LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-12-2009, 09:16 AM   #1
rbees
Member
 
Registered: Mar 2004
Location: northern michigan usa
Distribution: Debian Squeeze, Whezzy, Jessie
Posts: 921

Rep: Reputation: 46
don't understand netstat -a


Ladies & Gents

In the process of setting up a linux firewall the instructions I am following say
Code:
 check for running network services by issuing the command netstat -a. Ensure that only required services are running and listening for connections. This helps in preventing security compromises on possibly unknown and unpatched services.
The results of netstat -a
Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 *:51660                 *:*                     LISTEN     
tcp        0      0 *:sunrpc                *:*                     LISTEN     
tcp        0      0 192.168.2.104:domain    *:*                     LISTEN     
tcp        0      0 localhost:domain        *:*                     LISTEN     
tcp        0      0 *:ssh                   *:*                     LISTEN     
tcp        0      0 localhost:smtp          *:*                     LISTEN     
tcp        0      0 localhost:953           *:*                     LISTEN     
tcp6       0      0 [::]:domain             [::]:*                  LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
tcp6       0      0 localhost:953           [::]:*                  LISTEN     
udp        0      0 192.168.2.104:domain    *:*                                
udp        0      0 localhost:domain        *:*                                
udp        0      0 *:59574                 *:*                                
udp        0      0 *:39490                 *:*                                
udp        0      0 *:bootpc                *:*                                
udp        0      0 *:bootpc                *:*                                
udp        0      0 *:bootpc                *:*                                
udp        0      0 *:603                   *:*                                
udp        0      0 *:sunrpc                *:*                                
udp6       0      0 [::]:domain             [::]:*                             
udp6       0      0 [::]:43996              [::]:*                             
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     5566     /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     5586     /var/run/dbus/system_bus_socket
unix  2      [ ]         DGRAM                    2492     @/org/kernel/udev/udevd
unix  4      [ ]         DGRAM                    34951    /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     5933     @/var/run/hald/dbus-iXco99SGpk
unix  2      [ ]         DGRAM                    5958     @/org/freedesktop/hal/udev_event
unix  2      [ ACC ]     STREAM     LISTENING     5936     @/var/run/hald/dbus-PasUPCOwFq
unix  2      [ ]         DGRAM                    35052    
unix  2      [ ]         DGRAM                    35047    
unix  2      [ ]         DGRAM                    31967    
unix  2      [ ]         DGRAM                    8683     
unix  2      [ ]         DGRAM                    6954     
unix  2      [ ]         DGRAM                    6809     
unix  2      [ ]         DGRAM                    6757     
unix  2      [ ]         DGRAM                    6595     
unix  3      [ ]         STREAM     CONNECTED     6332     @/var/run/hald/dbus-iXco99SGpk
unix  3      [ ]         STREAM     CONNECTED     6331     
unix  3      [ ]         STREAM     CONNECTED     6330     /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     6329     
unix  3      [ ]         STREAM     CONNECTED     6139     @/var/run/hald/dbus-iXco99SGpk
unix  3      [ ]         STREAM     CONNECTED     6138     
unix  3      [ ]         STREAM     CONNECTED     6137     /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     6136     
unix  3      [ ]         STREAM     CONNECTED     6126     /var/run/acpid.socket
unix  3      [ ]         STREAM     CONNECTED     6125     
unix  3      [ ]         STREAM     CONNECTED     6120     @/var/run/hald/dbus-iXco99SGpk
unix  3      [ ]         STREAM     CONNECTED     6119     
unix  3      [ ]         STREAM     CONNECTED     6045     @/var/run/hald/dbus-iXco99SGpk
unix  3      [ ]         STREAM     CONNECTED     6030     
unix  3      [ ]         STREAM     CONNECTED     5953     @/var/run/hald/dbus-PasUPCOwFq
unix  3      [ ]         STREAM     CONNECTED     5952     
unix  3      [ ]         STREAM     CONNECTED     5935     /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     5934     
unix  2      [ ]         DGRAM                    5612     
unix  3      [ ]         STREAM     CONNECTED     5589     
unix  3      [ ]         STREAM     CONNECTED     5588     
unix  2      [ ]         DGRAM                    5568
Most of this I don't understand and Google has not helped much. Is there anything here that I should be concerned about?

I do understand some of the lines in regards to things like ssh, localhost and my local ip.

Thanks again for all the wonderful advice given on this site.
 
Old 01-12-2009, 09:24 AM   #2
eco
Member
 
Registered: May 2006
Location: BE
Distribution: Debian/Gentoo
Posts: 412

Rep: Reputation: 48
I type the following command, which I find a bit more clear (although the wording is unfortunate). You should be looking for all the lines that say "LISTEN" and check if you really need these services running.

Code:
# netstat -putan|grep LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN     3203/mysqld
tcp        0      0 0.0.0.0:1807            0.0.0.0:*               LISTEN     2153/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN     1713/portmap
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN     2078/inetd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     2058/exim4
tcp6       0      0 :::80                   :::*                    LISTEN     3731/apache2
tcp6       0      0 :::22                   :::*                    LISTEN     2126/sshd
So I have the following ports open to the network I'm connected to.

Hope this helps.
 
Old 01-12-2009, 09:49 PM   #3
taylor_venable
Member
 
Registered: Jun 2005
Location: Indiana, USA
Distribution: OpenBSD, Ubuntu
Posts: 892

Rep: Reputation: 43
man netstat should be elucidating. But the long and the short of it is that:
  • first column is protocol: tcp, udp, tcp6, udp6, or unix domain for example
  • Recv-Q is number of bytes waiting to be read by process
  • Send-Q is number of bytes not yet confirmed received by the other end
  • local is local (on your machine) address; for listening services this is the interface and port it's bound to, so 127.0.0.1 or ::1 means localhost only, 0.0.0.0 or :: means anybody
  • foreign is remote (maybe your machine, maybe not) address; for listening services this is kind of not relevant
  • state indicates what part of the lifetime the connection is in (LISTEN, ESTABLISHED, LAST_ACK, and more)

You can find out about the UNIX domain sockets in man netstat. Also, while the -p option is nice, IIRC it requires root privileges. Use -n to avoid translating service and host names to words (i.e. "numeric").

Last edited by taylor_venable; 01-12-2009 at 09:51 PM.
 
Old 01-13-2009, 08:55 AM   #4
rbees
Member
 
Registered: Mar 2004
Location: northern michigan usa
Distribution: Debian Squeeze, Whezzy, Jessie
Posts: 921

Original Poster
Rep: Reputation: 46
Thanks eco

I have posted below with the command your way but I still don't know which ones I really need and which ones I don't. This firewall will be doing only 3 things. They are iptables, NAT and DNS. It will take the place of my existing linux firewall and be my primary firewall between my cable modem and my network.

I need to keep ssh open for config and monitoring, at least to my LAN. I see that you don't have a local ip open and I suppose that after my setup is complete I won't need one either.

I have to do everything from the shell on this box as it has no GUI. My understanding is that I have to disable the services I don't need in /etc/init.d, but beyond uninstalling a package I am not really sure how to do that. I know about changing the 'S' or something in some of the sub-folders. I have looked through most of the files in said folder but most of them make little sense to me. I can see where the scripts call other files; I don't know, beyond prefixing the line with a #, what else to do. My experience with doing that to scripts has been less than favorable, usually breaking them.

I am also recalling that there is a command that can be run that will turn off services, something like '/etc/init.d update rc. ssh stop', but that is only memory and mine is somewhat faulty.

Still the bigger problem remains that I don't know which ones to turn off. Or why, which is probably more important. I just need this machine to be locked down hard before I start installing the things I need. FYI this machine has only a Debian Lenny base install on it, and I have stripped it down a little further at this point.

Code:
tcp        0      0 0.0.0.0:51660           0.0.0.0:*               LISTEN      1699/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1688/portmap
tcp        0      0 192.168.2.104:53        0.0.0.0:*               LISTEN      1967/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1967/named
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2502/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2248/exim4
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1967/named
tcp6       0      0 :::53                   :::*                    LISTEN      1967/named
tcp6       0      0 :::22                   :::*                    LISTEN      2502/sshd
tcp6       0      0 ::1:953                 :::*                    LISTEN      1967/named
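As an added example (not from any of the posters), a small POSIX shell/awk filter that applies taylor_venable's bind-address rule to `netstat -putan` output and labels each listening socket as reachable only from localhost or from the network; the tcp sample lines are copied from rbees' output above and the two udp lines are constructed, since UDP sockets have no LISTEN state and are missed by `grep LISTEN`.

```shell
#!/bin/sh
# Added example, not from the thread: label each listening socket in
# `netstat -putan` output by where it can be reached from, using the rule
# from taylor_venable's post (127.0.0.1 / ::1 = this host only; 0.0.0.0,
# :: or an interface address = reachable from the network).
# Real use:  netstat -putan | classify_listeners

# Sample input: tcp lines copied from rbees' post, udp lines constructed
# (UDP sockets carry no LISTEN state, so `grep LISTEN` never shows them).
SAMPLE='tcp        0      0 0.0.0.0:51660           0.0.0.0:*               LISTEN      1699/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1688/portmap
tcp        0      0 192.168.2.104:53        0.0.0.0:*               LISTEN      1967/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1967/named
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2502/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2248/exim4
tcp6       0      0 :::22                   :::*                    LISTEN      2502/sshd
tcp6       0      0 ::1:953                 :::*                    LISTEN      1967/named
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1688/portmap
udp6       0      0 :::53                   :::*                                1967/named'

# Reads netstat output on stdin and prints one line per listener:
#   SCOPE PROTO BIND-ADDRESS PORT PID/PROGRAM
# SCOPE is "localhost" or "network". PID/PROGRAM is "unknown" when
# netstat printed "-" (the -p column needs root, as noted above).
classify_listeners() {
    awk '($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/ && $5 ~ /:\*$/) {
        addr = $4
        n = split(addr, parts, ":")                 # port is the last piece
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        scope = (host == "127.0.0.1" || host == "::1") ? "localhost" : "network"
        prog = ($1 ~ /^udp/) ? $6 : $7              # udp lines have no state column
        if (prog == "" || prog == "-") prog = "unknown"
        print scope, $1, host, port, prog
    }'
}

printf '%s\n' "$SAMPLE" | classify_listeners
```

Against a real box, run `netstat -putan | classify_listeners` as root so the program column is filled in; every line labelled network that the machine's stated role does not call for is what the tutorial means by ensuring only required services are listening.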