
Ubuntu 20.04: what are the security risks without firewall?

Installed Ubuntu 20.04, but forgot to enable the firewall using ufw.

SSH port 22: using keys (2048-bit) for login, no password. With UsePAM=true set, is there any risk?

Are there any other services that may have security holes without a firewall, through which hackers could break into the server?


Solution

  • Case for firewall

    Yes you should enable the firewall. It's an important security layer.

    Software has bugs. The firewall layer prevents some bugs or mistakes from causing harm.

    Security is layered for the same reason airplanes have redundant systems. Even single engine airplanes are designed to glide when they lose thrust.

    SSH and Services You Know About

    While proper SSH configuration is another topic, it illustrates a reason firewalls are needed. Your config is on the right track, but without reading the entire man page you're still unsure whether it's secure.

    If you're unsure about SSH, a firewall can limit access to source IPs that you define, adding another layer.

    SSH is but one of a handful of services you're running that might be accessible over the public internet. Sometimes services become open to the public unintentionally.

    Third Party Software

    One type of bug is a software update or install that inadvertently opens a service and exposes that service to the public internet.

    I frequently see application installs that open a private service bound to 0.0.0.0 when it should be bound to 127.0.0.1. If you don't know the difference, you aren't alone. Binding to 0.0.0.0 (or *) means open to the public internet.

    This isn't just a user-workstation problem. Package managers are susceptible to this too. NPM, Python PIP, and Apt all can run executables on your system.

    Checking for Open Services

    Run sudo netstat -n to show active internet connections.

    For example, here's output:

    Active Internet connections
    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
    tcp4      31      0  192.168.1.17.53624     3.xxx.96.61.443        CLOSE_WAIT
    tcp4       0      0  192.168.1.17.53622     162.xxx.35.136.443     ESTABLISHED
    udp4       0      0  *.3722                 *.*
    [...]
    

    I do not know what udp port 3722 is but my system will accept traffic from ANYWHERE to that port.

    Closing

    The firewall is a layer that lives lower in the network stack than applications and thus provides a layer to guard against configuration and application problems.
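The following script is an added example, not part of the answer above, showing the two practical steps it recommends on Ubuntu 20.04: list every socket bound to a wildcard address (0.0.0.0, *, :: or [::]) rather than loopback, and generate the ufw rules that restrict SSH to a trusted source range. The netstat output in the answer is in BSD/macOS format; on Ubuntu 20.04 the equivalent tool is ss from iproute2, and this example assumes the column layout of `ss -Hltun` (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port). The sample socket table and the 203.0.113.0/24 trusted range are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumes the field layout of
# `ss -Hltun` on Ubuntu 20.04 (-H no header, -l listening, -t tcp, -u udp, -n numeric).

# Constructed sample of `ss -Hltun` output; port 3722 mirrors the mystery UDP
# socket from the answer, the rest are typical services bound either to
# loopback (safe) or to a wildcard address (reachable from anywhere).
SAMPLE_SS_OUTPUT='tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
tcp   LISTEN 0      511                *:8080            *:*
udp   UNCONN 0      0     127.0.0.53%lo:53        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:3722      0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      128            [::1]:6379        [::]:*'

# Read ss-style lines on stdin and print "proto address port" for every socket
# whose local address is a wildcard, i.e. accepts traffic from any interface.
# Loopback (127.0.0.1, 127.0.0.53%lo, [::1]) is deliberately not reported.
wildcard_listeners() {
    awk '{
        n = split($5, a, ":");                    # port is the text after the last ":"
        port = a[n];
        addr = substr($5, 1, length($5) - length(port) - 1);
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
            print $1, addr, port
    }'
}

# Emit the ufw commands that implement "deny by default, SSH only from a trusted
# range". Printed rather than executed so the operator can review them first;
# pipe into `sudo sh` to apply. $1 is the trusted source CIDR (caller-supplied).
ufw_ssh_rules() {
    cidr="$1"
    [ -n "$cidr" ] || { echo "usage: ufw_ssh_rules <trusted-cidr>" >&2; return 1; }
    printf '%s\n' \
        "ufw default deny incoming" \
        "ufw default allow outgoing" \
        "ufw allow from $cidr to any port 22 proto tcp" \
        "ufw enable"
}

# Demonstration on the constructed sample.
# Real use: sudo ss -Hltun | wildcard_listeners
printf '%s\n' "$SAMPLE_SS_OUTPUT" | wildcard_listeners
ufw_ssh_rules 203.0.113.0/24
```

On the sample, the check reports sshd on both 0.0.0.0:22 and [::]:22, the service on *:8080, and the UDP socket on 0.0.0.0:3722, while PostgreSQL on 127.0.0.1, systemd-resolved on 127.0.0.53 and Redis on [::1] are silent. Anything it reports that you did not intend to expose should be rebound to loopback in its own configuration; the ufw rules then cover the cases you have not found yet.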