Thought I’d do a quick AV Linux experiences post this week on security. Now I must admit I’m a very trusting person in general, but also a bit paranoid about what services I have running on my machine I’m using. This week I was poking around to see what all makes this particular distribution run better for Audio and Video applications. Some things I will share in other posts as time progresses, but one thing that caught my eye was security, or the lack thereof. To me any machine connected to a network should have some way of wielding off port scans and run some kind of iptables script. Now if you are running AV/Linux or any other compilation of Linux do a quick

#netstat -tunlp
or
#lsof -i

you will notice, as in this case, quite a lot of open ports and services running and listening for connections to outbound networks.

I can say with conviction that you won’t need a inetd or xinitd super server running portmap or nfs
unless you wish to do so on purpose.

It is safe to close port 22 by either
#service sshd stop for a quick shutdown of the port, but only temporary so till next reboot.
Or if you really don’t need to remotely log in remove it all together with apt or synaptic package manager. # apt-get purge ssh

this is my apt history.log showing which daemons I removed

Start-Date: 2014-10-25 20:37:11
Commandline: apt-get purge openbsd-inetd
Purge: openbsd-inetd:i386 (0.20080125-6)
End-Date: 2014-10-25 20:37:18

Start-Date: 2014-10-25 20:38:11
Commandline: apt-get purge portmap
Install: libtirpc1:i386 (0.2.0-2, automatic), rpcbind:i386 (0.2.0-4.1, automatic)
Purge: portmap:i386 (6.0.0-2), nfs-common:i386 (1.2.2-4squeeze2)
End-Date: 2014-10-25 20:38:22

Start-Date: 2014-10-25 20:39:20
Commandline: apt-get purge rpcbind
Purge: rpcbind:i386 (0.2.0-4.1)
End-Date: 2014-10-25 20:39:23

NFS >? I thought even Samba was installed. That’s all nice if you need to transfer files to another machine running Windows variants or such. Myself I prefer to use a portable hard drive for plug ins, track stems, and other important files I don’t want to lose. My one Terabyte USB drive is filling up nicely already with backups. Check into rsync the handy command line tool to backup into the same directory every time while only checking for the new files to add to the backup drive, very dandy that is!

So I got to strip out services and daemons not needed in my case and when I do I will. I find this the best way to approach security on Linux, server and hobby machine alike.

If you use another Debian or Ubuntu based install you can probably apply this simple tip to your benefit. Most of the time developers will aim at supporting protocols that go far beyond the needs of regular users. Don’t just blindly use or run what is offered, explore!! and as always have fun!!! laters

Advertisements