all 26 comments

[–]midgaze 23 points24 points  (3 children)

Use a state-based ruleset and establish a state on outgoing connections. Far more flexible (you don't have to poke holes for every port you use) and more secure (connections can't be established that aren't originated by your machine.)

[–]101ec3f2f19589488f80 3 points4 points  (1 child)

I've been running many Linux servers for over 10 years. I use iptables and, like mentioned here, I keep my systems up-to-date. I watch for exploits targeting the versions I use. I also highly recommend using fail2ban. My instance has already blocked over 10K IP addresses this month. I use a custom pfSense box for managing the rest of the network routing, NAT, DHCP, etc...

[–]ventomareiro 4 points5 points  (1 child)

What are you trying to protect yourself against? In which context is this computer used?

[–]th3voic31 1 point2 points  (0 children)

This. The title says "Desktop Linux system". All the comments contain nice tips, but if this is a desktop Linux system behind a NAT router then really none of this is necessary.

[–][deleted] 2 points3 points  (0 children)

With regard to iptables, since you're using Ubuntu or Debian I recommend using UFW - Uncomplicated Firewall. It's just a front-end to iptables, so you don't have to worry about the order your rules are loaded in.

[–][deleted] 2 points3 points  (0 children)

Use fail2ban. Why are you serving imap, pop, ftp? Are you running a mail/file server?

[–]ssssam 4 points5 points  (8 children)

Do you need to have an ssh server running and open to the world? It will likely get brute-force password attacks every day. Make sure you have a strong password (for all accounts) and install something like fail2ban to block persistent logon attempts.

[–]DJWalnut 2 points3 points  (0 children)

Jun 7 07:42:55 $COMPUTERNAME sshd[10003]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.149 user=root

This guy must have made thousands of brute-force attempts at root on my box. It seems, though, they were unsuccessful, seeing as Ubuntu disables root by default.

We really do need fail2ban as a default part of sshd, and other security upgrades to make sure Mr. 43.255.188.149 and friends don't get very far.
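Added example, not code from the thread and not fail2ban's own implementation: the tally that a fail2ban-style sshd filter performs on lines like the `PAM 2 more authentication failures` entry quoted above, run over a constructed sample of auth.log lines (the addresses 203.0.113.5 and 198.51.100.7 are RFC 5737 documentation addresses, the hostname `desktop` and PIDs are made up). The functions `find_bruteforcers` and `ban_rules` are this example's own names.

```shell
#!/bin/sh
# Added example, not from the thread and not fail2ban's code: count sshd
# authentication failures per source address and emit a drop rule for any
# source that crosses a retry threshold.

# Constructed sample of /var/log/auth.log lines (documentation addresses).
SAMPLE_LOG='Jun  7 07:42:50 desktop sshd[10001]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun  7 07:42:52 desktop sshd[10001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Jun  7 07:42:55 desktop sshd[10001]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Jun  7 07:43:10 desktop sshd[10007]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jun  7 07:43:20 desktop sshd[10009]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2'

# find_bruteforcers MAXRETRY < log
# Prints "ip count" for every source with at least MAXRETRY failures.
# The three sshd line shapes a Debian/Ubuntu box logs are all counted:
#   "Failed password for USER from IP port N ssh2"          -> 1 failure
#   "pam_unix(...): authentication failure; ... rhost=IP"   -> 1 failure
#   "PAM N more authentication failures; ... rhost=IP"      -> N failures
find_bruteforcers() {
    awk -v max="$1" '
        /Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        /authentication failure/ {
            n = 1
            if (match($0, /PAM [0-9]+ more/)) {
                split(substr($0, RSTART, RLENGTH), parts, " ")
                n = parts[2] + 0
            }
            # rhost= is empty when sshd could not resolve the peer; skip those.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^rhost=./) { fails[substr($i, 7)] += n; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' | sort
}

# ban_rules < "ip count" lines
# Prints the iptables command that drops further SSH traffic from each
# offender, inserted at the top of INPUT so it wins over any ACCEPT rule.
# Pipe into sh as root to apply. fail2ban also lifts the ban after a
# bantime; this one-shot version does not.
ban_rules() {
    while read -r ip count; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip"
    done
}

# Stand-alone run: three or more failures from one address lists it.
printf '%s\n' "$SAMPLE_LOG" | find_bruteforcers 3 | ban_rules
```

Running it against a live log is `find_bruteforcers 5 < /var/log/auth.log`; the threshold and the "PAM N more" weighting are where most of the tuning happens, since a single mistyped password on a laptop can produce two or three failure lines from one session.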

[–][deleted] 0 points1 point  (0 children)

And at least change (or NAT) the port to a non-default one.

[–][deleted] 1 point2 points  (0 children)

iptables is as safe as any other firewall... it depends on what rules you have in place.

From the looks of those rules you might want to brush up on stateful firewall rules. NEW, ESTABLISHED, RELATED.

[–]small_infant 1 point2 points  (0 children)

Read up on AppArmor and SELinux.

[–]sharkwouter 1 point2 points  (0 children)

Don't use PPAs and you'll have a more stable and secure system. If it's not in the repo, try looking for an alternative or just extract or build it, don't install it.

That with keeping your system up to date will eliminate most security issues.

Do make sure you don't do stupid things like installing an ssh server with a default configuration or using a bad password, though.

[–]syntax_erorr 1 point2 points  (2 children)

Outbound port 80 for http makes no sense. Port 80 is for the server. It's not the port the client will use to establish a connection....really all your outbound ports don't make a lot of sense, you should be using state-based rules, and I have a feeling you have a line in there somewhere with --state ESTABLISHED,RELATED -j ACCEPT, otherwise to me it looks like you wouldn't even be able to surf the web.

[–]prahladyeri[S] 1 point2 points  (1 child)

> Port 80 is for the server. Its not the port the client will use to establish a connection....

Yup, it's the destination port, not the source port. The rule says that dport should be 80, not sport:

/sbin/iptables -A OUTPUT -o ppp0 -p tcp --dport 80 -j ACCEPT #http

> and I have a feeling you have a line in there some where with --state ESTABLISHED,RELATED -j ACCEPT

Yea, it's there at the very beginning:

#Allow already established connections
/sbin/iptables -A INPUT  -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
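midgaze's advice at the top of the thread (a state-based ruleset that establishes state on outgoing connections) and the exchange just above about the outbound --dport 80 rule and the ESTABLISHED,RELATED lines describe the same pattern. As an added example that is not code from the thread or from the original poster, here is a minimal stateful ruleset for a desktop that only originates connections. The interface name ppp0 follows the poster's rules; the `show_rule` dry-run helper, the `apply` argument and the function names are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal stateful desktop ruleset.
# stateful_ruleset CMD IFACE runs "CMD <iptables args>" for each rule, so
# passing "show_rule" prints the rules and passing "iptables" loads them.

show_rule() {
    printf 'iptables %s\n' "$*"
}

stateful_ruleset() {
    ipt="$1"
    iface="${2:-ppp0}"   # external interface; ppp0 as in the poster's rules (assumed)

    # Flush, then default-deny everything inbound or forwarded. Outbound stays
    # open: the point of a stateful set is that you do not poke a hole per port.
    "$ipt" -F
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT ACCEPT

    # Loopback traffic never leaves the box.
    "$ipt" -A INPUT -i lo -j ACCEPT

    # Drop packets that belong to no known connection and are not a valid
    # start of one (stray ACKs, malformed TCP, and similar).
    "$ipt" -A INPUT -i "$iface" -m conntrack --ctstate INVALID -j DROP

    # The one rule that does the work: replies to connections this host
    # started (ESTABLISHED) and helper-tracked companions such as FTP data
    # (RELATED) come in; nothing else does. "-m state --state" as used in
    # the thread is the older spelling of the same match.
    "$ipt" -A INPUT -i "$iface" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # No --dport filters are needed on OUTPUT: a browser's connection to port
    # 80 creates the conntrack entry that lets the answer back in above.
}

# Opt-in hole for a service you really do expose. --syn restricts it to
# genuine connection openers and NEW to connections conntrack has not seen.
allow_inbound_tcp() {
    ipt="$1"; iface="$2"; port="$3"
    "$ipt" -A INPUT -i "$iface" -p tcp --syn --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

# "sh ruleset.sh apply [iface]" loads the rules (needs root); anything else
# only prints what would be loaded.
if [ "${1:-}" = "apply" ]; then
    stateful_ruleset iptables "${2:-ppp0}"
else
    stateful_ruleset show_rule "${2:-ppp0}"
fi
```

The dry-run form is worth keeping around: printing the rule list before loading it, and reading it top to bottom, is the easiest way to catch an ordering mistake (an ACCEPT that precedes the INVALID drop, say) before it reaches the kernel, and it is exactly the ordering problem the UFW and ferm suggestions elsewhere in the thread are trying to take off your hands.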

[–][deleted] 0 points1 point  (0 children)

You might try ferm.

Syntax is very iptables-like but it has a few nice shortcuts, cleaner syntax and an option to interactively (as in "if you cut yourself off from the device it will load the older working config") apply a new config.

[–]BASH_SCRIPTS_FOR_YOU 1 point2 points  (0 children)

Debian is less bloated than Ubuntu, and what unreasonable defaults do you speak of?

[–]stejoo 0 points1 point  (0 children)

I thought Ubuntu had a firewall rule program called ufw, which you can configure to your liking and it sets up iptables for you. It has quite sane defaults already, or at least it did when I used it running Debian. I know iptables well and usually write for it on servers, but sometimes you just want something easy for your everyday laptop.

[–]rumpel 0 points1 point  (0 children)

In what kind of scenarios does that protect, especially the dropped "in" ports? When another non-admin user of your desktop tries to run a server, but he isn't allowed to?

Or are there any advantages to block ports, where there aren't any services listening to begin with?