Guide to Server Security

Step 2 Double-checking the open ports on your system: Next, let's look at what the network stack is doing and see which ports on the machine are actually open.
Run "netstat -pla" as root and examine the results to see which ports are open on your machine (-l lists listening sockets, -a adds established connections, and -p shows the owning process; without root the PID/Program name column is blank for processes you do not own). On newer Linux systems netstat has been superseded by ss, and "ss -tulpn" gives the equivalent listing.
The following is an example:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 *:mysql                 *:*                     LISTEN      7893/mysqld
tcp        0      0 *:webcache              *:*                     LISTEN      3650/httpd          
tcp        0      0 *:http                  *:*                     LISTEN      1363/httpd          
tcp        0      0 *:tproxy                *:*                     LISTEN      3650/httpd          
tcp        0      0 whitestar.red-dr:domain *:*                     LISTEN      7970/named          
tcp        0      0 *:ftp                   *:*                     LISTEN      678/xinetd          
tcp        0      0 *:ssh                   *:*                     LISTEN      626/sshd            
tcp        0    144 whitestar.red-drago:ssh kosh.red-dragon.co:1956 ESTABLISHED 7800/sshd           
udp        0      0 *:1026                  *:*                                 7970/named          
udp        0      0 whitestar.red-dr:domain *:*                                 7970/named          
I will break down one line and show you what each field means.
tcp        0      0 *:mysql                 *:*                     LISTEN      7893/mysqld
  • Proto is the protocol used; in this example it is tcp.
  • Recv-Q is the number of bytes queued in the receive buffer that the process has not yet read.
  • Send-Q is the number of bytes in the send buffer that the remote host has not yet acknowledged.
  • Local Address is the local address and port the socket is bound to or listening on. In this case it is bound to * (or 0.0.0.0), meaning the process accepts incoming connections on every interface of the machine, and mysql is the service name for the port. The actual port number is 3306. The name shown for a port number is looked up in the file /etc/services. If you wish to have netstat report numbers instead of names, use netstat -plan so you can determine the actual IPs and port numbers, such as:
    tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      7893/mysqld
    
    This is the same as the previously shown line, only using netstat -plan instead of netstat -pla. A daemon that is only used from the machine itself should be bound to 127.0.0.1 rather than 0.0.0.0, so it is not reachable from the network at all.
  • Foreign Address is the remote address and port of the peer. For a listening socket it is *:* because no peer is connected yet: the process will accept a connection from any machine, arriving from any source port, on its one local port. State is the state of the connection; in this example it is LISTEN, meaning the socket is waiting for incoming connections. Farther down the example you see ESTABLISHED, which means there is an open connection to another machine. In that case whitestar.red-dragon.com is connected on its port 22 (ssh) to kosh.red-dragon.com, which is using source port 1956; the 144 in Send-Q on that line is data sent to kosh that kosh has not yet acknowledged.
  • Last is the PID/Program name holding the port open. In the example it is PID 7893, program mysqld.
You should know every port that is open on your machine and leave open only those you require. If you see something you don't recognize, investigate it, determine whether it is needed, and handle it as circumstances dictate.
Should you find something that should not be running or open, eliminate it: stop the service and make sure it is not started again at boot, or, if it is only needed locally, bind it to the loopback address instead of every interface. Re-run netstat afterwards to confirm the port is gone.
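The check described above can be scripted so it is repeatable: list every listening TCP socket and every bound UDP socket from "netstat -plan" output and report any protocol/port pair that is not on an allowlist of the services you expect this host to run. The script below is an added example, not part of the original guide; the NETSTAT_SAMPLE text is constructed for offline use, modelled on the page's output with numeric addresses, and the ALLOWED list is an assumed policy for a host that should only serve ssh, http, mysql and DNS.

```shell
#!/bin/sh
# Added example: flag open ports that are not on an allowlist.
# NETSTAT_SAMPLE is constructed for this example (modelled on the page's
# netstat output, in the numeric form that "netstat -plan" prints).
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      7893/mysqld
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      3650/httpd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1363/httpd
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      3650/httpd
tcp        0      0 192.168.1.10:53         0.0.0.0:*               LISTEN      7970/named
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      678/xinetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      626/sshd
tcp        0    144 192.168.1.10:22         192.168.1.20:1956       ESTABLISHED 7800/sshd
udp        0      0 0.0.0.0:1026            0.0.0.0:*                           7970/named
udp        0      0 192.168.1.10:53         0.0.0.0:*                           7970/named'

# Assumed policy for the example: proto/port pairs this host is expected to serve.
ALLOWED='tcp/22 tcp/80 tcp/3306 tcp/53 udp/53'

# list_open: print "proto port program" for every listening TCP socket and
# every bound UDP socket in the netstat text given as $1.
# UDP lines have no State column, so PID/Program name is field 6, not 7.
# The port is the last colon-separated part of Local Address, which also
# handles IPv6 forms such as ":::22".
list_open() {
    printf '%s\n' "$1" | awk '
        $1 == "tcp" && $6 == "LISTEN" { n = split($4, a, ":"); print $1, a[n], $7 }
        $1 == "udp"                    { n = split($4, a, ":"); print $1, a[n], $6 }
    '
}

# unexpected_open: print "proto/port program" for each open socket in the
# netstat text $1 whose proto/port is not in the space-separated allowlist $2.
unexpected_open() {
    list_open "$1" | while read -r proto port prog; do
        case " $2 " in
            *" $proto/$port "*) ;;                                  # expected, skip
            *) printf '%s/%s %s\n' "$proto" "$port" "$prog" ;;      # not on the allowlist
        esac
    done | LC_ALL=C sort -u
}

# Run against the constructed sample. On a real host, as root, use instead:
#   unexpected_open "$(netstat -plan 2>/dev/null)" "$ALLOWED"
unexpected_open "$NETSTAT_SAMPLE" "$ALLOWED"
```

Against the sample this reports tcp/21 (xinetd's ftp), tcp/8080 and tcp/8081 (the extra httpd listeners) and udp/1026 (named's query port), which is exactly the list you would then go and justify or shut down. The script expects numeric output, so run netstat with -n; with service names the port column would read "ssh" or "domain" and would not match the allowlist.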


Created by Red Dragon for Red Dragon Enterprises™.
Red Dragon Enterprises™ © Dec 2001. All rights reserved.