Cupsd a security risk when using a public wifi; i.e., coffee shop?

Laptop running Majaro stable- lsof -i -P -n yields cupsd listening on one IPv6 and one IPv4 port. Since I sometimes do financials on the laptop I dont like unused listening ports even on LAN. I have investigated through system-unit-files, the packages on the machine. They are cups.service, cups.path, cups-browsed.service, cups-lpd@.service, cups-lpd.socket and cups.socket. I have disabled all of these using systemctl and I still see cupsd listening on 2 ports admittedly with LAN addresses but- as I stated in the title I wonder how secure this listening might be and how to disable cupsd?

had a similar “problem” with a service. i was used to “systemctl disable any.service” and “systemctl stop any.service” but meanwhile you also need to mask/unmask a service because it would still be possible that a application might use parts of a service even if it is disabled. to prevent this to happen you additional need to use “systemctl mask any.service” to make sure that a service is disabled under any circumstance.

1 Like

Open ports are not necessarily a problem or a risk.

No matter which system you are using It is good practice to not unnecessarily expose your system on unsafe networks.


To be able to print from your system - you need cups - eventually - so instead of disabling the services and sockets I recommend you use a firewall to block incoming requests.

cups is originally developed by Apple - and unless you share a printer - don’t worry

The cups configuration interface is only available on https://localhost:631


Olli & linux-aarhus

Kind thanks to both of you for the interest and help. I am going to try masking cups. I already use firewalld and find it so far excellent.

“No matter which system you are using It is good practice to not unnecessarily expose your system on unsafe networks.”
I completely agree. There are times when traveling that I need internet access and here in Ecuador, I have not found many public networks I would consider safe. I think that is true everywhere…

Again many thanks to you both for the kind replies…

$ lsof -i -P -n
cupsd      678            root    7u  IPv6  21345      0t0  TCP [::1]:631 (LISTEN)
cupsd      678            root    8u  IPv4  21346      0t0  TCP (LISTEN)

Those are “localhost” adresses and not reachable from the outside anyway?

1 Like

Hi freggel.doe

Yes, local host addresses are from my understanding, reachable only from the LAN. That I might need to use a public wifi location like a coffee shop in my travels is what concerns me. Used to be a coffee shop a lot of tourists frequented in Plaza Foch in Quito Ecuador. I lived in Quito for a year and had an ISP… but many did not. I used to go there occasionally for coffee (never used the internet) but I assume that the 80-100 people at tables inside and on the patio were on the same LAN. One time I walked behind someone with a laptop open and running and it looked to me like he was packet sniffing from what I could see of the screen. Led to some interesting conjecture about what might be possible in such a location if someone was doing things like updating their social media…or worse, moving some money around at their bank…or checking their e mail, any or all of which might lead to identity theft, yes? Maybe I am paranoid…

Those addresses should only be reachable from the machine itself, not from any other machine on the same LAN or WLAN…

You might well be correct. Many thanks for your interest. It will give me an opportunity to investigate and learn more. From my limited understanding, cupsd is looking for network printers. If thats the case would it not be reachable from outside of the machine?

Regards and thanks again for the information.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.