“Security is an important issue in computing. Unfortunately, many computers allow a cracker to gain access to them and retrieve sensitive information, or just make life hard. This article will review the basics in general security and explain how to apply it to two Linux distributions – Ubuntu and Kubuntu.”
“…the basics in general security and explain how to apply it to two Linux distributions – Ubuntu and Kubuntu.”
Clever marketing doesn’t make them two distros.
It’s all *Buntu.
The desktop environment is irrelevant to security – I hope.
That depends entirely on how paranoid the security is. I know companies who severely limit their Windows installs; if you want to achieve the same with Linux, you would need to use something like the kiosk framework in KDE and the equivalent (if there is one) in Gnome. So there the DE would make a difference.
The author mentioned it:
In Ubuntu all ports are closed by default.
So, for what reason do Ubuntu users need a firewall?
In my opinion, they do not need one in the default configuration.
Ubuntu is secure. But we are told that if the Linux kernel firewall is “activated”, Ubuntu is more secure than secure. Does this make any sense?
And what about possible mistakes in the firewall configuration (i.e. the configuration of netfilter/iptables through different KDE and Gnome front-ends)? There are a lot of Linux newbies using Ubuntu, so such mistakes might occur and then, their Ubuntu boxes could be less secure.
Edited 2006-12-05 01:22
Ubuntu is secure. But we are told that if the Linux kernel firewall is “activated”, Ubuntu is more secure than secure. Does this make any sense?
Theoretically, yes. You have to remember that paranoia is a good way of thinking when you’re talking about security. So, while the default Ubuntu is pretty secure by default, there’s always room for improvement. What’s more, another very good security policy is trying to prevent any possible attack vector proactively.
Long story short: there’s no such thing as “too secure”.
So if you consider these points, a firewall is a good idea. Probably redundant 99 times out of a hundred, but it’s the 100th that hurts. There could be cases when it would help. Perhaps someone or something finds its way onto your box and attempts to set up some kind of server on it. The firewall would prevent it from working, even if it’s there. And there are more marginal scenarios like this that can potentially make a difference.
Sure, you’re still screwed in such a case. The best way to deal with it is to just wipe it all out and restore from backup or reinstall. But perhaps it will save you from being kicked out or chastised by your ISP or something.
Long story short: there’s no such thing as “too secure”.
Of course there is, when you get to the point where the security features get in the users’ way.
Of course there is also the distinction between “data security” and “making sure your employees only do work” security; it is usually the latter that will be annoying (and make sure that company won’t have the best employees, as they won’t work there).
I really didn’t find this article helpful. It basically told me that installing a firewall will improve security. Wow.
Anyway, not to gripe, I love Ubuntu, but it doesn’t have all ports closed by default, because it automatically *has* to listen for DHCP (which can be exploited) if it wants to be able to use those ports it closes.
Um. It initiates a connection with a DHCP server by sending a broadcast. It doesn’t have anything listening on a port, though.
Pretty weak article. I think it’s important for people to have at least some basic understanding of the fact that packet filtering happens at the kernel level and that the GUI program is only a “front end” for manipulating packet filtering rules.
Firestarter is not a “firewall”, it’s just a graphical front end that allows a user to add and remove packet filtering rules. This article gives the false impression that the graphical program *is* a firewall that you install.
Firestarter is not a “firewall”, it’s just a graphical front end that allows a user to add and remove packet filtering rules. This article gives the false impression that the graphical program *is* a firewall that you install.
Firestarter is an easy-to-use graphical front end for iptables. So technically I guess you wouldn’t call it a “firewall,” but for practical purposes that’s what it is. You certainly wouldn’t want your average Linux user (even experienced ones) to sit down and write all their packet filtering rules with a text editor.
I’m very grateful for Firestarter – saves a lot of gray hairs. And yes, you do have to install it (doesn’t come with the basic Ubuntu install – a mistake in my opinion). Guarddog (also mentioned in the article) allows more fine-grained control and is a little more complicated than Firestarter, but it’s excellent.
The article is (as you say) rather “weak” – if you want to be a system administrator, you’ll need to learn a whole lot more. However, for a newbie it’s a useful primer on how to lock down a desktop system.
On the other hand, the advice about using “chmod 700” on /home/your-user-name is misguided. Instead, users should put a line in .bashrc and .bash_profile saying this:
umask 077
And then you should run these commands on your existing files in your /home directory:
cd ~   # run these from your own home directory
find ./ -type d -exec chmod 700 {} \;
find ./ -type f -exec chmod 600 {} \;
# chmod follows symbolic links, so a pass over "-type l" would change the mode of the
# link *targets* (possibly to 777), not the links; on Linux a symlink’s own mode is
# always 777 anyway, so the third command is left commented out:
# find ./ -type l -exec chmod 777 {} \;
That will set all directories and subdirectories to 700, all files to 600, and all symbolic links to 777. Note that if you’re creating web pages to be uploaded to a web site, you’ll have to set directories to 755 and files to 644, or else visitors to your site will not be able to read anything.
Edited 2006-12-05 05:53
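Added example, not from the post above: a small Python check that walks a home directory without following symlinks and lists everything still readable or writable by group or other, so you can verify the umask/chmod steps took effect and see which directories (such as web content at 755/644) deliberately differ. The sample tree it builds is constructed for the demonstration.

```python
import os
import stat
import tempfile


def lax_entries(root):
    """Return (relative path, octal mode) for every file or directory under
    root whose mode has any group/other bit set. Symbolic links are skipped:
    on Linux their own mode is always 777 and chmod would act on the target."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                # lstat: never dereference links
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & 0o077:             # any of rwx for group or other
                found.append((os.path.relpath(path, root), oct(st.st_mode & 0o777)))
    return sorted(found)


def build_sample_home():
    """Constructed sample tree: a private 700/600 pair, a public_html tree at
    755/644 (the web-page case the post mentions) and a symlink to a file."""
    root = tempfile.mkdtemp()
    priv = os.path.join(root, "private")
    web = os.path.join(root, "public_html")
    os.mkdir(priv); os.chmod(priv, 0o700)
    os.mkdir(web); os.chmod(web, 0o755)
    with open(os.path.join(priv, "notes.txt"), "w") as f:
        f.write("secret")
    os.chmod(os.path.join(priv, "notes.txt"), 0o600)
    with open(os.path.join(web, "index.html"), "w") as f:
        f.write("<p>hello</p>")
    os.chmod(os.path.join(web, "index.html"), 0o644)
    os.symlink("private/notes.txt", os.path.join(root, "link"))
    return root


if __name__ == "__main__":
    for path, mode in lax_entries(build_sample_home()):
        print(f"{mode}  {path}")
```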
The article is a bit short but helps those with no hardware firewall to not expose their machine directly.
When you want to further lockdown have a look at this great resource:
http://www.gentoo.org/doc/en/security/security-handbook.xml
In addition to the firewall discussed in the article i would like to suggest shorewall firewall:
http://www.shorewall.net/
Shorewall HOWTO
Setting up the shorewall iptables script is pretty straightforward. I assume the distro being used is Ubuntu, although the configure process is the same on any distro. Your network should be set up and working.
On Debian, Ubuntu or any other Debian derivative the shorewall configuration files are not installed in the /etc/shorewall directory by default, so we have to copy them to the right directory:
# cp -R /usr/share/doc/shorewall/default-config/* /etc/shorewall
Now that we have the config files in place, the actual configuration can begin:
# sudo gedit /etc/default/shorewall
Change the line that says STARTUP_ENABLED=No to STARTUP_ENABLED=Yes
save the file
# sudo ifconfig
You get output similar to this one; however, the values might be different:
eth0 Link encap:Ethernet HWaddr 00:E0:18:99:88:77
inet addr:192.168.1.37 Bcast:192.168.1.255 Mask:255.255.255.0
# sudo gedit /etc/shorewall/interfaces
Based on the output of ifconfig add a line:
net <interface> <Bcast> <options>
In this example the line is:
net eth0 192.168.1.255 tcpflags,nosmurfs
save the file
# sudo gedit /etc/shorewall/policy
Uncomment (remove the #) the lines that begin with: fw,net,all and save the file
# sudo gedit /etc/shorewall/zones
Uncomment (remove the #) at the beginning of the line that says: #net ipv4
save the file
Now to activate the firewall
# sudo shorewall start
To stop or restart the firewall after having customised the rules in /etc/shorewall/rules:
# sudo shorewall stop/restart
–Optional
For a really restrictive firewall configuration edit /etc/shorewall/policy as shown above and set everything to DROP info
So that the following lines are shown:
fw net DROP info
net all DROP info
all all DROP info
Then edit /etc/shorewall/rules to be like this example of a workstation that only allows http, https (ssl) and ftp traffic outbound and blocks everything else, both outbound and inbound:
The values can differ depending on your network configuration.
#sudo gedit /etc/shorewall/rules
ACCEPT fw net:192.168.1.1 udp 53
ACCEPT fw net tcp 21
ACCEPT fw net tcp 80
ACCEPT fw net tcp 443
save file
# sudo shorewall restart
From now on, if you need an application to connect to the network but don’t know what port to allow, you only have to run
#dmesg
and it shows which traffic and port was blocked.
So you can edit the rules file and restart the firewall as described earlier on.
Edited 2006-12-05 08:02
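Added example, not part of the HOWTO above: a Python parser for the Shorewall DROP lines that the dmesg step shows, summarising blocked traffic per chain, protocol and port and turning outbound (fw2net) drops into the rules-file line format used above. The log lines are constructed; the fw2net/net2all chain names follow Shorewall’s default “Shorewall:<chain>:<action>:” log prefix and are an assumption here.

```python
import re
from collections import Counter

# Constructed sample of a dmesg excerpt after the policy above is set to
# "DROP info". Chain names (fw2net, net2all) follow Shorewall's default
# "Shorewall:<chain>:<action>:" log prefix and are an assumption here.
SAMPLE_DMESG = """\
[ 1201.10] Shorewall:fw2net:DROP:IN= OUT=eth0 SRC=192.168.1.37 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 SYN
[ 1202.41] Shorewall:fw2net:DROP:IN= OUT=eth0 SRC=192.168.1.37 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 SYN
[ 1205.77] Shorewall:fw2net:DROP:IN= OUT=eth0 SRC=192.168.1.37 DST=10.0.0.5 LEN=76 PROTO=UDP SPT=123 DPT=123
[ 1210.03] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.168.1.99 DST=192.168.1.37 LEN=48 PROTO=TCP SPT=5555 DPT=139 WINDOW=64240 SYN
[ 1211.00] usb 1-1: new high speed USB device using ehci_hcd
"""

LOG_RE = re.compile(
    r"Shorewall:(?P<chain>\w+):(?P<action>\w+):.*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=\d+ DPT=(?P<dport>\d+))?"      # ICMP lines carry no ports
)


def parse_drops(text):
    """One dict per dropped packet; lines that are not Shorewall DROPs are ignored."""
    drops = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("action") == "DROP":
            d = m.groupdict()
            d["dport"] = int(d["dport"]) if d["dport"] else None
            drops.append(d)
    return drops

def summarize(drops):
    """Count drops per (chain, protocol, destination port).
    fw2net = this box talking out; net2all = something outside talking in."""
    return Counter((d["chain"], d["proto"].lower(), d["dport"]) for d in drops)

def suggest_rule(entry):
    """Build the /etc/shorewall/rules line (ACTION SOURCE DEST PROTO PORT) that
    would ACCEPT one outbound entry. Inbound (net2all) drops are exactly what the
    restrictive policy exists to stop, so they are reported but never opened."""
    chain, proto, dport = entry
    if chain != "fw2net" or dport is None:
        return None
    return f"ACCEPT\tfw\tnet\t{proto}\t{dport}"

if __name__ == "__main__":
    for entry, count in summarize(parse_drops(SAMPLE_DMESG)).most_common():
        print(f"{count:3d}x {entry}  ->  {suggest_rule(entry) or 'inbound: leave blocked'}")
```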
How much faith can you put in an article that represents leaving ordinary FTP with its plain text passwords open?
for many reasons already expressed above.