Re: laptop protection in an office network



 Hi.

On Sat, 29 Aug 2015 13:25:28 -0500
rlharris@oplink.net wrote:

> On Sat, August 29, 2015 6:53 am, tomas@tuxteam.de wrote:
> > Also netstat (issued from your laptop) gives insight. For example
> > 'netstat -lntu' shows you the TCP or UDP listening sockets. If you are
> > root (or sudo, of course), the extra option -p tells you which process is
> > "at the other side" listening.
> >
> > Note that the dhcp client itself (which you need to get an IP address to
> > take part in your customer's network) puts you already at some risk,
> > depending on how it's configured.
> 
> Here is the output from the laptop:
> 
> # netstat -lntup
> Active Internet connections (only servers)
> Prot Rec-Q Snd-Q Local Address            Foreign    State PID/Program name
> tcp  0   0    0.0.0.0:9999            0.0.0.0:*  LIS  561/inetd
> tcp  0   0    0.0.0.0:111             0.0.0.0:*  LIS  530/rpcbind
> tcp  0   0    0.0.0.0:46225           0.0.0.0:*  LIS  540/rpc.statd
> tcp  0   0    0.0.0.0:22              0.0.0.0:*  LIS  568/sshd
> tcp  0   0    127.0.0.1:631           0.0.0.0:*  LIS  1248/cupsd
> tcp  0   0    127.0.0.1:5432          0.0.0.0:*  LIS  675/postgres
> tcp  0   0    127.0.0.1:25            0.0.0.0:*  LIS  1063/exim4
> tcp  0   0    127.0.0.1:2628          0.0.0.0:*  LIS  599/0
> tcp6 0   0    :::111                  :::*       LIS  530/rpcbind
> tcp6 0   0    :::38930                :::*       LIS  540/rpc.statd
> tcp6 0   0    :::22                   :::*       LIS  568/sshd
> tcp6 0   0    ::1:631                 :::*       LIS  1248/cupsd
> tcp6 0   0    ::1:5432                :::*       LIS  675/postgres
> tcp6 0   0    ::1:25                  :::*       LIS  1063/exim4
> udp  0   0    0.0.0.0:36358           0.0.0.0:*       612/avahi-daemon:r
> udp  0   0    0.0.0.0:631             0.0.0.0:*       647/cups-browsed
> udp  0   0    0.0.0.0:689             0.0.0.0:*       530/rpcbind
> udp  0   0    127.0.0.1:716           0.0.0.0:*       540/rpc.statd
> udp  0   0    0.0.0.0:57106           0.0.0.0:*       540/rpc.statd
> udp  0   0    0.0.0.0:111             0.0.0.0:*       530/rpcbind
> udp  0   0    192.168.1.99:123        0.0.0.0:*       664/ntpd
> udp  0   0    127.0.0.1:123           0.0.0.0:*       664/ntpd
> udp  0   0    0.0.0.0:123             0.0.0.0:*       664/ntpd
> udp  0   0    0.0.0.0:5353            0.0.0.0:*       612/avahi-daemon:r
> udp6 0   0    :::689                  :::*            530/rpcbind
> udp6 0   0    :::43913                :::*            540/rpc.statd
> udp6 0   0    :::111                  :::*            530/rpcbind
> udp6 0   0    fe80::ba70:f4ff:fe2:123 :::*            664/ntpd
> udp6 0   0    ::1:123                 :::*            664/ntpd
> udp6 0   0    :::123                  :::*            664/ntpd
> udp6 0   0    :::5353                 :::*            612/avahi-daemon:r
> udp6 0   0    :::44274                :::*            612/avahi-daemon:r
> #
> 
> Regrettably, the formatting of the output does not consider the need to
> include the output in the body of an e-mail, so editing was required to
> remove excess spaces so as to prevent every line from being wrapped.


Something like this should save you from most troubles, provided that
you don't plan to use your laptop as a print server or NFS server:

# Start from a known state. Policies go to ACCEPT first, so that flushing
# and rebuilding the chain neither stalls an ssh session you may be loading
# this over nor, on a re-run, appends a second copy of every rule; the DROP
# policy is set last, once the accept rules are in place.
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies to connections the laptop opened itself, whatever the protocol.
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Inbound NTP is only needed if other hosts should query this ntpd; replies
# to its own queries already match ESTABLISHED above.
iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

ip6tables -P INPUT ACCEPT
ip6tables -F INPUT
# Without this the ::1 listeners above (cupsd, postgres, exim4) become
# unreachable even locally once the policy is DROP.
ip6tables -A INPUT -i lo -j ACCEPT
# ICMPv6 carries neighbour discovery and router advertisements; IPv6
# does not work without it.
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p udp --dport 123 -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP

# The rules live only in the kernel: save them (iptables-save/ip6tables-save,
# or the iptables-persistent package) if they should survive a reboot.


Of course, it's a *very* simplistic set of rules (for example, someone
may consider accepting ssh connections from arbitrary hosts a bad idea),
but it should work.


Two things I'm unsure of are:

1) Avahi's udp 5353. I don't see any value in mDNS (especially in an office
network), but YMMV.

2) Whatever thing you're listening for on tcp 9999 with inetd.

Reco
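
The check the thread is doing by hand, as an added example that is not part of
the original exchange: read a `netstat -lntup`-style listing and, for every
socket, say whether it is reachable from the office LAN at all (bound to a
wildcard or interface address rather than loopback) and, if so, whether the
ruleset above would still admit it. The listing inside the script is
constructed for the example, modelled on the one quoted in the thread; the
allowed-port list (tcp/22 and udp/123 on both address families) is taken from
the rules and is the one assumption the classification rests on.

```bash
#!/bin/sh
# Added example: classify listening sockets by network exposure and by what the
# INPUT chain in the post would do with them. Not code from the original post.

# Constructed sample in real netstat column order (proto, recv-q, send-q, local
# address, foreign address, [state], pid/program). State is absent on udp
# lines, so the pid/program field is always the last one.
SAMPLE_LISTENERS='
tcp   0 0 0.0.0.0:9999      0.0.0.0:* LISTEN 561/inetd
tcp   0 0 0.0.0.0:111       0.0.0.0:* LISTEN 530/rpcbind
tcp   0 0 0.0.0.0:22        0.0.0.0:* LISTEN 568/sshd
tcp   0 0 127.0.0.1:631     0.0.0.0:* LISTEN 1248/cupsd
tcp   0 0 127.0.0.1:5432    0.0.0.0:* LISTEN 675/postgres
tcp6  0 0 :::111            :::*      LISTEN 530/rpcbind
tcp6  0 0 ::1:631           :::*      LISTEN 1248/cupsd
udp   0 0 0.0.0.0:631       0.0.0.0:*        647/cups-browsed
udp   0 0 192.168.1.99:123  0.0.0.0:*        664/ntpd
udp   0 0 0.0.0.0:123       0.0.0.0:*        664/ntpd
udp   0 0 0.0.0.0:5353      0.0.0.0:*        612/avahi-daemon
udp6  0 0 :::5353           :::*             612/avahi-daemon
'

# Ports the ruleset accepts from any source address, as proto/port.
# Assumption: the same two for IPv4 and IPv6, as in the rules above.
ALLOWED_PORTS='tcp/22 udp/123'

# classify_listeners: read listener lines on stdin, write one line per socket:
#   <proto>/<port> <bound address> <program> <verdict>
# where verdict is
#   loopback  bound to 127.0.0.1 or ::1: not reachable from the LAN, firewall or not
#   allowed   bound elsewhere and matched by an ACCEPT rule in the chain
#   filtered  bound elsewhere but left to the INPUT DROP policy
# Header lines ("Active ...", "Proto ...") do not match the pattern and are skipped.
classify_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN {
        n = split(allowed, parts, " ")
        for (i = 1; i <= n; i++) ok[parts[i]] = 1
    }
    $1 ~ /^(tcp|udp)6?$/ {
        proto = substr($1, 1, 3)                # tcp6 -> tcp, udp6 -> udp
        laddr = $4
        port = laddr; sub(/.*:/, "", port)      # text after the last colon
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        prog = $NF; sub(/^[0-9]+\//, "", prog)  # drop the "pid/" prefix
        key = proto "/" port
        if (addr == "127.0.0.1" || addr == "::1")
            verdict = "loopback"
        else if (key in ok)
            verdict = "allowed"
        else
            verdict = "filtered"
        printf "%s/%s %s %s %s\n", proto, port, addr, prog, verdict
    }'
}

# Usage: on a real host pipe in `netstat -lntup` (or `ss -lntup`) run as root,
# since -p only names other users' processes for root.
printf '%s\n' "$SAMPLE_LISTENERS" | classify_listeners
```

Every row marked `filtered` (rpcbind, rpc.statd-style RPC ports, cups-browsed,
avahi, the inetd service on 9999) is what the DROP policy is buying you; the
`allowed` rows are the ones you are choosing to expose and should be able to
name a reason for.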

