ubuntu-phone team mailing list archive
Message #23670
Re: Is ubuntu phone resistant to vault 7 attacks?
On Saturday, March 11, 2017 at 11:52:22AM +0100, Oliver Grawert wrote:
> > > > tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
> > > > tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN
> > > > tcp6 0 0 :::22 :::* LISTEN
> > > >
> > > >
> ...
> > > > That's why I requested some kind of firewall
> > rules to limit access to such ports based on source IP addr, for
> > example.
>
> just limit the client ip range in the sshd conf ...
This is in a read only file system.
> as others mentioned the only port that is open by default for an end-
> user is port 53 listening to requests coming from localhost. given that
> all other ports are closed a firewall gains you exactly nothing except
> complexity and the danger that you mess up configuring it ...
ofc, this should have a default config (all prohibited) and only experts
would open what they think to need;
> while the phone is mostly used by developers, the focus of the system
> ...
>
> also ... why would you keep ssh running when not actively developing ?
> it is surely nothing you should keep constantly running while not using
> the phone in development mode if you are seriously concerned about your
> device security.
>
> these are developer options you should be using while developing,
> nothing the system enables by default.
because I do any transport of files (pictures, downloads, ...) via SSH;
matthias
--
Matthias Apitz, ✉ guru@xxxxxxxxxxx, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
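
An added example, not part of the original message or of the Ubuntu phone project: a small Python check that parses netstat-style listener lines like the ones quoted at the top of the thread and separates sockets bound to all interfaces (ports 22 and 8888 there) from loopback-only ones (such as the port 53 listener the reply describes). The function names and the loopback line in the sample are constructed for illustration.

```python
import ipaddress

# Constructed sample: the three listener lines quoted in the thread plus a
# loopback-only DNS listener like the port 53 one mentioned in the reply.
SAMPLE = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
"""


def parse_listeners(text):
    """Return (proto, host, port) for each TCP LISTEN line; other lines are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Columns: proto, recv-q, send-q, local address, foreign address, state
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        # Split on the last colon so IPv6 forms such as ":::22" give host "::".
        host, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.append((fields[0], host, int(port)))
    return listeners


def exposure(host):
    """Classify a bind address as 'all-interfaces', 'loopback' or 'single-address'."""
    if host == "*":
        return "all-interfaces"
    # Drop brackets and any IPv6 zone id before parsing the address.
    addr = ipaddress.ip_address(host.strip("[]").split("%")[0])
    if addr.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback" if addr.is_loopback else "single-address"


def remotely_reachable(text):
    """Sorted unique ports that have a listener not confined to loopback."""
    return sorted({port for _, host, port in parse_listeners(text)
                   if exposure(host) != "loopback"})


if __name__ == "__main__":
    for proto, host, port in parse_listeners(SAMPLE):
        print(f"{proto:5} {host:>12}:{port:<5} {exposure(host)}")
    print("reachable from the network:", remotely_reachable(SAMPLE))
```
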