
Re: CUPS, Alpine, and printserving

Beartooth wrote:
> On Thu, 30 Oct 2008 22:44:19 +0100, Björn Persson wrote:
> > 1: Check that Cups is actually listening on the network. Run this
> > command as root on the machine where the printer is:
> >
> > netstat --inet --inet6 --listen --program --numeric | grep cupsd
> >
> > Does it say "192.168.x.y:631" or ""?
> 	No, neither.
> [root Hbsk2 ~]# netstat --inet --inet6 --listen --program --numeric |
> grep cupsd
> tcp        0      0
>*                   LISTEN      2526/cupsd
> tcp        0
> 0 :::631                      :::*                        LISTEN
> 2526/cupsd
> udp        0      0
>*                               2526/cupsd
> [root Hbsk2 ~]#

OK, "" means "all addresses" in this case, so that's good. Cups is 
listening on the network.

> > 2: Do you have a packet filter ("firewall") on the machine where the
> > printer is? Have you opened the IPP ports in the packet filter?
> 	How do I tell?

Run system-config-firewall and on the page "Trusted Services" check the 
box "Network Printing Server (IPP)".

> 	Lacking the skills to be sure whether I've been cracked, let
> alone those to recover, I try to be paranoid; I install denyhosts, for
> instance, and likely other defenses that don't spring to mind.

I don't think Denyhosts affects IPP, but if you have installed some product 
that's called a firewall, then it has probably replaced Fedora's packet 
filter. In that case you should allow IPP in that product instead of in 

> 	Also, the router that my ISP supplies (Netgear MBR 814) supplies
> several kinds of defenses, which I have tried to set with caution. When I
> want to do bittorrent, for instance, I have to go change the router
> settings for a while. (I try to leave them changed long enough to give
> back more than I take, before I change them back; but I haven't actually
> used the torrent in months, so they are probably tight.)

Yes, it's important that the Netgear router block IPP traffic if you're going 
to allow printing and administration over the network. Otherwise, as you 
said, some script kiddie might think it fun to print gibberish or mess with 
your printer configuration. It's also a safeguard against any security holes 
in Cups that could otherwise be exploited to crack your computer. Because of 
the way this kind of router works, it most likely blocks anything that you 
haven't explicitly allowed.

You should also be aware that if your wireless network is open, then anyone 
who happens to be in the neighbourhood will also be able to access your 

Björn Persson
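
The listening check from step 1, as an added example that is not part of the original message: a shell function that reads the netstat output and reports whether cupsd is bound to all addresses, a specific address, or loopback only. The function name `cups_listen_scope` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies where cupsd listens on the
# IPP port (631), given the output of
#   netstat --inet --inet6 --listen --program --numeric
# on stdin. Prints one of: all, specific, loopback, none.
cups_listen_scope() {
    awk '
        # The program column is last; udp rows have no State column,
        # so match on $NF rather than a fixed field number.
        $NF ~ /\/cupsd$/ {
            local_addr = $4
            n = split(local_addr, parts, ":")
            port = parts[n]
            if (port != "631") next
            # Everything before the final ":port" is the bind address,
            # which keeps IPv6 forms such as "::" and "::1" intact.
            host = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "::")       all = 1
            else if (host ~ /^127\./ || host == "::1")   loopback = 1
            else                                         specific = 1
        }
        END {
            if (all)            print "all"
            else if (specific)  print "specific"
            else if (loopback)  print "loopback"
            else                print "none"
        }
    '
}

# Constructed sample: cupsd bound to every address (reachable from the LAN,
# so the packet filter and router decide who can actually connect).
SAMPLE_ALL='tcp   0   0 0.0.0.0:631   0.0.0.0:*   LISTEN   2526/cupsd
tcp   0   0 :::631   :::*   LISTEN   2526/cupsd
udp   0   0 0.0.0.0:631   0.0.0.0:*   2526/cupsd'

# Constructed sample: cupsd bound to loopback only (no network printing).
SAMPLE_LOOPBACK='tcp   0   0 127.0.0.1:631   0.0.0.0:*   LISTEN   2526/cupsd
tcp   0   0 ::1:631   :::*   LISTEN   2526/cupsd'

# Live use, as root on the machine where the printer is:
#   netstat --inet --inet6 --listen --program --numeric | cups_listen_scope
```

A result of `all` or `specific` only shows that cupsd is bound to a network address; whether other machines can reach it still depends on the packet filter and the router.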
