Ubuntu Hardy and "Printer Sharing" -- securiry question - Ubuntu

This is a discussion on Ubuntu Hardy and "Printer Sharing" -- securiry question - Ubuntu ; I have a server with Ubuntu Hardy (8.04). I have a printer on the inside network with a 10.* address (HP 4050N). I just set it up as a default printer on my Hardy server (which has a static internet ...

+ Reply to Thread
Results 1 to 10 of 10

Thread: Ubuntu Hardy and "Printer Sharing" -- securiry question

  1. Ubuntu Hardy and "Printer Sharing" -- securiry question

    I have a server with Ubuntu Hardy (8.04).

    I have a printer on the inside network with a 10.* address (HP 4050N).

    I just set it up as a default printer on my Hardy server (which has a
    static internet IP).

    My question is, is that secure. Does the printer server limit itself to
    local network only (based on interfaces and netmasks)?

    Or can any internet user connect to my printer service? (undesirable)

    i

  2. Re: Ubuntu Hardy and "Printer Sharing" -- securiry question

    Ignoramus9437 skrev:
    > I have a server with Ubuntu Hardy (8.04).
    >
    > I have a printer on the inside network with a 10.* address (HP 4050N).
    >
    > I just set it up as a default printer on my Hardy server (which has a
    > static internet IP).
    >
    > My question is, is that secure. Does the printer server limit itself to
    > local network only (based on interfaces and netmasks)?
    >
    > Or can any internet user connect to my printer service? (undesirable)
    >
    > i


    If your server is connected directly (and without a firewall) to the
    Internet, then it will be possible for users (from anywhere) to print.
    You should install a firewall and configure it to only allow local
    machines to print.

    --
    Best regards Jacob Tranholm
    Karl R. Popper: Observation statements and statements of experimental
    results are always interpretations of the facts observed.

  3. Re: Ubuntu Hardy and "Printer Sharing" -- securiry question

    Ignoramus9437 wrote:
    > I have a server with Ubuntu Hardy (8.04).
    >
    > I have a printer on the inside network with a 10.* address (HP 4050N).
    >
    > I just set it up as a default printer on my Hardy server (which has a
    > static internet IP).
    >
    > My question is, is that secure. Does the printer server limit itself to
    > local network only (based on interfaces and netmasks)?
    >
    > Or can any internet user connect to my printer service? (undesirable)


    it is secure, because you are using an ip address that is defined as a
    "Private ip address". by definition, private ip addresses are the
    following ranges:

    10.0.0.0 - 10.255.255.255
    192.168.0.0 - 192.168.255.255
    172.16.0.0 - 172.31.255.255

    anything addessed with these ranges will not be accessible from the
    internet, only from within your local area network.

  4. Re: Ubuntu Hardy and "Printer Sharing" -- securiry question

    On 2008-04-11, Jacob Tranholm wrote:
    > Ignoramus9437 skrev:
    >> I have a server with Ubuntu Hardy (8.04).
    >>
    >> I have a printer on the inside network with a 10.* address (HP 4050N).
    >>
    >> I just set it up as a default printer on my Hardy server (which has a
    >> static internet IP).
    >>
    >> My question is, is that secure. Does the printer server limit itself to
    >> local network only (based on interfaces and netmasks)?
    >>
    >> Or can any internet user connect to my printer service? (undesirable)
    >>
    >> i

    >
    > If your server is connected directly (and without a firewall) to the
    > Internet, then it will be possible for users (from anywhere) to print.
    > You should install a firewall and configure it to only allow local
    > machines to print.
    >


    Thanks. Just double checking, do you know this for a fact or just
    guessing?

    Some services are good about checking whether a connection comes from
    a local address, and some allow all machines and defer this question
    to the firewall.

    i

  5. Re: Ubuntu Hardy and "Printer Sharing" -- securiry question

    On 2008-04-11, Rodger Lee wrote:
    > Ignoramus9437 wrote:
    >> I have a server with Ubuntu Hardy (8.04).
    >>
    >> I have a printer on the inside network with a 10.* address (HP 4050N).
    >>
    >> I just set it up as a default printer on my Hardy server (which has a
    >> static internet IP).
    >>
    >> My question is, is that secure. Does the printer server limit itself to
    >> local network only (based on interfaces and netmasks)?
    >>
    >> Or can any internet user connect to my printer service? (undesirable)

    >
    > it is secure, because you are using an ip address that is defined as a
    > "Private ip address". by definition, private ip addresses are the
    > following ranges:
    >
    > 10.0.0.0 - 10.255.255.255
    > 192.168.0.0 - 192.168.255.255
    > 172.16.0.0 - 172.31.255.255
    >
    > anything addessed with these ranges will not be accessible from the
    > internet, only from within your local area network.


    No.

    The printer has a private address 10.*.

