From time to time, you may receive an e-mail from the lab’s vulnerability scanner telling you about a vulnerability on your laptop. These are important, and you should contact us (firstname.lastname@example.org) with any questions you might have about them. But I want to focus on a very specific one I’m seeing a lot of.
There is a surprisingly high number of laptops out there that are running web servers that are accessible to other computers. Some of you may be doing this intentionally, and some of you may not be. What I want to do is make sure that, if you are among these people, you’re aware of the situation and are protected accordingly.
If you get a notice about an SSL vulnerability or a PHP vulnerability, chances are very high you’re running a web server on your computer. You need to either lock this down on your own, or contact us to help you do it.
If you don’t know what to do, just let us know at email@example.com and we’ll work with you to make sure you’re secure. What we’ll do is work with you to determine if you do need to run a web server, and if so, to harden it properly so you’re not in danger. I wanted to send out a nice quick recipe anyone could follow to lock this down, but I haven’t found a simple and quick recipe using built-in tools that’s universally going to work for everybody.
(If you run Little Snitch on a Mac, just block incoming connections on ports 80, 443, and 8080. https://dl.dropbox.com/s/e6zq985pershdz1/Screenshot%202018-10-04%2018.00.44.png is an example for port 80.)
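If you want to see whether your own laptop is among these, here is a small self-check, added as an example and not part of the original notice. It tests ports 80, 443, and 8080 on your own machine and tells apart a server that only answers on loopback from one that also answers on your network address; the function names and the `192.0.2.1` route-lookup address are assumptions made for this sketch.

```python
import socket

WEB_PORTS = (80, 443, 8080)  # the ports named in the notice above

def lan_address():
    """Return this machine's primary non-loopback IPv4 address, or None."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # connect() on a UDP socket sends nothing; it only selects a route.
        # 192.0.2.1 is a reserved documentation address (constructed target).
        s.connect(("192.0.2.1", 9))
        addr = s.getsockname()[0]
    except OSError:
        return None  # no network route at all
    finally:
        s.close()
    return None if addr.startswith("127.") or addr == "0.0.0.0" else addr

def accepts(host, port, timeout=0.5):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify(port, lan, probe=accepts):
    """'exposed' if the port answers on the network address, 'local-only'
    if it answers only on loopback, 'closed' if nothing is listening."""
    if lan and probe(lan, port):
        return "exposed"
    if probe("127.0.0.1", port):
        return "local-only"
    return "closed"

def report(ports=WEB_PORTS):
    """Classify each port for this machine."""
    lan = lan_address()
    return {p: classify(p, lan) for p in ports}

if __name__ == "__main__":
    for port, state in report().items():
        print(f"port {port}: {state}")
```

A connection from the laptop to its own address may not be subject to the same firewall rules as traffic from another computer, so "exposed" means the server is bound to your network address, not that a firewall is letting others in.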