Ubuntu 20.04: what are the security risks without firewall?
Installed Ubuntu 20.04, but forget to enable firewall using ufw.
SSH 22 port: use keys(2048 bit) for login, no password.
Setting UsePAM=true, any risk?
Any other services that may have security holes without firewall, and hackers can break into the server?
Case for firewall
Yes you should enable the firewall. It's an important security layer.
Software has bugs. The firewall layer prevents some bugs or mistakes from causing harm.
Security is layered for the same reason airplanes have redundant systems. Even single engine airplanes are designed to glide when they lose thrust.
SSH and Services You Know About
While proper SSH configuration is another topic, it illustrates a reason firewalls are needed. You're config is on the right track but without reading the entire man-page you're still unsure if it's secure.
If you're unsure about SSH, a firewall can limit access from source IPs that you define adding another layer.
SSH is but one of a handful of services you're running that might be accessible over the public internet. Sometimes services become open to the public unintentionally.
Third Party Software
One type of bug is a software update or install that inadvertently opens a service and exposes that service to the public internet.
I frequently see application installs that open a private service bound to 0.0.0.0 when it should be bound to 127.0.0.1. If you don't know the difference, you aren't alone. Binding to 0.0.0.0 (or *) means open to the public internet.
This isn't just a user-workstation problem. Package managers are susceptible to this too. NPM, Python PIP, and Apt all can run executables on your system.
Checking for Open Services
Run sudo netstat -n to show active internet connections.
For example, here's output:
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 31 0 192.168.1.17.53624 3.xxx.96.61.443 CLOSE_WAIT
tcp4 0 0 192.168.1.17.53622 162.xxx.35.136.443 ESTABLISHED
udp4 0 0 *.3722 *.*
[...]
I do not know what udp port 3722 is but my system will accept traffic from ANYWHERE to that port.
Closing
The firewall is a layer that lives lower in the network stack than applications and thus provides a layer to guard against configuration and application problems.
Enabling the firewall will prevent you accidentally exposing something you didn’t know was open - telnet, ftp, databases, Jupyter to name a few.
Regarding ssh with disabled password and ssh keys, it’s a good way to enable shell access but be aware that if there is no password on the ssh key, and the private key is stolen, then the thief will have access.
Also, remember ssh only encrypts transport. If you trust everyone who has or can obtain root access, that’s not a big deal, but if someone dishonest connects as root on the same host, then they can still spy on connections. Just something to be aware of.
Related
I want to install Damn Vulnerable Web Application (DVWA) on VirtualBox, so I downloaded the DVWA.iso and I'm following this tutorial for its installation.
At step 9, they say to choose internal network, but I don't really understand why (is it a security problem if I don't choose this option?). Because if I select internal network after I've got an IP like 10.0.something and when I try to connect from my computer (not the VM) to 10.0.something/login.php that doesn't work. But if I select bridge networking, I've got an IP like 192.168.something and it works.
Could you explain me why is it important to choose internal network, and why that doesn't work when I choose this?
Internal network on VirtualBox creates a network between boxes on the same host . I can't see the next steps of the tutorial you linked but my guess is that it will ask you to install Kali (or similar distro) on another box on that same host. This is what most people do.
Setting 'internal network' allows the 2 machines to talk to each other without any contact with the outside.
It is considered a security measure because the DVWA is a vulnerable machine so some people think that you shouldn't be giving access to internet to it, but I guess it's more about 'best practice' than a real security risk because in most cases firewalls, routers and ISP will prevent outside attackers to connect directly to that machine in any case.
Anyways, if you are using another computer on the same network to connect to DVWA you should be ok in using a 'bridged' connection on VirtualBox (this it will give to the DVWA an IP sitting on the same network of the host and of your computer). In NAT mode VirtualBox acts like a router, it may still be a good solution for you but not sure if the box is reachable from other computers as I think VB settings may affect this case.
If you are using instead the Host as a penetration testing machine, 'host only' should be good to allow the host and the VM to talk.
Try to put both of the machines on the NAT so that you can ping onto the dvwa from wherever you're doing the hacking from! so essentially both of the machines should be on NAT setting if the they're both on a virtual machine.
I'm trying to make a portforwarding for different ports for communications, but it seems they are lost on reboot.
I'm using a script to make them, and it uses the following syntax:
upnpc -a 192.168.1.95 22 22 TCP
...
Since my system is made to actually stress the gateway to reboot, I need to have these ports open after a reboot. I could do it in the software (running the script if connection lost), but I don't want to do that unless it is absolutely necessary.
Do you have some idea of how to make a portforwarding with UPnP such that the forwarding is persisted after a reboot?
