Re: essential services? ssh, nfs?

To: debian-user@lists.debian.org
Cc: debian-user@lists.debian.org
Subject: Re: essential services? ssh, nfs?
From: mouss <mlist.only@free.fr>
Date: Sun, 29 Jul 2007 19:22:27 +0200
Message-id: <[🔎] 46ACCCD3.30208@free.fr>
Reply-to: mouss <no.spam.here@free.fr>
In-reply-to: <[🔎] slrnfapihi.m57.tyler.smith@blackbart.mynetwork>
References: <[🔎] slrnfapihi.m57.tyler.smith@blackbart.mynetwork>

Tyler Smith wrote:

Hi,

I'm working through the security quick start how to, and I'm not clear
on what services are required and which ones I can safely remove. I'm
running a single laptop, which I connect to the net via wireless at
home or at cafes, and via an ethernet cable at work.
1) I never login remotely, so I think I can safely do away with
openssh-server?tcp6 *:ssh *:* LISTEN 3026/sshd
2) The how-to suggests that for my setup I don't need anything to do
with NFS - netstat reports rpc.statd and portmap as listening. Can I
just purge nfs-common and portmap?
tcp *:37381 *:* LISTEN 2603/rpc.statdtcp *:sunrpc *:* LISTEN 2578/portmap
3) I have apache installed as a dependency of doc-central. netstat
shows it to be listening to all interfaces. Is there a way to set it
to listen only for local connections? I don't understand this very
well, but it seems I shouldn't need to listen to anyone from the
outside to connect to my docs.
tcp *:www *:* LISTEN 3826/apache

you need to edit apache config file. look for "Listen" and replace thewildcard IP by 127.0.0.1. I personally avoid changing config files thatcome with packages. so here, just use an iptables rule to block incomingtraffic unless you want it.

4) The only remaining listeners I have are:
tcp localhost:929 *:* LISTEN 3721/famdtcp *:auth *:* LISTEN 3661/inetdtcp localhost:smtp *:* LISTEN 3385/exim4
What is auth?

This is the (obsolete?) ident service. you can disable it (after all,windows people don't have it and they have no problem surfing...).

If you use a firewall, make sure to reject packets coming in to thisport, instead of a DROP. Otherwise, services that use ident will be slowat connection time.

 Since famd and exim4 are only listening to localhost,
can I conclude they are not a security risk?


In general, it's ok, but you still need to keep your eyes open:

- make sure incoming traffic to localhost is blocked (just drop). 127.*should not appear on the wire. This really belongs to the IP stack, butas I am not sure it is filtered there, stay safe and add an explicit rule.

- make sure you have no NAT rule that redirects incoming traffic tolocalhost.

Reply to:

References:
- essential services? ssh, nfs?
  - From: Tyler Smith <tyler.smith@mail.mcgill.ca>

Prev by Date: Re: essential services? ssh, nfs?
Next by Date: Re: searching for graphical torrent client
Previous by thread: Re: essential services? ssh, nfs?
Next by thread: how to set network io priority for a process?
Index(es):
- Date
- Thread