Paranoid Penguin - Brutally Practical Linux Desktop Security

Navigate hostile networks with impunity!
Turning Off Network Listeners

So, assuming you're fully patched already—and I assure you I am—let's get busy disabling network listeners. The first step in doing this is to find them. If I run the command netstat --inet -al on my Ubuntu laptop, I see what is shown in Listing 1.

You can see I'm running the Swat front end for administering Samba services, the Secure Shell dæmon, the Internet Printing Protocol and Squid (whose default port is TCP 3128). Hmm, you'd never guess that I recently wrote articles on Samba and Squid, would you?

Well, those articles are long finished, so right now I don't have any compelling reason to keep any of these services running, especially when I travel. I not only need to shut them down, but also disable their startup scripts. I could simply uninstall them, but I might need them later. Still, as a general rule, if you can uninstall unnecessary software, you should. Doing so via your preferred package manager is simple enough for me to skip describing here.

At the application level, I can use Swat to shut down Samba cleanly. This clobbers the netbios nameservice (netbios-ns) and netbios datagram (netbios-dgm) udp listeners in Listing 1. But, I also need to disable the Samba startup scripts and Swat itself.

Distributions vary in how they handle startup scripts for system dæmons like these. On SUSE, you can use YaST2 or the command insserv. On Red Hat, Fedora and CentOS systems, use the command chkconfig.

Because my system runs Ubuntu, I can use either the Services Settings applet (Figure 1) in my X Window System's Applications menu or the update-rc.d command. Let's start with the Services Settings applet, which, by the way, is part of GNOME and, therefore, may very well be installed on your non-Ubuntu GNOME desktop too.

Figure 1. GNOME Services Applet

Figure 1 shows the Services Settings applet after I've already clicked the Unlock button and provided my root password. Figure 1 also shows the bottom of the list of services running on my system, but that's where some of the juicier items are. I definitely want to uncheck the boxes next to Proxy cache service (squid), Remote shell server (ssh) and Web server (apache2).

What about Printer service (cups)? I'll disable that too, because at DEFCON, it's highly unlikely I'll need to print anything (or even have the opportunity to). But, note that as Listing 1 shows, my system is listening only for incoming IPP connections on the loopback interface (localhost:ipp). It isn't listening for remote connections to this service.

Me being me, I'll disable it anyhow. A “local” attack vector is local only until some other process is hijacked by a remote attacker, at which point the hijacked process might be used to spawn some other process that can attach to the thing having the “local” vulnerability.

Along the same lines—that is, in the interests of generalized paranoia—I'll also disable the following in Services Settings (not shown in Figure 1):

  • Account information resolver (winbind).

  • Folder sharing service (samba).

  • Multicast DNS service discovery (avahi-daemon).

  • Network service (xinetd).

Those are all things I'm sure I can live without in an untrusted environment. File sharing in particular, in the form of Samba and its winbind service, is to be avoided in such settings. Now if I re-run my netstat --inet -al command, I see only what is shown in Listing 2.



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

I just have been to a seminar

pari sportif's picture

I just have been to a seminar and they told us the exact same thing. Thanks for sharing, you made a great point.

Great Article, but can you tell us some more?

winfree's picture

Great read this month. I really like that you address an issue for very insecure networks but relate it to everyday use. I was motivated afterward to check the security of my NFS/SVN server as well. When I did a netstat --inet -al, I saw lost of things I wasn't expecting. Maybe you could cover security of the "small home" server one of these next months (or is there something I missed in the past?).
Also, you mentioned using IMAPS, POP3S, etc... IMAP with the SSL option (say in Thunderbird) is just that, right?
As a closing comment, I appreciate that you also included info on the Firefox Add-ons like Ghostery, I'll be checking those out soon. But what about TOR? Does The Onion Router offer any security? Does it compromise security since you're asking others to handle your packets? What about if VPN isn't an option? I know I've used it in the past to get past domain name filtering on networks (all forums and blogs were blocked at my work once, including the ones on PHP I needed access to).
Thanks again for a good read, just when I was thinking I might not renew my subscription, you convinced me otherwise.

The thing about life is, no one gets out alive. Enjoy it while you can!