
#1 2015-05-12 08:15:11

Hectrin2
Member
Registered: 2015-01-26
Posts: 9

Is Arch network safe on default install?

So I was wondering if Arch had a firewall installed by default and if so is it set to deny all incoming traffic?
I've been using my Arch install for about 2 weeks and only now just realised that I didn't have a firewall set up, so I installed UFW and configured that.
Since I've been using my Arch install without a firewall (if there isn't one installed by default) am I still safe? I had a few ports forwarded to my PC as well but I thought I had a firewall installed blocking them. (as my router would take care of the non-port forwarded ports)

Any help would be very appreciated!

Last edited by Hectrin2 (2015-05-12 08:17:46)


#2 2015-05-12 08:28:15

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: Is Arch network safe on default install?

Arch doesn't really have anything running by default, neither iptables nor sshd...


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438


#3 2015-05-12 08:30:10

Hectrin2
Member
Registered: 2015-01-26
Posts: 9

Re: Is Arch network safe on default install?

jasonwryan wrote:

Arch doesn't really have anything running by default, neither iptables nor sshd...

Hm. Does that mean I'm not safe then? Do I have to reinstall? :/

Last edited by Hectrin2 (2015-05-12 08:33:20)


#4 2015-05-12 09:00:42

bleach
Member
Registered: 2013-07-26
Posts: 264

Re: Is Arch network safe on default install?

I would say if your network is OK and considered safe, you're OK, but if worried, don't connect to the internet until downloading base and only use that, no internet searching and such. You could always set up iptables before you connect; it will work on the live install. Are you worried about the mirrors? Or your network?


#5 2015-05-12 09:09:05

Hectrin2
Member
Registered: 2015-01-26
Posts: 9

Re: Is Arch network safe on default install?

bleach wrote:

I would say if your network is OK and considered safe, you're OK, but if worried, don't connect to the internet until downloading base and only use that, no internet searching and such. You could always set up iptables before you connect; it will work on the live install. Are you worried about the mirrors? Or your network?

I'm not worried about a firewall while installing Arch, as my router would block incoming connections anyway if you had no ports forwarded. I'm worried about how I was running Arch for 2 weeks without a firewall while having ports forwarded to my PC.

Sorry for the confusion!


#6 2015-05-12 09:33:21

bleach
Member
Registered: 2013-07-26
Posts: 264

Re: Is Arch network safe on default install?

Ah, OK, sorry about that. Linux is pretty safe. Have you checked for issues with something like rkhunter? It checks for known rootkits and other things. Is there a reason to believe that you have been compromised? Not that one would notice easily, depending on the intent of a compromise. If you feel too worried about it, overwrite your drive and reinstall; even if nothing is wrong, you can feel better about it.


#7 2015-05-12 09:45:03

Hectrin2
Member
Registered: 2015-01-26
Posts: 9

Re: Is Arch network safe on default install?

bleach wrote:

Ah, OK, sorry about that. Linux is pretty safe. Have you checked for issues with something like rkhunter? It checks for known rootkits and other things. Is there a reason to believe that you have been compromised? Not that one would notice easily, depending on the intent of a compromise. If you feel too worried about it, overwrite your drive and reinstall; even if nothing is wrong, you can feel better about it.

No, there's no reason for me to think I'm compromised other than having no firewall for 2 weeks haha. It looks like I'm going to reinstall anyway for some peace of mind. :/

Thanks for the help!

Last edited by Hectrin2 (2015-05-12 09:50:45)


#8 2015-05-12 10:29:35

Awebb
Member
Registered: 2010-05-06
Posts: 6,294

Re: Is Arch network safe on default install?

Oh my! You have fallen victim to all the FUD on the net about network security. A forwarded port is just a forwarded port. The Linux kernel has its own firewall, called netfilter. The interface to netfilter is called iptables. I don't know what exactly you expect a firewall to do. You probably used to run Windows and still can't get over the lack of trust you had in your OS. Windows firewall vendors actively prevent their users from gaining real knowledge about the subject, hiding strange mechanics behind popups, always telling the users how secure or insecure they are. The classical "Fear, Uncertainty and Doubt" (FUD) scenario. All you know is that they are out there and they want to get YOU! They are after YOUR computer and having an open port is like leaving the house with your door unlocked in a bad neighborhood! They made a lot of money by watching you crap your pants, high-fiving their buddies from the antivirus teams on their weekly meetups to come up with new ways of obfuscating the threats that linger in all those unprotected networks, so more people will believe in the boogieman and spend even more money on software they don't understand.

How about we start with something basic. In order to help you and tell you something usable, instead of esoteric mumbo jumbo, we need the following:

0. A list of ports forwarded to your device and the name and platform of the program you originally forwarded the ports for.
2. The output of "netstat -tulpn" (run as root, with sudo for example). Make sure you have all those programs running you usually use on a normal day.
3. For educational reasons the output of "netstat -lptu" (also root)
4. A list of programs you run you think are in the habit of randomly generating traffic on different ports (Skype for example or a torrent client with a port randomizer).

We will then have a look at the potential risks and discuss their severity. SPOILER: You will be surprised, how little an impact a firewall on a desktop system makes.


#9 2015-05-12 10:55:44

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,534

Re: Is Arch network safe on default install?

Well said on all counts Awebb.

My first thought on reading the earlier posts was 'what on earth would reinstalling do?'  You'd still be in the same position.  If I drove for two weeks in my car before finding out the brakes were faulty, I would certainly quickly get the brakes repaired.  I would not think I needed to replace the entire car simply because I had been lucky enough to not suffer from the existing safety issue.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#10 2015-05-12 14:28:28

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,797

Re: Is Arch network safe on default install?

I will add a couple minor comments.  Most Arch users have the ssh service running.  If the service is exposed to the public internet, it will attract vermin. At the minimum, ensure your passwords are strong and don't allow root to login over ssh.  Seriously consider not allowing passwords on the service and requiring the use of keys.  Also, the use of tools such as sshguard which monitor for brute force attacks and blacklist the parasites is very effective.  As for the past, just check your journal for signs of attempted intrusion.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

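Two of ewaller's points above, turned into checks you can run: a summary of failed sshd password attempts per source (what you would look for in the journal, and what sshguard acts on) and an audit of sshd_config for root login and password authentication. This is an added example, not code from the thread; the journal lines and config fragments are constructed samples.

```python
import re
from collections import Counter

# Constructed sample in the style of "journalctl -u sshd" output (not real logs),
# showing the noise an Internet-exposed sshd attracts: password guessing against
# root and made-up accounts, plus one legitimate key-based login from the LAN.
SAMPLE_JOURNAL = """\
May 12 03:14:01 arch sshd[1201]: Failed password for root from 203.0.113.7 port 51322 ssh2
May 12 03:14:04 arch sshd[1201]: Failed password for root from 203.0.113.7 port 51322 ssh2
May 12 03:14:09 arch sshd[1205]: Invalid user admin from 203.0.113.7 port 51340
May 12 03:14:11 arch sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51340 ssh2
May 12 03:20:45 arch sshd[1230]: Failed password for alice from 198.51.100.23 port 40012 ssh2
May 12 03:21:02 arch sshd[1234]: Accepted publickey for alice from 192.168.100.50 port 50422 ssh2
"""

# One regex covers both "Failed password for USER" and "... for invalid user USER".
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+(?:\.\d+){3})")


def failed_logins(journal_text):
    """Count failed password attempts per source IP and per targeted user."""
    by_ip, by_user = Counter(), Counter()
    for line in journal_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            by_user[m.group(1)] += 1
            by_ip[m.group(2)] += 1
    return by_ip, by_user


def noisy_sources(by_ip, threshold=3):
    """Sources at or above the threshold, i.e. what a tool like sshguard would blacklist."""
    return sorted(ip for ip, n in by_ip.items() if n >= threshold)


# Constructed sshd_config fragments: the first leaves root login at sshd's default
# and allows passwords; the second is what ewaller recommends.
WEAK_SSHD_CONFIG = """\
#PermitRootLogin prohibit-password
PasswordAuthentication yes
"""
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

WANTED = {"permitrootlogin": "no", "passwordauthentication": "no"}


def effective_settings(config_text):
    """Settings as sshd would apply them outside Match blocks: keywords are
    case-insensitive and the first uncommented occurrence wins."""
    seen = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        seen.setdefault(key.lower(), value.strip().lower())
    return seen


def audit_sshd(config_text):
    """List every setting that still allows what ewaller advises against."""
    eff = effective_settings(config_text)
    return [f"{key} is {eff.get(key, 'unset (sshd default)')}, want {want}"
            for key, want in WANTED.items() if eff.get(key) != want]


if __name__ == "__main__":
    by_ip, by_user = failed_logins(SAMPLE_JOURNAL)
    print("failed attempts per source:", dict(by_ip))
    print("targeted users:", dict(by_user))
    print("sources worth blocking:", noisy_sources(by_ip))
    print("weak config findings:", audit_sshd(WEAK_SSHD_CONFIG))
    print("hardened config findings:", audit_sshd(HARDENED_SSHD_CONFIG))
```

On a real system feed it `journalctl -u sshd --no-pager` output and the contents of /etc/ssh/sshd_config; the parser only handles the whitespace-separated "Keyword value" form.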

#11 2015-05-12 15:01:52

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: Is Arch network safe on default install?

When you install Arch, you don't really have any network daemons running (I would presume), so people from the outside just hit closed ports. A firewall is quite useless.

If you have e.g. sshd running, then you could perhaps use a firewall to block brute force attempts.


#12 2015-05-12 15:04:19

Hectrin2
Member
Registered: 2015-01-26
Posts: 9

Re: Is Arch network safe on default install?

Awebb wrote:

having an open port is like leaving the house with your door unlocked in a bad neighborhood!

Isn't that exactly how it is though? I mean, I know I'm pretty ignorant on the subject, but am I really that ignorant?

Awebb wrote:

0. A list of ports forwarded to your device and the name and platform of the program you originally forwarded the ports for.

27015 UDP and 27005 TCP and UDP. These are forwarded for SRCDS as in, a game server for Source games. (Counter Strike, Team Fortress 2, etc.)

Awebb wrote:

2. The output of "netstat -tulpn" (run as root, with sudo for example). Make sure you have all those programs running you usually use on a normal day.

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:27036           0.0.0.0:*               LISTEN      739/steam           
tcp        0      0 127.0.0.1:57343         0.0.0.0:*               LISTEN      739/steam           
tcp        0      0 127.0.0.1:27015         0.0.0.0:*               LISTEN      1465/./srcds_linux  
tcp        0      0 0.0.0.0:4433            0.0.0.0:*               LISTEN      783/python2         
tcp        0      0 0.0.0.0:61589           0.0.0.0:*               LISTEN      783/python2         
tcp        0      0 0.0.0.0:55413           0.0.0.0:*               LISTEN      616/skype           
tcp6       0      0 :::4434                 :::*                    LISTEN      783/python2         
tcp6       0      0 :::61589                :::*                    LISTEN      783/python2         
udp        0      0 0.0.0.0:26901           0.0.0.0:*                           1465/./srcds_linux  
udp        0      0 0.0.0.0:27005           0.0.0.0:*                           1465/./srcds_linux  
udp        0      0 0.0.0.0:27015           0.0.0.0:*                           1465/./srcds_linux  
udp        0      0 0.0.0.0:27020           0.0.0.0:*                           1465/./srcds_linux  
udp        0      0 0.0.0.0:27036           0.0.0.0:*                           739/steam           
udp        0      0 0.0.0.0:59862           0.0.0.0:*                           739/steam           
udp        0      0 192.168.100.105:6771    0.0.0.0:*                           783/python2         
udp        0      0 127.0.0.1:6771          0.0.0.0:*                           783/python2         
udp        0      0 0.0.0.0:6771            0.0.0.0:*                           783/python2         
udp        0      0 0.0.0.0:44051           0.0.0.0:*                           783/python2         
udp        0      0 192.168.100.105:60616   0.0.0.0:*                           783/python2         
udp        0      0 127.0.0.1:40588         0.0.0.0:*                           616/skype           
udp        0      0 0.0.0.0:48782           0.0.0.0:*                           739/steam           
udp        0      0 0.0.0.0:68              0.0.0.0:*                           416/dhcpcd          
udp        0      0 0.0.0.0:61589           0.0.0.0:*                           783/python2         
udp        0      0 127.0.0.1:33324         0.0.0.0:*                           783/python2         
udp        0      0 0.0.0.0:55413           0.0.0.0:*                           616/skype           
udp6       0      0 :::61589                :::*                                783/python2

Awebb wrote:

3. For educational reasons the output of "netstat -lptu" (also root)

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 *:27036                 *:*                     LISTEN      739/steam           
tcp        0      0 localhost.localdo:57343 *:*                     LISTEN      739/steam           
tcp        0      0 localhost.localdo:27015 *:*                     LISTEN      1465/./srcds_linux  
tcp        0      0 *:vop                   *:*                     LISTEN      783/python2         
tcp        0      0 *:61589                 *:*                     LISTEN      783/python2         
tcp        0      0 *:55413                 *:*                     LISTEN      616/skype           
tcp6       0      0 [::]:4434               [::]:*                  LISTEN      783/python2         
tcp6       0      0 [::]:61589              [::]:*                  LISTEN      783/python2         
udp        0      0 *:26901                 *:*                                 1465/./srcds_linux  
udp        0      0 *:27005                 *:*                                 1465/./srcds_linux  
udp        0      0 *:27015                 *:*                                 1465/./srcds_linux  
udp        0      0 *:27020                 *:*                                 1465/./srcds_linux  
udp        0      0 *:27036                 *:*                                 739/steam           
udp        0      0 *:59862                 *:*                                 739/steam           
udp        0      0 KJHGF:plysrv-https      *:*                                 783/python2         
udp        0      0 localhost.:plysrv-https *:*                                 783/python2         
udp        0      0 *:plysrv-https          *:*                                 783/python2         
udp        0      0 *:44051                 *:*                                 783/python2         
udp        0      0 KJHGF:60616             *:*                                 783/python2         
udp        0      0 localhost.localdo:40588 *:*                                 616/skype           
udp        0      0 *:48782                 *:*                                 739/steam           
udp        0      0 *:bootpc                *:*                                 416/dhcpcd          
udp        0      0 *:61589                 *:*                                 783/python2         
udp        0      0 localhost.localdo:33324 *:*                                 783/python2         
udp        0      0 *:34683                 *:*                                 1465/./srcds_linux  
udp        0      0 *:55413                 *:*                                 616/skype           
udp6       0      0 [::]:61589              [::]:*                              783/python2

Awebb wrote:

4. A list of programs you run you think are in the habit of randomly generating traffic on different ports (Skype for example or a torrent client with a port randomizer)

Skype, a torrent client and maybe Steam? Not much.

Last edited by Hectrin2 (2015-05-12 15:05:59)


#13 2015-05-12 16:00:08

Grinch
Member
Registered: 2010-11-07
Posts: 265

Re: Is Arch network safe on default install?

Hectrin2 wrote:

Isn't that exactly how it is though? I mean, I know I'm pretty ignorant on the subject, but am I really that ignorant?

Seems you are a bit confused as to how ports work. For a port to be 'open' (and thus connectable/exploitable), some program (application, daemon) needs to be running AND say to the system 'hey, I want to open this port for listening, please send all incoming connection attempts on this port to me'.

Now by default Arch does not launch any programs which listen on any ports for incoming connections, and that is why it is 'safe' by default.

However, you as a user can and likely will install and run applications which do open ports (which means listening for incoming connections), and if you do (and of course allow said applications to listen through any firewall you may have, aka port forwarding), then if those programs have security bugs that are exploitable, your system is at risk.

Just to drive that point home: if you allow a program to listen to incoming connections by opening the port in your firewall, the firewall can't help you in any way should said program have an exploitable bug, since a firewall simply blocks or allows connections.


#14 2015-05-12 16:18:09

drcouzelis
Member
From: Connecticut, USA
Registered: 2009-11-09
Posts: 4,092

Re: Is Arch network safe on default install?

ewaller wrote:

Seriously consider not allowing passwords on the service and requiring the use of keys.

Ooh, ooh, I started doing this a while back! I have an SSH server running, root login disabled, password logins disabled (keys only), and set to a super obscure port.

The only other port I have forwarded is 80 for my personal webserver. As far as I understand, as long as Apache, MariaDB, PHP, and WordPress don't have any bugs ;) then my computer is as safe as the next, and a firewall wouldn't make a spit of difference anyway.

Last edited by drcouzelis (2015-05-12 16:18:46)


#15 2015-05-12 16:28:38

Hectrin2
Member
Registered: 2015-01-26
Posts: 9

Re: Is Arch network safe on default install?

for a port to be 'open' (and thus connectable/exploitable), some program (application, daemon) needs to be running AND say to the system 'hey, I want to open this port for listening, please send all incoming connection attempts on this port to me'.

Ah, right. This is all starting to make sense now. Clearly I need to do more research.

Last edited by Hectrin2 (2015-05-12 16:29:00)


#16 2015-05-12 16:56:09

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,362

Re: Is Arch network safe on default install?

OpenBSD has claimed that they have only 2 remote exploits in a long time if you're really a paranoid type.  But this would be for services that are opened, I presume.  But still you only keep open the ports that you absolutely have to keep in operation.


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.


#17 2015-05-12 17:58:14

Grinch
Member
Registered: 2010-11-07
Posts: 265

Re: Is Arch network safe on default install?

drcouzelis wrote:

The only other port I have forwarded is 80 for my personal webserver. As far as I understand, as long as Apache, MariaDB, PHP, and WordPress don't have any bugs ;) then my computer is as safe as the next, and a firewall wouldn't make a spit of difference anyway.

Correct, since those applications are part of your webserver which is reachable through a firewall, a firewall would make no difference in preventing someone exploiting a bug in your webserver software.

A firewall could potentially protect against DoS attacks, but that is another attack vector entirely.


#18 2015-05-12 19:15:47

bleach
Member
Registered: 2013-07-26
Posts: 264

Re: Is Arch network safe on default install?

To check what ports and services you have, you can use something like nmap with:

nmap --script=vulscan "your ip"

This can show you rogue services that you don't know about, or other things that may need to be fixed.


#19 2015-05-13 09:01:30

Awebb
Member
Registered: 2010-05-06
Posts: 6,294

Re: Is Arch network safe on default install?

Hectrin2 wrote:
Awebb wrote:

having an open port is like leaving the house with your door unlocked in a bad neighborhood!

Isn't that exactly how it is though? I mean, I know I'm pretty ignorant on the subject, but am I really that ignorant?

No, it's more like living on the fourth floor, leaving the small bathroom window open. People probably won't notice. Nothing will happen, unless one of your children is stupid enough to hang down a rope ladder the moment a burglar comes along. This is why some closed source operating systems seem to need a clever firewall: you never know when its child at heart kicks in and it runs to every door and window, tearing it open.

You have probably looked at the data you posted and determined that the only service listening on the forwarded ports is your game server. The server needs to be exposed or nobody can connect. A standard firewall would not make a difference here, unless you want something specific like traffic shaping (but the moment you know you want this, you probably know where to look for information). Now let's assume you turn the server off and it stops listening on those ports. If you then try to send a package over that port, nothing happens. There is nothing listening; the package is dropped (or rejected? It has been a while since I dealt with that topic more regularly).

The only thing that could happen, would be some other software listening on that exact port. This can happen with wonky software like Torrent clients with port randomizers (a) and malware (b) running on your computer.

(a) Torrent clients are made to communicate within untrusted networks. There would need to be an unfixed security flaw in the network code, which would be fatal anyway upon exposure to a WAN, random port or not. Your server needs those ports, let's assume it's secure. We don't know much about Skype, but we know it needs certain ports; it cannot function without them. We also know that Skype uses P2P technology; let's try to assume that Microsoft has not yet broken this part and has only defiled the GUI. It needs those ports to function, so they are either open and exposed or features (like file transfer) might not work. The same goes for Steam. It will not work unless you allow it to use the network. You have to trust the software, and a firewall would be set to allow the software all the traffic it wants, which means a firewall would not help you.

(b) If malware listens on a port, you've got a whole different set of problems to deal with. In fact, it is possible to write a script that scans its host for vulnerabilities and invites attacks. It is also safe to assume that the moment your system runs malware you don't know about, your system is compromised anyway, ergo a desktop firewall would probably be ineffective, because you cannot know what this malware does to the firewall.


Premature conclusion:

1. The main purpose of a desktop firewall is not as much keeping out intruders, but preventing untrusted software from stealing your data and inviting its malware friends to a house party.

1.1 I am not sure if there is a trend in Linux desktop environments to use the network by default for stuff it is not supposed to. I use a simple desktop; everything does what I tell it to do and nothing else. I know that Ubuntu, for example, once had a default feature that would send all search strings you entered in your local (!) search field to a server on the WAN and report back with ads from amazon.com.

1.2 A Linux system is meant to be somewhat safe and somewhat trustworthy. While it is totally fine to block everything and only allow whitelisted software to go online, it would sure be better to check for untrusted software yourself regularly. This thread has provided you with a set of tools so far and there are more:

  • nmap

  • netstat

  • lsof

1.3 I use an iptables/netfilter frontend on my Android phone (AFWall+). I generally disallow all network traffic and have whitelisted certain applications for network traffic. I only do this because I simply don't trust most of the applications I install from the Google repository. This is the worst case for me, the anti-thesis of a trustworthy system.

2. If you sit behind a router, you would only have to worry about forwarded ports.

2.1 If nothing listens on those ports, then there is no imminent danger.

2.2 I'd say one firewall is enough to care about. You have a router. In an IPv4 environment, there is a WAN IP your router gets from your ISP and you have a private subnet. This is the simplest and most robust form of firewall: it is simply impossible for the network to reach a port in the private subnet, unless you explicitly tell the router to pass through packages from WAN to another subnet. 1.2.3.4:88 is not the same as 5.4.3.2:88. This also ensures that traffic only meant for your local network stays there.

WARNING: The subnet security might not be true in an IPv6 environment. I do not have much experience with that - neither does my router support it in the LAN, nor does my ISP give me an IPv6 address - but I do know that in an unsecured default IPv6 network, all your devices are exposed to the entire network. As far as I understand, your device gets an address like [public part]:[private part]. This might not be correct; like I said, my knowledge comes from random reading. Be advised that your own research is required on IPv6.

2.3 I would worry a bit about forwarded ports you didn't forward yourself. Make sure you read a bit about UPnP (Universal Plug & Play). Among many things, it allows applications to ask the router to forward ports. If you don't want or need this, you might want to turn it off in your router settings. However, I say "worry a bit", because you would still need to have a) a server listening on that port and b) a known but unfixed vulnerability on that service or malware on your machine.

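The reasoning in posts #13 and #19 (a port is only "open" if something non-loopback listens on it, and behind a NAT router only forwarded ports matter) can be applied mechanically to the netstat table from post #12. This is an added example, not code from the thread; it parses a subset of Hectrin2's "netstat -tulpn" output, takes the forwarded ports as Hectrin2 listed them (27015 UDP, 27005 TCP and UDP), and reports which forwarded ports actually reach a program and which are closed.

```python
# Listener table copied from Hectrin2's "netstat -tulpn" output in post #12
# (a subset is enough to show the logic).
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:27036           0.0.0.0:*               LISTEN      739/steam
tcp        0      0 127.0.0.1:57343         0.0.0.0:*               LISTEN      739/steam
tcp        0      0 127.0.0.1:27015         0.0.0.0:*               LISTEN      1465/./srcds_linux
tcp        0      0 0.0.0.0:4433            0.0.0.0:*               LISTEN      783/python2
tcp6       0      0 :::4434                 :::*                    LISTEN      783/python2
udp        0      0 0.0.0.0:27005           0.0.0.0:*                           1465/./srcds_linux
udp        0      0 0.0.0.0:27015           0.0.0.0:*                           1465/./srcds_linux
udp        0      0 192.168.100.105:6771    0.0.0.0:*                           783/python2
udp        0      0 127.0.0.1:6771          0.0.0.0:*                           783/python2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           416/dhcpcd
"""

# The ports Hectrin2 said the router forwards to this machine (27015 UDP, 27005 TCP+UDP).
FORWARDED = {("udp", 27015), ("tcp", 27005), ("udp", 27005)}

LOOPBACK = ("127.0.0.1", "::1")
WILDCARD = ("0.0.0.0", "::")


def parse_netstat(text):
    """Return (proto, bind_address, port, program) for each listening socket in
    numeric (-n) netstat output. tcp6/udp6 are folded into tcp/udp."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto = parts[0].rstrip("6")
        addr, port = parts[3].rsplit(":", 1)          # ":::4434" -> ("::", "4434")
        prog = parts[-1].split("/", 1)[1] if "/" in parts[-1] else parts[-1]
        rows.append((proto, addr, int(port), prog))
    return rows


def scope(addr):
    """Who can reach a socket bound to this address, ignoring any firewall."""
    if addr in LOOPBACK:
        return "loopback"          # this host only
    if addr in WILDCARD:
        return "wildcard"          # every interface
    return "lan"                   # one specific (here: LAN) address


def forwarded_port_report(rows, forwarded):
    """For each forwarded (proto, port): the program that would actually receive
    traffic the router passes through, or None if nothing non-loopback listens
    (a closed port, which is exactly the 'nothing happens' case in post #19)."""
    report = {}
    for proto, port in sorted(forwarded):
        hits = [prog for pr, addr, pt, prog in rows
                if pr == proto and pt == port and scope(addr) != "loopback"]
        report[(proto, port)] = hits[0] if hits else None
    return report


def lan_only_listeners(rows, forwarded):
    """Listeners reachable from the LAN but shielded from the Internet by the
    router's NAT because no port is forwarded to them (Awebb's point 2.2)."""
    return sorted({(pr, pt, prog) for pr, addr, pt, prog in rows
                   if scope(addr) != "loopback" and (pr, pt) not in forwarded})


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_OUTPUT)
    for (proto, port), prog in forwarded_port_report(rows, FORWARDED).items():
        print(f"{proto}/{port}: {prog or 'nothing listening, port is closed'}")
    print("LAN-only listeners:", lan_only_listeners(rows, FORWARDED))
```

Note that 27005/tcp is forwarded but nothing listens on it, and srcds only binds 27015/tcp on 127.0.0.1, so of the three forwarded ports only the two UDP ones expose the game server.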

#20 2015-05-15 18:51:43

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,362

Re: Is Arch network safe on default install?

IP6 has a stateless address, that autoconfigures like IPX used to do (basically just the MAC address).  You can call all of the machines on your internal network with something like ping6 ff02::1%<interface> or something like that.  If you want a real IP6 you have to get it from your ISP.

Last edited by nomorewindows (2015-05-15 18:55:35)


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.


#21 2015-05-15 20:12:16

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,534

Re: Is Arch network safe on default install?

Awebb wrote:

... your device gets an address like [public part]:[private part].

And you wouldn't want your private parts exposed to the world, would you?

(sorry for juvenile OT, I just couldn't resist).


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

