Hardening Hardy

Hardy includes a new package called ufw (uncomplicated firewall). There is an argument that Ubuntu doesn't need a firewall because it doesn't run any services. The other way of looking at it is there is nothing to stop a downloaded script from installing a server and accepting connections.

Here's how to enable ufw to lock down the box and open one port.

#check the defaults before starting the firewall
james@t61jc:~$ sudo iptables -L -n | grep 'INPUT (policy'
Chain INPUT (policy ACCEPT)
james@t61jc:~$ sudo ufw enable
Firewall started and enabled on system startup
james@t61jc:~$ sudo iptables -L -n | grep 'INPUT (policy'
Chain INPUT (policy DROP)
# enabling ufw drops all incoming connections
james@t61jc:~$ sudo ufw status
Firewall loaded
james@t61jc:~$ sudo ufw allow 80
Rule added
james@t61jc:~$ sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
80:tcp                     ALLOW   Anywhere
80:udp                     ALLOW   Anywhere

james@t61jc:~$ sudo ufw delete allow 80
Rule deleted
james@t61jc:~$ sudo ufw status
Firewall loaded
james@t61jc:~$ 

I really like it and it's a lot safer than rolling your own scripts. More on ufw and doing thing the old way.

The other security-related addition is the update Keyring Manager. I use it to store WIFI and ssh keys. The keys can be automatically added to the login keyring so there's no need to use ssh-add after login if you want an easy life.

Two simple additions that make it safer to use Ubuntu beyond the desktop.