This is a discussion on iptables newbie within the Linux Security forums, part of the System Security and Security Related category.
Andrew Keith wrote:

> run netstat -tlp
> you will be able to see the program which opened that port.
> According to my services file, there is no well known service for port 738
> and 877.

famd and rpc.statd, respectively. I suppose these are really no more
suspicious than the ports with names.

So, looking at the output of "netstat -tlp", can you tell
me if I have any service running that could be exploited even
by a holder of the root password? Not that I have any reason
to believe there is any such person other than me; just
a "locked doors inside locked doors" thing.

Output follows (each line breaks at "*:*"):

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address
State PID/Program name
tcp 0 0 localhost:738 *:*
LISTEN 1410/famd
tcp 0 0 *:printer *:*
LISTEN 1429/lpd
tcp 0 0 *:time *:*
LISTEN 1424/inetd
tcp 0 0 *:discard *:*
LISTEN 1424/inetd
tcp 0 0 *:877 *:*
LISTEN 1543/rpc.statd
tcp 0 0 *:daytime *:*
LISTEN 1424/inetd
tcp 0 0 *:sunrpc *:*
LISTEN 1244/portmap
tcp 0 0 *:auth *:*
LISTEN 1424/inetd
tcp 0 0 localhost:smtp *:*
LISTEN 1405/exim4

According to my services file, rpc.statd runs by default on port 950/tcp.
hmmm..

try killing both those programs. Seems fishy ..

Andrew

"Mike Oliver" <mike_lists@verizon.net> wrote in message
news:2i4vcgFj401pU1@uni-berlin.de...
> Andrew Keith wrote:
>
> > run netstat -tlp
> > you will be able to see the program which opened that port.
> > According to my services file, there is no well known service for port 738
> > and 877.
>
> famd and rpc.statd, respectively. I suppose these are really no more
> suspicious than the ports with names.
>
> So, looking at the output of "netstat -tlp", can you tell
> me if I have any service running that could be exploited even
> by a holder of the root password? Not that I have any reason
> to believe there is any such person other than me; just
> a "locked doors inside locked doors" thing.
>
> Output follows (each line breaks at "*:*"):
>
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address Foreign Address
> State PID/Program name
> tcp 0 0 localhost:738 *:*
> LISTEN 1410/famd
> tcp 0 0 *:printer *:*
> LISTEN 1429/lpd
> tcp 0 0 *:time *:*
> LISTEN 1424/inetd
> tcp 0 0 *:discard *:*
> LISTEN 1424/inetd
> tcp 0 0 *:877 *:*
> LISTEN 1543/rpc.statd
> tcp 0 0 *:daytime *:*
> LISTEN 1424/inetd
> tcp 0 0 *:sunrpc *:*
> LISTEN 1244/portmap
> tcp 0 0 *:auth *:*
> LISTEN 1424/inetd
> tcp 0 0 localhost:smtp *:*
> LISTEN 1405/exim4

On 2004-06-02, Andrew Keith <andrew@jukenworld.com> wrote:
> according to my services file, rpc.statd runs by default on port 950/tcp.
> hmmm..
>
> try killing both those programs. Seems fishy ..

In what way? From man rpc.statd:

    -p, --port port
        specify a port for rpc.statd to listen on. By default,
        rpc.statd will ask portmap(8) to assign it a port number.
        As of this writing, there is not a standard port number
        that portmap always or usually assigns. Specifying a port
        may be useful when implementing a firewall.

So just because your /etc/services lists it at 950 (mine doesn't, BTW)
doesn't mean having it run somewhere else is fishy.

--keith

-- 
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom

On Wed, 2 Jun 2004 12:44:03 +0800,
Andrew Keith <andrew@jukenworld.com> wrote:
> according to my services file, rpc.statd runs by default on port 950/tcp.
> hmmm..
>

All the nfs related services can use any port and the port number
will be registered with the "portmap" program. Use "rpcinfo -p" to
see which ports are registered to which service.

There are also other services which use the Sun rpc and therefore
register port numbers with "portmap".

Villy
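
An added example, not part of any post in this thread: the check the replies describe, cross-referencing each listener from "netstat -tlp" against the "rpcinfo -p" registrations and marking whether it is bound to loopback or to all interfaces. The netstat lines are the ones posted above joined one per line; the rpcinfo output is constructed for illustration, and the function names are this example's own.

```python
# Constructed input: the `netstat -tlp` listing posted in the thread, one socket per line.
NETSTAT = """\
tcp 0 0 localhost:738 *:* LISTEN 1410/famd
tcp 0 0 *:printer *:* LISTEN 1429/lpd
tcp 0 0 *:time *:* LISTEN 1424/inetd
tcp 0 0 *:discard *:* LISTEN 1424/inetd
tcp 0 0 *:877 *:* LISTEN 1543/rpc.statd
tcp 0 0 *:daytime *:* LISTEN 1424/inetd
tcp 0 0 *:sunrpc *:* LISTEN 1244/portmap
tcp 0 0 *:auth *:* LISTEN 1424/inetd
tcp 0 0 localhost:smtp *:* LISTEN 1405/exim4
"""
# Constructed `rpcinfo -p` output (assumed; nobody in the thread posted theirs).
RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100024    1   udp    874  status
    100024    1   tcp    877  status
    391002    2   tcp    738  sgi_fam
"""
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def rpc_ports(rpcinfo_text):
    """Map (proto, port) -> service name for every portmap registration."""
    table = {}
    for fields in map(str.split, rpcinfo_text.splitlines()):
        if len(fields) >= 4 and fields[0].isdigit():  # skips the header line
            table[(fields[2], int(fields[3]))] = fields[4] if len(fields) > 4 else fields[0]
    return table

def audit(netstat_text, rpcinfo_text):
    """Return (program, port, exposure, note) for each listening socket."""
    rpc, rows = rpc_ports(rpcinfo_text), []
    for fields in map(str.split, netstat_text.splitlines()):
        if len(fields) < 7 or fields[5] != "LISTEN":
            continue  # header lines and anything that is not a listener
        proto = fields[0].rstrip("6")  # tcp6 sockets are registered as tcp
        host, _, port = fields[3].rpartition(":")
        program = fields[6].partition("/")[2] or "unknown"  # "-" when not run as root
        exposure = "loopback" if host in LOOPBACK else "all-interfaces"
        if not port.isdigit():
            note = "named in /etc/services"
        elif (proto, int(port)) in rpc:
            note = "rpc:" + rpc[(proto, int(port))]
        else:
            note = "numeric, not registered with portmap"
        rows.append((program, port, exposure, note))
    return rows

if __name__ == "__main__":
    for row in audit(NETSTAT, RPCINFO):
        print("%-10s %-8s %-15s %s" % row)
```

A numeric port that is neither named in /etc/services nor registered with portmap is the case worth a closer look at the PID/Program name column; with the sample data, ports 738 and 877 both resolve to portmap registrations.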