Wednesday, August 8, 2007

Safeguarding Ubuntu

My wife runs Ubuntu Feisty and always takes pride in the fact that Ubuntu is one of the most secure desktop OSes because of its "no open ports" policy: since Ubuntu has no open ports, outside attackers cannot gain access and get hold of my private data.
A friend of mine runs Fedora with SELinux (Security-Enhanced Linux) enabled. I thought that was overkill for desktop use. We got into a debate about this and decided to check our systems for vulnerabilities. Now it was a matter of "my computer" vs. "his computer".

I came across the Security Quick-Start HOWTO for Linux, followed it, and found that I had the following ports open:

$ sudo netstat -ntap | grep LISTEN
Password:
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 4950/hpiod
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 4924/cupsd
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 4958/python

So Ubuntu does have some ports open; however, these look like printing services: cupsd is CUPS, and hpiod and the Python process are daemons of HPLIP, the HP printer driver suite. Well, these need to be open if I want to use my printer, don't they?
I did a little more research and came across an excellent tool for scanning all my open ports: nmap.
It is not installed by default in Ubuntu; you can install it with:
  sudo apt-get install nmap

I ran the tool and got the following results:

$ nmap localhost

Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-08 08:21 IST
Interesting ports on localhost (127.0.0.1):
Not shown: 1696 closed ports
PORT STATE SERVICE
631/tcp open ipp

Nmap finished: 1 IP address (1 host up) scanned in 0.183 seconds

A simple Google search on "631/tcp open ipp" led me to a detailed description by Kurt Seifried. What he wrote was horrifying; I quote:

Common problem(s): Attacks against print servers are common, the most common IPP server CUPS has suffered a number of serious flaws over the years, many of which are due to its PDF processing code being taken directly from xpdf (an X Windowing System based program for viewing PDF files on UNIX), from the CVE database:

So, unknowingly, I had left my home computer helpless against a very common form of attack.
Also, whenever we download a new Ubuntu release with a BitTorrent client, we open the BitTorrent port as well.
Wow!!
I had two options:
  1. Stop the printer services. But why? I need to print sometimes, and starting the printer services by hand each time I want to print does not seem like a good idea. For people who do not mind that:
    sudo /etc/init.d/hplip stop
    sudo /etc/init.d/cupsys stop
  2. Install a firewall. Ubuntu does not come with a firewall by default; however, it is easy to install one:
    sudo apt-get install firestarter
    sudo firestarter
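What Firestarter does under the hood is write an iptables policy. As an added example that is not part of the original post, here is such a desktop policy written out by hand as a POSIX shell script: default-deny inbound, loopback and established traffic allowed, and any service you name allowed explicitly. The function names (desktop_firewall_rules, apply_desktop_firewall) and the proto:port argument syntax are my own; the rules themselves are ordinary iptables syntax in iptables-restore format.

```shell
#!/bin/sh
# Added example, not from the original post: the kind of iptables policy a
# tool like Firestarter builds for a desktop. Prints iptables-restore input;
# nothing touches the kernel unless apply_desktop_firewall is called as root.
#
#   desktop_firewall_rules                  # print the default-deny ruleset
#   desktop_firewall_rules tcp:22 udp:5353  # also allow sshd and mDNS inbound
#   apply_desktop_firewall tcp:22           # load it (root only)

desktop_firewall_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback must stay open: 127.0.0.1-bound daemons such as cupsd depend on it.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host started (browsing, apt, BitTorrent peers we dial).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Answer pings; drop this line if you would rather be invisible on the LAN.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    # Explicitly allowed inbound services: each argument is proto:port, e.g. tcp:22.
    for svc in "$@"; do
        proto=${svc%%:*}
        port=${svc#*:}
        case "$proto" in
            tcp|udp) ;;
            *) printf 'bad service spec: %s\n' "$svc" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) printf 'bad service spec: %s\n' "$svc" >&2; return 1 ;;
        esac
        printf '%s\n' "-A INPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Anything not matched above hits the INPUT DROP policy: silently dropped, no RST.
    printf 'COMMIT\n'
}

apply_desktop_firewall() {
    if [ "$(id -u)" -ne 0 ]; then
        echo 'apply_desktop_firewall: must run as root' >&2
        return 1
    fi
    # iptables-restore replaces the whole filter table atomically.
    desktop_firewall_rules "$@" | iptables-restore
}

# Stand-alone: show the ruleset with no extra services opened.
desktop_firewall_rules
```

Because loopback is accepted unconditionally, the 127.0.0.1-bound CUPS and HPLIP daemons from the netstat listing keep working, so option 2 costs nothing for printing. Later Ubuntu releases ship ufw, which manages the same iptables rules; the policy above is roughly what `ufw default deny incoming` followed by `ufw allow 22/tcp` amounts to.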

Now I feel much safer. At least I have guarded my desktop against the most common attacks, and I hope that my personal documents, passwords, etc. will remain safe.
Attackers will surely find a way to break through my defences and gain access, but I will make it difficult for them.
As of now, my friend has not reported the vulnerabilities he found on his SELinux-enabled Fedora, but this port issue is surely going to be a common one.

6 comments:

Unknown said...

Looks to me like cups is set to listen for incoming connections from localhost only.

$ less /etc/cups/cupsd.conf

Cheers.

Abhay said...

This was amazing.
Silly of me. Thanks.

sebsauvage said...

err...
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 4950/hpiod
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 4924/cupsd
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 4958/python

127.0.0.1:x means port x is open on the localhost only.
This port is not reachable from the internet.

If you don't believe me, test your open ports with "Shields up" from grc.com.

So installing a firewall or disabling the services is not useful at this point.
Still, installing a firewall is always a good idea.
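To make the point of both the netstat listing in the post and this comment concrete, here is an added example (not part of the post or of the comments) that reads netstat output and classifies every LISTEN socket by its bind address, which is what decides whether another host can reach it. The functions and the sample lines beyond the three from the post (a hypothetical sshd on 0.0.0.0:22 and a hypothetical IPv6 cupsd on :::631) are my own constructions.

```shell
#!/bin/sh
# Added example, not from the original post: read `netstat -ntlp` style output
# (the format shown in the post; -n is required so addresses stay numeric) and
# say, per LISTEN socket, whether another host could connect to it. The
# deciding column is "Local Address" = bind-address:port.
#
#   sudo netstat -ntlp | classify_listeners
#   classify_listeners < saved_netstat_output.txt

classify_listeners() {
    awk '
    $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
        local = $4
        # Split on the LAST colon so IPv6 forms such as :::22 and ::1:631 parse.
        n    = match(local, /:[0-9]+$/)
        addr = substr(local, 1, n - 1)
        port = substr(local, n + 1)
        prog = ($7 == "") ? "?" : $7
        if (addr == "127.0.0.1" || addr == "::1")
            verdict = "LOCAL-ONLY"     # loopback: unreachable from other hosts
        else if (addr == "0.0.0.0" || addr == "::")
            verdict = "ALL-IFACES"     # wildcard bind: reachable on every NIC
        else
            verdict = "ONE-IFACE"      # bound to one specific address
        printf "%-10s %-5s %-22s %s\n", verdict, port, local, prog
    }'
}

# Only the port numbers another host could connect to (for scripting or alerts).
exposed_ports() {
    classify_listeners | awk '$1 != "LOCAL-ONLY" { print $2 }'
}

# Constructed sample: the three lines from the post plus a hypothetical sshd on
# the wildcard address and a hypothetical IPv6 cupsd listener.
SAMPLE='tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN      4950/hpiod
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      4924/cupsd
tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN      4958/python
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp6       0      0 :::631                  :::*                    LISTEN      4924/cupsd'

# Stand-alone: classify the sample. On a real box pipe netstat into it instead.
printf '%s\n' "$SAMPLE" | classify_listeners
```

On the post's own netstat output this reports all three daemons as LOCAL-ONLY and exposed_ports prints nothing. Two caveats that the nmap run in the post illustrates: `nmap localhost` scans 127.0.0.1 and therefore sees loopback-bound services as open, so to learn what other machines see you scan from another machine or check the bind address as above; and nmap only probes its default port list, which is why it reported only 631 while netstat also listed 2207 and 2208, so the host's own socket table is the authoritative inventory. A loopback-only service is still reachable by every local process, including a browser coaxed into sending a request to 127.0.0.1:631, so the CUPS flaws in the Seifried quote are a reason to keep it patched even though the firewall question is moot for it.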

Anonymous said...

>> Install a firewall. Ubuntu does not come by default with a firewall.

Actually it does. It uses iptables and Firestarter only acts as a GUI frontend.

sebsauvage said...

Actually it does. It uses iptables and Firestarter only acts as a GUI frontend.

Exactly.
It's just that the firewall is not enabled/configured by default :-)

Firestarter is not the only firewall configuration tool, but it's easy to set up and effective.

Abhay said...

Sebastien,
Thanks for pointing it out. Tactus had mentioned a similar thing.
Still it feels much better to know that the ports are not reachable from internet.
