Some port questions...

drigz · 06-17-2004, 09:07 AM

Here are some ports that I have open that I'm not sure about (the names are copied from nmap):

37/tcp open time
Is this necessary? Dangerous?

111/tcp open rpcbind
Again, necessary? Dangerous?

113/tcp open auth
Apparently this can be used to take down a SuSE box. Any risk on Slackware? And the previous questions as well.

705/tcp open unknown
What is this? Do I have a Linux trojan or something? There was a similar line to this last time I checked (i have restarted since then) except the port was 651. I am worried.

EDIT: I can telnet to it, but saying anything seems to make it disconnect:
drigz@ayro:~$ telnet localhost 705
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
help
Connection closed by foreign host.

EDIT: Apparently port 705 is for something called AgentX, but this may be coincidence, as I have no idea what that is.
http://www.networksorcery.com/enp/protocol/agentx.htm

EDIT: Perhaps it's something to do with VMware? That uses network connections... It's the only thing that I know I'm running that could be doing it...

SBing · 06-17-2004, 09:42 AM

You could find out what is bound to the port by running (as root)

su
netstat -anp (all, numeric, programs)

As a rule, don't run daemons that you don't use yourself or don't want to server other people (obviously if you are behind a router it doesn't matter since I _assume_ you don't forward these ports)

So I advise you kill the stuff you don't use, I have no use for the ones you mention but you may do.

Start by editing rc scripts etc to stop stuff being run on startup etc

Good luck :)

Steve

drigz · 06-17-2004, 09:47 AM

Well, I know that time and authand rpcbind are common programs. However, I'm not sure if they're necessary.

The 705 (the one I'm really worried about):
root@ayro:/home/drigz# netstat -anp | grep 705
tcp 0 0 0.0.0.0:705 0.0.0.0:* LISTEN 529/inetd

what does that mean?

SBing · 06-17-2004, 10:17 AM

I'm not at all familiar with inetd, have you looked at inetd.conf (or something like that) too see what programs it is set up to run?

I don't have inetd installed on the servers here so I can't really help you with that, hope someone else can

Steve

drigz · 06-17-2004, 10:28 AM

root@ayro:/home/drigz# netstat -anp | grep 705
tcp 0 0 0.0.0.0:705 0.0.0.0:* LISTEN 529/inetd
tcp 0 0 127.0.0.1:35157 127.0.0.1:705 ESTABLISHED 5070/telnet
tcp 0 0 127.0.0.1:705 127.0.0.1:35157 ESTABLISHED 892/famd

got it - this is netstat with telnet connected to 705. so what is famd?

EDIT: here is it:
http://oss.sgi.com/projects/fam/
this looks like something i want - i just want to know why it need to keep a port open...

id still like info on the time, auth and rpcbind ports...

here is my progress on them:
auth is for something like identd - apparently generally used for mail. since i dont use mail on this, do i need it running?

rpcbind is the rpc portmapper. what does this do? do i need it? i can probably stop it with chmod -x /etc/rc.d/rc.portmap
i can stop auth and time by commenting them out in inetd.conf probably.