Wilders Security Forums  

#51
August 18th, 2012, 07:09 PM
NGRhodes (Very Frequent Poster; joined Jun 2003; West Yorkshire, UK; 1,904 posts)
Re: Ubuntu security

Quote:
Originally Posted by dicknixon
Even in a hardened system a firewall is in place just in case something is misconfigured or missed altogether. .

So you admit that in a properly hardened and correctly configured system a firewall is not needed (which is what I said)?
#52
August 19th, 2012, 05:59 AM
mack_guy911 (Very Frequent Poster; joined Mar 2007; 2,483 posts)
Re: Ubuntu security

@dicknixon

I agree, pfSense etc., or if you had tried Astaro Security Gateway/Untangle, they give you more power over your security than pfSense UTM.

This thread belongs to Ubuntu security; if you'd like to debate UTMs etc. further, we can continue in the thread below:

http://www.wilderssecurity.com/showthread.php?t=284339

Now, as far as port scanning goes:

You can try Zenmap/nmap to check your system locally.

Example: I check my system from Zenmap/nmap locally, on the LAN side, or on the WAN side; they may or may not give me the same or different results on all 3.

Again, it's complex, depending on what you are trying to achieve.

For the WAN side you can try grc.com to see if it's blocked enough.


Example 2: now the second case. 90% of what hackers do is try your system; if they see a normal firewall etc. and not too much "bla bla" to interest him/her/them, they move forward, but if your system's security pisses them off and hurts their ego, what they do is put a bounty on your system on IRC etc. and call all the F#%^^ to S#%^ your system, and they keep doing it until their ego is satisfied.


So what I mean to say here is that hacking is complex.

Sometimes the great wall of firewalls breaks, and sometimes an average user never gets hacked in this lifetime because he/she is too boring and unchallenging.

For me, security is somewhere between not too hard and complex and not too easy for everyone to come in.


Maybe you agree or disagree; you have your right.
__________________
Scientific Linux 6.2, xubuntu 11.10 *2x, Linux mint 10, Linux mint 12, opensuse 11.4, windows vista, ubuntu 10.04 and windows xp
#53
August 19th, 2012, 08:02 PM
BrandiCandi (posts: n/a)
Re: Ubuntu security

Quote:
Originally Posted by dicknixon
It's called 'security in depth', 'layered defense' ... use search terms "security best practices". Then do me a favor and resist arguing against the use of firewalls. Some n00b will read your ill informed post and go on their merry way without it, which on the internet today is the equivalent of dancing naked in public. And if you happen to do that in a coffee shop or airport you might as well just hand over your passwords to whomever asks.
That's the main reason for my constant and vigilant argument on the topic. I want everyone at least to be aware that security professionals recommend a firewall. Everyone is free to make their own decision, but it should be an informed decision. If Hungryman and Nick Rhodes decide they don't want a firewall then I have no problem whatsoever with it.

Listen to the pros. Here are some links from pros for "home network security best practices."

http://www.zdnet.com/blog/hardware/a...ractices/12589 (this article links to the NSA's recommendations in a pdf)
http://www.ethicalhacker.net/compone...6/topicseen,1/
http://www.sans.org/reading_room/whi...e-home-pc_1514 (pdf)
http://www.sans.org/reading_room/whi...ome-front_1033 (pdf)
http://www.sans.org/reading_room/whi...me-network_610 (pdf)
http://www.sans.org/reading_room/whi...me-network_611 (pdf)

I guess I would ask those that advocate against recommending software firewalls to offer some professional sources that DON'T recommend a firewall (or specifically say one isn't needed). I couldn't find any.
#54
August 19th, 2012, 08:09 PM
Hungry Man (Incredibly Massive Poster; joined May 2011; 8,486 posts)
Re: Ubuntu security

If a firewall provides nothing of use, then it only provides attack surface. Look at the Windows exploit that allows for RCE by exploiting a counter in the firewall.

So the argument, as with all security software, is whether or not the benefits outweigh the potential for exploitation.

I'm not a professional, but I advocate against adding any software that does more harm than good. Whether a firewall does more harm than good is what I want to know - I want to know what it's providing, other than exploitable code.

I'll give those links a read in hope that they provide information.
#55
August 20th, 2012, 05:05 AM
NGRhodes (Very Frequent Poster; joined Jun 2003; West Yorkshire, UK; 1,904 posts)
Re: Ubuntu security

Just to be clear.
I am not advocating against using firewalls in general, just trying to make it clear that they are not always needed and there are alternative ways of achieving the same level of security.
I have not even said I do or don't run a firewall either.

If you are on a secured and controlled network there is no need for a firewall on your desktop, but if you are connecting to an unknown network, and with an OS whose config is untested or you're unsure how secure it is, a firewall is a good defense layer.

As I have already said, it's very specific to your configuration and the uses of your system whether a firewall will be a help or not, and that's assuming you know you can configure your firewall correctly AND check/test that it is working correctly (and that applies to any security/hardening: you need to know that what you are doing works!).
#56
August 20th, 2012, 06:53 AM
tlu (Very Frequent Poster; joined Sep 2004; 2,065 posts)
Re: Ubuntu security

Quote:
Originally Posted by BrandiCandi
That's the main reason for my constant and vigilant argument on the topic. I want everyone at least to be aware that security professionals recommend a firewall. Everyone is free to make their own decision, but it should be an informed decision. If Hungryman and Nick Rhodes decide they don't want a firewall then I have no problem whatsoever with it.

Listen to the pros. Here are some links from pros for "home network security best practices."

http://www.zdnet.com/blog/hardware/a...ractices/12589 (this article links to the NSA's recommendations in a pdf)
http://www.ethicalhacker.net/compone...6/topicseen,1/
http://www.sans.org/reading_room/whi...e-home-pc_1514 (pdf)
http://www.sans.org/reading_room/whi...ome-front_1033 (pdf)
http://www.sans.org/reading_room/whi...me-network_610 (pdf)
http://www.sans.org/reading_room/whi...me-network_611 (pdf)

I guess I would ask those that advocate against recommending software firewalls to offer some professional sources that DON'T recommend a firewall (or specifically say one isn't needed). I couldn't find any.

I admit that I haven't read all these articles in detail but I believe actually all of them are related to Windows. And yes - Windows has open ports by default, and that's why the Windows firewall is enabled by default since Windows XP SP 2 (if I remember correctly). But again - a default Ubuntu installation has no open ports, so the situation is different.

EDIT: Every security professional recommends to also install an AV. But that also applies to Windows and is not needed in Linux (at least on a desktop system). Summary: Linux is not Windows.
#57
August 20th, 2012, 11:42 AM
BrandiCandi (posts: n/a)
Re: Ubuntu security

Quote:
Originally Posted by tlu
I admit that I haven't read all these articles in detail but I believe actually all of them are related to Windows. And yes - Windows has open ports by default, and that's why the Windows firewall is enabled by default since Windows XP SP 2 (if I remember correctly). But again - a default Ubuntu installation has no open ports, so the situation is different.

EDIT: Every security professional recommends to also install an AV. But that also applies to Windows and is not needed in Linux (at least on a desktop system). Summary: Linux is not Windows.
Yes, several of the links assume home users are running Windows. But several of the links don't mention what type of operating system is in use. They contain OS-agnostic advice.

Again, I will shut up forever about it if anyone can provide a link where professionals recommend the absence of a firewall on Linux.
#58
August 20th, 2012, 11:48 AM
moontan (Massive Poster; joined Sep 2010; Québec; 3,117 posts)
Re: Ubuntu security

Well,

FWIW, I think it's good for any noob like meself to test your firewall at GRC to see if there are ports open, and to plug the holes if there are.
__________________
| Linux Mint || NoScript || Image for Linux + BootIt Bare Metal |
#59
August 20th, 2012, 01:18 PM
tlu (Very Frequent Poster; joined Sep 2004; 2,065 posts)
Re: Ubuntu security

Quote:
Originally Posted by BrandiCandi
Again, I will shut up forever about it if anyone can provide a link where professionals recommend the absence of a firewall on Linux.

Well, I'm sure you'll find such statements via Google, like this one. And this is what the Ubuntu documentation says.

The problem is that most people used to use Windows before, and a lot of Windows users - I'd say particularly members of this forum - use so-called Personal Firewalls, aka packet filters, in order to iron out Windows design flaws. I guess that leaves an indelible mark for the rest of their life, particularly if they enable outbound filtering. They often keep that attitude once they move to Linux.

But, as already mentioned, a standard Ubuntu installation has no open ports. It's therefore not attackable by "intruders". This is also true for client applications like browsers or email programs: They are usually attacked through downloaded content - and a firewall wouldn't help here.

However, that's not true if you install server services like samba, ssh or apache as they are usually used to allow access from "outside". If you don't want that, you have to close the ports opened by that server with a firewall.

Having said that, I nevertheless agree that it might still be a good precautionary measure to execute

sudo ufw enable
sudo ufw default deny

- just in case openssh or something like that is installed by accident
#60
August 20th, 2012, 01:51 PM
moontan (Massive Poster; joined Sep 2010; Québec; 3,117 posts)
Re: Ubuntu security

Well said, tlu.

That's exactly my case, and the case of other people, as you mentioned (though I don't use outbound filtering anymore).
I feel safer knowing what's happening with my machine.
__________________
| Linux Mint || NoScript || Image for Linux + BootIt Bare Metal |
#61
August 20th, 2012, 02:16 PM
tlu (Very Frequent Poster; joined Sep 2004; 2,065 posts)
Re: Ubuntu security

Some basic info regarding open ports here and here and regarding port scanning here.
#62
August 20th, 2012, 02:32 PM
Gullible Jones (posts: n/a)
Re: Ubuntu security

Quote:
Originally Posted by tlu
But, as already mentioned, a standard Ubuntu installation has no open ports. It's therefore not attackable by "intruders".

Not if there's a vulnerability in the TCP/IP stack itself. I don't believe any such vulnerabilities are known in Linux, but you never know when one might crop up.

(OTOH iptables could also have vulnerabilities. Not sure which of those is more likely.)

Quote:
This is also true for client applications like browsers or email programs: They are usually attacked through downloaded content - and a firewall wouldn't help here.

Umm. Can't connections to a client program be spoofed?
#63
August 20th, 2012, 03:05 PM
tlu (Very Frequent Poster; joined Sep 2004; 2,065 posts)
Re: Ubuntu security

Quote:
Originally Posted by Gullible Jones
Not if there's a vulnerability in the TCP/IP stack itself. I don't believe any such vulnerabilities are known in Linux, but you never know when one might crop up.

(OTOH iptables could also have vulnerabilities. Not sure which of those is more likely.)

Exactly - there could be vulnerabilities in iptables, too. I'm not sure if that is an argument pro firewall.

Quote:
Umm. Can't connections to a client program be spoofed?

Spoofed in what way? Let's take some recent Firefox vulnerabilities: you'll notice that they talk several times about "opening a specially crafted page" in order to execute code or whatever. How would a firewall be able to prevent that? The connection is already established.
#64
August 20th, 2012, 03:09 PM
tlu (Very Frequent Poster; joined Sep 2004; 2,065 posts)
Re: Ubuntu security

Quote:
Originally Posted by tlu
Having said that, I nevertheless agree that it might still be a good precautionary measure to execute

sudo ufw enable
sudo ufw default deny

- just in case openssh or something like that is installed by accident

I should have said:

... and openSSH has a vulnerability. If it doesn't, the open port shouldn't normally do any harm.
#65
August 20th, 2012, 05:04 PM
BrandiCandi (posts: n/a)
Re: Ubuntu security

Quote:
Originally Posted by tlu
Well, I'm sure you'll find such statements via Google, like this one. And this is what the Ubuntu documentation says.
I don't know if I would qualify those links as "professional" advice, as much as I like Ubuntu Forums and psychocats.
Quote:
Originally Posted by tlu
Having said that, I nevertheless agree that it might still be a good precautionary measure to execute

sudo ufw enable
sudo ufw default deny

- just in case openssh or something like that is installed by accident
#66
September 5th, 2012, 01:02 AM
wat0114 (Frequent Poster; joined Aug 2012; Canada; 729 posts)
Re: Ubuntu security

A question regarding the following ufw rule:

Code:
sudo ufw allow out proto tcp from any to any port 80,443,554,1755,1935

Will this rule allow all applications outbound to only these ports?

I first did

sudo ufw enable
sudo ufw default deny
__________________
Win 7x64 Ultimate

SUA | UAC @ Max | AppLocker w/DLL enforcement | Win fw w/advanced security| EMET 3.5 | Firefox w/NS +AdBlock+ plugins | GPO restrictions | Bitlocker and Truecrypt | ShadowProtect images | IFW data backups + dual boot to XP Pro: GPO, SRP, Jetico firewall w/Process Attack filter
#67
September 5th, 2012, 05:34 AM
ComputerSaysNo (Very Frequent Poster; joined Aug 2012; 1,086 posts)
Re: Ubuntu security

I would like to know too!

What's the command to just allow 53,80 & 443 out?
#68
September 5th, 2012, 05:32 PM
wat0114 (Frequent Poster; joined Aug 2012; Canada; 729 posts)
Re: Ubuntu security

I think I may have figured it out. Besides the above rule, I then added:

Code:
sudo ufw reject out proto tcp to any

Then checking status I get:

Code:
~~~:~$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80,443,554,1755,1935/tcp   ALLOW OUT   Anywhere (out)
[ 2] Anywhere/tcp               REJECT OUT  Anywhere/tcp (out)
[ 3] 80,443,554,1755,1935/tcp   ALLOW OUT   Anywhere (v6) (out)
[ 4] Anywhere/tcp (v6)          REJECT OUT  Anywhere/tcp (v6) (out)

I checked the "Reject" rule by deleting the "Allow" rule, and I was not able to connect with Firefox, as I would expect. Because ufw processes rules from top to bottom, the Reject rule is observed only after the Allow rule is processed. I had tried a "sudo ufw block out proto tcp to any" rule, but that always blocked the browser from connecting out even with the Allow rule first, so a Reject worked.
__________________
Win 7x64 Ultimate

SUA | UAC @ Max | AppLocker w/DLL enforcement | Win fw w/advanced security| EMET 3.5 | Firefox w/NS +AdBlock+ plugins | GPO restrictions | Bitlocker and Truecrypt | ShadowProtect images | IFW data backups + dual boot to XP Pro: GPO, SRP, Jetico firewall w/Process Attack filter
#69
September 5th, 2012, 09:12 PM
BrandiCandi (posts: n/a)
Re: Ubuntu security

Quote:
Originally Posted by wat0114
A question regarding the following ufw rule:

Code:
sudo ufw allow out proto tcp from any to any port 80,443,554,1755,1935

will this rule allow all applications outbound to only these ports?

I first did

sudo ufw enable
sudo ufw default deny
You have to allow port 53 TCP and UDP, which is DNS. If you don't include that you can't resolve any web addresses to actual web servers. That's why your current ufw rule sets aren't working.

You also should allow DHCP Access - Ports 67 and 68 UDP if you're using DHCP (which you probably are if you have a router).

As far as the rule you posted, you don't need to include the "from any to any" part because it's a bit redundant. If you just say "allow out 80,443,554,1755,1935/tcp", what you're telling ufw is that you will only allow traffic out of your computer on those ports to any address. You asked "will this rule allow all applications outbound to only these ports?" Kind of. It will only allow applications that are configured to use those ports to function. So if you have email on your computer, it won't work because you need to allow it to use ports 25, 110, and 143. Make sense?

I would recommend that you delete what you've done and then use these rules:
Code:
sudo ufw default deny incoming && sudo ufw default deny outgoing
sudo ufw allow out 53,80,443,554,1755,1935/tcp
sudo ufw allow out 53,67,68/udp
#70
September 5th, 2012, 10:17 PM
wat0114 (Frequent Poster; joined Aug 2012; Canada; 729 posts)
Re: Ubuntu security

Hi Brandi,

I didn't have to create a UDP rule to or from port 53. The default config is deny inbound only, so if a connection is initiated from the PC outbound, inbound will be allowed anyway. I could probably create an allowed outbound UDP to port 53, then a deny UDP to any. I'll experiment. What I did have to do, however, was create email TCP out to ports 143 & 110 to get Thunderbird to work.
__________________
Win 7x64 Ultimate

SUA | UAC @ Max | AppLocker w/DLL enforcement | Win fw w/advanced security| EMET 3.5 | Firefox w/NS +AdBlock+ plugins | GPO restrictions | Bitlocker and Truecrypt | ShadowProtect images | IFW data backups + dual boot to XP Pro: GPO, SRP, Jetico firewall w/Process Attack filter
#71
September 6th, 2012, 11:41 AM
BrandiCandi (posts: n/a)
Re: Ubuntu security

If you're denying all incoming and allowing all outgoing, you should be fine. And if you do it that way then you wouldn't have to worry about DNS because it will be allowed automatically.

You only have to explicitly allow ports if you're denying outgoing. Your post above showed that you were rejecting all outgoing except the ports you listed.

Glad you got it sorted out.
#72
September 6th, 2012, 12:30 PM
chronomatic (Very Frequent Poster; joined Apr 2009; 1,324 posts)
Re: Ubuntu security

I use Ubuntu and have disabled UFW altogether. I use a router flashed with Tomato and turned the firewall on (which is just iptables, since Tomato is Linux). No ports are open outside of my home network. I think a router is the best way to go.

I agree that a firewall is not really necessary on an Ubuntu box since there are no open ports and no services listening. Iptables is not an application firewall, so it won't block specific applications or warn when applications try to make an outgoing connection; thus I see no reason to enable it at all on a *desktop* box as long as you are aware of what services (if any) are listening.
#73
September 6th, 2012, 12:39 PM
tlu (Very Frequent Poster; joined Sep 2004; 2,065 posts)
Re: Ubuntu security

Quote:
Originally Posted by chronomatic
I use Ubuntu and have disabled UFW altogether. I use a router flashed with Tomato and turned the firewall on (which is just iptables, since Tomato is Linux). No ports are open outside of my home network. I think a router is the best way to go.

I agree that a firewall is not really necessary on an Ubuntu box since there are no open ports and no services listening. Iptables is not an application firewall, so it won't block specific applications or warn when applications try to make an outgoing connection; thus I see no reason to enable it at all on a *desktop* box as long as you are aware of what services (if any) are listening.

You're absolutely right. On the other hand, ufw default deny doesn't hurt, and you'd be safe if you installed a service by accident as happened to moontan.
#74
September 6th, 2012, 02:39 PM
wat0114 (Frequent Poster; joined Aug 2012; Canada; 729 posts)
Re: Ubuntu security

I like chronomatic's approach too. All I'm trying to do is control which remote ports applications are allowed to connect to, just for fun and to get myself into using the terminal a bit more often.
__________________
Win 7x64 Ultimate

SUA | UAC @ Max | AppLocker w/DLL enforcement | Win fw w/advanced security| EMET 3.5 | Firefox w/NS +AdBlock+ plugins | GPO restrictions | Bitlocker and Truecrypt | ShadowProtect images | IFW data backups + dual boot to XP Pro: GPO, SRP, Jetico firewall w/Process Attack filter
#75
September 6th, 2012, 11:49 PM
wat0114 (Frequent Poster; joined Aug 2012; Canada; 729 posts)
Re: Ubuntu security

Final rule set which I'm happy with:

Code:
     To                                Action      From
     --                                ------      ----
[ 1] 80,110,143,443,554,1755,1935/tcp  ALLOW OUT   Anywhere (out)
[ 2] 192.168.1.254 53/udp              ALLOW OUT   Anywhere (out)
[ 3] 208.67.222.222 53/udp             ALLOW OUT   Anywhere (out)
[ 4] Anywhere/tcp                      DENY OUT    Anywhere/tcp (out)
[ 5] Anywhere/udp                      DENY OUT    Anywhere/udp (out)
[ 6] 80,110,143,443,554,1755,1935/tcp  ALLOW OUT   Anywhere (v6) (out)
[ 7] Anywhere/tcp (v6)                 DENY OUT    Anywhere/tcp (v6) (out)
[ 8] Anywhere/udp (v6)                 DENY OUT    Anywhere/udp (v6) (out)

Funny thing is, "Deny" now works. Anyway, as Brandi alluded to, it's all sorted.
__________________
Win 7x64 Ultimate

SUA | UAC @ Max | AppLocker w/DLL enforcement | Win fw w/advanced security| EMET 3.5 | Firefox w/NS +AdBlock+ plugins | GPO restrictions | Bitlocker and Truecrypt | ShadowProtect images | IFW data backups + dual boot to XP Pro: GPO, SRP, Jetico firewall w/Process Attack filter

Last edited by wat0114 : September 7th, 2012 at 12:07 AM.
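As an added example (not code from the thread or from ufw), here is a Python checker for the two points the ufw posts above turn on: ufw evaluates rules top to bottom, so an ALLOW OUT placed below a catch-all DENY/REJECT OUT never fires, and once outbound UDP is denied wholesale, DNS (53/udp) needs its own allow above that rule; it also emits an allow-list ruleset in the shape of the final rule set, using "default deny outgoing" instead of trailing catch-all rules. The status text is a constructed sample in the format of "sudo ufw status numbered".

```python
import re
from collections import namedtuple

# Constructed sample in the shape of the `sudo ufw status numbered` output
# quoted in the thread (IPv4 rules only, to keep it short).
SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80,110,143,443/tcp         ALLOW OUT   Anywhere (out)
[ 2] 192.168.1.254 53/udp       ALLOW OUT   Anywhere (out)
[ 3] Anywhere/tcp               DENY OUT    Anywhere/tcp (out)
[ 4] Anywhere/udp               DENY OUT    Anywhere/udp (out)
[ 5] 22/tcp                     ALLOW OUT   Anywhere (out)
"""

RULE_RE = re.compile(
    r"^\[\s*(\d+)\]\s+(.+?)\s{2,}(ALLOW|DENY|REJECT|LIMIT)\s+(IN|OUT)\s+(.+)$")
# to: e.g. "80,443/tcp", "192.168.1.254 53/udp", "Anywhere/tcp (v6)"
Rule = namedtuple("Rule", "number to action direction")


def parse_status(text):
    """Extract the numbered rules from `ufw status numbered` output."""
    matches = (RULE_RE.match(line) for line in text.splitlines())
    return [Rule(int(m[1]), m[2].strip(), m[3], m[4]) for m in matches if m]


def proto_of(to):
    # "80,443/tcp" -> "tcp"; "Anywhere/udp (v6)" -> "udp"; no suffix -> "any"
    return to.rsplit("/", 1)[1].split()[0] if "/" in to else "any"


def ports_of(to):
    # "192.168.1.254 53/udp" -> {"53"}; "80,443/tcp" -> {"80", "443"}; "Anywhere" -> set()
    head = to.split("/", 1)[0].split()[-1]
    return set(head.split(",")) if head[0].isdigit() else set()


def audit_outbound(rules):
    """ufw evaluates rules top to bottom: an ALLOW OUT placed after a catch-all
    DENY/REJECT OUT of the same protocol never matches, and once UDP out is
    denied wholesale, DNS (53/udp) needs an explicit allow above that rule."""
    findings, catch_all, dns_ok = [], {}, False
    for r in rules:
        if r.direction != "OUT":
            continue
        proto = proto_of(r.to)
        if r.action in ("DENY", "REJECT") and r.to.startswith("Anywhere"):
            catch_all.setdefault(proto, r.number)   # remember the first one
        elif r.action == "ALLOW":
            shadow = catch_all.get(proto) or catch_all.get("any")
            if shadow:
                findings.append(f"rule {r.number} ({r.to}) is shadowed by rule {shadow}")
            elif "53" in ports_of(r.to) and proto in ("udp", "any"):
                dns_ok = True
    if ("udp" in catch_all or "any" in catch_all) and not dns_ok:
        findings.append("no outbound 53/udp allow before the catch-all UDP deny: "
                        "name resolution will fail")
    return findings


def ufw_commands(tcp_ports, dns_servers):
    """Commands for an outbound allow-list like the thread's final rule set, but
    using `default deny outgoing` instead of trailing catch-all deny rules."""
    return (["sudo ufw default deny incoming", "sudo ufw default deny outgoing",
             "sudo ufw allow out proto tcp to any port " + ",".join(map(str, tcp_ports))]
            + [f"sudo ufw allow out proto udp to {ip} port 53" for ip in dns_servers])
```

Run audit_outbound(parse_status(...)) on the real output of "sudo ufw status numbered" to see which rules are dead; with "default deny outgoing" in place, the explicit catch-all deny rules from the thread are unnecessary.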
 
