TL;DR - What are you running as a means of “antivirus” on Linux servers?

I have a few small Debian 12 servers running my services and would like to enhance my security posture. Some services are exposed to the internet and I’ve done quite a few things to protect the services and the hosts. When it comes to “antivirus”, I was looking at ClamAV as it seemed to be the most recommended. However, when I read the documentation, it stated that the recommended RAM was at least 2-4 gigs. Some of my servers have more power than other but some do not meet this requirement. The lower powered hosts are rpi3s and some Lenovo tinys.

When I searched for alternatives, I came across rkhunter and chrootkit, but they seem to no longer be maintained as their latest release was several years ago.

If possible, I’d like to run the same software across all my servers for simplicity and uniformity.

If you have a similar setup, what are you running? Any other recommendations?

P.S. if you are of the mindset that Linux doesn’t need this kind of protection then fine, that’s your belief, not mine. So please just skip this post.

You are viewing a single thread.
View all comments View context
2 points

The firewall point I just don’t get. When I set up a server, for every port I either run a service and it is open, or I don’t and it is closed. That’s it. What should the firewall block?

permalink
report
parent
reply
10 points
*

A malware might create a service which opens a previously closed port on your system. An independently configured firewall would keep the port closed, even if the service was running without your knowledge, hopefully blocking whatever activity the malware was trying to do.

Also, you can configure the firewall to drop packets coming in to closed ports, rather than responding to the sending device that the port is closed. This effectively black-holes the incoming traffic, so it looks like there’s just nothing there.

permalink
report
parent
reply
8 points

If an attacker already has access to a system, they can use hitherto closed ports to communicate with C2 servers or attack other devices. In that case, a firewall that only allows known-good traffic will prevent further damage.

permalink
report
parent
reply
4 points

You can set up an intrusion detection/prevention system, that logs/blocks certain traffic. If you do have public services running, you could block access based on location, lists of known bad actors etc. I guess you could argue that this is beyond the scope of a traditional firewall.

permalink
report
parent
reply
3 points

Firewalls set and enforce policy. Closed ports are only incidentally secure. Also, they can do a lot more than answer “nothing is listening here”.

permalink
report
parent
reply
3 points

I don’t use a firewall apart from router, but if you set a firewall in all of your devices, the chances of one of them getting infected and spreading it to the others via LAN would be low theoretically.

permalink
report
parent
reply
1 point

A modern firewall might also block connections to known bad sites, in case you do somehow get malware reaching out to a command & control server. Or it might identify malicious application traffic over a port that should be for a more trustworthy service.

But these are usually only a concern in places like businesses or schools where there are a lot more people, devices, etc. on the network, especially if there’s a guest network.

permalink
report
parent
reply

Selfhosted

!selfhosted@lemmy.world

Create post

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.

Rules:

  1. Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

Community stats

  • 4.9K

    Monthly active users

  • 3.5K

    Posts

  • 75K

    Comments