A friend of mine has Fedora with the Security-Enhanced Linux (SELinux) kernel. I thought that was overkill for desktop use. We started a debate on this and decided to check our systems for vulnerabilities. Now it was a matter of "my computer" vs "his computer".
I came across the Security Quick-Start HOWTO for Linux and followed it, only to find that I have the following ports open:
$ sudo netstat -ntap | grep LISTEN
Password:
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 4950/hpiod
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 4924/cupsd
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 4958/python
So Ubuntu does have some ports open; however, these look like printer ports. Well, these should be open if I need to use my printer, shouldn't they?
I did a little more research and came across an excellent tool to scan all my open ports: "nmap".
It is not installed by default in Ubuntu; you can install it with
"sudo apt-get install nmap"
I ran the tool and got the following results:
$ nmap localhost
Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-08 08:21 IST
Interesting ports on localhost (127.0.0.1):
Not shown: 1696 closed ports
PORT STATE SERVICE
631/tcp open ipp
Nmap finished: 1 IP address (1 host up) scanned in 0.183 seconds
A simple Google search on "631/tcp open ipp" led me to a detailed description by Kurt Seifried. What he wrote was horrifying; I quote:
Common problem(s): Attacks against print servers are common, the most common IPP server CUPS has suffered a number of serious flaws over the years, many of which are due to its PDF processing code being taken directly from xpdf (an X Windowing System based program for viewing PDF files on UNIX), from the CVE database:
So, unknowingly I have rendered my home computer helpless against a very common form of attack.
Also, when we download a new version of Ubuntu using a BitTorrent client, we even open the BitTorrent port.
Wow!!
I had two options:
- Stop the printer services. Why?? I need to print sometimes, and starting the printer services each time I want to print does not seem a good idea. For people who do not mind it:
sudo /etc/init.d/hplip stop
sudo /etc/init.d/cupsys stop
- Install a firewall. Ubuntu does not come with a firewall by default. However, it is easy to install one.
sudo apt-get install firestarter
sudo firestarter
Now I feel much safer. At least I have guarded my desktop against the most common attacks and hope that my personal documents, passwords etc. will remain safe.
Attackers will surely find a way to break my defences and gain access, but I will make it difficult for them.
As of now, my friend has not reported the vulnerabilities he found with SELinux Fedora, but surely this port issue is going to be a common one.
6 comments:
Looks to me cups is set to listen for incoming connections from localhost only.
$ less /etc/cups/cupsd.conf
Cheers.
This was amazing.
Silly of me. Thanks.
err...
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 4950/hpiod
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 4924/cupsd
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 4958/python
127.0.0.1:x means port x is open on the localhost only.
This port is not reachable from the internet.
If you don't believe me, test your open ports with "Shields Up" from grc.com.
So installing a firewall or disabling the services is not useful at this point.
Still, installing a firewall is always a good idea.
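The point made in this comment (a `127.0.0.1:x` listener is reachable only from the machine itself) and the `netstat -ntap | grep LISTEN` listing in the post can both be checked mechanically. The script below is an added example, not part of the original post or of any commenter's reply: it parses netstat LISTEN lines, classifies each socket by its bind address (loopback, all interfaces, or a specific address), reports the ones a remote host could reach if no packet filter were in place, and applies the same logic to the `Listen`/`Port` directives of a cupsd.conf excerpt (the file the earlier comment suggests reading). The netstat sample reuses the three lines from the post plus two constructed lines (an sshd on 0.0.0.0 and an IPv6 wildcard listener) so the contrast is visible; the cupsd.conf excerpt is likewise constructed.

```python
import ipaddress
import re

# Constructed sample: the three LISTEN lines quoted in the post, plus two
# constructed entries bound to all interfaces for contrast.
NETSTAT_SAMPLE = """\
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN      4950/hpiod
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      4924/cupsd
tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN      4958/python
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      2345/apache2
"""

# Constructed excerpt in the style of /etc/cups/cupsd.conf (not the real file).
CUPSD_CONF_SAMPLE = """\
LogLevel warning
Listen localhost:631
Listen /var/run/cups/cups.sock
Browsing Off
"""


def split_host_port(addr):
    """Split 'host:port' as netstat prints it; IPv6 looks like ':::80'."""
    host, _, port = addr.rpartition(':')
    return host, int(port)


def classify_bind(host):
    """Return 'loopback', 'all' or 'specific' for a listening address."""
    if host in ('', '*', '0.0.0.0', '::'):
        return 'all'            # wildcard: every interface on the box
    if host == 'localhost':
        return 'loopback'
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return 'specific'       # some other hostname
    return 'loopback' if ip.is_loopback else 'specific'


def parse_netstat(text):
    """Turn `netstat -ntap | grep LISTEN` output into a list of dicts."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != 'LISTEN':
            continue
        host, port = split_host_port(fields[3])
        pid_prog = fields[6] if len(fields) > 6 else '-'
        rows.append({
            'proto': fields[0],
            'host': host,
            'port': port,
            'program': pid_prog.partition('/')[2] or pid_prog,
            'scope': classify_bind(host),
        })
    return rows


def externally_reachable(rows):
    """Sockets a remote host could connect to if no packet filter blocks them."""
    return [r for r in rows if r['scope'] != 'loopback']


def cups_listen_directives(conf_text):
    """Return (directive, value) pairs for Listen/Port lines in a cupsd.conf."""
    out = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'(Listen|Port)\s+(\S+)', line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def cups_loopback_only(conf_text):
    """True if every TCP listener in the config is loopback-bound.

    A bare `Port N` binds all interfaces; a `Listen /path` is a Unix domain
    socket, which is local by construction and therefore ignored here.
    """
    for directive, value in cups_listen_directives(conf_text):
        if directive == 'Port':
            return False
        if value.startswith('/'):
            continue
        host, _, _ = value.rpartition(':')
        if classify_bind(host) != 'loopback':
            return False
    return True


if __name__ == '__main__':
    rows = parse_netstat(NETSTAT_SAMPLE)
    for r in rows:
        print(f"{r['proto']:5} {r['host']}:{r['port']:<6} {r['program']:10} {r['scope']}")
    print('reachable from the network:',
          [(r['program'], r['port']) for r in externally_reachable(rows)])
    print('cupsd.conf loopback-only:', cups_loopback_only(CUPSD_CONF_SAMPLE))
```

Run against the post's own three lines the report is empty, which is exactly the commenter's point; the two constructed entries show what an exposed listener looks like. A loopback bind is not a substitute for a packet filter (a local process can still reach the port), but it does mean the CUPS flaws quoted in the post are not reachable from the internet in this configuration.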
>> Install a firewall. Ubuntu does not come by default with a firewall.
Actually it does. It uses iptables and Firestarter only acts as a GUI frontend.
Exactly.
It's just that the firewall is not enabled/configured by default :-)
Firestarter is not the only firewall configuration tool, but it's easy to set up and effective.
Sebastien,
Thanks for pointing it out. Tactus had mentioned a similar thing.
Still, it feels much better to know that the ports are not reachable from the internet.