Page 2 of 6 FirstFirst 1234 ... LastLast
Results 11 to 20 of 53

Thread: Do I need a Firewall for Ubuntu?

  1. #11
    Join Date
    Apr 2011
    Beans
    207
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Do I need a Firewall for Ubuntu?

    Quote Originally Posted by PeteAsdf View Post
    As for specifying IP addresses for the mail servers- I'm using Gmail via Thundrbird- I doubt I would be able to specify a single IP for that(?). I tried to look online for the IP of googlemail.com servers but couldn't find anything relevant.
    Here's an interesting article about Gmail hack done in Iran. If you are using a Firewall to restrict access to legit email servers then no-one is going to get you with such a hack and get your account and password details and go through your email to see what your political views are.

    ARTICLE

    Iran has tricked a web firm into issuing fake security certificates for Gmail, Skype, Hotmail and more.
    Comodo Group, a US-based certificate authority firm with 15% of the market, admitted that one of its affiliate's accounts in Southern Europe had been hacked, letting the attackers create fake SSL security certificates for six websites.
    Such digital keys let websites offer secure services, and fake versions could be used to spoof sites, gather login details and watch user activity.
    The fake certificates target Microsoft's Live platform, Gmail and Google, Skype, Yahoo, and Mozilla Firefox extensions. The attack was quickly discovered, with the attacker still using the account when it was shut down.
    Comodo's CEO Melih Abdulhayogl said the attack appeared to originate in Iran, as it would have required access to the country's DNS infrastructure. "We believe these are politically motivated, state-driven/funded attacks," he said in a blog post, adding it was the first such state attack he'd seen against the authentication layer of the web.
    Phillip Hallam-Baker, principal scientist for Comodo, said the timing of the attack was no coincidence.
    "It does not escape notice that the domains targeted would be of greatest use to a government attempting surveillance of internet use by dissident groups," he said in a blog post.
    "The attack comes at a time when many countries in North Africa and the Gulf region are facing popular protests and many commentators have identified the internet and in particular social-networking sites as a major organising tool for the protests," he added.
    You can take my trousers but you won't take my Freedom !

  2. #12
    Join Date
    May 2011
    Beans
    20

    Re: Do I need a Firewall for Ubuntu?

    Quote Originally Posted by SparTacux View Post
    If you are using a Firewall to restrict access to legit email servers then no-one is going to get you with such a hack and get your account and password details and go through your email to see what your political views are.
    I don't know the specifics of how that particular Iran attack was implemented but in the general case this is NOT true. Using DNS is just one possible way of doing this attack and there is nothing stopping the ISPs from implementing a transparent proxy in which case from your end it would look like you are connecting to the real IP address but it will actually go through the malicious server at the ISP which will do the MITM on the SSL connection. And given the potentially grave consequences in this particular scenario I would be very careful not to give people a false sense of security.

  3. #13
    Join Date
    Apr 2011
    Beans
    207
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Do I need a Firewall for Ubuntu?

    Quote Originally Posted by secret resistor View Post
    I don't know the specifics of how that particular Iran attack was implemented but in the general case this is NOT true. Using DNS is just one possible way of doing this attack and there is nothing stopping the ISPs from implementing a transparent proxy in which case from your end it would look like you are connecting to the real IP address but it will actually go through the malicious server at the ISP which will do the MITM on the SSL connection. And given the potentially grave consequences in this particular scenario I would be very careful not to give people a false sense of security.
    Ok - Don't use the internet ( full stop ) if you want privacy.

    The idea was to add more levels of protection - in this context what I said holds true.
    You can take my trousers but you won't take my Freedom !

  4. #14
    Join Date
    May 2011
    Beans
    20

    Re: Do I need a Firewall for Ubuntu?

    Quote Originally Posted by SparTacux View Post
    Ok - Don't use the internet ( full stop ) if you want privacy.

    The idea was to add more levels of protection - in this context what I said holds true.
    I'm not saying that limiting the IPs does not help - security in layers is always good. I was objecting to this part of your post: "If you are using a Firewall to restrict access to legit email servers then no-one is going to get you with such a hack". I interpreted this as meaning that if you restrict the IP addresses then the ISP cannot intercept your traffic which is false and in cases where people's lives are at stake is not a wise thing to be suggesting. If I misunderstood you then I apologize.

