Hi All,
I recently installed Trusty on my laptop and my workstation. When I was going through the Firewall options I noticed that Firestarter disappeared from the repos, and so did Bastille, but we now have a new firewall configuration item in System Settings.
My setup is such that I am running an SSH server on my workstation, because I need to log in from my laptop, and I am running ktorrent on my laptop. Both machines are in a large university network, but may be in different subnets. We had several major breaches in the past and other machines in my department have been hacked, so I want to be on the safe side and don't take any chances.
For the SSH server I disabled password login (public key only) and put it on a non-standard port. I also disabled the ping response on both systems. I also activated the firewall in System Settings and set it to "deny" all incoming connections except on my non-standard SSH port (outbound connections are allowed). My goal is to basically "stealth" my system, as a first line of defense (since you can't rely on cryptographic software to be free of vulnerabilities or bugs...).
But unfortunately things are not working as I expected, and I have a few questions:
1. Even though I added a line to /etc/sysctl.conf,
Code:
net.ipv4.conf.icmp_echo_ignore_all = 1
the ping suppression is not permanent, and after every reboot, I have to do
Code:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
again (as root) to disable the ping response. On that note, what does
Code:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
do?
If this is the correct method, is it possible that the KDE firewall utility is interfering? I also have to reset this each time I make changes to the firewall rules.
2. When I do
Code:
nmap -PN my.host.name
from the host itself, it reports that either all standard ports are 'closed' or sometimes that some random ports (e.g. for ipp) are open, but when I scan from another machine in the network (on which I have a user account), it reports that all standard ports are 'filtered'. Should I be concerned about the self-test result?
3. Is there a way to "stealth" my non-standard SSH port, so that any connection attempt without the appropriate credentials gets dropped, so that the port would appear 'closed' or 'filtered', so that the port would not be recognized as my SSH port by an attacker (who does not have the right credentials)? If that's not possible, is it possible to drop all non-SSH connection attempts?
4. Is there a reason why Bastille was removed from the repos? Is it outdated now? Would it be advisable to install it from launchpad? (the 12.04 version for example - there is no 14.04 deb)
Finally, do you have any other recommendations for hardening my system without restricting common email and browsing activities too much?
Thanks,
Chopstick
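Added example, not part of the original post: sysctl applies a setting only when its dotted key names an existing file under /proc/sys, so one way to check a config like the one in question 1 is to map each key to that path and compare it with the running value. The function name check_sysctl_conf, its optional proc-root argument and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post). check_sysctl_conf and its PROC_ROOT
# argument are hypothetical names.
# Usage: check_sysctl_conf CONF_FILE [PROC_ROOT]
# Prints one line per "key = value" setting:
#   OK    key exists and the running value matches
#   DIFF  key exists but the running value differs
#   NOKEY no such kernel parameter, so the line can never take effect
# Returns 0 only if every setting is OK. Values are compared as strings,
# so this suits single-value parameters such as the ICMP switches.
check_sysctl_conf() {
    conf=$1
    root=${2:-/proc/sys}
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Trim surrounding whitespace, then skip blanks and comments.
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $line in
            ''|'#'*|';'*) continue ;;
            *=*) ;;
            *) continue ;;
        esac
        key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
        want=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//')
        # Dotted key -> path below /proc/sys (net.ipv4.x -> net/ipv4/x).
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ ! -e "$path" ]; then
            echo "NOKEY $key"; status=1
        elif [ "$(cat "$path")" != "$want" ]; then
            echo "DIFF $key runtime=$(cat "$path") configured=$want"; status=1
        else
            echo "OK $key"
        fi
    done < "$conf"
    return $status
}

# Constructed sample: a fake /proc/sys tree and config, so this runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/proc/net/ipv4/conf/all"
echo 0 > "$demo/proc/net/ipv4/icmp_echo_ignore_all"
echo 1 > "$demo/proc/net/ipv4/icmp_echo_ignore_broadcasts"
printf '%s\n' '# constructed sysctl.conf' \
    'net.ipv4.conf.icmp_echo_ignore_all = 1' \
    'net.ipv4.icmp_echo_ignore_all = 1' \
    'net.ipv4.icmp_echo_ignore_broadcasts = 1' > "$demo/sysctl.conf"
check_sysctl_conf "$demo/sysctl.conf" "$demo/proc" || true
```

On a real system, call it as `check_sysctl_conf /etc/sysctl.conf` after boot; a NOKEY line points at a key that sysctl cannot apply, a DIFF line at a value that something changed or never loaded.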