Red Hat NETSCAPE MANAGEMENT SYSTEM 6.2 - COMMAND-LINE Installation Guide Page 55

tcp 6648 0 127.0.0.1:1162 127.0.0.1:8000 CLOSE_WAIT
tcp 553 0 127.0.0.1:1164 127.0.0.1:8000 CLOSE_WAIT
There are nine total connections here. The first three are our external interface connecting to a remote host on
its port 119, the standard NNTP (News) port. There are three connections here to the same news server.
Apparently the application is multi-threaded, as it is trying to open multiple connections to the news server.
The next two entries are connections to a remote web server, as indicated by the port 80 after the colon in the
fifth column. Probably a pretty common-looking entry for most of us. But the one just after is reversed and
has the port 80 in the fourth column, so this is someone who has connected to bigcat's web server via its
external, Internet-side interface. The last three entries are all connections from localhost to localhost. So we
are connecting to ourselves here. Remembering from above that port 8000 is bigcat's web proxy, this is a web
browser that is connected to the locally running proxy. The proxy will then open an external connection of its
own, which probably is what is going on with lines four and five.
Since we gave netstat both the -t and -u options, we are getting both the TCP and UDP listening servers.
The last few lines are the UDP ones:
udp 0 0 0.0.0.0:32768 0.0.0.0:*
udp 0 0 192.168.1.1:53 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp 0 0 0.0.0.0:631 0.0.0.0:*
The last three entries have ports that are familiar from the above discussion. These are servers that are
listening for both TCP and UDP connections. Same servers in this case, just using two different protocols.
The first one on local port 32768 is new, and does not have a service name available to it in
/etc/services. So at first glance this should be suspicious and pique our curiosity. See the next section
for the explanation.
Can we draw any conclusions from this hypothetical situation? For the most part, these look to be pretty
normal-looking network services and connections for Linux. There does not seem to be an unduly high
number of servers running here, but that by itself does not mean much since we don't know if all these servers
are really required or not. We know that netstat cannot tell us if any of these are effectively firewalled, so
there is no way to say how secure all this might be. We also don't really know if all the listening services are
really required by the owner here. That is something that varies widely from installation to installation. Does
bigcat even have a printer attached, for instance? Presumably it does, or this is a completely unnecessary risk.
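The column-by-column reading above can be scripted. The following is an added example, not part of the HOWTO: it classifies numeric netstat lines by which column holds the service port and reports listeners that have no service name. The SERVICES and LISTENING tables and most of the sample lines are constructed assumptions.

```python
import ipaddress

# Assumption: hand-picked excerpt standing in for /etc/services.
SERVICES = {53: "domain", 80: "http", 119: "nntp", 631: "ipp"}
# Assumption: ports this host is known to serve (taken from its listener list).
LISTENING = {53, 80, 631, 8000}

# Constructed sample; only the CLOSE_WAIT and udp lines are copied from the page.
SAMPLE = """\
tcp 0 0 192.0.2.10:1150 198.51.100.7:119 ESTABLISHED
tcp 0 0 192.0.2.10:1160 203.0.113.5:80 ESTABLISHED
tcp 0 0 192.0.2.10:80 203.0.113.99:3311 ESTABLISHED
tcp 6648 0 127.0.0.1:1162 127.0.0.1:8000 CLOSE_WAIT
udp 0 0 0.0.0.0:32768 0.0.0.0:*
udp 0 0 192.168.1.1:53 0.0.0.0:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon; '*' means no peer (a listener)."""
    host, _, port = endpoint.rpartition(":")
    return host, None if port == "*" else int(port)

def classify(line):
    fields = line.split()
    lhost, lport = split_endpoint(fields[3])
    rhost, rport = split_endpoint(fields[4])
    if rport is None:
        kind = "listener"
    elif (ipaddress.ip_address(lhost).is_loopback
          and ipaddress.ip_address(rhost).is_loopback):
        kind = "loopback"
    elif lport in LISTENING:
        kind = "inbound"    # service port sits in the local (fourth) column
    else:
        kind = "outbound"   # service port sits in the foreign (fifth) column
    service_port = lport if rport is None or lport in LISTENING else rport
    return {"proto": fields[0], "kind": kind, "port": service_port,
            "service": SERVICES.get(service_port)}

def analyze(text):
    return [classify(l) for l in text.splitlines() if l.startswith(("tcp", "udp"))]

def needs_review(records):
    """Listeners whose port has no service name, like UDP 32768 above."""
    return [(r["proto"], r["port"]) for r in records
            if r["kind"] == "listener" and r["service"] is None]

if __name__ == "__main__":
    for rec in analyze(SAMPLE):
        print(rec)
    print("review:", needs_review(analyze(SAMPLE)))
```

On a live host, populate LISTENING from the listener part of the netstat output rather than hard-coding it.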
8.3.2. Port and Process Owners
We've learned a lot about what is going on with bigcat's networking from the above section. But suppose we
see something we don't recognize and want to know what started that particular service? Or we want to stop a
particular server and it is not obvious from the above output?
The -p option should give us the process's PID and the program name that started the process in the last
column. Let's look at the TCP servers again (with first three columns cropped for spacing). We'll have to run
this as root to get all the available information:
Security Quick−Start HOWTO for Red Hat Linux