Red Hat NETSCAPE MANAGEMENT SYSTEM 6.2 - COMMAND-LINE Installation Guide Page 56

# netstat -tap
Active Internet connections (servers and established)
Local Address    Foreign Address    State     PID/Program name
*:printer        *:*                LISTEN    988/inetd
bigcat:8000      *:*                LISTEN    1064/junkbuster
*:time           *:*                LISTEN    988/inetd
*:x11            *:*                LISTEN    1462/X
*:http           *:*                LISTEN    1078/httpd
bigcat:domain    *:*                LISTEN    956/named
bigcat:domain    *:*                LISTEN    956/named
*:ssh            *:*                LISTEN    972/sshd
*:631            *:*                LISTEN    1315/cupsd
*:smtp           *:*                LISTEN    1051/master
Some of these we already know about. But we see now that the printer daemon on port 515 is being started
via inetd with a PID of "988". inetd is a special situation. inetd is often called the "super server", since its
main role is to spawn sub-services. xinetd replaces inetd as of Red Hat 7.0. If we look at the first line,
inetd is listening on port 515 for printer services. If a connection comes in for this port, inetd intercepts it
and then spawns the appropriate daemon, i.e. the print daemon in this case. The configuration of how
inetd handles this is typically done in /etc/inetd.conf. This should tell us that if we want to stop an
inetd-controlled server on a permanent basis, then we will have to dig into the inetd (or perhaps xinetd)
configuration. The time service above is started via inetd as well. This should also tell us that these two
services can be further protected by tcpwrappers (discussed in Step 3 above). This is one benefit of using
inetd to control certain system services.
We weren't sure about the service on port 631 above since it did not have a standard service name, which
means it may be something unusual or off the beaten path. Now we see it is owned by cupsd (not included
with Red Hat, by the way), which is one of several print daemons available under Linux. This happens to be
the web interface for controlling the printer service, something cupsd does that is indeed a little different
from other print servers.
The last entry above is the SMTP mail server on bigcat. Often, this is sendmail. But not in this case. The
command is "master", which may not ring any bells. Armed with the program name we could go searching
the filesystem with tools like the locate or find commands. After we found it, we could then probably discern
what package it belonged to. But with the PID available now, we can look at ps output, and see if that helps
us any:
$ /bin/ps ax |grep 1051 |grep -v grep
1051 ? S 0:24 /usr/libexec/postfix/master
We took a shortcut here by combining ps with grep. It looks like this file belongs to postfix, which is
indeed a mail server package comparable to sendmail (and is included with Powertools, not the base
distribution).
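As an added example (not part of the original HOWTO), the shell function below applies the reasoning above to netstat -tap output: it pairs each listening port with its owning PID and program, marks services spawned by inetd or xinetd, and marks ports that have no standard service name. The function names and the three tag names are assumptions made for this example, the sample input is constructed from the listing above, and the parser also accepts the full netstat layout with the leading Proto/Recv-Q/Send-Q columns.

```shell
#!/bin/sh
# Added example (not from the HOWTO): classify TCP listeners from
# `netstat -tap` output read on stdin. Tag names are hypothetical.
audit_listeners() {
    awk '
    {
        # Find the State column, so lines with or without the leading
        # Proto/Recv-Q/Send-Q columns both parse.
        st = 0
        for (i = 3; i < NF; i++) if ($i == "LISTEN") { st = i; break }
        if (!st) next                     # header or non-listening socket
        addr  = $(st - 2)                 # local address, e.g. bigcat:8000
        owner = $(st + 1)                 # PID/Program, or "-" without root
        if (seen[addr, owner]++) next     # same socket listed twice
        port = addr; sub(/^.*:/, "", port)  # keep what follows the last colon
        slash = index(owner, "/")
        if (slash) { pid = substr(owner, 1, slash - 1); prog = substr(owner, slash + 1) }
        else       { pid = "?"; prog = "?" }
        if (prog == "inetd" || prog == "xinetd")
            tag = "superserver"           # disable in the inetd/xinetd config
        else if (port ~ /^[0-9]+$/)
            tag = "unnamed-port"          # no service name: identify via the PID
        else
            tag = "standalone"            # daemon holds the socket itself
        print port, pid, prog, tag
    }'
}

# Constructed sample: the listing shown earlier on this page.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Local Address Foreign Address State PID/Program name
*:printer *:* LISTEN 988/inetd
bigcat:8000 *:* LISTEN 1064/junkbuster
*:time *:* LISTEN 988/inetd
*:x11 *:* LISTEN 1462/X
*:http *:* LISTEN 1078/httpd
bigcat:domain *:* LISTEN 956/named
bigcat:domain *:* LISTEN 956/named
*:ssh *:* LISTEN 972/sshd
*:631 *:* LISTEN 1315/cupsd
*:smtp *:* LISTEN 1051/master
EOF
}

sample_netstat | audit_listeners
```

On a live system, run netstat -tap as root and pipe it into audit_listeners; without root the owner column is "-" and the PID and program are reported as "?".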
Running ps with the --forest flag (-f for short) can be helpful in determining which processes are the parent
or child of another process. An edited example:
$ /bin/ps -axf
956 ? S 0:00 named -u named
957 ? S 0:00 \_ named -u named
Security Quick-Start HOWTO for Red Hat Linux
8.3.2. Port and Process Owners 53