Port mappings are specifically not required to be persistent between gateway reboots, clients are supposed to keep an eye on the mappings and re-map when needed. WANIPConnection spec v2 also does not even allow indefinite mappings: another reason to keep the client running as long as you need the mapping to exist.
Ok, been hosting a few games servers on my home computer, and am now also setting up a personal ftp server.
I am sharing my ip-adress with some friends and family with intetions of using this server, but when one of my friends threatened "hacking" my computer (I know he doesn't possess any such skills). It got me thinking.
If I do not reveal my ip address to strangers (or even if I do), are there any security threats.
Also at what scale are these threats. Will an every day programmer be able to cause damage while I host this server?
P.S. I am using xlight ftp software to host this server.
Your friends are not the ones you have to concern about.
Your ip , like everyone else, will be scanned in several ports several times per minute.
Internet is full of bots, launching petitions, looking for holes to exploit and systems to
dig in.
Just be sure to be behind a firewall, nat only desired services ports, and try not to use a conventional one. Install an additional software firewall if possible.
I would also recommend you to use a SFTP server. (Based on SSH and encryped). Standard FTP traffic is raw and can be easily sniffed.
Problem: I am developing a graphical front end for a distributed CPU/GPU simulator. As this simulator utilizes MPI, it requires a hostfile detailing the hostnames for all computers being used on the network so that it knows what machines to distribute across. As the end users for my application are not computer scientists (and may not even be very computer literate), I can't expect them to know/find the hostnames of every computer on their network/cluster. I would like to programmatically perform this hostname discovery so that, upon application start-up, the user can see the available machines, and from those, pick the hosts they want to run on. If possible, I would like this solution to be cross platform but as the simulator currently contains some linux dependencies I can deal with a Linux only solution.
What I have tried so far: I tried utilizing the nmap package to discover hosts on a network with commands like nmap -sP <ip address range> using the ip address range for that local network. However, it only dumps the IP addresses for the hosts (not the host names) and I'm not sure how to translate these IP addresses into ssh hostnames (as MPI uses ssh for host discovery). Additionally, I used a similar approach with ping supplying the broadcast address and it returned nearly identical results.
I apologize for the broad nature of this question and the lack of code shown but I am not very experienced with network probing / programming and I am really not even sure where to start. I tried googling this but I was unable to find a suitable option (possibly because my lack of experience caused me to use improper terminology triggering improper results) My background is primarily in graphics and user interface programming, so this is a little beyond my comfort zone.
SSH doesn't care if it is given hostnames or IP addresses to connect to (not sure if this applies when there are host-specific configurations). Most MPI implementations don't care too, e.g. in Open MPI connection URIs addresses are all numeric, so a hostfile with IPs would be fine. HTTP servers on the other hand care because of the virtual hosting thing where many different sites resolve to the same IP address but the server is supplied the actual hostname via the Host HTTP header.
Unsolicited advice: finding hosts by ping is fine, but it doesn't guarantee that you have found machines, where SSH is running. You would better scan for systems with port 22 open that accept TCP connections:
$ nmap -oX -sT -p22 <ip range>
-oX produces XML output that can be easily parsed. -oG is also a nice format for automated parsing of the scan results. Also having SSH running doesn't necessarily mean that the user would be able to log into the system - for example it could be a network router or another remotely manageable device. One also has to take care of only showing machines where the user can log on without having to supply a password, e.g. with RSA/DSA public keys, otherwise starting an MPI job would be a really tedious task. You can test each host found with something like:
$ ssh -2 -o "PreferredAuthentications=gssapi-with-mic,hostbased,publickey" \
<host> hostname
This command basically excludes all interactive authentication methods. If connection succeeds, it will output the hostname of the remote machine. Otherwise you'd get a permission denied error and a non-zero exit code from the SSH client.
I am trying to setup NFS mounts between two machines on the same local network, however it seems I need to be more specific in my firewall (FIREHOL) setup as the client side cannot mount the exports.
Did look at netstat to determine the ports that open up, but they seems to be non-static/changing.
I know it is firewall related as disabled/stopping my Firehol causes the problem to dissapear.
Any specific areas I should investigate?
Well, first of all, you need to make sure that portmap is also enabled in your Firehol configuration.
I am not super sure about the low level workings of NFS's ports, but it does not use the same ports everytime.
You could do something like the following to enable the NFS ports, as well as portmap. (Check rpcinfo -p)
This would enable the rpc queries (to determine the ports, for the firewall, to know AFTER NFS was started(or restarted))
I also suggest the use of 'src' to restrict the client IP's you are serving to, if you don't already have it :)
Lastly, remember to restart the firewall/firehol AFTER nfs restarts, so rpcqueries are happy with the ports for nfs service.
Example (where 192.168.152.176 is your client machine)
server portmap accept src 192.168.152.176
server nfs accept src 192.168.152.176