Do I need a Firewall for Ubuntu?

[ubunbu]

Thanks for this, I remember when I first discovered Ubuntu in 2008 I was consumed with the desire to secure it. I'm not sure why and for my needs it was technically overkill. All the time I would see people saying "Ubuntu is secure by default" "There's no ports open so a firewall is redundant." I didn't think that made sense as there is no such thing as redundant security, it will almost always just mean more secure. So basically, ha-ha-ha to those people

[roffisserver]

Firewalls of definitely necessary. I made a custom firewall for my server. It is great! I had a friend try to hack into it, he failed !

[BitShark]

What do you lose by implementing a few firewall rules? A few minutes of your life? Minimal processor cycles? Not much really when you consider how much you value your data and all that might be associated with it.

[Johnny3]

I just have a desktop PC and I use this site to set up mime.
http://blog.bodhizazen.net/linux/fir...untu-desktops/

All I use is sudo ufw enable and sudo ufw default deny. I known I could do more but this is OK for me and better than what most people that us windows default fire wall.
Thanks and God Bless Johnny3 65+++

[IronArjen]

Great post, really good introduction for laymen like me.

So how about if you want to have remote access? I have a small network with a powerful machine that I would like to access from where ever I am, as well as that I need it open for some my co-workers that work elsewhere. Would there be anything special to do? Use special settings in the UFW or install an additional thing?

I feel like including somehow the MAC address, then it would be dependent on the machine not the IP I have in a hotel.....

[1clue]

In IPV4 the mac address is local network only. The MAC address isn't mapped to anything in a normal IPV4 packet.

In IPV6 the original spec used the mac address because the IPV6 address space is plenty big enough to use that as a key. Privacy advocates poo-poo'd that (rightfully so IMO) so even there it's not a reliable key.

IMO the remote access thing is no big deal. You open a port on your external hardware, then send that to a specific IP and a specific port inside.

The more layers you can get the better within reason, and it's best for small office/home office (SOHO) routers to have completely separate hardware so you're positive no software flaws let the bad guys get around some security flaw. I have the cable modem plus 2 completely separate routers, the "inside" one having the radios turned off so it's much more secure.

For me, my inside network has no penetration from the outside. I can connect out on a few ports, but nothing outside can initiate a connection in.

The key to remember here is to enable what MUST be there, and deny everything else. If you turn on a service, make sure you understand what that service is and know what its weaknesses are.

[youknowme]

Humm - seems a bit paranoid to me. Script kiddies would not know how to bypass my router even if they had the admin password to it. If a serious attacker really wanted to get you, they would probably get you regardless with some zero day exploit.

I think a firewall is good if you have the time to configure / understand it. But how far do we take security? IDS, snort, tripwires, reading logs every day??? Router security is often enough for a home user IMHO - But this was a jolly good thread.

[1clue]

Every security measure seems a bit paranoid until you get owned for not implementing it.

So really what you need to ask is, what's more valuable: The time to set up decent security, or the value of everything you keep on your computers at home, the ability to do everything you do with them, the value of whatever is in your bank accounts that you access online, and/or whatever might be seen or heard when they turn on your webcam(s) without your knowing it.

It's up to you really.

[youknowme]

Every security measure seems a bit paranoid until you get owned for not implementing it.

So really what you need to ask is, what's more valuable: The time to set up decent security, or the value of everything you keep on your computers at home, the ability to do everything you do with them, the value of whatever is in your bank accounts that you access online, and/or whatever might be seen or heard when they turn on your webcam(s) without your knowing it.

It's up to you really.

You seem to miss the point i am making. What you call 'decent security' implemented by your firewall is an illusion. A real cracker - NOT a script kid, would not really be challenged. How long do you think it would really take for a group of (for example) state sponsored ultra smart Chinese hackers or secret intelligence services to 'own' your home pc - if that was their intention? Firewalled or not?

Btw - if my webcam is switched on, a bright blue light illuminates!

[1clue]

You seem to miss the point i am making. What you call 'decent security' implemented by your firewall is an illusion. A real cracker - NOT a script kid, would not really be challenged. How long do you think it would really take for a group of (for example) state sponsored ultra smart Chinese hackers or secret intelligence services to 'own' your home pc - if that was their intention? Firewalled or not?

Btw - if my webcam is switched on, a bright blue light illuminates!

No I'm not missing your point. Yes, somebody who was truly skilled could probably get in no matter what you tried, especially since the US military can't seem to keep the bad guys out. But those guys are mostly interested in bigger fish.

A good setup has multiple layers of security, generally on multiple physical machines. Several layers of mediocre security CAN BE better than a single layer of good security. The idea is to block any single compromised device from easily getting information out in an unconventional fashion.

The biggest mistake you can make is to leave your device running with the default configuration, or to leave it with mostly default settings. That sort of thing enables a black hat to "profile" your lax settings, correctly assuming most people take it out of the box, plug it in and leave it alone.

Web cam: A good share of web cams have no light, and a good share of the ones that do have the light have a separate software switch to turn on the light which is independent of the one to turn on the camera. They SHOULD all have a light, and they SHOULD all have the light wired to the same switch as the camera, but assuming yours is wired that way is a really dangerous mistake.