A friend of mine runs Fedora with the Security-Enhanced Linux (SELinux) kernel. I thought that was overkill for desktop use. We started a debate on this and decided to check our systems against vulnerabilities. Now it was a matter of "my computer" vs "his computer".
I came across the Security Quick-Start HOWTO for Linux, followed it, and found that I have the following ports open:
$ sudo netstat -ntap | grep LISTEN
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 4950/hpiod
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 4924/cupsd
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 4958/python
So Ubuntu does have some ports open; however, these look like printer ports (hpiod and the python process belong to HPLIP, the HP printer driver stack, and cupsd is the CUPS print server). Well, these should be open if I need to use my printer, shouldn't they? Note the local address column: all three sockets are bound to 127.0.0.1, the loopback interface, so they accept connections only from this machine and not from the network.
I did a little more research and came across an excellent tool for scanning all my open ports, "nmap".
It is not installed by default in Ubuntu; you can install it with:
sudo apt-get install nmap
I ran the tool and got the following results:
$ nmap localhost
Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-08 08:21 IST
Interesting ports on localhost (127.0.0.1):
Not shown: 1696 closed ports
PORT STATE SERVICE
631/tcp open ipp
Nmap finished: 1 IP address (1 host up) scanned in 0.183 seconds
A simple Google search on "631/tcp open ipp" led me to a detailed description by Kurt Seifried. What he wrote was horrifying; I quote:
Common problem(s): Attacks against print servers are common, the most common IPP server CUPS has suffered a number of serious flaws over the years, many of which are due to its PDF processing code being taken directly from xpdf (an X Windowing System based program for viewing PDF files on UNIX), from the CVE database:
So, unknowingly I have rendered my home computer helpless against a very common form of attack.
Also, when we download a new version of Ubuntu using a BitTorrent client, we open the BitTorrent port as well.
I had two options:
- Stop the printer services. Why not? I need to print sometimes, and starting the printer services every time I want to print does not seem like a good idea. For people who do not mind that:
sudo /etc/init.d/hplip stop
sudo /etc/init.d/cupsys stop
- Install a firewall. Ubuntu does not come with a firewall configured by default (the kernel's netfilter/iptables is present, but no rules are loaded). However, it is easy to install a front end such as Firestarter, which manages the iptables rules for you:
sudo apt-get install firestarter
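As an added example that is not part of the original post, here is a small shell script that does the same check as the netstat/nmap steps above and then the "install a firewall" step in plain iptables rather than through Firestarter: it reads netstat -ntap output, separates sockets bound to the loopback address from ones reachable over the network, and emits a minimal iptables ruleset that drops everything inbound except loopback traffic, replies to our own connections, and whichever TCP ports you name. The sample input is constructed from the three lines shown above plus a hypothetical sshd listener on 0.0.0.0:22; the function names are my own.

```shell
#!/bin/sh
# Added example: audit the LISTEN lines of `netstat -ntap` and separate
# loopback-only sockets from ones reachable from the network, then emit a
# minimal iptables ruleset for the host. Not the original post's code.

# Constructed sample: the three lines from the post plus a hypothetical
# sshd bound to all interfaces (0.0.0.0:22) so that one entry is external.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN      4950/hpiod
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      4924/cupsd
tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN      4958/python
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd'

# audit_listeners: read `netstat -ntap` style lines on stdin and print one
# line per LISTEN socket as "<scope> <port> <program>". scope is "loopback"
# for 127.0.0.0/8 and ::1 bindings (reachable only from this machine) and
# "external" for anything else (0.0.0.0, ::, or a specific interface address).
audit_listeners() {
    awk '$6 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)          # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)      # everything before it
        scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "external"
        prog = $7; sub(/^[0-9]+\//, "", prog)    # drop the "PID/" prefix
        print scope, port, prog
    }'
}

# external_ports: just the port numbers an attacker on the network could reach.
external_ports() {
    audit_listeners | awk '$1 == "external" { print $2 }'
}

# iptables_rules: print an iptables script that drops inbound traffic except
# loopback, packets belonging to connections we opened ourselves, and the
# TCP ports passed as arguments. Run the output as root to apply it.
iptables_rules() {
    echo 'iptables -P INPUT DROP'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
}

# Demo on the constructed sample. On a real machine replace the printf with
# `sudo netstat -ntap` (or `ss -ltnp`, whose columns differ).
printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners
echo "--- rules allowing only the external ports found above ---"
iptables_rules $(printf '%s\n' "$SAMPLE_NETSTAT" | external_ports)
```

On the sample, the three HPLIP/CUPS sockets come out as loopback and only port 22 is reported as external, so the generated ruleset opens just that port. The loopback ACCEPT rule is what keeps printing working: CUPS on 127.0.0.1:631 is still reachable from the machine itself, while the DROP policy covers anything that later binds to 0.0.0.0, such as a BitTorrent client.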
Now I feel much safer. At least I have guarded my desktop against the most common attacks and hope that my personal documents, passwords, etc. will remain safe.
Attackers will surely find a way to break my defences and gain access, but I will make it difficult for them.
As of now, my friend has not reported the vulnerabilities he found on his SELinux Fedora, but surely this port issue is going to be a common one.