Now, I should say most desktop linux don't have these things configured because it WILL block things and applications good or bad. However, if you are security concise, it will be worth configuring these things in your system to open up any application that wants to use the internet. Article from Video: christitus.com/linux-security-mistakes/

Mr. Titus, I watch all of your videos. I am battling stage 4 cancer, and I keep my mind off it with your fantastic computer insight! Thank you!

Chris, thanks for the info, but before we can talk about individual computers on local network and their security we need to have a conversation about the most important device on your intranet: the router. This is a first line of defense and if it is not secure then your entire intranet is not secured. Please make a video about that.

Great video, thank you! I'm currently a Junior Penetration Tester, and I think this touches on something we don't generally get taught. Load up Kali, fire off nmap, poke a few ports and send off a fairly standard report full of accepted mitigations. More videos on general hardening for Mac, Linux and Windows (I know, Windows will take years off your life) would help to give something different back to clients on top of the usual advice. I don't know anyone at work who's ever mentioned it.

Selinux is enabled by default in Fedora workstation it's not in permissive mode and the rules these days are generally pretty decent so you typically don't get spammed with alerts anymore. In terms of firewall, as a lot of people have already mentioned, Fedora comes with firewalld enabled and configured, you just need to set the profile (in KDE you can do it directly from the NIC configuration) and you can configure additional rules if needed using the firewall-cmd command

On the firewall - Fedora should come with firewalld / firewall-cmd running with FedoraWorkstation zone as the active zone. Using UFW on top of that wouldn't cause a conflict? I like UFW, but have been using / learning firewalld - usually I set a workstation to the 'public' zone which only has limited services.

I don't think regular users need to open any ports at all. They don't run web servers (80, 443) on their desktop computers and probably don't run ssh server (22) too. So its better to just deny all incoming ports without exceptions by default. And the techy people who does run servers, certainly already smart enough to open required ports.

0:47 100% agreed Security is a journey not a destination - Chris Titus

Thank you. It's awesome to see someone make a basic "hardening" video for Linux. There's not many creators I've found do a "for dummies" video yet. Legend.

Before installing a firewall check if it is usefull. Do a portscan like this: 'lsof -i -P -n | grep -i listen'. This shows a list of all listening (ie open) tcp ports on your system. On my standard Ubuntu system this list is empty. So there are no open ports and installing a firewall is rather pointless.

If anyone wants to take a look at other utilities/features on Linux, here it is: - SECCOMP - no_new_privs bit - secure bits - Linux capabilities - Namespaces and pivot_root (not a security feature, but this is how container isolation works)

Chris, Fedora comes with a firewall already-firewalld. Could you show us how to use what the operating ships with instead?

SELinux and AppArmor are standard in OpenSUSE and Fedora. Two very enterprise focussed distros 💪😌

I know this is an older video but I'd like to say that, I diss 99 % of the Linux users out there. You're one of the 1 % I can respect. Just for context, I'm a system administrator for a large company. We use most of the OS'es out there.

1. A firewall is useless if it doesn't have any listening services behind it. 2. Allowing ports 22, 80 and 443 is pointless unless you are running a server. 3. Fail2ban makes no sense on a desktop computer at all. Why would anyone run a SSH-server on their desktop? 4. To sum it up: No listening services = no firewall necessary. Opening up the firewall for all listening services means that the firewall blocks nothing.

ufw on fedora? Why? Also allow ports 80 and 443 on a workstation? Why? Also you got 3 errors while editing your ufw configuration.

Priceless info, always! Thanks again Chris!

Why do you open up incoming ports on your client?

RPM based distros use firewalld out of the box not ufw

Are there any distributions that come configured, by default, with the setting that our host is recommending (or something similar)? For example, the Qubes distribution is highly, highly focused on privacy and security. I have never used it (seems you need qualified hardware to take full advantage of its security features). I am not savvy enough to configure all of the settings in Linux. Down the road, when I am able to obtain a computer that I can dedicate for using Linux, I would like to find a distribution that has its security settings already in place, because I will not remember what to do. I understand that no two people will agree on every security setting. But the big ones, such as "ufw" that was demonstrated in this video... are there distributions that have that already set? There are countless distributions. Too many for me to figure out which ones put security first. I thought that Qubes was the answer (maybe it is?). But they have a web page dedicated to scoring hardware, and not too many computers check all of the security boxes.

