[Voyage-linux] Open TCP Ports

Robert Rawlins - Think Blue (spam-protected)
Tue May 19 20:02:39 HKT 2009


Darryl, thanks for the reply.

You're right about the DHCP client port, I'm running this as DHCP at the
moment so that would explain that nicely :-)

Portmap and DNS on the other hand I'm not quite sure about, I know very
little about both, are they essential to run the system? You say DNS is
installed by default for voyage, is this only required if using the system
as a Router or AP, or will I need this for general use, for instance
running 'wget www.google.com'? If I can get away without it on the system to
close down a port then that would be excellent.

I'm pretty sure we're not using an NFS server, generally all access to the
systems is done through SSH, using both Putty and WinSCP. Do you think I
should be able to remove this? PPTP, again, we have no VPN running here so
this could likely be removed?

voyage:~# netstat -lpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:68              0.0.0.0:*               LISTEN      2853/pump
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      3115/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2887/portmap
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      3015/dnsmasq
tcp        0      0 0.0.0.0:1723            0.0.0.0:*               LISTEN      3494/pptpd
tcp6       0      0 :::53                   :::*                    LISTEN      3015/dnsmasq
tcp6       0      0 :::22                   :::*                    LISTEN      3504/sshd
udp        0      0 0.0.0.0:32768           0.0.0.0:*                           3015/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           3015/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           3015/dnsmasq
udp        0      0 0.0.0.0:69              0.0.0.0:*                           3485/inetd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2887/portmap
udp6       0      0 :::53                   :::*                                3015/dnsmasq

That is the output of the suggested command from you, seems to confirm your
assumptions about what services were using the ports.

I'm pretty sure I can remove pptpd, I'd like your advice about the others.

Cheers mate,

Rob

-----Original Message-----
From: Darryl Ross [mailto:spam at afoyi.com] 
Sent: 19 May 2009 12:21
To: Robert Rawlins - Think Blue
Cc: voyage-linux at voyage.hk
Subject: Re: [Voyage-linux] Open TCP Ports

Hi Robert,

You can find out the registered and well known ports by using:

$ getent services <portnum>

This gets the information from the /etc/services file. Just as a small 
note though, I have noticed differences between my RH systems and Debian 
systems. E.g., my RH system shows port 1723 (below) but my voyage system 
doesn't. Bit of a difference in the file sizes:

redhat$ ls -lh /etc/services
-rw-r--r-- 1 root root 354K Feb 23  2006 /etc/services
voyage$ ls -lh /etc/services
-rw-r--r-- 1 root root 19K Aug 28  2008 /etc/services

If you can't find the port in the services file, a google search may 
help you out.

Also, I note you didn't list any of the open UDP ports?

> tcp 0 0 0.0.0.0:68 0.0.0.0:* LISTEN

This is the DHCP client port. You are using a DHCP assigned address?

> tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN

MySQL, bound only to the loopback port.

> tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN

portmap - There are a few services which use portmap, but the most 
common one is the NFS server. For anything else I would assume you would 
know if you need it.

> tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN

DNS server. Dnsmasq is running in the standard image, do you still have 
it running?

> tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN

Point to Point Tunneling Protocol (PPTP). Are you running a PPTP based VPN?

> tcp 0 0 192.168.1.64:35760 192.168.1.66:83 TIME_WAIT
> tcp 0 0 192.168.1.64:35762 192.168.1.66:83 TIME_WAIT
> tcp 0 0 192.168.1.64:35757 192.168.1.66:83 TIME_WAIT
> tcp 0 0 192.168.1.64:35758 192.168.1.66:83 TIME_WAIT
> tcp 0 0 192.168.1.64:35759 192.168.1.66:83 TIME_WAIT
> tcp 0 0 192.168.1.64:35761 192.168.1.66:83 TIME_WAIT

These are sockets that have been closed but the kernel is waiting on for 
a period of time to make sure there is no more data 'on the wire' still.

> tcp6 0 0 :::53 :::* LISTEN

DNS server on IPv6

> tcp6 0 0 :::22 :::* LISTEN

SSH server on IPv6 - but you already knew this one.

> tcp6 0 1128 ::ffff:192.168.1.64:22 ::ffff:192.168.1.:51880 ESTABLISHED
> tcp6 0 0 ::ffff:192.168.1.64:22 ::ffff:192.168.1.:51877 ESTABLISHED

As you said, established connections.

> Can you guys recommend the best way to get these closed up? Just helps
> eliminate the vulnerabilities.

If you are not using NFS, you can stop portmap and NFS and remove the 
startup scripts by using update-rc.d.

Also, you can find out what program has a port open by giving netstat 
the '-p' option. This should give you more information to decide whether 
you need a particular port open.

# netstat -lpn

Regards
Darryl




