On Sun 22 Jul 2012 at 18:08:25 +0800, lina wrote:

> On Sun, Jul 22, 2012 at 5:31 PM, Stan Hoeppner <s...@hardwarefreak.com> wrote:
> > On 7/22/2012 3:37 AM, lina wrote:
> >
> >> P.S I also found
> >>
> >> tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
> >> tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
> >> tcp 0 0 0.0.0.0:538 0.0.0.0:* LISTEN
> >
> > Instead of doing this piecemeal, post the output of:
> >
> > ~$ netstat -ant|grep LISTEN
> >
> > and we'll go through the list together, trimming the fat.
>
> # netstat -ant|grep LISTEN
> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
> tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
> tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:538 0.0.0.0:* LISTEN
> tcp6 0 0 :::143 :::* LISTEN
> tcp6 0 0 :::80 :::* LISTEN
> tcp6 0 0 :::22 :::* LISTEN
> tcp6 0 0 ::1:631 :::* LISTEN
>
> Thanks, I only know 22, 25, 631 80 for ssh, email, cups and http,
> respectively,

CUPS and the mailserver only listen for connections from localhost. This is as safe as it gets without removing the two services.

The ssh and webserver daemons are available on the network. Presumably this is what you want. Their security will depend on how you have configured them. Debian sshd can be run safely with the default install.

For port 538 try

   lsof -i :538

It's probably gdomap, which is part of GNUstep. By default it will not probe for other servers (see /etc/default/gdomap), so that looks ok. Only you know whether you need GNUstep.

Port 143 is likely to be imap. It too can be accessed from the network. Is that your intention?

Heaven above knows why you need a firewall. These services are quite capable of getting on with life without iptables being involved. So are you.
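
Added example, not part of the original message: the reply above separates listeners bound to localhost from those reachable over the network, and this script makes the same split mechanically from `netstat -ant` output. The function names (`sample_netstat`, `classify_listeners`, `exposed_ports`) are hypothetical; the sample lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: classify TCP listeners from `netstat -ant` by bind address.

# Listener lines copied from the netstat output quoted in the thread above.
sample_netstat() {
cat <<'EOF'
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:538 0.0.0.0:* LISTEN
tcp6 0 0 :::143 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:631 :::* LISTEN
EOF
}

# Reads netstat output on stdin, prints "<scope> <proto> <port>" per listener.
classify_listeners() {
    awk '
    $NF == "LISTEN" {
        addr = $4
        # The port follows the last colon; this also handles :::22 and ::1:631.
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host ~ /^127\./ || host == "::1")
            scope = "loopback"            # local connections only
        else if (host == "0.0.0.0" || host == "::")
            scope = "all-interfaces"      # reachable from the network
        else
            scope = "specific-address"    # bound to one configured address
        print scope, $1, port
    }'
}

# Unique ports with at least one listener that is not loopback-only.
exposed_ports() {
    classify_listeners | awk '$1 != "loopback" { print $3 }' |
        sort -n -u | paste -s -d ' ' -
}

# On a live host: netstat -ant | classify_listeners
sample_netstat | classify_listeners
echo "reachable from the network: $(sample_netstat | exposed_ports)"
```

For each port it reports as reachable, `lsof -i :PORT` (as suggested above for 538) names the process that owns the socket.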