
Re: essential services? ssh, nfs?



On Sun, Jul 29, 2007 at 04:11:55PM +0000, Tyler Smith wrote:
> 
> I'm working through the security quick start how to, and I'm not clear
> on what services are required and which ones I can safely remove. I'm
> running a single laptop, which I connect to the net via wireless at
> home or at cafes, and via an ethernet cable at work. 
> 
> 1) I never login remotely, so I think I can safely do away with
> openssh-server? 

If you don't need it, and a package isn't there to meet a dependency,
get rid of it.

> 
> tcp6        *:ssh                   *:*       LISTEN     3026/sshd           
> 
> 2) The how-to suggests that for my setup I don't need anything to do
> with NFS - netstat reports rpc.statd and portmap as listening. Can I
> just purge nfs-common and portmap?
> 
> tcp         *:37381                 *:*       LISTEN     2603/rpc.statd      
> tcp         *:sunrpc                *:*       LISTEN     2578/portmap        
> 

Ditto.


> 3) I have apache installed as a dependency of doc-central. netstat
> shows it to be listening to all interfaces. Is there a way to set it
> to listen only for local connections? I don't understand this very
> well, but it seems I shouldn't need to listen to anyone from the
> outside to connect to my docs.
> 
> tcp         *:www                   *:*       LISTEN     3826/apache         
> 

I've never run apache so don't know.

> 4) The only remaining listeners I have are:
> 
> tcp         localhost:929           *:*       LISTEN     3721/famd           
> tcp         *:auth                  *:*       LISTEN     3661/inetd          
> tcp         localhost:smtp          *:*       LISTEN     3385/exim4          
> 
> What is auth? Since famd and exim4 are only listening to localhost,
> can I conclude they are not a security risk?
> 

What do you have uncommented in /etc/inetd.conf?  I don't have anything,
so inetd doesn't start up at boot.

Finally, as the last defence, do you have a good firewall setup?  I use
shorewall with a default net to all DROP and everything else REJECT,
then open ports as needed in rules.

Doug.
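As an added example (not part of the thread), the sort of check a reader could run to answer the recurring question above, "which of these listeners are reachable from outside?": a small shell function that reads netstat-style LISTEN lines and tags each socket LOCAL (bound to loopback) or EXPOSED (bound to a wildcard or real interface address). The sample input below is constructed to mirror the lines quoted in the thread; on a live system the same function accepts the output of `netstat -plnt` (which carries two extra Recv-Q/Send-Q columns the parser tolerates). The function names and the column assumptions are mine, not anything from the list or from Debian.

```sh
#!/bin/sh
# Constructed sample in the shape of the netstat output quoted in the thread.
SAMPLE='tcp6        *:ssh                   *:*       LISTEN     3026/sshd
tcp         *:37381                 *:*       LISTEN     2603/rpc.statd
tcp         *:sunrpc                *:*       LISTEN     2578/portmap
tcp         *:www                   *:*       LISTEN     3826/apache
tcp         localhost:929           *:*       LISTEN     3721/famd
tcp         *:auth                  *:*       LISTEN     3661/inetd
tcp         localhost:smtp          *:*       LISTEN     3385/exim4'

# classify_listeners: reads netstat-style lines on stdin and prints one line
# per listening socket: TAG PROTO LOCAL-ADDRESS PID/PROGRAM, where TAG is
# LOCAL for loopback-only binds and EXPOSED for anything else. It locates the
# LISTEN column rather than assuming a fixed field count, so both the
# 5-column form quoted above and the 7-column `netstat -plnt` form parse.
classify_listeners() {
    awk '
        /LISTEN/ {
            for (i = 1; i <= NF; i++) if ($i == "LISTEN") break
            if (i > NF) next                     # LISTEN not an exact field
            local = $(i - 2); prog = $(i + 1)
            host = local; sub(/:[^:]*$/, "", host)   # strip trailing :port
            if (host == "localhost" || host == "127.0.0.1" || host == "::1")
                tag = "LOCAL"
            else
                tag = "EXPOSED"
            printf "%s %s %s %s\n", tag, $1, local, prog
        }'
}

# exposed_listeners: only the sockets reachable from other hosts, which are
# the ones worth either removing (the package) or binding to loopback.
exposed_listeners() {
    classify_listeners | grep '^EXPOSED'
}

# Stand-alone run: show the classification of the constructed sample.
printf '%s\n' "$SAMPLE" | classify_listeners
```

Run against real output with `netstat -plnt | classify_listeners` (as root, so the PID/Program column is filled in). For the Apache case the reply could not answer: Apache's `Listen` directive accepts an address as well as a port, so `Listen 127.0.0.1:80` in its configuration restricts it to loopback and the line would move from EXPOSED to LOCAL without purging the package.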


