Semi-Related: How difficult is it to "hack into" a default ubuntu install?

[gigabytecoin]

I figured you coding types would know best...

How difficult is it to "hack into" a default ubuntu install that is connected to the internet 24/7 from behind a router.

Is it even possible at all? If there are no remote login programs enabled by default? (I am not even sure if there are any, I am more of a windows user.)
 - Worried Paranoid Bitcoin Holder

[BubbleBoy]

Very hard to estimate, it depends on who you are dealing with. I've had a Debian server rooted simply because it was running a vulnerable exim package for which no fix was available at the time. I required mail receive capability, so without watching Full Disclosure 24h/day or running an IPS there's no way I could have prevented it.
If you are talking about a desktop machine and local attacks, the attack surface is huge. For example someone might send you a crafted pdf that smashes KDE/Gnome when it tries to generate a thumbnail. Someone might send you a crafted USB stick that smashes the userland file system driver or even the kernel when plugged into a port.
A headless machine that's not listening to any ports and it's not used is probably secure, even if connected to the internet. Anything else, it depends who you are dealing with and how far they are willing to go (find new exploits, compromise other devices with which you exchange physical media etc.)

BTW, I bet there are many programs listening to outside connections on your Ubuntu machine. Use this command to list them:

Code:

netstat -plnt

Anything with 0.0.0.0:[portno] or :::[portno] as local bind address is a potential remote vulnerability.

[wumpus]

The most exploited vulnerabilities these days are not the 'front entrances' such as ssh and other open ports, which you can indeed shut out with a router/firewall (as long as there are no other compromised systems within your local network), but people browsing.

Usually by directing people to a site by some other means (ie, "spear fishing")

Flash exploits, Java exploits, browser exploits, and so on. The attack surface of a browser is huge.

Ubuntu is pretty bare by default network service-wise, so I wouldn't worry about that too much (just check with netstat -anp what is open to the outside). But preferably don't browse the internet on it, or do so with a severly restricted account

[marcus_of_augustus]

It has always perplexed me that the bitcoin core users seem to prefer ubuntu/debian over Redhat/Fedora/CentOS linux when they are supposedly "security conscious" elites of some sort ....

... industrial users who "need" security go the enterprise RH, Novell, suse linux direction not the other way ... just saying, seems weird.

For example, btw, has anybody got bitcoin 0.3.23.beta to build on fedora 15? (or any recent non-debian *nix derivative for that matter?)

[wumpus]

It has always perplexed me that the bitcoin core users seem to prefer ubuntu/debian over Redhat/Fedora/CentOS linux when they are supposedly "security conscious" elites of some sort ....

... industrial users who "need" security go the enterprise RH, Novell, suse linux direction not the other way ... just saying, seems weird.

For example, btw, has anybody got bitcoin 0.3.23.beta to build on fedora 15? (or any recent non-debian *nix derivative for that matter?)

Let's please sooo not start a distribution fight. There are many places on the internet where one can find the advantages and disadvantages of every single Linux distribution. The guy was asking about Ubuntu, nothing else. Start your own thread

[Martin P. Hellwig]

It has always perplexed me that the bitcoin core users seem to prefer ubuntu/debian over Redhat/Fedora/CentOS linux when they are supposedly "security conscious" elites of some sort ....

... industrial users who "need" security go the enterprise RH, Novell, suse linux direction not the other way ... just saying, seems weird.

*ahem* (FreeBSD user) ducks for cover, waiting for an OpenBSD user to reply.. :-)

[gigabytecoin]

Very hard to estimate, it depends on who you are dealing with. I've had a Debian server rooted simply because it was running a vulnerable exim package for which no fix was available at the time. I required mail receive capability, so without watching Full Disclosure 24h/day or running an IPS there's no way I could have prevented it.
If you are talking about a desktop machine and local attacks, the attack surface is huge. For example someone might send you a crafted pdf that smashes KDE/Gnome when it tries to generate a thumbnail. Someone might send you a crafted USB stick that smashes the userland file system driver or even the kernel when plugged into a port.
A headless machine that's not listening to any ports and it's not used is probably secure, even if connected to the internet. Anything else, it depends who you are dealing with and how far they are willing to go (find new exploits, compromise other devices with which you exchange physical media etc.)

BTW, I bet there are many programs listening to outside connections on your Ubuntu machine. Use this command to list them:

Code:

netstat -plnt

Anything with 0.0.0.0:[portno] or :::[portno] as local bind address is a potential remote vulnerability.

What if the Ubuntu install is behind a router that isn't forwarding any ports to the machine? I can get by with only 8 connections...

[BubbleBoy]

You might be committing the classic error of mistaking a NAT device for a firewall. Are you sure the router has plug-and-play port forwarding disabled, which can allow any buggy application to listen to external ports ? Are you sure all devices behind the router are secure ? Are you sure the router isn't susceptible to CSRF attacks where by simply viewing an apparently innocuous page, the router can be remotely controlled to forward ports ? Are you sure the router software itself doesn't have remote vulnerabilities ? Can you guarantee that the heuristics employed by the NAT software for some protocols (DNS, FTP etc.) don't expose you to outside attack (hint: they open ports) ?

As I've said, it depends who you are dealing with, and as suggested above, local/browser/social engineering exploits are the most common.
Anyway, I am always available to audit the security of any bitcoin high roller. Just PM me and I'll send an automated security scan tool that can put you mind at ease once and for all  

[Timo Y]

Flash exploits, Java exploits, browser exploits, and so on. The attack surface of a browser is huge.

The problem is that using the bitcoin client on a system without a browser is extremely cumbersome - I make most payments by copy+pasting bitcoin addresses from the web, so a browser is a must.

On the machine where I run bitcoin, I removed all plugins and add-ons from firefox and activated NoScript in addition to switching off javascript.  Anything else I can do to reduce the attack surface?

[marcus_of_augustus]

It has always perplexed me that the bitcoin core users seem to prefer ubuntu/debian over Redhat/Fedora/CentOS linux when they are supposedly "security conscious" elites of some sort ....

... industrial users who "need" security go the enterprise RH, Novell, suse linux direction not the other way ... just saying, seems weird.

For example, btw, has anybody got bitcoin 0.3.23.beta to build on fedora 15? (or any recent non-debian *nix derivative for that matter?)

Let's please sooo not start a distribution fight. There are many places on the internet where one can find the advantages and disadvantages of every single Linux distribution. The guy was asking about Ubuntu, nothing else. Start your own thread

Okay then, as far as ubuntu goes, I wouldn't put more than about 3 btc on any ubuntu machine ... it is gui-bloated bunch of crap. If you must, use ubuntu server and strip out any network capable apps and forget about running a browser in same account as wallet or even on same machine ...

... happy? Only windows would be a worse option.

(Linux user since '96.)