I am a cyber security researcher. Here you will find information I have found useful.
I was not surprised to find my Kali virtual machine unprotected; after all, this is a VM normally used by penetration testers, and it is convenient to have every service you spin up reachable for exfiltration.
For example, you are investigating a compromise and spin up a Samba share to copy data over from a Windows host. While that share is up, it is also exposed to an attacker who may still be on the network. There are, of course, ways to mitigate this, such as requiring a username and password on the share, but why not control access altogether?
First, let's install UFW; the standard Kali installation does not include it. If you administer the VM over SSH, add an allow rule for port 22 before enabling the firewall, otherwise the default deny policy will cut off your session.
sudo apt install ufw
sudo ufw enable
Next, set the default policy to deny all incoming traffic. This is already UFW's built-in default, but setting it explicitly documents the intent:
sudo ufw default deny incoming
I also like to be unreachable on the network and ignore ping. In /etc/ufw/before.rules, comment out the following lines by prefixing each with #, then run sudo ufw reload so the change takes effect:
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
Only the echo-request lines answer ping. The destination-unreachable, time-exceeded and parameter-problem lines accept ICMP error messages that path MTU discovery and traceroute depend on, so if you only want to stop responding to ping, comment out just the echo-request lines. IPv6 echo requests are accepted separately in /etc/ufw/before6.rules.
Now when I create a service I can open that port for a single host while the service is running and close it when finished. Here the share is reachable only from {target-ip}; smbserver.py is Impacket's SMB server, which Kali also installs as impacket-smbserver:
sudo ufw allow from {target-ip} to any port 445
sudo python3 smbserver.py -smb2support Exfil /home/sambamount
When you are done with the service the rule can be removed by its number. Note that the numbers shift after every deletion, so check the numbered list again before deleting another rule:
sudo ufw status numbered
sudo ufw delete {number}
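As an added example, not from the original post, the same open-serve-close cycle wrapped in a POSIX shell script. It assumes ufw is installed and enabled and that sudo works; the function names, the DRY_RUN variable (which prints the ufw commands instead of running them) and the peer address 192.0.2.10 are my own choices. It goes a little beyond the steps above: the rule is restricted to TCP, it is removed by its specification rather than by number, so renumbering cannot bite, and it is also removed when the service is interrupted with Ctrl-C.

```shell
#!/bin/sh
# Added example, not from the original post: open one ufw port for one peer only
# while a service runs, then remove the rule again, even when the service is
# interrupted with Ctrl-C. Assumes ufw is installed and enabled; set DRY_RUN=1
# to print the ufw commands instead of running them.
set -eu

# Succeed only if $1 is a dotted-quad IPv4 address with each octet in 0-255.
valid_ipv4() {
    _ip=$1
    case $_ip in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _oldifs=$IFS
    IFS=.
    set -- $_ip
    IFS=$_oldifs
    [ "$#" -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
}

# Print the rule specification that admits one peer to one local TCP port,
# i.e. the arguments that follow "ufw allow" and "ufw delete allow".
rule_spec() {
    _peer=$1
    _port=$2
    valid_ipv4 "$_peer" || { echo "bad peer address: $_peer" >&2; return 1; }
    case $_port in
        ""|*[!0-9]*) echo "bad port: $_port" >&2; return 1 ;;
    esac
    [ "$_port" -ge 1 ] && [ "$_port" -le 65535 ] || { echo "bad port: $_port" >&2; return 1; }
    printf 'proto tcp from %s to any port %s\n' "$_peer" "$_port"
}

# Run a ufw command, or only print it when DRY_RUN=1.
ufw_cmd() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "ufw $*"
    else
        sudo ufw "$@"
    fi
}

# Usage: with_open_port PEER PORT COMMAND [ARGS...]
# Opens the port for the peer, runs the command, and closes the port afterwards.
with_open_port() {
    _spec=$(rule_spec "$1" "$2") || return 1
    shift 2
    # $_spec is intentionally left unquoted so it becomes separate ufw arguments.
    ufw_cmd allow $_spec
    # Delete by rule specification, not by number: numbers shift as rules come and go.
    trap "ufw_cmd delete allow $_spec; exit 130" INT TERM
    _status=0
    "$@" || _status=$?
    trap - INT TERM
    ufw_cmd delete allow $_spec
    return "$_status"
}

# Example invocation (hypothetical peer address), run only when the script is
# executed directly with arguments: with_open_port PEER PORT COMMAND...
if [ "$#" -ge 3 ]; then
    with_open_port "$@"
fi
```

Save it as, say, serve.sh and run sudo sh serve.sh 192.0.2.10 445 python3 smbserver.py -smb2support Exfil /home/sambamount; the allow rule exists only for as long as the SMB server does. Set DRY_RUN=1 first to see the two ufw commands without touching the firewall.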
It can't hurt to take extra precautions when connecting to any network.