Hey guys,
One of the first things I do when I install Linux and expose my computer to a network is to lock it down with a basic firewall. ufw is an excellent, easy to implement choice. Any thoughts on us adding a firewall installer to the bl-welcome script (with basic configuration option) or through the openbox popout menu?
Offline
No, BunsenLabs does not need a firewall by default because it has no services listening to the ports.
We have plenty of guides for users who want a firewall.
For example: https://forums.bunsenlabs.org/viewtopic.php?id=1765
Offline
Ok, then...should we yank out the bit about installing a lamp stack? Provisioning a machine to behave as a server in the welcome script while not automating some sort of baseline firewall feels a bit...inconsistent, no?
Offline
should we yank out the bit about installing a lamp stack?
Yes, I think so — that option seems to be already covered by tasksel 8)
Last edited by Head_on_a_Stick (2017-11-25 01:46:56)
Offline
Provisioning a machine to behave as a server
Many web developers install LAMP for local testing, not with any intention of serving content to the net. In fact, I wonder how many people setting up real servers would turn to BunsenLabs for the base system? A person who was not prepared to do the homework to set LAMP up by hand should not be thinking of running any service exposed to the wild web IMO.
The welcome script LAMP page has been inherited from CrunchBang, and I'd guess that corenominal was using it for testing his web pages. Removing it would be easy of course, but we have had some appreciative comments. Maybe a note about the risks of running a real server, including a mention of firewalls, could be added there?
Last edited by johnraff (2017-11-25 03:25:57)
...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )
Offline
Yeah, we already do a fair bit of security hardening out of the box by disabling root login, and I assume the typical BL user is more versed in linux and security in general, but my suggestion for a simple firewall installer was just because it's pretty simple to get a secure baseline configured. *shrug* I don't really have a dog in the fight, it's always one of the first things I do. Perhaps it's because of my CISSP nature.
Offline
It occurred to me that my last comment was pretty tangential and didn't follow the flow of the conversation here.
I think I may be a bit confused about the overall thesis of bl-welcome - how are we defining its utility? IMO everything that it does (aside from LAMP) is useful. The LAMP provisioning is a potential security vuln for the unfamiliar, so some type of messaging to that effect would be helpful (again, IMO). That said, I think I agree with HOAS that removing it from bl-welcome isn't the worst idea.
Offline
LAMP is useful for web developers, and as I said, in the case of local testing it doesn't represent a security risk. Some users in the past have said they appreciated having it in bl-welcome.
Offline
Hello everyone,
I am new to Linux but love BunsenLabs and have learned a lot in the last weeks. And I have a lot of fun, thank you for building such a fast and clean distro! But I am still inexperienced and while reading this thread I asked myself if I may have installed something while using the bl-welcome script that makes my system vulnerable. The Synaptic manager says that bunsen-meta-lamp isn't installed. Should I check, modify or uninstall other packages to have a system appropriate for a newcomer with regard to safety issues? My English and my Linux know-how aren't yet good enough to understand the firewall issues.
Offline
^ Hello Henry, you can check if you have any open ports by visiting ShieldsUP:
https://www.grc.com/x/ne.dll?bh0bkyd2
Click on the "All service ports" check — it will report "failed" because port 21 (ftp) will be closed (but not hidden) but this is normal and nothing to worry about, all other ports should show as green.
Offline
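An added example, not part of the original thread: a local complement to the external scan suggested above. It classifies listening TCP sockets from `ss -tln` output as loopback-only or reachable from other hosts; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify listening TCP sockets from `ss -tln` output.
# Reads lines on stdin and prints "<scope> <address> <port>" per listener,
# where scope is "loopback" (local testing only) or "exposed".
classify_listeners() {
    awk '$1 == "LISTEN" {
        la = $4
        n = match(la, /:[0-9]+$/)          # the port follows the last colon
        if (n == 0) next
        addr = substr(la, 1, n - 1)
        port = substr(la, n + 1)
        gsub(/^\[|\]$/, "", addr)          # [::1] -> ::1
        sub(/%.*$/, "", addr)              # 127.0.0.53%lo -> 127.0.0.53
        sub(/^::ffff:/, "", addr)          # IPv4-mapped IPv6 address
        scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "exposed"
        print scope, addr, port
    }'
}

# Unique ports reachable from other hosts, one per line, sorted numerically.
exposed_ports() {
    classify_listeners | awk '$1 == "exposed" { print $3 }' | sort -nu
}

# Constructed sample (not from the thread): a LAMP-style install where the
# database is bound to loopback but the web server listens on all interfaces.
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       80      127.0.0.1:3306      0.0.0.0:*
LISTEN  0       128     *:80                *:*
LISTEN  0       5       [::1]:631           [::]:*
LISTEN  0       128     127.0.0.53%lo:53    0.0.0.0:*
EOF
}

sample_ss_output | classify_listeners
# On a live system: ss -tln | classify_listeners
```

Any line marked `exposed` is a service that a firewall rule or a loopback-only bind address would need to cover before the machine joins an untrusted network.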
The following is the result of the port scan, port 21 is reported "stealth", too. I hope everything is fine:
--------------------------------------------------------------------
Results from scan of ports: 0-1055
0 Ports Open
0 Ports Closed
1056 Ports Stealth
---------------------
1056 Ports Tested
ALL PORTS tested were found to be: STEALTH.
TruStealth: FAILED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.
Offline
port 21 is reported "stealth", too
Really? Well, looks like your box is better set-up than mine then
I hope everything is fine
Looks good to me
Offline