LinuxQuestions.org


rbees 01-12-2009 09:16 AM

don't understand netstat -a
 
Ladies & Gents

In the process of setting up a linux firewall the instructions I am following says
Code:

check for running network services by issuing the command netstat -a. Ensure that only required services are running and listening for connections. This helps in preventing security compromises on possibly unknown and unpatched services.
The results of netstat -a
Code:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address        State     
tcp        0      0 *:51660                *:*                    LISTEN   
tcp        0      0 *:sunrpc                *:*                    LISTEN   
tcp        0      0 192.168.2.104:domain    *:*                    LISTEN   
tcp        0      0 localhost:domain        *:*                    LISTEN   
tcp        0      0 *:ssh                  *:*                    LISTEN   
tcp        0      0 localhost:smtp          *:*                    LISTEN   
tcp        0      0 localhost:953          *:*                    LISTEN   
tcp6      0      0 [::]:domain            [::]:*                  LISTEN   
tcp6      0      0 [::]:ssh                [::]:*                  LISTEN   
tcp6      0      0 localhost:953          [::]:*                  LISTEN   
udp        0      0 192.168.2.104:domain    *:*                               
udp        0      0 localhost:domain        *:*                               
udp        0      0 *:59574                *:*                               
udp        0      0 *:39490                *:*                               
udp        0      0 *:bootpc                *:*                               
udp        0      0 *:bootpc                *:*                               
udp        0      0 *:bootpc                *:*                               
udp        0      0 *:603                  *:*                               
udp        0      0 *:sunrpc                *:*                               
udp6      0      0 [::]:domain            [::]:*                           
udp6      0      0 [::]:43996              [::]:*                           
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags      Type      State        I-Node  Path
unix  2      [ ACC ]    STREAM    LISTENING    5566    /var/run/acpid.socket
unix  2      [ ACC ]    STREAM    LISTENING    5586    /var/run/dbus/system_bus_socket
unix  2      [ ]        DGRAM                    2492    @/org/kernel/udev/udevd
unix  4      [ ]        DGRAM                    34951    /dev/log
unix  2      [ ACC ]    STREAM    LISTENING    5933    @/var/run/hald/dbus-iXco99SGpk
unix  2      [ ]        DGRAM                    5958    @/org/freedesktop/hal/udev_event
unix  2      [ ACC ]    STREAM    LISTENING    5936    @/var/run/hald/dbus-PasUPCOwFq
unix  2      [ ]        DGRAM                    35052   
unix  2      [ ]        DGRAM                    35047   
unix  2      [ ]        DGRAM                    31967   
unix  2      [ ]        DGRAM                    8683   
unix  2      [ ]        DGRAM                    6954   
unix  2      [ ]        DGRAM                    6809   
unix  2      [ ]        DGRAM                    6757   
unix  2      [ ]        DGRAM                    6595   
unix  3      [ ]        STREAM    CONNECTED    6332    @/var/run/hald/dbus-iXco99SGpk
unix  3      [ ]        STREAM    CONNECTED    6331   
unix  3      [ ]        STREAM    CONNECTED    6330    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    CONNECTED    6329   
unix  3      [ ]        STREAM    CONNECTED    6139    @/var/run/hald/dbus-iXco99SGpk
unix  3      [ ]        STREAM    CONNECTED    6138   
unix  3      [ ]        STREAM    CONNECTED    6137    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    CONNECTED    6136   
unix  3      [ ]        STREAM    CONNECTED    6126    /var/run/acpid.socket
unix  3      [ ]        STREAM    CONNECTED    6125   
unix  3      [ ]        STREAM    CONNECTED    6120    @/var/run/hald/dbus-iXco99SGpk
unix  3      [ ]        STREAM    CONNECTED    6119   
unix  3      [ ]        STREAM    CONNECTED    6045    @/var/run/hald/dbus-iXco99SGpk
unix  3      [ ]        STREAM    CONNECTED    6030   
unix  3      [ ]        STREAM    CONNECTED    5953    @/var/run/hald/dbus-PasUPCOwFq
unix  3      [ ]        STREAM    CONNECTED    5952   
unix  3      [ ]        STREAM    CONNECTED    5935    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    CONNECTED    5934   
unix  2      [ ]        DGRAM                    5612   
unix  3      [ ]        STREAM    CONNECTED    5589   
unix  3      [ ]        STREAM    CONNECTED    5588   
unix  2      [ ]        DGRAM                    5568

Most of this I don't understand and google has not helped much. Is there anything here that I should be concerned about?

I do understand some of the lines in regards to things like ssh, localhost and my local ip.

Thanks again for all the wonderful advice given on this site.

eco 01-12-2009 09:24 AM

I type the following command which I find a bit more clear (although the wording is unfortunate ;) ). You should be looking for all the lines that say "LISTEN" and check if you really need these services running.

Code:

# netstat -putan|grep LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*              LISTEN    3203/mysqld
tcp        0      0 0.0.0.0:1807            0.0.0.0:*              LISTEN    2153/rpc.statd
tcp        0      0 0.0.0.0:111            0.0.0.0:*              LISTEN    1713/portmap
tcp        0      0 0.0.0.0:113            0.0.0.0:*              LISTEN    2078/inetd
tcp        0      0 127.0.0.1:25            0.0.0.0:*              LISTEN    2058/exim4
tcp6      0      0 :::80                  :::*                    LISTEN    3731/apache2
tcp6      0      0 :::22                  :::*                    LISTEN    2126/sshd

So I have the following ports open to the network I'm connected to.

Hope this helps.

taylor_venable 01-12-2009 09:49 PM

man netstat should be elucidating. But the long and the short of it is that:
  • first column is protocol: tcp, udp, tcp6, udp6, or unix domain for example
  • Recv-Q is number of bytes waiting to be read by process
  • Send-Q is number of bytes not yet confirmed received by the other end
  • local is local (on your machine) address; for listening services this is the interface and port it's bound to, so 127.0.0.1 or ::1 means localhost only, 0.0.0.0 or :: means anybody
  • foreign is remote (maybe your machine, maybe not) address; for listening services this is kind of not relevant
  • state indicates what part of the lifetime the connection is in (LISTEN, ESTABLISHED, LAST_ACK, and more)

You can find out about the UNIX domain sockets in man netstat. Also, while the -p option is nice, IIRC it requires root privileges. Use -n to avoid translating service and host names to words (i.e. "numeric").
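As an added example (not code posted by anyone in this thread), here is a small Python parser for the `netstat -putan` format shown above. It tags each listening socket by the distinction taylor_venable describes: bound to loopback only, to one interface, or to every interface (0.0.0.0 / ::). It goes slightly beyond the `grep LISTEN` above by also handling UDP lines, which have no State column. The sample input is constructed from the thread's own output.

```python
"""Classify listening sockets from `netstat -putan` output by exposure."""
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port program exposure")

# Constructed sample in the `netstat -putan` format quoted in the thread.
SAMPLE = """\
tcp        0      0 0.0.0.0:51660          0.0.0.0:*              LISTEN      1699/rpc.statd
tcp        0      0 192.168.2.104:53        0.0.0.0:*              LISTEN      1967/named
tcp        0      0 127.0.0.1:25            0.0.0.0:*              LISTEN      2248/exim4
tcp6       0      0 :::22                  :::*                    LISTEN      2502/sshd
tcp6       0      0 ::1:953                :::*                    LISTEN      1967/named
udp        0      0 0.0.0.0:68             0.0.0.0:*                          1500/dhclient
"""


def split_addr(local):
    """Split 'host:port'; the host itself may be IPv6 and contain ':'."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def exposure(host):
    """Loopback-only, wildcard (reachable from any network), or one interface."""
    if host in ("::1",) or host.startswith("127."):
        return "loopback"
    if host in ("0.0.0.0", "::"):
        return "all-interfaces"
    return "one-interface"


def parse_listeners(text):
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header lines, UNIX sockets, blank lines
        proto, local = fields[0], fields[3]
        if proto.startswith("tcp"):
            # TCP rows carry a State column; keep only listeners.
            if len(fields) < 7 or fields[5] != "LISTEN":
                continue
            program = fields[6]
        else:
            # UDP rows have no State column, so PID/Program comes right after Foreign Address.
            program = fields[5] if len(fields) > 5 else "-"
        host, port = split_addr(local)
        out.append(Listener(proto, host, port, program, exposure(host)))
    return out


def exposed(text):
    """Listeners that are reachable from somewhere other than the box itself."""
    return [l for l in parse_listeners(text) if l.exposure != "loopback"]
```

Running `exposed(SAMPLE)` gives the short list worth reviewing against the services the box is actually meant to provide; the loopback entries (exim4 on 25, named's control port 953) are not reachable from the network at all.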

rbees 01-13-2009 08:55 AM

Thanks eco

I have posted below with the command your way but I still don't know which ones I really need and which ones I don't. This firewall will be doing only 3 things. They are iptables, nat and dns. It will take the place of my existing linux firewall and be my primary firewall between my cable modem and my network.

I need to keep ssh open for config and monitoring, at least to my lan. I see that you don't have a local ip open and I suppose that after my setup is complete I won't need one either.

I have to do everything from the shell on this box as it has no gui. My understanding is that I have to disable the services I don't need in /etc/init.d, but beyond uninstalling a package I am not really sure how to do that. I know about changing the 'S' or something in some of the sub-folders. I have looked through most of the files in said folder but most of them make little sense to me. I can see where the scripts call other files, I don't know beyond prefixing the line with a # what else to do. My experience with doing that to scripts has been less than favorable, usually breaking them.

I am also recalling that there is a command that can be run that will turn off services, something like '/etc/init.d update rc. ssh stop' but that is only memory and mine is somewhat faulty.

Still the bigger problem remains that I don't know which ones to turn off. Or why, which is probably more important. I just need this machine to be locked down hard before I start installing the things I need. FYI this machine has only a Debian Lenny base install on it, and I have stripped it down a little further at this point.

Code:

tcp        0      0 0.0.0.0:51660          0.0.0.0:*              LISTEN      1699/rpc.statd
tcp        0      0 0.0.0.0:111            0.0.0.0:*              LISTEN      1688/portmap
tcp        0      0 192.168.2.104:53        0.0.0.0:*              LISTEN      1967/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*              LISTEN      1967/named
tcp        0      0 0.0.0.0:22              0.0.0.0:*              LISTEN      2502/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*              LISTEN      2248/exim4
tcp        0      0 127.0.0.1:953          0.0.0.0:*              LISTEN      1967/named
tcp6      0      0 :::53                  :::*                    LISTEN      1967/named
tcp6      0      0 :::22                  :::*                    LISTEN      2502/sshd
tcp6      0      0 ::1:953                :::*                    LISTEN      1967/named


