Thursday, July 17, 2008

The Last HOPE device preparations

While preparing to head down to The Last Hope, I figured that I'd lock down my N800 a bit more than I usually do. The network environment might be "somewhat" hostile, and I prefer to expose my device as little as I can.

The N800 has a terminal application, but it is inadequate for serious work. I started by installing the openssh package from the maemo repository, but I also realize that this means that I get an openssh server running on the device. Have to remember to shut that off when I'm done ;)



After booting, the N800 has an impressive array of ports listening on the network:

Nokia-N800-51-3:~# lsof -i
COMMAND    PID   USER   FD   TYPE DEVICE SIZE NODE NAME
sshd       742   root    3u  IPv4   2608       TCP *:ssh (LISTEN)
dnsmasq   1041 nobody    4u  IPv4   4328       TCP Nokia-N800-51-3:domain (LISTEN)
dnsmasq   1041 nobody    5u  IPv4   4329       UDP Nokia-N800-51-3:domain
dnsmasq   1041 nobody    8u  IPv4   5637       UDP *:49156
sshd      1273   root    3r  IPv4   5545       TCP 10.16.1.100:ssh->10.16.1.101:1542 (ESTABLISHED)
telepathy 1292   user    4u  IPv4   6459       UDP 10.16.1.100:49157
telepathy 1292   user    5u  IPv4   6460       TCP 10.16.1.100:49157 (LISTEN)
telepathy 1292   user    6u  IPv4   6461       UDP Nokia-N800-51-3:49157
telepathy 1292   user    7u  IPv4   6462       TCP Nokia-N800-51-3:49157 (LISTEN)
telepathy 1292   user    8u  IPv4   6465       UDP Nokia-N800-51-3:49158->Nokia-N800-51-3:domain
telepathy 1292   user   10u  IPv4   6468       UDP Nokia-N800-51-3:49159->Nokia-N800-51-3:domain

That's obviously too much. Let's start by disabling telepathy. Telepathy is the N800's messaging application, and I usually have a SIP account set up. Disabling that account immediately removed all instances of the program and also closed all ports it had open.

I do not worry too much about sshd, since I will remove the ssh-server package when I'm done cleaning up. That leaves the dnsmasq package, which is needed to resolve host names.

To fix the dnsmasq ports, all you have to do is edit /etc/dnsmasq.conf and uncomment the line with the phrase 'bind-interfaces'. Switch to offline mode and then reconnect to the wireless network, and you should be all set:

Nokia-N800-51-3:~# lsof -ni
COMMAND  PID   USER   FD   TYPE DEVICE SIZE NODE NAME
sshd     743   root    3u  IPv4   2623       TCP *:ssh (LISTEN)
dnsmasq 1042 nobody    4u  IPv4   4345       TCP 127.0.0.1:domain (LISTEN)
dnsmasq 1042 nobody    5u  IPv4   4346       UDP 127.0.0.1:domain
sshd    1293   root    3r  IPv4   6037       TCP 10.16.1.100:ssh->10.16.1.101:1631 (ESTABLISHED)
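
To check the result without reading the listing by eye, here is an added example (not part of the original post): a shell function that filters lsof -ni output down to the sockets other hosts on the network can reach. The function and sample names are made up for illustration, it assumes awk is available, and the sample lines are copied from the two listings on this page.

```shell
#!/bin/sh
# Added example: list sockets from `lsof -ni` output that other hosts can reach.
# exposed_listeners, sample_before and sample_after are illustrative names.

exposed_listeners() {
    awk '
    $1 == "COMMAND" { next }                      # header row
    {
        proto = ""
        # The SIZE column is empty in this output, so locate the protocol
        # field by value instead of by position.
        for (i = 5; i <= NF; i++)
            if ($i == "TCP" || $i == "UDP") {
                proto = $i; name = $(i + 1); state = $(i + 2); break
            }
        if (proto == "") next
        if (name ~ /->/) next                     # connected socket, not a listener
        if (proto == "TCP" && state != "(LISTEN)") next
        if (name ~ /^127\./ || name ~ /^\[::1\]:/) next   # loopback only
        print $1, proto, name
    }'
}

# Lines from the first listing on this page that already show numeric addresses.
sample_before() {
cat <<'EOF'
COMMAND    PID   USER   FD   TYPE DEVICE SIZE NODE NAME
sshd       742   root    3u  IPv4   2608       TCP *:ssh (LISTEN)
dnsmasq   1041 nobody    8u  IPv4   5637       UDP *:49156
sshd      1273   root    3r  IPv4   5545       TCP 10.16.1.100:ssh->10.16.1.101:1542 (ESTABLISHED)
telepathy 1292   user    4u  IPv4   6459       UDP 10.16.1.100:49157
telepathy 1292   user    5u  IPv4   6460       TCP 10.16.1.100:49157 (LISTEN)
EOF
}

# The second listing on this page (bind-interfaces set, telepathy disabled).
sample_after() {
cat <<'EOF'
COMMAND  PID   USER   FD   TYPE DEVICE SIZE NODE NAME
sshd     743   root    3u  IPv4   2623       TCP *:ssh (LISTEN)
dnsmasq 1042 nobody    4u  IPv4   4345       TCP 127.0.0.1:domain (LISTEN)
dnsmasq 1042 nobody    5u  IPv4   4346       UDP 127.0.0.1:domain
sshd    1293   root    3r  IPv4   6037       TCP 10.16.1.100:ssh->10.16.1.101:1631 (ESTABLISHED)
EOF
}

echo "before:"; sample_before | exposed_listeners
echo "after:";  sample_after  | exposed_listeners
```

On the device, pipe the live output through it (lsof -ni | exposed_listeners); once the ssh server is gone as well, an empty result means nothing is listening on a routable address.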

In an environment like The Last HOPE, you really really want to only do stuff when you are VPN'ed into a secure network. I connect to my VPN gateway by IP (just in case someone is doing some poisoning). The maemo vpnc-gui package will allow you to do just that.

As a result, this will leave me with 0 ports open that are exposed to the other Last HOPE contestants and I feel a little safer bringing my tablet ;)

Do not forget to turn off ssh by removing the package (safest) or by removing the ssh package from your boot sequence. Please do not forget to make sure to have a root backdoor if you choose the latter option.