
ubuntu-phone team mailing list archive

Re: Is ubuntu phone resistant to vault 7 attacks?

 

hi,
On Thursday, 09.03.2017, at 21:01 +0100, Matthias Apitz wrote:
> On Thursday, March 09, 2017 at 03:57:18PM +0200, Simos
> Xenitellis wrote:
> 
> > 
> > > 
> > > $ netstat -an | egrep 'LISTEN '
> > > tcp        0      0 127.0.1.1:53            0.0.0.0:* LISTEN
> > > tcp        0      0 0.0.0.0:22              0.0.0.0:* LISTEN
> > > tcp        0      0 0.0.0.0:8888            0.0.0.0:* LISTEN
> > > tcp6       0      0 :::22                   :::* LISTEN
> > > 
> > > 
...
> > >  That's why I requested some kind of firewall
> rules to limit access to such ports based on source IP addr, for
> example.

just limit the client ip range in the sshd conf ...

as others mentioned the only port that is open by default for an end-
user is port 53 listening to requests coming from localhost. given that
all other ports are closed a firewall gains you exactly nothing except
complexity and the danger that you mess up configuring it ...

while the phone is mostly used by developers, the focus of the system
design was end users. be assured that my mom would neither run a python
server for uNav nor would she know how to even open up ssh (or know
what to do with it). 

also ... why would you keep ssh running when not actively developing?
it is surely nothing you should keep constantly running while not using
the phone in development mode if you are seriously concerned about your
device security.

these are developer options you should be using while developing,
nothing the system enables by default.

ciao
	oli
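
An added example, not part of the original message: a small shell filter that sorts the listeners in `netstat -an` output into loopback-only sockets and sockets bound to all interfaces, run here over the four lines quoted in the thread. The function names (`sample_netstat`, `classify_listeners`, `exposed_listeners`) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: classify the listening sockets in `netstat -an` output.

# The four lines quoted in the thread above, used as sample input.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 127.0.1.1:53            0.0.0.0:* LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:* LISTEN
tcp        0      0 0.0.0.0:8888            0.0.0.0:* LISTEN
tcp6       0      0 :::22                   :::* LISTEN
EOF
}

# Reads netstat output on stdin; prints "scope proto address port" per listener.
classify_listeners() {
    awk '
    $1 ~ /^tcp/ && $NF == "LISTEN" {
        # Split at the last colon so IPv6 forms such as ":::22" parse correctly.
        pos = match($4, /:[0-9]+$/)
        if (pos == 0) next
        addr = substr($4, 1, pos - 1)
        port = substr($4, pos + 1)
        if (addr ~ /^127\./ || addr == "::1")
            scope = "loopback"          # reachable only from the device itself
        else if (addr == "0.0.0.0" || addr == "::")
            scope = "all-interfaces"    # reachable from any network the device joins
        else
            scope = "specific-address"  # bound to one interface address
        print scope, $1, addr, port
    }'
}

# Only the listeners another host could reach: "proto address port".
exposed_listeners() {
    classify_listeners | awk '$1 != "loopback" { print $2, $3, $4 }'
}

sample_netstat | classify_listeners
```

On a device, pipe the live output in instead: `netstat -an | exposed_listeners`.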
