3) Open Ports, Services and nmap: nmap is a very important tool in managing your own security. It is a port scanner: it tells you which ports are open on your system, i.e. which doors to your lovely home are unlocked, and it can also guess the operating system from the way the host answers.
Pass the following command in a console window (-P0, spelled -Pn in current nmap releases, skips the ping check; -O asks nmap to guess the OS):
Code:
root@darkstar:/home/abhay# nmap -P0 -O localhost
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-08-18 20:28 IST
Interesting ports on localhost (127.0.0.1):
(The 1656 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
25/tcp open smtp
110/tcp open pop3
6000/tcp open X11
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux 2.5.25 - 2.5.70 or Gentoo 1.2 Linux 2.4.19 rc1-rc7
Uptime 0.058 days (since Wed Aug 18 19:04:33 2004)
Nmap run completed -- 1 IP address (1 host up) scanned in 5.371 seconds
root@darkstar:/home/abhay#
As you can see, I have three ports open. Two are for the smtp and pop3 servers I run (25 and 110 respectively) and 6000 belongs to the X server. You will have different results depending on the open ports and running services on your system. Two things to keep in mind about this scan: it was run against localhost, so it also lists services bound only to 127.0.0.1 that nobody else can reach; to see what the rest of the network sees, run the same scan from another machine against your real IP address. And without -sU nmap scans TCP ports only, so UDP services (talk, ntalk, syslog and so on) need a separate nmap -sU run.
If you suspect something fishy and don't want a particular port to be open on your PC, then it is time to take action.
I Part: This part involves finding out whether a port has been opened by a cracker or by a legitimate service on your system. First find out what service conventionally lives on that port number. /etc/services is only a table of port numbers and names; it cannot tell you what is actually listening, but it tells you what to expect there. Pass the following command (the -w stops 110 from also matching 1100 or 2110):
Code:
grep -w "<port>/tcp" /etc/services
If nothing is printed, the port is not one that any well-known service uses, which is itself worth a closer look. Either way, the next command tells you what really owns it (run it as root, otherwise the PID/Program name column only shows a dash):
Code:
netstat -anp | grep ":<port>"
This command tells you which process has opened the port (the PID/Program name column) and whether anything is connected to it. Treat the output with care: a cracker who has gone to the trouble of installing a rootkit will usually hide his socket from netstat, so a port that nmap reports open but netstat does not list at all is a much stronger alarm than an unfamiliar program name. If netstat does name a process, check that the binary behind that PID is what it claims to be (look at where /proc/<pid>/exe points and compare it with your package manager's record) before concluding that it is just a harmless service installed separately from the ones that came with the system.
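Part I put together as a small shell script. This is an added example and is not from the original post: it works on a services(5)-format file and on saved netstat -anp output so that it can be run against constructed sample data, which is what the make_sample_dir function creates (the PIDs, program names and the port 31337 entry in that data are made up). The edge case the text warns about is handled explicitly: a port nmap saw open that netstat does not list at all is reported as open-hidden instead of being silently skipped.

```sh
#!/bin/sh
# Triage for one port that nmap reported open: the conventional name from a
# services(5) file and the owning process from saved `netstat -anp` output.
# Added example, not from the original post. Paths are parameters so the
# functions run against constructed sample data as well as the live files
# (/etc/services and `netstat -anp > /tmp/ns.txt`, the latter run as root).

# Conventional name for a TCP port. Prints "unknown" when there is no entry.
# A name here proves nothing about what is listening; it is only the
# IANA convention for that number.
service_name() {            # service_name PORT SERVICES_FILE
    name=$(awk -v p="$1/tcp" '!/^[[:space:]]*#/ && $2 == p { print $1; exit }' "$2")
    printf '%s\n' "${name:-unknown}"
}

# Owner of a listening TCP port from netstat -anp output: the PID/Program
# column ("-" when netstat was not run as root). Prints "none" when no
# LISTEN socket on that port appears in the output at all.
port_owner() {              # port_owner PORT NETSTAT_FILE
    owner=$(awk -v p="$1" '$1 ~ /^tcp/ && $6 == "LISTEN" {
                n = split($4, a, ":"); if (a[n] == p) { print $7; exit } }' "$2")
    printf '%s\n' "${owner:-none}"
}

# Verdict for a port the scanner saw open:
#   open-hidden  open on the wire but not in netstat: the socket is being hidden
#                from netstat (rootkit territory); treat as a serious alarm
#   listed       netstat names the owner; check /proc/PID/exe against what
#                your package manager installed before trusting it
triage_port() {             # triage_port PORT SERVICES_FILE NETSTAT_FILE
    name=$(service_name "$1" "$2")
    owner=$(port_owner "$1" "$3")
    if [ "$owner" = none ]; then
        printf '%s %s open-hidden\n' "$1" "$name"
    else
        printf '%s %s listed %s\n' "$1" "$name" "$owner"
    fi
}

# Constructed sample data (not captured from a real host) in a temp dir;
# the PIDs, program names and the port 31337 entry are made up.
make_sample_dir() {
    d=$(mktemp -d)
    cat >"$d/services" <<'EOF'
# services(5) excerpt, constructed for this example
smtp            25/tcp          mail
pop3            110/tcp         pop-3
x11             6000/tcp
EOF
    cat >"$d/netstat" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2289/inetd
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      2289/inetd
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      2411/X
tcp        0      0 192.168.0.5:110         192.168.0.9:4132        ESTABLISHED 3012/in.pop3d
EOF
    printf '%s\n' "$d"
}

# Demo: the three ports from the nmap run above, plus one that nmap would
# report open while this netstat output knows nothing about it.
d=$(make_sample_dir)
for p in 25 110 6000 31337; do
    triage_port "$p" "$d/services" "$d/netstat"   # 31337 -> "31337 unknown open-hidden"
done
rm -rf "$d"
```

To use it on the real machine, save the netstat output to a file as root and pass /etc/services and that file to triage_port for each port the nmap run listed.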
II Part: This part deals with all the unwanted ports that have been reported by nmap. Now here comes the difficult part for me. There are various distros on the market today and they use two different ways to handle services, i.e. inetd and xinetd. I have more experience with inetd as Slackware Linux uses inetd to handle services, but I will still try to throw some light on xinetd. For this part I would recommend using your distro-specific control centre for dealing with services.
inetd part: To establish whether the inetd daemon is running or not, pass the following command in a console window
Code:
root@darkstar:/home/abhay# ps aux | grep inetd
root 2289 0.0 0.1 1380 524 ? Ss 22:25 0:00 /usr/sbin/inetd
root 2898 0.0 0.1 1676 584 pts/2 R+ 22:47 0:00 grep inetd
The command and its output are written above and show that the inetd daemon is running (the second line is just the grep itself). The next step is to find out which services inetd is running.
Code:
root@darkstar:/home/abhay# grep -v "^#" /etc/inetd.conf
pop3 stream tcp nowait root /usr/sbin/tcpd <system specific entry>
smtp stream tcp nowait root /usr/sbin/tcpd <system specific entry>
The command above shows the non-comment lines of /etc/inetd.conf, i.e. the two services inetd accepts connections for: my pop3 and smtp servers (I have edited out the part that shows which server programs I am running). The fields are service name, socket type, protocol, wait/nowait, user and the server program; /usr/sbin/tcpd is the TCP wrapper, which checks /etc/hosts.allow and /etc/hosts.deny before handing the connection to the real server named after it.
Stopping services run by inetd is extremely easy. Edit /etc/inetd.conf and comment out the unwanted services by putting a hash (#) in front of each entry; finger, ntalk and telnet are the usual candidates.
Then make inetd re-read the file by sending it a HUP signal (kill -HUP with the PID of inetd, or killall -HUP inetd) or restart the PC. Run nmap and the whole process mentioned above again to find any remaining open ports and the services behind them.
xinetd part: If you have xinetd managing your system services, pass the following command to establish whether xinetd is running or not.
Code:
ps aux | grep xinetd
Now, to check which services xinetd is running on your PC, pass the following command.
Code:
ls -l /etc/xinetd.d/*
This gives you a list of all the services installed and monitored by xinetd on your PC. Each service has its own file. Here is the sample structure of an xinetd service file.
Code:
# default: off
# description: The talk server accepts talk requests for chatting with
#              users on other systems.
service talk
{
        disable         = no
        socket_type     = dgram
        wait            = yes
        user            = nobody
        group           = tty
        server          = /usr/bin/in.talkd
}
Now, to switch the talk service off, change the disable value from no to yes. (The "# default: off" comment at the top is only a hint for chkconfig; xinetd goes by the disable line, and a file without one counts as enabled.) Disable all the services you do not need and restart the xinetd daemon (through your distro's init script, e.g. /etc/init.d/xinetd restart, or by sending it SIGUSR2, which makes it re-read its configuration) or restart the PC. Note that talk is a UDP service (socket_type = dgram), so the TCP-only nmap run above will not show it; add -sU to scan UDP ports. Then run nmap and the whole process mentioned above again to find more open ports and the services related to them.
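The inetd and xinetd parts above as a script. This is an added example, not part of the original post. It lists what each super-server would really start, using the same rules the daemons apply (non-comment lines of inetd.conf, with the real server taken from behind tcpd; for xinetd the disable line, a missing line counting as enabled), and switches a service off the way the text describes, but by rewriting the file instead of editing it by hand. The sample inetd.conf and xinetd.d files it creates in a temp directory are constructed for the example, as are the server paths in them; reloading the daemons afterwards is left to the comments because it touches the live system.

```sh
#!/bin/sh
# What inetd and xinetd would actually start, and a reversible way to switch a
# service off in each. Added example, not from the original post. The config
# paths are parameters; make_sample_conf builds constructed files to run against.

# Enabled inetd services: every non-blank, non-comment line of inetd.conf.
# Fields are service, socket type, protocol, wait/nowait, user, server, args;
# when the server is tcpd (TCP wrappers) the real server is the next field.
# Prints "service protocol server".
inetd_enabled() {           # inetd_enabled INETD_CONF
    awk '!/^[[:space:]]*#/ && NF > 0 {
            srv = $6; if (srv == "/usr/sbin/tcpd") srv = $7
            print $1, $3, srv }' "$1"
}

# Comment a service out of inetd.conf, as the text describes. Only the first
# column is matched, so "telnet" does not also hit "telnets". inetd re-reads
# the file on SIGHUP: follow this with `kill -HUP <inetd pid>` on a live system.
inetd_disable() {           # inetd_disable SERVICE INETD_CONF
    sed "s|^\($1[[:space:]]\)|#\1|" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Enabled xinetd services: one file per service under xinetd.d. A service is
# enabled unless its body says "disable = yes"; a file with no disable line
# counts as enabled, and the "# default:" comment is only a chkconfig hint
# that xinetd ignores. Prints "service socket_type server".
xinetd_enabled() {          # xinetd_enabled XINETD_DIR
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk '
            /^[[:space:]]*service[[:space:]]+/      { name = $2; dis = "no"; st = ""; srv = "" }
            /^[[:space:]]*disable[[:space:]]*=/     { dis = $NF }
            /^[[:space:]]*socket_type[[:space:]]*=/ { st  = $NF }
            /^[[:space:]]*server[[:space:]]*=/      { srv = $NF }
            /^[[:space:]]*}/ && name != ""          { if (dis != "yes") print name, st, srv; name = "" }
        ' "$f"
    done
}

# Switch one xinetd service off: rewrite its disable line, or add one before
# the closing brace if the file has none. xinetd picks the change up on
# SIGUSR2 (hard reconfiguration) or via the distro's init script.
xinetd_disable() {          # xinetd_disable SERVICE_FILE
    awk 'BEGIN { done = 0 }
         /^[[:space:]]*disable[[:space:]]*=/ { print "\tdisable\t\t= yes"; done = 1; next }
         /^[[:space:]]*}/ && !done           { print "\tdisable\t\t= yes"; done = 1 }
         { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample configs (not a real system's files); the server paths
# and service names are made up for the example.
make_sample_conf() {
    d=$(mktemp -d)
    cat >"$d/inetd.conf" <<'EOF'
# constructed inetd.conf excerpt
# <service> <sock_type> <proto> <flags> <user> <server_path> <args>
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.pop3d
smtp    stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/sendmail -bs
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd -w
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
EOF
    mkdir "$d/xinetd.d"
    cat >"$d/xinetd.d/talk" <<'EOF'
# default: off
service talk
{
        disable         = no
        socket_type     = dgram
        wait            = yes
        user            = nobody
        group           = tty
        server          = /usr/bin/in.talkd
}
EOF
    cat >"$d/xinetd.d/rsync" <<'EOF'
service rsync
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
}
EOF
    printf '%s\n' "$d"
}

# Demo: list, disable telnet and talk, list again.
d=$(make_sample_conf)
echo "inetd would start:";  inetd_enabled "$d/inetd.conf"
echo "xinetd would start:"; xinetd_enabled "$d/xinetd.d"
inetd_disable telnet "$d/inetd.conf"
xinetd_disable "$d/xinetd.d/talk"
echo "after disabling telnet and talk:"
inetd_enabled "$d/inetd.conf"; xinetd_enabled "$d/xinetd.d"
rm -rf "$d"
```

On a real box, point inetd_enabled at /etc/inetd.conf and xinetd_enabled at /etc/xinetd.d, and after disabling anything send the signal (or run the init script) mentioned in the comments so the change takes effect without a reboot.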
Miscellaneous Part: Not all services are, or should be, managed by inetd or xinetd: the super-server itself can have problems, and network services have been slowly but surely moving out of the control of these two daemons to run as standalone daemons started at boot. If, after following the steps above, you still find open ports, they must belong to network services that are not controlled by inetd or xinetd. To deal with them, look into the /etc/rc.d directory by passing the following commands.
Code:
# cd /etc/rc.d
# ls -l
There you will find various directories named rc0.d, rc1.d and so on. The number is the runlevel at which the scripts linked from that directory are executed. For example, if your system boots straight into X-windows it is most probably starting at runlevel 5, so the links in rc5.d are executed on start up (the runlevel command prints the current one, and man inittab explains runlevels in more detail).
To disable services in these directories I highly recommend using GUI tools like Mandrake Control Center, linuxconf and YaST etc. (or chkconfig / update-rc.d where your distro provides them), but if you want to be playful then go ahead and remove the un-needed start links from the runlevel directory yourself. These are just softlinks to the real scripts in /etc/init.d (or /etc/rc.d/init.d), so you will not cause major damage to your system, but you must know how to fix a boo-boo: renaming S20foo to K20foo rather than deleting it is the safe way, because that is exactly what the tools do and it is trivially reversible. Remember that this only affects the next boot; to stop the service right now, run its init script with the stop argument.
Go through the nmap procedure once again so that you are absolutely sure which ports are open and whether you need them or not. Phew... a really long quest is over ;-)
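For the runlevel directories, a script that lists the S links of one runlevel and disables a service by renaming its S link to a K link instead of deleting it. This is an added example, not from the original post; it builds a constructed rc5.d with a few made-up services in a temp directory and works on that, and start_links can be pointed at /etc/rc.d/rc5.d (or /etc/rc5.d) to use it for real.

```sh
#!/bin/sh
# SysV runlevel links: what a runlevel starts, and how to stop one service from
# starting without deleting anything. Added example, not from the original post.
# RC_DIR is a parameter; make_sample_rc builds a constructed rc5.d to run on.

# Start links (S<order><name>) of one runlevel directory and their targets.
# init processes them in lexical order, so the two digits are boot order;
# K links in the same directory are the stop scripts and are not listed.
start_links() {             # start_links RC_DIR
    for l in "$1"/S*; do
        [ -L "$l" ] || continue
        printf '%s -> %s\n' "${l##*/}" "$(readlink "$l")"
    done
}

# Keep a service from starting in this runlevel by renaming its S link to a K
# link, which is what chkconfig/update-rc.d do. The script in init.d is left
# alone and renaming back re-enables it. This only affects the next boot:
# the running instance still has to be stopped with `/etc/init.d/NAME stop`.
# Prints the new link name.
disable_start_link() {      # disable_start_link RC_DIR NAME
    for l in "$1"/S[0-9][0-9]"$2"; do
        [ -L "$l" ] || { echo "no start link for $2 in $1" >&2; return 1; }
        n=${l##*/}; n=${n#S}            # strip the directory and the leading S
        mv "$l" "$1/K$n"
        printf 'K%s\n' "$n"
    done
}

# Constructed rc.d tree (made-up services, not a real system's) in a temp dir.
make_sample_rc() {
    d=$(mktemp -d)
    mkdir "$d/init.d" "$d/rc5.d"
    for s in sysklogd portmap sshd nfs; do
        printf '#!/bin/sh\n# stand-in for /etc/init.d/%s\n' "$s" > "$d/init.d/$s"
    done
    ln -s ../init.d/sysklogd "$d/rc5.d/S10sysklogd"
    ln -s ../init.d/portmap  "$d/rc5.d/S20portmap"
    ln -s ../init.d/sshd     "$d/rc5.d/S30sshd"
    ln -s ../init.d/nfs      "$d/rc5.d/K80nfs"     # already disabled here
    printf '%s\n' "$d"
}

# Demo: list runlevel 5, disable portmap, list again.
d=$(make_sample_rc)
echo "runlevel 5 starts:"; start_links "$d/rc5.d"
disable_start_link "$d/rc5.d" portmap
echo "after disabling portmap:"; start_links "$d/rc5.d"
rm -rf "$d"
```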