linux.debian.user (debian-user@lists.debian.org)
#1
Hi,

I'm working through the security quick start how to, and I'm not clear
on what services are required and which ones I can safely remove. I'm
running a single laptop, which I connect to the net via wireless at
home or at cafes, and via an ethernet cable at work.

1) I never login remotely, so I think I can safely do away with
openssh-server?

tcp6 *:ssh *:* LISTEN 3026/sshd

2) The how-to suggests that for my setup I don't need anything to do
with NFS - netstat reports rpc.statd and portmap as listening. Can I
just purge nfs-common and portmap?

tcp *:37381 *:* LISTEN 2603/rpc.statd
tcp *:sunrpc *:* LISTEN 2578/portmap

3) I have apache installed as a dependency of doc-central. netstat
shows it to be listening to all interfaces. Is there a way to set it
to listen only for local connections? I don't understand this very
well, but it seems I shouldn't need to listen to anyone from the
outside to connect to my docs.

tcp *:www *:* LISTEN 3826/apache

4) The only remaining listeners I have are:

tcp localhost:929 *:* LISTEN 3721/famd
tcp *:auth *:* LISTEN 3661/inetd
tcp localhost:smtp *:* LISTEN 3385/exim4

What is auth? Since famd and exim4 are only listening to localhost,
can I conclude they are not a security risk?

Thanks for your ,

Tyler

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

#2
On Sun, Jul 29, 2007 at 04:11:55PM +0000, Tyler Smith wrote:
>
> I'm working through the security quick start how to, and I'm not clear
> on what services are required and which ones I can safely remove. I'm
> running a single laptop, which I connect to the net via wireless at
> home or at cafes, and via an ethernet cable at work.
>
> 1) I never login remotely, so I think I can safely do away with
> openssh-server?

If you don't need it, and a package isn't there to meet a dependency,
get rid of it.

> tcp6 *:ssh *:* LISTEN 3026/sshd
>
> 2) The how-to suggests that for my setup I don't need anything to do
> with NFS - netstat reports rpc.statd and portmap as listening. Can I
> just purge nfs-common and portmap?
>
> tcp *:37381 *:* LISTEN 2603/rpc.statd
> tcp *:sunrpc *:* LISTEN 2578/portmap
>

Ditto.

> 3) I have apache installed as a dependency of doc-central. netstat
> shows it to be listening to all interfaces. Is there a way to set it
> to listen only for local connections? I don't understand this very
> well, but it seems I shouldn't need to listen to anyone from the
> outside to connect to my docs.
>
> tcp *:www *:* LISTEN 3826/apache
>

I've never run apache so don't know.

> 4) The only remaining listeners I have are:
>
> tcp localhost:929 *:* LISTEN 3721/famd
> tcp *:auth *:* LISTEN 3661/inetd
> tcp localhost:smtp *:* LISTEN 3385/exim4
>
> What is auth? Since famd and exim4 are only listening to localhost,
> can I conclude they are not a security risk?
>

What do you have uncommented in /etc/inetd.conf? I don't have anything,
so inetd doesn't start up at boot.

Finally, as the last defence, do you have a good firewall setup? I use
shorewall with a default net to all DROP and everything else REJECT,
then open ports as needed in rules.

Doug.

#3
On Sun, 29 Jul 2007, Tyler Smith wrote:
> Hi,
>
> I'm working through the security quick start how to, and I'm not clear
> on what services are required and which ones I can safely remove. I'm
> running a single laptop, which I connect to the net via wireless at
> home or at cafes, and via an ethernet cable at work.
>
> 1) I never login remotely, so I think I can safely do away with
> openssh-server?
>
> tcp6 *:ssh *:* LISTEN 3026/sshd
>
> 2) The how-to suggests that for my setup I don't need anything to do
> with NFS - netstat reports rpc.statd and portmap as listening. Can I
> just purge nfs-common and portmap?
>
> tcp *:37381 *:* LISTEN 2603/rpc.statd
> tcp *:sunrpc *:* LISTEN 2578/portmap
>
> 3) I have apache installed as a dependency of doc-central. netstat
> shows it to be listening to all interfaces. Is there a way to set it
> to listen only for local connections? I don't understand this very
> well, but it seems I shouldn't need to listen to anyone from the
> outside to connect to my docs.
>
> tcp *:www *:* LISTEN 3826/apache
>
> 4) The only remaining listeners I have are:
>
> tcp localhost:929 *:* LISTEN 3721/famd
> tcp *:auth *:* LISTEN 3661/inetd
> tcp localhost:smtp *:* LISTEN 3385/exim4
>
> What is auth? Since famd and exim4 are only listening to localhost,
> can I conclude they are not a security risk?
>
> Thanks for your ,
>
> Tyler
>

the general rule of thumb, is if you don't use it, turn it off. I'd turn
off almost everything. You can leave exim and famd on.
to turn auth off, you can edit /etc/inetd.conf and comment out the line
that starts with ident.

for portmap:
update-rc.d -f portmap remove
for rpc.statd:
update-rc.d -f rpc.statd remove
ssh:
update-rc.d -f ssh remove

to bind apache to the localhost, in /etc/apache2/ports.conf change the
Listen 80 to Listen 127.0.0.1:80, then restart apache.

-+-
8 out of 10 Owners who Expressed a Preference said Their Cats Preferred Techno.
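Jeff's checklist (comment out the ident line in /etc/inetd.conf, remove the init scripts, change Apache's Listen to 127.0.0.1) is easy to verify afterwards from the same three sources. The script below is an added example, not code from the thread or from Debian: three small stdin filters plus constructed sample input modelled on Tyler's netstat listing. The `netstat -tap` column layout it assumes, the sample inetd.conf line and the sample ports.conf are assumptions, not anything quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Debian box the way the replies suggest.
# Each check reads stdin, so it can be fed from the real source
# (netstat -tap, /etc/inetd.conf, Apache's ports.conf) or from the samples below.

# 1. Listeners reachable from the network: every LISTEN line whose local address is
#    not loopback (localhost:, 127.x:, ::1:). "*:", "0.0.0.0:", ":::" or a LAN address
#    is reachable from whatever network that interface is on.
#    Assumes `netstat -tap` columns: Proto Recv-Q Send-Q Local Foreign State PID/Program.
exposed_listeners() {
    awk '$6 == "LISTEN" {
        local = $4
        if (local ~ /^(localhost|127\.|::1:)/) next
        print local, $NF
    }'
}

# 2. Services inetd will actually start: inetd.conf lines that are neither blank nor
#    commented out. An "ident" line here is what produced the *:auth listener.
enabled_inetd_services() {
    awk 'NF == 0 || $1 ~ /^#/ { next } { print $1 }'
}

# 3. Apache Listen directives bound to every interface: a bare port ("Listen 80"),
#    "0.0.0.0:port" or "[::]:port". "127.0.0.1:80" and "[::1]:80" are local-only.
apache_wildcard_listens() {
    awk '/^[[:space:]]*#/ { next }
         $1 == "Listen" {
             a = $2
             if (a !~ /:/ || a ~ /^0\.0\.0\.0:/ || a ~ /^\[::\]:/) print
         }'
}

# Constructed sample input (not real output), mirroring the listeners Tyler reported.
SAMPLE_NETSTAT='tcp6       0      0 *:ssh          *:*   LISTEN  3026/sshd
tcp        0      0 *:37381        *:*   LISTEN  2603/rpc.statd
tcp        0      0 *:sunrpc       *:*   LISTEN  2578/portmap
tcp        0      0 *:www          *:*   LISTEN  3826/apache
tcp        0      0 localhost:929  *:*   LISTEN  3721/famd
tcp        0      0 *:auth         *:*   LISTEN  3661/inetd
tcp        0      0 localhost:smtp *:*   LISTEN  3385/exim4'

SAMPLE_INETD='# /etc/inetd.conf (constructed sample)
#telnet  stream tcp nowait root   /usr/sbin/tcpd   /usr/sbin/in.telnetd
ident    stream tcp wait   identd /usr/sbin/identd identd'

SAMPLE_PORTS_CONF='# ports.conf (constructed sample)
Listen 80
Listen 127.0.0.1:8080'

echo "== listeners reachable from the network =="
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
echo "== inetd services still enabled =="
printf '%s\n' "$SAMPLE_INETD" | enabled_inetd_services
echo "== Apache Listen directives bound to all interfaces =="
printf '%s\n' "$SAMPLE_PORTS_CONF" | apache_wildcard_listens
```

On a live system the same functions run as `netstat -tap | exposed_listeners`, `exposed_listeners < /etc/inetd.conf` style pipelines; after Jeff's changes the first check should print nothing at all, which is the state Tyler reports further down the thread.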

#4
On Sun, 29 Jul 2007, Tyler Smith wrote:
> Hi,
>
> I'm working through the security quick start how to, and I'm not clear
> on what services are required and which ones I can safely remove. I'm
> running a single laptop, which I connect to the net via wireless at
> home or at cafes, and via an ethernet cable at work.
>
> 1) I never login remotely, so I think I can safely do away with
> openssh-server?
>
> tcp6 *:ssh *:* LISTEN 3026/sshd
>
> 2) The how-to suggests that for my setup I don't need anything to do
> with NFS - netstat reports rpc.statd and portmap as listening. Can I
> just purge nfs-common and portmap?
>
> tcp *:37381 *:* LISTEN 2603/rpc.statd
> tcp *:sunrpc *:* LISTEN 2578/portmap
>
> 3) I have apache installed as a dependency of doc-central. netstat
> shows it to be listening to all interfaces. Is there a way to set it
> to listen only for local connections? I don't understand this very
> well, but it seems I shouldn't need to listen to anyone from the
> outside to connect to my docs.
>
> tcp *:www *:* LISTEN 3826/apache
>
> 4) The only remaining listeners I have are:
>
> tcp localhost:929 *:* LISTEN 3721/famd
> tcp *:auth *:* LISTEN 3661/inetd
> tcp localhost:smtp *:* LISTEN 3385/exim4
>
> What is auth? Since famd and exim4 are only listening to localhost,
> can I conclude they are not a security risk?
>
> Thanks for your ,
>
> Tyler
>

erf, it's too early, not enough coffee yet, but you might want to add
this one to the list too:

update-rc.d -f nfs-common remove

You can also just remove the packages that control these though. But,
personally I like to keep them around, just in case I need to turn them
back on at some point. It's come in handy for me a few times to have
the services available.

#5
Tyler Smith wrote:
> Hi,
>
> I'm working through the security quick start how to, and I'm not clear
> on what services are required and which ones I can safely remove. I'm
> running a single laptop, which I connect to the net via wireless at
> home or at cafes, and via an ethernet cable at work.
>
> 1) I never login remotely, so I think I can safely do away with
> openssh-server?
>
> tcp6 *:ssh *:* LISTEN 3026/sshd
>
> 2) The how-to suggests that for my setup I don't need anything to do
> with NFS - netstat reports rpc.statd and portmap as listening. Can I
> just purge nfs-common and portmap?
>
> tcp *:37381 *:* LISTEN 2603/rpc.statd
> tcp *:sunrpc *:* LISTEN 2578/portmap
>
> 3) I have apache installed as a dependency of doc-central. netstat
> shows it to be listening to all interfaces. Is there a way to set it
> to listen only for local connections? I don't understand this very
> well, but it seems I shouldn't need to listen to anyone from the
> outside to connect to my docs.
>
> tcp *:www *:* LISTEN 3826/apache
>

you need to edit the apache config file. look for "Listen" and replace
the wildcard IP by 127.0.0.1.

I personally avoid changing config files that come with packages. so
here, just use an iptables rule to block incoming traffic unless you
want it.

> 4) The only remaining listeners I have are:
>
> tcp localhost:929 *:* LISTEN 3721/famd
> tcp *:auth *:* LISTEN 3661/inetd
> tcp localhost:smtp *:* LISTEN 3385/exim4
>
> What is auth?

This is the (obsolete?) ident service. you can disable it (after all,
windows people don't have it and they have no problem surfing...).

If you use a firewall, make sure to reject packets coming in to this
port, instead of a DROP. Otherwise, services that use ident will be
slow at connection time.

> Since famd and exim4 are only listening to localhost,
> can I conclude they are not a security risk?
>

In general, it's ok, but you still need to keep your eyes open:

- make sure incoming traffic to localhost is blocked (just drop).
  127.* should not appear on the wire. This really belongs to the IP
  stack, but as I am not sure it is filtered there, stay safe and add
  an explicit rule.
- make sure you have no NAT rule that redirects incoming traffic to
  localhost.

#7
On 2007-07-29, Jeff D <fixedored@gmail.com> wrote:
>
> the general rule of thumb, is if you dont use it, turn it off. I'd turn
> off almost every thing. You can leave exim and famd on.
> to turn auth off, you can edit /etc/inetd.conf and comment out the line
> that starts with ident.
>
> for portmap:
> update-rc.d -f portmap remove
> for rpc.statd:
> update-rc.d -f rpc.statd remove
> ssh:
> update-rc.d -f ssh remove
>
> to bind apache to the localhost, in /etc/apache2/ports.conf change the
> Listen 80 to Listen 127.0.0.1:80, then restart apache.
>

Thanks Jeff, Doug, and everyone! I purged the ssh-server, and followed
Jeff's advice to remove everything else. On rebooting now I have:

root:tyler# netstat -tap | grep LISTEN
localhost:www *:* LISTEN 4371/apache
localhost:smtp *:* LISTEN 3331/exim4

I don't know what happened to famd, but it's gone now. I did have to
change my bookmarks for doc-central from blackbart.mynetwork/dc to
localhost/dc, and that's working. The actual change in the apache
conf was in the file /etc/apache/httpd.conf. Other than that there
were no surprises.

Now that I have nothing listening to the outside world, do I still
need a firewall? I have been using firestarter, but not consistently.

Cheers,

Tyler

#8
On Sun, Jul 29, 2007 at 05:52:12PM +0000, Tyler Smith wrote:
> Now that I have nothing listening to the outside world, do I still
> need a firewall? I have been using firestarter, but not consistently.
>

I look at a firewall as icing on the cake. If you reject and log local
to net, anything trying to go out that you haven't configured gives you
something to trace.

For example, I recently put etch onto my 486 and installed ntp. Between
the time I installed it and when I configured it to look to my main
box, it came configured to try to access the debian ntp pool. Those
packets were rejected but I got an email from my main box warning me
about it.

Doug.
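Pulling the firewall advice in this thread together: Doug's default net-to-all DROP (#2), the REJECT-not-DROP for ident and the "127.* should not appear on the wire / no NAT rule to localhost" points (#5), and logging what tries to go out so an unconfigured daemon shows up (#8). The script below is an added example, not code from any poster, shorewall or firestarter. It prints the iptables commands instead of running them unless IPT=iptables is set in the environment; the exact rule set, the OUT-NEW log prefix and the constructed nat-table lines fed to the check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal iptables ruleset for a laptop that
# offers no services to the network. By default it only PRINTS the commands;
# run as root with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

laptop_firewall() {
    # Clean slate for the filter table.
    $IPT -F INPUT
    $IPT -F OUTPUT
    # Default policy: drop unsolicited traffic from the net, never forward.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback traffic only ever travels on lo ...
    $IPT -A INPUT -i lo -j ACCEPT
    # ... so 127.0.0.0/8 arriving on a real interface is bogus: drop it silently.
    $IPT -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    $IPT -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

    # Replies to connections this host opened.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ident/auth (tcp/113): REJECT so remote mail/IRC servers that probe ident get an
    # immediate refusal instead of hanging until their ident lookup times out.
    $IPT -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # Log every NEW outbound connection, so a freshly installed daemon that starts
    # talking to the net (Doug's ntp example) leaves a trace in the kernel log.
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW -j LOG --log-prefix "OUT-NEW: " --log-level info
}

# NAT sanity check: a DNAT rule pointing incoming traffic at 127.0.0.0/8 would
# reopen a "localhost-only" listener. Reads `iptables -t nat -S` output from stdin
# and prints the offending rules; no output means none were found.
nat_rules_to_loopback() {
    grep -- '-j DNAT --to-destination 127\.' || true
}

laptop_firewall
```

To audit an existing setup, pipe the live table through the check: `iptables -t nat -S | nat_rules_to_loopback`. The OUTPUT rule only logs; rejecting unconfigured outbound traffic the way Doug does means opening each needed port explicitly, which is a policy choice rather than something this example decides for you.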