| edve | Quel est le meilleur firewall pour linux ? J'ai lu de iptable .. mais je trouve cette idée un peu archaïque ... | 18:04 |
|---|---|---|
| cyphermox | edve: dsl, j'avais pas vu ton message | 18:17 |
| cyphermox | sur Ubuntu on a ufw qui est une interface simple pour iptables | 18:17 |
| cyphermox | iptables reste tjrs la méthode au niveau kernel utilisée | 18:17 |
| Ankman | on ne besoin pas un firewall a linux. autre que on a des servers pour protecter | 19:06 |
| edve | justement il s'agit d'un serveur pour faire du VoIP | 19:11 |
| Ankman | quelle serveur? | 19:14 |
| edve | Ubuntu server 12.04.1 LTS ayant Asterisk comme PBX | 19:16 |
| edve | mais je veucx le sécuriser | 19:16 |
| edve | Alors iptables est la meilleure solution ? | 19:17 |
| cyphermox | Ankman: that's so wrong. why would Linux not need security? | 19:20 |
| cyphermox | if you have a machine that has port 22 open for whatever reason, you'll quickly see how fast people try to go access it and try to guess passwords | 19:21 |
| cyphermox | edve: oui. iptables est pas mal "LA" solution ;) | 19:21 |
| Ankman | cyphermox: what would you want to protect? | 19:23 |
| Ankman | windows is f****ed up by design with tons of open ports by default. because MS has no idea how to make a good basic setup they introducted the firewall. after the code red disaster | 19:24 |
| Ankman | linux does not have any open ports when you installed it. there is nothing you would need to protect | 19:24 |
| cyphermox | doesn't mean it's not a good idea to have a firewall and a virus scanner | 19:25 |
| cyphermox | or you should just give me your IP address :) | 19:25 |
| Ankman | 70.24.188.182 | 19:26 |
| Ankman | no firewall. all what is open there is because i run servers | 19:26 |
| Ankman | computer there is online 24/7 and that since years. not being hacked so far. although probes run from china and elsewhere on every open port all the time | 19:30 |
| Ankman | while a "normal" linux user does not have servers, has different IPs every day. there's really nothing to protect | 19:30 |
| edve | iptable est assez fort , tellement qu'il m'a tout bloquer hahaha | 20:14 |
| cyphermox | edve: c'est pourquoi utiliser ufw, il te permet de faire les règles facilement et a un baseline correctement monté pour permettre ce que tu risque d'avoir besoin, comme le dhcp | 20:22 |
| YoBoY | +1 pour ufw il est très simple à prendre en main | 20:25 |
| Ankman | http://ubuntuforums.org/showthread.php?t=1871177 to understand why you don't really need a firewall in linux (in windows you need though!). or why it's even worse if you have one than not having one | 20:30 |
| Ankman | the missconception is that people think you need a a firewall on linux because you need one on windows. that's just not true as there are no open ports. worse: a firewall brings an additional code base. which can have bugs and then be exploited | 20:46 |
| Ankman | and a "stealth" user is telling a potential attacker that he is there! because the computer will not respond to probes, no return. but that "natural" behaviour is the send a reply that the port is closed. for exmaple if you go offline and some one probes your IP the gateway of your ISP will return "no open port". so it sends an answer | 20:48 |
| Ankman | then there are proof of concepts. a C program with source code that you can read and then compile yourself. all it will do when started is bypass any firewall. that includes iptables and the windows firewall. the program is harmless, just goes online without being stopped by a firewall and proofs it to you | 20:59 |
| cyphermox | Ankman: we'll just have to agree to disagree, no matter what ports you may think are closed, it's still good practice to keep a firewall up, no matter if it's linux or windows. | 21:58 |
| cyphermox | quoting ubuntuforums isn't exactly making a compelling case either | 21:59 |
| Ankman | cyphermox: sorry was offline. yes, ubuntuforums might not have been a good idea to quote | 22:57 |
| Ankman | still, no open ports -> nothing to protect. if you have a linux or unix admin at work or somewhere, ask him. he should confirm this | 22:58 |
| cyphermox | no | 23:02 |
| cyphermox | I'm a linux admin | 23:02 |
| cyphermox | I worked with Solaris for 3 years before that | 23:02 |
| cyphermox | I was a network admin | 23:02 |
| cyphermox | and the forum post proves you *should* keep a firewall nonetheless | 23:02 |
| cyphermox | the fact is, it doesn't give you a magic bullet to protect you from everything | 23:03 |
| cyphermox | but it helps a lot | 23:03 |
| cyphermox | you can never know what might come in | 23:03 |
| cyphermox | with a firewall, for example, you could block redifinitions of IPs via ARP | 23:03 |
| cyphermox | which is a great thing for laptops if you're moving around a lot and going to cafes, whatever, where the network is untrusted | 23:04 |
| cyphermox | furthermore, stateful engines in firewalls help protecting you from return traffic, etc. | 23:05 |
| cyphermox | conntrack is one of the kernel interfaces that does this kind of thing, provided a properly configured firewall | 23:05 |
| Ankman | yes, you can selectrivly block "bad ips". that i do when i notice they probe for php exploits on my web server. but just having a firewall doesn't help if you don't know what you do | 23:10 |
| cyphermox | right | 23:10 |
| cyphermox | we *do* have reasonable defaults in ubuntu with ufw which make things work pretty nicely | 23:11 |
| cyphermox | see /etc/ufw/before.rules | 23:11 |
