Operating systems

List open ports and listening services

You should turn off any services you don't actually need so that they will not become avenues of attack for security threats. Different systems will have different services running by default, even between different service pack versions of MS Windows XP, and if you're coming into a situation where you must assume responsibility for the security of computers that were already set up before you got there, there are certain to be different services running than on a default install of the system. What's needed is a tool for listing active services and open ports. I'll explain how such tools can be used on three types of systems: Linux distributions, FreeBSD, and MS Windows.

As mentioned in the article, "10 security tips for all general-purpose OSes," you should turn off any services you don't actually need so that they will not become avenues of attack for security threats. Ten specific services for Microsoft Windows were mentioned in my later article, "10 services to turn off in MS Windows XP." While ten is a good number for a quick list in an article, it's hardly comprehensive.

There's essentially no way to provide a comprehensive list, of course. Different systems will have different services running by default, even between different service pack versions of MS Windows XP, and if you're coming into a situation where you must assume responsibility for the security of computers that were already set up before you got there, there are certain to be different services running than on a default install of the system. Worse, there are new services being invented from time to time, expanding the number of services that may possibly be running on a given computer.

What's needed is a tool for listing active services and open ports. I'll explain how such tools can be used on three types of systems, in alphabetical order -- Linux distributions, FreeBSD, and MS Windows -- plus how to use an additional tool for commercial UNIX systems where the other tools may not be available.

FreeBSD

On a FreeBSD Unix system, as with other BSD Unix systems, you have a number of utilities with a base system install that can be used for listing open files, running processes, and network connections. The netstat utility is maintained as a part of the FreeBSD base system by the FreeBSD core developers, and offers exactly the sort of functionality you need to list open ports on your system.

netstat

To list open network ports and the processes that own them on FreeBSD with netstat, you can use this command:

  netstat -a | egrep 'Proto|LISTEN'

The output for this on my laptop running FreeBSD is:

Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)

tcp4 0 0 localhost.ipp *.* LISTEN

tcp6 0 0 localhost.ipp *.* LISTEN

tcp4 0 0 *.2200 *.* LISTEN

tcp6 0 0 *.2200 *.* LISTEN

tcp4 0 0 *.x11 *.* LISTEN

tcp6 0 0 *.x11 *.* LISTEN

The localhost.ipp entry refers to the Internet Printing Protocol, used by CUPS to talk to the network printer. The *.2200 entry refers to SSH, which I have set to a nonstandard port -- so it's not recognized by netstat's port-to-service association capabilities. *.x11, meanwhile, refers to the X Window System protocol.

You can add the -n option to netstat to get port numbers instead of having the utility try to provide names for services:

  netstat -an | egrep 'Proto|LISTEN'

The output would then look somewhat different:

Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)

tcp4 0 0 127.0.0.1.631 *.* LISTEN

tcp6 0 0 ::1.631 *.* LISTEN

tcp4 0 0 *.2200 *.* LISTEN

tcp6 0 0 *.2200 *.* LISTEN

tcp4 0 0 *.6000 *.* LISTEN

tcp6 0 0 *.6000 *.* LISTEN

This information can be used to determine what services are running, in cases where services are using standard ports. On a FreeBSD system, you can get a listing of standard port associations by searching through the contents of /etc/services. For instance, if you wanted to find out what was up with port 631, you might use this command:

  grep -w 631 /etc/services

The output:

ipp     631/tcp    #IPP (Internet Printing Protocol)

ipp 631/udp #IPP (Internet Printing Protocol)

sockstat

In addition to netstat, the more limited command sockstat is effectively tailor-made for this kind of information gathering. To get a listing of listening ports and their associated processes, you can use this command:

  sockstat -4l

The output may even be more useful than that of netstat above:

USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS

root cupsd 1701 4 tcp4 127.0.0.1:631 *:*

root cupsd 1701 6 udp4 *:631 *:*

root sshd 1685 4 tcp4 *:2200 *:*

root Xorg 1154 3 tcp4 *:6000 *:*

root syslogd 907 7 udp4 *:514 *:*

Linux distributions

As with FreeBSD, the obvious choice of tool to use for listing open ports is netstat. Most Linux distributions use a different version of the utility, however -- maintained separately from the Linux distribution, as an independent software development project.

One consequence of that fact is that the command line options used to achieve the same results may be different with FreeBSD than with Debian, Ubuntu, or Fedora Core Linux systems. On a typical Linux system, this command will list open network ports and the processes that own them:

  netstat -lnptu

The output should look something like this:

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2458/cupsd

tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 2353/postgres

tcp6 0 0 :::22 :::* LISTEN 2335/sshd

udp 0 0 0.0.0.0:631 0.0.0.0:* 2458/cupsd

As you can see from this output, the Debian GNU/Linux system on which I ran that command has only four open ports -- two for CUPS, so that the computer can communicate with the network printer; one for PostgreSQL so that it can be contacted by applications in development; SSH, so that I can access it remotely, from my laptop.

Microsoft Windows XP

Microsoft Windows also offers a netstat command that can be executed from the command line to get a list of open ports. The standard MS Windows version of netstat is slightly more limited than its Unix-like system counterparts, but still suffices to get a listing of listening services:

  netstat -a | find "LISTENING"

The output of this command should look something like this:

TCP    hostname:epmap           hostname:0               LISTENING

TCP hostname:microsoft-ds hostname:0 LISTENING

TCP hostname:10110 hostname:0 LISTENING

TCP hostname:netbios-ssn hostname:0 LISTENING

. . . with "hostname" replaced by the system's hostname, of course.

Commercial UNIX Systems

For most commercial UNIX systems, even if there is not a version of netstat or sockstat available, you should be able to install lsof -- which is short for "list open files". Most Linux distributions and BSD Unix systems will provide lsof with a default install or through their respective software management systems. Some commercial UNIX systems do so as well, and for many others you can download it. The following command will limit the output of the utility to network ports:

  lsof -i -n | egrep 'COMMAND|LISTEN'

The output should look something like this (as run on my laptop, again):

COMMAND   PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME

Xorg 1154 root 1u IPv6 0xc6042000 0t0 TCP *:x11 (LISTEN)

Xorg 1154 root 3u IPv4 0xc6041cb0 0t0 TCP *:x11 (LISTEN)

sshd 1685 root 3u IPv6 0xc6041ae0 0t0 TCP *:2200 (LISTEN)

sshd 1685 root 4u IPv4 0xc6041910 0t0 TCP *:2200 (LISTEN)

cupsd 1701 root 3u IPv6 0xc6041740 0t0 TCP [::1]:ipp (LISTEN)

cupsd 1701 root 4u IPv4 0xc6041570 0t0 TCP 127.0.0.1:ipp (LISTEN)

Now you know

. . . and knowing is half the battle. The other half involves using your knowledge, of course.

Now that you know how to list open ports on your system and can collect the information needed to find out what services are running that should not be active, you can make sure you turn off those services and close those ports. Because that process varies so greatly from one system to the next, and tends to be somewhat more complex than listing open ports, any instruction on that task from me will have to wait for another day.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

2 comments
jackhard
jackhard

It has a different syntax for the Linux version, and is much more limited, but it is definitely a part of the operating system. hitechito

Imprecator
Imprecator

It has different syntax than the Linux version, and it's more limited, but it's definitely part of the OS.

Editor's Picks