Close ports without UFW
- Inicie sesión ou rexístrese para enviar comentarios
Hello all.
So, I was thinking, since Trisquel is installed without UFW, and because UFW always says "it's not verified" or something when trying to install (even if it does, the warning causes me to think if everything is alright), I have came to think, how can I close ports without UFW installed?
Can I make the incoming connections be rejected at least?
Thanks in advance for reading and helping me =)
Ports are closed, unless something is listening on them. There is the sshd by default, a decision I don't agree with. Of course, if you install more servers, you're opening more ports.
I believe that verification error thing will go away if you just wait.
Please, calm down.... C'mon man, breath slowly.... That's good...
Now that you are at peace with the universe, please, explain, what is the matter with those two ports you mentioned? If it is VPRO technology, my computer has no such thing.
Could you please explain in more detail please? Thanks.
Also, I keep asking, how can I close ports without ufw??
UFW is really just a frontend for iptables, and you could just use iptables by itself to close stuff down.. Although honestly, that's a bit of a royal pain in the ass. =x
I'd recommend you just install and use Firestarter, it has a nice gui and can "stealth" your machine.
Unfortunately no. I tested the ports condition and there were a couple of them opened (22 and a couple of others). Like, OPENED! In the RED! That just made me angry ya know, because all my ISP has to do is just have a bot waiting ffor any connection to happen and attack those ports.
I have been trying to find a way around it, but I have no resources (having another computer running a shared wifi connection, with protection already in place would be good, but like I said, no resources).
I really would like to know why ufw (which is less than 1 megabyte) was left out. Is it absolutely necessary? maybe not, but it wouldn't hurt. And for me, yes its necessary.
However, is it possible to close those ports without ufw? What services are running in a Trisquel default installation that leave open ports? If I disabled those before I connected to the internet maybe I could have the ports closed....
Do you have a firewall on your router? You could always use DD-WRT (GPL) or OpenWRT (GPL and other free software licences) if your hardware supports it. Also, if you don't need SSH, then just deactivate sshd.
No unfortunately I don't use a router. But still, yes, deactivating the service is one way to do it, BUT i guess the port itself remains open.
Someone suggested to me to use Firestarter, well that's like using UFW or GUFW, all the same thing. I can use both GUI and terminal commands, however, I didn't want to connect to the internet everytime I install a new Trisquel, BEFORE installing the firewall.
And commands like "iptables" won't do anything, Trisquel does not recognize them.
Put your /home/ directory on a separate partition than your OS (Trisquel) or download it to a flash drive so that you can reinstall Trisquel with a firewall without having to connect to the internet. You can see what ports are open on your computer by entering netstat -nap. The port for SSH should close when you stop sshd, but you can use netstat to make sure. Iptables should be included with Trisquel, so that is strange. I would recommend GUFW over Firestarter, as Firestarter is no longer developed last time I looked into it.
First, thank you very much for your comments. Much appreciated =)
However, I fail to see how copying /home/ directory would help me... I am not afraid people taking a look at my files (the first thing i do is install firewall, so there are still no files there), I worry about an attack that might compromise the system before I install firewall (and stays in the system afterwards).
I agree, GUFW is better.
No problem :). I was just thinking that if you don't have a flash drive available, you could just put the DEB/source in your home directory so you don't have to connect to the internet when you install Trisquel. If you want to install it without any other files, then I would just put it on a CD/DVD or flash drive.
You suggest I download the .deb file of ufw (from debian for example) and use it to install, is that it?
I thought of that, but it seems ufw has dependencies, and even if I was to install those dependencies deb files too, they TOO have dependencies themselves.
I think the only way to install it properly would be using the package manager, but again, that requires network connection already activated.
I really don't get WHY ufw does not come by default, and also WHY the package manager alerts me that the source is not verified or something like that....
As frustrating as it is, you can download all of the dependencies. I build most of my software from source (along with the dependencies), so I have gotten used to it.
The source is fine; it just hasn't updated yet. I am new here, so I can't answer why UFW isn't included, but my best guess is that it is made by Canonical (maker of Ubuntu).
Thank you very much for your help.
I will maybe try doing that, downloading all the deb files needed. Do you have any idea which ones I would have to download (meaning ones that are not already installed in Trisquel) ?
I wouldn't think that was the reason, I remember reading an old thread (before I signed up) where someone (I believe it could have been Ruben, but I am not positive) said "Trisquel doesn't need a firewall, so having one would mislead new users".
So, if I can ask (although OT) what has brought you to Trisquel? Or better, why do you choose a free software only distro?
I am not using Trisquel on the computer I'm using at the moment (I have UEFI), so I'm not sure what is preinstalled in Trisquel.
