Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
01-10-2006, 06:22 PM
|
#1
|
Member
Registered: Nov 2005
Distribution: slack
Posts: 188
Rep:
|
unknown service??
I try netstat -npl and it displays:
unix 2 [ ACC ] STREAM LISTENING 662 - /tmp/.X11-unix/X0
It looks like the X server - what is it listening for?
Is this remote login? Can I stop it?
|
|
|
01-10-2006, 06:32 PM
|
#2
|
Member
Registered: Nov 2005
Distribution: slack
Posts: 188
Original Poster
Rep:
|
And I run nmap -sT -sU -p 1-65535 localhost
and it displays an unknown service which is using a different port every time...
How can I see which service that is?? Can it be X11?
And there is a dhcp service which is filtered
and the unknown service is not....
|
|
|
01-10-2006, 06:41 PM
|
#3
|
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Rep:
|
It's a local UNIX stream socket. Usually these are used by the Xserver for local connections. The standard for naming these is /tmp/.X11-unix/Xn where n is the X11 display number, in this case X:0. These sockets are only used for local connections with the Xserver and are not the same thing as remote services in the sense that you could not remotely connect to them. Instead in netstat output, look at the "Active Internet connections" section rather than the "Active Unix Domain sockets".
|
|
|
01-10-2006, 06:55 PM
|
#4
|
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Rep:
|
Quote:
Originally Posted by pingvina
And I run nmap -sT -sU -p 1-65535 localhost
and it displays an unknown service which is using a different port every time...
How can I see which service that is?? Can it be X11?
And there is a dhcp service which is filtered
and the unknown service is not....
|
Since you are scanning localhost, the UDP scan will detect the port that the scan is originating from, so you're likely "seeing" the scan itself, which is why the port number changes with each scan. Try scanning with a remote system instead.
Last edited by Capt_Caveman; 01-10-2006 at 06:57 PM.
|
|
|
01-11-2006, 03:41 AM
|
#5
|
Senior Member
Registered: Sep 2005
Location: Out
Posts: 3,307
Rep:
|
A little precision
Scanning UDP is not reliable.
If the UDP port is closed, then the stack has to reply with an ICMP unreachable.
But if you don't receive an ICMP unreachable you cannot differentiate between:
port open
port filtered
If the box is firewalled, then your ports may look open.
That was how nmap worked a few years ago; I don't know about now.
|
|
|
01-11-2006, 08:58 AM
|
#6
|
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Rep:
|
Quote:
Originally Posted by nx5000
A little precision
Scanning UDP is not reliable.
If the UDP port is closed, then the stack has to reply with an ICMP unreachable.
But if you don't receive an ICMP unreachable you cannot differentiate between:
port open
port filtered
If the box is firewalled, then your ports may look open.
|
Open and firewalled ports (using the DROP target) are reported by the nmap UDP scan as "opened|filtered", which is not the same thing as an "open" report. Your explanation is correct when scanning remote systems (both firewalled and open ports come back as "open|filtered"). However, scanning localhost produces some odd results. The source port used for the nmap scan will always come back as "open" instead. Try scanning using the --source_port option and you'll notice the "random port" disappears and the source port you use comes back as "open" while daemons and firewalled ports are reported as "open|filtered".
|
|
|
01-11-2006, 09:22 AM
|
#7
|
Senior Member
Registered: Sep 2005
Location: Out
Posts: 3,307
Rep:
|
Quote:
Originally Posted by Capt_Caveman
"opened|filtered"
|
OK, so now nmap does not confuse users anymore for UDP scans. Good.
Scanning localhost is not very helpful, that's right.
|
|
|
01-13-2006, 07:15 AM
|
#8
|
Member
Registered: Nov 2005
Distribution: slack
Posts: 188
Original Poster
Rep:
|
I run:
nmap -sT -sU --source_port 1-65535 localhost
It says 3100 ports checked?
And that random open port really disappears...
there is:
1/udp open tcpmux - what is that? -nmap?
68/udp open|filtered dhcpclient
|
|
|
01-13-2006, 09:18 AM
|
#9
|
Senior Member
Registered: Sep 2005
Location: Out
Posts: 3,307
Rep:
|
It seems you can only put
--source_port <one_number>
I think 1/udp is nmap yes (1-65535 , the -65535 is ignored)
and dhcp because your machine is a dhcpclient.
A bit off topic but a new thing in the kernel 2.6.15:
Quote:
Randomize the port selected on bind() for connections to help with possible security attacks. It should also be faster in most cases because there's no need for a global lock.
|
|
|
|
01-13-2006, 09:23 AM
|
#10
|
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Rep:
|
You used the wrong syntax. The --source_port option allows you to set the source port to whatever you want. If you then scan localhost the "random" other port you keep seeing will disappear (this is nmap using some random source port above 1023) and the source port you selected will appear open. For example:
Code:
First run, let nmap use a random source port:
[root@tux ~]# nmap -sU -p 1-65535 localhost
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2006-01-13 11:10 EST
Interesting ports on tux (127.0.0.1):
(The 65531 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
111/udp open|filtered rpcbind
631/udp open|filtered unknown
62715/udp open unknown <--Random port
Nmap run completed -- 1 IP address (1 host up) scanned in 13.322 seconds
Run 2, this time set the source port:
[root@tux ~]# nmap -sU --source_port 10000 -p 1-65535 localhost
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2006-01-13 11:12 EST
Interesting ports on tux (127.0.0.1):
(The 65531 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
111/udp open|filtered rpcbind
631/udp open|filtered unknown
10000/udp open unknown <-- Our source port
Nmap run completed -- 1 IP address (1 host up) scanned in 13.128 seconds
Note how the state reported by nmap is different for the nmap source port compared to the two ports that actually are open (udp ports 111 and 631).
|
|
|
01-13-2006, 10:11 AM
|
#11
|
Member
Registered: Nov 2005
Distribution: slack
Posts: 188
Original Poster
Rep:
|
Yes, it is like you say - I feel more secure now...
tnx
|
|
|
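Added example (not part of the thread and not nmap's code): a small Python model of the UDP scan states discussed in posts #4 to #10, using ordinary connected sockets on loopback. A closed port answers with ICMP port unreachable, a bound but silent port gives no answer, and a probe sent to the scanner's own source port is delivered back to the scanner and looks like a reply. The function names and payload are assumptions for illustration, and the source-port case is a simplified model, since nmap sends raw packets rather than using sockets like these.

```python
import socket

PROBE = b"probe"  # constructed payload; any bytes work


def bound_udp_socket(port=0):
    """Return a UDP socket bound to 127.0.0.1:port (0 = kernel picks)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", port))
    return s


def probe(dst_port, src_port, timeout=0.5):
    """Send one UDP probe from src_port to dst_port and classify the result."""
    with bound_udp_socket(src_port) as s:
        s.settimeout(timeout)
        # connect() makes the kernel report ICMP errors on this socket.
        s.connect(("127.0.0.1", dst_port))
        try:
            s.send(PROBE)
            s.recv(1024)
        except ConnectionRefusedError:
            return "closed"         # ICMP port unreachable came back
        except socket.timeout:
            return "open|filtered"  # silence: listening or dropped, cannot tell
        return "open"               # a datagram arrived from dst_port


def demo():
    # Hold three sockets at once so the three ports are guaranteed distinct.
    socks = [bound_udp_socket() for _ in range(3)]
    src, closed, listening = (s.getsockname()[1] for s in socks)
    socks[0].close()  # free the scanner's source port for probe() to bind
    socks[1].close()  # nothing listens here any more: a closed port
    try:
        return {
            "closed port": probe(closed, src),
            # socks[2] stays bound but never answers, like a quiet daemon.
            "quiet listener": probe(listening, src),
            # Destination equals our own source port: we receive our own probe.
            "scanner source port": probe(src, src),
        }
    finally:
        socks[2].close()


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

The three states line up with the output in post #10: real listeners show as open|filtered, while the only port reported as plain open is the scanner's own source port.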
All times are GMT -5. The time now is 09:38 PM.