Does anyone know of a good tool for protecting Linux servers from spyware and viruses? I know they are rare for Linux, but certainly something is better than nothing. Something centralized in one location for all your servers would be best.
I would say it is unnecessary to protect your servers from viruses, unless they are mail servers (and you are scanning messages for viruses), serving Windows shares (Samba), or general content servers (CMS) sharing information with Windows-based machines. As for spyware, a server does not need this.
Rather than a virus scanner, I would go for a file integrity system like Tripwire, AIDE or BART. What these do is create a hash (like a digital fingerprint) of every important file on your system and store it somewhere only root can access. You can then have it check all the same files against the stored fingerprints every hour and email you if anything is out of place. You will usually need to tune its configuration a bit so that files that change automatically on a regular basis (like log files) don't set it off every day, but once you have, it can have extra benefits such as detecting when a rootkit is installed or when a new user is added. File integrity systems aren't foolproof; a hacker can simply update the database after he's made a user account and installed his rootkit, but with only an hour to find which system you have in place, figure out how to use it and install everything he needs, you will probably get at least one warning email.
I agree that a system such as Tripwire would do the trick; the issue is that if you are running something like cPanel you will get a TON of false positives. These systems automatically update themselves and therefore the hashes change. That means you get a false positive. For a non-auto-updating system these tools work great, but as most people use a control panel to control their system, it's just annoying. I run Tripwire on my own servers, but I manage them without any of these control panels for the most part. I tried to put it on a cPanel server and I got about three alerts each night as things update. That means you start totally ignoring the messages and the entire reason for the tool is null. For a control-panel-controlled server I would just rather see APF and BFD with some strict rules. This and hardening the server should get rid of most if not all attacks.
You have raised a tricky issue there... My first suggestion would be to configure your Tripwire to ignore the cPanel directory, but, of course, that's the most likely place for an attack to occur. You should be able to ignore certain files in the directory, but if it's an auto-update thing then you won't know in advance which files are going to be updated. Unfortunately, I don't have a solution to that. Of course, it's still worthwhile running a Tripwire and ignoring that directory for all of its other benefits.
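To make concrete what the file integrity tools mentioned in the thread actually do (baseline of hashes and metadata stored root-only, periodic rescan, report of anything out of place) and how the exclusions discussed for log files and an auto-updating control-panel tree fit in, here is a small added example. It is not code from any of the posters and not Tripwire, AIDE or BART; the exclusion patterns (`*.log`, `/var/log/*`, `/usr/local/cpanel/*`) and the function names are assumptions chosen for illustration.

```python
import fnmatch
import hashlib
import json
import os
import stat

# Hypothetical exclusion patterns: files that change on their own (logs) and,
# as the thread discusses, an auto-updating control-panel tree. fnmatch's "*"
# also matches "/", so "/var/log/*" covers the whole subtree.
DEFAULT_EXCLUDES = ("*.log", "/var/log/*", "/usr/local/cpanel/*")


def _sha256(path):
    """Stream the file through SHA-256 so large files don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _excluded(path, excludes):
    return any(fnmatch.fnmatch(path, pat) for pat in excludes)


def build_baseline(root, excludes=DEFAULT_EXCLUDES):
    """Return {path: {sha256, mode, uid, gid, size}} for regular files under root.

    Recording owner and mode as well as the hash means a chmod/chown on a file
    whose content is unchanged (e.g. making a binary setuid) is still reported.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if _excluded(path, excludes):
                continue
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are skipped in this example
            baseline[path] = {
                "sha256": _sha256(path),
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
            }
    return baseline


def compare(old, new):
    """Diff two baselines: added and removed paths, plus which fields changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = {}
    for path in set(old) & set(new):
        changed = [k for k in old[path] if old[path][k] != new[path][k]]
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline, db_path):
    """Write the database with mode 0600, i.e. readable only by its (root) owner."""
    fd = os.open(db_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(db_path):
    with open(db_path) as f:
        return json.load(f)


def check(root, db_path, excludes=DEFAULT_EXCLUDES):
    """One scheduled run: rescan root and diff it against the stored baseline."""
    return compare(load_baseline(db_path), build_baseline(root, excludes))


if __name__ == "__main__":
    # Typical use: build once after install, then run check() from cron and
    # mail the report whenever any of the three lists is non-empty.
    import sys
    root, db = sys.argv[1], sys.argv[2]
    if not os.path.exists(db):
        save_baseline(build_baseline(root), db)
    else:
        print(json.dumps(check(root, db), indent=1))
```

Keep the database outside the tree being scanned (or excluded from it), otherwise every run reports the database itself as changed. As the earlier post notes, an attacker with root can rewrite the database; keeping a copy off-host and diffing against that copy is what turns the hourly email into a real tripwire.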
cPanel/WHM updates all system software by default. If you allow it, the software will keep the entire system up to date. While this can be disabled, most people don't. They always pump out updates to software, making it easy for someone to manage a server. It truly cuts down on the overhead of running a web server for the first time. It is a true security risk, but I would much rather see cPanel updating a server automatically than the server never being updated. If you have never run cPanel before, the sucker takes over most of the server. To install the software you have to start from a fresh image and let it install all of its own RPMs. You can then tweak aspects of it to make the server secure, but only after it is done. The panel only allows you to update certain aspects of the server without being replaced. These control panels are far from ideal in the world of security, but from an ease-of-use standpoint they are great. At least that is for the non-sysadmin. I started out running various control panels and now find it better to run without them, as they are a pain. Most normal people never make this switch as it is just not worth their time.
cPanel/WHM is server software, not an antivirus or security center. You need many: rootkithunter, spf, bfd, Alter, etc.