[Courses] [Security] The useful netstat

Raven, corporate courtesan raven at oneeyedcrow.net
Wed Mar 6 18:28:40 EST 2002


Heya --

	Okay, there's some cleaning up that we can likely do here.  I
doubt you need all these services.

Quoth Katie Bechtold (Wed, Mar 06, 2002 at 09:33:23AM -0500):
> [root at blue root]# netstat -pl
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address
> State       PID/Program name   
> tcp        0      0 localhost:32769         *:*
> LISTEN      865/xinetd          

	Is this a Red Hat box?  Red Hat often uses this port for
outgoing client connections.

http://www.seifried.org/security/ports/32769.html

> tcp        0      0 *:printer               *:*
> LISTEN      922/lpd Waiting     

	Are you running print services on this host?  If not, you can
kill this entirely.

> tcp        0      0 *:x11                   *:*
> LISTEN      2751/X 

	With X11, you don't want to stop X, you just want to stop it
from listening on a port for other machines to connect to.  (I'm
assuming that you don't want to serve X to any machine other than your
local one.)  I actually did a Web page about this a few months back,
since this is such a common problem.

http://www.oneeyedcrow.net/tech/securex.html
             
> tcp        0      0 *:http                  *:*
> LISTEN      1052/httpd          

	I'm assuming you want this.  [grin]

> tcp        0      0 *:auth                  *:*
> LISTEN      825/identd         

	You'll need it if you IRC from this box.  Some people disable it
as a "leaks information" security concern.  It's not a big deal either
way, I don't think.  For a very locked-down system you'd want to turn it
off, but for a home system you're probably okay.
 
> tcp        0      0 *:ssh                   *:*
> LISTEN      883/sshd            
> tcp        0      0 localhost:smtp          *:*
> LISTEN      982/sendmail: accep 

	You want to keep these too, I'm assuming, so you can ssh to your
box and use it as a mail server.  (Note that if you only want to send
mail from your box, and don't need to receive mail directly to it, you
can set sendmail to only listen locally.)

> tcp        0      0 *:x11-ssh-offset        *:*
> LISTEN      2371/sshd           
> tcp        0      0 *:6011                  *:*
> LISTEN      2415/sshd           
> tcp        0      0 *:https                 *:*
> LISTEN      1052/httpd          
> tcp        0      0 *:6012                  *:*
> LISTEN      2495/sshd         

	Do you use X forwarding for ssh?  That's what the 6010
(x11-ssh-offset), 6011, and 6012 ports are.  If you don't use it, turn
it off in /etc/sshd_config, or wherever such things live for your flavor
of ssh.  I use OpenSSH, so for me it's

X11Forwarding no 

in /etc/sshd_config.  

> Active UNIX domain sockets (only servers)
> Proto RefCnt Flags       Type       State         I-Node PID/Program
> name    Path
> unix  2      [ ACC ]     STREAM     LISTENING     1414   1176/xfs
> /tmp/.font-unix/fs7100
> unix  2      [ ACC ]     STREAM     LISTENING     1292   1029/gpm
> /dev/gpmctl
> unix  2      [ ACC ]     STREAM     LISTENING     2158   1435/oafd
> /tmp/orbit-katie/orb-1579713980692359511
> unix  2      [ ACC ]     STREAM     LISTENING     7161434 2751/X
> /tmp/.X11-unix/X0
> Active IPX sockets
> Proto Recv-Q Send-Q Local Address              Foreign Address
> State
 
	These are less worrisome.  Strange that you have "Active IPX
sockets" in there -- did you add Netware support to your kernel, or are
you on a Netware network?
 
> Before the doing the netstat you see above, I:
> - stopped portmap and removed it from my init script for runlevel 5
> (is it just a coincidence that it apparently was running on port
> 666? :)

	[laughs]  Port 666 is surprisingly common.  I guess everyone
wants to be cool and evil, or something.  I've seen FTP warez servers
run off this port, trojans listening for connections on this port, as
well as portmap.

> - tried to stop X, but it always restarted

	See above URL; the techniques in there should fix your problem
with that, without killing your X server.

> - stopped rpc.statd; it wasn't clear to me which init script starts
> it
> - removed nfslock from init script for runlevel 5
> - stopped netfs; removed from init script for runlevel 5

	Yah, NFS is one of those things that in my opinion should be off
by default, and can be deliberately turned on if necessary.

	You don't have an init script called S87rpcstat or anything like
that?  It's been pretty clearly labeled for me most of the time.
Portmap might also run it.
 
> Other than that, this is basically a freshly installed RedHat 7.2
> system.

	Bahaha!  I guessed right! [grin]

> I'm using it as my desktop system, so I don't think I have
> a good reason to be running lpd or httpd.  I do want to run sshd and
> some mailserver (so mutt can send mail out), though.

	Then yes, you want to turn off print services and Apache if
you're not using them.  Do you want to be able to receive mail directly
to this box, too, or will you be POP or IMAPping it from another server?

> I don't know about identd; is it considered a security risk?

	If you've got a recent version of identd, it's a low risk.
There have been ident exploits in the past, but I think most of 'em are
fixed in recent versions.

> I'll also note that this system is behind a NAT router, so maybe
> running unneeded services isn't a humongous risk, but I want to know
> how to do it right anyway.
 
	NAT will save you from some things, but not everything.  It's no
replacement for a good firewall.  Much depends on how your router does
the NAT.  If it's one-to-one address mapping, then you're not
significantly safer.  If it's port forwarding, that is considerably
safer, because outside attackers are less likely to know your box is
there.  Your NAT device can still get portscanned, of course.

Cheers,
Raven

"I am so very girly."
  -- RavenBlack, on 'feminine' and 'masculine' traits

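The checklist Raven walks through above, turned into a small script, as an added example that is not part of the original thread: it parses `netstat -pl` output (a constructed sample in the shape of Katie's, re-joined to one line per socket), and gives every listener a verdict, so the services bound to all interfaces that are not on a short wanted list stand out as the ones to stop or to rebind to loopback, as the reply suggests for sendmail. The wanted set `{"ssh"}` and the sample lines are assumptions made for the example.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of the `netstat -pl` output quoted in the
# thread, re-joined to one line per socket (the mailer had wrapped each entry).
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost:32769         *:*                     LISTEN      865/xinetd
tcp        0      0 *:printer               *:*                     LISTEN      922/lpd Waiting
tcp        0      0 *:x11                   *:*                     LISTEN      2751/X
tcp        0      0 *:http                  *:*                     LISTEN      1052/httpd
tcp        0      0 *:auth                  *:*                     LISTEN      825/identd
tcp        0      0 *:ssh                   *:*                     LISTEN      883/sshd
tcp        0      0 localhost:smtp          *:*                     LISTEN      982/sendmail: accep
tcp        0      0 *:x11-ssh-offset        *:*                     LISTEN      2371/sshd
Active UNIX domain sockets (only servers)
"""

Listener = namedtuple("Listener", "proto bind port pid program")
# One Internet-socket line; State is blank for udp, PID/Program is "-" if not visible.
LINE = re.compile(r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<bind>\S+):(?P<port>\S+)"
                  r"\s+\S+\s+(?:LISTEN\s+)?(?:(?P<pid>\d+)/(?P<prog>.+?)|-)\s*$")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def parse_netstat(text):
    """Return a Listener per Internet-socket line; headers and UNIX sockets are skipped."""
    found = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        pid = int(m["pid"]) if m["pid"] else None
        found.append(Listener(m["proto"], m["bind"], m["port"], pid, m["prog"] or "?"))
    return found

def verdict(l, wanted):
    """'keep' if the port is wanted, 'local-only' if bound to loopback, else 'exposed'."""
    if l.port in wanted:
        return "keep"
    return "local-only" if l.bind in LOOPBACK else "exposed"

def audit(text, wanted):
    """Map each (port, program) to its verdict; the 'exposed' ones are the action items."""
    return {(l.port, l.program): verdict(l, wanted) for l in parse_netstat(text)}

def exposed_ports(text, wanted):
    """Sorted list of ports reachable from the network that are not on the wanted list."""
    return sorted(p for (p, _), v in audit(text, wanted).items() if v == "exposed")

if __name__ == "__main__":  # assumed needs: ssh in; mail goes out only, so smtp stays loopback
    for (port, prog), v in audit(SAMPLE, {"ssh"}).items():
        print(f"{v:10} {port:16} {prog}")
```

Run it against real `netstat -pl` output as root (netstat only shows the owning program for your own processes otherwise, printing "-" instead).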