
Thread: How to secure open port for a particular program?

  1. #1
    Join Date: Nov 2012 | Beans: 24

    How to secure open port for a particular program?

    Hello everyone. I'm learning my way around network and Linux security, and I would like advice for this situation:

    I'm setting up my iptables firewall, and there is a particular application I run that needs to accept incoming tcp connections as well as udp. I've read that allowing incoming connections for tcp is an insecurity (possibly udp too, but I still don't know much about udp). I know I can restrict incoming requests to certain IPs, but unfortunately in this situation I won't be able to know what they are.

    The only idea I have is: I could open a particular port for this program only, restrict the usage of this port to this program, then secure the program with AppArmor. This way, any incoming connection would only be able to connect to that program, and even if it's insecure AppArmor should limit any damage.

    But I've yet to learn how to do this. Is it possible to restrict the usage of a port to a particular program?

    What are your thoughts? You security gurus no doubt know a lot more than I do. How can I go about securing an open port that accepts incoming connections?

  2. #2
    Join Date: Oct 2009 | Beans: Hidden! | Distro: Ubuntu 12.04 Precise Pangolin

    Re: How to secure open port for a particular program?

    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide


  3. #3
    Join Date: Jan 2012 | Beans: 18

    Re: How to secure open port for a particular program?

    Well, if you need access from the internet to a potentially insecure application, the usual way is to use a VPN, then allow access to the insecure application only from the VPN. That way, if the VPN is secure, there are no open vulnerabilities to the internet.

  4. #4
    Join Date: Dec 2005 | Location: Western Australia | Beans: 11,479 | Distro: Ubuntu 12.04 Precise Pangolin

    Re: How to secure open port for a particular program?

    Quote Originally Posted by Kestreln8144:
    I'm setting up my iptables firewall, and there is a particular application I run that needs to accept incoming tcp connections as well as udp. I've read that allowing incoming connections for tcp is an insecurity
    It's not really an "insecurity", it's a risk. An insecurity is an insecurity, a risk can be managed.

    The only idea I have is: I could open a particular port for this program only, restrict the usage of this port to this program, then secure the program with AppArmor. This way, any incoming connection would only be able to connect to that program, and even if it's insecure AppArmor should limit any damage.
    If the program is the only program listening for incoming connections on that port, then it will be the only one receiving the data. If the program is not running, then no incoming connection will ever be answered and you will receive no data. Even if you have programs listening on port 502, 503, 504, 506 and 507; they will still not receive any data destined for port 505. Do you understand what I mean? If you want to restrict incoming connections on that port to one particular program, then simply don't have any other programs listening on that port.

    Securing the service with AppArmor is a great way of limiting risk. You do need to know exactly what that program does, however, otherwise you'll either make the AppArmor profile too loose or so restrictive that the program won't work properly.
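The post above says the AppArmor profile must match what the program actually does. The script below is an added example, not code from the thread or from the RetroShare project: it generates a starting profile that grants exactly the one thing the question needs (accepting TCP and UDP connections) plus read/write access to the program's own state directory, and loads it in complain mode so that anything the profile is missing shows up in the log instead of breaking the program. The binary path `/usr/bin/retroshare` and the state directory `.retroshare` are assumptions for illustration; check the real path with `which`.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the RetroShare project): generate and
# load a starting AppArmor profile that lets one program accept TCP and UDP
# connections while confining what it can touch on the rest of the system.
#
# Assumptions for illustration: the binary is /usr/bin/retroshare and it keeps
# its state in ~/.retroshare. Rules that turn out too tight show up in
# /var/log/syslog (or /var/log/audit/audit.log) as apparmor="DENIED" lines.

# File name AppArmor uses for a profile: leading slash dropped, slashes -> dots.
#   profile_filename /usr/bin/retroshare  ->  usr.bin.retroshare
profile_filename() {
    printf '%s\n' "$1" | sed -e 's,^/,,' -e 's,/,.,g'
}

# Print a profile for binary $1 whose per-user state lives in $2 (a directory
# name relative to the home directory).
write_profile() {
    local bin="$1" state_dir="$2"
    cat <<EOF
#include <tunables/global>

$bin {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/X>
  #include <abstractions/fonts>
  #include <abstractions/freedesktop.org>
  #include <abstractions/user-tmp>

  # The one capability the question asks for: accept (and make) TCP and UDP
  # connections over IPv4 and IPv6. Nothing here grants raw sockets or netlink.
  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,

  # The program itself, read-only; 'm' allows mapping it as executable.
  $bin mr,

  # Its own state directory only. 'owner' requires the files to belong to the
  # invoking user; 'k' allows file locking.
  owner @{HOME}/$state_dir/ rw,
  owner @{HOME}/$state_dir/** rwk,

  # Anything not listed is already refused. These explicit denies keep the
  # most valuable files out even if a later edit loosens the rules above,
  # because in AppArmor 'deny' wins over 'allow'.
  deny @{HOME}/.ssh/** mrwkl,
  deny @{HOME}/.gnupg/** mrwkl,
  deny /etc/shadow r,
}
EOF
}

# Write the profile and load it in complain mode: violations are logged, not
# blocked, which is how you find out what the program really needs. Switch to
# enforcing with `aa-enforce $bin` once the log is quiet. Needs root and the
# apparmor-utils package.
install_profile() {
    local bin="$1" state_dir="$2"
    local file="/etc/apparmor.d/$(profile_filename "$bin")"
    write_profile "$bin" "$state_dir" > "$file"
    apparmor_parser -r "$file"
    aa-complain "$bin"
}

# Stand-alone run: print the profile text instead of installing it.
write_profile /usr/bin/retroshare .retroshare
```

Run `write_profile` first and read the output; run `install_profile /usr/bin/retroshare .retroshare` as root only once the path is confirmed. Leave the profile in complain mode for a few normal sessions, then use `aa-logprof` to turn the logged denials into rules before enforcing; a profile that was never exercised in complain mode is the "too loose or too restrictive" outcome the post warns about.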

  5. #5
    Join Date: Nov 2012 | Beans: 24

    Re: How to secure open port for a particular program?

    Quote Originally Posted by CharlesA:
    What program?
    Retroshare: http://retroshare.sourceforge.net/
    Wiki (needs work): http://retroshare.sourceforge.net/wi....php/Main_Page

    Quote Originally Posted by Empire-Phoenix:
    Well, if you need access from the internet to a potentially insecure application, the usual way is to use a VPN, then allow access to the insecure application only from the VPN. That way, if the VPN is secure, there are no open vulnerabilities to the internet.
    I am not the one who will be connecting to this program. It will be accepting connections to addresses that I cannot know beforehand. The risk here is that this program may have flaws, and an unknown attacker might utilize vulnerabilities to access my PC or otherwise cause problems. I want to secure the program from the rest of my system (with AA), and restrict the use of the port to that program alone.

    Quote Originally Posted by 3rdalbum:
    Do you understand what I mean? If you want to restrict incoming connections on that port to one particular program, then simply don't have any other programs listening on that port.
    Yes, I understand this. But what worries me—and maybe I just don't understand enough about all of this—is that other applications on my system might utilize that port without my knowing (unless I look). I guess a better question is how can I know what programs are using what ports, and make sure this doesn't happen?

    Quote Originally Posted by 3rdalbum:
    Securing the service with AppArmour is a great way of limiting risk. You do need to know exactly what that program does, however, otherwise you'll either make the AppArmour profile too loose or so restrictive that the program won't work properly.
    Yeah, I've begun reading AA's documentation, and it looks like quite the learning curve. I'm not expecting to learn this overnight, but hopefully I can work something out that will work well enough.
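Post #4 makes the point that only the process that has bound a port receives traffic for it, and post #5 asks how to see which programs hold which ports. The script below is an added example (not from the thread): it reads the kernel's socket table as printed by `ss`, lists every listener on a given port with its owning process, and checks that a port is held by the expected program and nobody else. The sample `ss` output embedded in it is constructed for the example, and the port 12345 and process name `retroshare` are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): answer "which program is using which
# port?" from the kernel's socket table, and check that a port is held by the
# expected program only. A TCP or UDP port (on a given address) can be bound
# by one process at a time, so this check is the one that matters.
#
# Live use (root sees every process name; a normal user only their own):
#   sudo ss -tulnpH | listeners_for_port 12345
#   sudo ss -tulnpH | port_owned_only_by 12345 retroshare
# 'ss' comes with iproute2: -t tcp, -u udp, -l listening sockets, -n numeric
# ports, -p owning process, -H no header line.

# Read 'ss -tulnpH' lines on stdin; print "<proto> <local address> <process>"
# for every socket bound to port $1 ("-" when ss could not name the process).
listeners_for_port() {
    awk -v port="$1" '
        {
            # Field 5 is Local Address:Port, e.g. 0.0.0.0:22, [::]:22 or *:22;
            # the port is whatever follows the last colon.
            n = split($5, parts, ":")
            if (parts[n] != port) next
            proc = "-"
            # The process column looks like users:(("sshd",pid=812,fd=3)).
            if (match($0, /users:\(\("[^"]*"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            print $1, $5, proc
        }'
}

# Exit 0 when every listener on port $1 (stdin = 'ss -tulnpH' lines) belongs
# to the process named $2; otherwise name each intruder on stderr and exit 1.
port_owned_only_by() {
    listeners_for_port "$1" | awk -v port="$1" -v expected="$2" '
        $3 != expected {
            print "port " port "/" $1 " is held by \"" $3 "\", not \"" expected "\"" > "/dev/stderr"
            bad = 1
        }
        END { exit bad }'
}

# Constructed sample of 'ss -tulnpH' output (not captured from any real host).
# The port 12345 and the process name are assumptions for illustration.
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 128 [::]:22         [::]:*    users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0 64  0.0.0.0:12345   0.0.0.0:* users:(("retroshare",pid=2201,fd=11))
udp   UNCONN 0 0   0.0.0.0:12345   0.0.0.0:* users:(("retroshare",pid=2201,fd=9))
tcp   LISTEN 0 128 127.0.0.1:631   0.0.0.0:*'

# Stand-alone run against the sample.
printf '%s\n' "$SAMPLE_SS" | listeners_for_port 12345
printf '%s\n' "$SAMPLE_SS" | port_owned_only_by 12345 retroshare && echo "port 12345: only retroshare"
```

Run the live form as root before and after starting the application; a second listener on the same port cannot appear silently, because the kernel refuses the second `bind()`, but the check also catches the case where the port was already taken by something else and the application fell back to another one. The `631` line in the sample shows why root matters: without it `ss` prints no process name and the check cannot tell who holds the port.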

  6. #6
    Join Date: Mar 2007 | Beans: 783

    Re: How to secure open port for a particular program?

    Open the port on your server, but only when the source is your workstation's IP.

    something like
    iptables -A INPUT -s YOURIP -p tcp --dport 22 -j ACCEPT
    Last edited by ant2ne; March 10th, 2014 at 05:15 PM.
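The single rule above restricts a port to one source address, which fits administrative access such as SSH but not the application in the question, whose peers' addresses cannot be known in advance (post #5). The script below is an added example, not from the thread: it generates a complete INPUT ruleset that closes everything by default, opens the application's TCP and UDP port to anyone with a rate limit on new TCP connections, and keeps SSH reachable only from one known address. The port 12345 and the addresses are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): a complete INPUT ruleset for the case
# in the question. One application must accept TCP and UDP from peers whose
# addresses are unknown; everything else is closed; administrative access
# (SSH) is limited to one known address as the post above suggests.
# The port 12345 and the addresses used here are assumptions.
#
# The rules are emitted as text so they can be reviewed before they are
# applied; apply_rules pipes them to a shell and therefore needs root.

# 1..65535, digits only.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the iptables commands for application port $1 and admin address $2.
# The default policy is switched to DROP only after the ACCEPT rules exist,
# so an SSH session used to run this is never cut off half-way through.
build_rules() {
    local port="$1" admin_ip="$2"
    valid_port "$port" || { echo "build_rules: bad port '$port'" >&2; return 1; }
    [ -n "$admin_ip" ] || { echo "build_rules: admin address required" >&2; return 1; }
    cat <<EOF
iptables -F INPUT
# loopback and replies to connections this host opened itself
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# the application port, from anywhere, because the peers are unknown;
# new TCP connections are rate-limited so a flood is throttled, not served
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m limit --limit 30/minute --limit-burst 60 -j ACCEPT
iptables -A INPUT -p udp --dport $port -j ACCEPT
# administrative access only from the one address we do know
iptables -A INPUT -s $admin_ip -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# everything else is logged (rate-limited) and then hits the DROP policy
iptables -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "iptables-drop: "
iptables -P INPUT DROP
EOF
}

# Apply the rules (root). Do this from the console, or first arm a rollback
# in a second terminal, e.g.  sleep 300; iptables -P INPUT ACCEPT; iptables -F INPUT
# so a mistake cannot lock you out. IPv6 needs the same rules via ip6tables.
apply_rules() {
    build_rules "$@" | sh -e
}

# Stand-alone run: show the rules, do not apply them.
build_rules 12345 192.0.2.10
```

Two caveats a reader should keep in mind: the `-m limit` rule on new TCP connections means that during a burst legitimate peers above the limit are dropped along with the rest, so tune the numbers to the application's real connection rate; and none of this protects the application itself once a packet reaches it, which is what the AppArmor profile discussed earlier in the thread is for. The firewall decides who may talk to the port; confinement decides what a compromised program can do afterwards.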
