Firewall, ssh server... security in general

7 replies [Last post]
Harris Paltrowitz
Joined: 04/25/2016

Hi all,

I’m a new user of Trisquel, and I’d like to give it a thorough tryout — I do like it a lot so far. My question is about firewalls and related security items — I’ve done some research and now I have specific questions.

First, I’ve read on the Trisquel forum that gufw (which is a GUI front-end to ufw, which is a front-end to iptables) is a popular and possibly even recommended “firewall” for Linux. Now, I had recently been using Debian, and after merely installing and enabling ufw, I listed out the output of “iptables -L” and posted it to the debian-user mailing list, asking whether this set of rules appeared to provide basic, block-all-incoming-connection protection. However, after at least one person pointed out several “holes” in these rules, I started to get very disconcerted… Really, all I’m looking for is to feel as “relatively comfortable” as someone who uses Windows or Mac and merely enables the built-in firewall. I certainly am not interested in delving into any arcane logic within the various iptables rules… I just want something simple yet secure!

I’ve also read various forums that say various things in this regard, such as:
1) A firewall is not needed in Linux;
2) A firewall is only needed if the Linux box is running an ssh server;
3) A firewall is not needed as long as one does not use public wifi;
4) Trisquel evidently included an ssh server by default in version 6, but not in version 7.

Please help! Any advice would really be welcome here. I would define myself as someone who has done some shell scripting in the past (mainly in Unix) although currently, I want my Linux setup to be as simple and straightforward as possible, while offering a high level of security.

Thanks in advance.
-Harris

SuperTramp83
Joined: 10/31/2014

On a default Trisquel installation there are very few open listening ports if I remember correctly.

*sudo netstat -tulpn | grep LISTEN* will give you the info on which ports are **open and listening** to the netz. You can quietly ignore those listening on the localhost (127.0.0.1) for those are not visible externally.

> A firewall is not needed in Linux

True, when and if there are no open listening ports (Ubuntu by default).

An excellent practice IMHO is to purge any and every service you don't need. For example, if you don't have a printer do you really need cups?

Mind that we are very precise with some words here - we call Linux the kernel and GNU/Linux the OS.

Btw, welcome!
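The advice above (list the listening sockets, ignore the ones bound to loopback) as a small script, added here as an example and not part of the original post. It assumes the column layout of Linux net-tools `netstat -tulpn`; the sample rows are the three Harris posted plus two made-up ones (an sshd and a DHCP client) so that the "externally reachable" case shows up:

```shell
#!/bin/sh
# Added example (not from the thread): sort the listening sockets reported by
# "netstat -tulpn" into loopback-only and externally reachable ones.
# Column layout assumed (Linux net-tools netstat): Proto Recv-Q Send-Q
# Local-Address Foreign-Address [State] PID/Program; UDP rows have no State.

# is_loopback ADDR:PORT -> true if the socket is bound to a loopback address.
# Anything in 127.0.0.0/8 counts (dnsmasq's 127.0.1.1 included), as does ::1.
# 0.0.0.0 and :: mean "all interfaces" and are therefore reachable externally.
is_loopback() {
    case "$1" in
        127.*)        return 0 ;;
        ::1:*)        return 0 ;;   # netstat prints IPv6 loopback as ::1:PORT
        \[::1\]:*)    return 0 ;;   # ss prints it as [::1]:PORT
        *)            return 1 ;;
    esac
}

# classify_listeners: read netstat rows on stdin, write one line per socket:
#   loopback|external PROTO LOCAL-ADDRESS PID/PROGRAM
# Header rows ("Active Internet connections", "Proto Recv-Q ...") are skipped.
classify_listeners() {
    while read -r proto recvq sendq laddr faddr rest; do
        case "$proto" in
            tcp*|udp*) ;;
            *) continue ;;
        esac
        prog="${rest##* }"        # last field: PID/Program name
        if is_loopback "$laddr"; then
            printf 'loopback %s %s %s\n' "$proto" "$laddr" "$prog"
        else
            printf 'external %s %s %s\n' "$proto" "$laddr" "$prog"
        fi
    done
}

# count_external: number of externally reachable sockets in stdin.
count_external() {
    classify_listeners | awk '/^external /{n++} END{print n+0}'
}

# Constructed sample input: netstat's two header rows, the three rows Harris
# posted, plus an sshd and a DHCP client row made up here for the external case.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 1272/dnsmasq
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2120/cupsd
tcp6 0 0 ::1:631 :::* LISTEN 2120/cupsd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 900/sshd
udp 0 0 0.0.0.0:68 0.0.0.0:* 700/dhclient'

printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners
printf 'externally reachable sockets: %s\n' \
    "$(printf '%s\n' "$SAMPLE_NETSTAT" | count_external)"
# On a real machine: sudo netstat -tulpn | classify_listeners
```

Everything tagged `external` is what a host-based firewall would actually be protecting; with Harris's three rows alone the count is zero, which is the situation SuperTramp83 describes as not needing one. Note that `-l` lists UDP sockets too, which `grep LISTEN` drops, so the script keeps them.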

Harris Paltrowitz
Joined: 04/25/2016

On Mon, Apr 25, 2016 at 6:54 PM, name at domain wrote:

> *sudo netstat -tulpn | grep LISTEN* will give you the info on which
> ports are **open and listening** to the netz. You can quietly ignore
> those listening on the localhost (127.0.0.1) for those are not
> visible externally.
>

Hey thanks. After I enabled ufw, here's the output of the command you
mentioned:

tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 1272/dnsmasq
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2120/cupsd
tcp6 0 0 ::1:631 :::* LISTEN 2120/cupsd

I will leave CUPS, as I'll definitely be installing a printer. Any
thoughts on the other output line?

>
> Btw, welcome!

Thank you! I hope I'll be staying with Trisquel, and if I do, I'll do
my part to help with the project in any way I can.

Cheers
Harris

cooloutac
Joined: 06/27/2015

dnsmasq is actually supposed to be like a local proxy for DNS requests for security purposes. But I always feel like it's more a vulnerability just having it running, but I could be wrong; maybe because I just feel better with nothing listening or broadcasting to anything that's not necessary.

You can disable it in /etc/NetworkManager/NetworkManager.conf
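The edit cooloutac refers to, as an added example rather than anything from the post: it assumes the Ubuntu-era NetworkManager.conf layout in which the `[main]` section carries `dns=dnsmasq`, the key that makes NetworkManager spawn the dnsmasq listening on 127.0.1.1:53. The file path is a parameter so the change can be tried on a copy; the sample config is constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): turn off NetworkManager's dnsmasq
# resolver (the 127.0.1.1:53 listener in Harris's output) by commenting out
# the "dns=dnsmasq" key. Assumes the Ubuntu-era NetworkManager.conf layout in
# which that key lives in the [main] section. The file path is a parameter so
# the edit can be tried on a copy; on a live system it is
# /etc/NetworkManager/NetworkManager.conf, needs root, and takes effect after
# restarting NetworkManager.

# nm_dnsmasq_enabled FILE -> true if an uncommented dns=dnsmasq line is present.
nm_dnsmasq_enabled() {
    grep -q '^[[:space:]]*dns[[:space:]]*=[[:space:]]*dnsmasq[[:space:]]*$' "$1"
}

# disable_nm_dnsmasq FILE -> comment out dns=dnsmasq in place. Idempotent:
# an already commented line does not match the pattern and is left untouched.
disable_nm_dnsmasq() {
    conf="$1"
    tmp=$(mktemp) || return 1
    sed 's/^[[:space:]]*dns[[:space:]]*=[[:space:]]*dnsmasq[[:space:]]*$/#&/' "$conf" > "$tmp" \
        && cat "$tmp" > "$conf"
    status=$?
    rm -f "$tmp"
    return $status
}

# Constructed sample config in the Trisquel 7 / Ubuntu 14.04 style.
SAMPLE_NM_CONF='[main]
plugins=ifupdown,keyfile,ofono
dns=dnsmasq

[ifupdown]
managed=false'

demo=$(mktemp)
printf '%s\n' "$SAMPLE_NM_CONF" > "$demo"
disable_nm_dnsmasq "$demo"
cat "$demo"
rm -f "$demo"
```

After the change NetworkManager writes the DHCP-supplied nameservers straight into /etc/resolv.conf instead of pointing it at 127.0.1.1, so the local listener disappears from `netstat -tulpn`; re-running the function is harmless because the commented line no longer matches.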

Magic Banana
Joined: 07/24/2010

With a "personal firewall" (I am not talking about professional usages), proprietary software users protect themselves from the programs they installed (that can be remotely controlled by their real owners, that can send private information to them, etc.) and from those they have not willfully installed but that are there anyway (such as Trojan horses). With free software, the first issue basically is nonexistent (except for Ubuntu's spyware): the users control the software. And because crackers do not usually attack GNU/Linux (fewer users, who are not easily duped, who run a great variety of applications, who do not run them as root, who have automatic security updates, etc.), the second issue essentially is nonexistent as well.

Harris Paltrowitz
Joined: 04/25/2016

On Mon, Apr 25, 2016 at 9:21 PM, name at domain wrote:
> With a "personal firewall" (I am not talking about professional
> usages), proprietary software users protect themselves from the
> programs they installed (that can be remotely controlled by their
> real owners, that can send private information to them, etc.) and
> from those they have not willfully installed but that are there
> anyway (such as Trojan horses). With free software, the first issue
> basically is nonexistent (except for Ubuntu's spyware): the users
> control the software. And because crackers do not usually attack
> GNU/Linux (fewer users, who are not easily duped, who run a great
> variety of applications, who do not run them as root, who have
> automatic security updates, etc.), the second issue essentially is
> nonexistent as well.

Thanks for your comments. I wonder if the crackers will ever start
attacking GNU/Linux... as an aside, there's a really fun new TV show
called Mr. Robot (here in the USA) that features a really good cracker,
and he uses GNU/Linux at his day job... cool show, if you get a chance
to see it.

-Harris

Magic Banana
Joined: 07/24/2010

I saw it. Popcorn Time. ;-)

SuperTramp83
Joined: 10/31/2014

We who present free software as a defense against malware do not say it is a perfect defense. No perfect defense is known. We don't say the community will deter malware without fail. Thus, strictly speaking, the Ubuntu spyware example doesn't mean we have to eat our words.

But there's more at stake here than whether some of us have to eat some words. What's at stake is whether our community can effectively use the argument based on proprietary spyware. If we can only say, “free software won't spy on you, unless it's Ubuntu,” that's much less powerful than saying, “free software won't spy on you.”

https://www.gnu.org/philosophy/ubuntu-spyware.en.html