imthenachoman / How-To-Secure-A-Linux-Server

An evolving how-to guide for securing a Linux server.
Creative Commons Attribution Share Alike 4.0 International

UFW, custom application & ports #57

Open raidoo9 opened 4 years ago

raidoo9 commented 4 years ago

Hi,

Thank you for putting this guide together.

Looking for some assistance with creating custom application profiles for UFW for the software I use on my Pi.

I'm not sure if these ports are all needed or if they need in or out access? Also, I would like to restrict access to my LAN if the apps don't need WAN access?

Would appreciate any help

Thanks

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:37601 0.0.0.0:* users:(("avahi-daemon",pid=375,fd=14))
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=375,fd=12))
udp UNCONN 0 0 0.0.0.0:8999 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=29))
udp UNCONN 0 0 192.168.0.28:1900 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=35))
udp UNCONN 0 0 127.0.0.1:1900 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=33))
udp UNCONN 0 0 0.0.0.0:1900 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=32))
udp UNCONN 0 0 127.0.0.1:33651 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=19))
udp UNCONN 0 0 127.0.0.1:8125 0.0.0.0:* users:(("netdata",pid=599,fd=18))
udp UNCONN 0 0 127.0.0.1:37898 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=34))
udp UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("unbound",pid=708,fd=5))
udp UNCONN 0 0 192.168.0.28:40514 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=21))
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhcpcd",pid=580,fd=10))
udp UNCONN 0 0 192.168.0.28:6771 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=20))
udp UNCONN 0 0 127.0.0.1:6771 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=18))
udp UNCONN 0 0 0.0.0.0:6771 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=17))
udp UNCONN 0 0 192.168.0.28:36981 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=36))
udp UNCONN 0 0 0.0.0.0:32899 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=37))
udp UNCONN 0 0 *:5353 *:* users:(("avahi-daemon",pid=375,fd=13))
udp UNCONN 0 0 [::1]:48913 *:* users:(("qbittorrent-nox",pid=582,fd=24))
udp UNCONN 0 0 *:8999 *:* users:(("qbittorrent-nox",pid=582,fd=30))
udp UNCONN 0 0 [fe80::996:7a13:5297:ad6a]:37676 *:* users:(("qbittorrent-nox",pid=582,fd=26))
udp UNCONN 0 0 [::1]:8125 *:* users:(("netdata",pid=599,fd=16))
udp UNCONN 0 0 *:32782 *:* users:(("avahi-daemon",pid=375,fd=15))
udp UNCONN 0 0 *:546 *:* users:(("dhcpcd",pid=580,fd=15))
udp UNCONN 0 0 [::1]:53 *:* users:(("unbound",pid=708,fd=3))
udp UNCONN 0 0 [fe80::996:7a13:5297:ad6a]:6771 *:* users:(("qbittorrent-nox",pid=582,fd=25))
udp UNCONN 0 0 [::1]:6771 *:* users:(("qbittorrent-nox",pid=582,fd=23))
udp UNCONN 0 0 *:6771 *:* users:(("qbittorrent-nox",pid=582,fd=22))
tcp LISTEN 0 20 127.0.0.1:25 0.0.0.0:* users:(("exim4",pid=1349,fd=3))
tcp LISTEN 0 128 127.0.0.1:8125 0.0.0.0:* users:(("netdata",pid=599,fd=31))
tcp LISTEN 0 128 0.0.0.0:222 0.0.0.0:* users:(("sshd",pid=600,fd=3))
tcp LISTEN 0 128 0.0.0.0:19999 0.0.0.0:* users:(("netdata",pid=599,fd=4))
tcp LISTEN 0 5 0.0.0.0:8999 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=28))
tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("lighttpd",pid=695,fd=4))
tcp LISTEN 0 128 0.0.0.0:52050 0.0.0.0:* users:(("MyMediaForAlexa",pid=350,fd=7))
tcp LISTEN 0 128 0.0.0.0:52051 0.0.0.0:* users:(("MyMediaForAlexa",pid=350,fd=3))
tcp LISTEN 0 128 127.0.0.1:53 0.0.0.0:* users:(("unbound",pid=708,fd=6))
tcp LISTEN 0 20 [::1]:25 [::]:* users:(("exim4",pid=1349,fd=4))
tcp LISTEN 0 128 [::1]:8125 [::]:* users:(("netdata",pid=599,fd=30))
tcp LISTEN 0 128 [::]:222 [::]:* users:(("sshd",pid=600,fd=4))
tcp LISTEN 0 128 [::]:19999 [::]:* users:(("netdata",pid=599,fd=5))
tcp LISTEN 0 5 [::]:8999 [::]:* users:(("qbittorrent-nox",pid=582,fd=27))
tcp LISTEN 0 50 *:8080 *:* users:(("qbittorrent-nox",pid=582,fd=40))
tcp LISTEN 0 128 [::]:80 [::]:* users:(("lighttpd",pid=695,fd=5))
tcp LISTEN 0 128 [::1]:53 [::]:* users:(("unbound",pid=708,fd=4))

imthenachoman commented 4 years ago

The list you pasted, what does it represent?

I am not experienced with Pi. Have you tried posting on https://stackoverflow.com/, or https://askubuntu.com/? Folks there might be able to help better than I.

raidoo9 commented 4 years ago

Apologies, the pasted list is the output of the command listed under the section "ss - Seeing Ports Your Server Is Listening On":

sudo ss -lntup

I'm just wondering if, and how, I can transfer the information from the output list to create UFW rules to allow the applications I use, similar to the ones you use in the UFW part of the guide?

Thanks
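One way to turn that ss output into UFW application profiles, as an added example that is not part of the guide or of this thread: the script parses `ss -lntup` lines, drops loopback-only listeners (127.0.0.1 and [::1], which no other host can reach and so need no firewall rule), and prints one profile stanza per process in the format UFW reads from /etc/ufw/applications.d/. The sample lines are constructed for the demo and the title/description text is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `sudo ss -lntup`; a subset of the kind of
# listeners seen in this thread, not the full list the reporter posted.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:8999      0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=29))
udp   UNCONN 0      0      127.0.0.1:53      0.0.0.0:* users:(("unbound",pid=708,fd=5))
tcp   LISTEN 0      128    0.0.0.0:222       0.0.0.0:* users:(("sshd",pid=600,fd=3))
tcp   LISTEN 0      128    [::]:222          [::]:*    users:(("sshd",pid=600,fd=4))
tcp   LISTEN 0      5      0.0.0.0:8999      0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=28))
tcp   LISTEN 0      50     *:8080            *:*       users:(("qbittorrent-nox",pid=582,fd=40))
tcp   LISTEN 0      128    127.0.0.1:8125    0.0.0.0:* users:(("netdata",pid=599,fd=31))
tcp   LISTEN 0      128    0.0.0.0:19999     0.0.0.0:* users:(("netdata",pid=599,fd=4))
"""

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_ss(text):
    """Map each listening process to its externally reachable ports, per protocol.
    Loopback-only sockets are skipped: nothing off-host can reach them."""
    profiles = defaultdict(lambda: {"tcp": set(), "udp": set()})
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")  # last ':' splits address from port
        if addr in LOOPBACK:
            continue
        proc = re.search(r'users:\(\("([^"]+)"', line)  # process name from users:(...)
        if proc:
            profiles[proc.group(1)][proto].add(int(port))
    return profiles


def render_profile(name, ports):
    """Emit one UFW application profile (INI stanza for /etc/ufw/applications.d/)."""
    specs = [",".join(str(p) for p in sorted(ports[proto])) + "/" + proto
             for proto in ("tcp", "udp") if ports[proto]]
    return (f"[{name}]\ntitle={name}\n"
            f"description=Generated from ss -lntup output\n"
            f"ports={'|'.join(specs)}\n")


if __name__ == "__main__":
    for name, ports in parse_ss(SAMPLE_SS).items():
        print(render_profile(name, ports))
```

After saving a stanza as a file under /etc/ufw/applications.d/ and running `sudo ufw app update <name>`, a rule such as `sudo ufw allow from 192.168.0.0/24 to any app qbittorrent-nox` admits that app from the LAN only (the /24 is an assumption based on the 192.168.0.28 address in the output). UFW's default policy already allows outgoing traffic, so these profiles answer the inbound half of the question.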

imthenachoman commented 3 years ago

Were you able to ever get this figured out? I got a bit caught up with some personal things and am only now getting time to come back to this.

raidoo9 commented 3 years ago

Hey, thanks for following up. I had no luck, then it got put on hold due to personal issues. Any advice would still be greatly appreciated.

imthenachoman commented 3 years ago

You want all of the ports listed to be open on your UFW?