-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, Aug 29, 2015 at 06:39:46PM -0500, rlhar...@oplink.net wrote:
> On Sat, August 29, 2015 3:56 pm, to...@tuxteam.de wrote:
> >> tcp  0   0    0.0.0.0:9999            0.0.0.0:*  LIS  561/inetd
> >
> > As others noted: what's inetd doing on 9999? Do have a look at
> > its config files (somewhere in /etc/inetd.conf).
> 
> As I noted previously, port 9999 is the approx server; there is a line for
> it in /etc/inetd.conf:
> 
> #:OTHER: Other services
> 9999 stream tcp       nowait  approx  /usr/sbin/approx /usr/sbin/approx

Sorry, missed that. You might consider binding the listening socket
to 127.0.0.1 unless you want to provide the service network-wide.

> >> tcp  0   0    0.0.0.0:22              0.0.0.0:*  LIS  568/sshd
> >
> > Common wisdom is to keep that (but to secure it properly, by disabling
> > root logins and possibly password logins). Perhaps you can ssh into your
> > laptop should the UI become unresponsive for some reason (e.g. X botches
> > the graphics card but you still have some running programs you'd want to
> > finalize in an orderly mode).
> 
> On the desktop, I do use "screen" over ssh to access another desktop, but
> I can do without ssh access to the laptop.

Your call :-)

> >> tcp  0   0    127.0.0.1:631           0.0.0.0:*  LIS  1248/cupsd
> >
> > Are you using your laptop as a print server? If not, the cups-client
> > package might be enough.
> 
> Then should I uninstall the cups-daemon and cups-server-common packages?

See the other discussion. The cups server is bound to localhost (a fact I
overlooked on my first mail, as pointed out by Brian), and thus not reachable
from the network: thus most probably harmless; it would "serve"
locally-attached printers (for example, a USB-attached printer) to
local clients. In such a configuration, you'd need it.

> >> tcp  0   0    127.0.0.1:5432          0.0.0.0:*  LIS  675/postgres
> >> tcp  0   0    127.0.0.1:25            0.0.0.0:*  LIS  1063/exim4
> >
> > Database server, mail server. What are they doing? For postgres,
> > you could configure it to just serve over a UNIX domain socket, if the
> > only applications around connect locally. Your call. For exim4 (mail
> > server)... depends on your mail setup.
> 
> I thought that I had left mail unconfigured, but perhaps not.

As far as I know Debian itself needs a minimal working mail infrastructure,
so that might be just part of this. Locally-bound, thus harmless, as
above.

> >> tcp  0   0    127.0.0.1:2628          0.0.0.0:*  LIS  599/0
> >
> > Uh -- what is *this*? A process called "0"? Looks really strange
> > to me.
> 
> 2628 turns out to be the port for the dictionary server; I am using
> localhost as the server.

Also locally bound.

> No.  I simply was trying to make the laptop synchronize its clock whenever
> it connects to the Internet.  It appears that the package ntpdate is
> adequate for a laptop, and that is the package I should have installed;
> but I installed package ntp, which obviates the need for ntpdate.

Hm. The "real" NTPD has quite a few advantages over plain ntpdate (among
other things it calibrates the local clock, thus minimizing skew even
when there's no connectivity). Perhaps there's a way to configure it so
that it doesn't provide a service, which in the case of a laptop wouldn't
make any sense. But I don't know whether ntpd configuration allows that
(you can set it to pretty restrictive, though).

> 
> > I'd disable/uninstall many of those [...]
> 
> At this point, I think that I should make a fresh installation, keeping in
> mind the comments which you and others have made.

Dunno. We went with a very fine comb over things. It's always a balance
between convenience/feasibility and security. You're not at the NSA, trying
to whistle-blow, after all (use TAILS for that, and some help from trusted
friends). If you reduce the lists by a bit, you'll end up with a manageable
set of things you could try to uninstall (and see what'd go down with it:
I don't know how much of GNOME is torn down these days if you take down
Avahi, just for one example).

The most interesting part here is the process. What makes you secure is
some awareness of what's in your box and what it's doing there.

Regards
- -- t
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlXivlIACgkQBcgs9XrR2kYH9wCcD0SPPe28IgErxWnWChP5Tz0e
shoAnRivub03uj1II+o+yK1RjKQDY3xi
=PVEJ
-----END PGP SIGNATURE-----
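The whole thread boils down to one check: which listeners in the `netstat -tlnp` output are bound to all interfaces (0.0.0.0, ::) and which only to loopback. Below is an added example, not part of the mailing-list message above, that automates that triage in POSIX shell. The sample listing is constructed: it mirrors the netstat lines quoted in the thread, with the tcp6/sshd and udp/ntpd rows and the program name "dictd" being assumptions added for the example, and the pids are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): classify the listeners in a
# `netstat -tulnp` listing by bind address, so that anything reachable
# from the network (0.0.0.0 / :: / *) stands out from loopback-only services.

# Constructed sample input modelled on the listing quoted in the thread.
# The tcp6/sshd and udp/ntpd rows and the name "dictd" are assumptions.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN      561/inetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      568/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1248/cupsd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      675/postgres
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1063/exim4
tcp        0      0 127.0.0.1:2628          0.0.0.0:*               LISTEN      599/dictd
tcp6       0      0 :::22                   :::*                    LISTEN      568/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           700/ntpd'

# bind_class ADDR:PORT -> wildcard | loopback | specific
# Handles netstat's 0.0.0.0:PORT and :::PORT, and ss-style *:PORT and [::]:PORT.
bind_class() {
    bc_host="${1%:*}"              # strip the trailing :PORT (split at the last colon)
    case "$bc_host" in
        0.0.0.0|::|'[::]'|'*')       echo wildcard ;;   # every interface: network-reachable
        127.*|::1|'[::1]'|localhost) echo loopback ;;   # this host only
        *)                           echo specific ;;   # one concrete interface address
    esac
}

# audit_listeners: stdin = netstat -tulnp output
#                  stdout = "<class> <proto> <local address> <pid/program>"
audit_listeners() {
    # keep only tcp/udp/tcp6/udp6 rows (drops the two header lines);
    # field 4 is the local address, the last field the program, which also
    # works for udp rows where the State column is empty
    awk '$1 ~ /^(tcp|udp)6?$/ { print $1, $4, $NF }' |
    while read -r al_proto al_addr al_prog; do
        printf '%s %s %s %s\n' "$(bind_class "$al_addr")" "$al_proto" "$al_addr" "$al_prog"
    done
}

# exposed_listeners: only the rows that a host on the network could reach
exposed_listeners() {
    audit_listeners | awk '$1 == "wildcard" { print $2, $3, $4 }'
}

# count_exposed: number of network-reachable listeners in the sample
count_exposed() {
    printf '%s\n' "$SAMPLE" | exposed_listeners | wc -l | tr -d ' '
}

# Stand-alone run: full classification, then the short list that needs a decision.
printf '%s\n' "$SAMPLE" | audit_listeners
echo "exposed listeners: $(count_exposed)"
```

Against the sample, only inetd/approx on 9999, sshd on 22 (v4 and v6) and ntpd on udp/123 come out as "wildcard"; cupsd, postgres, exim4 and the dictionary server are loopback-only, which is the conclusion the thread reaches by hand. For a real run, replace `printf '%s\n' "$SAMPLE"` with `netstat -tulnp` (as root, so the program column is filled in). The usual fixes for the exposed ones are a bind address in the service's own configuration: openbsd-inetd's inetd.conf(5) accepts a host prefix on the service field (`127.0.0.1:9999 stream tcp nowait approx ...`), PostgreSQL stops listening on TCP entirely with `listen_addresses = ''` (Unix-domain socket only), and ntpd's `restrict` lines (`restrict default ignore` plus explicit entries for 127.0.0.1 and the configured servers, see ntp.conf(5)) keep it from serving anyone while it still disciplines the local clock.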
