
Re: laptop protection in an office network



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, Aug 29, 2015 at 11:28:10PM +0100, Brian wrote:
> On Sat 29 Aug 2015 at 22:56:50 +0200, tomas@tuxteam.de wrote:
> 
> > On Sat, Aug 29, 2015 at 01:25:28PM -0500, rlharris@oplink.net wrote:

[...]

> > > tcp  0   0    0.0.0.0:22              0.0.0.0:*  LIS  568/sshd
> > 
> > Common wisdom is to keep that (but to secure it properly [...]
[...]
> Common wisdom or old-wives tales? He probably has no need for it. Purge.

Count me as an old wife then. I know I've used that a couple of times to
diagnose things. To each their own to decide (put another way: no need to take
the circular saw with you every time if you know you'll never use it :)

> > > tcp  0   0    127.0.0.1:631           0.0.0.0:*  LIS  1248/cupsd
> > 
> > Are you using your laptop as a print server? If not, the cups-client
> > package might be enough.
> 
> It's only listening on localhost. What's the problem?

You're right, I missed that.

> cups-client alone is insufficient to print to a printer attached to the
> machine.

That's correct. I assumed that the printer isn't attached to the laptop,
but that there are printer services around (I'm using lprng anyway).

> > > tcp  0   0    127.0.0.1:5432          0.0.0.0:*  LIS  675/postgres
> > > tcp  0   0    127.0.0.1:25            0.0.0.0:*  LIS  1063/exim4
> > 
> > Database server, mail server. What are they doing? For postgres,
> > you could configure it to just serve over an UNIX domain socket,
> > if the only applications around connect locally. Your call.
> > For exim4 (mail server)... depends on your mail setup.
> 
> Both are only listening on localhost. Perfectly safe.

Correct. My fault. See above.

> > > tcp  0   0    127.0.0.1:2628          0.0.0.0:*  LIS  599/0
> > 
> > Uh -- what is *this*? A process called "0"? Looks really strange
> > to me.
> > 
> > > tcp6 0   0    :::111                  :::*       LIS  530/rpcbind
> > > tcp6 0   0    :::38930                :::*       LIS  540/rpc.statd
> > > tcp6 0   0    :::22                   :::*       LIS  568/sshd
> > > tcp6 0   0    ::1:631                 :::*       LIS  1248/cupsd
> > > tcp6 0   0    ::1:5432                :::*       LIS  675/postgres
> > > tcp6 0   0    ::1:25                  :::*       LIS  1063/exim4
> > 
> > Those are IPV6 variants of some of the above.
> > 
> > > udp  0   0    0.0.0.0:36358           0.0.0.0:*       612/avahi-daemon:r
> > 
> > Avahi: this is a service discovery service: your laptop is broadcasting
> > to the network "hey, here's a [printer, database, whatnot]. Wanna play
> > with me?
> > 
> > That's one of the things I ban from my computer.
> 
> Broadcasting is one thing. Allowing access to a service is another.

Broadcasting is inviting :-)

> > > udp  0   0    0.0.0.0:631             0.0.0.0:*       647/cups-browsed
> > 
> > Here cups is announcing its availability. Down with it :-)
> 
> CUPS isn't doing anything. Have another go. :)

This is 631/udp, aka "CUPS browsing and polling": it's a discovery protocol
("any printers around?" "oh, yes, here's one"). So it's doing something.
And sometimes it even has holes:

  <http://www.openwall.com/lists/oss-security/2014/04/01/4>

I'd say "down with his head". Leave 631/tcp (that's for printing) if you
use a local printer, but leave it restricted to localhost (as done by default
above).

regards
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlXitSwACgkQBcgs9XrR2kbH1wCfZ8A587OGnbBSTvzv+Tdncvma
wOQAn0vuYGxLn6l82Y6FqU55iqHqQeKE
=ZHCq
-----END PGP SIGNATURE-----
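The whole thread turns on one distinction: a socket bound to a loopback address (127.0.0.1, ::1) is reachable only from the laptop itself, while one bound to a wildcard (0.0.0.0, ::) or a real interface address is reachable from the office network. Below is an added example, not part of the mailing-list message, that applies that rule mechanically to `netstat -tulpn`-style output. The listing embedded in it is a constructed copy of the one quoted in the thread; the column positions it assumes (proto first, local address fourth, PID/program last) match that output format.

```python
"""Classify listening sockets from `netstat -tulpn`-style output.

Added example, not from the thread: flags every listener whose bind
address is reachable from other hosts, so the wildcard-bound services
(sshd, rpcbind, rpc.statd, avahi-daemon, cups-browsed) stand out from the
localhost-only ones (cupsd on 631/tcp, postgres, exim4).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample: the listing quoted in the thread, trimmed to the
# columns netstat prints (proto, Recv-Q, Send-Q, local, foreign, [state], pid/program).
# Note that UDP lines carry no state column, so the program is taken from the end.
SAMPLE = """\
tcp  0   0    0.0.0.0:22              0.0.0.0:*  LIS  568/sshd
tcp  0   0    127.0.0.1:631           0.0.0.0:*  LIS  1248/cupsd
tcp  0   0    127.0.0.1:5432          0.0.0.0:*  LIS  675/postgres
tcp  0   0    127.0.0.1:25            0.0.0.0:*  LIS  1063/exim4
tcp  0   0    127.0.0.1:2628          0.0.0.0:*  LIS  599/0
tcp6 0   0    :::111                  :::*       LIS  530/rpcbind
tcp6 0   0    :::38930                :::*       LIS  540/rpc.statd
tcp6 0   0    :::22                   :::*       LIS  568/sshd
tcp6 0   0    ::1:631                 :::*       LIS  1248/cupsd
udp  0   0    0.0.0.0:36358           0.0.0.0:*       612/avahi-daemon:r
udp  0   0    0.0.0.0:631             0.0.0.0:*       647/cups-browsed
"""


@dataclass
class Socket:
    proto: str      # tcp, tcp6, udp, udp6
    addr: str       # bind address as printed by netstat
    port: int
    pid: int
    program: str    # process name as netstat shows it (may be odd, e.g. "0")

    @property
    def exposed(self) -> bool:
        """True when the bind address is reachable from another host.

        Loopback (127.0.0.0/8, ::1) is local-only; the wildcard addresses
        0.0.0.0 and :: accept connections on every interface, and any
        concrete interface address is reachable by definition.
        """
        return not ipaddress.ip_address(self.addr).is_loopback


def parse_line(line: str) -> Socket:
    """Parse one netstat line; raises ValueError on lines that do not fit."""
    fields = line.split()
    if len(fields) < 6 or "/" not in fields[-1]:
        raise ValueError(f"not a netstat listener line: {line!r}")
    proto, local, prog = fields[0], fields[3], fields[-1]
    # rsplit on the last ':' copes with IPv6 forms like ':::111' and '::1:631'.
    addr, port = local.rsplit(":", 1)
    pid, name = prog.split("/", 1)
    return Socket(proto, addr, int(port), int(pid), name)


def parse(text: str) -> List[Socket]:
    """Parse a whole listing, skipping blank lines and netstat's headers."""
    sockets = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Active", "Proto")):
            continue
        sockets.append(parse_line(line))
    return sockets


def exposed(sockets: List[Socket]) -> List[Socket]:
    """Listeners reachable from the network, in listing order."""
    return [s for s in sockets if s.exposed]


def report(text: str) -> str:
    """Human-readable summary of what a visitor on the LAN could reach."""
    lines = []
    for s in parse(text):
        tag = "EXPOSED " if s.exposed else "local   "
        lines.append(f"{tag} {s.proto:<5} {s.addr}:{s.port:<6} {s.pid}/{s.program}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Running it against the sample prints six EXPOSED lines: sshd on 22 (v4 and v6), rpcbind on 111, rpc.statd on an ephemeral port, avahi-daemon on 36358/udp and cups-browsed on 631/udp. Everything else is loopback-only, which is the point Brian makes about cupsd, postgres and exim4. The same script works on live output via `netstat -tulpn | python3 thisfile.py` if `report(sys.stdin.read())` is substituted for the sample.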