On Sun, Jul 29, 2007 at 04:11:55PM +0000, Tyler Smith wrote:
>
> I'm working through the security quick start how to, and I'm not clear
> on what services are required and which ones I can safely remove. I'm
> running a single laptop, which I connect to the net via wireless at
> home or at cafes, and via an ethernet cable at work.
>
> 1) I never login remotely, so I think I can safely do away with
> openssh-server?

If you don't need it, and a package isn't there to meet a dependency,
get rid of it.

>
> tcp6 *:ssh *:* LISTEN 3026/sshd
>
> 2) The how-to suggests that for my setup I don't need anything to do
> with NFS - netstat reports rpc.statd and portmap as listening. Can I
> just purge nfs-common and portmap?
>
> tcp *:37381 *:* LISTEN 2603/rpc.statd
> tcp *:sunrpc *:* LISTEN 2578/portmap
>

Ditto.

> 3) I have apache installed as a dependency of doc-central. netstat
> shows it to be listening to all interfaces. Is there a way to set it
> to listen only for local connections? I don't understand this very
> well, but it seems I shouldn't need to listen to anyone from the
> outside to connect to my docs.
>
> tcp *:www *:* LISTEN 3826/apache
>

I've never run apache so don't know.

> 4) The only remaining listeners I have are:
>
> tcp localhost:929 *:* LISTEN 3721/famd
> tcp *:auth *:* LISTEN 3661/inetd
> tcp localhost:smtp *:* LISTEN 3385/exim4
>
> What is auth? Since famd and exim4 are only listening to localhost,
> can I conclude they are not a security risk?
>

What do you have uncommented in /etc/inetd.conf? I don't have anything,
so inetd doesn't start up at boot.

Finally, as the last defence, do you have a good firewall setup? I use
shorewall with a default net to all DROP and everything else REJECT,
then open ports as needed in rules.

Doug.
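
The netstat listings quoted in this thread can be triaged by bind address. The following is an added example, not part of the original messages: a shell function that separates loopback-only listeners from those bound to all interfaces. The function names `classify_listeners` and `sample_listeners` are hypothetical; the sample lines are the ones quoted above.

```shell
#!/bin/sh
# Added example: triage listening sockets by bind address.
# Accepts the trimmed netstat lines quoted in the thread as well as full
# `netstat -tlp` rows that carry Recv-Q/Send-Q columns.

classify_listeners() {
    awk '
    {
        # Find the LISTEN state column; skip headers and other states.
        s = 0
        for (i = 1; i <= NF; i++) if ($i == "LISTEN") { s = i; break }
        if (s < 3) next

        addr = $(s - 2)                       # local address:port
        prog = (s < NF) ? $(s + 1) : "-"      # PID/program, if shown

        # Split at the last colon so IPv6 hosts such as "::" stay intact.
        n = split(addr, parts, ":")
        host = substr(addr, 1, length(addr) - length(parts[n]) - 1)

        # Loopback binds accept connections only from this machine.
        if (host == "localhost" || host == "ip6-localhost" ||
            host == "::1" || host ~ /^127\./)
            scope = "LOCAL"
        else
            scope = "EXPOSED"

        print scope, $1, addr, prog
    }'
}

# The listeners quoted in the thread, in the order they appear.
sample_listeners() {
    cat <<'EOF'
tcp6 *:ssh *:* LISTEN 3026/sshd
tcp *:37381 *:* LISTEN 2603/rpc.statd
tcp *:sunrpc *:* LISTEN 2578/portmap
tcp *:www *:* LISTEN 3826/apache
tcp localhost:929 *:* LISTEN 3721/famd
tcp *:auth *:* LISTEN 3661/inetd
tcp localhost:smtp *:* LISTEN 3385/exim4
EOF
}

sample_listeners | classify_listeners
```

On a live system, pipe the output of `netstat -tlp` into `classify_listeners` after each package removal to confirm which listeners remain.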