By default, Ubuntu ships with no open ports on public interfaces.
Not entirely true. Technically speaking, Ubuntu ships with minimum open ports, particularly 631, which is for network printing. But such services as mail transfer, ssh, ftp - they all require server software installed on your machine. For instance, ssh port 22 is open on my machine only after I installed openssh-server.
That doesn't mean you're 100% safe, only 89% safe. The other 10% can be added by enabling the default firewall or installing your own.
Does that mean that if I got infected by a keylogger my computer would not send information to the hacker's computer?
I am no information security professional, but I wouldn't be surprised if there were keyloggers that send information through port 80, which is the standard port for internet stuff. Browsers do that, for instance. So the answer is, information could still escape your computer.
Is it possible to download an application (virus/malware) that would open a port on public interface if it had root access?
Yes. As I described a little earlier, if you install ftp or ssh servers, you get ports 25 and 22 open, and you install them as root; so what stops malware doing the same if it has root access? Exactly nothing.
How do I check for open ports on public interfaces? I know netstat -a, netstat, nmap -v localhost, nmap -v -p1-65535 localhost, but they all show different information so I am not sure.
netstat and nmap are two of the basic and best command-line utilities used by system administrators across the world. They're already good, but require learning a bit about the flags.
netstat -tulpan is what I personally use in my checks. This shows all TCP and UDP connections, including listening ones, and prints the connections in IP address (numeric) format. If there's an IP address that is suspicious, it can be checked with nslookup or dig or whois. In addition, the -p flag will tell you what program is using which port or has a connection established. That is pretty useful: you can later look up that process as well as the process ID, eventually locating the executable file.
nmap is good for scanning your local network as well as your own machine. Personally I use sudo nmap -sT -T4 -n 192.168.0.1/24 on my local network to check pretty quickly all the devices on my network, including my own machine. I can see what computers are on the network.
Using nmap -v -p1-65535 localhost my computer finds two ports: Discovered open port 631/tcp on 127.0.0.1 Discovered open port 51072/tcp on 127.0.0.1 Does the IP at the end mean that it's not being sent to another computer?
When you scan with localhost, that means you're scanning your own computer. Localhost, or the address the computer refers to itself by, is set to 127.0.0.1. It's like asking yourself "Who am I?" Well, "I am me" would be the response.
That means you have ports 51072 and 631 open. 631 is open by default, but 51072 is a little trickier. Ports from 1024 to 65534 are used to establish temporary connections, for example by internet browsers. Typically they're opened and then closed, but if it's persistent you may already have some form of malware installed, not necessarily a keylogger.
I'd suggest you disconnect the computer from the network immediately. Examine your Autostart entries, change your password with sudo passwd $USER, and enable Ubuntu's default firewall with sudo sed -i 's;ENABLED=no;ENABLED=yes;g' /etc/ufw/ufw.conf. Make sure you change/enable the router admin password (not the wifi password, the actual password that allows you to make settings changes to your router), preferably from another computer.
After that you should be able to return to your internet browsing, but you may want to observe your connections, ports, behavior of the machine. Avoid doing anything that could compromise important passwords and logins. If you still have an issue, consider asking information security professionals for help.
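An added example, not part of the answer above, of automating the netstat -tulpan check it describes. The POSIX shell function below reads netstat output on stdin and keeps only sockets that are listening on a non-loopback address (the ones other machines can actually reach), printing the owning PID/program from the -p column and marking listeners above port 1023 so that a persistent high port such as the 51072 in the question stands out when it is bound to a public interface. The input is a constructed sample written for this example, not output captured from a real host, and the function name public_listeners is my own.

```shell
# Constructed sample of `netstat -tulpan` output (made up for this example,
# not captured from a real machine). Column layout matches net-tools netstat.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      812/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1023/sshd
tcp        0      0 127.0.0.1:51072         0.0.0.0:*               LISTEN      2201/python3
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2390/python3
tcp        0      0 192.168.0.10:41022      93.184.216.34:443       ESTABLISHED 1450/firefox
tcp6       0      0 :::22                   :::*                    LISTEN      1023/sshd
udp        0      0 0.0.0.0:631             0.0.0.0:*                           812/cups-browsed
udp        0      0 127.0.0.53:53           0.0.0.0:*                           650/systemd-resolve'

# Reads netstat -tulpan output on stdin and prints one line per socket that is
# listening on a non-loopback address, i.e. reachable from other machines:
#   proto port address pid/program [note]
public_listeners() {
    awk '
        # Only socket rows; header lines start with other words.
        $1 !~ /^(tcp|tcp6|udp|udp6)$/ { next }
        {
            proto = $1; laddr = $4
            # TCP rows carry a State column (6) before PID/Program (7);
            # UDP rows have no State column, so PID/Program is column 6.
            if (proto ~ /^tcp/) { if ($6 != "LISTEN") next; prog = $7 }
            else                { prog = $6 }
            # Port is the text after the last colon; the rest is the address
            # (this also handles IPv6 forms such as ":::22").
            n = split(laddr, parts, ":")
            port = parts[n]
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            # Sockets bound to loopback cannot be reached from the network.
            if (addr ~ /^127\./ || addr == "::1") next
            line = proto " " port " " addr " " prog
            # A listener above 1023 was started by an ordinary program, not a
            # well-known system service: worth finding out which one and why.
            if (port + 0 > 1023) line = line " (unprivileged port, check the process)"
            print line
        }'
}

# Stand-alone run against the constructed sample. On a real host, pipe the
# live output in instead:  sudo netstat -tulpan | public_listeners
printf '%s\n' "$SAMPLE" | public_listeners
```

On the sample this prints four lines: sshd on 22 (IPv4 and IPv6), cups-browsed on UDP 631, and the python3 process on 8080 with the note. The 631/tcp and 51072/tcp sockets from the question's nmap output are dropped because they are bound to 127.0.0.1 only, and the established firefox connection is dropped because it is not a listener. Running netstat with sudo matters: without root, the PID/Program column is blank for sockets owned by other users.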