What precautions should I take when exposing my desktop directly to the internet?

Solution 1:

A standard Ubuntu install should not activate network services that are accessible via the internet.

You can check via (for tcp):

netstat -lntp

Similar for udp, but udp does not distinguish between ports opened for listening or sending.

Thus, an iptables configuration is not necessary.

A bit off-topic perhaps, since the following concerns you in any case (it does not matter if you are behind a router):

  • consider disabling Flash (since the Flash plugin has a big history of hilarious security problems)
  • consider disabling the Java plugin (if enabled) and enabling it only for certain sites (not as many security-related problems in the past as Flash, but a few)

And, sure, you probably know that, but anyway: Always work as a normal user as much as possible. Don't use Firefox etc. as root ...

An example netstat -lntp output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      935/sshd        
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1811/cupsd      
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1755/exim4      
tcp6       0      0 :::22                   :::*                    LISTEN      935/sshd        
tcp6       0      0 ::1:631                 :::*                    LISTEN      1811/cupsd

The 127.0.0.1 entries are harmless, because those programs only listen on the local network interface.

sshd is an example of a service that listens on all available interfaces (0.0.0.0, i.e. including the one the cable internet modem is connected to) - but usually you have good passwords or disable password authentication and only use public-key.

Anyways, IIRC sshd is not installed by default.

The last two interfaces regard IPv6. ::1 is the address of the loopback device (like 127.0.0.1 in IPv4), thus safe. ::: is the IPv6 all network interface wildcard analog to 0.0.0.0 (IPv4).
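
As an added example (not part of the original answer), the reading of the netstat output above can be automated: the shell function below keeps only the TCP listeners bound to a non-loopback address. The names `exposed_listeners` and `sample_netstat` are assumptions of this example; the sample input is the output quoted above.

```shell
#!/bin/sh
# Added example: list TCP listeners from `netstat -lntp` output that are
# reachable from other hosts, i.e. not bound to a loopback address.

# Sample input: the netstat output quoted in the answer above.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      935/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1811/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1755/exim4
tcp6       0      0 :::22                   :::*                    LISTEN      935/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1811/cupsd
EOF
}

# exposed_listeners (hypothetical name): reads netstat -lntp output on stdin,
# prints "proto address port program" for every non-loopback listener.
exposed_listeners() {
    awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        # The port follows the last colon; IPv6 addresses contain colons too.
        n = split($4, parts, ":")
        port = parts[n]
        addr = substr($4, 1, length($4) - length(port) - 1)

        # Skip loopback binds: 127.0.0.0/8, ::1 and IPv4-mapped loopback.
        if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next

        # Column 7 is PID/program, or "-" when netstat ran without root.
        prog = $7
        sub(/^[0-9]+\//, "", prog)
        print $1, addr, port, prog
    }'
}

sample_netstat | exposed_listeners
```

On a live system, pipe the real output in instead: `sudo netstat -lntp | exposed_listeners`. An empty result means no TCP service is listening on a non-loopback address.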

Solution 2:

Firewall. Enable ufw (sudo ufw enable) and then deny all, allow just the things you want to expose. ufw uses iptables. It isn't worse.

ufw can log IIRC.

Bind things to localhost and not *.

Solution 3:

Both Oli and maxschlepzig have really good answers.

A firewall shouldn't be necessary for most people, because you shouldn't be running things that listen on a workstation anyway. However, it's never a bad thing to run a simple iptables setup with a default deny all policy. You just have to remember to allow connections if you ever start doing anything more creative (SSH is the first good example of this).

However, maxschlepzig also brings up another important point. It's not just what people try to do to you, but also what you do to yourself. Unsafe web browsing is probably the greatest risk to the average desktop user, with unsafe email and "thumbdrive" use being close behind.

If Firefox is your default browser, I recommend plugins such as Adblock Plus, FlashBlock, NoScript, and BetterPrivacy. Similar tools exist for Chrome as well. I include adblocking as a protection because I've seen ads on legitimate sites that were really malware loaders, so I recommend using an ad blocker unless you have a reason not to for a specific site. NoScript also helps a lot, by preventing JavaScript from running unless you allow it.

For email, the obvious recommendation to not open unknown or unexpected attached files without inspection is still a good recommendation. I'd also see what you can turn off. Some clients let you disable JavaScript in inbound HTML email, or disable the HTML part of a message entirely. Plain text may not be as pretty, but it's a lot harder to sneak in a bit of malware, too.

Solution 4:

You're safe! A clean Ubuntu install comes with no network services available to other systems. So there is no risk.

Nevertheless, while using Ubuntu, you might install applications that will offer services to other systems on a network: e.g. file or printer sharing.

As long as you stay inside your home or work environment (which are usually both behind a router or firewall), you can consider your computer safe, especially if you keep it up-to-date with the latest security fixes: See in System->Administration->Update Manager.

Only if you are directly connected to the internet or on a public WiFi (like in a coffee bar or hotel room) and if you use network services like sharing files/folders then you could be exposed. Though again, the package responsible for Windows File Sharing (named samba) is often kept up to date with security fixes. So you should not worry too much.

Gufw - Uncomplicated firewall

So if you feel it's risky or if you're in a risky environment, try installing a firewall. ufw has been suggested, but it is command line, and there is a nice graphical interface to configure it directly. Look for the package named Firewall Configuration or gufw in the Ubuntu Software Centre.

Gufw in Software Centre

The application is located (once installed) in System->Administration->Firewall Configuration.

You can activate it when you're on a public WiFi or other kind of direct/untrusted connections. To activate the firewall, select "Enable" on the main window. Deselect it to deactivate the firewall. It's that easy.

PS: I don't know how to find the 'apt' link, so that's why I don't put them...