Re: laptop protection in an office network
On Sat, Aug 29, 2015 at 01:25:28PM -0500, rlharris@oplink.net wrote:
> On Sat, August 29, 2015 6:53 am, tomas@tuxteam.de wrote:
> > Also netstat (issued from your laptop) gives insight. For example
> > 'netstat -lntu' shows you the TCP or UDP listening sockets. If you are
> > root (or sudo, of course), the extra option -p tells you which process is
> > "at the other side" listening.
> >
> > Note that the dhcp client itself (which you need to get an IP address to
> > take part in your customer's network) puts you already at some risk,
> > depending on how it's configured.
>
> Here is the output from the laptop:
>
> # netstat -lntup
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
Quite a mouthful. Other answers very insightful, especially the proposals
of blocking the relevant ports via firewall (I'd try the opposite approach
though: block every connection from outside except those you explicitly
want)
> tcp 0 0 0.0.0.0:9999 0.0.0.0:* LIS 561/inetd
As others noted: what's inetd doing on 9999? Do have a look at
its config files (somewhere in /etc/inetd.conf).
> tcp 0 0 0.0.0.0:111 0.0.0.0:* LIS 530/rpcbind
> tcp 0 0 0.0.0.0:46225 0.0.0.0:* LIS 540/rpc.statd
RPC is typically needed for NFS. If you don't want to mount your
laptop's file systems from other machines, it's probably superfluous.
> tcp 0 0 0.0.0.0:22 0.0.0.0:* LIS 568/sshd
Common wisdom is to keep that (but to secure it properly, by disabling
root logins and possibly password logins). Perhaps you can ssh into
your laptop should the UI become unresponsive for some reason (e.g.
X botches the graphics card but you still have some running programs
you'd want to finalize in an orderly mode).
> tcp 0 0 127.0.0.1:631 0.0.0.0:* LIS 1248/cupsd
Are you using your laptop as a print server? If not, the cups-client
package might be enough.
> tcp 0 0 127.0.0.1:5432 0.0.0.0:* LIS 675/postgres
> tcp 0 0 127.0.0.1:25 0.0.0.0:* LIS 1063/exim4
Database server, mail server. What are they doing? For postgres,
you could configure it to just serve over a UNIX domain socket,
if the only applications around connect locally. Your call.
For exim4 (mail server)... depends on your mail setup.
> tcp 0 0 127.0.0.1:2628 0.0.0.0:* LIS 599/0
Uh -- what is *this*? A process called "0"? Looks really strange
to me.
> tcp6 0 0 :::111 :::* LIS 530/rpcbind
> tcp6 0 0 :::38930 :::* LIS 540/rpc.statd
> tcp6 0 0 :::22 :::* LIS 568/sshd
> tcp6 0 0 ::1:631 :::* LIS 1248/cupsd
> tcp6 0 0 ::1:5432 :::* LIS 675/postgres
> tcp6 0 0 ::1:25 :::* LIS 1063/exim4
Those are IPV6 variants of some of the above.
> udp 0 0 0.0.0.0:36358 0.0.0.0:* 612/avahi-daemon:r
Avahi: this is a service discovery service: your laptop is broadcasting
to the network "hey, here's a [printer, database, whatnot]. Wanna play
with me?"
That's one of the things I ban from my computer.
> udp 0 0 0.0.0.0:631 0.0.0.0:* 647/cups-browsed
Here cups is announcing its availability. Down with it :-)
> udp 0 0 0.0.0.0:689 0.0.0.0:* 530/rpcbind
> udp 0 0 127.0.0.1:716 0.0.0.0:* 540/rpc.statd
> udp 0 0 0.0.0.0:57106 0.0.0.0:* 540/rpc.statd
> udp 0 0 0.0.0.0:111 0.0.0.0:* 530/rpcbind
See above.
> udp 0 0 192.168.1.99:123 0.0.0.0:* 664/ntpd
> udp 0 0 127.0.0.1:123 0.0.0.0:* 664/ntpd
> udp 0 0 0.0.0.0:123 0.0.0.0:* 664/ntpd
Providing time services?
> udp 0 0 0.0.0.0:5353 0.0.0.0:* 612/avahi-daemon:r
See above.
> udp6 0 0 :::689 :::* 530/rpcbind
> udp6 0 0 :::43913 :::* 540/rpc.statd
> udp6 0 0 :::111 :::* 530/rpcbind
> udp6 0 0 fe80::ba70:f4ff:fe2:123 :::* 664/ntpd
> udp6 0 0 ::1:123 :::* 664/ntpd
> udp6 0 0 :::123 :::* 664/ntpd
> udp6 0 0 :::5353 :::* 612/avahi-daemon:r
> udp6 0 0 :::44274 :::* 612/avahi-daemon:r
IPV6 variants of some of the above.
> Regrettably, the formatting of the output does not consider the need to
> include the output in the body of an e-mail, so editing was required to
> remove excess spaces so as to prevent every line from being wrapped.
I feel your pain :-)
I'd disable/uninstall many of those. OTOH, you might need them in other
settings, so firewalling them out might be the right choice (and a chance
to learn iptables :-)
regards
-- t
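The triage done by hand above (which listeners are reachable from the network, which are loopback-only) and the default-deny firewall idea, as an added example that is not code from this thread. The SAMPLE input is constructed from the quoted netstat output; the `allow_only` function only prints iptables commands for review, it does not apply them.

```shell
# Constructed sample of 'netstat -lntup' rows, based on the quoted output.
# For a live check: sudo netstat -lntup | exposed_listeners
SAMPLE='tcp 0 0 0.0.0.0:9999 0.0.0.0:* LISTEN 561/inetd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 530/rpcbind
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 568/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1248/cupsd
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 675/postgres
tcp6 0 0 :::22 :::* LISTEN 568/sshd
tcp6 0 0 ::1:631 :::* LISTEN 1248/cupsd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 612/avahi-daemon:r
udp 0 0 127.0.0.1:716 0.0.0.0:* 540/rpc.statd
udp 0 0 192.168.1.99:123 0.0.0.0:* 664/ntpd
udp6 0 0 ::1:123 :::* 664/ntpd'

# exposed_listeners: read netstat rows on stdin and print "proto port program"
# for every socket NOT bound to loopback (0.0.0.0, :: or a real interface
# address). Handles tcp and udp rows alike: the local address is always
# field 4 and PID/program is always the last field, only the State column
# differs.
exposed_listeners() {
    awk '
        /^(tcp|udp)6?[ \t]/ {
            n = split($4, parts, ":")                 # port follows the last ":"
            port = parts[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1") next   # loopback only
            prog = $NF; sub(/^[0-9]+\//, "", prog)    # drop the PID, keep the name
            print $1, port, prog
        }' | sort -u
}

# allow_only: print (not run) an inbound default-deny iptables policy that
# admits only the ports given as arguments, e.g. "allow_only tcp/22 udp/123":
# the "block everything except what you explicitly want" approach. The DROP
# policy is printed last so an existing ssh session is never cut off while
# the ACCEPT rules are still missing.
allow_only() {
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for spec in "$@"; do                              # spec looks like proto/port
        echo "iptables -A INPUT -p ${spec%/*} --dport ${spec#*/} -j ACCEPT"
    done
    echo 'iptables -P INPUT DROP'
}

# triage_sample: run the classifier over the constructed sample.
triage_sample() { printf '%s\n' "$SAMPLE" | exposed_listeners; }
```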