Posted by anomie, 2nd May 2008
Learn which services are listening on your box

As a responsible member of the *nix community, it's a good idea to know exactly which services on your box are listening for connections from the outside world. To that end, what follows is a beginner-oriented guide to answer the questions: Which daemons are listening? Who is connecting to them? What networks have access to them?

Note that this is written specifically for FreeBSD versions 6.x and 7.0. Different OSes and different versions may require different approaches.

-----------------------------------------

Which daemons are listening?
This question can be answered simply enough using the sockstat program. Example:
Code:
> sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
www      httpd      1319  3  tcp4   10.0.0.102:80         *:*
www      httpd      1318  3  tcp4   10.0.0.102:80         *:*
www      httpd      1317  3  tcp4   10.0.0.102:80         *:*
www      httpd      1316  3  tcp4   10.0.0.102:80         *:*
www      httpd      1315  3  tcp4   10.0.0.102:80         *:*
root     httpd      1203  3  tcp4   10.0.0.102:80         *:*
root     sendmail   699   4  tcp4   127.0.0.1:25          *:*
root     syslogd    563   6  udp4   10.0.0.62:514         *:*
First, the command options: -4 means I am only interested in IPv4. -l means I only want to see listening sockets. (See the manpages for sockstat(1) for more info.)

In this example, we see plenty of information about listening daemons, including the user the daemon is running as, the daemon name itself, the PID, protocol type (tcp or udp; well beyond the scope of this explanation), and the interface it is actively listening on.

[ For users who are familiar with GNU/Linux, this output contains a lot of the same information that you might get from the command: netstat -ltunp ]
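As an added example (not from the original post), here is a small sh/awk helper that takes sockstat -4l output, collapses the repeated httpd-style lines into one entry per daemon/protocol/address:port, and tags each entry as local-only (bound to 127.0.0.1) or EXPOSED (bound to a real interface or the wildcard). The sample listing below is constructed to look like the post's output, with an added sshd line; on a live box you would pipe the real command in instead.

```shell
#!/bin/sh
# Constructed sample of `sockstat -4l` output (not captured from a real host).
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      1319  3  tcp4   10.0.0.102:80         *:*
www      httpd      1318  3  tcp4   10.0.0.102:80         *:*
root     sendmail   699   4  tcp4   127.0.0.1:25          *:*
root     syslogd    563   6  udp4   10.0.0.62:514         *:*
root     sshd       612   4  tcp4   *:22                  *:*'

# Read sockstat -4l lines on stdin; print one line per unique
# daemon/proto/address:port, tagged local-only or EXPOSED.
summarize_listeners() {
    awk 'NR > 1 {
        # fields: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
        key = $2 " " $5 " " $6
        if (!(key in seen)) {
            seen[key] = 1
            order[++n] = key
            user[key] = $1
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            split(k, f, " ")          # f[1]=command f[2]=proto f[3]=addr:port
            split(f[3], b, ":")       # b[1]=bind address
            tag = (b[1] == "127.0.0.1") ? "local-only" : "EXPOSED"
            printf "%s %s %s %s %s\n", tag, user[k], f[1], f[2], f[3]
        }
    }'
}

# Count how many distinct listeners are reachable from off-box.
count_exposed() {
    summarize_listeners | grep -c '^EXPOSED'
}

# Live use would be:  sockstat -4l | summarize_listeners
# Here we run it on the constructed sample.
printf '%s\n' "$SAMPLE" | summarize_listeners
```

Anything tagged EXPOSED is what the rest of this post (connection logging, firewall rules, an nmap scan from another host) should be checked against.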

Who is connecting to the listening daemons (real-time)?
To see who currently has active connections (inbound or outbound, actually) to any of the daemons, we'll use a slightly different invocation of sockstat.

Code:
> sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
ryuf     firefox-bi 93662 36 tcp4   10.0.0.62:56582       208.69.32.230:80
...
www      httpd      1315  3  tcp4   10.0.0.102:80         66.14.160.210:61018
...
Again, -4 means I am only interested in IPv4. I omitted the -l option this time so that I can see all active connections (not just listening connections).

In this example, we can see the user 'ryuf' is connected to tcp port 80 on the remote host 208.69.32.230 (which just happens to be Google). This is a connection from a local user to a remote web server.

We can also see a connection that is associated with the user 'www'. It appears to be coming from a high-numbered tcp port on a remote IP address to tcp port 80 on our local machine. This is a connection from a remote user to our web server.

Who is connecting to the listening daemons (non real-time)?
Keeping track of this information is important, and it's generally the job of your daemon's connection logging. Additionally, if you are running a packet filtering firewall, you may choose to implement logging at that level as well.

Configuring this is beyond the scope of this explanation. A good place to start would be the documentation for your daemon and/or firewall.

What networks have access to the daemons?
This question is a little trickier to answer, as there are a lot of variables that may be involved, depending on your situation. For example: if your box is behind a packet filtering appliance (firewall or switch) or behind some sort of NAT device (e.g. a SOHO router), that will complicate testing who really has access to your daemons considerably. (This becomes especially complicated if any of those appliances or devices are managed by someone other than you.)

Nonetheless, we have a very effective tool (among several) to test that your daemons are listening to the networks you think they are, and that your host-level firewall rules are working as you'd expect: the popular nmap. It can be installed from the security/nmap port.

Note that for useful results, bear in mind all the gotchas above, and test from another box on a network that is appropriate given your situation. It is virtually useless to run an nmap scan against localhost on your own machine. Doing so tells you nothing that you couldn't glean from sockstat output.

In one of its simplest invocations, we will scan two different tcp ports on a remote host. Example:
Code:
> nmap -P0 web.bunnyland.local -p 80,443

Starting Nmap 4.20 ( http://insecure.org ) at 2008-05-02 12:05 CDT
Interesting ports on web.bunnyland.local (10.0.0.191):
PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp open     https

Nmap finished: 1 IP address (1 host up) scanned in 11.213 seconds
For the command options, I used -P0 to skip ping, since many hosts unfortunately drop icmp echo requests. And I specified a comma-separated list of tcp (which is the default) ports: 80 and 443.

From the output we see that tcp port 80 is "filtered". This likely means that there is a packet filtering rule that drops tcp packets to port 80 from at least my own box. We also see that tcp port 443 is "open". This means that at the TCP/IP level, I should be able to initiate a connection to port 443 on web.bunnyland.local.

[ nmap has many, many more options. See its manpages at nmap(1) and its project page to learn more. ]
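An added example, not part of the original post: a sh/awk check that reads the normal nmap output shown above and reports any port in the "open" state that is not on a list of ports you meant to expose. The scan text below is constructed in the same format as the post's example (with two extra ports added); the EXPECTED_OPEN list is an assumption about what the web host should be offering.

```shell
#!/bin/sh
# Constructed nmap output in the same format as the post's example (not a real scan).
SCAN='Starting Nmap 4.20 ( http://insecure.org ) at 2008-05-02 12:05 CDT
Interesting ports on web.bunnyland.local (10.0.0.191):
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   filtered http
443/tcp  open     https
3306/tcp open     mysql

Nmap finished: 1 IP address (1 host up) scanned in 11.213 seconds'

# Ports we intend to be reachable from the network the scan was run from
# (assumed allowlist for this example).
EXPECTED_OPEN="22/tcp 443/tcp"

# Read nmap output on stdin; print "port/proto service" for every port that
# is open but absent from the space-separated allowlist given as $1.
unexpected_open() {
    awk -v expected="$1" '
    BEGIN {
        n = split(expected, e, " ")
        for (i = 1; i <= n; i++) ok[e[i]] = 1
    }
    # only port table rows: "NNN/tcp  state  service"
    $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && !($1 in ok) {
        print $1, $3
    }'
}

# Live use would be:  nmap -P0 host -p 22,80,443,3306 | unexpected_open "$EXPECTED_OPEN"
printf '%s\n' "$SCAN" | unexpected_open "$EXPECTED_OPEN"
# prints: 3306/tcp mysql
```

A filtered port never appears in the output, since the check is about services that are reachable when you did not intend them to be.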

-----------------------------------------

That's it for now; hopefully these tips have given you a slightly clearer view of what is happening with listening daemons on your box. Stay aware and stay safe.
Last edited by anomie; 2nd May 2008 at 05:24 PM.