Re: cups security summary

2002-04-12 Thread Hubert Chan
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Dale" == Dale Southard [EMAIL PROTECTED] writes:

Dale> If you've done step 1, step 2 is redundant protection.  There
Dale> shouldn't be anything listening on 631 anyplace except loopback.

Right, but step 2 has no negative effects (other than some extra time
needed to learn how to set up the firewall), and ensures that no one can
connect to port 631 even if you accidentally misconfigure something, or
something overwrites your configuration.

IMHO, pretty much every box should have its own firewall installed.  It
prevents various bad things from happening (trojans, misconfigured
daemons) and is an extra layer of protection just in case.  You can
set it up to deny all packets except for
  - packets which are part of a connection that you established
(e.g. HTTP replies)
  - whatever ports you want open to the public

- -- 
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD  6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.   Encrypted e-mail preferred.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8tm2nZRhU33H9o38RAlB6AJ9dCp2HsASAYX4lnF0OHRxlhyXKLQCgwWol
lKhtaGUMfqM8VW5kqzL8zps=
=dMWw
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
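The default-deny host firewall Hubert describes, written out as an added example for this archive page (it is not code from the thread). It assumes a Linux host with legacy iptables syntax and the conntrack match; the function only prints the commands, so the ruleset can be reviewed before it is applied with `firewall_rules 22 80 | sh` as root. IPv4 only; ip6tables needs the same rules.

```shell
#!/bin/sh
# Added example, not from the thread.  Assumed: Linux, iptables (legacy
# syntax), conntrack match available.  Prints commands; does not apply them.

# firewall_rules [PORT ...]
# Emit a ruleset that drops every inbound packet except loopback traffic,
# packets belonging to connections this host opened (e.g. HTTP replies), and
# new TCP connections to the listed public ports.  631 is never listed, so
# CUPS stays reachable only over loopback even if cupsd.conf is later changed
# back to listen on every interface.
firewall_rules() {
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "firewall_rules: bad port '$port'" >&2; return 1 ;;
        esac
    done
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"                 # default deny inbound
    echo "iptables -P FORWARD DROP"               # this is a host, not a router
    echo "iptables -P OUTPUT ACCEPT"              # the host may open connections
    echo "iptables -A INPUT -i lo -j ACCEPT"      # loopback: where cupsd listens
    # replies to connections we established
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for port in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # rate-limited log of what the default policy drops, so an accidental
    # listener on 631 shows up in syslog when something tries to reach it
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'fw-drop: '"
    return 0
}

# Example: ssh and http open to the public, everything else dropped.
firewall_rules 22 80
```

The ports are validated before anything is printed so a typo cannot leave a half-emitted ruleset; the LOG rule at the end is what turns the "extra layer" into something you can see in the logs when the first layer fails.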



Re: cups security summary

2002-04-11 Thread Torrin

OK, in summary.

1. I should set it to listen only on the local interface by setting

Listen 127.0.0.1:631

in the cupsd.conf file.

2. I should firewall off the port.  This part is already done, I just
don't like to have ports open.

So from what people have said, I guess there isn't a way to run cups and
close the port.  Is the open port essential to its operation, like open
port 22 is essential to the operation of ssh?

-- 
http://www.torrin.net
I hate pine. Give me mutt any day.  http://www.mutt.org



Re: cups security summary

2002-04-11 Thread Dale Southard
Torrin [EMAIL PROTECTED] writes:

> OK, in summary.
> 
> 1. I should set it to listen only on the local interface by setting
> 
> Listen 127.0.0.1:631
> 
> in the cupsd.conf file.
> 
> 2. I should firewall off the port.  This part is already done, I just
> don't like to have ports open.
> 
> So from what people have said, I guess there isn't a way to run cups and
> close the port.  

Step 1 causes cups to bind only to the loopback interface.  After
making the change, restart the cupsd and nmap scan your loopback
(localhost) and public interfaces -- you shouldn't see 631 open on
anything but the loopback.

If you've done step 1, step 2 is redundant protection.  There
shouldn't be anything listening on 631 anyplace except loopback.


> Is the open port essential to it's operation, like open
> port 22 is essential to the operation of ssh?

In any unix printing architecture, there has to be a way to get the
client's data to the host's print server.  In traditional lpr and lp,
the client command copies or symlinks the data into the spool
directory (which is why lp/lpr is usually SUID or SGID).

In cups, the print data is transferred to the server via http
protocol.  This means the client program doesn't need any special
privileges, but does require that the server be listening on a port
somewhere.

Which is ultimately a better idea from a security perspective is a
matter of opinion and situation.


-- 

/*  Dale Southard Jr.  [EMAIL PROTECTED]  925-422-1463, fax 422-9429  */
/*  Computer Scientist, Accelerated Strategic Computing Initiative  */
/*  L-073,  Lawrence Livermore National Lab,  Livermore CA   94551  */
/*  AFF/I, SL/I, T/I, D-11216, Sr. Rig --- I'd rather be skydiving  */
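Two checks for step 1 of Torrin's summary and the verification Dale describes, as an added example that is not code from the thread: the first reads cupsd.conf and flags any Listen or Port directive that would bind something other than loopback, the second reads `ss -ltn` output (the socket-level equivalent of scanning the interfaces with nmap) and reports where port 631 is actually bound. Assumed: the Listen/Port directive syntax of cupsd.conf and the column layout of `ss -ltn` on a current Linux system; the sample config fragments and socket listings are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread.  Assumed: cupsd.conf Listen/Port
# syntax, `ss -ltn` column layout.  Sample inputs below are constructed.

# cups_conf_audit FILE
# Return 0 when every Listen/Port directive in FILE binds only loopback
# (127.0.0.1, localhost, [::1]) or a Unix domain socket path; otherwise
# print the offending directives and return 1.  A bare "Port 631" binds
# every interface, so it is always flagged.
cups_conf_audit() {
    findings=$(sed -e 's/#.*//' "$1" | awk '
        tolower($1) == "port"   { print "non-loopback: " $0; next }
        tolower($1) == "listen" {
            v = $2
            if (substr(v, 1, 1) == "/")  next   # Unix socket, e.g. /run/cups/cups.sock
            if (v ~ /^127\.0\.0\.1:/)    next
            if (v ~ /^localhost:/)       next
            if (v ~ /^\[::1\]:/)         next
            print "non-loopback: " $0
        }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# socket_audit FILE [PORT]
# FILE holds the output of `ss -ltn` (capture it with: ss -ltn > FILE).
# Return 0 when PORT (default 631) is listening only on loopback addresses;
# otherwise print each exposed local address:port and return 1.
socket_audit() {
    findings=$(awk -v port="${2:-631}" '
        NR == 1 { next }                          # header row
        {
            n = split($4, f, ":"); p = f[n]       # port is the last colon field
            if (p != port) next
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next
            print "exposed: " $4
        }' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# --- constructed sample inputs ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/good.conf" <<'EOF'
# cupsd.conf fragment after step 1
Listen 127.0.0.1:631
Listen /run/cups/cups.sock
EOF
cat > "$SAMPLE_DIR/bad.conf" <<'EOF'
Port 631            # binds every interface
Listen 127.0.0.1:631
EOF
cat > "$SAMPLE_DIR/ss_good.txt" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
EOF
cat > "$SAMPLE_DIR/ss_bad.txt" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
LISTEN 0      128    [::]:631           [::]:*
EOF

for f in good.conf bad.conf; do
    if cups_conf_audit "$SAMPLE_DIR/$f"; then echo "$f: loopback only"; else echo "$f: FAIL"; fi
done
for f in ss_good.txt ss_bad.txt; do
    if socket_audit "$SAMPLE_DIR/$f" 631; then echo "$f: 631 loopback only"; else echo "$f: FAIL"; fi
done
```

The second check is the one that matters: the config audit only says what cupsd was told, while the socket listing says what it did, which is the difference Dale's "restart and scan" step is there to catch (the constructed ss_bad sample shows the case where loopback is bound correctly but an IPv6 wildcard listener is still open).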