I learned a lot from you keep doing everything you're doing KZbin Chris

Hi Chris, thank you for these great tips. Can you do a video (or two videos, one on each) about how to configure and use SELinux and AppArmor?

@2:54 you talk about limiting SSH but you mark the 22/TCP, so SSH should be limited and not 22/TCP?

Thank you, Chris. Can you do a video on how to increase security on Windows? For 8.1 as well as the newer, barf, versions? I would greatly appreciate it.

Hey just wanted to say thank you for this video, I just switched from Ubuntu after moving from Window's 6 month's ago to Fedora and didn't realize UFW wasn't prepackaged. I'm still relatively new to Linux but, it is so much better than window's in my opinion and I love learning but security and open source was my main reason for switching. Anyway i'm rambling, but very thankful for the info, now i have UFW on my Fedora 38.!

1) F2b is painful to conf. 2) firewall very much so. 3) prioritizing repos, much worse the packages, is extremely painful to conf on top of keeping up with multiple repos (keeping up with repos ain't nearly as painful cuz they change rarely). 4) the pkg manager always uses the newest packages and will warn you when a dep conflict occurs (so I don't understand your point). 5) AppArmor/SEL is the worst pain to conf.

Thanks for the info! I may have watched this video before, applied the recommended UFW settings, and quickly forgot all about it (my system said that UFW was active), but just to be sure I set the settings you lay out anyway. It's very easy to get caught in the mindset, "I use Linux so I'm safe". You still have to take basic precautions, even if Linux might be safer in some ways than Windows.

Hi Chris. Thanks for the video, excellent work. Perhaps Safing Portmaster is a better firewall option for desktop users as it's got an excellent gui and can easily block individual apps.

I gonna remember your quote "security is a journey not a destination" 😋👍

Encrypt the drive with sensitive data on it, because like Windows, a live disk can get access. This is how data is stolen off of laptops stolen. If these drives were encrypted, then there would be a lot less data breaches out there from stolen laptops.

Good stuff as always Chris!

Thanks for this video. I am learning and loving linux now. Using Nobara 36 distro based on Fedora 36.

I'll take a look at that apparmor docs right away. Thanks for the heads up Chris! ✌😎

Great advice. Thanks Chris

Thank you! I was looking for something like this!

Why are those ports allowed INTO the system if you are not a server? shoudnt those be outgoing only?

Thanks Chris for the info, definitely learned a few things.

Setting up arch as we speak. Cool vid

On a laptop why not go with defaults: deny anything coming into this system? It's what I do... I get it if you have apps and processes that require it, but I'd lock it down until I found that I needed a config change.... (?)

Great work 🥳🥳🥳 Thank you 💜💜💜

Great info as usual much appreciated 🙏

Very helpful video, thank you once again for the great content!!! :)

Chris, thanks for this video. the funny thing is, after applying the UFW rules and for some odd reason, Brave was longer able to access certain websites! I thought it was something else but Firefox had no problems. have to keep an eye on that Brave browser!

NFT Table :)) Btw You're using fedora, firewalld comes by default, not ufw.

Questions: What about setting up firewall rule on pfSense, which I use to manage my local network and WAN. Put it another way, what's the key difference/benefit between setting up firewall on network level and local machine?

Thanks for good lessons today Chris

thanks for the great video, at the 2:29, it should be sudo dnf install ufw and sudo dnf install fail2ban not apt

Thanks for the information, I'm always learning from your videos. I wonder if you might be able to comment on the proper configuration when running virtual machines on a Linux desktop using QEMU / KVM. Is it sufficient to run a firewall on only the host machine? Are there any special considerations when setting up QEMU? Perhaps the subject for another video.... Thanks again!

Fedora uses firewalld by default iirc, on the fail2ban recommendation I'd urge you to look into crowdsec, amazing project!

Fedora has always been enforce mode by default when I've used it

Awesome thanks for sharing!

Currently starting network administration associates, just installed Linux to force myself to learn it and having a lot of trouble so far but i want to stick with it!!

Does UFW uses nftable backend since iptables was remove from Debian ?

Great Video!

Always use a VPN and a proxy chain!

Great VID!

Superb and thanks a lot

Thanks for this video. Please make a video about AppArmor, how do use it in the correct way. This application is on my linux system and I does not notice it, before I watch your video. So, I hope there is time for do that. otherwise give me a hint - where I can looking at. The right way. Thanks for helping - to understanding linux better.

