Re: laptop protection in an office network
On Sat 29 Aug 2015 at 21:39:21 +0300, Reco wrote:
> Hi.
>
> On Sat, 29 Aug 2015 13:25:28 -0500
> rlharris@oplink.net wrote:
>
> > On Sat, August 29, 2015 6:53 am, tomas@tuxteam.de wrote:
> > > Also netstat (issued from your laptop) gives insight. For example
> > > 'netstat -lntu' shows you the TCP or UDP listening sockets. If you are
> > > root (or sudo, of course), the extra option -p tells you which process is
> > > "at the other side" listening.
> > >
> > > Note that the dhcp client itself (which you need to get an IP address to
> > > take part in your customer's network) puts you already at some risk,
> > > depending on how it's configured.
> >
> > Here is the output from the laptop:
> >
> > # netstat -lntup
> > Active Internet connections (only servers)
> > Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
> > tcp 0 0 0.0.0.0:9999 0.0.0.0:* LIS 561/inetd
> > tcp 0 0 0.0.0.0:111 0.0.0.0:* LIS 530/rpcbind
> > tcp 0 0 0.0.0.0:46225 0.0.0.0:* LIS 540/rpc.statd
> > tcp 0 0 0.0.0.0:22 0.0.0.0:* LIS 568/sshd
> > tcp 0 0 127.0.0.1:631 0.0.0.0:* LIS 1248/cupsd
> > tcp 0 0 127.0.0.1:5432 0.0.0.0:* LIS 675/postgres
> > tcp 0 0 127.0.0.1:25 0.0.0.0:* LIS 1063/exim4
> > tcp 0 0 127.0.0.1:2628 0.0.0.0:* LIS 599/0
> > tcp6 0 0 :::111 :::* LIS 530/rpcbind
> > tcp6 0 0 :::38930 :::* LIS 540/rpc.statd
> > tcp6 0 0 :::22 :::* LIS 568/sshd
> > tcp6 0 0 ::1:631 :::* LIS 1248/cupsd
> > tcp6 0 0 ::1:5432 :::* LIS 675/postgres
> > tcp6 0 0 ::1:25 :::* LIS 1063/exim4
> > udp 0 0 0.0.0.0:36358 0.0.0.0:* 612/avahi-daemon:r
> > udp 0 0 0.0.0.0:631 0.0.0.0:* 647/cups-browsed
> > udp 0 0 0.0.0.0:689 0.0.0.0:* 530/rpcbind
> > udp 0 0 127.0.0.1:716 0.0.0.0:* 540/rpc.statd
> > udp 0 0 0.0.0.0:57106 0.0.0.0:* 540/rpc.statd
> > udp 0 0 0.0.0.0:111 0.0.0.0:* 530/rpcbind
> > udp 0 0 192.168.1.99:123 0.0.0.0:* 664/ntpd
> > udp 0 0 127.0.0.1:123 0.0.0.0:* 664/ntpd
> > udp 0 0 0.0.0.0:123 0.0.0.0:* 664/ntpd
> > udp 0 0 0.0.0.0:5353 0.0.0.0:* 612/avahi-daemon:r
> > udp6 0 0 :::689 :::* 530/rpcbind
> > udp6 0 0 :::43913 :::* 540/rpc.statd
> > udp6 0 0 :::111 :::* 530/rpcbind
> > udp6 0 0 fe80::ba70:f4ff:fe2:123 :::* 664/ntpd
> > udp6 0 0 ::1:123 :::* 664/ntpd
> > udp6 0 0 :::123 :::* 664/ntpd
> > udp6 0 0 :::5353 :::* 612/avahi-daemon:r
> > udp6 0 0 :::44274 :::* 612/avahi-daemon:r
> > #
> >
> > Regrettably, the formatting of the output does not consider the need to
> > include the output in the body of an e-mail, so editing was required to
> > remove excess spaces so as to prevent every line from being wrapped.
>
> Something like this should save you from most troubles, provided
> that you don't plan to use your laptop as a print server or NFS server:
>
> iptables -P INPUT DROP
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -p icmp -j ACCEPT
> iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
> iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED \
> -j ACCEPT
> iptables -A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED \
> -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p udp --dport 123 -j ACCEPT
>
> iptables -P FORWARD DROP
>
> ip6tables -P INPUT DROP
> ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
> ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
> ip6tables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED \
> -j ACCEPT
> ip6tables -A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED \
> -j ACCEPT
> ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
> ip6tables -A INPUT -p udp --dport 123 -j ACCEPT
>
> ip6tables -P FORWARD DROP
>
> Of course, it's a *very* simplistic set of rules (for example, someone
> may consider accepting ssh connections from arbitrary hosts a bad idea),
> but it should work.
Why does he need any iptables rules? I see nothing at risk there. It
seems to me he can be confident his computer is safe.
> Two things I'm unsure of are:
>
> 1) Avahi's udp 5353. I don't see any value in mDNS (especially in office
> network), but YMMV.
There is much value in mDNS in an office network with CUPS nowadays.
> 2) Whatever thing you're listening for on tcp 9999 with inetd.
Ditto.
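To make the disagreement above concrete, here is an added helper (not code from anyone in the thread) that reads a `netstat -lntup` listing, separates loopback-only sockets from those bound on addresses reachable from the office LAN, and marks which of the exposed ones Reco's ruleset would still accept (unsolicited tcp/22 and udp/123). The sample input is a constructed excerpt of the listing posted above, in the same abbreviated column layout.

```sh
#!/bin/sh
# Added example: audit which listening sockets are reachable from the LAN and
# which of those the quoted iptables/ip6tables rules would still let through.
# NETSTAT_SAMPLE is a constructed excerpt of the posted "netstat -lntup" output.
NETSTAT_SAMPLE='tcp 0 0 0.0.0.0:9999 0.0.0.0:* LIS 561/inetd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LIS 530/rpcbind
tcp 0 0 0.0.0.0:22 0.0.0.0:* LIS 568/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LIS 1248/cupsd
tcp6 0 0 :::22 :::* LIS 568/sshd
udp 0 0 0.0.0.0:631 0.0.0.0:* 647/cups-browsed
udp 0 0 0.0.0.0:123 0.0.0.0:* 664/ntpd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 612/avahi-daemon:r
udp6 0 0 ::1:123 :::* 664/ntpd'

# Ports the quoted rules ACCEPT for new inbound connections (tcp 22, udp 123).
ALLOWED='tcp/22 udp/123'

# audit_listeners: reads netstat lines on stdin and prints one line per socket:
#   <proto>/<port> <pid/program> <loopback|exposed> <allowed|blocked|n/a>
# "exposed" means bound to a non-loopback address (0.0.0.0, ::, or a LAN IP).
audit_listeners() {
    awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^(tcp|udp)6?[ \t]/ {
        proto = $1; sub(/6$/, "", proto)           # tcp6 -> tcp, udp6 -> udp
        local = $4                                 # Local Address column
        port = local; sub(/.*:/, "", port)         # text after the last colon
        addr = substr(local, 1, length(local) - length(port) - 1)
        scope = (addr == "127.0.0.1" || addr == "::1") ? "loopback" : "exposed"
        prog = $NF                                 # PID/Program name column
        key = proto "/" port
        verdict = (scope == "loopback") ? "n/a" : (ok[key] ? "allowed" : "blocked")
        print key, prog, scope, verdict
    }'
}

# count_exposed_blocked: number of LAN-reachable sockets the ruleset would drop.
count_exposed_blocked() {
    printf '%s\n' "$NETSTAT_SAMPLE" | audit_listeners | grep -c 'exposed blocked$'
}

printf '%s\n' "$NETSTAT_SAMPLE" | audit_listeners
```

On the full listing, the sockets Reco's rules would drop are exactly the ones he singles out (inetd on 9999, rpcbind/rpc.statd, cups-browsed, avahi), while sshd and ntpd remain reachable; the script tells you which category each daemon falls into before you decide whether it belongs on the office network.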