[Gllug] netstat -pan --inet
John Edwards
john_ed at cornerstonelinux.co.uk
Fri Feb 8 01:24:26 UTC 2002
On Thu, Feb 07, 2002 at 08:15:56PM -0000, Harry wrote:
> Hi all
>
> In my quest to tighten this box I have been busy hunting man pages to find
> the various options to close the listeners to the internet. The following is
> the output from netstat -pan --inet. From what I can see they should all be
> closed now but I do not understand the bottom udp options with local address
> set to anything but no state. Can someone enlighten me?
>
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address      Foreign Address    State       PID/Program name
> tcp        0      0 192.168.10.1:139   0.0.0.0:*          LISTEN      2059/smbd
> tcp        0      0 192.168.10.1:53    0.0.0.0:*          LISTEN      2244/pdnsd
> tcp        0      0 192.168.10.1:22    0.0.0.0:*          LISTEN      2219/sshd
> tcp        0      0 192.168.10.1:3128  0.0.0.0:*          LISTEN      2328/(squid)
> tcp        0      0 192.168.10.1:22    192.168.10.2:1047  ESTABLISHED 1877/sshd
> udp        0      0 192.168.10.1:137   0.0.0.0:*                      2056/nmbd
> udp        0      0 0.0.0.0:137        0.0.0.0:*                      2056/nmbd
> udp        0      0 192.168.10.1:138   0.0.0.0:*                      2056/nmbd
> udp        0      0 0.0.0.0:138        0.0.0.0:*                      2056/nmbd
nmbd = Samba's NetBIOS naming daemon, which resolves the names for Windows
file sharing. Needed on one machine on each subnet, preferably a Samba box.
> udp        0      0 192.168.10.1:53    0.0.0.0:*                      2244/pdnsd
Some kind of DNS server. Useful.
> udp        0      0 0.0.0.0:3130       0.0.0.0:*                      2328/(squid)
Squid web cache/proxy.
> raw        0      0 0.0.0.0:1          0.0.0.0:*          7           2244/pdnsd
"TCP port service multiplexer", why
> raw        0      0 0.0.0.0:6          0.0.0.0:*          7           256/scanlogd
> raw        0      0 0.0.0.0:6          0.0.0.0:*          7           253/scandetd
> raw        0      0 0.0.0.0:17         0.0.0.0:*          7           253/scandetd
Are these some kind of port scanning detection stuff you have installed?
> I have built a firewall and now closed the various listeners. Is tcp wrappers
> next, or chrooting stuff? I know this is not in the correct order but I
> decided I would do the most interesting first.
>
> Harry
TCP wrappers generally only affect things run from inetd, or which are
compiled with it enabled (SSH can do this). This should not be used
instead of proper firewall controls.

Candidates for chroot may include Squid and your DNS server, but I don't
think Samba can be easily chrooted as it's a file server (nor can SSH).

PS. If you are looking for security hardening scripts, look at Bastille
for Red Hat; Debian has something similar (in testing, I think).
--
#------------------------------------------------------------#
| John Edwards Email: John.Edwards at uk.com |
| |
| "Security vulnerabilities are here to stay." |
| Scott Culp, Manager, Microsoft Security Response Center |
#------------------------------------------------------------#
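
An added example, not part of the original post: a small Python parser for `netstat -pan --inet` rows that treats a UDP row with an empty State column as an unconnected receiver, picks out sockets bound to 0.0.0.0, and reads the number after the colon on raw rows as an IP protocol number (1 ICMP, 6 TCP, 17 UDP). The sample rows are taken from the output quoted in the thread, rejoined onto single lines; the function names are this example's own.

```python
# For raw sockets netstat prints an IP protocol number where a port would be.
IP_PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}

# Rows from the output quoted in the thread, rejoined onto single lines.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.10.1:139 0.0.0.0:* LISTEN 2059/smbd
tcp 0 0 192.168.10.1:22 192.168.10.2:1047 ESTABLISHED 1877/sshd
udp 0 0 192.168.10.1:137 0.0.0.0:* 2056/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 2056/nmbd
udp 0 0 0.0.0.0:3130 0.0.0.0:* 2328/(squid)
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 2244/pdnsd
raw 0 0 0.0.0.0:6 0.0.0.0:* 7 256/scanlogd
"""

def parse_line(line):
    """Split one netstat row into fields; return None for header lines."""
    f = line.split()
    if len(f) < 6 or f[0] not in ("tcp", "udp", "raw"):
        return None
    addr, _, port = f[3].rpartition(":")
    pid, _, program = f[-1].partition("/")
    # UDP has no LISTEN state: an unconnected UDP socket leaves the State
    # column empty, so a row has 6 fields without a state and 7 with one.
    state = f[5] if len(f) == 7 else ""
    return {"proto": f[0], "addr": addr, "port": int(port),
            "state": state, "pid": pid, "program": program}

def describe(row):
    """One-line reading of what a parsed row means for exposure."""
    where = "all interfaces" if row["addr"] == "0.0.0.0" else row["addr"]
    if row["proto"] == "raw":
        name = IP_PROTOCOLS.get(row["port"], "protocol %d" % row["port"])
        return "%s: raw %s socket" % (row["program"], name)
    if row["proto"] == "udp" and not row["state"]:
        return "%s: receives udp/%d on %s" % (row["program"], row["port"], where)
    if row["state"] == "LISTEN":
        return "%s: listens on tcp/%d on %s" % (row["program"], row["port"], where)
    return "%s: %s %s socket on %s port %d" % (
        row["program"], row["state"], row["proto"], where, row["port"])

def wildcard_receivers(text):
    """TCP listeners and unconnected UDP sockets bound to every interface."""
    rows = [r for r in map(parse_line, text.splitlines()) if r]
    return [r for r in rows if r["addr"] == "0.0.0.0"
            and r["proto"] != "raw" and r["state"] in ("", "LISTEN")]

if __name__ == "__main__":
    for row in filter(None, map(parse_line, SAMPLE.splitlines())):
        print(describe(row))
```

The rows returned by `wildcard_receivers` are the ones that rely on the firewall alone to keep outside traffic away, because the daemon itself is not restricted to the internal address.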