After configuring network services, it is important to pay
attention to which ports are actually listening on the system's
network interfaces. Any open ports can be evidence of an
intrusion.
There are two basic approaches for listing the ports that are
listening on the network. The less reliable approach is to query
the network stack by typing commands such as netstat -an or lsof -i.
This method is less reliable since these programs do not connect to
the machine from the network, but rather check to see what is
running on the system. For this reason, these applications are
frequent targets for replacement by attackers. In this way,
crackers attempt to cover their tracks if they open unauthorized
network ports.
A more reliable way to check which ports are listening on the
network is to use a port scanner such as nmap.
The following command issued from the console determines which
ports are listening for TCP connections from the network:
The output of this command looks like the following:
Starting nmap 3.55 ( https://www.insecure.org/nmap/ ) at 2004-09-24 13:49 EDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1653 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
113/tcp open auth
631/tcp open ipp
834/tcp open unknown
2601/tcp open zebra
32774/tcp open sometimes-rpc11
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-rc7)
Uptime 12.857 days (since Sat Sep 11 17:16:20 2004)
Nmap run completed -- 1 IP address (1 host up) scanned in 5.190 seconds
This output shows the system is running portmap due to the presence of the sunrpc service. However, there is also a
mystery service on port 834. To check if the port is associated
with the official list of known services, type:
cat /etc/services | grep 834
This command returns no output. This indicates that while the
port is in the reserved range (meaning 0 through 1023) and requires
root access to open, it is not associated with a known service.
Next, check for information about the port using netstat or lsof. To check
for port 834 using netstat, use the
following command:
The command returns the following output:
tcp 0 0 0.0.0.0:834 0.0.0.0:* LISTEN 653/ypbind
The presence of the open port in netstat is reassuring because a cracker opening a
port surreptitiously on a hacked system would likely not allow it
to be revealed through this command. Also, the -p option reveals the process id (PID) of the
service which opened the port. In this case, the open port belongs
to ypbind (NIS), which is an RPC service
handled in conjunction with the portmap
service.
The lsof command reveals similar
information since it is also capable of linking open ports to
services:
Below is the relevant portion of the output for this
command:
ypbind 653 0 7u IPv4 1319 TCP *:834 (LISTEN)
ypbind 655 0 7u IPv4 1319 TCP *:834 (LISTEN)
ypbind 656 0 7u IPv4 1319 TCP *:834 (LISTEN)
ypbind 657 0 7u IPv4 1319 TCP *:834 (LISTEN)
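The cross-check walked through above (compare what nmap sees from the network with /etc/services and with netstat -anp) can be scripted, so that every open port is flagged when it is absent from the services list, sits in the reserved range, or is invisible to netstat. This is an added example, not code from the guide; the sample nmap, netstat and /etc/services text is constructed to mirror the outputs quoted above.

```python
import re

# Constructed sample data modelled on the outputs quoted in the text
# (not captured from a real host). Port 2601 is deliberately present in
# the nmap view but missing from netstat to show the tampering check.
NMAP_OUTPUT = """\
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
834/tcp open unknown
2601/tcp open zebra
"""
NETSTAT_OUTPUT = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 601/portmap
tcp 0 0 0.0.0.0:834 0.0.0.0:* LISTEN 653/ypbind
"""
SERVICES = """\
ssh 22/tcp
sunrpc 111/tcp
zebra 2601/tcp
"""

def open_tcp_ports(nmap_text):
    """Ports nmap reports as open TCP, mapped to the service name it guessed."""
    return {int(m.group(1)): m.group(2)
            for m in re.finditer(r"^(\d+)/tcp\s+open\s+(\S+)", nmap_text, re.M)}

def known_tcp_ports(services_text):
    """TCP ports that /etc/services associates with a named service."""
    return {int(m.group(1))
            for m in re.finditer(r"^\S+\s+(\d+)/tcp", services_text, re.M)}

def netstat_listeners(netstat_text):
    """Port -> 'pid/program' for LISTEN sockets in netstat -anp output."""
    pat = r"^tcp\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\s+(\S+)"
    return {int(m.group(1)): m.group(2)
            for m in re.finditer(pat, netstat_text, re.M)}

def audit(nmap_text, netstat_text, services_text):
    """Cross-check each nmap-visible port against /etc/services and netstat."""
    listeners = netstat_listeners(netstat_text)
    known = known_tcp_ports(services_text)
    findings = {}
    for port in sorted(open_tcp_ports(nmap_text)):
        notes = []
        if port not in known:
            notes.append("not in /etc/services")
            if port < 1024:  # reserved range: only root can bind it
                notes.append("reserved range, needs root to open")
        if port in listeners:
            notes.append("owner " + listeners[port])
        else:  # network sees it but the local stack query does not
            notes.append("NOT visible to netstat: possible tampering")
        findings[port] = notes
    return findings
```

On a live system, feed the script the real outputs of nmap -sT, netstat -anp and the contents of /etc/services; a port that nmap sees but netstat does not is the case the text warns about.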
These tools reveal a great deal about the status of the services
running on a machine. They are flexible and can provide a
wealth of information about network services and configuration.
Consulting the man pages for lsof,
netstat, nmap,
and services is therefore highly
recommended.