Re: essential services? ssh, nfs?

[mouss]

Tyler Smith wrote:
Hi,
I'm working through the security quick start how to, and I'm not clear
on what services are required and which ones I can safely remove. I'm
running a single laptop, which I connect to the net via wireless at
home or at cafes, and via an ethernet cable at work. 

1) I never login remotely, so I think I can safely do away with
openssh-server? 

tcp6        *:ssh                   *:*       LISTEN     3026/sshd           

2) The how-to suggests that for my setup I don't need anything to do
with NFS - netstat reports rpc.statd and portmap as listening. Can I
just purge nfs-common and portmap?

tcp         *:37381                 *:*       LISTEN     2603/rpc.statd      
tcp         *:sunrpc                *:*       LISTEN     2578/portmap        


3) I have apache installed as a dependency of doc-central. netstat
shows it to be listening to all interfaces. Is there a way to set it
to listen only for local connections? I don't understand this very
well, but it seems I shouldn't need to listen to anyone from the
outside to connect to my docs.

tcp         *:www                   *:*       LISTEN     3826/apache         

  

you need to edit apache config file. look for "Listen" and replace the 
wildcard IP by 127.0.0.1. I personally avoid changing config files that 
come with packages. so here, just use an iptables rule to block incoming 
traffic unless you want it.

4) The only remaining listeners I have are:

tcp         localhost:929           *:*       LISTEN     3721/famd           
tcp         *:auth                  *:*       LISTEN     3661/inetd          
tcp         localhost:smtp          *:*       LISTEN     3385/exim4          

What is auth?

This is the (obsolete?) ident service. you can disable it (after all, 
windows people don't have it and they have no problem surfing...).

If you use a firewall, make sure to reject packets coming in to this 
port, instead of a DROP. Otherwise, services that use ident will be slow 
at connection time.

 Since famd and exim4 are only listening to localhost,
can I conclude they are not a security risk?
  

In general, it's ok, but you still need to keep your eyes open:

- make sure incoming traffic to localhost is blocked (just drop). 127.* 
should not appear on the wire. This really belongs to the IP stack, but 
as I am not sure it is filtered there, stay safe and add an explicit rule.

- make sure you have no NAT rule that redirects incoming traffic to 
localhost.




--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]