Chris, zebedeeboss replied with a fine, honest post, which is summarized in the statement above.

Unlike Windows 7, Linux does not have "ActiveX" controls which can fire off executables without your permission. UAC doesn't increase security as much as it transfers responsibility/blame -- most users don't know if a UAC request should be honored or not because most requests do not identify the purpose for an executable, or the reason given may be false. That's why many Windows users turn off the UAC ... it annoys them. Microsoft has gone a long way toward security by offering "Microsoft Security Essentials" (which, IMO, is the best AV available for Windows) with automatic updates free of charge to Windows users but that approach still suffers from the fact that MSE cannot detect malware which is not in its signature database. To get into that database a malware must infect tens to thousands of Windows boxes and be noticed, somehow, so that Microsoft and/or security houses can isolate it, create a recognition signature, and add that signature to the next vaccine database update. Your box could be one of those "tens to thousands", and it could cost you plenty. Months can pass between release of a virus and the inclusion of its signature in a vaccine database that gets downloaded and installed on the user's machine, unless it is so serious Microsoft puts it on the "Zero Day" fast track and makes it the topic of a widely disseminated PR campaign.

In Linux the steps necessary to get an infection from an email payload are:
1) Save the attachment as a file on the HD (Linux can only execute files saved on the HD)
2) Add the execute permission to that file.
3) Open a Konsole and execute that file.

About the only way those three steps can be taken is if the user has been conned (social engineering) into doing so. (Promises to see porn or get rich prompt lots of folks to do stupid things).

Also, like Windows, you can infect your Linux box if you run as root, especially if you browse the Internet and visit dodgy sites. NEVER run as root!

Also, like Windows, your Linux box can get owned if you use to weak a password, or if you run without a firewall to protect against hacking on your back ports. Kubuntu comes with a firewall installed which blocks all ports, so that shouldn't be a problem.

Also, like Windows, your Linux box can get infected if you download programs/applications from dodgy sites. That's why it is recommended when first using Kubuntu that you only install application from the repositories, or from sites like Oracle, Adobe, Nokia, Launchpad, etc...

AND, no matter what that "scanner" tells you when you open a website, there are NO viruses on your computer that need their nifty removal tool to clear up.


No one carries their nads in a wheel barrel around here for all to admire.

And we don't penalize you for preferring or running Windows. One uses what they have to use.

I prefer "what they desire, or are comfortable".

That said, why ufw is not enabled out of the box? I've read in Ubuntu documentation claims to the effect that because new installment of Ubuntu is not running any servers, firewall is not needed And pinging is allowed too.

Almost all home users are already behind a firewall, their router. Having another one is most of the time useless.

Yes, almost, and who knows how it is configured.

My wireless router ( TP-Link, TL-WR1043ND) )came with a manual, and also has extensive built in help. Doesn't yours? Every setting has extensive documentation in the right panel, displayed when the mouse hoovers over the setting control. That's why many wireless routers run Linux as their OS.

I was referring to people who haven't a clue what a firewall is or that they might be needing one. Your average six-pack-turn-key John who is unsuspected prey for Internet vultures. Unless, Linux really is an elitist OS for the initiated only.

PAH! Speak for yourself, I am a COMPLETE exile! No Microslop code allowed on this machine EVER, lol. ;-D

@Chris...extremely new and exotic hardware can be a little tricky but the Linux kernel will run pretty much on anything, since you have an nVidia based graphics card, that should not be a problem, nVidia is an ACTUAL driver supporter of Linux. I am envious of your new system, sounds like something I want to build only in my case, I would have a SIX SSD Raid 0, yes, I am that nuts, lol. Like the others said, keep Win-DOHs for games, but for secure and PRIVATE internet activities and way more functional multimedia, Linux is the way to go. Did I mention you don't have to mortgage your house to use Libre Office? :-D

Firewalls are important when:

* A computer is listening on a socket for inbound connections
* You want to perform some kind of inspection of the inbound traffic before handing it to an application

A typical *buntu desktop has few, if any, listening sockets. For example, here's mine:
(Check man netstat to understand the parameters.)

If I weren't running DropBox or VMware, the only items in the list would be the two rows for dhclient, which is normal for any system configured to receive IP address assignment via DHCP.

Where something like UFW comes in handy is if you want to allow applications to listen for incoming traffic but restrict the source of that. You might, for example, run a web server, but want to permit only computers on the local LAN to access the server. You can also configure UFW to control outbound traffic, but I'm generally critical of such mechanisms because these are usually attempts to stop the malware on an already-infected computer from doing anything. Well, guess what: most malware knows how to get around these restrictions. If your computer has been attacked, it's no longer under your control.

I wonder what servers where exploited in Windows XP? Turning firewall on was one of the features brought by SP2. Just recalled Sasser.

I keep an XP SP3 VM around for managing content on my PlayStation Vita. Here is its set of listening ports:



The Windows firewall will block unsoliticited inbound traffic for all those listening ports; the potentially dangerous ones are all NetBIOS and RPC related. Not because these are necessarily bad protocols, but because they're unsuited for use on untrusted networks.

Indeed, Sasser slammed computers by exploiting a vulnerability in LSASS, exposed via SMB-over-TCP, which listens on port 445/tcp -- that's the one labeled "microsoft-ds" above. This port does need to be accessible by the LAN when a Windows computer is located in a Windows-based network, but not accessible to the larger Internet. This, among many others, became the impetus for our Service Pack 2 change that enabled the firewall by default.

You can also go to https://www.grc.com/x/ne.dll?bh0bkyd2 (GRC's ShieldsUp!). It will try and scan what ports are open on your router and a bunch of other things, too. If the router is secured, then you don't need a local firewall. If it has open ports, say for an xbox or ps3, then a local firewall can be set up to block those open ports, etc. GRC is really setup for windows installations, but the information is valid for any installation.

Wow, did you guys get off topic or what?! Lol. ;-D

Here is what I get there with or without enabled firewall(kernel 3.0.0.19)


@tek_heretik
lol Look at it as part of the answer to OP's question.

Thanks, Steve

That would indicate that you do not have any exposed ports because either your router or your ISP is blocking them.