[Voyage-linux] Open TCP Ports

Darryl Ross (spam-protected)
Tue May 19 19:20:57 HKT 2009


Hi Robert,

You can find out the registered and well known ports by using:

$ getent services <portnum>

This gets the information from the /etc/services file. Just as a small
note though, I have noticed differences between my RH systems and Debian
systems. E.g., my RH system shows port 1723 (below) but my voyage system
doesn't. Bit of a difference in the file sizes:

redhat$ ls -lh /etc/services
-rw-r--r-- 1 root root 354K Feb 23  2006 /etc/services
voyage$ ls -lh /etc/services
-rw-r--r-- 1 root root 19K Aug 28  2008 /etc/services

If you can't find the port in the services file, a google search may 
help you out.

Also, I note you didn't list any of the open UDP ports?

> tcp 0 0 0.0.0.0:68 0.0.0.0:* LISTEN

This is the DHCP client port. You are using a DHCP assigned address?

> tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN

MySQL, bound only to the loopback port.

> tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN

portmap - There are a few services which use portmap, but the most 
common one is the NFS server. For anything else I would assume you would 
know if you need it.

> tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN

DNS server. Dnsmasq is running in the standard image, do you still have 
it running?

> tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN

Point to Point Tunneling Protocol (PPTP). Are you running a PPTP based VPN?

> tcp 0 0 192.168.1.64:35760 192.168.1.66:83 TIME_WAIT
> tcp 0 0 192.168.1.64:35762 192.168.1.66:83 TIME_WAIT
> tcp 0 0 192.168.1.64:35757 192.168.1.66:83 TIME_WAIT
> tcp 0 0 192.168.1.64:35758 192.168.1.66:83 TIME_WAIT
> tcp 0 0 192.168.1.64:35759 192.168.1.66:83 TIME_WAIT
> tcp 0 0 192.168.1.64:35761 192.168.1.66:83 TIME_WAIT

These are sockets that have been closed, but which the kernel is still
waiting on for a period of time to make sure there is no more data 'on
the wire'.

> tcp6 0 0 :::53 :::* LISTEN

DNS server on IPv6

> tcp6 0 0 :::22 :::* LISTEN

SSH server on IPv6 - but you already knew this one.

> tcp6 0 1128 ::ffff:192.168.1.64:22 ::ffff:192.168.1.:51880 ESTABLISHED
> tcp6 0 0 ::ffff:192.168.1.64:22 ::ffff:192.168.1.:51877 ESTABLISHED

As you said, established connections.

> Can you guys recommend the best way to get these closed up? Just helps
> eliminate the vulnerabilities.

If you are not using NFS, you can stop portmap and NFS and remove the 
startup scripts by using update-rc.d.

Also, you can find out what program has a port open by giving netstat 
the '-p' option. This should give you more information to decide whether 
you need a particular port open.

# netstat -lpn

Regards
Darryl
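
The `netstat -lpn` check suggested above, as an added example that is not part of the original e-mail: it separates loopback-only listeners from those reachable from other hosts and names the owning program. The sample rows, PIDs and program names are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage `netstat -lpn` output into loopback-only and exposed listeners.

# Constructed sample in `netstat -lpn` format (PIDs and program names are made up).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1501/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1210/portmap
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1333/dnsmasq
tcp        0      0 0.0.0.0:1723            0.0.0.0:*               LISTEN      1620/pptpd
tcp6       0      0 :::22                   :::*                    LISTEN      1402/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1188/dhclient
EOF
}

# Reads netstat -lpn output on stdin; prints "proto port scope program".
# scope is "local" for loopback-bound sockets, "exposed" for everything else.
classify_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]                 # port is whatever follows the last colon
        host = substr(addr, 1, length(addr) - length(port) - 1)
        scope = (host ~ /^(::ffff:)?127\./ || host == "::1") ? "local" : "exposed"
        # PID/Program is the last field; UDP rows have no State column.
        prog = $NF
        sub(/^[0-9]+\//, "", prog)
        print $1, port, scope, prog
    }'
}

# Only the listeners that other hosts can reach.
exposed_listeners() { classify_listeners | awk '$3 == "exposed"'; }

# Service name from the local /etc/services, e.g. `service_name 1723 tcp`.
# Falls back to "unknown" because the file's coverage differs between distros.
service_name() {
    name=$(getent services "$1/$2" 2>/dev/null | awk '{print $1; exit}')
    echo "${name:-unknown}"
}

# On a live system, run as root so -p can show program names:
#   netstat -lpn | exposed_listeners
sample_netstat | exposed_listeners
```

Each "exposed" row is a candidate for stopping the service or rebinding it to loopback; a "-" in the program column means netstat was not run as root.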



