Security: Internet exposure of listening network port


Recommended Posts

Hi,

1st question:

  • Is it from a security point of view relatively safe to directly expose the listening port to the internet?

To my understanding this is necessary if I do not want to use a relay server and all devices are NATed?
A VPN would restrict use cases a lot.
I do of course not expose the Mgmt. UI - not sure how safe that would be at all.

2nd question:

  • Additionally I was wondering why there is no apparmor profile installed by default. Wouldn't that be best practice for applications with direct internet exposure?

Thanks,
-b

 

Link to comment
Share on other sites

29 minutes ago, binaryanomaly said:

Additionally I was wondering why there is no apparmor profile installed by default. Wouldn't that be best practice for applications with direct internet exposure?

I fully agree. Though, I think in practice this could lead to some problems:

  • Debian does not run AppArmor by default (only Ubuntu).
  • If the user is not aware of AppArmor, they might have troubles using Bittorrent Sync.
  • Bittorrent Sync can also be used as a normal user (there is a systemd unit file for this), this would require different AppArmor profiles.

That said, I use the following profile:

#include <tunables/global>

/usr/bin/btsync {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  / r,
  /etc/btsync/config.json r,
  /etc/issue r,
  /etc/passwd mr,
  /home/ r,
  /home/*/ r,
  /home/btsync/ rw,
  /home/btsync/** rw,
  /run/btsync/btsync.pid rwk,
  /sys/devices/** r,
  /tmp/btsync_dumps/ w,
  /var/ r,
  /var/lib/ r,
  /var/lib/btsync/ r,
  /var/lib/btsync/** mrwk,
}

(I have created the /home/btsync directory to store folders.)

Link to comment
Share on other sites

3 hours ago, iswrong said:

I fully agree. Though, I think in practice this could lead to some problems:

  • Debian does not run AppArmor by default (only Ubuntu).
  • If the user is not aware of AppArmor, they might have troubles using Bittorrent Sync.
  • Bittorrent Sync can also be used as a normal user (there is a systemd unit file for this), this would require different AppArmor profiles.

That said, I use the following profile:

(I have created the /home/btsync directory to store folders.)

Thanks @iswrong I start with your profile for the time being - until we have something from resilio ;)

Personally I think it would make a lot of sense to have a locked down, secure standard configuration with apparmor (even if it's only for Ubuntu).
People with special needs can always apply special settings and it makes them think twice
Imho there is value in a secure standard configuration.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.