Firewall ufw, ports

Hello,

I am using the Ubuntu ufw firewall. I ran a firewall test and the results showed this:

GRC Port Authority Report created on UTC: 2017-06-13 at 15:08:14

Results from scan of ports: 0-1055

18 Ports Open
1035 Ports Closed
3 Ports Stealth

1056 Ports Tested

Ports found to be OPEN were: 22, 53, 80, 110, 443, 500, 501,
502, 600, 601, 602, 603, 604, 605,
606, 607, 608, 609

Ports found to be STEALTH were: 137, 139, 445

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,

  • NO unsolicited packets were received,
  • A PING REPLY (ICMP Echo) WAS RECEIVED.

Should I worry about anything? Close the open ports? How?

Thank you,

Arnauld

[quote=“Arnaud_Bordes, post:1, topic:13713”]should I worry of anything ?[/quote]Yes, about the fact your post suggests your PC is hooked up directly to the Internet. So, not behind a router. With a disabled/absent firewall on your modem.

1 Like

My PC is connected to my box... I use the built-in firewall ufw. So what should I do? Close the 18 open ports? Is it enough?

[quote=“Arnaud_Bordes, post:3, topic:13713”]my pc is connected to my box[/quote]What box would that be? A router? If so, GRC is not testing your PC, it’s testing your router.

1 Like

It is this box: https://en.wikipedia.org/wiki/Orange_Livebox

[quote=“Arnaud_Bordes, post:6, topic:13713, full:true”]it is this box : https://en.wikipedia.org/wiki/Orange_Livebox[/quote]And in the very first sentence:

Orange Livebox is an ADSL wireless router

A router. As I asked. :wink:

Anyhow, your PC is hooked up to this box. This box is hooked up to the Internet. GRC is testing this box. NOT your PC.

1 Like

You should be able to close the open ports by logging into your Box’s admin panel.

1 Like

Also consider running nmap on your localhost to scan what ports are open. As others have written, close unnecessary ports on your router. It seems you're serving a website since 80 and 443 are open. Do you need ssh open? Routers, unless hardened, can be easily exploited. My 2 cents.

GRC is testing this box. NOT your PC.

So how do I check my PC?

Also consider running nmap on your localhost to scan what ports are open.

How do I do that?

As others have written, close unnecessary ports on your router. It seems you're serving a website since 80 and 443 are open. Do you need ssh open? Routers, unless hardened, can be easily exploited. My 2 cents.

I ssh to my Raspberry Pis; as for serving a website since 80 and 443 are open: no, I don't serve a website.

[quote=“Arnaud_Bordes, post:10, topic:13713”]so how to check for my PC ?[/quote]I think you’re not quite understanding it.

The router in this case shields your PC from direct control. The router is, in fact, your firewall. You do not need to check the PC. If you still want to check the PC (which I see no reason to), all you could consider is setting up a DMZ in the router. Completely exposing your PC.

How this is accomplished depends on the exact router and I couldn’t begin to tell you how to do it with an Orange box. Not my ISP, I don’t know the box.

1 Like

From a machine other than the one you want to test, but on the same local network:

sudo apt install nmap
sudo nmap -sS -T5 [IP Of Target Machine]

For example, if the target machine is 10.42.0.153 and you run sudo nmap -sS -T5 10.42.0.153, you should get something like this:

Nmap scan report for 10.42.0.153
Host is up (0.0019s latency).
All 1000 scanned ports on 10.42.0.153 are filtered
MAC Address: 5C:E0:C5:XX:XX:XX (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 11.48 seconds

3 Likes
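The nmap scan above shows what is reachable from another host on the LAN. To answer the "how do I check my PC?" question from the PC itself, you can list which services are listening on a non-loopback address and compare that with what you expect. The script below is an added example, not from the thread or from the nmap/ufw projects; the `ss` output it parses is constructed for the example, and the allowlist format ("proto:port") is an assumption of this script.

```shell
#!/bin/sh
# Added example: report listening sockets that are reachable from outside the
# machine (anything not bound to loopback), then flag those not on an allowlist.

# Constructed sample of `ss -Hltnu` output (no header, numeric, listening TCP/UDP).
# These lines are made up for the example and are not from the original post.
SAMPLE_SS='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:*'

# exposed_ports SS_OUTPUT
# Prints one "proto:port" per socket bound to something other than loopback,
# de-duplicated (IPv4 and IPv6 listeners on the same port collapse to one line).
exposed_ports() {
  printf '%s\n' "$1" | awk '
    NF >= 5 {
      n = split($5, part, ":")          # the last field is the port, even for [::]:22
      port = part[n]
      addr = substr($5, 1, length($5) - length(port) - 1)
      if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: not reachable from the LAN
      print $1 ":" port
    }' | sort -u
}

# unexpected_ports SS_OUTPUT "proto:port proto:port ..."
# Prints exposed entries that are not in the space-separated allowlist.
unexpected_ports() {
  for entry in $(exposed_ports "$1"); do
    case " $2 " in
      *" $entry "*) ;;                    # expected, say nothing
      *) printf '%s\n' "$entry" ;;
    esac
  done
}

# audit_live ALLOWLIST: run against the real socket table when `ss` is available.
audit_live() {
  if command -v ss >/dev/null 2>&1; then
    unexpected_ports "$(ss -Hltnu)" "$1"
  else
    echo "ss not found; run this on the Linux machine you want to audit" >&2
    return 1
  fi
}

# On the sample: tcp:22 and tcp:80 are exposed; with only SSH allowed, tcp:80 is flagged.
exposed_ports "$SAMPLE_SS"
unexpected_ports "$SAMPLE_SS" "tcp:22"
```

A port that shows up here but not in the nmap scan from another machine is being blocked somewhere in between (ufw on the PC, or the router); a port that shows up in both is genuinely reachable on the LAN and needs either a reason to exist or a deny rule.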

Use routersecurity.org to learn how to harden your router. Also, scan your network with Nessus. Good luck.

OK, thank you all for your advice, I'll do this this weekend. I'm new to Linux, so I got used to having a firewall on Windows and relying on it... never thought about the router.

Some information and procedures that can complement what has been said and can help:

Links:

How to set up the firewall of your Livebox (Fr) - Orange

How to Enable Your Wireless Router’s Built-in Firewall

Gufw Documentation

10 Steps to Maximize your Home Wireless Network Security

:slight_smile:

2 Likes

To recap what others have said, if your computer is behind a router with a secure firewall of its own, then there really is no need to set up a firewall on your computer.

However, if your computer is a laptop and you plan to use the internet from a public WiFi source, then yes in my opinion you do need to have a firewall in place.

Gufw is a GUI front end for UFW (Uncomplicated Firewall), both of which are included with Ubuntu Mate.

As @Swart has pointed out, the documentation for GuFw is located at

https://help.ubuntu.com/community/Gufw

The documentation for UFW is located at

https://wiki.ubuntu.com/UncomplicatedFirewall

If you are a normal user, you will be safe with the default settings in Gufw, which are Incoming=Deny, Outgoing=Allow. Start Gufw from Control Center > Firewall Configuration, and turn the Status On. At this point the firewall is up and running, and you are fairly well protected.

If you use P2P applications, a rule will have to be created that allows incoming traffic for them, or they will no longer work. However, this is where you are starting to compromise your firewall. Anytime you create a rule to allow traffic in, you are increasing the chances that someone may exploit it. Only you can decide if it's worth the chance that an exploit will not happen.

You can also use Gufw to disallow all incoming and outgoing traffic, and to create a set of rules to allow only what is necessary on your system, based on opening ports per service, and if possible to a specific IP address. This is an advanced approach, and not relevant to the question at hand.

2 Likes
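The policy described in the post above (Incoming=Deny, Outgoing=Allow, plus one explicit rule per service that really needs inbound traffic, scoped to an IP range where possible) can be written down as a short list of ufw commands and reviewed before it is applied. The script below is an added example, not from the thread or from the ufw project. The LAN range, the P2P port and the SSH_FROM_LAN/DRY_RUN switches are constructed placeholders for the example; the ufw command syntax itself is the standard one.

```shell
#!/bin/sh
# Added example: build the ufw ruleset as a list of commands, review it, then apply it.
# Outgoing SSH to the Raspberry Pis needs no rule because outgoing traffic is allowed;
# incoming SSH is opened only for the LAN, and only if this PC is an SSH server.

# Assumptions (constructed placeholders, change for your network):
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # your home LAN; only these hosts may reach SSH
SSH_FROM_LAN="${SSH_FROM_LAN:-0}"        # 1 = this PC serves SSH to LAN hosts; 0 = deny SSH entirely
P2P_PORT="${P2P_PORT:-}"                # e.g. 6881 for a torrent client; empty = no P2P rule
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print the commands only; 0 = run them with sudo

# ufw_policy: print the ufw commands for this policy, one per line, without running them.
ufw_policy() {
  # The Gufw defaults from the post: deny everything inbound, allow everything outbound.
  printf '%s\n' "ufw default deny incoming" "ufw default allow outgoing"

  # SSH: a narrow allow from the LAN range, or an explicit deny so the rule is visible
  # in `ufw status` rather than relying on the default alone.
  if [ "$SSH_FROM_LAN" = "1" ]; then
    printf '%s\n' "ufw allow from $LAN_NET to any port 22 proto tcp"
  else
    printf '%s\n' "ufw deny ssh"
  fi

  # P2P: the one case the post names where inbound traffic must be allowed.
  # Open the single port the client uses, not a range.
  if [ -n "$P2P_PORT" ]; then
    printf '%s\n' "ufw allow $P2P_PORT/tcp" "ufw allow $P2P_PORT/udp"
  fi

  # --force skips the interactive confirmation so the script does not hang.
  printf '%s\n' "ufw --force enable"
}

# ufw_apply: run the policy; with DRY_RUN=1 (the default) it only prints it.
ufw_apply() {
  ufw_policy | while IFS= read -r cmd; do
    if [ "$DRY_RUN" = "1" ]; then
      echo "[dry-run] sudo $cmd"
    else
      sudo $cmd || return 1
    fi
  done
}

ufw_apply
```

Run it once with the default DRY_RUN=1 to read the rules it would add, then with DRY_RUN=0 to apply them; afterwards `sudo ufw status verbose` shows the resulting policy, and any port that was open for a service you no longer use simply has no allow line.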

Hello,

Sorry for the late reply, I was busy with my work.

Thanks a lot everybody for your advice and web links!

You are welcome! :slight_smile:

The most important points have been mentioned.
Some adjustments make it more secure. Don't forget to always update the system; it keeps up the level of security.

Tip: If you do not use the Secure Shell (SSH) service, add a deny rule using the following command in the terminal:

sudo ufw deny ssh

and then

sudo ufw reload :point_right: (reloads firewall)

Any doubt we're here! :relaxed: