Re: How to secure open port for a particular program?
Originally Posted by Kestreln8144
I'm setting up my iptables firewall, and there is a particular application I run that needs to accept incoming tcp connections as well as udp. I've read that allowing incoming connections for tcp is an insecurity.
It's not really an "insecurity", it's a risk. An insecurity is an insecurity, a risk can be managed.
The only idea I have is: I could open a particular port for this program only, restrict the usage of this port to this program, then secure the program with AppArmor. This way, any incoming connection would only be able to connect to that program, and even if it's insecure AppArmor should limit any damage.
If the program is the only program listening for incoming connections on that port, then it will be the only one receiving the data. If the program is not running, then no incoming connection will ever be answered and you will receive no data. Even if you have programs listening on ports 502, 503, 504, 506 and 507, they will still not receive any data destined for port 505. Do you understand what I mean? If you want to restrict incoming connections on that port to one particular program, then simply don't have any other programs listening on that port.
Securing the service with AppArmor is a great way of limiting risk. You do need to know exactly what that program does, however, otherwise you'll either make the AppArmor profile too loose or so restrictive that the program won't work properly.
I try to treat the cause, not the symptom. I avoid the terminal in instructions, unless it's easier or necessary. My instructions will work within the Ubuntu system, instead of breaking or subverting it. Those are the three guarantees to the helpee.
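The three steps in the reply above (open one port for TCP and UDP, confirm only the intended program is bound to it, confine that program with AppArmor) as an added worked example. This is not code from the thread or from either poster; it assumes a hypothetical binary /usr/local/bin/myapp with a hypothetical data directory /var/lib/myapp, uses port 505 from the reply, and parses a constructed sample of `ss -lntup` output so the checks run without root.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumptions: the program is
# a hypothetical /usr/local/bin/myapp listening on TCP and UDP port 505, with
# a hypothetical data directory /var/lib/myapp.

PORT=505
APP_BIN=/usr/local/bin/myapp
APP_DATA=/var/lib/myapp

# 1. Print the iptables rules that open exactly this port for TCP and UDP.
#    Review, then run them with sudo. Assumes the firewall already accepts
#    ESTABLISHED,RELATED traffic earlier in INPUT and has a DROP policy.
iptables_rules_for() {
    cat <<EOF
iptables -A INPUT -p tcp --dport $1 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp --dport $1 -j ACCEPT
EOF
}

# 2. Read `ss -lntup` output on stdin and print "<proto> <process>" for every
#    socket bound to the port, so you can confirm only the intended program
#    holds it. Sockets whose owner ss could not show (run it as root) print "?".
listeners_on_port() {
    awk -v port="$1" '
        NR > 1 {
            n = split($5, a, ":")      # local address is field 5; the port follows the last colon
            if (a[n] != port) next
            name = "?"
            if ($0 ~ /users:\(\("/) {
                name = $0
                sub(/.*users:\(\("/, "", name)   # drop everything up to the process name
                sub(/".*/, "", name)             # drop everything after it
            }
            print $1, name
        }' | sort -u
}

# Number of distinct programs bound to the port: 1 is what you want,
# 0 means nothing is listening, more than 1 means the port is shared.
listener_count() {
    listeners_on_port "$1" | awk '{ seen[$2] = 1 } END { n = 0; for (k in seen) n++; print n }'
}

# 3. A minimal AppArmor profile skeleton for the binary: IPv4 TCP and UDP
#    sockets plus read/write under its own data directory. Load it in
#    complain mode first (aa-complain) and tighten it from the audit log.
apparmor_profile_for() {
    cat <<EOF
#include <tunables/global>
$1 {
  #include <abstractions/base>
  network inet stream,
  network inet dgram,
  $1 mr,
  $2/ r,
  $2/** rw,
}
EOF
}

# Constructed sample of `ss -lntup` output used for the checks below.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:505         0.0.0.0:*         users:(("myapp",pid=1234,fd=5))
tcp   LISTEN 0      128    0.0.0.0:505         0.0.0.0:*         users:(("myapp",pid=1234,fd=6))
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=800,fd=7))
tcp   LISTEN 0      128    [::]:505            [::]:*            users:(("myapp",pid=1234,fd=8))'

iptables_rules_for "$PORT"
printf '%s\n' "$SAMPLE_SS" | listeners_on_port "$PORT"
printf '%s\n' "$SAMPLE_SS" | listener_count "$PORT"
apparmor_profile_for "$APP_BIN" "$APP_DATA"
```

On a live system replace the constructed sample with `sudo ss -lntup | listeners_on_port 505`; the `-p` column is only populated for sockets the caller can inspect, which is why the check reports "?" rather than silently skipping unowned sockets.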