Ubuntu 8.04 Hardy Heron security

Hi there,
My son got a new laptop, and I inherited his old desktop. I thought what a wonderful opportunity to try out Linux. So I managed to install Ubuntu 8.04 Hardy Heron (very odd names they have, sounds almost like exotic animals), and surprise, everything works out of the box (I haven't tried everything, but as far as browsing with Firefox, and doing common operations there isn't really much difference from a Windows OS (I'm not about to say goodbye to Windows at all).

Mrkvonic states that there isn't any need to have an AV or a FW with Ubuntu because any change to the system needs privileges (a bit like UAC in Vista). What about scripts, while browsing? Does one need 'NoScript' with Firefox? And keyloggers, would there be any remote chance for them, without physical access?

It really feels strange not to have a single security application, what a liberating thought!

 

If you don't have a router w/firewall you should really install a firewall.
In Hardy ufw is installed by default but it needs to be 'engaged'.
Best solution is to install Gufw - a frontend for iptables ..
http://gufw.tuxfamily.org/index.html and set it to Deny All** (plus any
other ports you want to either allow or block eg. ssh, netbios etc.)
Then in the terminal enter sudo iptables -nL to check your settings.
** i.e. Deny Incoming traffic.
An AV like Avast is needed if you don't want to pass on any virus
to Windows users. eg. you might forward an email attached file, which
contains bad stuff that can't execute on Linux but can on Windows platforms.
For Firefox you would need NoScript and maybe also Adblock Plus.
You can also install Opera.

Happy New Year !
(Am on my second Scotch after the security alarm techie brought the ceiling
down while attending to the transmitter in the roof - a big mess !)

 

There are more reasons. You don't need a FW as Ubuntu doesn't have any open ports by default. If you still think a FW is necessary you can use - as Ocky already mentioned - ufw, but again it's not necessary on a desktop system. An AV is not necessary as there is no need to install any (possibly infected) applications from 3rd party sites since you'll get everything you'll ever need from the official repositories which contain open-source packages controlled by the Ubuntu staff and community. (Just start Synaptic and have a look what the repositories offer for you.) And not only Linux itself but also your installed applications will be kept up-to-date through security patches via the repositories. - This is also the answer to your question regarding keyloggers.

Yes, since browsing related risks like XSS are independent from the OS you're using.

Linux is very different from Windows. You'll find out that it makes no sense to fiddle around with HIPS and all that stuff. Once you've understood the Linux philosophy you'll see that its maintanance is much easier than it was with Windows.

 

Thanks. Happy New Year to every one! I'm actually on champagne and wine.

 

Happy New Year, having Laphroaig and smoked salmon here.

 

tlu pretty much explained it for you.

You manage software from official repos, so no need to install unknown stuff, and none of those things can work without the root password, so you don't need any anti-malware stuff. Firewall is optional.

Happy New Year!

Mrk

 

A question for Mrk or someone who knows, will Flash and Shockwave online games work in the latest Ubuntu using Firefox? My kids live off of this stuff so it's mandatory that it works for them I haven't used Ubuntu for some time, and I remember only Flash worked in that version (Hardy heron) but not Shockwave.

 

It worked for me ...
But as always, try for yourself and see what gives ...
Mrk

 

Go to /System/Administration/Synaptic Package Manager and type "guard" in the search box. Click on "guarddog" and mark it for installation. Click "Apply" and it will install. This is a GUI based front end for iptables so you don't have to know any "command line" syntax.

But with that said, there are basically two groups of people who feel the need to use a software firewall behind a router's hardware one in Linux. The first group are the ones who feel it necessary to wear both a belt and suspenders to make sure their pants don't fall down in public.

The second group are those who's "homes" have been invaded so many times using Windows that they don't feel safe without "double locks" on their doors, even though they've "moved to a safe neighborhood."

Firewalls in Linux are really only there because there are people who use dialup and don't have a hardware firewall.

 

I have never used a hardware firewall (With Windows I always rely on software firewall, and had no problems so far). I 'll follow your instructions, thanks.

 

If you using a router of some sort to connect to the internet?

 

No, I don't use a router, I live in a fairly new apartment building, and all you have to do is plug in your internet cable into a socket very similar to the telephone one, as a matter of fact we have one for the phone and one for internet in every room (it is obviously broadband, and fairly strong too).

 

Shockwave will only work if you install Wine, download the Windows version
of Firefox and have mozplugger installed. See here:- https://help.ubuntu.com/community/Shockwave
Flash of course is no problem as you already know.

 

If you used a router rather than dialup, you used a hardware firewall. You just didn't know it. All routers have firewalls built in.

 

Then the apartment building is using a router and switches to distribute the connections from, at least, a t1 connection.

 

IMO one of the most important security features for any OS is a basic firewall with default deny for incoming connections.

Two additional front-ends for iptables are lokkit and firestarter. lokkit is set and forget after you run it and configure.

The firestarter GUI can be setup to run on startup (via sessions) with a small change to the sudoers file in /etc. Then one can view and query tcp connections by bringing up the GUI from the taskbar.

Alternatively, to view tcp connections one can run in a terminal window: "sudo netstat -cpa | grep ESTABLISHED'.

 

Everyone is entitled to their own opinion but do you have any documentation to back this one up? The hardware firewall in the router comes "with default deny fo incoming connections." If a software firewall doesn't also provide protection for OUTgoing connections, it is redundant. Just like suspenders with a belt.

 

@lewmur

"IMO one of the most important security features for any OS is a basic firewall with default deny for incoming connections.

This is a generic statement and makes no distinction between a hardware-based and software-based firewall. If one has a properly configured hardware-firewall, then a software firewall is possibly redundant depending on your requirements. However, the OP stated:

" ... all you have to do is plug in your internet cable into a socket very similar to the telephone one, as a matter of fact we have one for the phone and one for internet in every room (it is obviously broadband, and fairly strong too).

Maybe the hardware-based firewall is properly configured (e.g., default password changed - just an example) and maybe it is not. In this case, since a tenant at the apartment complex has no knowledge of the configuration, I would opt for the redundancy of a software-based firewall.

Also, one can configure iptables to block outgoing connections via IP address range or port.

 

"for an OS" makes it software.
I have both an anti-virus app and a software firewall on my Windows system. I still have to remove malware on a regular basis. I have NEVER encountered malware, other than "phone home cookies," on my Ubuntu system. So that "security feature" does not qualify as "important."

 

Thank you Ocky! My apologies also to all for posting my question in this thread. It's really about Ubuntu security

 

Also note the Flash is slower in Linux (compared to Windows), video generally is acceptable, eg Youtube. What you will notice with games is that slows downs are more likely to happen as the complexity of the screens increase.

For some reason as well Flash can suffer performance issues on certain configurations when resizing the window (eg going to full screen), this is well known with youtube like video playback for example.

 

Flash movies work fine using x64 Flash 10, I have used them in full screen as well, also from whatever Flash intensive sites I have used, it has worked out fine.