Here's something I've never experienced before and just cropped up on one of our new servers.

For some reason I cannot bind any listening process to any port between 59872 and 60001.

I'll use nc for an example:

# nc -l 59872
.. works and listens ...

# nc -l 59873
nc: Address already in use

... < all ports in between> ...

# nc -l 60000
nc: Address already in use

So the obvious thing to check is netstat -nap.. Nothing on any of those ports listed. Next.. lsof.. also shows nothing on those ports listed.

So I thought maybe some trojan has taken over half my ports.. so I ran multiple trojan checkers from write protected media and no results. This box is not even on the net so trojaning is unlikely.

SeLinux is disabled also.

Now I'm at a loss.. does anyone have any ideas? Is it some kernel thing holding onto some high ports for outgoing use?

BOX is: Red Hat Enterprise Linux Server release 5.1 (Tikanga)
Kernel: 2.6.18-53.1.14.el5 #1 SMP Tue Feb 19 07:18:46 EST 2008 x86_64 x86_64 x86_64 GNU/Linux

Any help would be greatly appreciated.

--
Jeremy

$ bc
60001-59873
128

That's a very conspicuous number.

cat /proc/sys/net/ipv4/ip_local_port_range

Yea, that's not right and I would definitely be worried. Use tcpdump and see what traffic is passing on those ports.

But honestly, I would take that machine off the network, review the logs, check system binaries, etc...

-twantrd

# cat /proc/sys/net/ipv4/ip_local_port_range
32768 61000

This seems to be what RedHat is setting by defult these days.

I still haven't made any headway on this.. what a crazy problem.

Running a clean version of tcpdump shows no traffic on any of those high ports either.

--
J

Yup, those are the ephemeral ports I see too.

My thinking has been that the kernel is reserving those ports for certain use. I'm not up to speed on the candidates for this though. Perhaps post your quick question on the linux kernel mailing list. You're almost sure to get an answer there.