Michael Lazin via plug on 27 Jul 2021 16:08:22 -0700



[PLUG] ufw doesn't block entrance from localhost


This may seem obvious, but if you have something listening locally, at least on Ubuntu 20.04, the port is open locally in spite of any firewall rules.  I will demonstrate:

$ nc -vz 127.0.0.53 53
Connection to 127.0.0.53 53 port [tcp/domain] succeeded!
$ nc -vz 10.0.0.73 53
nc: connect to 10.0.0.73 port 53 (tcp) failed: Connection refused


https://unix.stackexchange.com/questions/612416/why-does-etc-resolv-conf-point-at-127-0-0-53

This article points to systemd-resolved as being the reason that this port is open locally, but this raises a question.  If you have any port open and UFW firewall rules don't block ingress from localhost, it is possible that malware could be designed to connect to local ports on Linux.  This was literally only a thought I had when I noticed this strange behavior; it seemed counter-intuitive that you could lock down all ports with UFW and yet you can connect to ports locally with netcat.

I googled this and found this fascinating article on blocking ports:

https://blog.imunify360.com/hiddenwasp-how-to-detect-malware-hidden-on-linux-iot

It doesn't say anything about blocking ports on localhost.  I wonder if others have thought of this. Does this look like an actual threat vector, or is this just a natural function of the design of systemd with no dangerous consequences?  I am curious what others might think, because this seems like a possible security oversight if there is no way to block ports on localhost, but maybe I am missing something.

Thanks,

Michael Lazin

.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
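The behaviour in the post follows from ufw's default rules: /etc/ufw/before.rules accepts all traffic on the lo interface, so anything bound to 127.0.0.x or ::1 stays reachable by local processes no matter what ufw's other rules say. The defensive question is therefore which listeners are loopback-only (reachable by any local process) versus externally bound (what ufw actually governs). The script below is an added example, not code from the post or from the ufw project; it parses `ss -ltnH` output (a constructed sample is embedded so it runs offline) and the function names are my own.

```shell
#!/bin/sh
# Added example: classify listening TCP sockets from `ss -ltnH`-style lines.
# ufw's shipped before.rules contains "-A ufw-before-input -i lo -j ACCEPT",
# so "loopback" listeners below are reachable by any local process regardless
# of ufw policy; only "external" ones are subject to ufw's INPUT rules.

# Read ss lines on stdin; print "loopback PORT" or "external ADDR:PORT".
classify_listeners() {
    awk '{
        # ss -ltnH columns: State Recv-Q Send-Q Local:Port Peer:Port [Process]
        local_addr = $4
        n = split(local_addr, parts, ":")
        port = parts[n]                       # text after the last colon
        addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
        # 127.0.0.53%lo, 127.0.0.1 and [::1] are loopback; strip any %iface
        if (addr ~ /^127\./ || addr == "[::1]")
            print "loopback " port
        else
            print "external " addr ":" port
    }'
}

# Only the ports that ufw cannot shield from local processes.
loopback_ports() {
    classify_listeners | awk '$1 == "loopback" { print $2 }'
}

# Check whether ufw's loopback accept rule is present in a before.rules file
# (defaults to the real path; pass another file to inspect a copy).
ufw_allows_loopback() {
    grep -q -- '-A ufw-before-input -i lo -j ACCEPT' "${1:-/etc/ufw/before.rules}"
}

# Constructed sample of `ss -ltnH` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 [::1]:631 [::]:*'

# Offline demo on the sample; on a live host run: ss -ltnH | classify_listeners
printf '%s\n' "$SAMPLE_SS" | classify_listeners
```

On the sample, the resolver stub on 127.0.0.53:53 and CUPS on [::1]:631 are reported as loopback listeners, which matches why `nc -vz 127.0.0.53 53` succeeds in the post while the same port on the host's LAN address is refused.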