
unix1adm 07-27-2010 08:31 AM

how to block unused/needed ports in AIX
We have a system on which we have modified /etc/inetd.conf, /etc/services and
/etc/rc.tcpip to turn off specific applications.

I need to know what is the correct procedure for locking down unused
ports that still appear to be in a listen mode even if they are not in
/etc/services file.

If we run netstat we can see port 65000 is listening, but we don't need
it and don't know what process is holding it open.

We have several such ports.
Please advise the correct method of locking down such ports.
I know we also have to block it with the FW rules, but that's not good enough. We need to block the server from even allowing them to be used.

AlucardZero 07-27-2010 09:36 AM

Get LSOF from the IBM AIX Toolbox and use it to find what is listening on port 65000. Then stop/kill the process.

I was going to suggest just firewalling it. You can't prevent a port from being used, you can only stop things that are using a port, or firewall it.

hujer 07-27-2010 09:37 AM

Try to install lsof-4.61-4.rpm (Linux Toolbox CD or other source) and run 'lsof -i'.
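
As an added example (not from this thread), a small POSIX sh/awk script that takes `lsof -i -P -n` output together with /etc/services and lists every TCP socket in LISTEN state whose port the services file does not account for, with the owning PID and command; the lsof and services text below are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `lsof -i -P -n` output (AIX Toolbox lsof). -P and -n
# keep ports and addresses numeric so the port can be parsed reliably.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      412 root    3u  IPv4  0x123      0t0  TCP *:22 (LISTEN)
inetd     300 root    5u  IPv4  0x124      0t0  TCP *:23 (LISTEN)
mystery  9001 root    4u  IPv4  0x125      0t0  TCP *:65000 (LISTEN)
sshd     7777 root    4u  IPv4  0x126      0t0  TCP 10.0.0.5:22->10.0.0.9:51022 (ESTABLISHED)'

# Constructed sample of /etc/services; on a real host pass "$(cat /etc/services)".
SAMPLE_SERVICES='ssh      22/tcp
telnet   23/tcp
# comment line
http     80/tcp'

# unlisted_listeners LSOF_TEXT SERVICES_TEXT
# Prints "port pid command" for each TCP LISTEN socket whose port has no tcp
# entry in the services text. Returns 0 when every listener is accounted for,
# 1 when at least one unaccounted listener was found (so it works as a check).
unlisted_listeners() {
    { printf '%s\n' "$2"; echo '---LSOF---'; printf '%s\n' "$1"; } | awk '
        /^---LSOF---$/ { in_lsof = 1; next }
        !in_lsof {
            sub(/#.*/, "")                       # drop comments in services
            if (split($2, a, "/") == 2 && a[2] == "tcp") known[a[1]] = 1
            next
        }
        # lsof NAME column is "addr:port (LISTEN)", NODE column is "TCP"
        NF >= 3 && $NF == "(LISTEN)" && $(NF-2) == "TCP" {
            addr = $(NF-1)
            port = substr(addr, match(addr, /:[0-9]+$/) + 1)  # text after last ":"
            if (!(port in known)) { print port, $2, $1; found = 1 }
        }
        END { if (found) exit 1 }'
}

# Run against the constructed samples. On a real AIX host:
#   unlisted_listeners "$(lsof -i -P -n)" "$(cat /etc/services)"
# (without lsof, `netstat -Aan` plus `rmsock <addr> tcpcb` gives the same PID)
unlisted_listeners "$SAMPLE_LSOF" "$SAMPLE_SERVICES" \
    || echo "listeners above are not in /etc/services: identify and stop them"
```

With the samples above the script reports `65000 9001 mystery`; the reported PID is what you then investigate and stop, after which a firewall rule is only a second layer.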

unix1adm 07-27-2010 02:01 PM

Yes, I have lsof. I was more concerned with FW rules if not able to block on the system. IBM did tell me I can use iptables, but that will make for a non-standard system.

unix1adm 07-28-2010 08:45 AM

This is interesting. I looked in /etc/init.d and do not see anything for rlogin there. So I did a man on rlogin and it brings up the man page for ssh.

When I do an rlogin without any options I get this:
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
[-D [bind_address:]port] [-e escape_char] [-F configfile]
[-i identity_file] [-L [bind_address:]port:host:hostport]
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
[-R [bind_address:]port:host:hostport] [-S ctl_path]
[-w local_tun[:remote_tun]] [user@]hostname [command]
So I am assuming that rlogin is an alias back to ssh at the system level, as the alias command returns nothing back, and I know I have not set up any aliases.

Is this a safe assumption, to say that rlogin is the same as ssh now? I don't want to have an open system with these ports etc.

When I try to rlogin I get this message:

Warning: Permanently added 'myltt' (RSA) to the list of known hosts.
root@mylt's password:
Linux cj454lt 2.6.32-24-generic #38-Ubuntu SMP Mon Jul 5 09:22:14 UTC 2010 i686 GNU/Linux
Ubuntu 10.04.1 LTS

Welcome to Ubuntu!
* Documentation:

1 package can be updated.
0 updates are security updates.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Any way to verify this? I think it's using ssh from what I am seeing.

unix1adm 07-29-2010 07:47 AM

Well, what I figured out so far is that unless you use iptables this cannot be done, and you have to rely on the firewall, not the server.

You can stop the applications but something else could (if written to) talk on an unused port.

iptables can be very difficult when updating an OS and can cause other issues, from what I was reading. At this time I'll leave it that we turn off the application/process talking on the port and leave the port blocking up to the FW rules.

born4linux 08-23-2010 04:38 AM

Originally Posted by unix1adm (Post 4047143)
Yes, I have lsof. I was more concerned with FW rules if not able to block on the system. IBM did tell me I can use iptables, but that will make for a non-standard system.

Use IPsec:

smitty ipsec4