About

I am a cyber security researcher. Here you will find information I have found useful.

UFW (uncomplicated firewall)

A necessary addition to any Linux installation

I was not surprised to find my Kali virtual machine unprotected; after all, this is a VM normally used by penetration testers, and it is convenient to have every service you create reachable for exfiltration.

Treat foreign networks as hostile

For example, you are investigating a compromise, and perhaps you spin up a Samba share to copy data over from a Windows host. While that share is up, it is also exposed to an attacker who may still be on the network. There are, of course, ways to mitigate this, such as requiring a username and password on the share, but why not control access altogether?

Get familiar with controlling UFW

First, let's install UFW; the standard installation does not include it.

    sudo apt install ufw 
    sudo ufw enable
    

Next, let's set the default deny rule for all incoming traffic:

    sudo ufw default deny incoming
    

I also like the host to be unreachable on the network and to ignore ping. In /etc/ufw/before.rules, comment out the following lines:

    # ok icmp codes for INPUT
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
    
    # ok icmp code for FORWARD
    -A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
    

Now, when I start a service, I can open its port temporarily, for a single source address only, and close it when finished:

    sudo ufw allow from {target-ip} to any port 445
    sudo python3 smbserver.py -smb2support Exfil /home/sambamount
    

When you are done with the service, the rule can be removed by listing the rules with their numbers and deleting the matching one:

    sudo ufw status numbered
    sudo ufw delete {number}
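
The open-serve-close sequence above can be wrapped so the rule is removed automatically when the service exits, instead of being looked up by hand afterwards. The script below is an added example, not part of the original post: it opens the port for one source host, runs whatever command you pass it, and on exit parses `ufw status numbered` to delete exactly the rule it created. It assumes ufw is installed and that `sudo` works non-interactively; the host addresses and the sample status output used to illustrate the parsing are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original post): open a port for a single host,
# run a service, and remove exactly that ufw rule when the service exits.
# Assumes ufw is installed. Addresses below are constructed sample values.

# Constructed sample of `sudo ufw status numbered` output, used to show
# how the rule number is recovered for deletion.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    10.0.0.5
[ 2] 445                        ALLOW IN    10.0.0.7
[ 3] 445                        ALLOW IN    10.0.0.9'

# find_rule_number TO FROM STATUS_TEXT
# Prints the number of the first rule whose "To" column equals TO and whose
# "From" column equals FROM; prints nothing if there is no such rule.
find_rule_number() {
    printf '%s\n' "$3" | awk -v to="$1" -v from="$2" '
        /^\[/ {
            num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
            rest = $0; sub(/^\[[^]]*\] */, "", rest)
            $0 = rest                      # re-split on the remaining columns
            if ($1 == to && $NF == from) { print num; exit }
        }'
}

# Remove the rule recorded in RULE_HOST / RULE_PORT, if it still exists.
# --force skips the interactive confirmation so this works from a trap.
cleanup_rule() {
    num=$(find_rule_number "$RULE_PORT" "$RULE_HOST" "$(sudo ufw status numbered)")
    [ -n "$num" ] && sudo ufw --force delete "$num"
}

# serve_once HOST PORT COMMAND...
# Allows HOST to reach PORT, runs COMMAND, and deletes the rule afterwards
# whether COMMAND exits normally or the script is interrupted.
serve_once() {
    RULE_HOST="$1"; RULE_PORT="$2"; shift 2
    sudo ufw allow from "$RULE_HOST" to any port "$RULE_PORT"
    trap cleanup_rule EXIT
    "$@"
}

# Usage, matching the SMB example in the post (hypothetical host address):
#   sh ufw-serve.sh 10.0.0.7 445 python3 smbserver.py -smb2support Exfil /home/sambamount
if [ "$#" -ge 3 ]; then
    serve_once "$@"
fi
```

Because the rule is matched on both the port and the source address, deleting it does not disturb another rule for the same port but a different host (rules 2 and 3 in the sample output). Run `sudo ufw status numbered` once after the script ends to confirm the rule is gone.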
    
Conclusion

It can't hurt to take extra precautions when connecting to any network.