When tightening up security on a Linux server, one of the first things the system administrator does is find out which ports are open. In other words: which applications are listening on a port that is reachable from the network and/or the internet.
We'll use netstat for this purpose. On a prompt, type:
$ sudo netstat --tcp --listen -p
Overview of the options:
--tcp     Show applications that use the TCP protocol (exclude UDP)
--listen  Show only applications that listen, and exclude clients
-p        Show the process ID and name of the application to which the port belongs
Netstat sometimes pauses during output. This is normal; it tries to resolve the addresses into human-readable host names and service names. If you don't want this, use the -n option, which prints numeric addresses and port numbers instead.
Example output from my laptop which runs Fedora 8 (I have removed the columns Foreign Address and State for the sake of brevity):
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address                PID/Program name
tcp        0      0 telislt.sron.nl:irdmi        2381/nasd
tcp        0      0 *:55428                      1965/rpc.statd
tcp        0      0 telislt.sron.:commplex-main  6573/ssh
tcp        0      0 *:mysql                      2307/mysqld
tcp        0      0 *:sunrpc                     1945/rpcbind
tcp        0      0 192.168.122.1:domain         2533/dnsmasq
tcp        0      0 telislt.sron.nl:privoxy      3581/ssh
tcp        0      0 telislt.sron.nl:ipp          2553/cupsd
tcp        0      0 telislt.sron.nl:smtp         2352/sendmail: acce
tcp        0      0 *:8730                       6030/skype
tcp        0      0 *:http                       2371/httpd
tcp        0      0 localhost6.localdom:privoxy  3581/ssh
tcp        0      0 *:ssh                        2205/sshd
Whenever there is an asterisk (star) instead of a host name, netstat tells us that the port is being listened on ALL interfaces: not only the loopback interface, but also every interface connected to the outside world. These are the ones we want to hunt down.
Now we know the program names, we can find out more about them. We'll take for instance the rpc.statd program. First we locate the complete path of this process:
$ whereis rpc.statd
rpc: /sbin/rpc.statd /usr/sbin/rpc.svcgssd /usr/sbin/rpc.idmapd /usr/sbin/rpc.mountd /usr/sbin/rpc.rquotad /usr/sbin/rpc.gssd /usr/sbin/rpc.nfsd /etc/rpc /usr/include/rpc
Whereis does a search and finds /sbin/rpc.statd. On RPM-based systems, we can request more information about the owning package:
$ rpm -qif /sbin/rpc.statd
....
The nfs-utils package provides a daemon for the kernel NFS server and related tools, which provides a much higher level of performance than the traditional Linux NFS server used by most users.
Now we know whether we want this package or not. If not, just remove it and the port will be closed. If we need the functionality, does it need to listen to the outside network? If not, we would typically Read The Fine Manual to see whether we can configure this package to listen locally.
Repeating this exercise for each line in the netstat output will tighten the server's security.
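The exercise above can be scripted. The following is an added example (not part of the original article): it parses netstat output produced with -n (so "*" appears as 0.0.0.0 or ::), lists every listener bound to all interfaces, and then looks up the binary and, on RPM systems, the owning package. The netstat output embedded below is constructed sample data in the same format as the article's.

```shell
#!/bin/sh
# Constructed sample, in the format of `sudo netstat --tcp --listen -pn`.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:55428           0.0.0.0:*               LISTEN      1965/rpc.statd
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      2307/mysqld
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      2533/dnsmasq
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2553/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2205/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      2371/httpd'

# Print "port program" for every TCP listener bound to all interfaces.
# With -n, netstat shows 0.0.0.0 (IPv4) or :: (IPv6) where the article's
# non-numeric output showed "*"; anything else is bound to one address only.
wildcard_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "::" || host == "*") {
                split($7, prog, "/")        # $7 is "PID/Program name"
                print port, prog[2]
            }
        }'
}

# Locate the binary behind a program name and, where rpm exists, its package
# (the article does this by hand with whereis and rpm -qif).
inspect_program() {
    prog="$1"
    path=$(command -v "$prog" 2>/dev/null) || { echo "$prog: not in PATH, try whereis"; return 0; }
    echo "$prog -> $path"
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$path"
    fi
    return 0
}

# Live use: replace the sample with $(sudo netstat --tcp --listen -pn).
wildcard_listeners "$SAMPLE_NETSTAT" | while read -r port prog; do
    echo "port $port is open on all interfaces:"
    inspect_program "$prog"
done
```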