Do Linux Servers Need Antivirus?

by Ostatic Staff - Jan. 23, 2013

Having the datacenter at your office audited can be a painful experience. One of the toughest audits is known by the initialism “PCI”, which stands for Payment Card Industry. PCI audits are in-depth and require several layers of security, logging, and documentation. Unfortunately, many of the requirements of such audits are derived from a Windows-centric environment and make little sense on a pure Linux system. At the top of this list is the requirement for anti-virus to be installed on all servers, but how necessary is this precaution in real life?

A couple of my coworkers and I like to play a bit of a game: we pick out a system and see how long we can keep it up without requiring a reboot. (The current winner is sitting at 1761 days; I am not sure we will be able to beat that.) There are reasons why that machine has not been updated, and we take appropriate precautions to restrict access to the box. There was even a time, years ago now, when we ran our web servers with a default install of SUSE (SuSE? SuSe?) Linux with a public IP address on the Internet, and left them there, unpatched, for years. I’m not saying this was a good idea; it certainly was not, and it is not something I would do today, but requirements were different then. We did frequent checks of the server health and monitored the logs, and never saw a problem. Talking with other Linux sysadmins and open source enthusiasts, I don’t think I’m alone in this experience.

From time to time I hear the Windows sysadmins discussing viruses, and one of them made a point of letting me know about a version of Symantec Anti-Virus for Linux that we had a license for. I politely declined, suggesting instead that the Linux team adopt an open source solution, ClamAV. From his point of view, we might be better off installing the Symantec client for the audit, which seemed to me to be a bit of circular logic.

Symantec employees use this argument as well when pitching their product:

Totally agree with you. Compliance is a major reason why you need Antivirus on your Linux. Audit says every host on your network should have Antivirus protection. If it's a Server for a Financial Institution then governing bodies are actually strict on compliance.

I sympathize with the author of the linked article, I imagine it is a tough position to be in, something akin to selling ice to an Eskimo. However, I have found that by following a few simple rules for security, you can keep a Linux server running lean and mean for a long time.

First, and most important, know your server. Know what services are running, what network daemons are listening, and why. Know what versions of your daemons you are running, so you know ahead of time if there is a known issue with the software that could be exploited.

Second, run a firewall. Two, preferably: one on the network itself and one on the host. Knowing what daemons you run and which ports they listen on will make configuring the firewall correctly much easier.

Third, restrict root access and sudo privileges. Most network daemons do not need to run with root access anymore; they should run as their own user, and that user should not have a shell. That means you cannot SSH to the server as that user and get a shell back. Access to the root account should either be completely disabled, as in Ubuntu, or restricted to only the trusted systems administrators. There should also be no remote access to the root account, so SSH login as root should be disabled. (SSH access from the Internet should be disabled too; use a VPN.) That way, each person requiring a shell account must log in as themselves, which provides an audit trail. Auditors love audit trails.

Fourth, only install the software absolutely necessary for running the service that the server is intended for. No X11, Gnome, or other graphical software, no printer daemons, and absolutely no FTP servers, unless you are running an FTP server, of course.
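As an added example (not from the article or its author), here is a small POSIX sh audit script that checks the first, third and fourth rules against text input: service accounts in /etc/passwd that still have a login shell, the effective PermitRootLogin setting in sshd_config, and daemons listening on non-loopback addresses that are not on your allowlist. The sample passwd entries, sshd_config lines, ss output and the port allowlist are all constructed for the demonstration, and audit_host and the other function names are mine; on a real host you would feed it the actual files and the output of ss -tlnp.

```shell
#!/bin/sh
# Added example, not part of the OStatic article: a POSIX sh audit of the
# "know your daemons", "no shell for service users" and "no remote root" rules.
# Every function works on text passed as an argument, so it runs offline on the
# constructed samples below, or on a real host with something like
#   audit_host "$(cat /etc/passwd)" "$(cat /etc/ssh/sshd_config)" "$(ss -tlnp)" "22 80"
# Samples, allowlist and host details are all made up for the demonstration.

# Constructed sample of /etc/passwd (postgres has a login shell it does not need).
SAMPLE_PASSWD=$(printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
    'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin' \
    'postgres:x:110:115:PostgreSQL administrator:/var/lib/postgresql:/bin/bash' \
    'ftp:x:111:116:ftp daemon:/srv/ftp:/bin/false' \
    'alice:x:1000:1000:Alice:/home/alice:/bin/bash')

# Constructed sample of /etc/ssh/sshd_config (commented defaults must be ignored).
SAMPLE_SSHD_CONFIG=$(printf '%s\n' \
    '# sample sshd_config excerpt' \
    'Port 22' \
    '#PermitRootLogin prohibit-password' \
    'PermitRootLogin no' \
    'PasswordAuthentication yes')

# Constructed sample of `ss -tlnp` output (an FTP daemon nobody asked for).
SAMPLE_SS=$(printf '%s\n' \
    'State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process' \
    'LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))' \
    'LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=901,fd=6))' \
    'LISTEN  0       244     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=950,fd=5))' \
    'LISTEN  0       32      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1203,fd=3))')

# Rule three: system accounts (UID below 1000, other than root) must not have a
# login shell. Prints "user:shell" per violation; exit status 1 if any were found.
service_accounts_with_shell() {
    printf '%s\n' "$1" | awk -F: '
        $3 != 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 ":" $7; found = 1 }
        END { exit found ? 1 : 0 }'
}

# Effective value of one sshd directive: sshd uses the first uncommented
# occurrence, keywords are case-insensitive. (Match blocks are not modelled.)
sshd_effective() {  # $1 = config text, $2 = directive name
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print tolower($2); exit }'
}

# Rule three again: remote root login over SSH must be off.
sshd_root_login_disabled() {
    [ "$(sshd_effective "$1" PermitRootLogin)" = "no" ]
}

# Rules one and four: everything listening on a non-loopback address must be on
# the allowlist. $1 = ss -tlnp output, $2 = space-separated allowed ports.
# Prints "port process" for each listener you did not plan for.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allow=" $2 " '
        $1 != "LISTEN" { next }
        {
            n = split($4, a, ":"); port = a[n]
            if ($4 ~ /^127\./ || $4 ~ /^\[::1\]/) next   # loopback only: fine
            proc = $6; sub(/^users:\(\("/, "", proc); sub(/".*/, "", proc)
            if (index(allow, " " port " ") == 0) print port " " proc
        }'
}

# Run all three checks; exit status is the number of failed checks.
audit_host() {  # $1 passwd, $2 sshd_config, $3 ss output, $4 allowed ports
    problems=0
    out=$(service_accounts_with_shell "$1") \
        || { echo "service accounts with a login shell: $out"; problems=$((problems + 1)); }
    sshd_root_login_disabled "$2" \
        || { echo "PermitRootLogin is not set to 'no'"; problems=$((problems + 1)); }
    out=$(unexpected_listeners "$3" "$4")
    [ -z "$out" ] \
        || { echo "listeners not on the allowlist: $out"; problems=$((problems + 1)); }
    return $problems
}

if audit_host "$SAMPLE_PASSWD" "$SAMPLE_SSHD_CONFIG" "$SAMPLE_SS" "22 80"; then
    echo "no findings"
else
    echo "audit finished with $? finding(s)"
fi
```

The firewall rule is deliberately left out of the script, since how you inspect it depends on the tool in use; the practical link is that the port allowlist you pass to audit_host should be the same list the host firewall permits, so a daemon that appears in one and not the other is either an unplanned service or a hole in the firewall.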

Finally, this only scratches the surface of what is possible. Linux hardening is a field almost all its own, and there seems to be no end to the rabbit hole once you start down that trail. From file integrity checking tools like Tripwire to application behavior profiling like SELinux, to application jails with chroot, and yes, even to anti-virus, the architecture of Linux lends itself to being very secure. How locked down your servers need to be is a matter of time and responsibility.

Wikipedia’s article on Linux Malware lists a fairly short list of Linux viruses, and the research and experience I have tell me that the likelihood of a server I’m responsible for being infected is low. However, in the end, the question of whether Linux needs antivirus is not one for a professional systems administrator to answer. It is my responsibility to secure our servers and build them to ensure that they meet all of our security requirements, regardless of how I personally feel about their validity. Viruses on Linux might not be much of a threat, but I would not want to be the one caught on the misguided assumption that the platform is immune.