| Ankman | hmm | 23:11 |
| cyphermox | which is the precise reason why I won't recommend to just use iptables, and instead recommend ufw, because it makes it easier to not block yourself out of everything, etc. | 23:12 |
| Ankman | well my server runs 24/7 since years, no firewall. i just block a few asian IP ranges notorious for probes. that's all | 23:12 |
| Ankman | never had problems | 23:12 |
| cyphermox | if that suits your need for security, that's fine | 23:12 |
| cyphermox | but what this means is that you're still vulnerable to more targetted attacks from people who know what they are doing | 23:12 |
| cyphermox | and it's a server, not a laptop, the environment is very different | 23:13 |
| cyphermox | fwiw, I seriously recommend putting a firewall on your laptop before going to UDS (or any other conference for that matter) ;) | 23:13 |
| Ankman | i'm often in open wlans with my netbook (debian testing) and there are no firewall rules at all | 23:14 |
| cyphermox | as with all things in computer security, it's a matter of managing risk | 23:14 |
| cyphermox | risk in a cafe is pretty low, it's a small network, few people usually, and you can see what they do ;) | 23:14 |
| cyphermox | at a conference, it's a whole other story, and there has been cases of targetted attacks in the past | 23:15 |
| cyphermox | it's pretty much the same idea as password complexity | 23:15 |
| cyphermox | if having a short, relatively simple password gives you the sufficient assurance that your data is safe, then it's all good | 23:15 |
| cyphermox | if however you carry more important things, trade secrets, whatnot, then you might want to invest the brain cycles in remembering more complex passwords, multiple different passwords, using full disk encryption, etc. | 23:16 |
| cyphermox | and even that is not a magic bullet, but I'm not too concerned with cold-boot attacks for the kind of stuff that I do | 23:16 |
| cyphermox | especially given that it's all totally public stuff in Ubuntu, I very rarely deal with secret things (and actively avoid doing so) | 23:17 |
| Ankman | if you are an intersting target (industry), then yes, you might want some extra security especially when having server running | 23:18 |
| cyphermox | there is that too | 23:19 |
| cyphermox | but that's still managing risk | 23:19 |
| cyphermox | low risk = low need for security | 23:19 |
| Ankman | but a normal user... i say you can install ubuntu or any other linux on a computer and expose it -as is - to the internet for years. nothing will happen to it | 23:19 |
| cyphermox | no | 23:19 |
| cyphermox | but then again, something could happen | 23:19 |
| cyphermox | you can't know | 23:19 |
| Ankman | as long as the tcp/ip stack is "healthy" linux itself should not be exploitable | 23:20 |
| cyphermox | there will always be bugs | 23:20 |
| Ankman | applications are. that's a different thing | 23:20 |
| cyphermox | but even simpler than that | 23:20 |
| cyphermox | people tend to enable things without thinking of the consequences | 23:21 |
| cyphermox | e.g. if I enable remote desktop | 23:21 |
| Ankman | no open ports: there is only the stack between linux and the internet. if this is okay, it shold be fine | 23:21 |
| Ankman | yes, that's a different thing | 23:21 |
| cyphermox | then I suddently have port 9100 open ;) | 23:21 |
| cyphermox | on a desktop/laptop, it's bound to happen | 23:21 |
| cyphermox | on a server, much less, but if it's not a company system there is also a high probability that people will install something to try it out and forget about it, leaving a hole | 23:22 |
| cyphermox | you can't just think of open ports when thinking about network security | 23:23 |
| cyphermox | there's also how the kernel handles icmp packets, any specially crafted protocol packets that it might want to listen to, multicast, etc. | 23:24 |
| cyphermox | it's very very true that those are much less often used as attack vectors because let's face it -- people on the internet don't usually look for something to attack knowing what they're doing -- they're trying to find easily exploitable systems, mostly windows boxes with udp 139 or whatever open | 23:25 |
| Ankman | if a "naked" linux is vulnerable to a "bad" packet then linux is broken | 23:25 |
| cyphermox | but they are still there and explotable | 23:25 |
| cyphermox | are you surprised? | 23:25 |
| cyphermox | there will always be bugs | 23:25 |
| Ankman | and they need to get fixed | 23:25 |
| cyphermox | yes | 23:26 |
| cyphermox | they will get fixed | 23:27 |
| cyphermox | for instance; this is an old one: https://isc.sans.edu/diary.html?storyid=6820 | 23:27 |
| cyphermox | or, way more recent: http://www.ubuntu.com/usn/usn-1529-1/ | 23:27 |
| Ankman | latter seems to be a local user exploit | 23:30 |
| cyphermox | it serves to indicate that exploits in the network stack exist | 23:32 |
| Ankman | ok | 23:32 |
| cyphermox | of course at that point you might ask the usefulness of the firewall to protect against an exploit on the kernel it's being run on | 23:33 |
| cyphermox | then I'd answer, it depends, I don't know exactly in what order things are being done to process packets in the firewall, I suspect the answer is "it depends on the type of packet/exploit" | 23:33 |
| Ankman | probably | 23:34 |
| * cyphermox is not a kernel dev | 23:35 | |
| Ankman | am no dev at all | 23:36 |
| Ankman | booting haiku on VM :-) | 23:40 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!