Here is the list of all dependencies:
http://pastebin.com/DKMzjWZV
I'm not sure why it wouldn't need a firewall...
I am starting to use Trisquel because I am tired of free software and my privacy being abused. I switched from Ubuntu to more free alternatives after Ubuntu started taking advantage of their userbase, and started taking the contributions of the community, then profiting off of them.
Thanks for the reply and.... man I am so sorry you have to put up with UEFI =S
Hope you recover fast and can ever speak again =S
Ok, jokes aside, thanks for the link ;)
I don't think I will venture myself into installing all of that on my own =S I would get mad before I ended and would probably give up on Trisquel and security and freedom altogether xD lol.
I agree, ANY OPERATING SYSTEM NEEDS FIREWALL!
Yeah, my choosing Trisquel also had to do with that. I was not with Ubuntu for some time (gave up on them once they picked Unity) and after trying many distros, I settled for Mint. And I have to say, as a end user, if you don't care much about privacy and security, you know if you just want a "free of charge replacement for windows", Linux Mint actually was the best option. I think IT IS the best operating system for USERS who want a FREE WINDOWS.
But as a power user who has privacy and security as a primary goal, the thought of having Java and Flash always opening security holes in the system, proprietary drivers spying on me, and not being able to trust the computer because I didn't know how much of "Ubuntu evil code" was still present in Mint... I decided it was time for a change. Free software only OS, was the choice. Trisquel was the only option that did not required me to learn a LOT of new things all of a sudden. So, here I am.
However, if one wants a true secure system and dreams of becoming "the ultimate nerd" I would suggest OpenBSD. xD ahahaha between being difficult to even boot the damn thing and keeping up with Theo de Raat.... I don't think you can go any further than that xD
Jokes aside, OpenBSD project actually made the computers world more free and secure. We owe them. But if they kill a project like GnoBSD, I just don't want to be a part of that...
And I am happy with Trisquel. Let's see what the future holds but for the time being, here I am =)
No problem!
The UEFI has been awful, as there is no option to disable it. They didn't even include Legacy BIOS :(. It's awful.
It is a huge amount of dependencies to scrap together, so all I can think of is to use a router or physical firewall (Raspberry Pi (not completely FOSS last time I checked), or BeagleBone Black would work as a small physical firewall. You could edit iptables manually, but it's a real pain.
I actually am using Mint on my laptop and Debian on my desktop, but I'm switching the laptop to Trisquel when I have a chance to transfer everything. It definitely is a nice distro for beginners, but it is filled with codecs and flash on my version. Debian is really nice, as it has taught me a lot about Linux, and has a deblobbed kernel. I know that it isn't FSF/GNU approved yet due to the nonfree branch, but if you disable it, it makes a nice system.
OpenBSD looks like fun XD, but it is a shame that the community was so hostile to a project that tried to bring OpenBSD to regular users.
Yes, Debian is a very stable and secure distro. And much of their work as improved the whole free software community, the FSF should remember that!
But again, just because the FSF says something is not free, it doesn't mean it actually isn't ;) Unless they copyrighted the term "free software" xD ahahah
Anyway, I prefer Trisquel mainly because since it has a "free only" policy, it's actually harder for something malicious to get under the radar.
OpenBSD needs a couple of programmers and users who just say "f*** you Theo" and fork the project.
I am actually interested in trying Debian... hum, wonder how that would go...
FSF maintains its definition of "free software". Even if Debian originated within the FSF, it has its own "free software guidelines". Finally, the OSI defines what is "open source". Those three definitions cover almost the same "thing".
Nevertheless, there are small differences that lead to three slightly different sets of guidelines for a distribution to be praised by the related "entity". The differences can be argued. Why would the FSF have to abandon its opinions on what is "free" and agree with Debian on everything?
Also, see if this discussion helps you fix your iptables command:
https://www.linuxquestions.org/questions/linux-newbie-8/iptables-command-not-found-85050/
I still don't understand why you think you need a firewall.
You don't need a firewall.
When there are no programs listening and reading information send through network ports, it doesn't matter what information is send to your computer. The information will just get ignored, wherever it's malicious or not. It won't even be read.
Now, by default in Trisquel there are several programs (called "services") that indeed listen and read messages send through network ports. These are the:
- OpenSSH server, used for remote access to your computer
- CUPS server, used for access to printers
- SMB server, used for file sharing with Windows operating systems
- Dnsmasq server, used for something that has to do with DNS
When you type "ss -ln
" you'll see all ports on which services listen on:
- OpenSSH listens on port
*:22
- CUPS listens on port
127.0.0.1:631
- SMB listens on ports
*:139
and*:445
- Dnsmasq listens on port
127.0.0.1:53
First, notice that CUPS and Dnsmasq ports start with 127.0.0.1
. This means that they will only listen on their ports, if the connection is send by your computer. Messages from other computers will be ignored.
