[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: laptop protection in an office network

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, Aug 29, 2015 at 01:25:28PM -0500, rlharris@oplink.net wrote:
> On Sat, August 29, 2015 6:53 am, tomas@tuxteam.de wrote:
> > Also netstat (issued from your laptop) gives insight. For example
> > 'netstat - -lntu' shows you the TCP or UDP listening sockets. If you are
> > root (or sudo, of course), the extra option -p tells you which process is
> > "at the other side" listening.
> >
> > Note that the dhcp client itself (which you need to get an IP address to
> > take part in your customer's network) puts you already at some risk,
> > depending on how it's configured.
> 
> Here is the output from the laptop:
> 
> # netstat -lntup
> Active Internet connections (only servers)
> Prot Rec Snd Local Address            Foreign   State PID/Program name
>      -Q  -Q                           Address

Quite a mouthful. Other answers very insightful, especially the proposals
of blocking the relevant ports via firewall (I'd try the opposite approach
though: block every connection from outside except those you explicitly
want)

> tcp  0   0    0.0.0.0:9999            0.0.0.0:*  LIS  561/inetd

As others noted: what's inetd doing on 9999? Do have a look at
its config files (somewhere in /etc/inetd.conf).
 
> tcp  0   0    0.0.0.0:111             0.0.0.0:*  LIS  530/rpcbind
> tcp  0   0    0.0.0.0:46225           0.0.0.0:*  LIS  540/rpc.statd

RPC is typically needed for NFS. If you don't want to mount your
laptop's file systems from other machines, it's probably superfluous.

> tcp  0   0    0.0.0.0:22              0.0.0.0:*  LIS  568/sshd

Common wisdom is to keep that (but to secure it properly, by disabling
root logins and possibly passwrd logins). Perhaps you can ssh into
your laptop should the UI become unresponsive for some reason (e.g.
X botches the graphics card but you still have some running programs
you'd want to finalize in an orderly mode).

> tcp  0   0    127.0.0.1:631           0.0.0.0:*  LIS  1248/cupsd

Are you using your laptop as a print server? If not, the cups-client
package might be enough.

> tcp  0   0    127.0.0.1:5432          0.0.0.0:*  LIS  675/postgres
> tcp  0   0    127.0.0.1:25            0.0.0.0:*  LIS  1063/exim4

Database server, mail server. What are they doing? For postgres,
you could configure it to just serve over an UNIX domain socket,
if the only applications around connect locally. Your call.
For exim4 (mail server)... depends on your mail setup.

> tcp  0   0    127.0.0.1:2628          0.0.0.0:*  LIS  599/0

Uh -- what is *this*? A process called "0"? Looks really strange
to me.

> tcp6 0   0    :::111                  :::*       LIS  530/rpcbind
> tcp6 0   0    :::38930                :::*       LIS  540/rpc.statd
> tcp6 0   0    :::22                   :::*       LIS  568/sshd
> tcp6 0   0    ::1:631                 :::*       LIS  1248/cupsd
> tcp6 0   0    ::1:5432                :::*       LIS  675/postgres
> tcp6 0   0    ::1:25                  :::*       LIS  1063/exim4

Those are IPV6 variants of some of the above.

> udp  0   0    0.0.0.0:36358           0.0.0.0:*       612/avahi-daemon:r

Avahi: this is a service discovery service: your laptop is broadcasting
to the network "hey, here's a [printer, database, whatnot]. Wanna play
with me?

That's one of the things I ban from my computer.

> udp  0   0    0.0.0.0:631             0.0.0.0:*       647/cups-browsed

Here cups is announcing its availability. Down with it :-)

> udp  0   0    0.0.0.0:689             0.0.0.0:*       530/rpcbind
> udp  0   0    127.0.0.1:716           0.0.0.0:*       540/rpc.statd
> udp  0   0    0.0.0.0:57106           0.0.0.0:*       540/rpc.statd
> udp  0   0    0.0.0.0:111             0.0.0.0:*       530/rpcbind

See above.

> udp  0   0    192.168.1.99:123        0.0.0.0:*       664/ntpd
> udp  0   0    127.0.0.1:123           0.0.0.0:*       664/ntpd
> udp  0   0    0.0.0.0:123             0.0.0.0:*       664/ntpd

Providing time services?

> udp  0   0    0.0.0.0:5353            0.0.0.0:*       612/avahi-daemon:r

See above.

> udp6 0   0    :::689                  :::*            530/rpcbind
> udp6 0   0    :::43913                :::*            540/rpc.statd
> udp6 0   0    :::111                  :::*            530/rpcbind
> udp6 0   0    fe80::ba70:f4ff:fe2:123 :::*            664/ntpd
> udp6 0   0    ::1:123                 :::*            664/ntpd
> udp6 0   0    :::123                  :::*            664/ntpd
> udp6 0   0    :::5353                 :::*            612/avahi-daemon:r
> udp6 0   0    :::44274                :::*            612/avahi-daemon:r

IPV6 variants of some of the above.

> Regrettably, the formatting of the output does not consider the need to
> include the output in the body of an e-mail, so editing was required to
> remove excess spaces so as to prevent every line from being wrapped.

I feel your pain :-)

I'd disable/uninstall many of those. OTOH, you might need them in other
settings, so firewalling them out might be the right choice (and a chance
to learn iptables :-)

regards
- -- t
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlXiHJIACgkQBcgs9XrR2kZI7QCfXp6SyrA+eaB2fL9rrUvJfH95
focAnjeEbn4i6rbEg0gYDynrkixh/46l
=SnzJ
-----END PGP SIGNATURE-----
Reply to: