Re: laptop protection in an office network
On Sat, Aug 29, 2015 at 11:28:10PM +0100, Brian wrote:
> On Sat 29 Aug 2015 at 22:56:50 +0200, tomas@tuxteam.de wrote:
>
> > On Sat, Aug 29, 2015 at 01:25:28PM -0500, rlharris@oplink.net wrote:
[...]
> > > tcp 0 0 0.0.0.0:22 0.0.0.0:* LIS 568/sshd
> >
> > Common wisdom is to keep that (but to secure it properly [...]
[...]
> Common wisdom or old-wives tales? He probably has no need for it. Purge.
Count me as old-wife then. I know I've used that a couple of times to
diagnose things. To each one to decide (put another way: no need to take
with you the circular saw every time if you know you'll never use it :)
> > > tcp 0 0 127.0.0.1:631 0.0.0.0:* LIS 1248/cupsd
> >
> > Are you using your laptop as a print server? If not, the cups-client
> > package might be enough.
>
> It's only listening on localhost. What's the problem?
You're right, I missed that.
> cups-client alone is insufficient to print to a printer attached to the
> machine.
That's correct. I assumed that the printer isn't attached to the laptop,
but that there are printer services around (I'm using lprng anyway).
> > > tcp 0 0 127.0.0.1:5432 0.0.0.0:* LIS 675/postgres
> > > tcp 0 0 127.0.0.1:25 0.0.0.0:* LIS 1063/exim4
> >
> > Database server, mail server. What are they doing? For postgres,
> > you could configure it to just serve over an UNIX domain socket,
> > if the only applications around connect locally. Your call.
> > For exim4 (mail server)... depends on your mail setup.
>
> Both are only listening on localhost. Perfectly safe.
Correct. My fault. See above.
> > > tcp 0 0 127.0.0.1:2628 0.0.0.0:* LIS 599/0
> >
> > Uh -- what is *this*? A process called "0"? Looks really strange
> > to me.
> >
> > > tcp6 0 0 :::111 :::* LIS 530/rpcbind
> > > tcp6 0 0 :::38930 :::* LIS 540/rpc.statd
> > > tcp6 0 0 :::22 :::* LIS 568/sshd
> > > tcp6 0 0 ::1:631 :::* LIS 1248/cupsd
> > > tcp6 0 0 ::1:5432 :::* LIS 675/postgres
> > > tcp6 0 0 ::1:25 :::* LIS 1063/exim4
> >
> > Those are IPV6 variants of some of the above.
> >
> > > udp 0 0 0.0.0.0:36358 0.0.0.0:* 612/avahi-daemon:r
> >
> > Avahi: this is a service discovery service: your laptop is broadcasting
> > to the network "hey, here's a [printer, database, whatnot]. Wanna play
> > with me?
> >
> > That's one of the things I ban from my computer.
>
> Broadcasting is one thing. Allowing access to a service is another.
Broadcasting is inviting :-)
> > > udp 0 0 0.0.0.0:631 0.0.0.0:* 647/cups-browsed
> >
> > Here cups is announcing its availability. Down with it :-)
>
> CUPS isn't doing anything. Have another go. :)
This is 631/udp, aka "CUPS browsing and polling": it's a discovery protocol
("any printers around?" "oh, yes, here's one"). So it's doing something.
And sometimes it even has holes:
<http://www.openwall.com/lists/oss-security/2014/04/01/4>
I'd say "down with his head". Leave 631/tcp (that's for printing) if you
use a local printer, but leave it restricted to localhost (as done by default
above).
regards
-- tomás
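The distinction the thread keeps returning to is whether a socket is bound to localhost only or to 0.0.0.0/:: where the office network can reach it. As an added example (not code from the thread or from any of its participants), here is a small parser for the `netstat -tulpn` layout quoted above that sorts listeners into those two groups; the sample lines are constructed from the ones quoted in the thread, and the `Listener`/`exposed_services` names are this example's own.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed sample in the layout of `netstat -tulpn` as quoted in the thread.
# netstat prints no State column for UDP sockets, so the field count varies.
SAMPLE = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LIS 568/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LIS 1248/cupsd
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LIS 675/postgres
tcp 0 0 127.0.0.1:25 0.0.0.0:* LIS 1063/exim4
tcp6 0 0 :::111 :::* LIS 530/rpcbind
tcp6 0 0 ::1:631 :::* LIS 1248/cupsd
udp 0 0 0.0.0.0:36358 0.0.0.0:* 612/avahi-daemon:r
udp 0 0 0.0.0.0:631 0.0.0.0:* 647/cups-browsed
"""

@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    program: str

    @property
    def exposed(self) -> bool:
        """True when the bind address is reachable from the network, not just localhost."""
        # 0.0.0.0 and :: are wildcard binds; only 127/8 and ::1 count as loopback.
        return not ipaddress.ip_address(self.addr).is_loopback

def parse_netstat(text: str) -> list[Listener]:
    """Parse netstat -tulpn style lines into Listener records (State column optional)."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue
        # rsplit once so IPv6 forms like ":::111" and "::1:631" split correctly
        addr, port = fields[3].rsplit(":", 1)
        pid_prog = fields[-1]
        program = pid_prog.split("/", 1)[1] if "/" in pid_prog else pid_prog
        out.append(Listener(fields[0], addr, int(port), program))
    return out

def exposed_services(text: str) -> list[tuple[int, str, str]]:
    """(port, proto, program) for every listener bound beyond loopback, sorted by port."""
    return sorted((l.port, l.proto, l.program) for l in parse_netstat(text) if l.exposed)

if __name__ == "__main__":
    for port, proto, program in exposed_services(SAMPLE):
        print(f"{port}/{proto} {program}: reachable from the network, review or remove")
```

Run against real output with `netstat -tulpn | python3 this_script.py`-style piping only after swapping `SAMPLE` for `sys.stdin.read()`; the loopback-only services (cupsd, postgres, exim4) never appear in the result.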