12, 22:57

Re: Viruses and other malware

Postby doktor5000 » Nov 1st, '14, 00:55

Why do you seem to think that this is the result of some virus or malware?

For the websites that seem to show 404 pages, did you try to check the connectivity e.g. via curl or wget to see what the problem is?
Did you check if the browser is set to offline mode or maybe some proxy is configured that cannot be reached?

And no, it's not impossible to tell where those 404 pages originated. Simply have a look at the page source.
doktor5000
 
Posts: 18062
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Viruses and other malware

Postby jiml8 » Nov 1st, '14, 01:46

As a relevant and rather important aside to this, there is a source other than the user who provides a weakness to the system. That other source of weakness is the vendor who provides the Linux distro, if that vendor is focused on "convenience" rather than maintaining security.

A recent - and very serious - example of this was the Synology ransomware debacle, where Synology NAS devices, using a custom Linux distro provided by Synology, configured as Synology recommended and supported, and not patched with the most recent security updates, were hacked from outside and had ransomware installed, which proceeded to encrypt every file on every affected NAS. Users had to pay a very expensive ransom to get a key from the bad guys in order to decrypt their files. That one is still playing out...it happened in August.

Earlier this year, Synology was hit with another attack, where their NAS devices were hacked from outside and turned into a botnet to mine bitcoins.

The point is that any OS can be a target. Linux is actually a high-value target because of the huge percentage of the internet that runs on it. It is seldom hacked because it is basically a very secure design. My own systems are under constant attack; I monitor that continuously. One attacker in the last decade has succeeded in penetrating part way into one system (it had a weak password on one service), and I kicked them out within 20 minutes.

But when that security is compromised by design, as happened with Synology, Linux can be and will be attacked.
jiml8
 
Posts: 1254
Joined: Jul 7th, '13, 18:09

Re: Viruses and other malware

Postby XTVEngr » Nov 1st, '14, 22:44

doktor5000 wrote:Why do you seem to think that this is the result of some virus or malware?

For the websites that seem to show 404 pages, did you try to check the connectivity e.g. via curl or wget to see what the problem is?
Did you check if the browser is set to offline mode or maybe some proxy is configured that cannot be reached?

And no, it's not impossible to tell where those 404 pages originated. Simply have a look at the page source.

Thanks for replying, however, I really don't know where it originated. It might have been generated within my own computer.
I do have a slow and unreliable (Clearwire) ISP, and at first assumed that could be part of my problem. However, other computers here function correctly.
I am not attempting to surf in offline mode, and there is no proxy.

If you'd like to see a copy-and-paste of the page source, here it is. In this particular incident, the "404 Page" appeared while I was viewing a web forum. It is not actually associated with the forum page, as it happens at other websites as well. This page source links to Google only to get the image files. If the 404 page didn't come from the forum page or from Google, where did it come from?
This 404 Page appears only when using a fully-updated version of Mageia. Another computer with a version of Mageia that hasn't been updated for three weeks functions properly, with no errors. Knowing no better, I can only suspect some connection between the most recent updates and this problem.

<!DOCTYPE html>
<html lang=en>
<meta charset=utf-8>
<meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
<title>Error 404 (Not Found)!!1</title>
<style>

*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-
height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0
22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-
width:none;padding-right:0}}#logo{background:url(//www.google.com/images/errors/logo_sm_2.png) no-repeat}@media only screen and (min-resolution:192dpi){#logo
{background:url(//www.google.com/images/errors/logo_sm_2_hr.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/errors/logo_sm_2_hr.png)
0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/errors/logo_sm_2_hr.png) no-repeat;-webkit-background-
size:100% 100%}}#logo{display:inline-block;height:55px;width:150px}

</style>
<a href=//www.google.com/>
<span id=logo aria-label=Google></span>
</a>
<p>
<b>404.</b>
<ins>That’s an error.</ins>
<p>The requested URL <code>/Forum/posting.php?mode=reply&amp;f=9&amp;t=1759</code> was not found on this server.
<ins>That’s all we know.</ins>
XTVEngr
 
Posts: 4
Joined: Dec 21st, '12, 22:57

Re: Viruses and other malware

Postby jiml8 » Nov 1st, '14, 22:58

Error 404 is "not found". You can get this error if your transmission is corrupted, and the receiving system is ignoring checksums (as it very well might).

Such corruption is seldom a software or OS problem (it could be, but usually only on a system that is under development). You should look at your NIC, your cables, your modem, and the wires (or fiber) from your house back to your ISP for the source of the problem. Your problem is almost certainly someplace along that path, and not with your OS.
jiml8
 
Posts: 1254
Joined: Jul 7th, '13, 18:09

Re: Viruses and other malware

Postby Atticrat » Nov 1st, '14, 23:54

jiml8 wrote:Error 404 is "not found". You can get this error if your transmission is corrupted, and the receiving system is ignoring checksums (as it very well might).

Such corruption is seldom a software or OS problem (it could be, but usually only on a system that is under development). You should look at your NIC, your cables, your modem, and the wires (or fiber) from your house back to your ISP for the source of the problem. Your problem is almost certainly someplace along that path, and not with your OS.

It might not be a real 404.
Why would anyone get an "Error 404" alleging to be from a Google server when they are not viewing Google or Google-associated pages?
Atticrat
 
Posts: 24
Joined: Jan 28th, '13, 22:39

Re: Viruses and other malware

Postby jiml8 » Nov 2nd, '14, 00:01

Unless you explicitly block it, you very probably are hitting Google with almost every page you load from the web. Everyone uses Google Analytics. Very many sites access google.com for scripts. Then there is maps.google.com, ajax.googleapis.com, and a whole raft of others that I presently don't remember.

For the record, I explicitly block all contact with Google, unless something I really need to see requires a google script...and then, I only allow contact through TOR.
jiml8
 
Posts: 1254
Joined: Jul 7th, '13, 18:09

Re: Viruses and other malware

Postby XTVEngr » Nov 3rd, '14, 21:01

Pardon my stumbling along like this, but I think I've finally found a clue.
At random times, clicking any link or pressing F5, or refreshing a page by other means, will cause Firefox or other browsers in my installation of Mageia 4 to drop the domain name from the URL. Because of that, instead of it looking for "domain_a/directory_b/page_c" it tries to find "/directory_b/page_c" from other domains with predictable results. So far, it has gone most often to Google to find "/directory_b/page_c" and a few times it has gone to Facebook instead.

This happens even if I've cleared the browser history before clicking the link.

Once the problem appears, it tends to continue for several minutes before mysteriously resolving itself. It may be doing just that during the interval it takes me to shut down Mageia and then reboot into Windows to continue testing or to post here. If that's the case, this could still possibly be a DNS problem caused perhaps by congestion of the Clearwire 4G system.

Much later:
Wish me luck, guys... I found that the DNS servers for clear.com couldn't be found by nslookup, so I tried putting their IP addresses into my Mageia networking settings manually instead of relying on DHCP, and for the several hours since then... The problem has not reappeared. This was an ignorant shot in the dark on my part, but if it works... I'll go with it. I'm still studying for my CompTIA Network+ certificate, so you know I'm a newbie at this stuff.
XTVEngr
 
Posts: 4
Joined: Dec 21st, '12, 22:57

Re: Viruses and other malware

Postby united4 » Nov 7th, '14, 04:10

This sounds like DNS hijacking, check your router settings and security, chances are someone has gained access and changed DNS settings.
united4
 
Posts: 5
Joined: Nov 7th, '14, 04:06
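Two of the checks suggested in this thread (doktor5000's "look at the page source" to see where an unexpected error page came from, and united4's advice to verify the DNS settings the box is actually using) can be scripted so they run the same way every time. The following POSIX shell script is an added example, not code from the thread or from Mageia; the resolver addresses, the resolv.conf contents and the HTML fragment are constructed sample data (RFC 5737 test addresses), and the expected-resolver list is something you supply from your own router or ISP documentation.

```shell
#!/bin/sh
# Added example (not from the thread): two offline checks that follow the
# advice given above. All sample data below is constructed.

# 1. Which resolvers is this machine really using? Compare the nameserver
#    lines of a resolv.conf against the ones you expect. A resolver you did
#    not configure is one sign of the DNS hijacking mentioned above.
#    usage: check_resolvers /etc/resolv.conf "192.0.2.53 192.0.2.54"
#    returns 0 when every resolver is expected, 1 otherwise
check_resolvers() {
    conf="$1"
    expected="$2"
    status=0
    # only 'nameserver' lines count; the address is the second field
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$conf"); do
        case " $expected " in
            *" $ns "*) echo "ok       resolver $ns" ;;
            *)         echo "UNKNOWN  resolver $ns"; status=1 ;;
        esac
    done
    return $status
}

# 2. Where did a saved error page come from? List every host the page
#    references in links, images, stylesheets or scripts. For the 404 page
#    quoted earlier in this thread this yields only www.google.com, i.e.
#    the page was served by Google, not by the site shown in the URL bar.
#    usage: page_hosts saved_page.html
page_hosts() {
    grep -oE '(https?:)?//[A-Za-z0-9.-]+' "$1" | sed 's#^.*//##' | sort -u
}

# Constructed sample inputs so the script runs without network access.
# usage: write_samples DIRECTORY  (creates resolv.conf and page.html there)
write_samples() {
    mkdir -p "$1"
    cat > "$1/resolv.conf" <<'EOF'
# generated by dhcp (constructed sample)
search example.net
nameserver 192.0.2.53
nameserver 198.51.100.7
EOF
    cat > "$1/page.html" <<'EOF'
<a href=//www.google.com/><span id=logo></span></a>
<body style="background:url(//www.google.com/images/errors/robot.png)">
<p>The requested URL <code>/Forum/posting.php?mode=reply</code> was not found.
EOF
}

# Stand-alone demonstration: the second resolver is not in the expected
# list and gets flagged; the page references only www.google.com.
demo_dir="${TMPDIR:-/tmp}/dnscheck.$$"
write_samples "$demo_dir"
check_resolvers "$demo_dir/resolv.conf" "192.0.2.53"
page_hosts "$demo_dir/page.html"
rm -rf "$demo_dir"
```

On a real machine you would run `check_resolvers /etc/resolv.conf "<your router or ISP resolvers>"` and `page_hosts` on a page saved from the browser. Note that the page-source check only tells you which server built the page; if the resolver check fails, the next place to look is the router's DNS configuration, as united4 suggests, before assuming the browser or the OS is at fault.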