Ubuntu security

Discussion in 'all things UNIX' started by ComputerSaysNo, Aug 14, 2012.

Thread Status:
Not open for further replies.
  1. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Good link :thumb: :thumb:
     
  2. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    The linked article has a major flaw.
    To do anything on the network, outbound connections must be made (as the article starts with the basis of no inbound connections to listening ports, therefore no useful network services running). If you didn't, you would have no need to be connected, nor need a firewall!
    Now you have a firewall (as the article says you need), you must have firewall rules in place. The article assumes something is exploited (a major assumption with no explanation of how it happens) - what if that is the app that you have created a firewall rule for in the first place?
    As a result the firewall cannot provide any additional guarantee of security from an arbitrary vulnerability you might get tomorrow.

    If your OS is properly secured a firewall is not needed, because the user cannot even run the malicious software that could open ports. If you follow a bit of safe hex and only run and install software from trusted sources there is no chance of running malicious software no matter how insecure your OS is.

    It's very specific to your configuration and uses of your system whether a firewall will be a help or not.
     
  3. BrandiCandi

    BrandiCandi Guest

    I'm willing to listen, I'm just not sure I'm clear. Yeah, the article is assuming no sockets inbound. That would be a typical desktop user at home I would say. So you're saying that someone that runs no services doesn't need a firewall? And if you have services listening then you'd want a firewall? Or are you saying that a software firewall is never needed as long as you're exercising safe hex and all?

    Let's say you have Ubuntu on your laptop and you take it to Starbuck's. Would you recommend a firewall then?

    I think you're right, that it's very specific to your configuration. Therefore it's hard to make broad, sweeping recommendations about firewall usage and need. A strong firewall can prevent a new (unauthorized) service from binding to a new/arbitrary port. Yeah, there are lots of other and better ways to prevent it. But a software firewall is part of a layered security approach. I guess my stance is that for someone who doesn't have excellent networking protocol understanding, then a firewall is a good idea. If someone is savvy about traffic, then they may do just as well without one. But the savvy guy didn't need to ask in the first place ;)
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    This was exactly my point and what I was discussing earlier with brandi.

    Whether you have a Firewall or not if your application is being exploited it almost certainly has web access already - otherwise how is it being exploited?

    If your port is closed it's closed - a firewall changes nothing. If a port is open it's open - a firewall changes nothing. Only if a port is closed and a program that did not have access to ports before is exploited would a Firewall change things but even before that it'll have outbound access as long as your system can connect to the internet.
     
  5. OK I'm not good with networking so a firewall may be a good choice? The GUI firewall in Ubuntu's software service?

    Any other good terminal commands?
     
  6. tlu

    tlu Guest

    See post #6.
     
  7. BrandiCandi

    BrandiCandi Guest

    Post #6 said:
    If you deny everything by default, then you will be running a brick - you can't make any connections incoming or outgoing. You would have to add rules to allow outgoing ports for DNS (53), HTTP (80 & 443), and DHCP (67 & 68) at the very least.

    Regarding the need for a firewall... Someone earlier in this thread had sshd running without his knowledge. If a firewall were running that did not allow port 22 (ssh), then it doesn't matter that sshd was running. No one could find it from the internet unless port 22 TCP was allowed incoming.
     
  8. dicknixon

    dicknixon Registered Member

    Joined:
    Aug 17, 2012
    Posts:
    6
    My gawd....this is a "security" forum?!

    You have multiple users insisting that firewalls are unneeded...*cough* *cough*...
    I picked a bad day to give up a life of crime...

    I've done pentesting and I would eat your lunch if you put your machine on our network.

    It's called 'security in depth', 'layered defense' and just all-around common sense. I don't argue with flat-earthers and I won't argue here. Instead learn some google and use search terms "security best practices". Then do me a favor and resist arguing against the use of firewalls. Some n00b will read your ill-informed post and go on their merry way without it, which on the internet today is the equivalent of dancing naked in public. And if you happen to do that in a coffee shop or airport you might as well just hand over your passwords to whomever asks.

    Not only is a firewall necessary, it's ONLY a start!

    Now go google "egress filtering" and mark that down as something you will want to learn and eventually use.
    Better yet, use a firewall AND grab an old unused PC and install pfsense on it and put it between you and the internet.

    ....*walks away shaking head*...
     
  9. dicknixon: since you seem to be so knowledgeable about this topic, I'm interested in your input...

    - What advantage would a pure inbound firewall (no outbound filtering) have over no firewall and no open ports, were an attacker to employ a direct network attack?

    - What advantage would an outbound firewall provide, were an attacker to compromise an application capable of making outbound connections?

    - What advantage would any typical firewall provide, were an attacker to attempt a network exploit via a connection made by the target, e.g. a connection to a hostile website? Assuming in this case that a "typical" firewall is not capable of deep packet inspection.

    I'll admit that I find the attitude you've expressed somewhat regrettable, but I'm genuinely curious (assuming you're as knowledgeable as you say).
     
  10. dicknixon

    dicknixon Registered Member

    Joined:
    Aug 17, 2012
    Posts:
    6
    In regard to your first question, how do you know you have no open ports? That's precisely the problem. People routinely install software and have no idea of its behavior or what ports it responds to. Even in a hardened system a firewall is in place just in case something is misconfigured or missed altogether. At the very very least, ALL unsolicited packets you don't specifically want should be default denied.

    All of your other questions I already answered: a firewall is ONLY a start. At least it will stop unsolicited hostile packets. Now if your system IS soliciting hostile packets, the only way you're going to stop it is with egress filtering, which if you noticed I already pointed you towards.

    I find it 'regrettable' that you seem unaware of industry best practices AND argue as if this is a confusing topic....rather than the slam dunk that it is among security professionals.
     
  11. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    I think it's only default deny on incoming.

    That's pretty much the way standard firewalls with factory settings operate these days:
    Outgoing = Allow
    Incoming = Deny

    Perhaps a firewall is not needed for our more knowledgeable members.
    But I feel better having some kind of basic firewall protection.

    I don't know much about firewalls, except to test them once in a while at Steve Gibson's ShieldsUP website. :)
     
  12. Fair enough, most users don't run netstat every time they open a new application.

    (OTOH, if you can't trust netstat then a software firewall won't help much. No?)

    Wouldn't filtering by a software firewall on the local host be suspect, if the host were compromised? And being behind a dedicated hardware firewall is desirable, but not always practical for end users.

    (Unless you would suggest that a dedicated firewall should be considered necessary at all times? Not being sarcastic, just wondering if you think the security situation is that bad.)

    You won't change many people's views here if you come across as insulting and arrogant - even if you're actually correct.
     
  13. dicknixon

    dicknixon Registered Member

    Joined:
    Aug 17, 2012
    Posts:
    6

    How many users can even spell 'netstat' let alone use it?
    Application or Host firewalls are inherently suspect since they reside on the very machine they intend to protect. But remember, layered security! They help and can mitigate a lot of problems before they become so.

    I pointed to pfsense at the very bottom of my original post. I do think external dedicated firewalls are necessary at home and work for everyone, and with pfsense, ipcop, smoothwall, etc, they can be set up by regular knowledgeable users on a low end unused PC. They can easily be set up for friends and family to just plug in unmonitored (ugh....but it's much better than nothing). But that's for home and work - at the airport you had better have your application firewall up because that is almost certainly a VERY hostile network and it will give you a fighting chance. Next time you take a flight or go to a coffee shop, put your wifi in monitor mode and take a half hour wireshark packet capture. Then read through it on the flight to keep yourself occupied. You might just scare yourself straight.

    Just a few months ago I saw a freshly installed/updated hardened and protected ubuntu laptop cracked in under 15 min with no services turned on.

    Even with the best of security, it's just a matter of when, not if, you will get hacked. There is no such thing as 'safe', only 'safe enough'. Living with the knowledge of that causes you to act differently, which is good. Proper layered defense raises the cost of incursion to the hacker so that all but pros are stopped. Now if you do have a pro after you, you probably don't need my advice or can afford a security consultant, and if not, you probably have allowed the wrong kind of people on to your home wifi :)
     
  14. Hmm. Was this by a script kiddy on a public wifi, or a penetration tester?
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    15 minutes isn't impressive when you consider the hours spent actually developing whatever exploits were used. It's not like someone whipped up remote code execution in 15 minutes.

    And I think there are varied degrees of 'hardened'

    Can you tell me the problems it solves?
     
  16. dicknixon

    dicknixon Registered Member

    Joined:
    Aug 17, 2012
    Posts:
    6
    Yeah, I think I already did. You should not trust that you know what ports your machine is responding on at all times. And there are ports I want open to certain lan machines and gateways but never to anything else. A misconfiguration, forgetfulness, or a newly installed app that suddenly responds to incoming packets is an open invitation to disaster.

    Do you nmap your machine regularly? Your DDWRT router/firewall? Do you ever allow visitors onto your lan/wifi?

    I noticed in the link to your security setup, you put quite a lot of effort into grsec and AppArmor. Yet you run UFW (GUFW is just the gui) on DDWRT as your gateway firewall? You should know that DDWRT is notoriously insecure and you should never put it facing the internet. Instead get an old 500mhz+ PC and drop a 2nd network card into it and install ipcop/pfsense/smoothwall or the like. If you can, configure snort to watch things. Put that in front of everything. At least that will give your DDWRT a chance at a decent life.

    The ubuntu laptop that got cracked was mine, on my own network, and the kid who did it was only on the lan for 15 minutes before the firewall (which was watching internal traffic as well) threw a particularly nasty alarm. I powered down everything until I could figure out what happened, which I did poring through log files over the next 24 hrs. When I turned the laptop back on several drivers were broken AND a connection that was invisible on the laptop but the firewall noticed was patiently dumping hundreds of megabytes into a tor node. Game over. Nuke and pave (reformat, reinstall). The kid it turned out was a mid-level member of a notorious hacker collective.
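As an added example (my own, not code from any poster or from Ubuntu's tooling) of the check behind posts #7, #12 and #16: parse `ss -ltnp` output, ignore sockets bound only to loopback (they are unreachable from the network even with no firewall), and flag any network-reachable listener that is not on your allowlist. The sample output, process names and the allowlist are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -ltnp` output; not a capture from any real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      5      127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=600,fd=7))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      50     *:5900              *:*               users:(("vino-server",pid=2200,fd=9))
LISTEN 0      128    127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=420,fd=13))
"""

LOOPBACK_PREFIXES = ("127.", "[::1]")
PROC_RE = re.compile(r'\(\("([^"]+)"')   # first process name inside users:(("name",pid=...))

@dataclass(frozen=True)
class Listener:
    proc: str
    addr: str
    port: int

    def network_reachable(self) -> bool:
        # A socket bound only to loopback cannot be reached from the LAN or
        # the internet, so it is not an inbound exposure.
        return not self.addr.startswith(LOOPBACK_PREFIXES)

def parse_ss(text: str) -> list:
    """Parse the LISTEN rows of `ss -ltnp` output into Listener records."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # "[::]:22" -> "[::]", "22"
        match = PROC_RE.search(line)
        rows.append(Listener(match.group(1) if match else "?",
                             addr.split("%")[0], int(port)))  # drop "%lo" scope id
    return rows

def unexpected_listeners(text: str, expected: set) -> list:
    """Network-reachable listeners missing from the (process, port) allowlist."""
    return sorted({(l.proc, l.port) for l in parse_ss(text)
                   if l.network_reachable() and (l.proc, l.port) not in expected})

if __name__ == "__main__":
    for proc, port in unexpected_listeners(SAMPLE_SS, {("sshd", 22)}):
        print(f"unexpected network listener: {proc} on port {port}")
```

Anything this reports is a service the host will answer for regardless of what you believe is installed, which is exactly the case for an inbound default-deny rule.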
     
  17. Interesting. Do you have any idea how you'd gotten on his hit list, or do you think this was a random attack?
     
  18. dicknixon

    dicknixon Registered Member

    Joined:
    Aug 17, 2012
    Posts:
    6
    A friend invited him over. I'm not positive he was aware of the attack coming from his laptop. Who knows what attention he had attracted to himself previously.
     
  19. Not to be overly nosey, but do you know how your laptop was actually compromised?
     
  20. Uh guys, Googling on this subject turns up some interesting stuff. Take a look at this vulnerability:

    http://technet.microsoft.com/en-us/security/bulletin/ms11-083

    Evidently ports cannot be trusted even when definitely closed due to such TCP/IP stack vulnerabilities. No reason holes like that couldn't exist in Linux as well.

    (BTW, my apologies for the skepticism, dicknixon; my instinct is to doubt seemingly extraordinary claims, but it appears your statements have at least some validity.)
     
  21. dicknixon

    dicknixon Registered Member

    Joined:
    Aug 17, 2012
    Posts:
    6
    Well, behaviorally, it was dumping a lot of data to a tor node and several drivers broke right then. Forensically, the checksums on some system stuff were changed from 24 hrs before w/o a system update in between and didn't match any known ubuntu binaries. Tripwire/systraq, etc. are your friend! In fact I now checksum my friends.
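An added example (mine, not the poster's code or Tripwire's) of the comparison described here in miniature: hash every regular file under a directory, then diff a later snapshot against the baseline to list what was added, removed or changed. The tampered files are constructed in a temporary directory; on a real Ubuntu host you would also compare the changed files against the distribution's own checksums with `dpkg --verify` or debsums.

```python
import hashlib
import os
import tempfile

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str) -> dict:
    """Map each regular file under root (path relative to root) to its SHA-256."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                snap[os.path.relpath(path, root)] = sha256_file(path)
    return snap

def diff_snapshots(old: dict, new: dict) -> dict:
    """What changed between a baseline snapshot and a later one."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }

def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate tampering."""
    with tempfile.TemporaryDirectory() as root:
        sbin = os.path.join(root, "sbin")
        os.makedirs(sbin)
        for name in ("ifconfig", "ls", "sshd"):
            with open(os.path.join(sbin, name), "wb") as f:
                f.write(b"original " + name.encode())
        baseline = snapshot(root)
        # Simulated tampering: ls replaced, a new file dropped, ifconfig deleted
        with open(os.path.join(sbin, "ls"), "wb") as f:
            f.write(b"modified")
        with open(os.path.join(sbin, "unexpected.bin"), "wb") as f:
            f.write(b"x")
        os.remove(os.path.join(sbin, "ifconfig"))
        return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the host cannot rewrite (read-only media or another machine); a baseline kept on the compromised disk is as untrustworthy as its netstat output.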
     
  22. I was thinking more the mechanism of compromise, but N/M, I can guess how it could be done once the attacker was inside your network.

    Edit: and also, more stuff on TCP/IP vulnerabilities here:

    http://www.linuxsecurity.com/resource_files/documentation/tcpip-security.html

    A quote re firewalls...

     
  23. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    Apologies for butting in on this interesting discussion, but I would be interested to know what you all think of remote desktop sharing. I have never used that feature in Linux.
    I am asking because our S.African revenue service, SARS, has recently announced with big fanfare that they will be offering the undermentioned service to efilers:-
    I assume that would mean remote desktop sharing? In that case what would a Linux user need to install, teamviewer perhaps?
    I personally would never use their new feature, but it would be interesting to hear from the experts posting here re. security concerns etc.
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I don't need to nmap my machine. If I'm somehow at a point where I can't see which ports are open/closed I probably have already been compromised.

    Yeah, the router has always been my weakest link. I have an old laptop I've been meaning to use with pfsense for months I just haven't gotten to it.

    But no I've never heard of security issues with DDWRT. I'd rather have it than the manufacturer firmware, which hasn't been updated in ages.


    @Gullible,

    I remember this vulnerability. Actually I believe that the overflow was in the Firewall itself... there was some counter in the Firewall software that would overflow.
     
  25. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    Why did you even bother to post this?
    You make assumptions and bold claims with no basis of fact or evidence.
    Then pretty much tell people to google some generic terms which will lead to people reading about information which may or may not be accurate.
    Some noob is going to read your post and still be no better off because you have been no help whatsoever in providing any useful information.
     