
ubuntu-phone team mailing list archive

Re: Is ubuntu phone resistant to vault 7 attacks?

 

On Thursday, March 09, 2017 at 03:57:18PM +0200, Simos Xenitellis wrote:

> > $ netstat -an | egrep 'LISTEN '
> > tcp        0      0 127.0.1.1:53            0.0.0.0:* LISTEN
> > tcp        0      0 0.0.0.0:22              0.0.0.0:* LISTEN
> > tcp        0      0 0.0.0.0:8888            0.0.0.0:* LISTEN
> > tcp6       0      0 :::22                   :::* LISTEN
> >
> > port 22 is for SSH; on port 8888 I have started a python httpd to serve
> > uNav with prefetched tiles; would be good to limit access to both with
> > some firewall;
> >
> 
> uNav could simply just bind to localhost, no?

Yes, of course.

> SSH has been enabled intentionally (through hoops) by running "sudo
> android-gadget-service enable ssh",
> with the purpose of the phone being accessible by other devices.
> AFAIK, it only supports SSH public key authentication anyway.

SSH is a serious issue. Of course it is not enabled in the default image
of the device, but it is essential for folks who want to really make use of the
device. And yes, the ssh daemon is only accepting public key
authentication. But what about bugs (and exploits for such bugs) below the
level of authentication? That's why I requested some kind of firewall
rules to limit access to such ports based on source IP addr, for example.

	matthias

-- 
Matthias Apitz, ✉ guru@xxxxxxxxxxx, ⌂ http://www.unixarea.de/  ☎ +49-176-38902045
The "No wars anymore!" changed now to "No wars anymore without German battle groups!"
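
An added example, not part of the original message: a Python sketch that parses the `netstat -an` LISTEN lines quoted above and reports the listeners that are not bound to loopback only, which are the ones a bind-to-localhost change or a source-IP firewall rule would need to cover. The function names are hypothetical and the sample text is the quoted output, embedded as constructed input.

```python
import ipaddress

# Constructed sample: the `netstat -an` LISTEN lines quoted in the message.
SAMPLE = """\
tcp        0      0 127.0.1.1:53            0.0.0.0:* LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:* LISTEN
tcp        0      0 0.0.0.0:8888            0.0.0.0:* LISTEN
tcp6       0      0 :::22                   :::* LISTEN
"""

def parse_listeners(netstat_text):
    """Yield (proto, host, port) for every LISTEN line."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue
        proto, local = fields[0], fields[3]
        # Split on the last colon so IPv6 forms such as ":::22" work.
        host, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        yield proto, host, int(port)

def exposure(host):
    """Classify a bind address as 'loopback', 'all-interfaces' or 'specific'."""
    addr = ipaddress.ip_address(host.strip("[]"))
    if addr.is_unspecified:      # 0.0.0.0 or ::
        return "all-interfaces"
    if addr.is_loopback:         # 127.0.0.0/8 or ::1
        return "loopback"
    return "specific"

def audit(netstat_text):
    """Return sorted (port, proto, host) tuples reachable from other hosts."""
    findings = []
    for proto, host, port in parse_listeners(netstat_text):
        try:
            kind = exposure(host)
        except ValueError:
            kind = "specific"    # unparseable address: report rather than hide
        if kind != "loopback":
            findings.append((port, proto, host))
    return sorted(findings)

if __name__ == "__main__":
    for port, proto, host in audit(SAMPLE):
        print(f"{proto:5} {host}:{port} is not bound to loopback only")
```
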

