Re: laptop protection in an office network
Hi.
On Sat, 29 Aug 2015 13:25:28 -0500
rlharris@oplink.net wrote:
> On Sat, August 29, 2015 6:53 am, tomas@tuxteam.de wrote:
> > Also netstat (issued from your laptop) gives insight. For example
> > 'netstat -lntu' shows you the TCP or UDP listening sockets. If you are
> > root (or sudo, of course), the extra option -p tells you which process is
> > "at the other side" listening.
> >
> > Note that the dhcp client itself (which you need to get an IP address to
> > take part in your customer's network) puts you already at some risk,
> > depending on how it's configured.
>
> Here is the output from the laptop:
>
> # netstat -lntup
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
> tcp 0 0 0.0.0.0:9999 0.0.0.0:* LIS 561/inetd
> tcp 0 0 0.0.0.0:111 0.0.0.0:* LIS 530/rpcbind
> tcp 0 0 0.0.0.0:46225 0.0.0.0:* LIS 540/rpc.statd
> tcp 0 0 0.0.0.0:22 0.0.0.0:* LIS 568/sshd
> tcp 0 0 127.0.0.1:631 0.0.0.0:* LIS 1248/cupsd
> tcp 0 0 127.0.0.1:5432 0.0.0.0:* LIS 675/postgres
> tcp 0 0 127.0.0.1:25 0.0.0.0:* LIS 1063/exim4
> tcp 0 0 127.0.0.1:2628 0.0.0.0:* LIS 599/0
> tcp6 0 0 :::111 :::* LIS 530/rpcbind
> tcp6 0 0 :::38930 :::* LIS 540/rpc.statd
> tcp6 0 0 :::22 :::* LIS 568/sshd
> tcp6 0 0 ::1:631 :::* LIS 1248/cupsd
> tcp6 0 0 ::1:5432 :::* LIS 675/postgres
> tcp6 0 0 ::1:25 :::* LIS 1063/exim4
> udp 0 0 0.0.0.0:36358 0.0.0.0:* 612/avahi-daemon:r
> udp 0 0 0.0.0.0:631 0.0.0.0:* 647/cups-browsed
> udp 0 0 0.0.0.0:689 0.0.0.0:* 530/rpcbind
> udp 0 0 127.0.0.1:716 0.0.0.0:* 540/rpc.statd
> udp 0 0 0.0.0.0:57106 0.0.0.0:* 540/rpc.statd
> udp 0 0 0.0.0.0:111 0.0.0.0:* 530/rpcbind
> udp 0 0 192.168.1.99:123 0.0.0.0:* 664/ntpd
> udp 0 0 127.0.0.1:123 0.0.0.0:* 664/ntpd
> udp 0 0 0.0.0.0:123 0.0.0.0:* 664/ntpd
> udp 0 0 0.0.0.0:5353 0.0.0.0:* 612/avahi-daemon:r
> udp6 0 0 :::689 :::* 530/rpcbind
> udp6 0 0 :::43913 :::* 540/rpc.statd
> udp6 0 0 :::111 :::* 530/rpcbind
> udp6 0 0 fe80::ba70:f4ff:fe2:123 :::* 664/ntpd
> udp6 0 0 ::1:123 :::* 664/ntpd
> udp6 0 0 :::123 :::* 664/ntpd
> udp6 0 0 :::5353 :::* 612/avahi-daemon:r
> udp6 0 0 :::44274 :::* 612/avahi-daemon:r
> #
>
> Regrettably, the formatting of the output does not consider the need to
> include the output in the body of an e-mail, so editing was required to
> remove excess spaces so as to prevent every line from being wrapped.
Something like this should save you from the most troubles provided
that you don't plan to use your laptop as a print server or NFS:
# IPv4: default-deny inbound; allow loopback, ICMP and replies to
# connections the laptop initiated; open only ssh (22/tcp) and ntp (123/udp).
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED \
    -j ACCEPT
iptables -A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED \
    -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -P FORWARD DROP

# IPv6: same policy. Loopback has to be accepted here as well, otherwise
# the ::1 listeners above (cupsd, postgres, exim4) become unreachable
# locally; ICMPv6 must stay open because neighbour discovery depends on it.
ip6tables -P INPUT DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED \
    -j ACCEPT
ip6tables -A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED \
    -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p udp --dport 123 -j ACCEPT
ip6tables -P FORWARD DROP
Of course, it's a *very* simplistic set of rules (for example, someone
may consider accepting ssh connections from arbitrary hosts a bad idea),
but it should work.
Two things I'm unsure of are:
1) Avahi's udp 5353. I don't see any value in mDNS (especially in an office
network), but YMMV.
2) Whatever thing you're listening for on tcp 9999 with inetd.
Reco
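A small checker that mechanises the exercise in this thread: parse `netstat -lntup` output, separate loopback-only sockets from network-facing ones, and report which of the latter the ruleset above would still let through. This is an added example, not code from the thread; the sample input is a constructed excerpt in the same format as the output quoted above, and the allow-list mirrors the two accepted ports (22/tcp, 123/udp).

```python
"""Classify listeners from `netstat -lntup` output against a firewall
allow-list. Added example; not part of the original mail thread."""

# Constructed sample in the space-normalised `netstat -lntup` format.
NETSTAT_SAMPLE = """\
tcp 0 0 0.0.0.0:9999 0.0.0.0:* LIS 561/inetd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LIS 568/sshd
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LIS 675/postgres
tcp6 0 0 :::111 :::* LIS 530/rpcbind
tcp6 0 0 ::1:631 :::* LIS 1248/cupsd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 612/avahi-daemon:r
udp 0 0 0.0.0.0:123 0.0.0.0:* 664/ntpd
udp 0 0 192.168.1.99:123 0.0.0.0:* 664/ntpd
udp6 0 0 fe80::ba70:f4ff:fe2:123 :::* 664/ntpd
"""

# (proto, port) pairs the iptables/ip6tables rules in the mail accept.
ALLOWED = {("tcp", 22), ("udp", 123)}

LOOPBACK_PREFIXES = ("127.", "::1")


def parse_listeners(text):
    """Yield (proto, bind_addr, port, program) for each socket line;
    header lines and anything that is not tcp/udp are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith(("tcp", "udp")):
            continue
        proto = f[0].rstrip("6")          # tcp6 -> tcp, udp6 -> udp
        addr, port = f[3].rsplit(":", 1)  # last colon separates the port
        yield proto, addr, int(port), f[-1]


def is_network_facing(addr):
    """True unless the socket is bound to a loopback address only."""
    return not addr.startswith(LOOPBACK_PREFIXES)


def classify(text, allowed=ALLOWED):
    """Bucket listeners into 'local' (loopback only), 'reachable'
    (network-facing and permitted by the allow-list) and 'blocked'
    (network-facing but dropped by the default-deny INPUT policy)."""
    out = {"reachable": set(), "blocked": set(), "local": set()}
    for proto, addr, port, prog in parse_listeners(text):
        key = (proto, port, prog)
        if not is_network_facing(addr):
            out["local"].add(key)
        elif (proto, port) in allowed:
            out["reachable"].add(key)
        else:
            out["blocked"].add(key)
    return out
```

Services in the "blocked" bucket (inetd on 9999, rpcbind, avahi) are the ones worth disabling outright, since the firewall is the only thing keeping them off the customer's network.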