[Courses] [Security] The useful netstat

Megan Golding meggolding at yahoo.com
Wed Mar 6 12:18:47 EST 2002


--- Katie Bechtold <katie at katie-and-rob.org> wrote:
> [root at blue root]# netstat -pl
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 localhost:32769         *:*                     LISTEN      865/xinetd

Is there a good reason to keep inetd / xinetd running?
Let's say I'm running a web server...should I shut
xinetd down? This seems like a big security risk to
me.

Other than xinetd, I didn't see anything that screamed
at me on Katie's list. Raven -- do you have tips for
spotting red flags on the netstat output?

[snip]

I have a box at home that's a web server, running in
NAT space behind a firewall and IDS. netstat shows the
following running:

[root at galileo root]# netstat -pl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:1024                  *:*                     LISTEN      663/rpc.statd

### I'm not familiar with this one, but a google
search turned up the following: " The rpc.statd
program is a support program to NFS which supports
file locking when requested."

From a security perspective, since I don't know what
this is, I should probably shut it down. I suppose I
could also read up on rpc.statd and figure out if I
need it. Is this a good approach? ###

tcp        0      0 *:sunrpc                *:*                     LISTEN      635/portmap

### Again, I'm not familiar with this one. Google
says, "Converts RPC program numbers into Internet port
numbers." So, if I shut down rpc.statd, I probably
don't need portmap. ###

tcp        0      0 *:http                  *:*                     LISTEN      4299/httpd

### This is a web server, so I expected this entry.
###

tcp        0      0 *:ssh                   *:*                     LISTEN      832/sshd

### Need remote access, so I expect this one, too. ###

tcp        0      0 galileo.localdomai:smtp *:*                     LISTEN      905/sendmail: accep

### I hear qmail is more secure. Should I switch? ###

tcp        0      0 *:https                 *:*                     LISTEN      4299/httpd

### Why does httpd show up twice here with seemingly
identical entries? ###

udp        0      0 *:1024                  *:*                                 663/rpc.statd

udp        0      0 *:839                   *:*                                 663/rpc.statd

udp        0      0 *:sunrpc                *:*                                 635/portmap



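Added example (not part of the original post): a small shell/awk audit that reads `netstat -pl` output and sorts each listener by bind scope, so the entries bound to every interface (`*:port`) stand out from the loopback-only and host-specific ones. The sample output below is constructed to mirror the two listings in the thread; `netstat -p` needs root to show PID/Program name.

```shell
#!/bin/sh
# Constructed sample modelled on the netstat -pl listings above
# (assumed data, not captured from a real host).
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:1024                  *:*                     LISTEN      663/rpc.statd
tcp        0      0 *:sunrpc                *:*                     LISTEN      635/portmap
tcp        0      0 *:http                  *:*                     LISTEN      4299/httpd
tcp        0      0 *:ssh                   *:*                     LISTEN      832/sshd
tcp        0      0 galileo.localdomai:smtp *:*                     LISTEN      905/sendmail: accep
tcp        0      0 *:https                 *:*                     LISTEN      4299/httpd
tcp        0      0 localhost:32769         *:*                     LISTEN      865/xinetd
udp        0      0 *:1024                  *:*                                 663/rpc.statd
udp        0      0 *:839                   *:*                                 663/rpc.statd
udp        0      0 *:sunrpc                *:*                                 635/portmap'

# classify_listeners: read netstat -pl output on stdin and print one line per
# listener as "<scope> <proto> <port> <pid/program>", where scope is
# WILDCARD (every interface), LOOPBACK (localhost only) or HOST (one name/address).
classify_listeners() {
  awk '
    $1 == "tcp" || $1 == "udp" {
      n = split($4, a, ":"); port = a[n]          # text after the last colon
      host = substr($4, 1, length($4) - length(port) - 1)
      prog = "-"
      for (i = 5; i <= NF; i++)                   # PID/Program is the first "NNN/" field,
        if ($i ~ /^[0-9]+\//) {                   # plus any trailing words ("sendmail: accep")
          prog = $i
          for (j = i + 1; j <= NF; j++) prog = prog " " $j
          break
        }
      if (host == "*" || host == "0.0.0.0")              scope = "WILDCARD"
      else if (host == "localhost" || host == "127.0.0.1") scope = "LOOPBACK"
      else                                                 scope = "HOST"
      print scope, $1, port, prog
    }'
}

# exposed_programs: distinct program names bound on every interface; these are
# the ones to justify one by one, the way the post walks through its list.
exposed_programs() {
  classify_listeners | awk '$1 == "WILDCARD" { sub(/^[0-9]+\//, "", $4); print $4 }' | sort -u
}

printf '%s\n' "$SAMPLE" | classify_listeners
```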


