This chapter provides information about identifying and securing network services with open communication ports.
Client-server applications open communication ports on the server, allowing the applications to listen to incoming client requests. Because open ports are vulnerable to potential security attacks, identify which applications have open ports and close those ports that are open unnecessarily. This practice is useful because it allows you to understand what systems are being made available to anyone who has access to the Internet.
To determine which ports are open, do the following:
# netstat -af inet
The following is an example of this command output. The last column of the netstat command output indicates the state of each service. Services that are waiting for incoming connections are in the LISTEN state.
| Active Internet connection (including servers) | |||||
|---|---|---|---|---|---|
| Proto | Recv-Q | Send-Q | Local Address | Foreign Address | (state) |
tcp4 |
0 |
0 |
*.echo |
*.* |
LISTEN |
tcp4 |
0 |
0 |
*.discard |
*.* |
LISTEN |
tcp4 |
0 |
0 |
*.daytime |
*.* |
LISTEN |
tcp |
0 |
0 |
*.chargen |
*.* |
LISTEN |
tcp |
0 |
0 |
*.ftp |
*.* |
LISTEN |
tcp4 |
0 |
0 |
*.telnet |
*.* |
LISTEN |
tcp4 |
0 |
0 |
*.smtp |
*.* |
LISTEN |
tcp4 |
0 |
0 |
*.time |
*.* |
LISTEN |
tcp4 |
0 |
0 |
*.www |
*.* |
LISTEN |
tcp4 |
0 |
0 |
*.sunrpc |
*.* |
LISTEN |
tcp |
0 |
0 |
*.smux |
*.* |
LISTEN |
tcp |
0 |
0 |
*.exec |
*.* |
LISTEN |
tcp |
0 |
0 |
*.login |
*.* |
LISTEN |
tcp4 |
0 |
0 |
*.shell |
*.* |
LISTEN |
tcp4 |
0 |
0 |
*.klogin |
*.* |
LISTEN |
udp4 |
0 |
0 |
*.kshell |
*.* |
LISTEN |
udp4 |
0 |
0 |
*.echo |
*.* |
|
udp4 |
0 |
0 |
*.discard |
*.* |
|
udp4 |
0 |
0 |
*.daytime |
*.* |
|
udp4 |
0 |
0 |
*.chargen |
*.* |
|
udp4 |
0 |
0 |
*.time |
*.* |
|
udp4 |
0 |
0 |
*.bootpc |
*.* |
|
udp4 |
0 |
0 |
*.sunrpc |
*.* |
|
udp4 |
0 |
0 |
255.255.255.255.ntp |
*.* |
|
udp4 |
0 |
0 |
1.23.123.234.ntp |
*.* |
|
udp4 |
0 |
0 |
localhost.domain.ntp |
*.* |
|
udp4 |
0 |
0 |
name.domain..ntp |
*.* |
|
| .................................... | |||||
The following is a sample fragment of the /etc/services file:
tcpmux |
1/tcp |
# TCP Port Service Multiplexer |
tcpmux |
1/tcp |
# TCP Port Service Multiplexer |
Compressnet |
2/tcp |
# Management Utility |
Compressnet |
2/udp |
# Management Utility |
Compressnet |
3/tcp |
# Compression Process |
Compressnet |
3/udp |
Compression Process |
Echo |
7/tcp |
|
Echo |
7/udp |
|
discard |
9/tcp |
sink null |
discard |
9/udp |
sink null |
.............. |
||
rfe |
5002/tcp |
# Radio Free Ethernet |
rfe |
5002/udp |
# Radio Free Ethernet |
rmonitor_secure |
5145/tcp |
|
rmonitor_secure |
5145/udp |
|
pad12sim |
5236/tcp |
|
pad12sim |
5236/udp |
|
sub-process |
6111/tcp |
# HP SoftBench Sub-Process Cntl. |
sub-process |
6111/udp |
# HP SoftBench Sub-Process Cntl. |
xdsxdm |
6558/ucp |
|
xdsxdm |
6558/tcp |
|
afs3-fileserver |
7000/tcp |
# File Server Itself |
afs3-fileserver |
7000/udp |
# File Server Itself |
af3-callback |
7001/tcp |
# Callbacks to Cache Managers |
af3-callback |
7001/udp |
# Callbacks to Cache Managers |
Identify TCP sockets that are in the LISTEN state and idle UDP sockets that are waiting for data to arrive. Use the lsof command, a variant of the netstat -af command. Beginning with AIX 5.1, the lsof command is included on the AIX Toolbox for Linux Applications CD.
For example, to display the TCP sockets in the LISTEN state and the UDP sockets in the IDLE state, run the lsof command as follows:
# lsof -i | egrep "COMMAND|LISTEN|UDP"
The output produced is similar to the following:
| Command | PID | USER | FD | TYPE | DEVICE | SIZE/OFF | NODE | NAME |
|---|---|---|---|---|---|---|---|---|
dtlogin |
2122 |
root |
5u |
IPv4 |
0x70053c00 |
0t0 |
UDP |
*:xdmcp |
dtlogin |
2122 |
root |
6u |
IPv4 |
0x70054adc |
0t0 |
TCP |
*:32768(LISTEN) |
syslogd |
2730 |
root |
4u |
IPv4 |
0x70053600 |
0t0 |
UDP |
*:syslog |
X |
2880 |
root |
6u |
IPv4 |
0x70054adc |
0t0 |
TCP |
*:32768(LISTEN) |
X |
2880 |
root |
8u |
IPv4 |
0x700546dc |
0t0 |
TCP |
*:6000(LISTEN) |
dtlogin |
3882 |
root |
6u |
IPv4 |
0x70054adc |
0t0 |
TCP |
*:32768(LISTEN) |
glbd |
4154 |
root |
4u |
IPv4 |
0x7003f300 |
0t0 |
UDP |
*:32803 |
glbd |
4154 |
root |
9u |
IPv4 |
0x7003f700 |
0t0 |
UDP |
*:32805 |
| dtgreet | 4656 | root | 6u | IPv4 |
0x70054adc |
0t0 | TCP |
*:32768(LISTEN) |
| .......... |
After identifying the process ID, you can obtain more information about the program by running the following command:
" # ps -fp PID#"
The output contains the path to the command name, which you can use to access the program's man page.