Security on N900?


ME2g
09-02-2010, 04:31 AM
What about security on the N900?

As this is a Linux system is it possible to use some intrusion
detection software?
How about the Linux versions of antivirus software like AVG,
Avast, F-Prot, Clamav, Avira AntiVir ?

Gi0
09-02-2010, 05:39 AM
Why use an antivirus on a linux system?

gerbick
09-02-2010, 05:56 AM
There really isn't any for the platform, it seems.

kureyon
09-02-2010, 07:18 AM
The main use for virus scanning software on Linux is for those running a mailserver and want to prevent virus-laden email from reaching hapless Windows users.

Dany-69
09-02-2010, 07:49 AM
the main use for virus scanning software on linux is for those running a mailserver and wants to prevent virus laden email from reaching hapless windows users.

looooooool .. :D

rambo
09-03-2010, 03:44 AM
What about security on the N900?

As this is a Linux system is it possible to use some intrusion
detection software?
How about the Linux versions of antivirus software like AVG,
Avast, F-Prot, Clamav, Avira AntiVir ?

Binary-only versions are out unless the vendor specifically provides Maemo builds; source you can try to compile yourself. Anyway, antivirus is mostly useless on a device like this (though AFAIRecall the clamAV package is in the repo).

Same for IDS.

See my sig for links with more info.

danramos
09-03-2010, 03:59 AM
Actually, there are a number of exploits for Linux that are worth scanning for (and of course, the ones we're not aware of) so it's always worth being at least a little paranoid. The chances of getting infected/hacked on Linux in this way are pretty low because it's just simply not a common enough target and, even if it were, it's still harder to exploit generally because of all the variations of the kernel, drivers, distributions, etc. Operating system monoculture is bad... the very thing Microsoft tried to attack about Linux (maybe you remember the MS ads with the penguin bodies and other animal heads, poking fun at the Linux mutations and kernel customization!) is, in fact, a strength.

That being said, it's still a good thing to use a scanner even though the chances are low that you'll get infected--but you're mainly just trusting that someone isn't targeting your platform, not that it's just that strong.

nebel
09-03-2010, 04:13 AM
You can use iptables with Titan's kernel. What I miss is a userland (application)-based firewall for Maemo...

ste-phan
09-03-2010, 04:22 AM
I second that, security-wise, a good firewall is more useful than antivirus software.
I want to see which application is phoning home and where to!

Does anybody know how to block N900 Maemo out of the box connection to mail.lotuslive.com?

IP: 8.12.152.72
Port: 993
State: ESTABLISHED

Reverse DNS: 8-12-152-72.mail.lotuslive.com

danramos
09-03-2010, 04:23 AM
You can use iptables with titans kernel. What i miss is a Userland (Application)-based Firewall for Maemo...

So, once again, you have to basically do a root-like flash to replace the kernel with a more feature-packed one with more security too? Maemo's kinda lookin' a little more like everyone else here. Except, at least I think Android has iptables already compiled in (mine does, anyway--I played with it a bit). Not sure about WebOS.

But anyway, yeah. I would generally tend to agree as far as priorities go. Is that true that only the Titan kernel has iptables on the N900?

systemcrash
09-03-2010, 04:28 AM
I second that security wise a good firewall software is more useful than an Antivirus software.
I want to see what application is phoning home whereto!

Does anybody know how to block N900 Maemo out of the box connection to mail.lotuslive.com?

IP: 8.12.152.72
Port: 993
State: ESTABLISHED

Reverse DNS: 8-12-152-72.mail.lotuslive.com

Add an entry to /etc/hosts:

127.0.0.1 mail.lotuslive.com
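A scripted version of the hosts-file trick, added here as an illustration and not code from the thread. It assumes the busybox-style POSIX sh and awk found on Maemo 5; the hosts file path is a parameter so the logic can be tried on a copy before editing the real /etc/hosts as root. Two caveats worth carrying along: the name to pin is the one the client actually resolves, which is not necessarily the reverse-DNS name shown above, and a hosts entry only affects name resolution, so an already ESTABLISHED session stays up until the client reconnects and a client that connects by IP is unaffected. The iptables rule the script prints covers that case, given a kernel with the netfilter modules.

```shell
#!/bin/sh
# Added example: pin a hostname to loopback in an /etc/hosts-style file, once,
# and produce the netfilter rule that blocks the IP directly.
# HOSTS_FILE is a parameter so the logic can be tried on a copy first.

# hosts_lookup HOSTS_FILE NAME -> prints the address NAME maps to, if any.
# NAME is matched as a whole field, so "mail.example" does not match
# "notmail.example", and comment lines are ignored.
hosts_lookup() {
    awk -v n="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$1"
}

# block_host HOSTS_FILE NAME -> appends "127.0.0.1 NAME" unless NAME is already
# handled. Idempotent: a second call changes nothing. If NAME already maps to
# some other address the function refuses rather than silently adding a
# second, conflicting entry.
block_host() {
    current=$(hosts_lookup "$1" "$2")
    case $current in
        127.0.0.1) return 0 ;;                          # already blocked
        "")        printf '127.0.0.1 %s\n' "$2" >> "$1" ;;
        *)         printf 'refusing: %s already maps to %s in %s\n' "$2" "$current" "$1" >&2
                   return 1 ;;
    esac
}

# is_blocked HOSTS_FILE NAME -> true when NAME resolves to loopback via the file.
is_blocked() { [ "$(hosts_lookup "$1" "$2")" = "127.0.0.1" ]; }

# drop_rule IP PORT -> prints the iptables command that rejects new outbound
# TCP to IP:PORT. It needs root and a kernel with the netfilter modules, so it
# is printed here rather than executed.
drop_rule() {
    printf 'iptables -A OUTPUT -p tcp -d %s --dport %s -j REJECT\n' "$1" "$2"
}

# Usage on a copy (constructed input, not a real device's file):
#   cp /etc/hosts /tmp/hosts.test
#   block_host /tmp/hosts.test mail.lotuslive.com
#   is_blocked /tmp/hosts.test mail.lotuslive.com && echo pinned
#   drop_rule 8.12.152.72 993
```

After a real edit, check the live result from the device itself (e.g. `ping -c1 mail.lotuslive.com` should answer from 127.0.0.1) and restart the client, since an existing connection does not re-resolve the name.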

nebel
09-03-2010, 04:51 AM
So, once again, you have to basically do a root-like flash to replace the kernel with a more feature-packed one with more security too? Maemo's kinda lookin' a little more like everyone else here. Except, at least I think Android has iptables already compiled in (mine does, anyway--I played with it a bit). Not sure about WebOS.

But anyway, yeah. I would generally tend to agree as far as priorities go. Is that true that only the Titan kernel has iptables on the N900?

As far as I know the stock kernel comes without the netfilter modules; anyway, I read somewhere around the forum that basic filtering is supported just by installing the iptables (userland tools) package.

ME2g
09-03-2010, 08:41 AM
Actually, there are a number of exploits for Linux that are worth scanning for (and of course, the ones we're not aware of) so it's always worth being at least a little paranoid. The chances of getting infected/hacked on Linux in this way are pretty low because it's just simply not a common enough target and, even if it were, it's still harder to exploit generally because of all the variations of the kernel, drivers, distributions, etc. Operating system monoculture is bad... the very thing Microsoft tried to attack about Linux (maybe you remember the MS ads with the penguin bodies and other animal heads, poking fun at the Linux mutations and kernel customization!) is, in fact, a strength.

That being said, it's still a good thing to use a scanner even though the chances are low that you'll get infected--but you're mainly just trusting that someone isn't targeting your platform, not that it's just that strong.

The point with firewall issue made in this thread is a good one.

I also found this one interesting:
http://www.h-online.com/open/news/item/Root-privileges-through-Linux-kernel-bug-Update-1061563.html

Btw. which Kernel is used for Maemo 5?
I only found
"Maemo 5 is based on Linux 2.6 operating system."
here:
http://maemo.org/intro/platform/
and
"~/maemo_kernel/kernel-2.6.28"
here:
http://wiki.maemo.org/Documentation/Maemo_5_Developer_Guide/Kernel_and_Debugging_Guide/Maemo_Kernel_Guide
?

rambo
09-03-2010, 08:49 AM
For incoming connections the N900 as stock doesn't run any network facing services and thus in that sense things are rather good.

Due to the nature of the device a simple user-level-privileges trojan will totally ruin the user's day, and I don't think you can scan for all of them (at least without running everything in a sandbox and doing behaviour scanning, not exactly usable with these resources).

The stock kernel should be able to do basic iptables filtering; I haven't tried it personally (I run Titan's kernel), but some of the modules exist. It's just the more advanced netfilter features (like NAT) that are not supported.

Local privilege escalation exploits (most of the linux kernel exploits are in this class) are moot on the device when one can get root anyway with a single package install.

Outgoing connections are a good point; however, from a general usability perspective, blocking them by default and asking the user for confirmation would really suck (users are much less likely to install random crap that hasn't been at least on some level vetted by the community).

So, yes "There is nothing to worry" is "lies to children" but discussing the real risk cases gets too technical to those who "ask for AV/FW just because their Windows PC needs it" rather quickly.

Patroclo
09-03-2010, 09:01 AM
I would like if someone could port to n900 a simple to use firewall.

volt
09-03-2010, 09:04 AM
I fear the use of the word "virus" these days is a threat in itself, as it makes people relax their overall security sense. Even on Windows, the real threat isn't viruses any more.

There are lots of exploits to worry about on Linux as well as on Windows. Server logs are full of probes for weaknesses in PhpMyAdmin, Gallery2, PhpBB. Probes for SSH exploits are also common. And where does the term "rootkit" come from, you might ask yourself, as there is no root user in Windows? While Windows is easier to infect, Linux machines are more attractive because they're often servers, internet hubs, where you want to use their resources, take over their services, have more interesting content, whatnot.

At home, I have a Linux based router. It is old now, and I worry that the outdated linux packages have known issues.

Thankfully, IPTables seems to do a commendable job on Linux, but even so, for a desktop Linux machine I would have liked a ZoneAlarm-like GUI on top, to set rules and see activity. And yes, Antivirus. Although there aren't many Linux viruses running around yet, I'd still like to notice if there were other machines on my network sending out infected traffic.

But on any Linux desktop as well as on any Windows desktop, I'd really feel better if there was a hardware firewall (ie. router modem) between me and the internet.

I haven't been bothered with what-actually-is-viruses on my computers since, well honestly not since MS DOS disk swapping. But other malware, that's always a real threat.

gmuslera
09-03-2010, 09:26 AM
What about security on the N900?

As this is a Linux system is it possible to use some intrusion
detection software?
How about the Linux versions of antivirus software like AVG,
Avast, F-Prot, Clamav, Avira AntiVir ?

It's worse than just "antivirus is not needed on Linux": even if there existed a binary virus in the wild for Linux (traditional viruses have trouble running on it anyway), it would surely be for Intel processors and would not run on the N900's ARM.

But security is more than just antivirus. Trojans are malware too. When you are downloading a program (even a .deb) from an untrusted private repository you are not open just to potential bugs of that program that could render the device unusable; it could even have some evil code in it. At least the normal repositories' apps are somewhat peer reviewed (not saying that any programmer in the community, especially the ones that post links to download their apps for testing before putting them in the repositories, is doing that, but just don't rule out that someone new jumps in and posts a link to something that might not be exactly clean).

Firewalls are there to protect against people accessing services running on your computer that are not intended for others. You can see with netstat which services your device is listening on; if you install a web server, or e.g. irreco, which listens on port 8765, you have something that potentially could be accessed by the outside world, and you may or may not want that, or it may have a remotely exploitable vulnerability.

There are more things that "listen", e.g. Bluetooth, that by default should be secure, but how you use it could be insecure. Or connections that you open that could turn things insecure, like using untrusted/open wifi that could enable people to peek at your traffic or redirect you to rogue sites.

arkanoid
09-03-2010, 10:53 AM
Actually we have almost no security at all. Our system has a vulnerable Flash player capable of remote code execution and no one is going to bother to fix it.

danramos
09-03-2010, 01:00 PM
Actually we have almost no security at all. Our system has a vulnerable Flash player capable of remote code execution and no one is going to bother to fix it.

And that's a particularly valid point. Nokia's lack of frequent updates and significant closed-minded source code helps make exploits more likely.

Patroclo
09-05-2010, 08:19 AM
Is there a way to look at the running processes like the Windows Task Manager, in order to check if something "strange" is running?

cpm
09-05-2010, 09:03 AM
Is there a way to look at the running processes like the Windows Task Manager, in order to check if something "strange" is running?

From X Terminal: ps

And to list ip connections and listening processes, as root: lsof -i

Although a rootkit will probably hide itself so you wouldn't see it by using these commands anyway.
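An added example (not from the thread) that turns the netstat/lsof advice from gmuslera's and cpm's posts into a repeatable triage script. It reads text in the column layout of `netstat -tnp` as printed by busybox and GNU net-tools (Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name) and reports two things: connections to non-loopback peers, i.e. the "phoning home" candidates, and LISTEN sockets bound to something other than loopback, i.e. services reachable from the network. The embedded sample is constructed, modelled on the 8.12.152.72:993 connection and the irreco port 8765 listener mentioned earlier; the program names in it are invented. On a device, run `netstat -tnp | outbound_connections` as root (without root the PID/Program column is just "-"). As cpm says, a kernel-level rootkit can filter what netstat sees; this only catches what does not hide.

```shell
#!/bin/sh
# Added example: triage of netstat output for outbound connections and
# network-reachable listeners. Input format is that of `netstat -tnp`
# (Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program).
# On a device:  netstat -tnp | outbound_connections   (as root)

# Constructed sample in netstat -tnp layout; program names are invented and
# 203.0.113.10 is a documentation address, not a real peer.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8765            0.0.0.0:*               LISTEN      1522/irreco
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      900/cupsd
tcp        0      0 192.168.1.5:45678       8.12.152.72:993         ESTABLISHED 1234/mailclient
tcp        0      0 127.0.0.1:45679         127.0.0.1:631           ESTABLISHED 1300/browser
tcp        0      0 192.168.1.5:45680       203.0.113.10:443        SYN_SENT    1400/browserd'

# is_local ADDR: true for loopback and wildcard addresses
is_local() {
    case $1 in
        127.*|0.0.0.0|::1|::) return 0 ;;
        *) return 1 ;;
    esac
}

# outbound_connections: stdin in netstat -tnp layout ->
# "PEER_IP PEER_PORT STATE PROGRAM" for each non-LISTEN TCP socket whose
# peer is not loopback. Only tcp/tcp6 rows are considered; the header and
# any "Active Internet connections" banner are skipped by the $1 test.
outbound_connections() {
    awk '$1 ~ /^tcp/ && $6 != "LISTEN" { print $5, $6, $7 }' |
    while read -r peer state prog; do
        ip=${peer%:*}; port=${peer##*:}      # split on the last colon (IPv6-safe)
        is_local "$ip" && continue
        printf '%s %s %s %s\n' "$ip" "$port" "$state" "${prog#*/}"
    done
}

# exposed_listeners: stdin in netstat -tnp layout ->
# "PORT PROGRAM" for LISTEN sockets bound to anything but loopback
# (0.0.0.0, :: or an interface address), i.e. reachable from the network.
exposed_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { print $4, $7 }' |
    while read -r laddr prog; do
        ip=${laddr%:*}; port=${laddr##*:}
        case $ip in 127.*|::1) continue ;; esac
        printf '%s %s\n' "$port" "${prog#*/}"
    done
}

# Wrappers over the constructed sample so the results are reproducible offline.
sample_outbound()  { printf '%s\n' "$SAMPLE" | outbound_connections; }
sample_listeners() { printf '%s\n' "$SAMPLE" | exposed_listeners; }

sample_outbound
sample_listeners
```

On the sample this reports the lotuslive session and the half-open 203.0.113.10:443 attempt as outbound, skips the local browser-to-cupsd connection, and lists only irreco on 8765 as exposed, since cupsd is bound to 127.0.0.1. Anything it flags that you cannot account for is what you then look up with `ps` or `lsof -p PID`.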

kureyon
09-05-2010, 10:05 AM
A more user friendly way of examining running processes is htop (available in one of the repositories). You can scroll through the list of processes and kill the ones you don't like the look of (be careful!)

Patroclo
09-05-2010, 10:14 AM
Although a rootkit will probably hide itself so you wouldn't see it by using these commands anyway.

As far as I understood, there is no way at all to discover a rootkit on the N900, is there?

cpm
09-05-2010, 03:39 PM
As far as I understood, there is no way at all to discover a rootkit on n900, isn't it?

There are rootkit detection and related packages for Linux (e.g. chkrootkit, tripwire etc), but I've not seen any of them ported to the N900.

ME2g
09-06-2010, 02:24 PM
There are rootkit detection and related packages for Linux (e.g. chkrootkit, tripwire etc), but I've not seen any of them ported to the N900.

The last time I was looking for tripwire I did not find a newer
and free release.
Found AIDE
http://www.cs.tut.fi/~rammer/aide.html
instead.

Now I see that there is
http://sourceforge.net/projects/tripwire/
with "Release Date: 2010-03-11"
Did anybody check this on a Linux system (not necessarily N900)?

rambo
09-07-2010, 05:01 AM
As far as I understood, there is no way at all to discover a rootkit on n900, isn't it?

Doing a "clean boot" is kinda hard without reflashing the whole firmware. tripwire requires a known-good configuration to check against and I'm fairly sure a proper rootkit can fool it pretty easily (it's been a while but AFAIRecall tripwire only checks against file hashes and a proper rootkit can hide all modifications [see below]).

As for windows not having root user, it does have admin user and privilege separation etc so getting stuck with what the superuser happens to be called is kinda pointless.

Besides, rootkit these days refers to a program that hides its presence in the system (by patching itself in to filter things like the process list and disk access and simply serving "clean" versions to any other process that asks). Thus a clean boot (from a known-good CD for example) is needed so that the unpatched view of the system can be gained; this can then be compared to what the normally booted system looks like (explanation simplified, see "lies to children").

F-Secure (I used to work for them about 9yrs ago) has a tool called Blacklight for detecting rootkits, read the white papers if you want to know more.
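For the tripwire/AIDE part of this discussion, an added example of the baseline-and-compare idea in POSIX sh (an illustration, not tripwire's or AIDE's own code): record a SHA-256 for every regular file under a directory, then later diff the tree against that record and report ADDED, MODIFIED and REMOVED paths. It assumes sha256sum or shasum is on the PATH; the N900's busybox may only ship md5sum/sha1sum, in which case hash_file is the one line to swap. Keep the baseline where the device cannot rewrite it (a card mounted read-only, or off the device), and remember rambo's point above: the check trusts whatever the kernel answers, so a rootkit that filters file reads defeats it, and only a comparison made from a clean boot is an honest reference.

```shell
#!/bin/sh
# Added example: a minimal tripwire/AIDE-style file integrity check.
#   baseline DIR BASEFILE   records "hash path" for every regular file under DIR
#   check    DIR BASEFILE   compares the live tree against BASEFILE, prints
#                           ADDED/MODIFIED/REMOVED lines, exits 0 only if clean

# Prefer sha256sum (coreutils, newer busybox); fall back to shasum (BSD/macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# snapshot DIR -> "hash ./relative/path" lines, sorted so two runs are comparable.
# Paths are relative to DIR so the baseline can be taken from a mounted copy.
snapshot() {
    ( cd "$1" && find . -type f | sort | while read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done )
}

baseline() { snapshot "$1" > "$2"; }

# check DIR BASEFILE: first pass loads the baseline into old[path]=hash,
# second pass walks the current snapshot; anything left in old[] that was
# never seen has been removed. FILENAME is compared explicitly instead of the
# usual FNR==NR trick so an empty baseline file does not confuse the two passes.
check() {
    current=$(mktemp)
    snapshot "$1" > "$current"
    report=$(awk -v basefile="$2" '
        FILENAME == basefile { old[$2] = $1; next }
        {
            if (!($2 in old))        print "ADDED    " $2
            else if (old[$2] != $1)  print "MODIFIED " $2
            seen[$2] = 1
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED  " p }
    ' "$2" "$current" | sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage (on the device, as root, with the baseline on read-only media):
#   baseline /usr/bin /media/mmc1/baseline.usr-bin
#   ...later...
#   check /usr/bin /media/mmc1/baseline.usr-bin || echo "tree differs from baseline"
```

The report is sorted and each line starts with a fixed-width verb, so it can be fed to grep or diffed between runs. Paths with leading whitespace are the one thing `read -r` will mangle; for a system tree that is not a concern, for arbitrary user data it would be.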