By default, CUPS listens on the network for printer list broadcasts on UDP port 631. This functionality is called printer browsing. To disable printer browsing entirely, edit the CUPS configuration file, located at /etc/cups/cupsd.conf, to include the following:
Browsing Off BrowseAllow none
The CUPS print service can be configured to broadcast a list of available printers to the network. Other systems on the network, also running the CUPS print service, can be configured to listen to these broadcasts and add and configure these printers for immediate use. By disabling this browsing capability, the system will no longer generate or receive such broadcasts.
To prevent remote users from potentially connecting to and using locally configured printers, disable the CUPS print server sharing capabilities. To do so, limit how the server will listen for print jobs by removing the more generic port directive from /etc/cups/cupsd.conf:
Port 631and replacing it with the Listen directive:
Listen localhost:631This will prevent remote users from printing to locally configured printers while still allowing local users on the system to print normally.
By default, locally configured printers will not be shared over the network, but if this functionality has somehow been enabled, these recommendations will disable it again. Be sure to disable outgoing printer list broadcasts, or remote users will still be able to see the locally configured printers, even if they cannot actually print to them. To limit print serving to a particular set of users, use the Policy directive.
The cups
package can be removed with the following command:
$ apt-get remove cups
If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be removed to reduce the potential attack surface.
The cups
service can be disabled with the following command:
$ sudo systemctl mask --now cups.service
Turn off unneeded services to reduce attack surface.