15

Are there any mechanisms in the Linux desktop architecture to prevent malicious software keyloggers? What would be an ideal Linux setup to make it very difficult for an attacker to install a keylogger on the target system?

Does it matter if you use X vs Wayland vs Mir? How can grsecurity or SELinux or any other patch help to improve the situation?

Anders
student
  • Check out [this post by Steffen Ullrich](http://security.stackexchange.com/a/121915/61443), which points to an article about isolating two X server GUI apps from each other. – Mike Ounsworth May 01 '16 at 14:00
  • This link may help at some level. http://askubuntu.com/questions/696715/how-to-prevent-keyloggers-viruses-on-my-system – Nabin KC May 24 '16 at 08:42
  • I think this should be for http://unix.stackexchange.com/ – Shadow Jun 04 '16 at 11:22
  • @AnkitGupta Well, the question is about security and also about Linux, so it might fit both sites. Is there any specific reason why you think that it fits better on unix.stackexchange? – student Jun 04 '16 at 13:53

3 Answers

2

A key logger can be installed at different levels in the system, with different ways of detecting it. You already have other answers that explain that it could be installed in a dedicated process and how to detect its activity.

But it could also be installed by changing the part of the X11 server that processes keyboard inputs. If it is presented as an add-on offering additional capabilities like simpler input of non-ASCII characters, automatic xxx (put your most expected feature here), it can even be willingly installed by the end user on their own machine. Else, it could be installed (if the attacker managed to become root) at boot time through a dedicated init module.

It could also be installed as a kernel module and directly monitor physical keyboard activity. The installation procedures could be identical to the previous case.

The only way to secure a system is to always follow all security rules:

  • protect it with a strict firewall (easy)
  • never use root to do simple tasks (those two first rules are the principle of least privilege)
  • never run any uncontrolled piece of software on it

And the latter is the hardest to follow. Of course I assume that you only download system software and updates from official sources and do check checksums. But this game or add-on or utility looks so cute... And as soon as someone has made you execute code that he wanted while you would not have, it is no longer your system.

TL/DR: as usual, security cannot be reduced to technological tools but highly depends on human practices...

Serge Ballesta
1

There are plenty of security measures to take, starting with the most basic but most important: good firewall rules. But this can be very complicated in some situations. Instead of taking the approach of trying to make something very difficult, why not take the easy detection way?

In order for a keylogger to function, it would require an active process. Take a snapshot of your processes when the system is initially installed/clean and then from time to time run a process listing check. If new processes appear, then you will be able to quickly detect and eliminate any undesired one. If you need to run new ones, just update the valid process list.

This can be made a little easier: a script to output the process list to a file, or you can even take it a little further and schedule a script to compare the running processes with the initial ones you know to be valid.

Overmind
  • This won't help much with an open-source supply chain attack ([this](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610) is the most recent of [many](https://link.springer.com/chapter/10.1007%2F978-3-030-52683-2_2)). The firewall won't prevent node/python/etc. from downloading the malicious library, and while the system is running a node/python/etc. process, you won't see a specific process for the key logger. – Dan Dascalescu Feb 27 '21 at 10:08
1

As Overmind said, a simple solution to start with would be to check if you "trust" your currently running processes.

Here is a cute script I wrote; I posted it on my GitHub repo:

https://github.com/holtzilya2008/scripts/tree/master/cleanproc

cleanproc watches the currently running processes every 1 second. checkproc.sh checks whether each process is on my whitelist.txt and, if not, prompts me in the terminal and logs the "unrecognized processes" to cleanproc.log.

Remember though, that anything we do to protect ourselves from a keylogger is only to minimize the risk. If someone REALLY wanted to set a keylogger on your machine without you noticing, in the end he would do it. There is no 100% protection.

Holtz Ilya
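The process-whitelist check that Overmind's answer describes and that Holtz Ilya's cleanproc scripts implement, as an added example; this is not code from either answer or from the cleanproc repository. It assumes POSIX sh and a `ps` that accepts `-eo comm=` (procps on Linux). The whitelist, the sample process listing, and the name "unexpected-daemon" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the answers or from the cleanproc repository.
# Idea from both answers: keep a whitelist of known process names, take the
# current process table, and report anything that is not on the list.
# Assumes POSIX sh and `ps -eo comm=` (procps on Linux).

# Constructed whitelist of process names, one per line (the role of whitelist.txt).
WHITELIST='systemd
kthreadd
sshd
bash
Xorg
gnome-shell
ps'

# Constructed stand-in for `ps -eo comm=` output so the check runs offline.
# "unexpected-daemon" is a placeholder for a process that is not whitelisted.
SAMPLE_PROCS='systemd
kthreadd
sshd
bash
bash
Xorg
gnome-shell
unexpected-daemon
ps'

# Capture a baseline of the live process table: run once on a freshly
# installed system and store the output as the initial whitelist.
snapshot_procs() {
    ps -eo comm= | sort -u
}

# unknown_procs WHITELIST PROCS
# Print every distinct name in PROCS (newline-separated) that does not appear
# as a whole line in WHITELIST. Returns 0 if nothing unknown was found, 1 otherwise.
unknown_procs() {
    _wl=$1
    _found=$(printf '%s\n' "$2" | sort -u | while IFS= read -r name; do
        [ -z "$name" ] && continue
        # -x: whole-line match, -F: literal string, -e: name may start with '-'
        if ! printf '%s\n' "$_wl" | grep -qxF -e "$name"; then
            printf '%s\n' "$name"
        fi
    done)
    [ -n "$_found" ] && printf '%s\n' "$_found"
    [ -z "$_found" ]
}

# Compare the live process table against the whitelist (what a scheduled
# run would do); exit status 1 means something unrecognized is running.
check_live() {
    unknown_procs "$WHITELIST" "$(ps -eo comm=)"
}

# Demonstration on the constructed sample: prints "unexpected-daemon".
if ! unknown_procs "$WHITELIST" "$SAMPLE_PROCS"; then
    echo "sample check: unrecognized process(es) present" >&2
fi
```

Run `snapshot_procs > whitelist.txt` on the clean system, then schedule `check_live` (or run `unknown_procs "$(cat whitelist.txt)" "$(ps -eo comm=)"`) and act on a non-zero exit status. As Dan Dascalescu's comment above points out, this catches only a keylogger that runs as its own process: code loaded into an already-whitelisted interpreter such as node or python produces no new entry, and the `comm` field is simply the name the process was started with, so a match against the list is a weak signal on its own. Comparing the executable path behind each PID, or the package that owns it, against the baseline narrows that gap.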