The subject line says it all. I've been running Ubuntu 12.04 as it was downloaded. There was never any mention of a Firewall.
How is security affected by this?
The default Ubuntu installation has no ports open, so there is nothing a firewall would actually protect.
Anyway, a firewall (iptables) is a part of the kernel itself and as such it is a part of every Linux installation. What you probably have in mind is some iptables frontend. Ubuntu seems to use ufw: https://help.ubuntu.com/community/UFW.
Last edited by Captain Pinkeye; 12-12-2014 at 03:43 PM.
Yes, Ubuntu is not delivered in the most secure manner. At one time not long ago almost every Linux distro came open by design. They have been getting more and more secure but at a cost to simple use.
One can get a security minded distro. The main issue is that Linux is a combination of thousands of parts. Each part may have holes. The more parts (apps) you put in the more holes you expose. Hackers get into most stock OS's in short order in annual games.
Every week or day we see security patches. There is a reason the patch exists.
Security is a set of active and passive tools. All together they are termed best practices. The more you know and the more you use the more likely your data will remain secure.
Assume that any data connected to internet will be subject to attack.
After enabling ufw, it's good to check it via Gibson's Shields Up port scan. If it's all stealth, then you've got a firewall up.
Since the previous millennium "stealth" isn't a must have any more: it only means you won't participate in networking as it was devised. And apart from the amusing (but rather sensationalist) messages there's another reason not to rely on "Shields Up": if you're behind a proxy or a router you'll be testing that instead of the target machine itself. One way to combat that would be to test from another machine inside the LAN or temporarily place the target machine in the DMZ (if your router has the functionality) if you don't mind exposing it temporarily.
*And indeed, "security" is more than running a firewall...
After enabling ufw, it's good to check it via Gibson's Shields Up port scan. If it's all stealth, then you've got a firewall up.
While I still run my systems in "stealth" mode simply because I'm too lazy to make all the changes I would need, the only actual difference between "DROP" and "REJECT" (DROP being stealth while REJECT replies "go away") is that a DROP response means the bad guy can keep trying after a timeout delay, while REJECT tells him to shut up and bother someone else.
And because I'm too lazy to switch things, I sometimes find my system appearing to freeze while it's tied up in continuing dialog with would-be invaders. It's almost a self-induced DDOS situation, in fact.
Now that I think about it, perhaps it's time for me to make the switch...
And of course it's not true that Ubuntu has no firewall -- all current Linux kernels have the "iptables" firewall built in. It's just that no app to configure it is presented by default! Using "gufw" can cure that if you're bothered by its absence.
While I still run my systems in "stealth" mode simply because I'm too lazy to make all the changes I would need, the only actual difference between "DROP" and "REJECT" (DROP being stealth while REJECT replies "go away") is that a DROP response means the bad guy can keep trying after a timeout delay, while REJECT tells him to shut up and bother someone else.
More like DROP gives him no useful information, while REJECT tells him "yes, I'm here, but the service you tried to access doesn't exist (but others may)." In practice, it makes very little difference which one you use. Port scanners stopped relying on "unreachable" errors or ping responses a long time ago.
DROP still ensures you're not fooled into participating in a reflection/amplification attack against a third party, though.
DROP still ensures you're not fooled into participating in a reflection/amplification attack against a third party, though.
Which is, to me, a fully adequate reason to leave my setup as-is with DROP. I can accept the occasional pseudo-DOS it sometimes creates as the price for protecting against becoming a participant in an attack upon someone else!
You're quite correct, of course, about the small difference in information provided to a scanner. Since I must leave Port 21 open, for business reasons, in my case DROP provides no change in the amount of information revealed so it never occurs to me to mention that fact. Still, I like the point you make!
Last edited by JimKyle; 12-21-2014 at 02:20 PM.
Reason: To amplify my response.
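An added example, not part of any post in this thread: a small Python check, meant to be run against your own machine from another host inside the LAN as suggested earlier, showing how the DROP and REJECT policies discussed above look to a TCP client. The function names, the timeout and the loopback demo are assumptions made for this illustration.

```python
import errno
import socket

def classify_port(host, port, timeout=2.0):
    """Classify one TCP port as seen by a client.

    'open'        - handshake completed: a service listens and the firewall allows it
    'closed'      - active refusal: no listener, or a REJECT rule answered
    'unreachable' - an ICMP host/network unreachable error came back
    'filtered'    - no answer before the timeout: a DROP rule ("stealth") or packet loss
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()

def audit(host, ports, timeout=2.0):
    """Map each port to its classification."""
    return {p: classify_port(host, p, timeout) for p in ports}

def local_demo():
    """Constructed offline demo on loopback: one listening port, one bound but not listening."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    idle = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    idle.bind(("127.0.0.1", 0))  # reserved but never listens, so connects are refused
    open_port = srv.getsockname()[1]
    closed_port = idle.getsockname()[1]
    try:
        return audit("127.0.0.1", [open_port, closed_port]), open_port, closed_port
    finally:
        srv.close()
        idle.close()

if __name__ == "__main__":
    print(local_demo()[0])
```

A port that reports 'filtered' only after the full timeout is the DROP case; an immediate 'closed' is either an unused port or a REJECT rule.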
Since the previous millennium "stealth" isn't a must have any more: it only means you won't participate in networking as it was devised. And apart from the amusing (but rather sensationalist) messages there's another reason not to rely on "Shields Up": if you're behind a proxy or a router you'll be testing that instead of the target machine itself. One way to combat that would be to test from another machine inside the LAN or temporarily place the target machine in the DMZ (if your router has the functionality) if you don't mind exposing it temporarily.
*And indeed, "security" is more than running a firewall...
Hi guys, let me just give my opinion on this. I don't think there is anybody interested in infecting Linux, because it is a free OS, and whoever writes viruses and malware is more interested in Bill Gates the money angry.
Hi guys, let me just give my opinion on this. I don't think there is anybody interested in infecting Linux, because
While you're entitled to it, that's just what it is: your uninformed opinion. Plus it doesn't contribute anything valuable to this particular thread or topic. Me, I'm way more interested in troubleshooting and diagnosing tangible problems and where possible preventing them. Fortunately that nicely coincides with what we have been doing here for the past decade and a half on LQ.