Attack Surface Diet

www.evilsocket.net Attacking UNIX Systems via CUPS, Part I

Hello friends, this is the first of two, possibly three (if and when I have time to finish the Windows research) writeups. We will start with targeting GNU/Linux systems with an RCE. As someone who’s

"A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer)."

Just spent some time removing CUPS from my Linux servers where it is not needed and only added to my attack surface. What other services should be removed from Linux servers?

  • That's not an easy question to answer, since it depends on your use case. If you're running a mail server, you need SMTP; if you aren't, you don't. There is no one-size-fits-all.

    However, I will suggest an approach that can guide you:

    • Use the firewall, whatever you have installed, and block off everything except ssh.
    • One by one, expose the ports you need, conservatively.
    • If you run web services, reverse proxy everything through a single server, preferably one that's only reverse proxying, is running as bare bones as possible, and is as simple as possible.
    • Once you get things working, go through and shut down and remove any services that you aren't exposing or using via 127.0.0.1.
    • Once this is done, if you are technically capable, set up a WireGuard VPN with your home computer / laptop (preferably two), make sure the connections survive reboots, and then close and lock the door: firewall-block SSH except from your private VPN connections.

    In the end, you may have only 3 ports open: HTTPS, SMTP, and IMAP. Assuming you've secured the web, SMTP, and IMAP servers, this is about as secure as you're going to get with a single server.

    If you are able to, run each service on its own VPS: web server on one, IMAP and SMTP on another, and any web applications on their own servers. Connect them only via your VPN, and only through necessary ports, and close everything else. Shut down ssh between the servers, only allowing ssh connections from your laptop. Personally, I think it's not too bad to run web apps in podman containers and expose those ports to the proxy server over their VPN, but ideally there'd be one VPS per app, with servers not being able to talk to each other through the firewall.

    TL;DR: secure your network before focusing on shutting down and removing programs. Lock down your firewall. Set up a private VPN, and restrict as much internal traffic to it as possible.
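The procedure in the comment above (block everything, expose only the ports you need, check what is still listening beyond 127.0.0.1, then restrict SSH to the VPN) can be turned into two small checks. The script below is an added example, not part of this thread or of any tool it mentions: it audits a listing of listening sockets against a port allow-list, and emits an nftables ruleset of the shape the comment ends up with. The `ss -Hltn` output is constructed, not captured from a real host; the allowed ports, the WireGuard subnet 10.8.0.0/24 and the WireGuard UDP port 51820 are assumed values you would replace with your own.

```shell
#!/bin/sh
# Added example (not from the thread): audit listening sockets against an
# allow-list, and generate a default-drop nftables ruleset with SSH reachable
# only from the WireGuard subnet.

# Constructed sample of `ss -Hltn` output (columns: State Recv-Q Send-Q
# Local:Port Peer:Port). Not captured from a real host.
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:631 [::]:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 100 0.0.0.0:993 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:111 0.0.0.0:*'

# audit_listeners "22 25 443 993" < ss-output
# Prints one EXPOSED line per listener bound to a non-loopback address whose
# port is not in the allow-list. Loopback-only listeners (the "via 127.0.0.1"
# case in the comment) are skipped because the network cannot reach them.
audit_listeners() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
        la = $4
        i = match(la, /:[0-9]+$/)        # the port follows the last colon
        port = substr(la, i + 1)
        addr = substr(la, 1, i - 1)
        if (addr ~ /^127\./ || addr == "[::1]") next
        if (port in ok) next
        printf "EXPOSED %s (port %s is not in the allow-list)\n", la, port
    }'
}

# gen_ruleset "25 443 993" 10.8.0.0/24 [wg_udp_port]
# Emits an nftables ruleset: input drops by default, the listed TCP ports are
# open to everyone, WireGuard's UDP port is open so the tunnel can come up, and
# SSH (tcp/22) is accepted only from the VPN subnet.
gen_ruleset() {
    ports=$(printf '%s' "$1" | tr ' ' ',')
    wg_cidr="$2"
    wg_port="${3:-51820}"   # assumed default WireGuard port
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        udp dport $wg_port accept
        tcp dport { $ports } accept
        ip saddr $wg_cidr tcp dport 22 accept
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output { type filter hook output priority 0; policy accept; }
}
EOF
}

# Stand-alone run: audit the constructed sample, then print the ruleset.
printf '%s\n' "$SAMPLE_SS" | audit_listeners "22 25 443 993"
gen_ruleset "25 443 993" 10.8.0.0/24
```

On the sample input the audit flags the CUPS listener on `[::]:631` and rpcbind on `0.0.0.0:111`, and leaves the loopback-only `127.0.0.1:631` and `127.0.0.1:8080` alone, which is exactly the "shut down what you are not exposing" list. On a live host, feed it `ss -Hltn` instead of the sample. With nftables installed, `gen_ruleset ... | nft -c -f -` parses the ruleset without loading it; load it only after the WireGuard tunnel is confirmed to survive a reboot, since the rule set locks SSH to that subnet.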