Re: laptop protection in an office network
On Sat 29 Aug 2015 at 22:56:50 +0200, tomas@tuxteam.de wrote:
> On Sat, Aug 29, 2015 at 01:25:28PM -0500, rlharris@oplink.net wrote:
> >
> > # netstat -lntup
> > Active Internet connections (only servers)
> > Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
>
> Quite a mouthful. Other answers very insightful, especially the proposals
> of blocking the relevant ports via firewall (I'd try the opposite approach
> though: block every connection from outside except those you explicitly
> want)
>
> > tcp 0 0 0.0.0.0:9999 0.0.0.0:* LIS 561/inetd
>
> As others noted: what's inetd doing on 9999? Do have a look at
> its config files (somewhere in /etc/inetd.conf).
>
> > tcp 0 0 0.0.0.0:111 0.0.0.0:* LIS 530/rpcbind
> > tcp 0 0 0.0.0.0:46225 0.0.0.0:* LIS 540/rpc.statd
>
> RPC is typically needed for NFS. If you don't want to mount your
> laptop's file systems from other machines, it's probably superfluous.
So get rid of it.
> > tcp 0 0 0.0.0.0:22 0.0.0.0:* LIS 568/sshd
>
> Common wisdom is to keep that (but to secure it properly, by disabling
> root logins and possibly password logins). Perhaps you can ssh into
> your laptop should the UI become unresponsive for some reason (e.g.
> X botches the graphics card but you still have some running programs
> you'd want to finalize in an orderly mode).
Common wisdom or old-wives tales? He probably has no need for it. Purge.
> > tcp 0 0 127.0.0.1:631 0.0.0.0:* LIS 1248/cupsd
>
> Are you using your laptop as a print server? If not, the cups-client
> package might be enough.
It's only listening on localhost. What's the problem?
cups-client alone is insufficient to print to a printer attached to the
machine.
> > tcp 0 0 127.0.0.1:5432 0.0.0.0:* LIS 675/postgres
> > tcp 0 0 127.0.0.1:25 0.0.0.0:* LIS 1063/exim4
>
> Database server, mail server. What are they doing? For postgres,
> you could configure it to just serve over an UNIX domain socket,
> if the only applications around connect locally. Your call.
> For exim4 (mail server)... depends on your mail setup.
Both are only listening on localhost. Perfectly safe.
> > tcp 0 0 127.0.0.1:2628 0.0.0.0:* LIS 599/0
>
> Uh -- what is *this*? A process called "0"? Looks really strange
> to me.
>
> > tcp6 0 0 :::111 :::* LIS 530/rpcbind
> > tcp6 0 0 :::38930 :::* LIS 540/rpc.statd
> > tcp6 0 0 :::22 :::* LIS 568/sshd
> > tcp6 0 0 ::1:631 :::* LIS 1248/cupsd
> > tcp6 0 0 ::1:5432 :::* LIS 675/postgres
> > tcp6 0 0 ::1:25 :::* LIS 1063/exim4
>
> Those are IPV6 variants of some of the above.
>
> > udp 0 0 0.0.0.0:36358 0.0.0.0:* 612/avahi-daemon:r
>
> Avahi: this is a service discovery service: your laptop is broadcasting
> to the network "hey, here's a [printer, database, whatnot]. Wanna play
> with me?"
>
> That's one of the things I ban from my computer.
Broadcasting is one thing. Allowing access to a service is another.
> > udp 0 0 0.0.0.0:631 0.0.0.0:* 647/cups-browsed
>
> Here cups is announcing its availability. Down with it :-)
CUPS isn't doing anything. Have another go. :)
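An added example, not part of the thread: a small script that applies the distinction the reply keeps drawing, loopback-only versus bound to all interfaces, to `netstat -lntup` output. The sample listing is constructed from the rows quoted above, with the abbreviated state column written out as LISTEN.

```python
"""Classify `netstat -lntup` rows by the address each socket is bound to:
loopback-only (127.0.0.1, ::1) versus any-address (0.0.0.0, ::), which other
hosts on the office LAN can reach unless a firewall blocks them."""
import ipaddress

# Constructed sample modelled on the listing quoted in the thread.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9999 0.0.0.0:* LISTEN 561/inetd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 568/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1248/cupsd
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 675/postgres
tcp6 0 0 :::22 :::* LISTEN 568/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1063/exim4
udp 0 0 0.0.0.0:36358 0.0.0.0:* 612/avahi-daemon:r
"""


def classify(host):
    """Return 'loopback', 'any' (all interfaces) or 'specific' for a bound address."""
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:
        return "any"
    return "specific"


def parse_listeners(text):
    """Yield (proto, host, port, program, exposure) for each socket row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                                  # blank or short line
        host, _, port = fields[3].rpartition(":")     # ':::22' -> ('::', '22')
        try:
            exposure = classify(host)
        except ValueError:
            continue                                  # banner / header row
        yield fields[0], host, int(port), fields[-1], exposure


def exposed_listeners(text):
    """Sorted (proto, port, program) for sockets bound to all interfaces."""
    return sorted((proto, port, prog)
                  for proto, _, port, prog, exp in parse_listeners(text)
                  if exp == "any")


if __name__ == "__main__":
    for proto, host, port, prog, exposure in parse_listeners(SAMPLE_NETSTAT):
        print(f"{exposure:9s} {proto:5s} {host}:{port}  {prog}")
```

On a real machine, feed it `netstat -lntup` (or `ss -lntup`, whose columns differ) and review only the "any" rows; the loopback rows are the ones the reply calls perfectly safe from the network's point of view.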