My upstream node is an IPFire Mini-Appliance with Red (external), Green(internal), Blue(WiFi) , and Orange(DMZ) zones and a nice web management interface.

Hey, Will UFW work on fedora with firewalld allready installed? Should i remove firewalld and use UFW? And what is a good setup for firewalld?

I still find it very bizarre that people easily add repositories and allow to install every package from there. Even limiting the names of the packages doesn't change that you simply trust every piece of software from this host address because you don't know what's inside the package. Shouldn't repositories at least provide signatures and public keys from the maintainers of packages? So as a user you could trust people instead of addresses or hosts which might get hacked or infected? I think Arch for example provides a keyring package which contains the public keys of the maintainers from the official repositories. So if the signatures don't match, you can't install a certain package. I think something like that should be the goal, right? Because a host providing a package doesn't really matter as long as it provides the official and signed content, you can verify. So in case any malware or vulnerability might to a user, it's transparent whom to blame. But something which I find missing in this video is far worse than bad verification processes. People still copy & paste code from the internet and execute it without asking questions. People on Windows do this, on macOS and on Linux... this is just plain bad when you don't know what it's doing. I also think this is worse than a missing firewall because a firewall is only necessary when you open ports. Obviously it's less hassle to setup good firewall rules than checking your ports to be sure. But in general there's far less software on Linux which randomly opens a port for arbitrary reasons than on Windows for example... that is the most reason you need to have a firewall on Windows. Because the OS itself will open so much backdoors, you could think it wants to be infiltrated.

Does a HARDWARE FIREWALL, in your router or modem sufficient to protect you, or do you need software as well?

on a desktop you almost never need ssh leave it off

As I understand, UFW is not a firewall, but an interface. The actual firewall is part of the kernel. Am I missing something?

Those firewalls rules are very easy to do with nftables and iptables. In nftables it takes less than 10 lines. Why would desktop users need to open incoming traffic to 80/443 ? Why would desktop users need to allow incoming SSH connections over IPv6? That makes it likely the SSH port is open to the whole world because IPv6 is not behind a NAT firewall and incoming connections on the router may not be blocked. LIMIT SSH in the firewall is not fail2ban, it is rate limiting connections to SSH. It's just slowing down the bruteforcing of SSH to where it's impractical. SSH needs to be secured on it's own. Logins with passwords disabled, root logins disabled, all cryptography algos that you don't use disabled. mDNS is not just DNS. It's zeroconf Apple stuff that is usually useless and an extra liability. It should be disabled in systemd-networkd and it's traffic blocked too.

Good video, but not sure why you would need ports 80 and 443 open if you are not running a web server.

2:35 Why did it say "error problem running" and why did he not react to that? Was that expected? Is it not an issue?

great video, good info.

Good info, you definitely hit the big three. Also, it may not be a bad idea to do some follow up videos on each of those with some more in-depth explanations and examples of what they do. Based on on I'm seeing in the comments it looks like it may benefit a lot of folks.

Thanks again. Maybe a future vid could delv more deeply into other issues that are the next big 3.

Thanks for the info- as desktop users numbers go up we will be a larger target.

One important security advice, don't be tempted to install whatever software from whatever places. Be conservative and instead use only the main OS repository. If you need more, maybe add Flatpak, but still be very conservative on what to get from it. If a software is available in your OS repo - just download that version, and not Flatpak's one.

Chris, what do you think abt feasibility of free antivirus soft (Clam for example) on workstations?

In Fedora is Firewalld...

Can't I just configure Firewalld the same way as UFW?

but what about firewalld? it's pre intalled in my fedora.

Question, by the way love your channel! But how come when I check my public ip then run nmap it said 23/tcp open telnet and 53/tcp open domain; So i closed these using ufw deny and i run nmap again on my public ip and there still open, but UFW says Deny IN. I am not sure what is going on here, I just installed Mint and trying to lock it down.

Great, thanks!

1:30 Doesnt Fedora have FirewallD enabled and active by default??

I have ufw on my Ubuntu and it shows active in the terminal but does not show anything else. But how can I get into ufw in order to set up the rules? New user.

What is your take on RPM Fusion Chris?

good video,today i learn new things about linux

hmm isn't fedora shipped with firewalld by default? would explain why ufw was not present...

WTF are you talking about ? First neither selinux or apparmor are permissive by default at least not in RHEL, Fedora, or Ubuntu. They may be if you install them on a system that does not include these tools by default but installing and configuration of these tools is way beyond this video. UFW is a decent tool are other tools you mention but why install additional packages when iptables will do the same? It just doesn't make sense on servers. Also a firewall does nothing at all if you do not have a server installed or if you allow connections to the server. For example a firewall does nothing if you do not have a web server installed as nothing is listening on port 80 or if you are running a web server you then allow port 80 through the firewall so in this example a firewall does nothing. It is by far more important to learn to secure the servers you do install. Last although I now use rpm systems I have never seen problems with multiple repositories and pinning is not generally necessary nor does it add security. Either your repo is trustworthy or not and pinning is not a security feature. Instead don't add repos you do not use or trust. While I appreciate security you really need to do a little more homework.

In the video you are using fedora which comes with firewall-d by default so I don't see any need to install ufw

Chris, can you please update your The Ultimate Linux Gaming Guide on your site for fedora 36 because I want to install nvidia drivers and optimus but every tutorial I found is for x-org and/or for older version of fedora and I'm on fedora 36 kde spin and it uses wayland.

Most users don't use a public ip address. So it is quite safe from the gecko. Furthermore most routers have a firewall. In addition if you activate a firewall on your computer you are in a good territory.

Linux desktop by default is pretty much insecure. But almost none of these points matter. On a NAT network like home, firewall is not that useful. Also there is no point in allowing 80 and 443 incoming ports. Usually people doesn't run webserver on desktop. Repo pinning is a valid point but a better approach would be not to add repo at all. Use a container like podman for such softwares. Selinux or apparmour comes by default on standard desktops like Fedora or Ubuntu. These are MAC and has nothing to do with app security. For that use sandbox like bubblewrap (flatpak), landlock and secure display protocol like wayland.

Is portmaster is the better firewall than firewalld and ufw/gufw

Doesn't Fedora use firewalld?

4:50 Linux repositories. Excellent point on multiple repository conflicts (which repository updates my system to which program version). Beyond this I feel a giant gaping hole in Linux security is the lack of corporate oversight for updates to the repository. Assume you are a hacker that wants to infect a system with malware. Would it make more sense to devote time to persuading users to install your malware or push the malware to a Linux repository? Beyond repositories consider there are more than 600 Linux distributions. Who is inspecting all of the distributions, all of the respins, all of the distribution/respin releases, and every update to all of the repositories which Linux distribution owners might create? So why the concern over a corporately maintained repository and for that matter distros? A corporation has the finances to assign technical resources to review submissions to their repository, pay for external audits, and secure the repository from infiltration. This corporate repository would immediately come under the scrutiny of security and privacy advocates. Currently there are over 600 distros out there. How much security/privacy advocate attention are each of these distributions, much less their repositories, receiving? Who would want a corporately distributed Linux offering? Someone like me. I purchased a notebook from a Microsoft Store location in December 2015 and 6 years later MS won’t allow me to upgrade to Windows 11 as my processor is not an eighth-generation or higher processor. Running Windows 10, my Microsoft Store notebook will simultaneously run VirtualBox Windows 11 and Windows 10 VMs. In 17 months, MS will provide no option for this hardware purchased at one of their store. For me, a Linux variant would be more than sufficient but where do you get a Linux variant with corporate oversight that compares favorably on a cost basis to Microsoft. Consider MS Windows 10-year life cycle with a free upgrade to Windows 11. BestBuy sells Windows 11 for $130. Considering a Windows 10 purchase will get you about 20 years of support, remember the Windows 11 free upgrade, you’re paying about $130/20 years = $6.5 per year for software, updates, and limited support. I would literally pay a corporation providing secured access to their distros/repositories $10/year vs bending the knee to MS and saving a few bucks per year.

Could anyone help if I have fedora and didn't know about 'firewalld' and installed 'ufw' - how would I uninstall or remove ufw?

Good the other point is to think in layers but glad you stated that. BTW did you see the github shenanigans?

thanks for all bro one question no relation whit this video but i now how can install steam in me distro i'm used tinycore and no find how pls help me

fedora uses by default firewalld the command is firewall-cmd

what distro are you using?

You are simply awesome 😘

T-man update with a great video once again!

I have a question about ufw (or how firewalls work in general I guess). Just for fun I set ufw to deny everything including all outgoing. My internet connection effectively halted, which was expected. BUT my bittorrent client Deluge continued to download files. Can someone explain how this can be?

Good video.