[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: laptop protection in an office network

On Sat 29 Aug 2015 at 22:56:50 +0200, tomas@tuxteam.de wrote:

> On Sat, Aug 29, 2015 at 01:25:28PM -0500, rlharris@oplink.net wrote:
> > 
> > # netstat -lntup
> > Active Internet connections (only servers)
> > Prot Rec Snd Local Address            Foreign   State PID/Program name
> >      -Q  -Q                           Address
> 
> Quite a mouthful. Other answers very insightful, especially the proposals
> of blocking the relevant ports via firewall (I'd try the opposite approach
> though: block every connection from outside except those you explicitly
> want)
> 
> > tcp  0   0    0.0.0.0:9999            0.0.0.0:*  LIS  561/inetd
> 
> As others noted: what's inetd doing on 9999? Do have a look at
> its config files (somewhere in /etc/inetd.conf).
>  
> > tcp  0   0    0.0.0.0:111             0.0.0.0:*  LIS  530/rpcbind
> > tcp  0   0    0.0.0.0:46225           0.0.0.0:*  LIS  540/rpc.statd
> 
> RPC is typically needed for NFS. If you don't want to mount your
> laptop's file systems from other machines, it's probably superfluous.

So get rid of it.

> > tcp  0   0    0.0.0.0:22              0.0.0.0:*  LIS  568/sshd
> 
> Common wisdom is to keep that (but to secure it properly, by disabling
> root logins and possibly passwrd logins). Perhaps you can ssh into
> your laptop should the UI become unresponsive for some reason (e.g.
> X botches the graphics card but you still have some running programs
> you'd want to finalize in an orderly mode).

Common wisdom or old-wives tales? He probably has no need for it. Purge.
 
> > tcp  0   0    127.0.0.1:631           0.0.0.0:*  LIS  1248/cupsd
> 
> Are you using your laptop as a print server? If not, the cups-client
> package might be enough.

Its only listening on localhost. What's the problem?

cups-client alone is insufficient to print to a printer attached to the
machine.

> > tcp  0   0    127.0.0.1:5432          0.0.0.0:*  LIS  675/postgres
> > tcp  0   0    127.0.0.1:25            0.0.0.0:*  LIS  1063/exim4
> 
> Database server, mail server. What are they doing? For postgres,
> you could configure it to just serve over an UNIX domain socket,
> if the only applications around connect locally. Your call.
> For exim4 (mail server)... depends on your mail setup.

Both are only listening on localhost. Perfectly safe.

> > tcp  0   0    127.0.0.1:2628          0.0.0.0:*  LIS  599/0
> 
> Uh -- what is *this*? A process called "0"? Looks really strange
> to me.
> 
> > tcp6 0   0    :::111                  :::*       LIS  530/rpcbind
> > tcp6 0   0    :::38930                :::*       LIS  540/rpc.statd
> > tcp6 0   0    :::22                   :::*       LIS  568/sshd
> > tcp6 0   0    ::1:631                 :::*       LIS  1248/cupsd
> > tcp6 0   0    ::1:5432                :::*       LIS  675/postgres
> > tcp6 0   0    ::1:25                  :::*       LIS  1063/exim4
> 
> Those are IPV6 variants of some of the above.
> 
> > udp  0   0    0.0.0.0:36358           0.0.0.0:*       612/avahi-daemon:r
> 
> Avahi: this is a service discovery service: your laptop is broadcasting
> to the network "hey, here's a [printer, database, whatnot]. Wanna play
> with me?
> 
> That's one of the things I ban from my computer.

Broadcating is one thing. Allowing access to a service is another.

> > udp  0   0    0.0.0.0:631             0.0.0.0:*       647/cups-browsed
> 
> Here cups is announcing its availability. Down with it :-)

CUPS isn't doing anything. Have another go. :)
Reply to: