What Linux tools and security??

Comments

  • tweeter
    tweeter Posts: 3,958 Forumite
    Part of the Furniture
    edited 6 July 2010 at 2:08PM
    Thanks for the info fwor. As I said earlier I've one foot in the grave but I'm not doing too bad for an old girl really, in trying to understand all this.
    Peel back your baby's eyelid to find no nationality or religious identity mark there. Peer at your baby's eyes for them to reflect back just people-throw away your flags and religious symbols...



  • weegie.geek
    weegie.geek Posts: 3,432 Forumite
    tronator wrote: »
    If you install a service like ssh, then you want to access it. So what's the point of having a firewall enabled if you need to open this port anyway?

    Because you might want to lock down access to things you are running to certain IP addresses or ranges? I know there are other ways of doing this, but iptables is about as easy as any other way.
    They say it's genetic, they say he can't help it, they say you can catch it - but sometimes you're born with it
  • JustPassingBy
    JustPassingBy Posts: 710 Forumite
    fwor wrote: »

    Brian - here's a test for you: take a fresh Ubuntu installation and add gufw directly from the standard repositories. Start gufw and what does it tell you? That the firewall is not enabled.

    I don't need gufw,
    brian@desktop:~/$ iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    No rules. No packet filtering. In your terms - no firewall. Which is what I said in posts #38 and #40. (Are we now down to four "incorrect" posts?)
    That's right. The kernel comes with the iptables/netfilter modules built-in, and it has an almost trivial default rule set in place (allow all outgoing, deny all incoming), but by default the firewall function is turned off.
    The empty ruleset means all packets (both incoming and outgoing) are passed. Nothing is denied by netfilter. What the kernel does with the packets is a different matter.
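The listing above is the state JustPassingBy describes: accept-all policies and no rules, so netfilter passes everything. Here is an added example (not from the thread or from any of the posters) that turns that visual check into a script: it reads the output of `iptables -S` and reports "none" when the filter table is in that do-nothing state and "active" when any chain has a restrictive policy or at least one rule. The two rulesets embedded in it are constructed samples, not captured from a real machine.

```shell
#!/bin/sh
# Added example: classify an iptables filter table as "none" (accept-all
# policies, no rules) or "active" (a non-ACCEPT policy or at least one rule).
# Reads `iptables -S` output from stdin.

filter_status() {
    awk '
        $1 == "-P" && $3 != "ACCEPT" { restrictive++ }   # chain policy that is not ACCEPT
        $1 == "-A"                   { rules++ }         # an appended rule
        END {
            if (restrictive + rules > 0) print "active"; else print "none"
        }
    '
}

# Constructed sample: what `iptables -S` prints for the empty ruleset shown
# in the post above (every chain ACCEPT, nothing appended).
EMPTY_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample: a default-deny ruleset of the kind a tool like ufw/gufw
# installs once it is enabled.
DENY_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# On a live machine (needs root):  iptables -S | filter_status
printf '%s\n' "$EMPTY_RULES" | filter_status   # none
printf '%s\n' "$DENY_RULES"  | filter_status   # active
```

The script deliberately treats a single rule as "active": an accept-all policy with one DROP rule is still filtering, even though `iptables -L` on such a box looks almost as empty as the listing above.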
  • JustPassingBy
    JustPassingBy Posts: 710 Forumite
    Mr_Oink wrote: »

    It would appear that in his drive-by multi-post trolling, JustPassingBy has missed that simple - but important - fact

    CUPS does listen on port 631 - but only for connections from the local machine. By default connections from the internet and the LAN are rejected. You definitely didn't look at /etc/cupsd.conf or go to http://localhost:631.

    The udp ports are of less concern. You don't say what is listening on them (one service might be avahi) but I expect they don't listen for remote connections.

    So there we have it. Nothing at all listening for requests from remote machines. Packets from such machines are rejected by the kernel. Complete security in that regard.

    So can you explain - without hand-waving or references to trousers - why it is so important for tweeter to configure a firewall when it is evident none is required for the basic use she will make of the machine.
  • Mr_Oink
    Mr_Oink Posts: 1,012 Forumite
    edited 6 July 2010 at 3:43PM
    CUPS does listen on port 631 - but only for connections from the local machine. By default connections from the internet and the LAN are rejected. You definitely didn't look at /etc/cupsd.conf or go to http://localhost:631.

    And you are familiar with the recent wide hole in CUPS allowing remote exploitation? No?
    It was discovered that CUPS did not properly handle memory allocations in
    the texttops filter. If a user or automated system were tricked into
    printing a crafted text file, a remote attacker could cause a denial of
    service or possibly execute arbitrary code with privileges of the CUPS user
    (lp). (CVE-2010-0542)
    
    Whilst this has *no* bearing on the port being wide open (the exploit makes no use of this) by default everything is open and there are services listening.
    Additionally, the current downloadable iso of 10.4 still contains the broken CUPS and this is resolved on the initial update.

    So we have established that by default 10.4 has nothing blocked by iptables, and that there are TCP and some UDP ports 'listening'. Yes?
    Would you agree with that fact - yes or no?
    So can you explain why it is so important for tweeter to configure a firewall when it is evident none is required for the basic use she will make of the machine.
    Do you think they have now discovered and patched *all* weaknesses in CUPS (or other potentially exploitable issues)? Do you think it would be best security practice to update the rule set (in this case by way of an easy gui) to *block* by default unnecessarily open ports? Or do you think your view of just leaving it open and assuming it to be 'secure enough' represents best practice?
  • JustPassingBy
    JustPassingBy Posts: 710 Forumite
    fwor wrote: »

    tronator - while I agree with the spirit of what you say, as Mr_Oink says, by default there is at least one service listening (CUPS on port 631), . . . . .

    Mr_Oink has it wrong. No doubt he will be along later to say as much.
    . . . . . . . and you don't have to do much in terms of installing software to add others, which an average user probably won't even be aware of.
    A fair point. But suppose a user does install a server unknowingly or without fully realising the implications. A mail server, for example. What is the problem?

    I'll help a little: all servers on Ubuntu are considered (like CUPS) to come with safe default settings.
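Mr_Oink's point is that ports are "listening"; JustPassingBy's is that CUPS listens only for connections from the local machine. Both are true, and the distinction is the bind address. The following added example (not from the thread or any poster) makes that distinction mechanically: it reads socket-listing output and prints only the listeners bound to something other than loopback, i.e. the ones a remote machine could reach. It assumes the column layout of `ss -ltun` from modern iproute2 (the thread's 2010 machines would have used `netstat -ltun`, whose address column is in the same position); the socket table embedded below is a constructed sample, not captured output.

```shell
#!/bin/sh
# Added example: from `ss -ltun` output on stdin, print "proto port" for each
# listener NOT bound to a loopback address (127.0.0.0/8 or [::1]).
# Loopback-only binds such as CUPS on 127.0.0.1:631 are skipped because no
# packet from another host can be delivered to them.

remote_listeners() {
    awk 'NR > 1 {
        n = split($5, f, ":")                                  # field 5 is local addr:port
        port = f[n]                                            # text after the last colon
        addr = substr($5, 1, length($5) - length(port) - 1)    # everything before it
        if (addr ~ /^127\./ || addr == "[::1]") next           # loopback only: skip
        print $1, port
    }'
}

# Constructed sample resembling `ss -ltun`: CUPS on loopback only (v4 and v6),
# an mDNS/avahi UDP socket and an ssh daemon on all interfaces.
SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0      128    [::1]:631          [::]:*
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# On a live machine:  ss -ltun | remote_listeners
printf '%s\n' "$SS_OUTPUT" | remote_listeners
```

On the sample this prints `udp 5353` and `tcp 22`, and nothing for 631: that is the list a firewall rule set would actually be deciding about, and it is empty only when every service is bound to loopback.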
  • fwor
    fwor Posts: 6,942 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    Perhaps we could debate the "when is a firewall not a firewall" issue to death, but, in my opinion, when a firewall is not performing any firewalling function, it's not acting as a firewall. You can view it differently and I really don't mind at all.
    I'll help a little: all servers on Ubuntu are considered (like CUPS) to come with safe default settings.

    This is where you are (probably) most wrong - because it means that you have assumed that whoever wrote the code that underlies that service has not made any mistakes. This includes mistakes that have already been discovered, and mistakes that might be discovered at some point in the future.

    History has shown that this is not a good assumption to make. If you do so you expose yourself to a greater level of risk, though, as I've already said, I currently consider it to be too low a level of risk for me to worry about - hence I do not use s/w firewalls. Or, in your terminology, I use a s/w firewall that does nothing.
  • JustPassingBy
    JustPassingBy Posts: 710 Forumite
    Mr_Oink wrote: »

    Do you think they have now discovered and patched *all* weaknesses in CUPS (or other potentially exploitable issues)?

    For today, yes.
    Do you think it would be best security practice to update the rule set (in this case by way of an easy gui) to *block* by default unnecessarily open ports? Or do you think your view of just leaving it open and assuming it to be 'secure enough' represents best practice?
    I've explained the situation with CUPS. There is no remote access to it. There are no security risks unless the user of the machine is malicious. In which case we are into "all bets are off if there is physical access" territory.

    Filtering packets to CUPS would disable printing on the local machine. Purging the software from the machine produces the same effect if that is what you want.

    I think you regard open ports as bad, whereas they are good. They enable you to do things. Also, I suspect you use the term "wide open" to mean no firewall is in place. Firewalls don't open or close ports. Starting or stopping services does.
  • Mr_Oink
    Mr_Oink Posts: 1,012 Forumite
    For today, yes.
    And you can guarantee that there never will be? Yes?
    I think you regard open ports as bad, whereas they are good. They enable you to do things. Also, I suspect you use the term "wide open" to mean no firewall is in place. Firewalls don't open or close ports. Starting or stopping services does.
    No, wide open means just that - wide open. I could have a door that would keep out burglars, yet leave it wide open to allow them to start looking around.

    You appear to have missed my question. Do you consider closing unnecessarily open ports as best security practice - yes or no will do.
  • JustPassingBy
    JustPassingBy Posts: 710 Forumite
    Mr_Oink wrote: »

    And you can guarantee that there never will be? Yes?

    Of course not. We can only fix known potential exploits.
    You appear to have missed my question. Do you consider closing unnecessarily open ports as best security practice - yes or no will do.
    Stopping an unnecessary or unwanted service is good practice. Doing so closes the port. Firewalls don't come into it.
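The thread ends with two positions: stop the service and the port is closed (JustPassingBy), or block by default so that a service you did not mean to expose, or a future bug in one you did, is not reachable anyway (Mr_Oink, and weegie.geek's earlier point about restricting ssh to certain address ranges). The added example below (mine, not from the thread or any poster) shows what the second position looks like as an actual rule set, in the `iptables-restore` format: default DROP on INPUT, loopback accepted first so that local-only services such as CUPS on 127.0.0.1:631 keep working, replies to the machine's own connections accepted, and exactly one service exposed and only to a named network. The network and port passed to it are illustrative values, not from the thread.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset implementing "block by
# default". Local printing via CUPS still works because loopback traffic is
# accepted before the INPUT DROP policy is reached; nothing from the LAN or
# the internet reaches port 631 or any other unlisted port.
# Usage (as root): gen_filter_rules 192.168.1.0/24 22 | iptables-restore
# The CIDR and port are placeholders for the one service you intend to expose.

gen_filter_rules() {
    src_net="$1"      # network allowed to reach the exposed service
    admin_port="$2"   # TCP port of that service (e.g. ssh)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: CUPS on 127.0.0.1:631 and anything else bound locally keeps working
-A INPUT -i lo -j ACCEPT
# replies to connections this machine opened (web, mail, updates)
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# the one service meant to be reachable, and only from the given network
-A INPUT -p tcp -s ${src_net} --dport ${admin_port} -m conntrack --ctstate NEW -j ACCEPT
# everything else, including 631 from the LAN, falls to the INPUT DROP policy
COMMIT
EOF
}

# Print the ruleset so it can be reviewed before loading it.
gen_filter_rules 192.168.1.0/24 22
```

Loading this does not "close" port 631 in JustPassingBy's sense, the daemon still listens on loopback, but it does mean that a later bug in CUPS, or a mail server installed without realising it binds to all interfaces, is not reachable from other machines until a rule is deliberately added for it.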