LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 09-22-2004, 03:29 AM   #1
globeTrotter
Member
 
Registered: Feb 2004
Location: Townsville, Queensland, Oz
Distribution: Red Hat 9
Posts: 107

Rep: Reputation: 15
unknown ports open?????


Hi all

I've only been using Linux for 6 months, so in this time I've been getting my head around the basics. Now I'm moving into securing my box. Being breastfed on Windows for years, I've tended to ignore the issue beyond installing more patches and security software.

I'm told I shouldn't have ports open that I'm not using, as these are security vulnerabilities, right???? So I run
Code:
# nmap 192.168.0.1
and find I have unknown ports open, i.e.
737/tcp open unknown
956/tcp open unknown

Not only that, but can someone tell me what the following are for?
111/tcp open sunrpc
199/tcp open smux
32770/tcp open sometimes-rpc3

Apart from what they are for, if I can shut them down, how do I go about it???????

regards
GT
 
Old 09-22-2004, 04:00 AM   #2
rjlee
Senior Member
 
Registered: Jul 2004
Distribution: Ubuntu 7.04
Posts: 1,990

Rep: Reputation: 67
First of all, the word “unknown” just means that there isn't an entry in the portmap file for this port, so nmap doesn't know which protocol it's supposed to be assigned to.

A port that isn't being used is not a security vulnerability in itself; only if a server is actually listening on the port is it necessarily a problem. However, it is a good way to protect yourself against possible attacks by disallowing connections (blocking) on ports that shouldn't get used.

To do this, you need to look at the firewall software that comes with Red Hat.

If a port is open, it means that something is using it. Find out what before you do anything, by logging in to the server and running “netstat -a”. If it's a service you don't want to be running, shut it down in the runlevel editor or (better) uninstall it.

By the way, ports with numbers above 1024 are unprivileged ports that tend to be used for things like the client side of communications, so if you block all packets on these ports, you'll find that your machine only works as a network server and you can't do things like browsing websites or establishing FTP connections to download system updates. So be careful about locking down 32770.
 
Old 09-22-2004, 05:27 AM   #3
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,907

Rep: Reputation: 1326
To find out what uses a specific port do a:
Code:
fuser -v -n tcp <port number>
Then check your init scripts usually in /etc/init.d to stop and disable the services you don't want.
Also take a look at /etc/(x)inetd.conf as there are services started from there.
 
Old 09-22-2004, 04:24 PM   #4
globeTrotter
Member
 
Registered: Feb 2004
Location: Townsville, Queensland, Oz
Distribution: Red Hat 9
Posts: 107

Original Poster
Rep: Reputation: 15
Thanks for the replies, guys.

I ran the fuser command on the ports. On the unknown ports I get no info printed back. On the rest I get
the following:

Code:
USER PID ACCESS COMMAND
32770/tcp root 4232 f.... rpc.mountd
199/tcp root 4103 f.... snmpd
111/tcp root 3991 f.... portmap

Do I need these services running???? What is rpc.mountd????

cheers
GT
 
Old 09-22-2004, 09:58 PM   #5
servnov
Member
 
Registered: Sep 2004
Distribution: Slackware 10.2
Posts: 276

Rep: Reputation: 30
You shouldn't need any of those. I have never heard of rpc.mountd, but I know it means Remote Procedure Call for Mount Daemon.
 
Old 09-22-2004, 10:13 PM   #6
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,082

Rep: Reputation: 299
If you don't run any RPC services, you don't need the portmapper (it's a locator service for RPC), and the mountd service is used with NFS, so if you're not using NFS, you don't need it. No idea what smux is, but I doubt it's something you need.
 
Old 09-23-2004, 02:20 AM   #7
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,907

Rep: Reputation: 1326
Quote:
I ran the fuser command on the ports. On the unknown ports I get no info printed back.
Are you sure that those ports are open? If possible scan your box with nmap from another box, or use:
Code:
lsof|grep LISTEN
netstat -tupan
to find the LISTENING ports
As for snmpd: Simple Network Management Protocol (SNMP) agent daemon
 
Old 09-23-2004, 02:57 AM   #8
globeTrotter
Member
 
Registered: Feb 2004
Location: Townsville, Queensland, Oz
Distribution: Red Hat 9
Posts: 107

Original Poster
Rep: Reputation: 15
Hi
Thanks for the help, guys. Just a few points:
Yeah, all the ports are open; I ran nmap from my client computer (I have a 2 PC LAN) (wow!!!).
As for the printout from either
lsof|grep LISTEN
netstat -tupan

I have no idea what the output, which is a hell of a lot, means; all pure Swahili to me, chaps. As I say, I'm just a noob at this. This is why I was rather hoping someone could tell me which ports to close, which, incidentally, I still have not a clue about. I figure I can close down the unknown ports, but what's the syntax for that????????

Are there any security vulnerabilities in leaving it all alone???????

cheers
GT
 
Old 09-23-2004, 03:25 AM   #9
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,907

Rep: Reputation: 1326
It's good to close all unwanted ports, so the risk of compromise is lower. I'm not familiar with RH, but I guess it has a management tool to assist you in disabling unwanted services. You can also take a look here: http://www.uic.edu/depts/accc/security/os/rhlinux.html
Consider using a firewall also for better security.
 
Old 09-23-2004, 06:18 AM   #10
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,261

Rep: Reputation: 2028
On RH9 (KDE) the menu option is:
System Settings ->Server Settings ->Services
which will give you the Service Config GUI, showing you which services are running at each run-level, and allowing you to turn them off/on.
Don't forget to use 'Save Changes' under the 'File' menu, otherwise a reboot will lose the changes.
If you're using Gnome, the menu should be similar.
 
Old 09-23-2004, 05:22 PM   #11
globeTrotter
Member
 
Registered: Feb 2004
Location: Townsville, Queensland, Oz
Distribution: Red Hat 9
Posts: 107

Original Poster
Rep: Reputation: 15
Thanks, that managed to sort some of the stuff out, but how do I close unknown ports????? There must be a configuration file somewhere I can hack, but which one????

cheers
GT
 
Old 09-24-2004, 02:50 AM   #12
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,907

Rep: Reputation: 1326
You have to identify the services using those ports to be able to stop them. If the commands fuser and lsof didn't return anything, you can use:
Code:
nmap -A -T4 -F xx.xx.xx.xx
from another box. Perhaps its output will tell you what's running on those ports.
But you have to start to worry that there is something wrong with your box, since fuser and lsof didn't come up with the services that use those ports.
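Added example (not any poster's code): a POSIX shell script that reduces the netstat -tupan output from post #7 to a short port/PID/program list, then flags any port the remote nmap scan reports open that no local listener accounts for, which is the gap post #12 says to worry about. The netstat and nmap output embedded in it is constructed sample data modelled on this thread, not a real capture.

```shell
#!/bin/sh
# Constructed sample of `netstat -tupan` output (not a real capture).
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      3991/portmap
tcp        0      0 0.0.0.0:199             0.0.0.0:*               LISTEN      4103/snmpd
tcp        0      0 0.0.0.0:32770           0.0.0.0:*               LISTEN      4232/rpc.mountd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      3870/sendmail
tcp        0      0 192.168.0.1:22          192.168.0.2:34567       ESTABLISHED 5012/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           3991/portmap'

# Constructed nmap port list, as seen from the other box on the LAN.
NMAP_SAMPLE='111/tcp open sunrpc
199/tcp open smux
737/tcp open unknown
956/tcp open unknown
32770/tcp open sometimes-rpc3'

# Reduce netstat output on stdin to "port pid program bind" for each TCP
# socket in LISTEN state; ESTABLISHED and UDP rows are left out.
tcp_listeners() {
    awk '$1 == "tcp" && $6 == "LISTEN" {
        n = split($4, addr, ":"); port = addr[n]
        if (addr[1] == "0.0.0.0") bind = "all-interfaces"
        else if (addr[1] == "127.0.0.1") bind = "loopback"
        else bind = addr[1]
        split($7, prog, "/")
        printf "%s %s %s %s\n", port, prog[1], prog[2], bind
    }' | sort -n
}

# Print every port nmap reports open that has no matching local listener:
# either a misread scan, or a listener the host is not showing you.
unaccounted_ports() {
    nmap_out=$1; listeners=$2
    printf '%s\n' "$nmap_out" | awk -F'[/ ]' '$3 == "open" { print $1 }' |
    while read -r port; do
        printf '%s\n' "$listeners" |
            awk -v p="$port" '$1 == p { found = 1 } END { exit !found }' ||
            printf '%s\n' "$port"
    done
}

LISTENERS=$(printf '%s\n' "$NETSTAT_SAMPLE" | tcp_listeners)
echo "Local TCP listeners (port pid program bind):"; echo "$LISTENERS"
echo "Open in scan but not accounted for locally:"
unaccounted_ports "$NMAP_SAMPLE" "$LISTENERS"
```

On a real box, replace the two samples with `netstat -tupan` run locally and the port list from nmap run on the other machine; a port that shows up only in the remote scan is the one to investigate first.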
 
Old 09-25-2004, 03:46 AM   #13
globeTrotter
Member
 
Registered: Feb 2004
Location: Townsville, Queensland, Oz
Distribution: Red Hat 9
Posts: 107

Original Poster
Rep: Reputation: 15
Hi

Thanks for that. I'm at uni now and I'm going camping for a few days as it's mid-semester break.

I'll give your command a go when I get back. I'm sure fuser and lsof did return useful info, I just didn't understand it.

Give me a few days, I'll be back.

cheers
GT
 