Title: Determining which network services are running

KBTAG: kben10000038
URL: http://www.securityportal.com/lskb/10000000/kben10000038.html
Date created: 17/04/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: How to determine which network services are enabled on your machine
Keywords: Network

Summary:

Network services in Linux can be run through a number of facilities (inetd, as daemons, etc.), and with the proliferation of Linux distributions, the number of strange daemons installed has increased.

More information:

Finding out which daemons you have installed and enabled can be a chore. Querying installed packages with "rpm -qa" doesn't help unless you know what each of those packages does. For finding out what is actually running, ps, netstat and lsof are invaluable: ps will tell you what is currently running (httpd, inetd, etc.), netstat will tell you the status of ports (at this point we're interested in ports that are open and listening, that is, waiting for connections), and lsof will show open files and ports. You might have additional server software installed, but if it is not running it is a lot less dangerous than enabled software.

inetd.conf

You can check inetd.conf for services; this is covered in knowledge base article kben10000037.

ps

The program ps shows us process status (information available in the /proc virtual filesystem). The options most commonly used are "ps -xau", which show pretty much all the information you'd ever want to know. Please note: these options vary across UNIX systems; Solaris, SCO, etc. all behave differently (which is incredibly annoying). The following is typical output from a machine (using "ps -xau").

USER PID %CPU %MEM SIZE RSS TTY STAT START TIME COMMAND
bin 320 0.0 0.6 760 380 ? S Feb 12 0:00 portmap
daemon 377 0.0 0.6 784 404 ? S Feb 12 0:00 /usr/sbin/atd
named 2865 0.0 2.1 2120 1368 ? S 01:14 0:01 /usr/sbin/named -u named -g named -t /home/named
nobody 346 0.0 18.6 12728 11796 ? S Feb 12 3:12 squid
nobody 379 0.0 0.8 1012 544 ? S Feb 12 0:00 (dnsserver)
nobody 380 0.0 0.8 1012 540 ? S Feb 12 0:00 (dnsserver)
nobody 383 0.0 0.6 916 416 ? S Feb 12 0:00 (dnsserver)
nobody 385 0.0 0.8 1192 568 ? S Feb 12 0:00 /usr/bin/ftpget -S 1030
nobody 392 0.0 0.3 716 240 ? S Feb 12 0:00 (unlinkd)
nobody 1553 0.0 1.8 1932 1200 ? S Feb 14 0:00 httpd
nobody 1703 0.0 1.8 1932 1200 ? S Feb 14 0:00 httpd
root 1 0.0 0.6 776 404 ? S Feb 12 0:04 init [3]
root 2 0.0 0.0 0 0 ? SW Feb 12 0:00 (kflushd)
root 3 0.0 0.0 0 0 ? SW Feb 12 0:00 (kswapd)
root 4 0.0 0.0 0 0 ? SW Feb 12 0:00 (md_thread)
root 64 0.0 0.5 736 348 ? S Feb 12 0:00 kerneld
root 357 0.0 0.6 800 432 ? S Feb 12 0:05 syslogd
root 366 0.0 1.0 1056 684 ? S Feb 12 0:01 klogd
root 393 0.0 0.7 852 472 ? S Feb 12 0:00 crond
root 427 0.0 0.9 1272 592 ? S Feb 12 0:19 /usr/sbin/sshd
root 438 0.0 1.0 1184 672 ? S Feb 12 0:00 rpc.mountd
root 447 0.0 1.0 1180 644 ? S Feb 12 0:00 rpc.nfsd
root 458 0.0 1.0 1072 680 ? S Feb 12 0:00 /usr/sbin/dhcpd
root 489 0.0 1.7 1884 1096 ? S Feb 12 0:00 httpd
root 503 0.0 0.4 724 296 2 S Feb 12 0:00 /sbin/mingetty tty2
root 505 0.0 0.3 720 228 ? S Feb 12 0:02 update (bdflush)
root 541 0.0 0.4 724 296 1 S Feb 12 0:00 /sbin/mingetty tty1
root 1372 0.0 0.6 772 396 ? S Feb 13 0:00 inetd
root 1473 0.0 1.5 1492 1000 ? S Feb 13 0:00 sendmail: accepting connections on port 25
root 2862 0.0 0.0 188 44 ? S 01:14 0:00 /usr/sbin/holelogd.named /home/named/dev/log
root 3090 0.0 1.9 1864 1232 ? S 12:16 0:02 /usr/sbin/sshd
root 3103 0.0 1.1 1448 728 p1 S 12:16 0:00 su -
root 3104 0.0 1.3 1268 864 p1 S 12:16 0:00 -bash
root 3136 0.0 1.9 1836 1212 ? S 12:21 0:04 /usr/sbin/sshd

The interesting ones are: portmap, named, Squid (and its dnsserver, unlinkd and ftpget child processes), httpd, syslogd, sshd, rpc.mountd, rpc.nfsd, dhcpd, inetd, and sendmail (this server appears to be providing gateway services, email and NFS file sharing). The easiest way to learn how to read ps output is to go over the ps man page and learn what the various fields are (most are self-explanatory, such as %CPU, while some like SIZE are a bit obscure: SIZE is the number of 4k memory 'pages' a program is using). To figure out what the running programs are, a safe bet is 'man <command_name>', which almost always gives you the manual page pertaining to that service (such as httpd). You will notice that services like telnet, ftpd, identd and several others do not show up even though they are enabled. This is because they are run from inetd, the 'superserver'. To find these services look at /etc/inetd.conf or your "netstat -vat" output.

netstat

netstat tells us pretty much anything network-related that you can imagine. It is especially good at listing active connections and sockets. Using netstat we can find which ports on which interfaces are active. The following output is from a typical server using "netstat -vatn".

Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address State 
tcp 0 0 24.108.11.200:80 205.253.183.122:3661 ESTABLISHED 
tcp 0 0 0.0.0.0:1036 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 
tcp 0 0 10.0.0.10:53 0.0.0.0:* LISTEN 
tcp 0 0 28.208.55.254:53 0.0.0.0:* LISTEN 
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:635 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 
udp 0 0 127.0.0.1:1031 0.0.0.0:* 
udp 0 0 0.0.0.0:1029 0.0.0.0:* 
udp 0 0 0.0.0.0:800 0.0.0.0:* 
udp 0 0 0.0.0.0:1028 0.0.0.0:* 
udp 0 0 10.0.0.10:53 0.0.0.0:* 
udp 0 0 28.208.55.254:53 0.0.0.0:* 
udp 0 0 127.0.0.1:53 0.0.0.0:* 
udp 0 0 10.1.0.1:138 0.0.0.0:* 
udp 0 0 10.1.0.1:137 0.0.0.0:* 
udp 0 0 10.0.0.10:138 0.0.0.0:* 
udp 0 0 10.0.0.10:137 0.0.0.0:* 
udp 0 0 0.0.0.0:138 0.0.0.0:* 
udp 0 0 0.0.0.0:137 0.0.0.0:* 
udp 0 0 0.0.0.0:2049 0.0.0.0:* 
udp 0 0 0.0.0.0:635 0.0.0.0:* 
udp 0 0 0.0.0.0:514 0.0.0.0:* 
udp 0 0 0.0.0.0:111 0.0.0.0:* 
raw 0 0 0.0.0.0:1 0.0.0.0:* 
raw 0 0 0.0.0.0:6 0.0.0.0:*

Numeric output is in my opinion easier to read (once you memorize /etc/services). The interesting fields for us are the first field (the protocol), the fourth field (the IP address of the interface and the port), the foreign address (anything other than 0.0.0.0:* means someone is actively talking to it), and the port state. The first line is a remote client talking to the web server on this machine (port 80). We then see the www server listening on 0.0.0.0:80, which means all interfaces, port 80, followed by the DNS server running on all 3 interfaces, a samba server (139), a mail server (25), an NFS server (2049) and so on. You will notice the ftp server (21) is listed even though it is run out of inetd and is not currently in use (i.e. no one is actively ftping in). This makes netstat especially useful for finding out what is active on a machine, making an inventory of active and inactive network-related software on the server much easier.
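The inventory step described above, turned into a small check: the script below (an added example, not part of the original article) parses a constructed subset of the "netstat -vatn" output shown above, keeps only TCP sockets in LISTEN state and bound UDP sockets, and reports those that are not in a constructed baseline of expected services, so that each leftover can be tracked down with 'man <name>' or in /etc/inetd.conf.

```python
# Constructed sample: a subset of the "netstat -vatn" output above, with whitespace collapsed.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 24.108.11.200:80 205.253.183.122:3661 ESTABLISHED
tcp 0 0 0.0.0.0:1036 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 10.0.0.10:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
udp 0 0 127.0.0.1:1031 0.0.0.0:*
udp 0 0 0.0.0.0:514 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
raw 0 0 0.0.0.0:1 0.0.0.0:*
"""

# Constructed baseline: the (protocol, port) pairs this host is meant to serve.
EXPECTED = {("tcp", 22), ("tcp", 25), ("tcp", 80), ("tcp", 53), ("udp", 53)}

def listening_sockets(text):
    """Return {(proto, address, port)} for TCP sockets in LISTEN state and bound UDP
    sockets; established connections and raw sockets are not servers and are skipped."""
    found = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # banner, column header, or raw socket
        proto, local = fields[0], fields[3]
        state = fields[5] if len(fields) > 5 else ""
        if proto == "tcp" and state != "LISTEN":
            continue  # a client talking to us, not a server socket
        addr, port = local.rsplit(":", 1)  # rsplit keeps the dotted address intact
        found.add((proto, addr, int(port)))
    return found

def unexpected_listeners(text, expected):
    """Listeners missing from the baseline, sorted; each one deserves a
    'man <name>' or /etc/inetd.conf lookup before it is left enabled."""
    return sorted(s for s in listening_sockets(text)
                  if (s[0], s[2]) not in expected)

if __name__ == "__main__":
    for proto, addr, port in unexpected_listeners(SAMPLE_NETSTAT, EXPECTED):
        scope = "all interfaces" if addr == "0.0.0.0" else addr
        print(f"unexpected {proto}/{port} bound on {scope}")
```

On a live machine, feed it the real output ("netstat -vatn | python3 audit.py" with stdin read in place of SAMPLE_NETSTAT) and tighten the baseline as each listener is explained.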

lsof

lsof is a handy program similar in idea to ps, except that it prints out what files, sockets, etc. are open, which can include network sockets. Unfortunately your average lsof puts out a lot of information, so you will need to use grep or redirect it through less ("lsof | less") to make it easier to read.

squid 9726 root 4u inet 78774 TCP localhost:2074->localhost:2073 (ESTABLISHED)
squid 9726 root 5u inet 78777 TCP localhost:2076->localhost:2075 (ESTABLISHED)
squid 9726 root 6u inet 78780 TCP localhost:2078->localhost:2077 (ESTABLISHED)
squid 9726 root 7w CHR 1,3 6205 /dev/null
squid 9726 root 14u inet 78789 TCP host1:3128 (LISTEN)
squid 9726 root 15u inet 78790 UDP host1:3130 
squid 9726 root 16u inet 78791 UDP host1:3130
squid 9726 root 12u inet 167524 TCP host1:3128->host2:3630 (ESTABLISHED)
squid 9726 root 17u inet 167528 TCP host1:3424->www.example.org:http (SYN_SENT)

This example shows that we have Squid running, listening on ports 3128 and 3130; the last two lines show an open connection from an internal host to the Squid server and the resulting action Squid has taken to fulfill the request (going to www.example.org). host1 is the Squid server and host2 is the client machine making the request. This is an invaluable tool for getting a precise image of what is going on network-wise with your server. Some distributions ship lsof. Please note that versions of lsof compiled for kernel version 2.0.x will not work with kernel 2.2.x and vice versa, as there were too many changes.

Downloads:

ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/ - lsof (also available as binary packages for most distributions)