Is there an improvement of security when using two firewalls? I have the option to configure a firewall from the hoster for my Debian 9 server.
What happens if I enable ufw on my server? Does it improve the security, or is there a possibility it might end in a conflict between these two?
ufw is a front end for netfilter, there is a good chance the hoster's firewall is iptables.
There is no security improvement for having two firewalls on a Linux system; you should rather use the one you prefer.
Ubuntu 20.04: what are the security risks without firewall?
Installed Ubuntu 20.04, but forgot to enable the firewall using ufw.
SSH port 22: use keys (2048-bit) for login, no password.
Setting UsePAM=true, any risk?
Any other services that may have security holes without firewall, and hackers can break into the server?
Case for firewall
Yes you should enable the firewall. It's an important security layer.
Software has bugs. The firewall layer prevents some bugs or mistakes from causing harm.
Security is layered for the same reason airplanes have redundant systems. Even single engine airplanes are designed to glide when they lose thrust.
SSH and Services You Know About
While proper SSH configuration is another topic, it illustrates a reason firewalls are needed. Your config is on the right track, but without reading the entire man page you're still unsure if it's secure.
If you're unsure about SSH, a firewall can limit access to source IPs that you define, adding another layer.
SSH is but one of a handful of services you're running that might be accessible over the public internet. Sometimes services become open to the public unintentionally.
Third Party Software
One type of bug is a software update or install that inadvertently opens a service and exposes that service to the public internet.
I frequently see application installs that open a private service bound to 0.0.0.0 when it should be bound to 127.0.0.1. If you don't know the difference, you aren't alone. Binding to 0.0.0.0 (or *) means open to the public internet.
This isn't just a user-workstation problem. Package managers are susceptible to this too. NPM, Python PIP, and Apt all can run executables on your system.
Checking for Open Services
Run sudo netstat -n to show active internet connections.
For example, here's output:
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 31 0 192.168.1.17.53624 3.xxx.96.61.443 CLOSE_WAIT
tcp4 0 0 192.168.1.17.53622 162.xxx.35.136.443 ESTABLISHED
udp4 0 0 *.3722 *.*
[...]
I do not know what udp port 3722 is but my system will accept traffic from ANYWHERE to that port.
Closing
The firewall is a layer that lives lower in the network stack than applications and thus provides a layer to guard against configuration and application problems.
Enabling the firewall will prevent you accidentally exposing something you didn’t know was open - telnet, ftp, databases, Jupyter to name a few.
Regarding ssh with disabled password and ssh keys, it’s a good way to enable shell access but be aware that if there is no password on the ssh key, and the private key is stolen, then the thief will have access.
Also, remember ssh only encrypts transport. If you trust everyone who has or can obtain root access, that’s not a big deal, but if someone dishonest connects as root on the same host, then they can still spy on connections. Just something to be aware of.
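As an added example (not part of the answer above), the following Python script automates the check the answer does by eye: it reads netstat output and flags every listening socket bound to a wildcard address (*, 0.0.0.0 or ::), i.e. the services that accept traffic from anywhere and therefore need to be covered by firewall rules unless they are meant to be public. The sample output is constructed; it reuses the answer's BSD-style lines (tcp4, "addr.port") and adds Linux-style lines ("addr:port") so the parser handles both formats. Function and variable names are the example's own.

```python
import re
from typing import NamedTuple

# Constructed sample: the BSD/macOS-style columns shown in the answer plus a
# few Linux-style `netstat -an` lines. Only listening sockets matter here.
SAMPLE_NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 31 0 192.168.1.17.53624 3.xxx.96.61.443 CLOSE_WAIT
tcp4 0 0 192.168.1.17.53622 162.xxx.35.136.443 ESTABLISHED
tcp4 0 0 127.0.0.1.5432 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
udp4 0 0 *.3722 *.*
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN
tcp6 0 0 :::3306 :::* LISTEN
udp 0 0 127.0.0.53:53 0.0.0.0:*
"""

# Local addresses that mean "every interface on this machine".
WILDCARD_HOSTS = {"*", "0.0.0.0", "::", "[::]"}


class Listener(NamedTuple):
    proto: str
    host: str
    port: int
    exposed: bool  # True when bound to a wildcard address


def split_local(addr: str) -> tuple[str, int]:
    """Split 'host.port' (BSD) or 'host:port' (Linux) into its parts.

    The port is always the text after the final separator, which keeps
    IPv6 forms such as ':::3306' or '[::]:22' unambiguous.
    """
    m = re.match(r"^(.*)[.:](\d+)$", addr)
    if not m:
        raise ValueError(f"unrecognised local address: {addr!r}")
    return m.group(1), int(m.group(2))


def parse_listeners(text: str) -> list[Listener]:
    """Return every socket that will accept incoming traffic.

    TCP sockets count only in state LISTEN; UDP has no connection state,
    so every bound UDP socket is a listener (that is what makes the
    answer's udp port 3722 reachable from anywhere).
    """
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # headers, blank lines, unix sockets
        proto, local = fields[0], fields[3]
        state = fields[5] if len(fields) > 5 else ""
        if proto.startswith("tcp") and state != "LISTEN":
            continue  # established/closing connections are not listeners
        host, port = split_local(local)
        listeners.append(Listener(proto, host, port, host in WILDCARD_HOSTS))
    return listeners


def exposed_ports(text: str) -> list[tuple[str, int]]:
    """(proto, port) pairs reachable from any address: the ones a firewall
    must cover if the service was not meant to be public."""
    return [(l.proto, l.port) for l in parse_listeners(text) if l.exposed]


if __name__ == "__main__":
    # Real use: parse_listeners(subprocess.check_output(["netstat", "-an"], text=True))
    for l in parse_listeners(SAMPLE_NETSTAT):
        tag = "EXPOSED (all interfaces)" if l.exposed else "local only"
        print(f"{l.proto:5} {l.host:>10} port {l.port:<6} {tag}")
```

On the constructed sample the script reports ports 22, 3722, 8888 and 3306 as exposed and the two loopback sockets (5432 and 53) as local only. The design choice is to treat every bound UDP socket as a listener rather than only TCP sockets in LISTEN state: an unrecognised UDP port bound to * is exactly the case the answer warns about, and it would be missed by a check that keys on LISTEN alone.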
I do not trust anything, so I want to write my own firewall. I'm not satisfied with the application firewalls in Linux and Windows, and the distro firewalls are not adequate for my purposes. I'm frustrated with distro firewalls; most of them, like pfSense, OPNsense and IPFire, just seem to give the illusion of a firewall, but all they do is packet filtering. I'm unable to block everything and only allow a few websites with it. I have created a rule to block DNS requests, applied that rule and rebooted the firewall distro, but it doesn't seem to have any effect. I either have to block everything or allow everything, both of which are undesirable. The sc*mbags seem to have deliberately made the interface unintuitive to sell service; they claim their firewalls are free but made the interface obtuse, so that they can steal money by selling service.
I'm thinking of writing my own firewall. One of these will be an application which will run on the client system, and the other would be a standalone distro; both will run together to allow better management. The application on the client will create a special packet signed with the hash of the application, OS, etc., and the intermediary firewall distro will check this hash and allow rules and policies to be created based on this hash. Does the TCP/IP protocol allow this?
I have searched the net for resources about the network API on Linux, and there are three resources about writing my own firewall: two are questions here and one is netfilter. I don't know anything about the TCP/IP protocol, so I don't know if I can use the packets made by TCP/IP to achieve this or I have to creatively find a way to create a special packet.
Good day Team,
Trust you are doing well,
I have loaded the new Proxmox 5.2 on bare metal. It's quite different from the earlier version. However, I'm having difficulty configuring the SSH sessions for the VMs running inside Proxmox.
The firewall is really tricky and I'm not able to get my head around it. I really require some assistance.
Proxmox 5.2-1
"Datacenter Firewall Options Enable"
"Datacenter Firewall Option Input Policy ACCEPT"
"Datacenter Firewall Option Output policy ACCEPT"
Furthermore
"Datacenter Firewall IPSET Admin IP subnets are listed here to allow access to the proxmox server via specific IPs. "
Datacenter Firewall Add Rule Accept "Source Admin" vmbr0
I have kept Destination empty, no macro, no protocol, no source port, no destination port.
I believe that should allow full access inside the server itself via the Listed IPs inside IPset, but that's not the case.
May I ask if someone is available here who knows how to work with this firewall?
Thanks.
I did find the solution: the file /etc/pve/firewall/cluster.fw is the one that's controlling the online GUI.
Enabling and disabling the firewall from the backend works via:
pve-firewall enable
pve-firewall disable
There's no way to allow all the traffic. Hence, I had to define a proper set of rules that I had to apply based on the Debian firewall.
My Specific Question is as below:
How would you allow all traffic coming in and going out on this firewall?
How would you debug which rule is blocking the traffic coming in or leaving the server in real time?
FW is disabled by default.
Datacenter -> Firewall -> Options -> Firewall Yes/No
Nodename -> Firewall -> Options -> Firewall Yes/No
each VM -> Hardware -> Network device -> Firewall checked/unchecked
That's not difficult at all. Better do it in the GUI. You can make way more mistakes by editing the firewall in the shell.
If all FW settings are disabled in PMOX, you should check some iptables in the OS or just use tcpdump or tshark to investigate.
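As an added example (not from the answer above or from the Proxmox project), this is what the asker's setup looks like written directly in /etc/pve/firewall/cluster.fw, the file the asker found drives the GUI: an IPset of admin addresses and rules that accept SSH and the web GUI only from that set, with logging turned on so a matched rule shows up in the firewall log. The 192.0.2.0/24 subnet is a placeholder for the asker's real admin subnet; the rest uses the cluster.fw syntax as documented for pve-firewall.

```ini
[OPTIONS]
enable: 1
# Default policy for incoming traffic that matches no rule.
# Drop is the point of the firewall; leaving it at ACCEPT makes
# the admin rules below pointless.
policy_in: DROP
policy_out: ACCEPT

[IPSET admin]
# Placeholder: replace with the real management subnet(s).
192.0.2.0/24

[RULES]
# Accept SSH and the Proxmox GUI (8006) only from the admin set.
# "-log info" records every match in the firewall log, which is how you
# see which rule handled a packet when something is unexpectedly blocked.
IN SSH(ACCEPT) -source +admin -log info
IN ACCEPT -source +admin -p tcp -dport 8006 -log info
```

Two practical notes: check the admin subnet before setting policy_in to DROP, because a wrong IPset entry locks you out of SSH and the GUI at the same time; and run pve-firewall compile to print the iptables rules Proxmox generates from this file, which is the quickest way to see how a GUI rule actually translates before relying on it.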
I want to install Damn Vulnerable Web Application (DVWA) on VirtualBox, so I downloaded the DVWA.iso and I'm following this tutorial for its installation.
At step 9, they say to choose internal network, but I don't really understand why (is it a security problem if I don't choose this option?). Because if I select internal network, I get an IP like 10.0.something, and when I try to connect from my computer (not the VM) to 10.0.something/login.php, that doesn't work. But if I select bridged networking, I get an IP like 192.168.something and it works.
Could you explain to me why it is important to choose internal network, and why it doesn't work when I choose this?
Internal network on VirtualBox creates a network between boxes on the same host. I can't see the next steps of the tutorial you linked, but my guess is that it will ask you to install Kali (or a similar distro) on another box on that same host. This is what most people do.
Setting 'internal network' allows the 2 machines to talk to each other without any contact with the outside.
It is considered a security measure because the DVWA is a vulnerable machine, so some people think that you shouldn't be giving it access to the internet, but I guess it's more about 'best practice' than a real security risk because in most cases firewalls, routers and the ISP will prevent outside attackers from connecting directly to that machine in any case.
Anyway, if you are using another computer on the same network to connect to DVWA, you should be OK using a 'bridged' connection on VirtualBox (this will give the DVWA an IP sitting on the same network as the host and your computer). In NAT mode VirtualBox acts like a router; it may still be a good solution for you, but I'm not sure if the box is reachable from other computers, as I think VB settings may affect this case.
If you are using instead the Host as a penetration testing machine, 'host only' should be good to allow the host and the VM to talk.
Try to put both of the machines on NAT so that you can ping the DVWA from wherever you're doing the hacking from! So essentially both of the machines should be on the NAT setting if they're both virtual machines.
OK, I've been hosting a few game servers on my home computer, and am now also setting up a personal FTP server.
I am sharing my IP address with some friends and family with the intention of using this server, but when one of my friends threatened "hacking" my computer (I know he doesn't possess any such skills), it got me thinking.
If I do not reveal my IP address to strangers (or even if I do), are there any security threats?
Also, at what scale are these threats? Will an everyday programmer be able to cause damage while I host this server?
P.S. I am using xlight ftp software to host this server.
Your friends are not the ones you have to be concerned about.
Your IP, like everyone else's, will be scanned on several ports several times per minute.
The internet is full of bots, launching petitions, looking for holes to exploit and systems to dig in.
Just be sure to be behind a firewall, NAT only the desired service ports, and try not to use a conventional one. Install an additional software firewall if possible.
I would also recommend you use an SFTP server (based on SSH and encrypted). Standard FTP traffic is raw and can be easily sniffed.