What precautions should I take when exposing my desktop directly to the internet?
Solution 1:
A standard ubuntu install should not activate network services that are accessible via the internet.
You can check via (for tcp):
netstat -lntp
Similar for udp, but udp does not distinguish between ports opened for listening or sending.
Thus, an iptables configuration is not necessary.
A bit off-topic perhaps, since following concerns you in any case (it does not matter if you are behind a router):
- consider disabling flash (since the flash plugin has a big history of hilarious security problems)
- consider disabling the Java-Plugin (if enabled) and enabling it only for certain sites (not as much security related problems in the past as flash, but a few)
And, sure, you probably know that, but anyways: Always work as normal-user as possible. Don't use firefox etc. as root ...
An example netstat -lntp output:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 935/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1811/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1755/exim4
tcp6 0 0 :::22 :::* LISTEN 935/sshd
tcp6 0 0 ::1:631 :::* LISTEN 1811/cupsd
The 127.0.0.1 entries are harmless, because those programs only listen on the local network interface.
sshd is an example of a service that listens on all available interfaces (0.0.0.0, i.e. including the one the cable internet modem is connected to) - but usually you have good passwords or disable password authentication and only use public-key.
Anyways, IIRC sshd is not installed by default.
The last two interfaces regard IPv6. ::1 is the address of the loopback device (like 127.0.0.1 in IPv4), thus safe. ::: is the IPv6 all network interface wildcard analog to 0.0.0.0 (IPv4).
Solution 2:
Firewall. Enable ufw
(sudo ufw enable
) and then deny all, allow just the thigs you want to exposed. ufw
uses iptables. It isn't worse.
ufw
can log IIRC.
Bind things to localhost and not *.
Solution 3:
Both Oli and maxschlepzig have really good answers.
A firewall shouldn't be necessary for most people, because you shouldn't be running things that listen on a workstation anyway. However, it's never a bad thing to run a simple iptables setup with a default deny all policy. You just have to remember to allow connections if you ever start doing anything more creative (SSH is the first good example of this).
However, maxschlepzig also brings up another important point. It's not just what people try to do to you, but also what you do to yourself. Unsafe web browsing is probably the greatest risk to the average desktop user, with unsafe email and "thumbdrive" use being close behind.
If Firefox is your default browser, I recommend plugins such as Adblock Plus, FlashBlock, NoScript, and BetterPrivacy. Similar tools exist for Chrome as well. I include adblocking as a protection because I've seen ads on legitimate sites that were really malware loaders, so I recommend using an ad blocker unless you have a reason not to for a specific site. NoScript also helps a lot, by preventing JavaScript from running unless you allow it.
For email, the obvious recommendations to not open unknown or unexpected attached files without inspection is still a good recommendation. I'd also see what you can turn off. Some clients let you disable JavaScript in inbound HTML email, or disable the HTML part of a message entirely. Plain text may not be as pretty, but it's a lot harder to sneak in a bit of malware, too.
Solution 4:
You're safe! Ubuntu clean install comes with no network services available to other system. So there is no risk.
Nevertheless, while using Ubuntu, you might install application that will offer services to other system on a network: e.g. files or printers sharing.
As long as you stay inside your home or work environment (which are usually both behind a router or firewall), you can consider your computer safe, especially if you keep it up-to-date with the latest security fix: See in System
->Administration
->Update Manager
.
Only if you are directly connected to the internet or on a public WiFi (like in a coffee bar or hotel room) and if you use network services like sharing files/folders then you could be exposed. Though again, the package responsible for Windows File Sharing (named samba
) is often kept up to date with security fix. So you should not worry too much.
Gufw - Uncomplicated firewall
So if you feel it's risky or if you're in a risky environment, try installing a firewall. ufw
has been suggested, but it is command line, and there is a nice graphical interface to configure it directly. Look for the package named Firewall Configuration
or gufw
in the Ubuntu Software Centre.
The application is located (once installed) in System
->Administration
->Firewall Configuration
.
You can activate it when you're on a public WiFi or other kind of direct/untrusted connections. To activate the firewall, select "Enable" on the main window. Deselect it to deactivate the firewall. It's that easy.
PS: I don't know how to find the 'apt' link, so that's why I don't put them...