Thought I’d pose this question in poll form to get more opinions on the matter. Only really interested in opinions on personal VMs and dedis as, of course, anything production/mission critical should be secured to the fullest.
My typical security practice is to install fail2ban, create a user, and disable root SSH login, then call it a day. I’ve never had a security breach (knock on wood), but I’m not sure if that’s due to me never really being specifically targeted or if my basic security is thwarting any attacks. I don’t run any mailservers and I try to limit any attack vectors (i.e. disabling portmapper services, etc.).
So the question is: Do you think iptables rules are essential for personal machines? Feel free to drop a comment to expand a bit on your selection.
P.S. I’m going to try to do a weekly poll that will vary on subject from week-to-week
- LOCK IT DOWN (firewall rules are absolutely necessary)
- CHILLAX BRO (you’re fine as long as you follow decent security practices)
- What’s this ‘iptables’ of which you speak?
I change SSH port number and enable firewalld. Done.
I tend to; it’s simple enough, and I have refined the iptables over a number of iterations. Normally it is just a question of pasting it into a file and then putting iptables-restore into rc.local… why wouldn’t I? I tend to lock down services that aren’t “public”, for example SSH only from my home IP.
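The “paste it into a file, then iptables-restore it” workflow the post above describes, written out as an added example (this is not code from the thread or from any of its posters). It assumes a single home address for SSH and a short list of public TCP ports, both passed in as arguments; the address used in the usage line is a constructed one from the documentation range. It only prints a ruleset unless explicitly asked to apply it, so you can read the result before you risk locking yourself out of SSH:

```shell
#!/bin/sh
# Generate a default-deny IPv4 ruleset in iptables-restore format.
# Assumptions (not from the thread): one trusted address may reach SSH,
# everything in PUBLIC_PORTS is meant for the general public, all other
# inbound traffic is dropped. IPv6 needs a matching set for ip6tables-restore.
gen_rules() {
  home_ip="$1"        # address allowed to open SSH, e.g. 203.0.113.10 (constructed)
  public_ports="$2"   # space-separated TCP ports, e.g. "80 443"
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]'        # deny by default on the way in
  printf '%s\n' ':FORWARD DROP [0:0]'      # this box is not a router
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
  # SSH only from the trusted address; no other source ever sees port 22 open
  printf '%s\n' "-A INPUT -p tcp -s $home_ip --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
  for p in $public_ports; do
    printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  printf '%s\n' 'COMMIT'
}

# Number of explicit INPUT rules a ruleset contains; handy for eyeballing the result.
count_input_rules() {
  gen_rules "$1" "$2" | grep -c '^-A INPUT'
}

# Apply for real (needs root). iptables-restore loads the whole table atomically,
# so a typo rejects the file rather than leaving a half-applied policy.
apply_rules() {
  gen_rules "$1" "$2" | iptables-restore
}

case "${1:-}" in
  --print) gen_rules "$2" "$3" ;;                # e.g. --print 203.0.113.10 "80 443"
  --apply) apply_rules "$2" "$3" ;;              # same arguments, applies them
esac
```

Save the printed output to a file and point `iptables-restore < file` at it from rc.local or your distribution’s persistence mechanism, exactly as the post describes; run the `--print` form first and check the SSH line carries the address you are connecting from.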
I guess, for me, it all depends on what’s actually idling in my container.
I will join the group of “enable whatever required, lock everything else down” people.
I only firewall off things that need to be, and if nothing needs to be then I never touch the firewall. For example, a public facing service that has to be public facing but should only communicate with one end point, that I can firewall off to reduce access to potentially vulnerable applications. The rest though, why firewall off ports that aren’t open? If it’s open on the public interface, and isn’t redis, it’s for the general public to access (or for me to access on demand from random locations).
I’m with @Jarland on this; I also restrict the SSH login to only my user, and that’s pretty much it.
Yeah, I’m more relaxed with personal stuff.
Firewalled ports won’t give a response at all. Not sure if this makes any sense, but it makes me sleep better I guess… It sounds weird now.
You should run a bare basic firewall that locks down all external ports except those that you are using.
I only set a very hard password and I’m done. No problem in over 10 years. More chance of being compromised due to a PHP script or an unpatched security flaw, which has nothing to do with SSH login or having a firewall set up.
I guess a better question is why wouldn’t you use iptables? Like the first guy said, get a set of rules you always use and copy/paste them. Default block ftw so you don’t have to worry about some odd running service that you didn’t even know was installed on your VM.
Is there a technical benefit I’m unaware of? Entirely possible that there is.
My only excuse is a little more security. Like @coreyman said you never know with those pesky VMs! I guess a netstat will tell you everything is open, but I am definitely in the deny by default. I tend to run duo 2fa on my SSH sessions on personal machines too…
One example was the dns reflection exploit that came out for BIND a few years ago. There were people running bind servers that didn’t even know they were running them. If you had ‘deny all’ rules by default you wouldn’t have been vulnerable. Here is a good article on it.
Not necessarily staring at netstat every time I update software, so who knows what gets opened up in a new version of some software that I’m not paying attention to.
I just install ufw, deny incoming, allow outgoing, punch some holes out for whatever services I’m running and then enable the firewall. Takes about a minute, tops.
Ty. Suppose being perfectly aware of what is listening at all times is equivalent then. I figure if I’m compromised by what I want open, game over anyway. Always a few ways to skin a cat
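The “be perfectly aware of what is listening at all times” position above depends on actually checking after every update. This added example (not from the thread or its posters) compares a listener list against the ports you intend to expose and flags anything else bound to a public address, skipping loopback-only sockets such as a local Redis. The embedded `ss -tlnp` output is a constructed sample, not data from a real machine; the `audit_live` wrapper runs the same check against the current host:

```shell
#!/bin/sh
# Constructed sample of `ss -tlnp` output (not captured from a real system).
# The named listener on port 53 stands in for the "BIND you did not know
# you were running" case mentioned earlier in the thread.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1201,fd=6))
LISTEN 0      4096   127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=900,fd=7))
LISTEN 0      4096   0.0.0.0:53          0.0.0.0:*         users:(("named",pid=1500,fd=21))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))'

# audit_listeners "<allowed ports>" "<ss -tlnp output>"
# Prints one line per listener bound to a non-loopback address whose port is
# not in the allow-list: "<port> <address> <process column>".
audit_listeners() {
  allowed="$1"
  printf '%s\n' "$2" | awk -v allowed="$allowed" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                                  # skip the header row
    {
      addr = $4
      port = addr; sub(/.*:/, "", port)               # text after the last colon
      host = addr; sub(/:[^:]*$/, "", host)           # everything before it
      if (host == "127.0.0.1" || host == "[::1]") next  # loopback only: not reachable
      if (!(port in ok)) print port, host, $NF
    }'
}

# Same check against the running host (ss comes with iproute2 on modern Linux).
audit_live() {
  audit_listeners "$1" "$(ss -tlnp)"
}

case "${1:-}" in
  --sample) audit_listeners "${2:-22 80}" "$SAMPLE_SS" ;;  # demo on the constructed data
  --live)   audit_live "${2:-22 80}" ;;                     # e.g. --live "22 80 443"
esac
```

With the allow-list `"22 80"` the sample yields exactly one line, the `named` listener on port 53; the loopback-bound Redis is silent because nothing outside the box can reach it. Running `--live` after each package upgrade is the cheap way to close the gap between “I know what is open” and “I looked last month”.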
Well you can’t know what you don’t know.
This is the type of wisdom that I signed up for.