Cybersecurity Recommendations

Concerning 1: An additional firewall, or sophisticated configurations, is usually not necessary for a desktop. But keep your firewalld & SELinux online. As you said, a desktop usually does not need open ports. Thus, their default configurations already provide much security for the average user without annoying the user by blocking things.

When it comes to SELinux: if you install software from the Fedora repositories, then SELinux-policy files are usually installed in conjunction with the software if SELinux policy adjustments are necessary. And these are well configured and well tested SELinux policies! Nevertheless, as mentioned above, security is a process, not a product, and the user is, whenever he does something, the major firewall of the system :slight_smile:

Concerning 2: I would not say that a server needs different or more firewalls, at least not on Fedora/CentOS and most Linux distributions, but it is more likely that a server needs customized configurations for SELinux & firewalld (such as open ports).

Concerning 3: Yes, it is by default enabled in targeted mode.

Concerning 4: You should consider that a Linux server may provide files/data for other machines (e.g., a file server). So there are situations in which it can make sense to have a virus scanner to mitigate distributing malicious files. However, a virus scanner is usually not necessary for Linux systems. Ironically, virus scanners can themselves be attack vectors into systems :slight_smile: All the disadvantages of proprietary software (especially if it needs invasive access rights to the system, such as a virus scanner :) ) apply to antivirus software as well. From that point of view, the open source ClamAV of our repo would be my favorite on Fedora (and Linux in general): concerning its advantages and disadvantages, I would say that on Linux it is the best compromise if you want/need to have one.

Concerning your open ports: The ports of your firewall-cmd output are not “generally open”. These are the non-standardized ports that your users/applications can use to establish connections on the Internet - which is indeed necessary. As you do not want to have standardized ports open on your system (such as 80 / 443 for HTTP(S)), it is important that those (<=1024) are not open.

Explanation why the use of non-standardized ports is necessary if you want to use the Internet:
E.g., your browser may request a connection at port 443 at wikipedia (which is the standardized HTTPS port). Wikipedia has to have that port for its webservers open, but of course you do not provide a webserver yourself. But how can your browser connect to wikipedia if it does not have a port from which it can send the request? It uses the non-standardized ports! E.g., request FROM port 15000 to port 443.

Since your browser requested HTTPS from 15000 to wikipedia:443, your firewall knows that and if wikipedia:443 answers, your firewall will let the answer pass to your browser as it was requested.

But as these ports can be “opened” only from within, requests/answers from outside, which were not requested from inside in advance, remain ignored!

If you want to know with certainty if something is open, use nmap, which is in the Fedora repo, and use it to scan your own system. When it is just about port scanning, you can do this from the computer that is itself tested (scan your computer's IP address of the Internet-connected network; e.g. 192.168.0.15; not an internal address!).

Hope that makes sense so far.

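The mechanism described in the post above (the browser gets an ephemeral source port such as 15000, the firewall remembers the outbound connection and lets the reply back in) is connection tracking. The toy filter below is an added example, not code from firewalld or from the thread; it models only the decision order firewalld ends up with through nftables: a packet that mirrors a connection the host opened passes, anything else passes only if an explicit port rule allows it. The addresses are constructed from documentation ranges, `DEFAULT_RULES` is the `--list-ports` output shown later in the thread, and `HARDENED_RULES` is an assumed configuration with the range removed and only the ssh service left.

```python
"""Toy stateful packet filter modelled on firewalld's behaviour on a desktop.
Added example for this thread; addresses and the hardened rule set are
constructed, not taken from a real system."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# (proto, low, high) ranges for which unsolicited inbound traffic is accepted.
DEFAULT_RULES = [("tcp", 1025, 65535), ("udp", 1025, 65535)]  # FedoraWorkstation zone, as listed in the thread
HARDENED_RULES = [("tcp", 22, 22)]                            # assumption: range removed, only the ssh service


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()   # 5-tuples of connections this host opened

    def outbound(self, pkt):
        # Every packet leaving the host creates a conntrack entry keyed on the
        # ephemeral source port the application was given (e.g. 15000).
        self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port,
                        pkt.dst_ip, pkt.dst_port))
        return True

    def inbound(self, pkt):
        # A genuine reply is the mirror image of a tracked flow and passes
        # regardless of any port rule.
        mirror = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if mirror in self.flows:
            return True
        # Anything else is unsolicited: only the explicit allow rules apply.
        return any(proto == pkt.proto and low <= pkt.dst_port <= high
                   for proto, low, high in self.rules)


def run(rules):
    fw = StatefulFirewall(rules)
    me, web, other = "192.168.1.222", "198.51.100.7", "203.0.113.9"  # constructed
    fw.outbound(Packet("tcp", me, 15000, web, 443))   # browser opens HTTPS to the web server
    return {
        "reply_from_web": fw.inbound(Packet("tcp", web, 443, me, 15000)),
        "unsolicited_to_15000": fw.inbound(Packet("tcp", other, 443, me, 15000)),
        "unsolicited_to_22": fw.inbound(Packet("tcp", other, 40000, me, 22)),
        "unsolicited_to_8000": fw.inbound(Packet("tcp", other, 40000, me, 8000)),
    }


def demo():
    return {"default": run(DEFAULT_RULES), "hardened": run(HARDENED_RULES)}


if __name__ == "__main__":
    for name, results in demo().items():
        for case, accepted in results.items():
            print(f"{name:9} {case:22} {'ACCEPT' if accepted else 'DROP'}")
```

Two things the output makes visible: the reply from the web server is accepted in both configurations because of the tracked flow, not because of the 1025-65535 rule; and under the default rule set an unsolicited packet to port 8000 (or to 15000) is accepted by the firewall, so whatever happens to be listening there decides whether a connection succeeds. With the range removed, only the tracked flows and port 22 get through.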

Okay, I need some time to process this information. This is super insightful, thanks. So should I close that port that's open? Since you're advocating for enabling the default firewall, what are the recommended settings?


I don’t see that ports are open, so I think everything is ok with your system. It is ok (and necessary) that your applications can use the ports >1024. And your firewall is already running which is a default state :slight_smile:

My comment about nmap is meant in general, it is an easy and quick way to verify the “overall state” of a system concerning open ports.

But as your firewalld assumes applications from within to be trustworthy, its capability to protect you from malicious processes is limited as long as you want to use the Internet. This is one point where SELinux adds some preventive protection, although it cannot release you from thinking carefully which applications you install & run.


No sweat, thanks very much. Although this port is open, below:

[solomon@fedora ~]$ sudo firewall-cmd --list-ports
1025-65535/tcp 1025-65535/udp


That’s just the non-standardized ports your applications (e.g. browser) need to establish connections on the Internet, such as accessing websites :slight_smile:


That list does not say the ports are open. It says they are available.

As stated by Christopher, if you want to actually see what ports are open then use the nmap command with your LAN ip address to get a listing of what it finds.
The output will look something like this

$ nmap 192.168.xx.xxx
Starting Nmap 7.80 ( https://nmap.org ) at 2021-12-08 16:37 CST
Nmap scan report for myhost.home.domain (192.168.xx.xxx)
Host is up (0.00016s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3551/tcp open  apcupsd

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
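A one-off scan like the one above answers "what is open now"; the useful follow-up is to keep that output as a baseline and be told when a new port shows up. The script below is an added example, not from the thread: it parses nmap's normal output (the baseline is the scan shown above, the second scan is constructed) and reports ports that became open or stopped being open.

```python
"""Parse nmap normal output and diff two scans so a newly opened port is
noticed. Added example; BASELINE is the scan from the thread, LATER is a
constructed follow-up scan."""
import re

PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)\s+(\S+)"
)

BASELINE = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2021-12-08 16:37 CST
Nmap scan report for myhost.home.domain (192.168.xx.xxx)
Host is up (0.00016s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3551/tcp open  apcupsd

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
"""

# Constructed later scan: apcupsd is gone, a development web server appeared
# on 8000, and 9595 is "filtered" (no answer at all, typically a firewall drop
# rather than a listening service).
LATER = """\
Host is up (0.020s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
8000/tcp open     http-alt
9595/tcp filtered pds

Nmap done: 1 IP address (1 host up) scanned in 2.37 seconds
"""


def parse_nmap(text):
    """Return {(port, proto): (state, service)} for every port line in the output."""
    found = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            found[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return found


def open_ports(scan):
    """Only ports nmap actually completed a handshake on; 'filtered' is not open."""
    return {key for key, (state, _) in scan.items() if state == "open"}


def diff_scans(baseline_text, later_text):
    """Return (newly open, no longer open), each as a sorted list of (port, proto)."""
    before = open_ports(parse_nmap(baseline_text))
    after = open_ports(parse_nmap(later_text))
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    new_open, gone = diff_scans(BASELINE, LATER)
    print("newly open:", new_open)
    print("no longer open:", gone)
```

Two caveats when using this for real: a plain `nmap <host>` only probes nmap's default top 1000 TCP ports, so use `nmap -p- <host>` for all TCP ports and `nmap -sU` for UDP; and scan from another machine on the LAN rather than from the host itself, otherwise you are looking at the loopback path and not at what the firewall lets through.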

Wow! I hadn't looked at this post for a few days because I didn't think there was much that I could do - this is some amazing stuff and super informative, ladies, gentlemen and everyone in between! The main concern I had was that I suspected that if this was an intentional attack, then there'd be some form of keylogger. Thanks so much for all of the above, and it's gonna take a while to comb through this, so I'm glad this is left open so we can all give it a go!

I knew Bluetooth wasn't exactly secure. I have a ThinkPad w/ an encrypted hard drive, so I suppose that I assumed in order to see what I'm connected to one would need to have access to the info on my physical computer - but I'm sure there's a way to tell. I'm also using OpenVPN through AWS, and setting up OpenVPN was actually a disaster, ha, so I guess what I'm getting at is that this could be coming from any and all angles. I should probably just learn as much about networking and encryption as possible - otherwise I'll just be solving one of the million things that could potentially be insecure.


@bennyisaiah

First, the command is nmap, not np.

Second, I am very sorry but I have to correct myself. I have a big thinking error in there (a little mixing with out-/inbound in my head) :frowning:

Forget the following:

if you use non-standardized ports for listening to the Internet to wait for requests (e.g. when you have a webserver), it will not work by default :slight_smile:

Given the default configuration of firewalld, services can indeed listen on ports >1024, and if a port in this range was opened by a service from within, a connection can be established. Nevertheless, as elaborated in the previous posts, this does not imply that these ports are open: test with nmap.

That’s just the non-standardized ports your applications (e.g. browser) need to establish connections on the Internet, such as accessing websites :slight_smile:

Allowing these ports is not necessary for, e.g., your browser. They are allowed to avoid problems for the users, and to avoid encouraging them to completely turn off firewalld. You have to test yourself if you have other services that need these ports to be allowed.

I think you meant nmap 192.168.1.222
You may also have to install that app.
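The correction above comes down to: a port in the 1025-65535 range is reachable as soon as some service listens on a non-loopback address, and "you have to test yourself" whether anything does. The script below is an added example, not from the thread or from firewalld: it reconciles the listening sockets with the firewall policy to list what is actually reachable from the network, first under the default FedoraWorkstation rules and then with the range removed. The `ss` and `firewall-cmd` outputs are constructed in the shape of `ss -Hltunp`, `firewall-cmd --list-ports` and `firewall-cmd --list-services`; `SERVICE_PORTS` is a hand-copied subset of firewalld's service definitions and is an assumption to extend from your own `/usr/lib/firewalld/services/`.

```python
"""Which listening sockets can the network actually reach through firewalld?
Added example; sample outputs are constructed, not captured from a system."""

# Subset of firewalld service definitions (/usr/lib/firewalld/services/*.xml),
# copied here as an assumption; extend it from your own system.
SERVICE_PORTS = {
    "ssh": [("tcp", 22)],
    "mdns": [("udp", 5353)],
    "dhcpv6-client": [("udp", 546)],
    "samba-client": [("udp", 137), ("udp", 138)],
}

# Constructed in the shape of `ss -Hltunp` (Netid State Recv-Q Send-Q Local Peer Process).
SS_OUTPUT = """\
udp   UNCONN 0 0      0.0.0.0:5353   0.0.0.0:* users:(("avahi-daemon",pid=801,fd=12))
udp   UNCONN 0 0      0.0.0.0:68     0.0.0.0:* users:(("NetworkManager",pid=950,fd=22))
tcp   LISTEN 0 128    0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=1002,fd=3))
tcp   LISTEN 0 4096 127.0.0.1:631    0.0.0.0:* users:(("cupsd",pid=890,fd=7))
tcp   LISTEN 0 128    0.0.0.0:8000   0.0.0.0:* users:(("python3",pid=4231,fd=3))
tcp   LISTEN 0 128       [::]:22        [::]:* users:(("sshd",pid=1002,fd=4))
"""

DEFAULT_PORTS = "1025-65535/tcp 1025-65535/udp"          # as in the thread
DEFAULT_SERVICES = "dhcpv6-client mdns samba-client ssh"   # FedoraWorkstation zone


def parse_ss(text):
    """Return [(proto, address, port, process)] for each socket line."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")      # handles "[::]:22" as well
        proc = fields[6].split('"')[1] if len(fields) > 6 and '"' in fields[6] else "?"
        sockets.append((proto, addr, int(port), proc))
    return sockets


def parse_ranges(ports_spec):
    """'1025-65535/tcp 80/tcp' -> {('tcp', 1025, 65535), ('tcp', 80, 80)}."""
    ranges = set()
    for item in ports_spec.split():
        ports, proto = item.split("/")
        low, _, high = ports.partition("-")
        ranges.add((proto, int(low), int(high or low)))
    return ranges


def is_loopback(addr):
    return addr.startswith("127.") or addr == "[::1]"


def reachable(sockets, ports_spec, services_spec):
    """Sockets bound to a non-loopback address on a port firewalld accepts
    unsolicited traffic for, as sorted (proto, port, process) tuples."""
    ranges = parse_ranges(ports_spec)
    for name in services_spec.split():
        for proto, port in SERVICE_PORTS.get(name, []):
            ranges.add((proto, port, port))
    found = set()
    for proto, addr, port, proc in sockets:
        if is_loopback(addr):
            continue
        if any(p == proto and low <= port <= high for p, low, high in ranges):
            found.add((proto, port, proc))
    return sorted(found)


def demo():
    sockets = parse_ss(SS_OUTPUT)
    default = reachable(sockets, DEFAULT_PORTS, DEFAULT_SERVICES)
    hardened = reachable(sockets, "", DEFAULT_SERVICES)   # range removed
    return default, hardened


if __name__ == "__main__":
    default, hardened = demo()
    print("reachable with default rules:", default)
    print("reachable with range removed:", hardened)
```

With the default rules the stray `python3` server on 0.0.0.0:8000 is reachable alongside sshd and avahi; `cupsd` is not, because it binds 127.0.0.1, and the DHCP client on udp/68 is not, because no rule allows it. Removing the range (`sudo firewall-cmd --permanent --remove-port=1025-65535/tcp --remove-port=1025-65535/udp` followed by `sudo firewall-cmd --reload`) leaves only the explicitly listed services. The script only looks at port and service rules of one zone; rich rules, other zones and the zone target are ignored, so an `nmap -p-` from another LAN host remains the ground truth.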

Right, thanks. I will check that now.

Thanks, although that command didn't work.

What I would try:

np (my ip address here)

[solomon@fedora ~]$ nmap 192.168.1.222
bash: nmap: command not found...
Similar command is: 'map'
[solomon@fedora ~]$ 

You have to install it.
dnf install nmap


Got it! Thanks, it worked!

Host is up (0.020s latency).
Not shown: 999 closed ports
PORT     STATE    SERVICE
9595/tcp filtered pds

Nmap done: 1 IP address (1 host up) scanned in 2.37 seconds
[solomon@fedora ~]$ 

So I really want to know how the Internet works.

Is this right?

To connect to this domain we are at right now:

Is it: my desktop connects to my router (through wireless Internet protocol),

then my router tells the ISP to connect me to here (Cybersecurity Recommendations - #32 by bennyisaiah),

then my ISP tells my DNS resolver to send me to that domain,

then that domain sends a signal back along the same path that it went to get back to my monitor on my desk?

Is that about right? Are there any other junctions or parts in the journey I missed?

On one hand, this gets a bit off-topic. On the other hand, the Internet is a bit too complex to put it into a short explanation.

If you want to get in touch with its architecture, I suggest starting with the TCP/IP and OSI reference models.


In general it is like this

PC <-> router <-> internet <-> server.

Since you are not running a server and have no ports open, the communication starts at the PC which sends the request to a server (somewhere) on the internet. That server replies to the request and that reply is allowed back in by your router & firewall since it is a reply to a connection you established.

If someone on the internet tries to connect to your system your PC firewall denies the connection since you have no ports open to allow a connection. The router also plays a part since you are usually on a private network (192.168.x.x/24 is a private network) and it will send connections out and only returns replies to that already established connection to your PC.


There is a small mistake; it is like this:
Your PC -> router through wifi -> your ISP -> DNS resolver -> wifi router -> your PC -> wifi router -> ISP -> website server
Everything happens on different ports,
and the Internet today is far more complex; here I have just oversimplified the whole protocol.


That would be a new topic, maybe even for a different forum. Closing... off-topic.