This is a discussion on sunrpc & finger ports within the Linux Security forums, part of the System Security and Security Related category.
Greetings,

I have spent some time today going over logs & checking out my ports and the like. I perform a netstat -tea | grep "LIST" (I have a vague idea what this does; it shows open ports, correct?) and get the following:

Now several of these I am quite okay with. Since I have no desire to have finger running I want to get rid of it. I ps -aux | grep finger and find no such thing. I grepped through my rc files and nada as well. How do I shut down the finger port?

Next, how about sunrpc? I have read there to be security problems with certain versions of sunrpc. I am not doing anything too fancy with this system, the usual web surfing, e-mail, newsreading, some ssh'ing to other sites, and some local web-serving. Seems to me sunrpc serves some network processes that I do not have or need. How to close that port?

Anything else look fishy?

Thanks

===========================================================================
tcp   0   0   *:printer        *:*   LISTEN   root   86
tcp   0   0   *:time           *:*   LISTEN   root   67
tcp   0   0   *:3306           *:*   LISTEN   root   41701
tcp   0   0   *:finger         *:*   LISTEN   root   70
tcp   0   0   *:sunrpc         *:*   LISTEN   root   54
tcp   0   0   *:x11            *:*   LISTEN   root   272719
tcp   0   0   *:http           *:*   LISTEN   root   260516
tcp   0   0   *:auth           *:*   LISTEN   root   71
tcp   0   0   *:ssh            *:*   LISTEN   root   73
tcp   0   0   localhost:5180   *:*   LISTEN   mark   273164
===========================================================================

--
From: Mark A Framness <farmer@netnet.net>
http: http://netnet.net/~farmer/index.html
With all of thy getting, get understanding! Proverbs 4:7

On Thu, 29 Jan 2004, Mark A Framness wrote:

> Greetings,
>
> I have spent some time today going over logs & checking out my ports and the
> like. I perform a netstat -tea | grep "LIST" (I have a vague idea what this
> does; it shows open ports, correct?)

correct (it can do and it does more, but anyway...)

> Now several of these I am quite okay with. Since I have no desire to have
> finger running I want to get rid of it. I ps -aux | grep finger and find no
> such thing. I grepped through my rc files and nada as well. How do I shut
> down the finger port?

The word finger there means that this is the port normally used for finger (the mapping of port numbers and services is often done by the file /etc/services, so grep this for finger). You better add the -n (for numerical output) to your netstat command (and the -u for UDP too). Now you can see the numerical port numbers. But this tells you nothing about which process uses this socket. There are a few ways to figure this out. One is the program fuser. If you got root privileges do i.e.

    fuser -4 -uv 79/tcp

and you'll get something like:

    79/tcp root 621 f.... xinetd

which in that case means that the port is used by xinetd.

> Next, how about sunrpc? I have read there to be security problems with
> certain versions of sunrpc.

The sunrpc port (afair 111) is used by the portmap daemon. Mostly the problem is not the daemon itself but the services using the RPC mechanism (and the principle of the mechanism itself). Check the web for RPC and you'll find a lot about it.

> I am not doing anything too fancy with this
> system, the usual web surfing, e-mail, newsreading, some ssh'ing to other
> sites, and some local web-serving. Seems to me sunrpc serves some network
> processes that I do not have or need. How to close that port?
>

If you have figured out that you do not use any rpc-service (sometimes there are some system-internal services using the loopback), shut down the portmap daemon.

regards
Stephan Knabe

Brad Olin wrote:

> On Thu, 29 Jan 2004 10:19:19 -0600, Mark A Framness <farmer@netnet.net>
> wrote:
>
>>Now several of these I am quite okay with. Since I have no desire to
>>have finger running I want to get rid of it. I ps -aux | grep finger and
>>find no such thing. I grepped through my rc files and nada as well. How do
>>I shut down the finger port?
>>
> The answer depends on what distro you are running. Most likely the
> finger service is started via inetd/xinetd. You can check that with a
> command like...
>
> netstat -apn --inet | grep LISTEN | grep :79

Yep! I went into my inetd config file and no more finger daemon!

>
>>Next, how about sunrpc? I have read there to be security problems with
>>certain versions of sunrpc. I am not doing anything too fancy with this
>>system, the usual web surfing, e-mail, newsreading, some ssh'ing to other
>>sites, and some local web-serving. Seems to me sunrpc serves some network
>>processes that I do not have or need. How to close that port?
>>
> It is always a good idea to shut down services that you are not using.
> It could be it is started because xinetd is running. Again, how to shut
> this down depends on what distro you are running.

Yes, this is what I have heard repeatedly. I run Slackware and will post a question &&/|| search that NG.

>
>>Anything else look fishy?
>>
>
> Do you really have a printer on this box and is it open to all NICs?
> That may not be such a good idea if this is a dual use gateway box that is
> exposed to the Internet.

Right now until I can financially recover from some car repairs I have no functional printer. I would like to shut that port as well. Any guesses?

Thanks for your help!

--
From: Mark A Framness <farmer@netnet.net>
http: http://netnet.net/~farmer/index.html
With all of thy getting, get understanding! Proverbs 4:7

In article <q6ri10h1pramibmnnk1ii8k77088v0rbrq@4ax.com>,
Brad Olin wrote:

> I'm not a slackware guy, so I don't know the exact commands. That being
> said, look in the /etc/init.d directory. There should be a script per

We don't have any of this. BTW, most of this is addressed to Mark. By now he may have gotten his answer in alt.os.linux.slackware, but I'm too far behind there to check.

> service that is installed on your box. Note that installed and running
> are two diff things. On redhat and debian I think the printer daemon is
> called lpd, if that is the name then you can run the script with the
> desired action as an argument... i.e. `/etc/init.d/lpd stop` That will
> stop it until next you boot. To make the changes persistent through a

"killall lpd" should stop it, either CUPS or lprng. To prevent it from starting again, make both /etc/rc.d/rc.cups and rc.lprng non-executable. There's a "GUI" interface to do this which can be called from pkgtool, but hey, chmod works for me. :)

> The tool, whatever it's called on slackware, will change some symlinks
> from the rc?.d directories/symlinks. There is a standard convention of

And Slackware does not adhere to that standard, thank goodness. :)

Lastly for Mark, "/etc/rc.d/rc.portmap stop" will get rid of it, and similarly make that file non-executable to prevent it restarting. I recommend the a.o.l.s. FAQ and www.slackware.com/book to help you get up to speed on the Slackware way of doing things.

--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply
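
Added example, not part of the thread: the diagnosis reached above (finger shows as LISTEN although no finger process exists, because inetd holds the socket) can be checked by cross-referencing the listeners with the enabled lines of /etc/inetd.conf. The inetd.conf text is a constructed sample, the listener lines follow the layout of the netstat output in the first post (service names, no -n), and classify_listeners is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample of /etc/inetd.conf (not taken from the thread).
# Enabled entries start with the service name; disabled ones start with '#'.
SAMPLE_INETD_CONF='# /etc/inetd.conf (constructed sample)
time    stream  tcp     nowait  root    internal
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
auth    stream  tcp     wait    root    /usr/sbin/in.identd     in.identd
#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  proftpd'

# Listener lines in the layout of the `netstat -tea | grep LIST` output
# quoted in the first post.
SAMPLE_NETSTAT='tcp 0 0 *:printer *:* LISTEN root 86
tcp 0 0 *:time *:* LISTEN root 67
tcp 0 0 *:finger *:* LISTEN root 70
tcp 0 0 *:sunrpc *:* LISTEN root 54
tcp 0 0 *:auth *:* LISTEN root 71
tcp 0 0 *:ssh *:* LISTEN root 73
tcp 0 0 localhost:5180 *:* LISTEN mark 273164'

# classify_listeners INETD_CONF_TEXT NETSTAT_TEXT
# Prints "<service> inetd" when an enabled inetd.conf entry owns the port,
# otherwise "<service> standalone" (a daemon started from an rc script).
classify_listeners() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---" { in_netstat = 1; next }
        # inetd.conf part: field 1 = service, field 3 = protocol
        !in_netstat && $1 !~ /^#/ && $3 == "tcp" { managed[$1] = 1; next }
        # netstat part: field 4 = local address "addr:service"
        in_netstat && $6 == "LISTEN" {
            n = split($4, part, ":"); svc = part[n]
            print svc, ((svc in managed) ? "inetd" : "standalone")
        }'
}

classify_listeners "$SAMPLE_INETD_CONF" "$SAMPLE_NETSTAT"
```

Services reported as inetd go away once their line in inetd.conf is commented out and inetd rereads its configuration (SIGHUP); those reported as standalone, such as sunrpc and printer here, are the ones handled through the rc scripts described in the last reply.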