[Courses] [Security] The useful netstat

Raven, corporate courtesan raven at oneeyedcrow.net
Wed Mar 6 20:49:42 EST 2002


Heya --

Quoth Megan Golding (Wed, Mar 06, 2002 at 11:18:47AM -0800):
> Is there a good reason to keep inetd / xinetd running?
> Let's say I'm running a web server...should I shut
> xinetd down? This seems like a big security risk to
> me.

	I personally prefer tcpserver as a superserver.  But I run
things that I need to -HUP often or don't want borked by any weird
superserver program standalone.  (Ssh, for example, since I do 80% of my
admin remotely, and don't want to run the possibility of locking myself
out of the boxes.)  It all depends on your preferred style of
administration, I think.  Some people are happier seeing things all in
one place.

	And of course, if your superserver isn't running any active
services, get rid of it.

	I would also suggest uninstalling any programs you (and your
users) are not using.  Makes life a lot less confusing, frees up disk
space, gets rid of the possibility of someone else just starting them up
again when they shouldn't be...  

> Raven -- do you have tips for spotting red flags on the netstat
> output?

	No magic button.  Just experience, and the notes I've appended
to people's netstat outputs.  Most things aren't always bad or good;
it's a balancing act between the needs of your site and security.
 
> ### I'm not familiar with this one, but a google
> search turned up the following: " The rpc.statd
> program is a support program to NFS which supports
> file locking when requested."

	Yah.  It's also one of the most commonly remotely exploitable
programs.  If you're not using it, get rid of it.
 
> From a security perspective, since I don't know what
> this is, I should probably shut it down. I suppose I
> could also read up on rpc.statd and figure out if I
> need it. Is this a good approach? ###

	Yep.  Research and paranoia, that's security.  [grin]
 
> tcp        0      0 *:sunrpc                *:*       
>              LISTEN      635/portmap
> 
> ### Again, I'm not familiar with this one. Google
> says, "Converts RPC program numbers into Internet port
> numbers." So, if I shut down rpc.statd, I probably
> don't need portmap. ###

	Yep.  Or NFS.
 
> tcp        0      0 galileo.localdomai:smtp *:*       
>              LISTEN      905/sendmail: accep
> 
> ### I hear qmail is more secure. Should I switch? ###

	Qmail or Postfix are the two that are touted for their security.
I don't know a whole lot about Exim's security history -- does anyone
else?  It is possible to keep sendmail and tweak and patch a lot so that
it's better, but if you're focused on security you probably want
something else.  I've run qmail and postfix both, and am happy with both
of them.  I haven't tried postfix in a high-volume environment yet, but
am building another server, so I hope to soon give it a whirl.
 
> tcp        0      0 *:https                 *:*       
>              LISTEN      4299/httpd
> 
> ### Why does httpd show up twice here with seemingly
> identical entries? ###

	Look closely -- it's http and https.  Ports 80 (TCP) and 443
(TCP), respectively.  Your web server is listening for both sorts of
connections, normal and secure.

Cheers,
Raven
 
"Sed, sed, awk.  Like duck, duck, goose.  Sync, sync, halt.  It's the
 order of nature."
  -- me, after too long a day at work
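An added example, not part of Raven's reply or anything else in this thread: a small Python script that turns the "no magic button" advice above into a first-pass check. It parses `netstat -tlp`-style listener lines, pulls out the bound address, port and owning program, and flags the services the thread singles out (portmap, rpc.statd) plus anything not on a site's expected-service list. The sample netstat text is constructed from the entries quoted in the thread (the rpc.statd line and its port are made up for the example), the column layout is assumed to match that output, and `EXPECTED` stands in for a site policy the reader would set themselves.

```python
"""Parse netstat listener output and flag services worth a second look.

Added example, not code from the original post. Sample input is constructed
from the entries quoted in the thread; the rpc.statd line is invented.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the netstat lines quoted in the thread.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:sunrpc                *:*                     LISTEN      635/portmap
tcp        0      0 *:1024                  *:*                     LISTEN      666/rpc.statd
tcp        0      0 galileo.localdomai:smtp *:*                     LISTEN      905/sendmail: accep
tcp        0      0 *:http                  *:*                     LISTEN      4299/httpd
tcp        0      0 *:https                 *:*                     LISTEN      4299/httpd
tcp        0      0 *:ssh                   *:*                     LISTEN      512/sshd
"""

# One listener line: proto, queues, local, foreign, optional state, pid/program.
# The program field may contain spaces ("sendmail: accep"), so it takes the rest.
LISTEN_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>\d+|-)/(?P<prog>.*)$"
)

# Services the site expects to find listening (assumed policy for this example).
EXPECTED = {"http", "https", "ssh"}

# Programs the thread says to remove unless they are actually in use.
KNOWN_RISKY = {
    "portmap": "RPC portmapper; only needed alongside NFS or rpc.statd",
    "rpc.statd": "NFS lock support; frequently remotely exploitable",
}


@dataclass(frozen=True)
class Listener:
    proto: str
    host: str      # "*" means bound on all interfaces
    port: str      # service name or number as netstat printed it
    pid: str       # "-" when netstat could not read the owner
    program: str


def parse_netstat(text):
    """Return a Listener for every line that matches the listener layout."""
    listeners = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # headers and anything not in the expected column layout
        host, _, port = m.group("local").rpartition(":")
        listeners.append(Listener(m.group("proto"), host, port,
                                  m.group("pid"), m.group("prog").strip()))
    return listeners


def flag_listeners(listeners):
    """Return (listener, reason) pairs for services that need a decision."""
    findings = []
    for lst in listeners:
        # "sendmail: accep" -> "sendmail"; "-" or empty program stays as-is
        prog = lst.program.split(":")[0].split()[0] if lst.program else ""
        if prog in KNOWN_RISKY:
            findings.append((lst, "known-risky: " + KNOWN_RISKY[prog]))
        elif lst.port not in EXPECTED:
            findings.append((lst, "not on the expected-service list; confirm it is needed"))
    return findings


if __name__ == "__main__":
    for lst, reason in flag_listeners(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{lst.proto} {lst.host}:{lst.port} pid={lst.pid} ({lst.program}): {reason}")
```

Run it against real output with `netstat -tlp | python check_listeners.py`-style plumbing by swapping `SAMPLE_NETSTAT` for `sys.stdin.read()`; the point is the same as Raven's: every listener either has a reason to exist on the box or gets removed.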