    The Linux server has two addresses, Internet address 75.* and private
    address 10.*. That's how it both sees the printer and can act as a
    Internet server for HTTP, SSH etc.

    What I am concerned is that printing is possibly shared to all
    internet users through 75.* IP address.

    i

  6. Re: Ubuntu Hardy and "Printer Sharing" -- securiry question

    Ignoramus9437 wrote:
    > On 2008-04-11, Rodger Lee wrote:


    > What I am concerned is that printing is possibly shared to all
    > internet users through 75.* IP address.


    per /etc/services, if you are using cups with your printer, then block
    port 631 at your firewall to prevent internet printing:


    $ cat /etc/services | grep 631

    ipp 631/tcp # Internet Printing Protocol
    ipp 631/udp


  7. Re: Ubuntu Hardy and "Printer Sharing" -- securiry question

    Ignoramus9437 wrote:
    > Thanks. Just double checking, do you know this for a fact or just
    > guessing?
    >
    > Some services are good about checking whether a connection comes from
    > a local address, and some allow all machines and defer this question
    > to the firewall.
    >
    > i


    I know for a fact that CUPS in some configurations are accessible from
    the Internet. Whether this is true for the default Hardy config, or your
    config, I am not sure... I have always configured my CUPS to only allow
    local access and further configured a firewall to block internet access.

    --
    Best regards Jacob Tranholm
    Karl R. Popper: Observation statements and statements of experimental
    results are always interpretations of the facts observed.

  8. Re: Ubuntu Hardy and "Printer Sharing" -- securiry question

    Jacob Tranholm wrote:
    > Ignoramus9437 skrev:
    >> I have a server with Ubuntu Hardy (8.04).
    >>
    >> I have a printer on the inside network with a 10.* address (HP 4050N).
    >>
    >> I just set it up as a default printer on my Hardy server (which has a
    >> static internet IP).
    >> My question is, is that secure. Does the printer server limit itself to
    >> local network only (based on interfaces and netmasks)?
    >> Or can any internet user connect to my printer service? (undesirable)
    >>
    >> i

    >
    > If your server is connected directly (and without a firewall) to the
    > Internet, then it will be possible for users (from anywhere) to print.
    > You should install a firewall and configure it to only allow local
    > machines to print.
    >

    I do not know about Ubuntu, but CentOS 4's CUPS system provides a screen for
    sharing printers. If you open the machine to anything other than itself, you
    can list those other IP addresses that are allowed to use your printer. So
    in my case, I allow only the other computer on my LAN to use it. But if I
    really trusted you, I could allow your machine to print on my printer too.

    --
    .~. Jean-David Beyer Registered Linux User 85642.
    /V\ PGP-Key: 9A2FC99A Registered Machine 241939.
    /( )\ Shrewsbury, New Jersey http://counter.li.org
    ^^-^^ 13:40:01 up 24 days, 18:42, 5 users, load average: 4.07, 4.17, 4.14

  9. Re: Ubuntu Hardy and "Printer Sharing" -- securiry question

    Ignoramus9437 wrote:
    >
    > Thanks. Just double checking, do you know this for a fact or just
    > guessing?
    >
    > Some services are good about checking whether a connection comes from
    > a local address, and some allow all machines and defer this question
    > to the firewall.
    >
    > i


    You can check your /etc/cups/cupsd.conf and make sure you have either:


    Order allow,deny
    Allow @LOCAL


    Or something similar (for instance Allow 10.*, Allow 127.* or Allow
    @IF(eth1) (if your local network is at eth1 and internet at eth0)) defined.

    But I would still also configure a firewall...

    --
    Best regards Jacob Tranholm
    Karl R. Popper: Observation statements and statements of experimental
    results are always interpretations of the facts observed.

  10. Re: Ubuntu Hardy and "Printer Sharing" -- securiry question

    Thanks. I looked at cupsd.conf. By default, it only listens on
    localhost. So I was safe.

    However, now I think that this printer sharing is pointless -- the
    printer is available as a 10.* IP address to the whole home network,
    anyway, so each computer can be configured to just print on it
    directly.

    This continues my efforts to reduce dependency of my home network on
    my home "server". I already moved DHCP service from my server to the
    cable modem. I did the same with network forwarding, now the modem
    acts as a gateway as opposed to my home linux server.

    This makes my network more reliable in the light of possibility that
    my basement server crashes or breaks or becomes disconnected.

    So, for now, about the only function that my basement server would do
    for my home computers, is file serving.

    There is only one exception as to why sharing a printer on localhost
    may be useful: it would be useful to print from a laptop that is away
    from home, if I want to print something on the home printer. (example,
    I just bought something from a website and want to print the receipt
    page).

    I can do a ssh tunnel from my laptop to home, to make home printer
    appear as a local printer on port 631 on the laptop.

    The regular home computers, would print on their own.

    i

+ Reply to Thread