dive wrote :
(...) The only ports open are X on 6000 and CUPS on 631. I am not running sshd or any other services that would allow remote log on. Are there any exploits that can run thru those 2 ports that I should protect against?
As you already know, the door of your house is closed to everyone, but when you need to allow a friend of yours to enter your house, you open the door and let him/her in. The same applies to your computer which is connected to the Internet: nobody needs to access it, unless you really need/want it. That is the reason why you should not have ports accessible from the Internet. Now, you can decide to close these open ports one by one and/or to use a firewall. To use a firewall, see my previous message.
How to close the standard X port?
To close the standard X port (6000+), create the /etc/X11/xinit/xserverrc file, edit it and be sure it contains the following lines:
exec /usr/X11R6/bin/X -nolisten tcp
Be sure it has proper permissions and ownership:
# chmod 755 /etc/X11/xinit/xserverrc
# chown root:root /etc/X11/xinit/xserverrc
Now, each time you start X, it will not try to open any TCP port. The drawback of this solution is that you won't be able to connect to your computer from another one, but I doubt you really need it.
How to deny remote connections to the CUPS daemon?
To be sure the CUPS daemon only listens on your local computer, you can edit the /etc/cups/cupsd.conf file and replace the following line:
After the change, you can connect to the CUPS daemon at http://127.0.0.1:631
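A way to verify both changes, as an added example that is not part of the original post: the function below reads `ss -ltn`-style output and prints any X (6000+) or CUPS (631) listener bound to a non-loopback address. The function names, the 6000-6063 range (displays :0 to :63) and the sample socket lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: flag X11 (6000+) and CUPS (631) TCP listeners that are
# reachable from other hosts. Input is `ss -ltn`-style text on stdin.

# Print every watched listener whose local address is not loopback.
exposed_listeners() {
  awk '
    $1 == "LISTEN" {
      la = $4                                  # e.g. 0.0.0.0:6000 or [::1]:631
      n = split(la, parts, ":")
      port = parts[n] + 0                      # text after the last colon
      addr = substr(la, 1, length(la) - length(parts[n]) - 1)
      # Assumed X range: 6000-6063 (displays :0 to :63).
      watched  = (port == 631) || (port >= 6000 && port <= 6063)
      loopback = (addr ~ /^127\./) || (addr == "[::1]")
      if (watched && !loopback) print la
    }'
}

# Constructed sample: default setup, X and CUPS listening on all interfaces.
sample_before() {
  cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:6000       0.0.0.0:*
LISTEN 0      128    [::]:6000          [::]:*
LISTEN 0      5      0.0.0.0:631        0.0.0.0:*
EOF
}

# Constructed sample: X started with -nolisten tcp, CUPS bound to loopback.
sample_after() {
  cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      127.0.0.1:631      0.0.0.0:*
LISTEN 0      5      [::1]:631          [::]:*
EOF
}

echo "before: $(sample_before | exposed_listeners | tr '\n' ' ')"
echo "after:  $(sample_after | exposed_listeners | tr '\n' ' ')"
```

On a live system, run `ss -ltn | exposed_listeners` after restarting X and CUPS; empty output means neither service is listening on an address other hosts can reach.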