Wondering if you have detected someone you don't recognize on your LAN?

This should fall under a "Security" heading.

Discussion on the Ubuntu forum regarding a situation I faced, and what I did to make a determination, with the assistance of some very knowledgeable people.

Wanted to make the Community aware, in case they might be interested.

:)


Hi @ericmarceau ,

Thank you for sharing. This was, indeed, a very interesting read.

I’m not by any means a network administrator, and did not know a lot of things that were discussed in the thread before reading it, but I think it is a good idea (even for a desktop home system) to keep an eye once in a while and make sure no one can potentially gain access to your system, steal personal information, credit card data, etc.

The security layers I have implemented include:

  • Enabling ufw to default deny, then only allow the ports I absolutely require.
  • Enabling a server program called fail2ban which, from what I’ve understood, blocks an IP address after a certain number of failed access attempts.
  • Once in a while, I run iftop to see what network traffic is happening.

Any other suggestions or things I can learn in this field are much appreciated.

Jaymo


IF ... and that is a big if ... the application-specific "logic" (Firefox, Thunderbird, Transmission, MariaDB, Apache2) that came with ufw was more comprehensive (not interfering with what I'm trying to do) and "tweakable", I would love to depend on ufw alone.

I have used ufw in the past, and have decided that it doesn't have the flexibility of using iptables directly.

Unfortunately, from my perspective, those are not yet up to snuff to meet the challenge of correctly filtering, which is why I have not yet implemented, even for reserved personal desktop use, either the MariaDB or the Apache2.

fail2ban is a good "extension" to the iptables capability, and I have it installed.

I have a script setting iptables rules in an extremely restrictive manner, but I hesitate to make it public because it needs a serious re-write.

I have a complementary script for banning (DROPing) all packets originating from a list of country-specific address ranges.

The recent experience that I shared with the Community is pushing me to revisit my "firewall" scripts ASAP, while I improve and expand my various targeted security scan scripts!

The paranoia that has driven my security scripting dates back about a decade when I was threatened with cutoff by my ISP because my Android tablet got infected with a trojan. I have since "banned" that tablet from the Wireless access, but it forced me to research and implement quite a set of detective tasks in the form of scripts that I can use on demand.


I wholeheartedly agree with that, although I have GUFW on my laptop to switch the incoming SSH port on and off (because of the nice GUI), but to be honest, I think the structure of UFW is overly complicated and, indeed, quite rigid.

For dropping IP address ranges, using PREROUTING (raw) is the best/fastest way but strangely enough this is often overlooked.

block an arbitrary range:

iptables -t raw -A PREROUTING -m iprange --src-range 192.168.1.1-192.168.1.100 -j DROP

block a complete subnet:

iptables -t raw -I PREROUTING -s 192.168.1.0/24 -j DROP