Then there are OpenSSH and SMB which ports start with *
. This means that they will listen to messages send by other computers. But that doesn't mean your computer will get cracked. These programs were written by many people who understand and are concerned with computer security.
One thing you should keep in mind is, if someone knows your username, password and IP-address, he may be able to access remotely your computer through SSH.
There's the possibility that there's might be a security hole in OpenSSH or SMB. A hole of which only bad people know. If that concerns you, then you should just stop those two services. You don't need a firewall.
I also stop CUPS, just because I don't use it. To stop those services, you do:
echo "manual" | sudo tee /etc/init/cups.override echo "manual" | sudo tee /etc/init/smbd.override echo "manual" | sudo tee /etc/init/ssh.override sudo stop cups sudo stop smbd sudo stop ssh
Now if you do "ss -ln
", you'll probably see only dnsmasg listening on port 127.0.0.1:54. I don't know if dnsmasg is useful for me. It doesn’t listen to other computers anyway, so I leave it be.
When I want to start the SSH server, I do "sudo start ssh
". When I finish, I do "sudo stop ssh
".
Your concerns arise from you not understanding. I suggest you try to learn how computers and GNU systems work. I suggest to you the website http://codeschool.org/. There you'll find video lesson on programming, operating systems and how computers work. The lessons that most closely concern this topic are:
- "Hardware and operating system basics"
- "The Internet"
- "Unix system calls"
A firewall is important in case the system is compromised...
In what use case can the firewall give you significant protection, when your system is already compromised? If you run a malicious program, that program is be able to do anything you can. If you are the one who installs and enables the firewall, then the malicious program can disable it.
A firewall allows you to more easily control network connections, but it definitely isn't an essential security measure for a typical system.
That is why a physical firewall is the best route. Telling people not to use a firewall is telling them to undermine their security. See how it worked out for Sony... The best route is to use a physical firewall and an IDS, such as Snort.
You are assuming that the malicious program has root privileges. That is often not the case.
Don't forget that a firewall can show you how someone tried to attack your network, so that you can report it.
PS: In tutorials I've seen the firewall is configure to only deny some or all incoming connections. That's all it does. This doesn't give you more security than simply disabling services listening on ports. If you run a malicious program, it can just use an outgoing connection, which makes more sense in any case.
By default that is true. But many malicious programs communicate over non-standard ports where a firewall could have blocked. Firewalls can block incoming and outgoing communications. Personally, I combine my physical firewall with Snort IDS, which will alert you about most malicious activity.
-The CAPTCHA glitched and posted twice-
Firewall is not a "magical solution for all problems". But it certainly helps.
It makes you harder to detect on the web (stops wannabe hackers from messing with you).
It makes a log of what happens in your network.
It prevent that a program connects to a outside server without you wanting it (at least makes it more difficult).
I believe and maintain that Trisquel should come with ufw at least. Gufw would be good too.
And I would like to use a physical firewall, but at the moment I cannot. =(
If you don't mind me asking, why can't you use a physical firewall? Even a Raspberry Pi can run as a firewall XD.
I don't mind you asking, not at all =)
However, I can't give much details, suffice to say I have no other machines available at the time. I have only one computer, and no way to set a physical firewall.
So, I really need to go with ufw.
But thanks for asking =)
> You are assuming that the malicious program has root privileges. That is often not the case.
It definitely is the case. It's very typical to run a one-user system. When you install a program on a system such as Trisquel, you most often do it with root privileges. But even in cases you run the malicious program without first installing it as root, it's typically done by the same user who has sudo privileges. The next time this user enters his password to gain root privileges by a sudo command, the malicious program can find out the password.
> Telling people not to use a firewall is telling them to undermine their security.
What I'm trying to say to people is, that installing a firewall on your computer to block incoming connections ports such as 22 (SSH) or similar is meaningless.
But I do care to learn of a good use case, where a firewall installed on my one-user system can give me significant protection.
You are referring to the software firewall. I agree that it isn't very helpful, but in GNUuser's case, it is better than nothing. The best option is to use a physical firewall, which cannot be affected by the malicious program on the computer. A firewall is definitely not an end-all solution, but it does help in some scenarios. As I mentioned earlier, my IDS has been one of the most useful tools as far as network security goes.
Agreed. It's better than nothing.
Anyway, I would like to thank both of you, both have provided very helpful comments (Mampir actually told me what services to stop and how to do that, thank you very much).
I am not an inexperienced user when it comes down to security, mind you, but I make a point to always try to learn more and more =)
Thank you both!
And of course, thanks vPro for more insanity =P
eheheh
- Inicie sesión ou rexístrese para enviar comentarios