How to protect a PC with ufw?

hack3rcon
Posts: 746
Joined: 2015-02-16 09:54
Has thanked: 48 times

How to protect a PC with ufw?

#1 Post by hack3rcon »

Hello,
I'm using Debian 10.5 x86_64 and I installed Gufw and enabled it. By default, "Incoming" is "Deny" and "Outgoing" is "Allow". I want to protect my PC from some popular attacks and I'd be thankful if anyone here could advise me.
I found something like https://billing.xenmin.com/knowledgebas ... ge=english, but to be honest I don't know whether it is enough or not.

Thank you.

reinob
Posts: 1198
Joined: 2014-06-30 11:42
Has thanked: 99 times
Been thanked: 47 times

Re: How to protect a PC with ufw?

#2 Post by reinob »

Do you have any services listening on open ports?
Check with

Code:

# netstat -ptln | grep -v " 127.0.0.1:" | grep -v " ::1:"

If nothing shows up, then you don't need a firewall.
If something shows up, then post here again.
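
The same check as a reusable filter, added here as an example that is not part of the original posts. It goes slightly beyond the command above by treating all of 127.0.0.0/8 as loopback and by reporting the port and program; the function names and the sample `netstat -ptln` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: list TCP listeners reachable from other hosts,
# given `netstat -ptln` output on stdin.

exposed_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            # Split "address:port" at the LAST colon, since IPv6
            # addresses contain colons themselves.
            port = addr; sub(/.*:/, "", port)
            host = addr; sub(/:[^:]*$/, "", host)
            # Loopback-only listeners are not reachable from the network:
            # skip all of 127.0.0.0/8 and ::1.
            if (host ~ /^127\./ || host == "::1") next
            prog = $7; sub(/^[0-9]+\//, "", prog)
            print $1, host, port, prog
        }
    '
}

# Constructed sample output (not taken from a real machine).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      981/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      702/cupsd
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      455/resolver
tcp6       0      0 :::22                   :::*                    LISTEN      981/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      702/cupsd
EOF
}

# On a live system: netstat -ptln | exposed_listeners   (run as root)
sample_netstat | exposed_listeners
```

An empty result means nothing is listening on a network-reachable address.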

hack3rcon
Posts: 746
Joined: 2015-02-16 09:54
Has thanked: 48 times

Re: How to protect a PC with ufw?

#3 Post by hack3rcon »

The output is:

Code:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      981/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      981/sshd

A Linux system without any service is not vulnerable!? Some attacks like DDoS don't need any service, just an IP!

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: How to protect a PC with ufw?

#4 Post by Head_on_a_Stick »

hack3rcon wrote: Some attacks like DDoS don't need any service, just an IP!
Please read the "what is a DDoS attack" section in the link you provided in the OP. Those attacks only affect a server and you're not running a server (at least according to your posted command output).
deadbang

reinob
Posts: 1198
Joined: 2014-06-30 11:42
Has thanked: 99 times
Been thanked: 47 times

Re: How to protect a PC with ufw?

#5 Post by reinob »

hack3rcon wrote: A Linux system without any service is not vulnerable!? Some attacks like DDoS don't need any service, just an IP!
Read what @Head_on_a_Stick has written.

I might also add that in principle your computer can be "attacked" even if no ports are open, e.g. using vulnerabilities in the packet handling itself. These are however kernel vulnerabilities, which probably can be better addressed by the kernel developers than by some random forum guy using ufw.

Please also note that DoS != DDoS.

hack3rcon
Posts: 746
Joined: 2015-02-16 09:54
Has thanked: 48 times

Re: How to protect a PC with ufw?

#6 Post by hack3rcon »

Thus, a normal user like me can't do anything?

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: How to protect a PC with ufw?

#7 Post by Head_on_a_Stick »

If you're not running a server then you don't need to do anything because you're not at risk from a DDoS attack.

At the moment you don't need a firewall at all and all it's doing with your current configuration is blocking your SSH daemon.
deadbang

reinob
Posts: 1198
Joined: 2014-06-30 11:42
Has thanked: 99 times
Been thanked: 47 times

Re: How to protect a PC with ufw?

#8 Post by reinob »

hack3rcon wrote: Thus, a normal user like me can't do anything?
Yes, you can for example try to decide when a particular situation should be considered a DDoS attack vs normal server usage.

Say you have a web server and suddenly you receive 1000 connections from different addresses. Is it an attack? Or is your web site just popular?

Once you've established the criteria for telling one from the other, you can implement the required filter.

hack3rcon
Posts: 746
Joined: 2015-02-16 09:54
Has thanked: 48 times

Re: How to protect a PC with ufw?

#9 Post by hack3rcon »

reinob wrote:
hack3rcon wrote: Thus, a normal user like me can't do anything?
Yes, you can for example try to decide when a particular situation should be considered a DDoS attack vs normal server usage.

Say you have a web server and suddenly you receive 1000 connections from different addresses. Is it an attack? Or is your web site just popular?

Once you've established the criteria for telling one from the other, you can implement the required filter.
Good questions. How can I detect good connections from bad connections?

reinob
Posts: 1198
Joined: 2014-06-30 11:42
Has thanked: 99 times
Been thanked: 47 times

Re: How to protect a PC with ufw?

#10 Post by reinob »

hack3rcon wrote: Good questions. How can I detect good connections from bad connections?
That's a rather subjective question.

In your specific case, since you only have an SSH server listening, you might just ignore the question.
A good connection will end up in a logged on user.
A bad connection will fail authentication.

If you use OpenSSH *and* either very (emphasis on VERY) good passwords or use public key authentication, then you can relax and watch how random computers try to get into yours.

If you want to stop them from trying after a few attempts, you can use fail2ban.

You can also run openssh on another random port, which is less likely to be targeted (but it will be).

If you want to slow down potential attackers, you can use a "tarpit", so that they stick around for a while. Normally the connection breaks after one minute, but that's one attacker doing one attempt per minute vs 1000s, so it may actually slow them down.

Read: https://nullprogram.com/blog/2019/03/22/ if you want to learn something interesting.
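
The good/bad criterion from the post above (a good connection ends in a login, a bad one fails authentication) applied to sshd log lines, as an added example that is not part of the original thread. The function names, the threshold argument and the log lines are constructed for illustration; the threshold plays the same role as the retry limit a tool like fail2ban applies before banning.

```shell
#!/bin/sh
# Added example: count sshd authentication failures per source address
# and report addresses at or above a threshold.

ssh_offenders() {
    # $1 = failures from one address that count as "bad" (assumed default: 3)
    awk -v max="${1:-3}" '
        /sshd\[[0-9]+\]: (Failed|Accepted) / {
            ip = ""
            # Take the field after the LAST "from": the user name is
            # chosen by the remote side and may itself be "from".
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            if ($0 ~ /: Failed /) failed[ip]++; else ok[ip]++
        }
        END {
            # Failures followed by a success from the same address are
            # reported too: that pattern deserves a closer look.
            for (ip in failed)
                if (failed[ip] >= max)
                    printf "%s failed=%d accepted=%d\n", ip, failed[ip], ok[ip]
        }
    ' | LC_ALL=C sort
}

# Constructed log lines using documentation address ranges.
sample_auth_log() {
    cat <<'EOF'
Sep  1 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Sep  1 10:00:03 host sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Sep  1 10:00:05 host sshd[1203]: Failed password for invalid user from from 203.0.113.7 port 51240 ssh2
Sep  1 10:01:10 host sshd[1210]: Failed password for alice from 192.0.2.10 port 40020 ssh2
Sep  1 10:01:20 host sshd[1211]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Sep  1 10:02:00 host sshd[1215]: Failed password for root from 198.51.100.9 port 33000 ssh2
EOF
}

# On Debian: ssh_offenders 3 < /var/log/auth.log
sample_auth_log | ssh_offenders 3
```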
