[Courses] [Security] The useful netstat
hobbit at aloss.ukuu.org.uk
Thu Mar 7 15:25:10 EST 2002
On Tue, Mar 05, 2002 at 06:00:48PM -0500 or thereabouts, Raven, corporate courtesan wrote:
> Much more helpful is to run netstat with the -pl options. This
> shows you the server processes that are listening too, and the processes
> that are associated with them.
I'll jump into the netstat games. This is a RH 7.2 box. It is on a
home LAN which is all behind a firewall. This firewall was set up
by my husband, and it's fairly paranoid. So in theory I'm safe. All
the same, comments welcomed. Just in case...
The RH 7.2 install has a little firewall tool in the install procedure
itself. I seem to recall using it in the install and tksysv a little
later to remove NFS. We do use NFS here, but I discovered I didn't
need the server. I just want to mount the /ogg filesystem off the
ogg-server so I can do "ogg123 /mnt/ogg/category/band/album/*" :)
I have edited the results for formatting only, so they fit better
into 80 characters. I have not removed any of the lines though.
Comments very welcome.
Script started on Thu Mar 7 09:47:33 2002
[hobbit at aloss hobbit]$ sudo netstat -pl
Password:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 *:printer       *:*              LISTEN  968/lpd Waiting
tcp        0      0 *:sunrpc        *:*              LISTEN  19825/portmap
tcp        0      0 *:x11           *:*              LISTEN  1661/X
tcp        0      0 *:ssh           *:*              LISTEN  912/sshd
tcp        0      0 *:smtp          *:*              LISTEN  989/exim
udp        0      0 *:800           *:*                      -
udp        0      0 *:697           *:*                      945/xinetd
udp        0      0 *:sunrpc        *:*                      19825/portmap
I think lpd is needed: the printer is attached to my machine and we
send jobs to it from various machines on the LAN.
I get mail to this box and send directly from the box. So I reckon I
need exim. :)
I do mess about with X servers on one machine and clients on the others.
I am not sure how and whether I'd do this with ssh involved too. I
shall look at your http://www.oneeyedcrow.net/tech/securex.html page :)
Can't see how to reformat this below. Sorry.
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 88873 21356/oafd /tmp/orbit-hobbit/orb-727392264863676337
unix 2 [ ACC ] STREAM LISTENING 91349303 22160/gnome-termina /tmp/orbit-hobbit/orb-501247387953915065
unix 2 [ ACC ] STREAM LISTENING 91057942 20354/gnome-termina /tmp/orbit-hobbit/orb-14363381261679704763
unix 2 [ ACC ] STREAM LISTENING 91058020 20380/gnome-termina /tmp/orbit-hobbit/orb-881769042768377018
unix 2 [ ACC ] STREAM LISTENING 91070100 21268/gnome-termina /tmp/orbit-hobbit/orb-1464839999278165491
unix 2 [ ACC ] STREAM LISTENING 87900 21237/charpick_appl /tmp/orbit-hobbit/orb-19392098531720241483
unix 2 [ ACC ] STREAM LISTENING 91074673 21298/gnome-termina /tmp/orbit-hobbit/orb-5850989762048369963
unix 2 [ ACC ] STREAM LISTENING 91391070 684/gnome-terminal /tmp/orbit-hobbit/orb-1973906864906271941
unix 2 [ ACC ] STREAM LISTENING 91036858 19826/gnome-termina /tmp/orbit-hobbit/orb-753611555387314800
unix 2 [ ACC ] STREAM LISTENING 4115 1807/multiload_appl /tmp/orbit-hobbit/orb-5066814451871143450
unix 2 [ ACC ] STREAM LISTENING 4209 1817/deskguide_appl /tmp/orbit-hobbit/orb-1349052664624064339
unix 2 [ ACC ] STREAM LISTENING 3423 1661/X /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 1310 1077/xfs /tmp/.font-unix/fs7100
unix 2 [ ACC ] STREAM LISTENING 3482 1683/esd /tmp/.esd/socket
unix 2 [ ACC ] STREAM LISTENING 3754 1709/panel /tmp/orbit-hobbit/orb-1060930377631600276
unix 2 [ ACC ] STREAM LISTENING 4158 1810/screenshooter_ /tmp/orbit-hobbit/orb-1154417402161199909
unix 2 [ ACC ] STREAM LISTENING 3468 1677/gnome-session /tmp/.ICE-unix/1677
unix 2 [ ACC ] STREAM LISTENING 1260 1009/gpm /dev/gpmctl
unix 2 [ ACC ] STREAM LISTENING 3778 1732/gnome-name-ser /tmp/orbit-hobbit/orb-12343168171426562782
Active IPX sockets
Proto Recv-Q Send-Q Local Address Foreign Address State
[hobbit at aloss hobbit]$
Script done on Thu Mar 7 09:48:13 2002
Looking at the above, it's fairly obvious I'm running GNOME :)
I know from messing with it that oafd, gnome-*, *_applet, panel,
screenshooter and esd are all associated with GNOME. That leaves
XFS and gpm, which I think are both things I need.
> > I'd love to learn more about stuff like tripwire (never used it) or
> > anything that scans for changes to the list of running processes.
>
> I was thinking that would be a good topic for discussion too.
> It's one of the few ways you can be relatively sure that nothing else
> has been changed on your system.
I have tried to use it, but at least in the way it is packaged in
RH I can't get the thing set up correctly and I find the docs
non-helpful. So I'd appreciate a run-through on tripwire, too. Bit
late, since this box has been on the net for a while now: but at
least I know for the next time.
Telsa
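An added example, not from Telsa's post or from anyone else on the list, of the check the thread is circling around: given "netstat -pl" output, pull out just the TCP/UDP servers that other hosts can reach (local address "*", "0.0.0.0" or "::"), with the process that owns each, so every one of them can be justified or turned off. The sample output is constructed from the listing in the post, with the X line altered to a loopback binding (127.0.0.1) purely to show the filter doing something; the function names exposed_listeners and unowned_listeners are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post). Reads "netstat -pl" style
# output and lists the TCP/UDP servers reachable from other hosts. Sockets
# bound only to loopback are skipped, as are UNIX domain sockets.

# Constructed sample: the Internet-socket part of the posted listing, with the
# X line changed to a loopback binding so the address filter has work to do.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 *:printer       *:*              LISTEN  968/lpd Waiting
tcp        0      0 *:sunrpc        *:*              LISTEN  19825/portmap
tcp        0      0 127.0.0.1:x11   *:*              LISTEN  1661/X
tcp        0      0 *:ssh           *:*              LISTEN  912/sshd
tcp        0      0 *:smtp          *:*              LISTEN  989/exim
udp        0      0 *:800           *:*                      -
udp        0      0 *:697           *:*                      945/xinetd
udp        0      0 *:sunrpc        *:*                      19825/portmap
Active UNIX domain sockets (only servers)
Proto RefCnt Flags  Type    State     I-Node PID/Program name Path
unix  2      [ ACC ] STREAM LISTENING 3423   1661/X           /tmp/.X11-unix/X0'

# exposed_listeners: netstat -pl output on stdin, one line per externally
# reachable TCP/UDP server on stdout, as "proto port owner".
# The column layout differs between rows: tcp rows carry a State column
# (LISTEN) before PID/Program name, udp rows do not, and a program name may
# contain spaces ("lpd Waiting"), so the owner is taken as the rest of the row.
# An owner of "-" means netstat could not tie the socket to any process.
exposed_listeners() {
    awk '
        $1 == "tcp" || $1 == "udp" {
            n = split($4, part, ":")
            port = part[n]
            # everything before the last ":" is the address (handles "::")
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr != "*" && addr != "0.0.0.0" && addr != "::") next
            first = ($1 == "tcp") ? 7 : 6
            owner = ""
            for (i = first; i <= NF; i++)
                owner = owner (i > first ? " " : "") $i
            printf "%s %s %s\n", $1, port, owner
        }'
}

# unowned_listeners: the subset of exposed servers with no process attributed.
# These are the ones to chase down first, since nothing in "ps" explains them.
unowned_listeners() {
    exposed_listeners | awk '$3 == "-"'
}

# Usage: run it over the constructed sample (or pipe in "sudo netstat -pl").
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

Run against a live box as "sudo netstat -pl | exposed_listeners"; netstat only fills in PID/Program name for sockets owned by processes it is allowed to inspect, which is why the post runs it under sudo.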