Those of you who are new to Ubuntu and Ubuntu-based distros may not be aware that you need to enable your firewall yourself. By default it ships disabled, which leaves you vulnerable. You can check this by doing:
sudo ufw status
If it returns disabled, it is easy to enable.
sudo ufw enable
It's well worth your while reading up on it, for your own security.
I wouldn't say it leaves you 'vulnerable' per se. Ubuntu doesn't ship with the firewall enabled by default because there aren't any services listening anyway. However, if your machine were to be compromised or attacked, an active and well configured firewall can mitigate/prevent the damage. Enabling the firewall is a good idea, and I would recommend it if you have the skill to do so.
There are three services I can think of that are listening after a default Ubuntu install, and two of which are consistently overlooked, even though the more experienced Linux community have been pushing for a fix. This is why so many of us rebuild Unity, and will not use Ubuntu from a default install, otherwise you may as well install Windows.
Wow, I had no idea, and that kinda worries me. Thanks for the heads up.
Is this something that the average layman should be worried about? For example if I was only ever going to use LibreOffice and browse the web a bit, would this be something to concern myself with?
Possibly SSH, as I believe OpenSSH server is installed by default. Maybe that is just on Arch, I forget. Most likely the MX ports are open but services most likely are not listening on them. SSH is the only one I can think of.
I think you mistyped or misunderstand ports. All ports are 'open' by default as there is no firewall to close them. So an application can start and make use of an unused port at any time for someone to connect to.
Outgoing connections also use ports, and lots of them, but that's not a problem.
SSH is installed by default but unless it's changed it is not enabled by default.
I'd be interested to know the services @thirdmortal knows of that are enabled by default.
Regardless, not running a firewall in a home environment does not necessarily make you vulnerable. You are already behind a firewall from your router, there's very little malware to attack Linux machines on local networks and you're not going to be attacked by whoever's living with you.
Edit: in saying that, there's still no reason not to enable the firewall; it's good practice.
I'm sure as an experienced Linux user you'll be aware of the possible dangers of sticking with the default port 22 when using SSH based services, so this is more for the benefit of the noobs who may read this. So please don't feel insulted.
Change your SSH port to something else. Casual hackers scan for port 22, so changing it to 2222 or indeed any number you like above 1000 helps. The first 1000 are reserved. I believe the highest port number is 65,535, off the top of my head. Generally, I use numbers between 2000 to 10000 for ports, but that's arbitrary. There's no harm in doing this and might save you from becoming a victim.
None taken. I just get off-put when people read my username and assume I am some Linux know-it-all or something. I've just had that username since 2003 and it has stuck with me the entire time. I also like group-think and getting shit done right the first time. Hell, I never thought someone would actually hire me to install Linux on their network. I am working on locking down the local network I am working on. The tricky part is that the place I'm working for has an ISP-managed network. I had to call the ISP to reserve IPs and MACs for specific machines as well as troubleshoot the ones that wouldn't connect. Getting them to allow specific ports through their enterprise (Barracuda?) firewall will probably be a nightmare. I want to change all the default ports but I have to work in a controlled-limited environment. Hell, I have major plans for the network. Ex: File server, Mail server, Media server, Music server, Open-LDAP, Print Server, Imaging (PXE) server, etc. But all in good time. The biggest issue the apartment complex company has right now are these League of Legends douchebags that use the public machines to play LoL and get pissed when something doesn't work and so decide to punch the screen, breaking the computer, since against all the recommendations from the geeks, they keep buying All-in-ones. Now, I have managed to get them to put the System76 Meerkat in the budget as a replacement. Example: they replaced 6 HPs with 6 Dells. Within 1 week, 2 of the 6 Dells had shattered screens. Thankfully, LoL is a bitch to work on Linux and I have set up the Ubuntu boxes to boot straight into the Guest account and customized the account so that the launcher bar is auto-hidden but with a Docky dock at the bottom that is locked down to prevent modifying the dock. So, all they can see is something that looks like a Mac.
Your case is not unusual. While I was doing my degree, there was a fellow student who was shit hot at Unix admin (Linux wasn't around then). Problem was he didn't get on well with the other academic stuff; basically his skills were practical. Consequently at the end of the first year, he was asked to leave.
We went for a farewell drink with him to a local bar, where by chance there was a group of businessmen cursing Unix, because they couldn't get it to do what they wanted. He intervened, saying he could sort their network out in 20 minutes or so. They looked sceptical, but accepted his offer. Sure enough, he did what he said and was offered a job on the spot. In a couple of years, he went on to head their admin centre for their entire European operation.
Thanks for the tips. It is true that most of my Linux stuff is practical knowledge. I never took a course until my latest degree in Networking, where I was required to take Linux administration classes which I looked forward to but were overall a letdown, since most in the class were people who thought that since it was a computer course it would be an easy A. Hell, we got bogged down so much we never got past SAMBA and Apache servers. Some of these morons would try to use the mouse in a CLI-only server environment and couldn't remember commands like cd, even though we had been using them for 2 semesters.
I can do a lot of stuff Linux-side on my own and generally don't ask for help unless I'm stumped, but since this is a production environment and shit needs to work right the first time, I go to the forums since there are many more people more knowledgeable at this than myself and they would know how to set it up good and stable. Most of my knowledge is self-taught from tinkering around in Gentoo, Slax, Debian etc. It probably doesn't help that I have Aspergers either. ^_^
Yes, my computer science degree was 80% padding. Totally useless academic crap, or so it seemed to me. In hindsight I think it's meant to be like that. They point you in the right direction and you find out the rest. It's not teaching as such.
And what are those three services? I have never heard anyone even mention two. If some people are willing to go as far as rebuilding from source, why have I not heard of this?
The openssh-server is not installed, but the openssh-client is. The server's purpose is to manage incoming SSH connections, while the client is for connecting to SSH servers. The client is not listening for incoming connections like the server.
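The thread goes back and forth on what is actually listening after a default install, and the point made above (no firewall only matters for a socket bound to a network-facing address) is easy to verify: run `ss -tulnp` and look at the Local Address column. The script below is an added example, not code from any poster; it parses a constructed sample of that output (the process names are typical of a desktop install, not captured from a real host) and reports which sockets are bound to a wildcard address and therefore reachable from the network, as opposed to loopback-only ones like cupsd on 127.0.0.1 or systemd-resolved on 127.0.0.53.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -tulnp` output (not captured from a real host);
# the processes are typical of a desktop install and chosen for illustration.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=611,fd=13))
udp   UNCONN 0      0      0.0.0.0:631         0.0.0.0:*         users:(("cups-browsed",pid=902,fd=7))
udp   UNCONN 0      0      0.0.0.0:5353        0.0.0.0:*         users:(("avahi-daemon",pid=700,fd=12))
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=890,fd=7))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=1200,fd=3))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=1200,fd=4))
"""

@dataclass(frozen=True)
class Socket:
    proto: str
    addr: str
    port: int
    process: str
    exposed: bool   # True when bound to a wildcard address (reachable from the network)

def _is_wildcard(addr: str) -> bool:
    bare = addr.strip("[]").split("%")[0]   # drop IPv6 brackets and the %iface scope suffix
    return bare in ("0.0.0.0", "::", "*")

def parse_ss(text: str) -> list[Socket]:
    """Parse `ss -tulnp` lines into Socket records, skipping the header line."""
    out = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 6)
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)   # rsplit keeps IPv6 addresses intact
        m = re.search(r'\("([^"]+)"', fields[6] if len(fields) > 6 else "")
        out.append(Socket(proto, addr, int(port), m.group(1) if m else "?", _is_wildcard(addr)))
    return out

def exposed_ports(sockets: list[Socket]) -> set[tuple[str, int, str]]:
    """Sockets a firewall rule (or the service's own bind address) must actually cover."""
    return {(s.proto, s.port, s.process) for s in sockets if s.exposed}

if __name__ == "__main__":
    for proto, port, proc in sorted(exposed_ports(parse_ss(SAMPLE_SS))):
        print(f"{proto}/{port} ({proc}) is reachable from the network")
```

On a real host, pipe the live output in instead of SAMPLE_SS; anything the report lists that you do not need is a candidate for a ufw deny rule or for rebinding to 127.0.0.1.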