Ubuntu security

Discussion in 'all things UNIX' started by ComputerSaysNo, Aug 14, 2012.

Thread Status:
Not open for further replies.
  1. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,425
    So I've got ubuntu installed a SSD and I'm wondering how do I configure it properly security wise? How to configure the firewall, apparmor etc

    I'm a newbie so be kind and can you list the terminal commands please!
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
  3. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,425
    Thanks that's a bit more clear than most guides.

    Anything else I should have to worry about besides AppArmor?
     
  4. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
  5. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    firestarter is a very good alternative to GUFW.
     
  6. tlu

    tlu Guest

    Neither is normally needed, IMO, because all ports are closed by default as Hungry already mentioned. And even if you're sceptical about this, simply executing

    sudo ufw enable
    sudo ufw default deny

    should be sufficient.
     
  7. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    that's not what Steve Gibson Shield's Up website said about my machine.

    i had to install firestarter or gufw to pass the tests.

    i'd rather use a GUI whenever possible instead of trying to remember a whole bunch of commands. ;)
    i have problems remembering what i had for supper the day before. ;)
     
  8. tlu

    tlu Guest

    What exactly did it say? And are you behind a router?

    EDIT: BTW - I passed the test ...
     
  9. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i just turned off the firewall for the test.
    i don't have a router.

    here's what i get:

    - Solicited TCP Packets: RECEIVED (FAILED)
    - Unsolicited Packets: PASSED
    - Ping Reply: RECEIVED (FAILED)
    - Port 22, service: SSH * Port Open * (all the other ports are closed except 1 that's stealthed)

    with firestarter at default i pass everything the except the Ping Reply test.

    to also pass the Ping Reply test you have to go into Firestarter, edit the Preferences/Firewall/ICMP Filtering and enable ICMP.
     
    Last edited: Aug 14, 2012
  10. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    Yes I think it's nonsense recommending no firewall, to what, save you 2ms on data latency? It's not like uwf is resource intensive...

    What happens if you install a program that opens ports? What happens if the user joins a hostile WiFi network? Yeah no firewall might be fine for YOU to manage, but recommending it to users really isn't a good idea.
     
  11. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    I was under the impression that Firestarter is no longer being developed/maintained. That was quite some time ago.
     
  12. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    it works pretty good it seems and easy to use for a newb like meself. ;)

    GUFW is also very easy to use but Firestarter has a little more options.
     
  13. tlu

    tlu Guest

    Do you have an openSSH server running?

    For what it's worth,

    sudo netstat -tulpen | grep -v '127.0.0.1' | grep -v '::1:'

    shows:

    netstat.png

    This is as it should be. (dhclient is needed for DHCP , and regarding avahi-daemon see here.)
     
  14. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
  15. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i don't even know what a SSH server is,so i doubt i have one running. :p

    here's the output from my terminal:

    Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 8573 883/sshd
    tcp6 0 0 :::22 :::* LISTEN 0 8575 883/sshd
    udp 0 0 0.0.0.0:68 0.0.0.0:* 0 8854 1339/dhclient
    udp 0 0 0.0.0.0:5353 0.0.0.0:* 106 8079 935/avahi-daemon: r
    udp 0 0 0.0.0.0:35742 0.0.0.0:* 106 8081 935/avahi-daemon: r
    udp6 0 0 :::51793 :::* 106 8082 935/avahi-daemon: r
    udp6 0 0 :::5353 :::* 106 8080 935/avahi-daemon: r
     
  16. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i did check into Synaptic for anything called SSH and indeed i have openssh-client and open-ssh server installed.


    i have read the descriptions in Synaptic but i have no bloody idea what apps need those for.
    those 2 do not break anything if you uninstall them but apparently there would be conflicts .
    better leave it alone.
    the system probably needs them for all i can tell...

    Firestarter stealths all the ports anyway so i am happy with the situation.
     
    Last edited: Aug 14, 2012
  17. DX2

    DX2 Guest

    I'm behind a router, I pass all except the ping reply, why is that? NVM, it was a setting in my router. It was set to low, instead of typical, now it passed.
     
    Last edited by a moderator: Aug 14, 2012
  18. tlu

    tlu Guest

    Well, that's the answer. I don't know why it's installed on your system - it's definitely NOT installed by default. That's why Hungry's statement is correct. If a server is running on your system you usually have (an) open port(s).

    EDIT: You might want to test if

    sudo ufw enable
    sudo ufw default deny

    is sufficient in your case. Should be IMO.
     
  19. BrandiCandi

    BrandiCandi Guest

    Wow.

    1. Please read the Ubuntu Basic Security Wiki for exactly that: basic security measures you can deploy on your desktop machine. IMO if you do everything in the wiki you will have a very strong desktop setup.

    2. if you have sshd running on your system and you don't know what it is, then you should uninstall it. If you care to know, sshd is a protocol that allows you to access your computer from a remote computer. Ubuntu comes with ssh installed by default, which means you could ssh to any machine that you have credentials on. There's no reason to remove ssh. Ubuntu does NOT come with sshd by default. sshd will allow other machines to ssh into your computer. You should remove sshd.

    Find out if you really have sshd installed by opening a terminal (ctrl + alt + t) and typing
    Code:
    dpkg -l | grep sshd
    If you do then type in the terminal
    Code:
    sudo apt-get remove --purge <type the name of the sshd program you see>
    3. Firestarter has not been actively developed since 2005 or so. There's no good reason to use it. I promise that GUFW can do everything Firestarter can do if you just read the UFW / GUFW documentation.

    4. I fundamentally disagree with Hungry Man on the need for a firewall. It's a simple layer of defense that is easily deployed by someone without major technical knowledge. A firewall is part of a good layered approach to security. Here's a discussion on why you should use a firewall in Ubuntu. At some point I will prove by demonstration to Hungry Man that a targeted attack could have been prevented by a simple firewall (which he refuses to run). :p
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I run an inbound firewall lol but I don't even know why. The only ports that ever get opened are for dhclient and dnscrypt-proxy.

    If an exploited application wants outbound they'll get it no matter what I do with IPFilters (outside of some weird stuff). If they exploited a program they already have inbound access.

    So I must be missing something/ not understanding what it's really doing.
     
  21. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i use mint KDE. maybe it comes included in this distro?
    ----
    from BrandiCandi:

    i use mint KDE but i will read that page after i am finished with this post. :) Tnx!
    i just checked with the instructions you provided and no, SSHD is not installed.
    i will be installing GUFW then.
    cool! i will give this a look as well.

    tnx for the tips everyone.
    it is well appreciated! :thumb:
     
  22. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    GUFW fails the Ping Reply test.

    does it really matters that Firestarter has not been updated since 2005?
    at least, it can pass all the tests at Shield's Up.

    unlike GUFW
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Ping reply doesn't mean anything. Assuming that's about 'stealthing' ports it's irrelevant.
     
  24. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i had read previously on the web that it is not that important (Ping Reply).

    thanks for confirming it! :thumb:
     
  25. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tlu.
    i have disabled GUFW and tried your commands.
    i wrote them down to a text file do i don't forget.
    matter of fact i'm starting to collect a few commands.

    this seems to work pretty good as i get the same results on Shield's Up as when using GUFW.

    no sense having Firestarter or GUFW installed if this does the job.
    small is beautiful and all that! ;)

    tnx for the help tlu! :)
     
    Last edited: Aug 14, 2012
Loading...
Thread Status:
Not open for further replies.