Ubuntu 20.04: what are the security risks without firewall?

Published 2025-01-12 01:13:25

Installed Ubuntu 20.04, but forgot to enable the firewall using ufw.

SSH port 22: uses keys (2048 bit) for login, no password.
Setting UsePAM=true, any risk?

Any other services that may have security holes without a firewall, so that hackers can break into the server?

Comments (2)

左耳近心 2025-01-19 01:13:25

Case for firewall

Yes you should enable the firewall. It's an important security layer.

Software has bugs. The firewall layer prevents some bugs or mistakes from causing harm.

Security is layered for the same reason airplanes have redundant systems. Even single engine airplanes are designed to glide when they lose thrust.

SSH and Services You Know About

While proper SSH configuration is another topic, it illustrates a reason firewalls are needed. Your config is on the right track, but without reading the entire man page you're still unsure if it's secure.

If you're unsure about SSH, a firewall can limit access to source IPs that you define, adding another layer.

SSH is but one of a handful of services you're running that might be accessible over the public internet. Sometimes services become open to the public unintentionally.

Third Party Software

One type of bug is a software update or install that inadvertently opens a service and exposes that service to the public internet.

I frequently see application installs that open a private service bound to 0.0.0.0 when it should be bound to 127.0.0.1. If you don't know the difference, you aren't alone. Binding to 0.0.0.0 (or *) means open to the public internet.

This isn't just a user-workstation problem. Package managers are susceptible to this too. NPM, Python PIP, and Apt all can run executables on your system.

Checking for Open Services

Run sudo netstat -n to show active internet connections.

For example, here's output:

Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4      31      0  192.168.1.17.53624     3.xxx.96.61.443        CLOSE_WAIT
tcp4       0      0  192.168.1.17.53622     162.xxx.35.136.443     ESTABLISHED
udp4       0      0  *.3722                 *.*
[...]

I do not know what udp port 3722 is but my system will accept traffic from ANYWHERE to that port.

Closing

The firewall is a layer that lives lower in the network stack than applications and thus provides a layer to guard against configuration and application problems.
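The check the answer above describes, as an added example that is not part of the original answer: a POSIX shell script that parses `ss -Hlntup` output (iproute2's `ss` is the replacement for `netstat` on Ubuntu 20.04) to flag sockets bound to all interfaces rather than to loopback, and then prints the ufw rules that close everything by default while keeping SSH reachable from an admin network. The socket table below is constructed sample data, and 203.0.113.0/24 is a placeholder admin network from the RFC 5737 documentation range; both are assumptions, not from the page.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumptions: `ss` from iproute2
# is installed (`sudo ss -Hlntup` prints: Netid State Recv-Q Send-Q Local:Port
# Peer:Port [Process]); 203.0.113.0/24 is a placeholder admin network.

# Read `ss -Hlntu[p]` lines on stdin and print proto, port, bind address and
# process for every socket bound to a wildcard address (0.0.0.0, *, ::, [::]).
# Sockets on 127.0.0.1 or [::1] are reachable only locally and are not flagged.
wildcard_listeners() {
    awk '
    {
        n = split($5, a, ":")            # column 5 is Local:Port; port follows the last colon
        port = a[n]
        host = substr($5, 1, length($5) - length(port) - 1)
        if (host == "0.0.0.0" || host == "*" || host == "::" || host == "[::]") {
            proc = ($7 != "") ? $7 : "-"  # process column needs root (-p); may be absent
            printf "%s\t%s\t%s\t%s\n", $1, port, host, proc
        }
    }'
}

# Print the ufw commands for a default-deny policy that still admits SSH from
# the CIDR in $1 on port $2 (default 22). Printed rather than executed so they
# can be reviewed first; pipe through `sudo sh -e` to apply. The allow rule is
# emitted before `enable` so that enabling the firewall does not cut off the
# admin session doing it; --force skips the interactive "may disrupt ssh" prompt.
ufw_restrict_ssh() {
    admin_cidr=$1
    ssh_port=${2:-22}
    [ -n "$admin_cidr" ] || { echo "usage: ufw_restrict_ssh <admin-cidr> [ssh-port]" >&2; return 1; }
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow from $admin_cidr to any port $ssh_port proto tcp
ufw --force enable
EOF
}

# Constructed sample in `ss -Hlntup` format (not real output from any host):
# a mystery UDP service, Postgres correctly on loopback, sshd on both address
# families, a printer daemon on ::1 only, and a notebook server bound to *.
SAMPLE_SS='udp UNCONN 0 0 0.0.0.0:3722 0.0.0.0:* users:(("mystery",pid=1234,fd=5))
tcp LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=900,fd=6))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))
tcp LISTEN 0 4096 [::]:22 [::]:* users:(("sshd",pid=700,fd=4))
tcp LISTEN 0 128 [::1]:631 [::]:*
tcp LISTEN 0 511 *:8888 *:* users:(("jupyter",pid=1500,fd=7))'

echo "== exposed on all interfaces (constructed sample) =="
printf '%s\n' "$SAMPLE_SS" | wildcard_listeners

# Same check against the host this runs on, when ss is available
# (run it as root with -p to see which process owns each socket).
if command -v ss >/dev/null 2>&1; then
    echo "== exposed on all interfaces (this host, live ss output) =="
    ss -Hlntu 2>/dev/null | wildcard_listeners
fi

echo "== ufw plan for admin network 203.0.113.0/24 =="
ufw_restrict_ssh 203.0.113.0/24
```

Anything the first function prints that you cannot name is either a service to bind to 127.0.0.1 (or remove) or a port the firewall should close; the sample's udp 3722 and the notebook on *:8888 are the kind of surprise the answer is talking about. The generated `ufw allow from ... proto tcp` rule is the "limit access to source IPs that you define" layer from the answer; review the printed plan and make sure the CIDR really covers the address you are connecting from before piping it into `sudo sh -e`.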

笑,眼淚并存 2025-01-19 01:13:25

Enabling the firewall will prevent you accidentally exposing something you didn’t know was open - telnet, ftp, databases, Jupyter to name a few.

Regarding ssh with disabled password and ssh keys, it’s a good way to enable shell access but be aware that if there is no password on the ssh key, and the private key is stolen, then the thief will have access.

Also, remember ssh only encrypts transport. If you trust everyone who has or can obtain root access, that’s not a big deal, but if someone dishonest connects as root on the same host, then they can still spy on connections. Just something to be aware of.
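To act on the stolen-key caveat in the comment above, an added example that is not part of the original comment: a shell function that reports whether an SSH private key file is passphrase-protected by inspecting only its header, so no key material is printed. It assumes OpenSSH's own key format (the decoded body starts with the magic `openssh-key-v1`, followed by the cipher name, which is `none` for an unencrypted key) or the legacy PEM format (which marks encrypted keys with a `Proc-Type: 4,ENCRYPTED` header); the scan of `~/.ssh/id_*` at the end is illustrative, and the fix it suggests, `ssh-keygen -p -f <key>`, is the standard way to add a passphrase to an existing key.

```shell
#!/bin/sh
# Added example, not from the original comment. Assumption: keys are in the
# OpenSSH format ("BEGIN OPENSSH PRIVATE KEY", the default since OpenSSH 7.8)
# or legacy PEM. In the OpenSSH format the decoded body is
#   "openssh-key-v1\0" + uint32 length + cipher name + uint32 length + kdf name ...
# so the second whitespace-separated token after decoding is the cipher name:
# "none" means the key is stored in the clear, anything else (e.g. aes256-ctr)
# means a passphrase is needed to use it.

# Print "protected", "UNPROTECTED" or "unknown" for the key file in $1.
# Returns 2 when the file cannot be read or is not a recognised private key.
ssh_key_passphrase_status() {
    key=$1
    [ -r "$key" ] || { echo "cannot read $key" >&2; echo unknown; return 2; }
    if head -n 1 "$key" | grep -q 'BEGIN OPENSSH PRIVATE KEY'; then
        # Strip the BEGIN/END armour, decode, keep only the magic and cipher
        # name, and turn the binary length prefixes into spaces for awk.
        cipher=$(sed '1d;$d' "$key" | tr -d '\r\n' | base64 -d 2>/dev/null \
                 | head -c 40 | tr -c '[:alnum:]-' ' ' | awk '{print $2}')
        case $cipher in
            none) echo UNPROTECTED ;;
            "")   echo "not an openssh-key-v1 body: $key" >&2; echo unknown; return 2 ;;
            *)    echo protected ;;          # aes256-ctr, aes256-gcm@openssh.com, ...
        esac
    elif head -n 1 "$key" | grep -q 'BEGIN .*PRIVATE KEY'; then
        # Legacy PEM (RSA/EC/DSA) keys carry a Proc-Type header when encrypted.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
            echo protected
        else
            echo UNPROTECTED
        fi
    else
        echo "unrecognised key format: $key" >&2; echo unknown; return 2
    fi
}

# Illustrative scan of the usual key locations. A line marked UNPROTECTED is a
# key that grants access to whoever copies the file; add a passphrase with
#   ssh-keygen -p -f ~/.ssh/id_rsa
# (or use an agent / hardware token so the unlocked key never sits on disk).
for k in "$HOME"/.ssh/id_*; do
    [ -f "$k" ] || continue
    case $k in *.pub) continue ;; esac
    printf '%s: ' "$k"
    ssh_key_passphrase_status "$k" || true
done
```

The check reads at most the first 40 decoded bytes, which is enough to reach the cipher name in the OpenSSH format, and it never writes the private key anywhere; it is safe to run over a directory of keys on a shared host. It does not catch the second point in the comment: a root user on the same machine can read the key file regardless and can also inspect the SSH session itself, so this only tells you whether a copied file is immediately usable.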
