Re: Open Ports (Linux Security forums, System Security and Security Related category)
Gary Petersen wrote:
> Let's try to keep it in the newsgroups mostly.
>
> You seem to have a lot of services running!
>
> Try this (as root):
>
> netstat -pnlut

And the results are:

[root@chris chris]# netstat -pnlut
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:645 0.0.0.0:* LISTEN 1312/ypserv
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN 11319/perl5.8.0
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1242/portmap
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 2330/perl
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1812/X
tcp 0 0 192.168.1.2:53 0.0.0.0:* LISTEN 1638/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1638/named
tcp 0 0 0.0.0.0:886 0.0.0.0:* LISTEN 1555/rpc.ypxfrd
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 1789/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2164/master
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1638/named
udp 0 0 0.0.0.0:32768 0.0.0.0:* 1638/named
udp 0 0 0.0.0.0:642 0.0.0.0:* 1312/ypserv
udp 0 0 0.0.0.0:10000 0.0.0.0:* 2330/perl
udp 0 0 0.0.0.0:801 0.0.0.0:* 1896/rpc.yppasswdd
udp 0 0 192.168.1.2:53 0.0.0.0:* 1638/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 1638/named
udp 0 0 0.0.0.0:111 0.0.0.0:* 1242/portmap
udp 0 0 0.0.0.0:884 0.0.0.0:* 1555/rpc.ypxfrd
udp 0 0 0.0.0.0:631 0.0.0.0:* 1789/cupsd
udp 0 0 192.168.1.2:123 0.0.0.0:* 32451/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 32451/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 32451/ntpd

> Also do this:
>
> ps auxwwwwwww

And the result of that is:

[root@chris chris]# ps auxwwwwwww
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 1288 84 ? S Jun28 0:04 init
root 2 0.0 0.0 0 0 ? SW Jun28 0:01 [keventd]
root 3 0.0 0.0 0 0 ? SW Jun28 0:00 [kapmd]
root 4 0.0 0.0 0 0 ? SWN Jun28 0:00 [ksoftirqd_CPU0]
root 5 0.0 0.0 0 0 ? SW Jun28 1:11 [kswapd]
root 6 0.0 0.0 0 0 ? SW Jun28 0:00 [bdflush]
root 7 0.0 0.0 0 0 ? SW Jun28 0:01 [kupdated]
root 8 0.0 0.0 0 0 ? SW< Jun28 0:00 [mdrecoveryd]
root 12 0.0 0.0 0 0 ? SW Jun28 0:16 [kjournald]
root 96 0.0 0.0 1708 204 ? S Jun28 0:00 devfsd /dev
root 183 0.0 0.0 0 0 ? SW Jun28 0:00 [khubd]
root 338 0.0 0.0 0 0 ? SW Jun28 0:00 [kjournald]
root 339 0.0 0.0 0 0 ? SW Jun28 0:02 [kjournald]
root 652 0.0 0.0 0 0 ? SW Jun28 0:00 [eth0]
rpc 1242 0.0 0.0 1420 4 ? S Jun28 0:00 portmap
root 1256 0.0 0.1 1360 360 ? S Jun28 0:09 syslogd -m 0
root 1264 0.0 0.0 2020 156 ? S Jun28 0:00 klogd -2
root 1312 0.0 0.0 1420 4 ? S Jun28 0:00 ypserv
xfs 1486 0.0 1.1 10676 2836 ? S Jun28 1:41 xfs -port -1 -daemon -droppriv -user xfs
root 1538 0.0 0.0 1268 4 ? S Jun28 0:00 /usr/sbin/apmd -p 10 -w 5 -W -P /etc/sysconfig/apm-scripts/apmd_proxy
root 1555 0.0 0.0 1468 4 ? S Jun28 0:00 rpc.ypxfrd
root 1571 0.0 0.0 2628 4 ? S Jun28 0:00 /bin/sh /etc/X11/prefdm
daemon 1599 0.0 0.0 1312 108 ? S Jun28 0:00 /usr/sbin/atd
root 1603 0.0 0.0 2204 4 ? S Jun28 0:00 /usr/sbin/autologin
root 1621 0.0 0.0 1500 4 ? S Jun28 0:00 saslauthd -a pam -T
named 1638 0.0 0.1 11012 472 ? S Jun28 0:00 named -u named
named 1642 0.0 0.1 11012 472 ? S Jun28 0:00 named -u named
named 1670 0.0 0.1 11012 472 ? S Jun28 0:00 named -u named
named 1671 0.0 0.1 11012 472 ? S Jun28 0:00 named -u named
named 1697 0.0 0.1 11012 472 ? S Jun28 0:00 named -u named
root 1789 0.0 1.2 7828 3188 ? S Jun28 0:06 cupsd
chris 1800 0.0 0.0 2384 4 ? S Jun28 0:00 /bin/sh /usr/X11R6/bin/startx
chris 1811 0.0 0.0 2164 4 ? S Jun28 0:00 xinit /etc/X11/xinit/xinitrc -- -deferglyphs 16
root 1812 6.9 17.3 329304 44652 ? S Jun28 1501:37 /etc/X11/X :0 -deferglyphs 16
root 1896 0.0 0.0 1568 4 ? S Jun28 0:00 rpc.yppasswdd
chris 2000 0.0 0.0 2388 4 ? S Jun28 0:00 /bin/sh /usr/bin/startkde
root 2164 0.0 0.0 3784 188 ? S Jun28 0:04 /usr/lib/postfix/master
postfix 2178 0.0 0.1 3976 460 ? S Jun28 0:20 nqmgr -l -n qmgr -t fifo -u -c
root 2312 0.0 0.0 1492 124 ? S Jun28 0:00 crond
root 2330 0.0 0.2 8336 712 ? S Jun28 0:01 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
root 2477 0.0 0.0 1248 4 vc/1 S Jun28 0:00 /sbin/mingetty tty1
root 2478 0.0 0.0 1248 4 vc/2 S Jun28 0:00 /sbin/mingetty tty2
root 2479 0.0 0.0 1248 4 vc/3 S Jun28 0:00 /sbin/mingetty tty3
root 2480 0.0 0.0 1248 4 vc/4 S Jun28 0:00 /sbin/mingetty tty4
root 2483 0.0 0.0 1248 4 vc/5 S Jun28 0:00 /sbin/mingetty tty5
root 2484 0.0 0.0 1248 4 vc/6 S Jun28 0:00 /sbin/mingetty tty6
chris 2603 0.0 0.3 23480 996 ? S Jun28 0:03 kdeinit: Running...
chris 2606 0.0 0.3 23460 812 ? S Jun28 0:07 kdeinit: dcopserver --nosid
chris 2609 0.0 0.7 24784 1864 ? S Jun28 0:01 kdeinit: klauncher
chris 2611 0.0 0.4 26748 1240 ? S Jun28 13:19 kdeinit: kded
chris 2620 0.0 0.1 7872 440 ? S Jun28 0:09 /usr/bin/artsd -F 10 -S 4096 -a alsa -s 60 -m artsmessage -l 3 -f
chris 2630 0.0 0.4 29284 1056 ? S Jun28 0:07 kdeinit: knotify
chris 2631 0.0 0.0 1324 36 ? S Jun28 0:00 kwrapper ksmserver --restore
chris 2633 0.0 0.4 25212 1172 ? S Jun28 0:06 kdeinit: ksmserver --restore
chris 2634 0.0 1.7 29360 4408 ? S Jun28 4:27 kdeinit: kwin -session 11c0a80102000107236349800000024710000
chris 2637 0.0 1.7 32556 4384 ? S Jun28 2:38 kdeinit: kdesktop
chris 2653 0.0 0.2 26088 648 ? S Jun28 0:04 kdeinit: kwrited
chris 2654 0.0 0.2 24456 692 ? S Jun28 0:08 kwikdisk -session 11c0a80102000107236357800000024710010
chris 2659 0.0 1.1 23328 2972 ? S Jun28 10:51 kpager -session 11c0a80102000107236351400000024710005
chris 2660 0.0 0.2 25492 660 ? S Jun28 0:07 korgac --miniicon korganizer
chris 2662 0.0 0.2 25392 652 ? S Jun28 0:07 kalarmd --login
chris 2689 0.0 0.1 18008 320 ? S Jun28 0:00 /usr/bin/kdesud
root 3218 0.0 0.0 1336 60 ? S Jun28 0:01 gpm -t ps/2 -m /dev/psaux
chris 3337 0.3 1.4 18292 3812 ? S Jun28 74:58 gkrellm -c stack1
chris 3338 2.7 1.4 18816 3704 ? S Jun28 581:20 gkrellm -c stack2
chris 3339 1.0 1.1 17092 3028 ? S Jun28 229:41 gkrellm -c stack3
chris 3347 0.1 0.0 1644 176 ? S Jun28 40:07 /usr/bin/esd -terminate -nobeeps -as 2 -spawnfd 9
chris 3348 0.0 1.4 18816 3704 ? S Jun28 0:11 gkrellm -c stack2
chris 3349 0.0 1.1 17092 3028 ? S Jun28 0:12 gkrellm -c stack3
chris 3350 0.0 1.4 18292 3812 ? S Jun28 0:31 gkrellm -c stack1
chris 4012 0.0 3.6 38424 9452 ? S Jun28 8:45 kdeinit: kicker
chris 5227 0.0 0.2 26572 684 ? S Jun28 0:13 kdeinit: kio_uiserver
chris 13814 0.0 0.2 25492 636 ? S Jun29 0:05 kdeinit: kcookiejar
root 32451 0.0 0.6 1712 1704 ? SL Jul11 0:00 ntpd -A
root 10304 0.0 0.0 2688 4 ? SN Jul11 0:00 /usr/bin/prelude_report -qd -P /var/run/prelude_report.pid
root 10315 0.0 0.2 12408 536 ? SN Jul11 0:40 /usr/bin/prelude -qd -P /var/run/prelude.pid -i eth0
root 10316 0.0 0.2 12408 536 ? SN Jul11 0:00 /usr/bin/prelude -qd -P /var/run/prelude.pid -i eth0
root 10317 0.0 0.1 2692 308 ? SN Jul11 0:00 /usr/bin/prelude_report -qd -P /var/run/prelude_report.pid
root 10318 0.0 0.2 12408 536 ? SN Jul11 0:00 /usr/bin/prelude -qd -P /var/run/prelude.pid -i eth0
chris 5120 0.0 0.2 4228 756 ? S Jul11 0:06 xscreensaver -nosplash
chris 27820 0.0 0.5 6100 1416 ? S Jul11 0:01 /usr/bin/Eterm
chris 27823 0.0 0.0 2792 4 pts/3 S Jul11 0:00 -bash
root 27865 0.0 0.0 2264 4 pts/3 S Jul11 0:00 su
root 27868 0.0 0.3 2760 816 pts/3 S Jul11 0:00 bash
chris 16818 0.8 6.6 36664 17136 ? S Jul12 10:06 kmail -caption KMail -icon kmail.png -miniicon kmail.png
chris 17023 0.0 0.6 23812 1624 ? S Jul12 0:02 kdeinit: kio_pop3 pop3 /tmp/ksocket-chris/klauncherkTsghc.slave-socket /tmp/ksocket-chris/kmailhLtjQa.slave-socket
root 11319 0.4 15.4 41972 39808 ? S 17:19 0:04 /usr/bin/perl5.8.0 -T -w /usr/bin/spamd -d -c -a -H -m 1
postfix 11401 0.0 0.4 3888 1284 ? S 17:20 0:00 pickup -l -t fifo -u -c
chris 11927 1.1 7.7 47296 19936 ? S 17:30 0:02 knode -caption KNode -icon knode.png -miniicon knode.png
chris 11929 0.0 7.7 47296 19936 ? S 17:30 0:00 knode -caption KNode -icon knode.png -miniicon knode.png
chris 11930 0.0 7.7 47296 19936 ? S 17:30 0:00 knode -caption KNode -icon knode.png -miniicon knode.png
chris 11931 0.0 7.7 47296 19936 ? S 17:30 0:00 knode -caption KNode -icon knode.png -miniicon knode.png
root 12091 0.0 0.3 2604 792 pts/3 R 17:34 0:00 ps auxwwwwwww
[root@chris chris]#

> I crossposted this to comp.os.linux.security because they are likely to
> know what is normal for a Fedora/Redhat system.
>
> Your system is probably not compromised, but I would freak out if I had
> so many listening ports.
>
> (Followups are set to comp.os.linux.security.)

Also, below are the results of me trying to enter my system from a friend's house:

[allen@localhost allen]$ telnet
telnet> open
(to) XX.XX.XXX.XX
Trying XX.XX.XXX.XX...
Connected to tx-XX-XX-XXX-XX.dyn.sprint-hsd.net (XX.XX.XXX.XX).
Escape character is '^]'.
Connection closed by foreign host.
[allen@localhost allen]$ ftp XX.XX.XXX.XX
Connected to XX.XX.XXX.XX.
421 Service not available, remote server has closed connection
ftp>
[2]+ Stopped ftp XX.XX.XXX.XX
[allen@localhost allen]$

Failure To Connect To Web Server
Failure To Connect To Web Server

--
Chris
Registered Linux User 283774 http://counter.li.org
5:32pm up 14 days, 22:52, 2 users, load average: 0.10, 0.11, 0.14
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ignorance is bliss. -- Thomas Gray
Fortune updates the great quotes, #42: BLISS is ignorance.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
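The practical question behind Gary's "so many listening ports" is which of those sockets are bound to all interfaces (reachable from outside unless a firewall drops the traffic, which is what the telnet test from the friend's house suggests) versus loopback only. The following added example, not code from the thread, parses `netstat -pnlut` lines of the format shown above and groups listeners by bind scope; the sample input is a constructed subset of Chris's listing, and the `-` program name for sockets owned by another user is assumed from standard netstat behaviour.

```python
"""Triage a `netstat -pnlut` listing by bind scope (added example)."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: a subset of the listing posted in the thread.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp        0      0 0.0.0.0:111     0.0.0.0:*       LISTEN 1242/portmap
tcp        0      0 0.0.0.0:10000   0.0.0.0:*       LISTEN 2330/perl
tcp        0      0 0.0.0.0:6000    0.0.0.0:*       LISTEN 1812/X
tcp        0      0 192.168.1.2:53  0.0.0.0:*       LISTEN 1638/named
tcp        0      0 127.0.0.1:25    0.0.0.0:*       LISTEN 2164/master
udp        0      0 0.0.0.0:123     0.0.0.0:*              32451/ntpd
udp        0      0 127.0.0.1:123   0.0.0.0:*              32451/ntpd
"""


def parse_listeners(text):
    """Yield (proto, bind_addr, port, program) for each socket row.

    UDP rows carry no State column, so the program field is read from
    the end of the line rather than by a fixed index.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue  # banner and header lines
        addr, _, port = fields[3].rpartition(":")
        # netstat prints "-" (assumed) when the socket owner is not visible
        program = fields[-1].partition("/")[2] or fields[-1]
        yield fields[0], addr, int(port), program


def scope(addr):
    """Classify a bind address as 'any', 'loopback' or 'interface'."""
    ip = ip_address(addr)
    if ip.is_unspecified:          # 0.0.0.0 or :: -> every interface
        return "any"
    return "loopback" if ip.is_loopback else "interface"


def triage(text):
    """Map each scope to a sorted, de-duplicated list of 'proto/port program'."""
    groups = defaultdict(list)
    for proto, addr, port, program in parse_listeners(text):
        groups[scope(addr)].append(f"{proto}/{port} {program}")
    return {k: sorted(set(v)) for k, v in groups.items()}


if __name__ == "__main__":
    for name, entries in triage(SAMPLE).items():
        print(name, entries)
```

Entries under "any" are the ones to justify one by one (webmin on 10000, X on 6000, portmap on 111 in the sample); "loopback" entries are unreachable from the network regardless of the firewall.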
Brad Olin wrote:
> On Tue, 13 Jul 2004 22:42:57 GMT, Chris
>
> Chris,
>
> You have to give me a valid email address if you want an answer to your
> email. Doh... I'm replying here this time.
>
> I've never used the firestarter script/package to build my iptables rule
> set, but what you sent me seems easy enough to figure this out.
>
> By looking at this script it reads some data files and adjusts itself
> according to the contents found in the data files (that's good). The
> data files are all located in the /etc/firestarter directory and all
> seem to have straightforward names... Edit the
> /etc/firestarter/open-ports file and add the required entries to open
> the ports needed. The entries you need to make may be in the file as a
> comment, or you may have to create the entries based on a provided
> example.
>
> Hope that helps. Maybe somebody else here, who uses that package, can
> jump in and correct me if I'm wrong. What I've seen looks pretty
> straightforward.
>
> Brad

I remembered that after I sent the attachments/reply direct. I've changed it back to the real address; SA grabs all the spam anyway.

It's odd because the friend who tried to access the system just got his Sprint DSL set up with the same modem, but I think he's running Mandrake's firewall and his scan shows all ports closed.

I've edited the open ports, blocked ports, stealthed ports and trusted hosts with the GUI. The files are just plain txt files. I'll do some more messing around with it and see what happens.

Thanks for the help Brad.

--
Chris
Registered Linux User 283774 http://counter.li.org
5:55pm up 16 days, 23:15, 2 users, load average: 0.41, 0.21, 0.18
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
My experience with government is when things are non-controversial, beautifully co-ordinated and all the rest, it must be that not much is going on. -- J.F. Kennedy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~