this post was submitted on 30 Sep 2024
0 points (50.0% liked)

Linux

8114 readers
56 users here now

Welcome to c/linux!

Welcome to our thriving Linux community! Whether you're a seasoned Linux enthusiast or just starting your journey, we're excited to have you here. Explore, learn, and collaborate with like-minded individuals who share a passion for open-source software and the endless possibilities it offers. Together, let's dive into the world of Linux and embrace the power of freedom, customization, and innovation. Enjoy your stay and feel free to join the vibrant discussions that await you!

Rules:

  1. Stay on topic: Posts and discussions should be related to Linux, open source software, and related technologies.

  2. Be respectful: Treat fellow community members with respect and courtesy.

  3. Quality over quantity: Share informative and thought-provoking content.

  4. No spam or self-promotion: Avoid excessive self-promotion or spamming.

  5. No NSFW adult content

  6. Follow general lemmy guidelines.

founded 1 year ago
MODERATORS
[email protected]
0
Attack Surface Diet (www.evilsocket.net)
submitted 1 month ago by [email protected] to c/[email protected]
1 comments fedilink hide all child comments
 

"A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer)."

Just spent some time removing CUPS from my Linux servers where it is not needed and only added to my attack surface. What other services should be removed from Linux servers?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 1 month ago

That's not an easy question to answer, since it depends on your use case. Of you're running a mail server, you need SMTP; if you aren't, you don't. There is no one-size-fits-all.

However, I will suggest an approach that can guide you:

  • Use the firewall, whatever you have installed, and bock off everything except ssh.
  • One by one, expose the ports you need, conservatively.
  • If you run web services, reverse proxy everything through a single server, preferablys one that's only reverse proxying, is running as bare bones as possible, and is as simple as possible.
  • Once you get things working, go through and shut down and remove any services that you aren't exposing or using via 127.0.0.1.
  • Once this is done, if you are technically capable, set up a Wireguard VPN with your home computer / laptop (preferable two), make sure the connections survive reboots, and then close and lock the door: firewall-block SSH except from your private VPN connections.

In the end, you may have only 3 ports open: https, SMTP, and IMAP. Assuming you've secured the web, smtp, and imap servers, this is about as secure as you're going to get with a single server.

If you are able to, run each service on it's own VPS: web server on one, IMAP and SMTP on another, and any web applications on their own servers. Connect them only via your VPN, and only through necessary ports, and close everything else. Shut down ssh between the servers, only allowing ssh connections from your laptop. Personally, I think it's not too bad to run web apps in podman containers and expose those ports to the proxy server over there VPN, but ideally there'd be one VPS poet app, with servers not being able to talk to each other through the firewall.

TL;DR: secure your network before focusing on shutting down and removing programs. Lock down your firewall. Set up a private VPN, and restrict as much internal traffic to it as possible.