
Thread: Do I need a Firewall for Ubuntu?


  1. #1
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,771
    Distro
    Ubuntu 10.04 Lucid Lynx

    Do I need a Firewall for Ubuntu?

    The information in this thread has been moved to https://help.ubuntu.com/community/DoINeedAFirewall

    A thread for discussion of the wiki page only can be found here http://ubuntuforums.org/showthread.p...2#post12088432

    Thread closed.



    I am writing this because the previously posed question is asked consistently on this forum. I am hoping that I can create something of a generally accepted answer that contains all the necessary links to appropriate resources.


    So the question posed : Do I need a Firewall for Ubuntu?


    Truthfully, this is a subjective question. Ultimately it depends on your tolerance for risk and your use case. However, since it is impossible to tailor this discussion to fit everyone's needs we will focus on a model that is in line with best practices.


    What I want to address are some assumptions, or misunderstandings about firewall methodology in general and in regard to Ubuntu Linux.

    What firewall does Ubuntu have?


    Ubuntu, as with all post-2.2/2.4 kernel Linux distributions, comes with the netfilter/iptables framework. This framework is a set of kernel modules that can be utilized to create packet filtering rules at the kernel level. Rules are written in iptables format, which is the method of conveying instructions to netfilter, and in essence to the Linux kernel.


    Ubuntu also includes an application called Uncomplicated Firewall (UFW). This is a userspace application that essentially can be used to create iptables rules. There is also a GUI for UFW called GUFW, which provides a graphical interface for UFW. Again, remember: UFW is simply writing iptables rules and sending them off to netfilter, and thus the kernel. It is NOT a firewall in and of itself.

    There are other applications such as Firestarter, which essentially cover the same ground as UFW. The Firestarter project is out of development, and was bug-prone even when it was actively developed. I do not recommend it, and since it is not the default it will not be covered. It is important to know that there is nothing Firestarter can do that you cannot do with either UFW or by interacting directly with iptables.


    You need to realize that Ubuntu's firewall is not enabled by default. You have to enable it.


    iptables documentation
    ufw documentation



    I have no open ports, so I don't need a firewall, right?


    Well, not really. This is a common misconception. First, let us understand what an open port actually is. An open port is a port that has a service (like SSH) bound to it and listening. When the SSH client tries to communicate with the SSH server it sends a TCP SYN packet to the SSH port (22 by default), and the server ACKnowledges it, thus creating a new connection.


    The misconception in how a firewall can help you begins here. Some users assume that since you are running no services, a connection cannot be made, so you do not need a firewall. If these were the only things you needed to think about, this would be perfectly acceptable. However, this is only part of the picture.


    There are two additional factors that come into play here. One, if you do not utilize a firewall on the basis that you have no open ports, you are crippling your own security, because if an application that you do have is exploited and code execution occurs, a new socket can be created and bound to an arbitrary port. The other important factor is that if you are not utilizing a firewall you also have no outbound traffic control whatsoever. In the wake of an exploited application, instead of a new socket being created and a port being bound, an alternative an attacker can utilize is to create a reverse connection back to a malicious machine. Without any firewall rules in place this connection will go through unhindered.

    Article demonstrating how different types of firewall rules can be bypassed by an attacker.


    If you were setting up a desktop system with best practices in mind you would want both strict inbound and strict outbound firewall rules. This would minimize the impact of either a listening service being bound or a reverse connection being initiated.


    Strong Outbound Rules for UFW
    Strong Outbound rules using UFW, GUFW or iptables



    You just said I have no services listening so then how can an application become compromised?


    You need to understand what I (and others) mean when we say a listening service. When we are saying listening service we are referring to a persistent service listening for incoming connections, examples would be SSH, Apache, MySQL, FTP, VNC, and a myriad of other services you may have running.


    However, you are exposed to new connections to your system many times every single day. In fact, the act of loading this post alone created no fewer than one new connection to your machine, possibly more.


    Now for a moment, assume that this wasn't Ubuntu Forums, and that it was a malicious site you accidentally visited. If this site were crafted in such a way that it could take advantage of a flaw in your browser, it could be used to execute malicious code on your machine. If this occurs, a possible outcome would be to open a connection to another machine, so that machine could remotely access yours. Strong firewall rules in some cases can help to mitigate that risk. If the packets used to create that connection are filtered by your firewall, the connection will never happen. Another example you are likely exposed to would be maliciously crafted media files, or perhaps a malicious ODT or PDF file. These are all common attack vectors, and something you are relatively likely to encounter.

    As we can see, our firewall can mitigate some of this; however, there are ways around it. If you read the article in the section about inbound and outbound rules, it demonstrated how even a strong firewall can be bypassed. A firewall is a great tool for stopping automated exploitation, but as the article showed, a dedicated attacker will find a way around this. Thankfully we have a number of tools at our disposal to help mitigate risk further.


    We can contain what our applications can do by utilizing mandatory access controls through applications like AppArmor. AppArmor can essentially harden your applications against a zero-day exploit by limiting what an exploited application can do to its core functionality. Even if your application were compromised, the attacker in theory would only be able to execute the innate functionality of the application.


    AppArmor forum sticky



    Additionally, in terms of browser security we can take another step by using a browser extension like NoScript for Firefox or NotScripts for Chrome. One of the most serious threats to the average desktop user is browser-based exploits. These add-ons go a long way in limiting the ability of a browser-based exploit to take place.


    If you utilize all three of these methods (a strong firewall, mandatory access controls, and browser add-ons), you will see that we now have a strong three-layer approach to desktop security, which is preferable to any one of the approaches by itself. It now gives us three layers of protection a potential attacker has to circumvent. This reduces the odds of an automated attack being successful to almost zero and greatly reduces the threat of an advanced attacker targeting you.


    You can go a step further by protecting your private data via encryption. However that is outside the scope of this discussion. So I will leave you to research that on your own.

    Well, I'm behind a NAT router so none of this is for me, right?


    Wrong again. A NAT router is a great addition to your security, but as I've been enforcing throughout this post, there is no catch-all solution.


    A NAT router will prevent a service from being bound and accessible from the Internet. That being said, it works a lot like the strong inbound-only rules we discussed earlier in this post. It does not provide protection against methods like a reverse connection designed to bypass a firewall. Another important thing to note is that the NAT router's protection is not host-based, so if another machine on your network is compromised the NAT router will offer your machine no protection.


    When used in conjunction with the other topics we've discussed in this post a NAT router is an excellent hardening measure; however, as a stand-alone solution it is lacking in many ways.


    Hopefully this has been educational, and given you an idea of ways that you can utilize your firewall and other security applications to increase your level of protection.

    Additional Resources:

    Ubuntu Forums Security Sticky
    Last edited by nothingspecial; July 9th, 2012 at 05:27 PM.
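    The post above defines an open port as a service bound to a port and listening. The following is an added example, not part of Dangertux's post, showing how to verify that on your own machine without any third-party tool by reading the kernel's socket tables in /proc/net/tcp and /proc/net/tcp6. It assumes the Linux /proc layout; the two sample tables embedded in the block are constructed in that layout so the parser can be exercised offline, and the inode values in them are made up.

```python
"""Enumerate listening TCP sockets straight from /proc/net/tcp and /proc/net/tcp6.

Added example for this thread, not code from the original post. It assumes the
Linux /proc format: a header row, then one row per socket whose local address
is hex-encoded "ADDR:PORT" and whose state column is hex (0A == LISTEN).
"""
import socket
import struct

TCP_LISTEN = "0A"


def decode_proc_addr(hex_addr: str, ipv6: bool) -> str:
    """Decode the kernel's hex address field into dotted/colon notation.

    IPv4 is stored as one little-endian 32-bit word ("0100007F" -> 127.0.0.1);
    IPv6 as four little-endian 32-bit words, so each word is byte-swapped.
    """
    raw = bytes.fromhex(hex_addr)
    if not ipv6:
        return socket.inet_ntop(socket.AF_INET, raw[::-1])
    words = struct.unpack("<4I", raw)
    return socket.inet_ntop(socket.AF_INET6, struct.pack(">4I", *words))


def parse_proc_net_tcp(table: str, ipv6: bool = False):
    """Return (local_ip, port, inode) for every row in LISTEN state."""
    listeners = []
    for row in table.splitlines()[1:]:  # first row is the column header
        fields = row.split()
        if len(fields) < 10:
            continue
        local, state, inode = fields[1], fields[3], fields[9]
        if state != TCP_LISTEN:
            continue  # ESTABLISHED, TIME_WAIT, ... are not open ports
        addr_hex, port_hex = local.rsplit(":", 1)
        listeners.append((decode_proc_addr(addr_hex, ipv6), int(port_hex, 16), inode))
    return listeners


def listening_sockets(proc="/proc"):
    """Live check on a Linux host: every TCP listener the kernel knows about."""
    found = []
    for name, ipv6 in (("tcp", False), ("tcp6", True)):
        try:
            with open(f"{proc}/net/{name}") as fh:
                found.extend(parse_proc_net_tcp(fh.read(), ipv6))
        except FileNotFoundError:
            pass  # IPv6 disabled, or not a Linux host
    return found


# Constructed sample in the /proc/net/tcp layout: sshd on 0.0.0.0:22 (0016),
# CUPS on 127.0.0.1:631 (0277), and one ESTABLISHED (01) client connection
# to a remote port 443 (01BB) that must not be reported as an open port.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:D2E4 1464A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""

# Constructed /proc/net/tcp6 row: a listener bound to [::1]:631.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:0277 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    sample = parse_proc_net_tcp(SAMPLE_TCP) + parse_proc_net_tcp(SAMPLE_TCP6, ipv6=True)
    for ip, port, inode in sample:
        print(f"LISTEN {ip}:{port} (inode {inode})")
    print("live listeners on this host:", listening_sockets())
```

    A listener on 127.0.0.1 or ::1 is reachable only from the machine itself, whereas 0.0.0.0 or :: is bound on every interface; both show up here, and both are what the post calls a persistent listening service. The inode column is what lets you map a listener back to a process (it appears in /proc/<pid>/fd), which is the step to take when a port you did not expect shows up.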

  2. #2
    Join Date
    Apr 2011
    Beans
    207
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Do I need a Firewall for Ubuntu?

    I think that covers about everything that has been mentioned in the last few threads on this subject.

    STRENGTH IN DEPTH

    The only thing I'd add to that is the usefulness of firewall logs, especially SYSLOG from the modem detailing ALL inbound & outbound traffic. Being able to SEE (in real time) what is happening greatly adds to overall security.
    You can take my trousers but you won't take my Freedom !

  3. #3
    Join Date
    Aug 2011
    Beans
    22
    Distro
    Kubuntu 11.04 Natty Narwhal

    Re: Do I need a Firewall for Ubuntu?

    Great post Dangertux, thanks a lot!

    Following your advice (and bodhi.zazhen's) I modified my UFW rules; I previously had the default: deny in, allow out. I now defined stricter outbound rules, i.e. deny all except web browsing, mail, Skype, SSH and torrents.

    Here is the ufw status. Am I doing this right, Masters, or have I botched it again?


    sudo ufw status
    Status: active

    To                         Action      From
    --                         ------      ----
    53/udp                     ALLOW OUT   Anywhere
    22,25,80,443/tcp           ALLOW OUT   Anywhere
    6881/tcp                   ALLOW OUT   Anywhere
    4444/udp                   ALLOW OUT   Anywhere
    443/tcp                    ALLOW OUT   Anywhere
    995/tcp                    ALLOW OUT   Anywhere
    465/tcp                    ALLOW OUT   Anywhere
    61310/tcp                  ALLOW OUT   Anywhere
    Anywhere                   DENY OUT    Anywhere
    53/udp                     ALLOW OUT   Anywhere (v6)
    22,25,80,443/tcp           ALLOW OUT   Anywhere (v6)
    6881/tcp                   ALLOW OUT   Anywhere (v6)
    4444/udp                   ALLOW OUT   Anywhere (v6)
    443/tcp                    ALLOW OUT   Anywhere (v6)
    995/tcp                    ALLOW OUT   Anywhere (v6)
    465/tcp                    ALLOW OUT   Anywhere (v6)
    61310/tcp                  ALLOW OUT   Anywhere (v6)
    Anywhere (v6)              DENY OUT    Anywhere (v6)

  4. #4
    Join Date
    Sep 2011
    Location
    ORYGUN (Oregon)
    Beans
    68

    Re: Do I need a Firewall for Ubuntu?

    I will have to agree with security in layers; also, it depends on what you have behind there. Some load balancers aren't super secure, so using a firewall is always a good idea, software or hardware.

  5. #5
    Join Date
    Oct 2011
    Beans
    17

    Re: Do I need a Firewall for Ubuntu?

    Excellent post Dangertux. I hope this gets stickied.

  6. #6
    Join Date
    Aug 2011
    Beans
    91

    Re: Do I need a Firewall for Ubuntu?

    Yes, another great post. Vote for sticky

  7. #7
    Join Date
    Apr 2011
    Beans
    207
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Do I need a Firewall for Ubuntu?

    Quote Originally Posted by PeteAsdf
    Great post Dangertux, thanks a lot!

    Following your advice (and bodhi.zazhen's) I modified my UFW rules; I previously had the default: deny in, allow out. I now defined stricter outbound rules, i.e. deny all except web browsing, mail, Skype, SSH and torrents.

    Here is the ufw status. Am I doing this right, Masters, or have I botched it again?


    sudo ufw status
    Status: active

    To                         Action      From
    --                         ------      ----
    53/udp                     ALLOW OUT   Anywhere
    22,25,80,443/tcp           ALLOW OUT   Anywhere
    6881/tcp                   ALLOW OUT   Anywhere
    4444/udp                   ALLOW OUT   Anywhere
    443/tcp                    ALLOW OUT   Anywhere
    995/tcp                    ALLOW OUT   Anywhere
    465/tcp                    ALLOW OUT   Anywhere
    61310/tcp                  ALLOW OUT   Anywhere
    Anywhere                   DENY OUT    Anywhere
    53/udp                     ALLOW OUT   Anywhere (v6)
    22,25,80,443/tcp           ALLOW OUT   Anywhere (v6)
    6881/tcp                   ALLOW OUT   Anywhere (v6)
    4444/udp                   ALLOW OUT   Anywhere (v6)
    443/tcp                    ALLOW OUT   Anywhere (v6)
    995/tcp                    ALLOW OUT   Anywhere (v6)
    465/tcp                    ALLOW OUT   Anywhere (v6)
    61310/tcp                  ALLOW OUT   Anywhere (v6)
    Anywhere (v6)              DENY OUT    Anywhere (v6)
    I'd add ALLOW OUT UDP 123 to that list so your system gets the correct time from the Ubuntu NTP server.

    You could always be even more secure by restricting POP3S (995) and secure SMTP (465) to the IP address of your mail server instead of 'Anywhere'. Same goes for SMTP (port 25).

    Some network functions won't work with this setup, such as WHOIS (port 43) and TRACEPATH (44444-44544?). Also Adobe Flash might have problems unless you open port 1935, but using this might expose you to Flash vulnerabilities.

    If using a shared printer on your network then you might have to open port 631 too (ALLOW both in and out). Otherwise keep it closed.
    Also maybe open port 5353 (mDNS), although I'm not too sure about this.

    Are you using static IPs or DHCP? If using DHCP, does it work with this configuration?
    Last edited by SparTacux; November 3rd, 2011 at 04:55 PM.
    You can take my trousers but you won't take my Freedom !
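    The first post argues for strict outbound rules, and PeteAsdf's status above shows one such ruleset, with SparTacux suggesting NTP and pinning the mail ports to one server. The following is an added example, not code from either post and not ufw's own source: a small Python model of how ufw decides the fate of an outbound flow (rules are consulted in the order they were added, the first match wins, and unmatched traffic falls through to the default policy). The rule lists mirror the posted status and the suggested tightening; the destination addresses are constructed from the TEST-NET ranges, and 192.0.2.25 stands in for a mail server.

```python
"""Model of ufw's outbound decision: rules are consulted in the order they were
added, the first match decides, and unmatched traffic falls through to the
default policy (deny, as in the posted status). Added example for this thread,
not ufw's own code; the rule lists and traffic below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str                       # "ALLOW" or "DENY"
    proto: str                        # "tcp", "udp" or "any"
    ports: frozenset = frozenset()    # empty set matches any port
    to: str = "0.0.0.0/0"             # destination network (ufw "To" column)


def port_set(spec: str) -> frozenset:
    """Expand ufw port syntax: '22,25,80,443' and ranges like '44444:44544'."""
    result = set()
    for part in spec.split(","):
        low, _, high = part.partition(":")
        result.update(range(int(low), int(high or low) + 1))
    return frozenset(result)


def egress_decision(rules, proto, dport, dst, default="DENY"):
    """Decide one outbound flow the way the OUTPUT chain would: first match wins."""
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if rule.ports and dport not in rule.ports:
            continue
        if ip_address(dst) not in ip_network(rule.to, strict=False):
            continue
        return rule.action
    return default


MAIL_SERVER = "192.0.2.25"  # constructed placeholder, not a real mail host

# PeteAsdf's status, IPv4 half, in the order it is listed.
POSTED_RULES = [
    Rule("ALLOW", "udp", port_set("53")),
    Rule("ALLOW", "tcp", port_set("22,25,80,443")),
    Rule("ALLOW", "tcp", port_set("6881")),
    Rule("ALLOW", "udp", port_set("4444")),
    Rule("ALLOW", "tcp", port_set("995")),
    Rule("ALLOW", "tcp", port_set("465")),
    Rule("ALLOW", "tcp", port_set("61310")),
    Rule("DENY", "any"),  # the explicit "Anywhere DENY OUT Anywhere" line
]

# Same intent with SparTacux's suggestions: NTP allowed, mail pinned to one host.
TIGHTER_RULES = [
    Rule("ALLOW", "udp", port_set("53")),
    Rule("ALLOW", "udp", port_set("123")),
    Rule("ALLOW", "tcp", port_set("22,80,443")),
    Rule("ALLOW", "tcp", port_set("465,995"), to=f"{MAIL_SERVER}/32"),
    Rule("DENY", "any"),
]

# Constructed outbound attempts: (proto, destination port, destination IP).
TRAFFIC = {
    "https":            ("tcp", 443,  "198.51.100.10"),
    "ntp":              ("udp", 123,  "198.51.100.11"),
    "pop3s_to_mail":    ("tcp", 995,  MAIL_SERVER),
    "pop3s_elsewhere":  ("tcp", 995,  "198.51.100.12"),
    "reverse_tcp_4444": ("tcp", 4444, "198.51.100.13"),  # reverse-shell callback
    "reverse_udp_4444": ("udp", 4444, "198.51.100.13"),
}


def evaluate(rules, traffic=TRAFFIC):
    """Run every sample flow through a rule list and return name -> verdict."""
    return {name: egress_decision(rules, *flow) for name, flow in traffic.items()}


def catch_all_first(rules):
    """Misordered variant: the catch-all DENY added before the ALLOW rules.
    ufw keeps insertion order, so this blocks everything, allows included."""
    return [r for r in rules if r.action == "DENY"] + [r for r in rules if r.action == "ALLOW"]


if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("tighter", TIGHTER_RULES),
                         ("misordered", catch_all_first(POSTED_RULES))):
        print(label, evaluate(rules))
```

    Two things the model makes visible. The posted rules stop the TCP callback to 4444 but pass a UDP datagram to 4444 on any host, because that rule has no destination restriction; pinning a port to one destination, as the tighter list does for 465 and 995, is what turns "allow this port" into "allow this service". And because ufw appends rules in the order given, issuing the catch-all deny first would silently block the allows added after it. The model covers only the user rules; real ufw also runs its before/after chains and connection tracking, so established replies to allowed flows are handled there.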

  8. #8
    Join Date
    Aug 2011
    Beans
    22
    Distro
    Kubuntu 11.04 Natty Narwhal

    Re: Do I need a Firewall for Ubuntu?

    Thanks for the suggestions, SparTacux!

    I enabled UDP 123. Flash is working fine even without 1935.

    I'm using DHCP and everything seems to be working OK with this setup. The one thing I noticed so far that's having a little trouble is Ubuntu One: it can't tell me how much space I'm using (gives some connection error message); however it is syncing fine so I'm not too worried. Do you know which port it is that U1 might be missing?

    As for specifying IP addresses for the mail servers: I'm using Gmail via Thunderbird. I doubt I would be able to specify a single IP for that(?). I tried to look online for the IP of googlemail.com servers but couldn't find anything relevant.

  9. #9
    Join Date
    Apr 2011
    Beans
    207
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Do I need a Firewall for Ubuntu?

    Quote Originally Posted by PeteAsdf
    Thanks for the suggestions, SparTacux!

    I enabled UDP 123. Flash is working fine even without 1935.

    I'm using DHCP and everything seems to be working OK with this setup. The one thing I noticed so far that's having a little trouble is Ubuntu One: it can't tell me how much space I'm using (gives some connection error message); however it is syncing fine so I'm not too worried. Do you know which port it is that U1 might be missing?

    As for specifying IP addresses for the mail servers: I'm using Gmail via Thunderbird. I doubt I would be able to specify a single IP for that(?). I tried to look online for the IP of googlemail.com servers but couldn't find anything relevant.
    I'd check your UFW logs. If logs are enabled then you will see BLOCKS to port 1935 when using Flash Player (not always though; it depends on whether the content provider uses this feature). I haven't quite worked out why it's needed, as it does SEEM to work OK without it. I've not used Ubuntu One, but again if I was having problems I'd be looking at the UFW logs to see what (if anything) is getting BLOCKED.
    Last edited by SparTacux; November 4th, 2011 at 12:25 PM.
    You can take my trousers but you won't take my Freedom !
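    SparTacux's advice above (and the point about firewall logs in post #2) is to read the UFW log to see what the ruleset is blocking. The following is an added example, not code from the thread or from ufw itself, that parses ufw log lines in the netfilter LOG format ufw writes to /var/log/ufw.log and summarises blocked outbound flows by protocol and destination port. The log lines embedded in the block are constructed for the example (hostname natty, TEST-NET addresses), not a real capture; the 1935 entries illustrate the Flash case discussed above.

```python
"""Summarise what a UFW log says is being BLOCKED, the check recommended in
this thread. Added example, not ufw's own tooling. Lines follow the netfilter
LOG format ufw writes to /var/log/ufw.log; the sample below is constructed.
"""
import re
from collections import Counter

PREFIX = re.compile(r"\[UFW ([A-Z ]+?)\]")   # [UFW BLOCK], [UFW ALLOW], [UFW AUDIT], ...
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")      # KEY=value tokens; bare flags (DF, SYN) have no '='


def parse_ufw_line(line: str):
    """Return a dict for one log line, or None if it is not a ufw entry."""
    match = PREFIX.search(line)
    if not match:
        return None
    fields = dict(FIELD.findall(line[match.end():]))
    # netfilter fills IN= for packets arriving on an interface and OUT= for
    # packets leaving one; a flow originating on this host has IN empty.
    if fields.get("IN") and fields.get("OUT"):
        direction = "FWD"
    elif fields.get("OUT"):
        direction = "OUT"
    else:
        direction = "IN"
    return {
        "verdict": match.group(1),
        "direction": direction,
        "proto": fields.get("PROTO"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
        "syn": " SYN " in line,  # a blocked SYN is a blocked connection attempt
    }


def blocked_outbound(log_text: str) -> Counter:
    """Count blocked outbound flows by (proto, dport): what the egress rules stop."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_ufw_line(line)
        if event and event["verdict"] == "BLOCK" and event["direction"] == "OUT":
            counts[(event["proto"], event["dpt"])] += 1
    return counts


def blocked_destinations(log_text: str, dport: int):
    """Distinct hosts blocked on one destination port: where the app tried to go."""
    events = map(parse_ufw_line, log_text.splitlines())
    return sorted({e["dst"] for e in events
                   if e and e["verdict"] == "BLOCK" and e["direction"] == "OUT"
                   and e["dpt"] == dport})


# Constructed sample: two outbound SYNs to 1935/TCP blocked, one NTP query
# blocked, one inbound probe to 22 blocked (not an egress problem), one
# allowed HTTPS flow, and a non-ufw syslog line that must be ignored.
SAMPLE_LOG = """\
Nov  4 12:20:01 natty kernel: [ 1201.123456] [UFW BLOCK] IN= OUT=eth0 SRC=10.0.2.15 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41234 DF PROTO=TCP SPT=45678 DPT=1935 WINDOW=14600 RES=0x00 SYN URGP=0
Nov  4 12:20:04 natty kernel: [ 1204.223456] [UFW BLOCK] IN= OUT=eth0 SRC=10.0.2.15 DST=198.51.100.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41235 DF PROTO=TCP SPT=45679 DPT=1935 WINDOW=14600 RES=0x00 SYN URGP=0
Nov  4 12:20:09 natty kernel: [ 1209.323456] [UFW BLOCK] IN= OUT=eth0 SRC=10.0.2.15 DST=198.51.100.30 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Nov  4 12:20:15 natty kernel: [ 1215.423456] [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:52:54:00:12:35:02:08:00 SRC=203.0.113.9 DST=10.0.2.15 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=6000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  4 12:20:20 natty kernel: [ 1220.523456] [UFW ALLOW] IN= OUT=eth0 SRC=10.0.2.15 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41236 DF PROTO=TCP SPT=45680 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
Nov  4 12:20:21 natty cron[1234]: (root) CMD (run-parts /etc/cron.hourly)
"""

if __name__ == "__main__":
    for (proto, port), n in blocked_outbound(SAMPLE_LOG).most_common():
        print(f"{n:3d} blocked outbound {proto}/{port} -> {blocked_destinations(SAMPLE_LOG, port)}")
```

    Run it against a real file with `blocked_outbound(open("/var/log/ufw.log").read())`; ufw only writes the ALLOW lines when logging is raised above the default level, while blocks are logged at the default "low" level. The direction split matters: an inbound block on 22 from an outside address is the firewall doing its job, whereas a repeated outbound block on the same port from one local application is the "what is missing from my ruleset" signal the post is talking about.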

  10. #10
    Join Date
    Apr 2011
    Beans
    207
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Do I need a Firewall for Ubuntu?

    Quote Originally Posted by PeteAsdf
    As for specifying IP addresses for the mail servers: I'm using Gmail via Thunderbird. I doubt I would be able to specify a single IP for that(?). I tried to look online for the IP of googlemail.com servers but couldn't find anything relevant.
    Here's an interesting article about a Gmail hack done in Iran. If you are using a firewall to restrict access to legitimate email servers then no one is going to get you with such a hack and get your account and password details and go through your email to see what your political views are.

    ARTICLE

    Iran has tricked a web firm into issuing fake security certificates for Gmail, Skype, Hotmail and more.
    Comodo Group, a US-based certificate authority firm with 15% of the market, admitted that one of its affiliate's accounts in Southern Europe had been hacked, letting the attackers create fake SSL security certificates for six websites.
    Such digital keys let websites offer secure services, and fake versions could be used to spoof sites, gather login details and watch user activity.
    The fake certificates target Microsoft's Live platform, Gmail and Google, Skype, Yahoo, and Mozilla Firefox extensions. The attack was quickly discovered, with the attacker still using the account when it was shut down.
    Comodo's CEO Melih Abdulhayoglu said the attack appeared to originate in Iran, as it would have required access to the country's DNS infrastructure. "We believe these are politically motivated, state-driven/funded attacks," he said in a blog post, adding it was the first such state attack he'd seen against the authentication layer of the web.
    Phillip Hallam-Baker, principal scientist for Comodo, said the timing of the attack was no coincidence.
    "It does not escape notice that the domains targeted would be of greatest use to a government attempting surveillance of internet use by dissident groups," he said in a blog post.
    "The attack comes at a time when many countries in North Africa and the Gulf region are facing popular protests and many commentators have identified the internet and in particular social-networking sites as a major organising tool for the protests," he added.
    You can take my trousers but you won't take my Freedom !
