A Netbook is a handy piece of tech when travelling. Of course, these days, with the iPad and friends, Netbooks are collecting dust. However, I still have an Ubuntu Netbook that I take on road trips now and again. Whether for enjoying public Wi-Fi or for my kids’ favourite activity, watching movies, these tiny portable computers are perfect, and you can’t beat the battery life. With Ubuntu on board, connecting to public Wi-Fi couldn’t be safer (relatively speaking), and with ufw built in I can easily turn the firewall ‘ON’ and disappear on the network. When active, ufw’s default behaviour is to block all inbound traffic on the external interface except ICMP, but more on that later. Let’s look at a few simple scenarios:
Protecting yourself while using Public Wi-Fi: $ sudo ufw enable
Sharing Windows files or printers among friends or other hosts on the same Public network. According to Microsoft, the following ports should be open for proper SMB and NetBIOS communication:
$ sudo ufw allow 135/tcp
$ sudo ufw allow 136/tcp
$ sudo ufw allow 137/tcp
$ sudo ufw allow 138/tcp
$ sudo ufw allow 139/tcp
$ sudo ufw allow 135/udp
$ sudo ufw allow 136/udp
$ sudo ufw allow 137/udp
$ sudo ufw allow 138/udp
$ sudo ufw allow 139/udp
$ sudo ufw allow 445/tcp
However, I would not recommend opening these ports when connected to Public networks, especially TCP 445 (Admin$ Share). Instead, if you and your buddy are connected to the same Public network, create a more specific rule, granting your friend full access by specifying their IP address.
Create ufw exception by IP address: $ sudo ufw allow from 192.168.1.1
However, at times you may not fully trust your friend and only want them accessing one specific port: $ sudo ufw allow from 192.168.1.1 to any port 139
The uncomplicated firewall is easy to manipulate. However, you must remember to apply restrictive/specific rules before more generic ones. Don’t forget that all rules are applied in a top-down fashion. Let me give you an example:
You’ve got a great hack and wish to test it at the local Public Wi-Fi hotspot; however, you don’t want your friend falling victim. Given what I said above, this can be accomplished with two rules: a restrictive rule followed by a more generic one. First, deny your friend’s IP address, blocking them from your hack; second, add a more general allow rule granting access from any other host IP.
$ sudo ufw deny from 192.168.1.100 to any port 666
$ sudo ufw allow from 192.168.1.0/24 to any port 666
OK, but what if his IP changes? More on that next week.
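The top-down rule described above, as an added example that is not part of the original post: a small first-match evaluator run over the same two rules in both orders. The `action source port` rule format and the function name `first_match` are assumptions made for this sketch, not ufw syntax.

```shell
#!/bin/sh
# Added example: first-match evaluation of an ordered rule list.
# Rule format is constructed for this sketch (not ufw syntax):
#   "<action> <source-ip-or-cidr> <port>", one per line, read top down.

# first_match RULES SRC_IP PORT
# Prints the action of the first rule matching SRC_IP and PORT, or
# "default-deny" when no rule matches (inbound default deny).
first_match() {
    printf '%s\n' "$1" | awk -v src="$2" -v port="$3" '
        # Dotted-quad IPv4 address to integer.
        function ip2int(ip,   o) {
            split(ip, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        # True when ip lies inside cidr; a bare address counts as /32.
        function in_cidr(ip, cidr,   p, bits, size) {
            split(cidr, p, "/")
            bits = (p[2] == "") ? 32 : p[2]
            size = 2 ^ (32 - bits)
            return int(ip2int(ip) / size) == int(ip2int(p[1]) / size)
        }
        NF == 3 && $3 == port && in_cidr(src, $2) {
            print $1; found = 1; exit
        }
        END { if (!found) print "default-deny" }
    '
}

# The two rules from the post, in the stated order and reversed.
GOOD_ORDER='deny 192.168.1.100 666
allow 192.168.1.0/24 666'
BAD_ORDER='allow 192.168.1.0/24 666
deny 192.168.1.100 666'

first_match "$GOOD_ORDER" 192.168.1.100 666   # specific deny is hit first
first_match "$GOOD_ORDER" 192.168.1.57  666   # falls through to the allow
first_match "$BAD_ORDER"  192.168.1.100 666   # broad allow shadows the deny
```

On a live system, `sudo ufw status numbered` shows the order ufw evaluates, and `sudo ufw insert 1 deny from 192.168.1.100 to any port 666` places a rule ahead of ones already added.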
UFW – Uncomplicated Firewall Primer
A host firewall can improve the security of any operating system; however, configuration can sometimes be tricky or cumbersome. The uncomplicated firewall (UFW) was designed with simplicity in mind. While it uses the command line and has a limited set of simple commands, it is a powerful and formidable security mechanism able to reduce the attack surface. UFW utilizes the tried and true ‘iptables’ for configuration, which of course uses the Linux Kernel Firewall.
I’ve already talked about UFW in passing, when I introduced you to Gufw, a graphical user interface to the uncomplicated firewall. You can read it here. However, today I’d like to talk more about the command line. Unfortunately, as is the case in the Linux Server world, you may not have the luxury of a GUI, especially if the server is in a remote location. At that point it’s command line all the way, baby! In which case being comfortable with UFW’s commands comes in handy.
First and foremost, typing ‘ufw --help’ lists all available commands.
Cool, but how do I enable the firewall? Issuing ‘ufw enable’ will turn it on.
Once enabled, you may review existing rules through ‘ufw show raw’. By the way, if you’re not sure of the command options, pressing TAB displays the available arguments (nice shortcut).
OK, so how do I configure some useful settings? I would suggest setting the firewall to default DENY for all inbound traffic. This should be done before enabling the firewall. If you’ve already gone ahead and enabled it, simply disable it, change to default deny and re-enable the firewall. If you ever find yourself at the airport or using questionable public WiFi and want to disappear with little fuss, enable ufw and you’re inaccessible on the network. (Don’t forget that default DENY applies to inbound traffic only. Outbound traffic is unaffected; all ports are allowed through the firewall.) If you’re adventurous and would like to view the ufw rules in all their glory, find them in ‘/etc/ufw/’: have a look at ‘before.rules’, or issue the command ‘ufw show before-rules’.
What about logging? By default, UFW sets logging to ‘low’. However, an option to increase logging to ‘medium’, ‘high’ or ‘full’ is available. For most environments ‘low’ is sufficient; it logs all denied packets. However, if you get a kick from reviewing logs, set logging to full and you’ll see everything. By the way, logs are stored in ‘/var/log/ufw.log’.
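One way to check both recommendations, the source-restricted sharing rules from the earlier post and the default deny described here, as an added example rather than anything from the original posts: a filter over `ufw status verbose` output. The function name `audit_ufw`, the finding labels and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ufw status verbose` output read from stdin.
# Sequence from the post, run by hand as root before auditing:
#   sudo ufw disable
#   sudo ufw default deny incoming
#   sudo ufw enable
# Prints one finding per line; no output means nothing was flagged.
audit_ufw() {
    awk '
        /^Status:/  { active  = ($2 == "active") }
        /^Default:/ { deny_in = ($2 == "deny" && $3 ~ /incoming/) }
        {
            # Rule rows: locate the action column; the source follows it
            # (verbose output prints "ALLOW IN").
            for (i = 2; i <= NF; i++) if ($i == "ALLOW") break
            if (i > NF) next
            from = ($(i + 1) == "IN") ? $(i + 2) : $(i + 1)
            split($1, spec, "/")
            port = spec[1]
            if (port !~ /^[0-9]+$/ || from != "Anywhere") next
            # File-sharing ports listed in the post: 135-139 and 445.
            if (port + 0 == 445 || (port + 0 >= 135 && port + 0 <= 139))
                print "OPEN_TO_ANY " $1
        }
        END {
            if (!active)       print "FIREWALL_INACTIVE"
            else if (!deny_in) print "DEFAULT_NOT_DENY"
        }'
}

# Constructed sample of status output (not captured from a real host).
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
445/tcp                    ALLOW IN    Anywhere
137/udp                    ALLOW IN    Anywhere
139                        ALLOW IN    192.168.1.1
22/tcp                     ALLOW IN    Anywhere'

printf '%s\n' "$SAMPLE_STATUS" | audit_ufw
```

On a real host the same check is `sudo ufw status verbose | audit_ufw`; port ranges such as `135:139/tcp` are not expanded by this sketch.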
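To make the log review above concrete, here is an added example (not from the original post) that condenses the `[UFW BLOCK]` entries of a ufw log into counts per source and destination port. The function name `blocked_summary` and the sample log lines are constructed for illustration; the lines follow the kernel log layout with some fields trimmed.

```shell
#!/bin/sh
# Added example: summarise denied packets from ufw log lines on stdin.
# Output: "<count> <source> <proto>/<dest-port>", most frequent first.
blocked_summary() {
    awk '
        /\[UFW BLOCK\]/ {
            src = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            # Entries without a port (for example PROTO=2) have no DPT.
            key = src " " proto "/" (dpt == "" ? "-" : dpt)
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed log lines (fields trimmed); the ALLOW entry must be ignored.
SAMPLE_LOG='Mar  3 10:15:01 netbook kernel: [ 1201.1] [UFW BLOCK] IN=wlan0 OUT= SRC=192.168.1.23 DST=192.168.1.50 LEN=52 PROTO=TCP SPT=49712 DPT=445
Mar  3 10:15:04 netbook kernel: [ 1204.2] [UFW BLOCK] IN=wlan0 OUT= SRC=192.168.1.23 DST=192.168.1.50 LEN=52 PROTO=TCP SPT=49713 DPT=445
Mar  3 10:15:09 netbook kernel: [ 1209.3] [UFW BLOCK] IN=wlan0 OUT= SRC=192.168.1.23 DST=192.168.1.50 LEN=52 PROTO=TCP SPT=49714 DPT=139
Mar  3 10:16:30 netbook kernel: [ 1290.4] [UFW BLOCK] IN=wlan0 OUT= SRC=192.168.1.77 DST=192.168.1.255 LEN=78 PROTO=UDP SPT=137 DPT=137
Mar  3 10:17:02 netbook kernel: [ 1322.5] [UFW ALLOW] IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.50 LEN=60 PROTO=TCP SPT=50022 DPT=22
Mar  3 10:18:00 netbook kernel: [ 1380.6] [UFW BLOCK] IN=wlan0 OUT= SRC=192.168.1.1 DST=224.0.0.1 LEN=32 PROTO=2'

printf '%s\n' "$SAMPLE_LOG" | blocked_summary
```

Against the real log the call is `sudo cat /var/log/ufw.log | blocked_summary`.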
Next week I’ll take you through some common scenarios.
An old vulnerability has reappeared (again), affecting the Xorg Server. This specific vulnerability affects Fedora 16, Arch, Ubuntu and others using Xorg Server 1.11+.

How does it work?
Imagine a typical system configured with a password-protected screensaver. After a specified period of inactivity, the screensaver activates and requires a password to unlock. At least, that is the typical expected behavior; however, with this Xorg Server vulnerability it is possible to bypass screensaver password protection without entering a valid user password. When a specific key combination is pressed, Xorg Server will happily interrupt the screensaver and give you access to the desktop, no password required.
The magical key combination is “CTRL ALT * (numpad multiply character, NOT the 8 key)”.
Some distributions, like Arch Linux, Fedora and Ubuntu Unstable, have already fixed this problem in their respective distributions; others are likely to follow shortly.
This is the great thing about the Internet. Security news travels fast and fixes travel even faster.