  5. #15
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,769
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Do I need a Firewall for Ubuntu?

    Quote Originally Posted by secret resistor View Post
    I don't know the specifics of how that particular Iran attack was implemented but in the general case this is NOT true. Using DNS is just one possible way of doing this attack and there is nothing stopping the ISPs from implementing a transparent proxy in which case from your end it would look like you are connecting to the real IP address but it will actually go through the malicious server at the ISP which will do the MITM on the SSL connection. And given the potentially grave consequences in this particular scenario I would be very careful not to give people a false sense of security.
    This is true. In this case a firewall wouldn't do much to help you, especially since allowing only select ip's for your mail servers is difficult due to the fact that large providers are load balancing. So you would more realistically be filtering by hostname in which case a MITM would be successful.

    In the particular attack the new CA's were pushed out almost immediately, this is why. Since the only real way to mitigate it was to insure the proper warnings were still thrown for non-matching certificates.

  6. #16
    Join Date
    Apr 2011
    Beans
    207
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Do I need a Firewall for Ubuntu?

    Quote Originally Posted by secret resistor View Post
    I'm not saying that limiting the IPs does not help - security in layers is always good. I was objecting to this part of your post: "If you are using a Firewall to restrict access to legit email servers then no-one is going to get you with such a hack". I interpreted this as meaning that if you restrict the IP addresses then the ISP cannot intercept your traffic which is false and in cases where people's lives are at stake is not a wise thing to be suggesting. If I misunderstood you then I apologize.
    I think you are right to pull me up on that. It was probably a bad example to use and I understand the implications of giving a false sense of security on the internet. I stand corrected. But... From the write up it appears that the DNS infrastructure was hacked so that users were directed to a spoof site which gleaned their information. For my mail server I use direct IP addresses so I have no problems resolving mail server names. I did a ping on the mail server and used that IP address. I've Never had any problems with it.
    Last edited by SparTacux; November 4th, 2011 at 09:50 PM.
    You can take my trousers but you won't take my Freedom !

  7. #17
    Soul-Sing is offline Chocolate-Covered Ubuntu Beans
    Join Date
    Aug 2006
    Beans
    1,374
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Do I need a Firewall for Ubuntu?

    Not able to insert a rule for msn messaging (pidgin)
    and jabber.So that is blocked....
    Great howto by the way!

    edit: is it 5190 for AIM?
    Last edited by Soul-Sing; November 6th, 2011 at 10:47 AM.

  8. #18
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Do I need a Firewall for Ubuntu?

    Quote Originally Posted by leoquant View Post
    Not able to insert a rule for msn messaging (pidgin)
    and jabber.So that is blocked....
    Great howto by the way!

    edit: is it 5190 for AIM?
    Looks like the server side port for Jabber is 5222, and for Windows Live Messenger is 1863?

  9. #19
    Soul-Sing is offline Chocolate-Covered Ubuntu Beans
    Join Date
    Aug 2006
    Beans
    1,374
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Do I need a Firewall for Ubuntu?

    Quote Originally Posted by OpSecShellshock View Post
    Looks like the server side port for Jabber is 5222, and for Windows Live Messenger is 1863?
    Thanks, but I don't get the new rules: 43, 5222, and 1863 in the existing "line" of rules, which is:
    25,53,80,110,139,143,443,465,843,995,1023,7000,707 0/tcp
    sudo ufw insert 58 allow out 43 (which is the whois server)
    sudo ufw insert 58 allow out 5222
    sudo ufw insert 58 allow out 1863
    It creates new lines of rules. (Yes i got over 58 lines of rules)

    source: http://blog.bodhizazen.net/linux/fir...untu-desktops/
    Then block all other outbound traffic with:

    Code:
    sudo ufw deny out to any
    Keep in mind, order of the rules is critical. So if you need to allow additional traffic, you will need to insert a rule.

    List your rules by number with:

    Code:
    sudo ufw status numbered
    Last edited by Soul-Sing; November 6th, 2011 at 04:26 PM.

  10. #20
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Do I need a Firewall for Ubuntu?

    That was a great discussion, explained the basic concepts & made it far less mysterious. Thanks DT.

Page 2 of 6 FirstFirst 1234 ... LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •