As mentioned in the article, “10 security tips for all general-purpose OSes,” you should turn off any services you don’t actually need so that they will not become avenues of attack for security threats. Ten specific services for Microsoft Windows were mentioned in my later article, “10 services to turn off in MS Windows XP.” While ten is a good number for a quick list in an article, it’s hardly comprehensive.
There’s essentially no way to provide a comprehensive list, of course. Different systems will have different services running by default, even between different service pack versions of MS Windows XP, and if you’re coming into a situation where you must assume responsibility for the security of computers that were already set up before you got there, there are certain to be different services running than on a default install of the system. Worse, there are new services being invented from time to time, expanding the number of services that may possibly be running on a given computer.
What’s needed is a tool for listing active services and open ports. I’ll explain how such tools can be used on three types of systems, in alphabetical order — FreeBSD, Linux distributions, and MS Windows — plus how to use an additional tool for commercial UNIX systems where the other tools may not be available.
FreeBSD
On a FreeBSD Unix system, as with other BSD Unix systems, you have a number of utilities with a base system install that can be used for listing open files, running processes, and network connections. The netstat utility is maintained as a part of the FreeBSD base system by the FreeBSD core developers, and offers exactly the sort of functionality you need to list open ports on your system.
To list open network ports and the processes that own them on FreeBSD with netstat, you can use this command:
netstat -a | egrep 'Proto|LISTEN'
The output for this on my laptop running FreeBSD is:
Proto Recv-Q Send-Q  Local Address   Foreign Address  (state)
tcp4       0      0  localhost.ipp   *.*              LISTEN
tcp6       0      0  localhost.ipp   *.*              LISTEN
tcp4       0      0  *.2200          *.*              LISTEN
tcp6       0      0  *.2200          *.*              LISTEN
tcp4       0      0  *.x11           *.*              LISTEN
tcp6       0      0  *.x11           *.*              LISTEN
The localhost.ipp entry refers to the Internet Printing Protocol, used by CUPS to talk to the network printer. The *.2200 entry refers to SSH, which I have set to a nonstandard port — so it’s not recognized by netstat’s port-to-service association capabilities. *.x11, meanwhile, refers to the X Window System protocol.
You can add the -n option to netstat to get port numbers instead of having the utility try to provide names for services:
netstat -an | egrep 'Proto|LISTEN'
The output would then look somewhat different:
Proto Recv-Q Send-Q  Local Address   Foreign Address  (state)
tcp4       0      0  127.0.0.1.631   *.*              LISTEN
tcp6       0      0  ::1.631         *.*              LISTEN
tcp4       0      0  *.2200          *.*              LISTEN
tcp6       0      0  *.2200          *.*              LISTEN
tcp4       0      0  *.6000          *.*              LISTEN
tcp6       0      0  *.6000          *.*              LISTEN
This information can be used to determine what services are running, in cases where services are using standard ports. On a FreeBSD system, you can get a listing of standard port associations by searching through the contents of /etc/services. For instance, if you wanted to find out what was up with port 631, you might use this command:
grep -w 631 /etc/services
ipp 631/tcp #IPP (Internet Printing Protocol)
ipp 631/udp #IPP (Internet Printing Protocol)
In addition to netstat, the more limited command sockstat is effectively tailor-made for this kind of information gathering. To get a listing of listening ports and their associated processes, you can use this command:
The output may even be more useful than that of
USER  COMMAND  PID   FD  PROTO  LOCAL ADDRESS   FOREIGN ADDRESS
root  cupsd    1701  4   tcp4   127.0.0.1:631   *:*
root  cupsd    1701  6   udp4   *:631           *:*
root  sshd     1685  4   tcp4   *:2200          *:*
root  Xorg     1154  3   tcp4   *:6000          *:*
root  syslogd  907   7   udp4   *:514           *:*
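Listing the ports is only useful if you then compare the result with what the host is supposed to be running. As an added example that is not part of the original article, the following POSIX shell script reads a sockstat listing in the column layout shown above and reports every listener that is not in a baseline of expected "proto port" pairs; the sample listing is the one above, embedded so the script runs offline, and the baseline is an assumed one for that laptop (only SSH on 2200 and CUPS on 631 are expected). On a live FreeBSD host you would pipe sockstat -l into it instead.

```shell
#!/bin/sh
# Compare a sockstat listing (read from stdin) against a baseline of expected
# listeners and report anything that is not on the list.

# Constructed sample: the sockstat output shown in the article, embedded so the
# script runs offline. On a live host, pipe `sockstat -l` into audit_listeners
# instead.
SAMPLE_SOCKSTAT='USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root cupsd 1701 4 tcp4 127.0.0.1:631 *:*
root cupsd 1701 6 udp4 *:631 *:*
root sshd 1685 4 tcp4 *:2200 *:*
root Xorg 1154 3 tcp4 *:6000 *:*
root syslogd 907 7 udp4 *:514 *:*'

# Assumed baseline for this host, one "proto port" pair per line: SSH on the
# nonstandard port 2200 and CUPS on 631 are expected, nothing else is.
BASELINE='tcp4 2200
tcp4 631
udp4 631'

# audit_listeners BASELINE   (sockstat listing on stdin)
# Prints "proto port command local-address" for each listener that is missing
# from the baseline. Exit status is 1 if any were found, 0 if the host matches.
audit_listeners() {
    # The baseline is fed in ahead of the listing, separated by a marker line,
    # so one awk pass can load it without multi-line -v assignments.
    { printf '%s\n' "$1"; echo '=='; cat; } | awk '
        /^==$/        { listing = 1; next }
        !listing      { if (NF >= 2) ok[$1 " " $2] = 1; next }
        $1 == "USER"  { next }                       # column header line
        NF >= 6 {
            proto = $5; addr = $6; port = addr
            sub(/.*:/, "", port)                     # keep text after the last colon
            if (!((proto " " port) in ok)) {
                found++
                print proto, port, $2, addr
            }
        }
        END { if (found) exit 1 }'
}

# Stand-alone run over the embedded sample: flags Xorg on tcp4/6000 and syslogd
# on udp4/514, the two listeners the baseline does not account for.
printf '%s\n' "$SAMPLE_SOCKSTAT" | audit_listeners "$BASELINE" \
    || echo 'unexpected listeners found; review the lines above'
```

The two flagged entries are exactly the kind of thing the article is about: an X server and a syslog daemon accepting connections from the network without anyone having decided they should.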
Linux
As with FreeBSD, the obvious choice of tool to use for listing open ports is netstat. Most Linux distributions use a different version of the utility, however — maintained separately from the Linux distribution, as an independent software development project.
One consequence of that fact is that the command line options used to achieve the same results may be different with FreeBSD than with Debian, Ubuntu, or Fedora Core Linux systems. On a typical Linux system, this command will list open network ports and the processes that own them:
The output should look something like this:
Active Internet connections (only servers)
Proto Recv-Q Send-Q  Local Address   Foreign Address  State   PID/Program name
tcp        0      0  127.0.0.1:631   0.0.0.0:*        LISTEN  2458/cupsd
tcp        0      0  127.0.0.1:5432  0.0.0.0:*        LISTEN  2353/postgres
tcp6       0      0  :::22           :::*             LISTEN  2335/sshd
udp        0      0  0.0.0.0:631     0.0.0.0:*                2458/cupsd
As you can see from this output, the Debian GNU/Linux system on which I ran that command has only four open ports: two for CUPS, so that the computer can communicate with the network printer; one for PostgreSQL, so that it can be contacted by applications in development; and one for SSH, so that I can access it remotely from my laptop.
Microsoft Windows XP
Microsoft Windows also offers a netstat command that can be executed from the command line to get a list of open ports. The standard MS Windows version of netstat is slightly more limited than its Unix-like system counterparts, but still suffices to get a listing of listening services:
netstat -a | find "LISTENING"
The output of this command should look something like this:
TCP  hostname:epmap         hostname:0  LISTENING
TCP  hostname:microsoft-ds  hostname:0  LISTENING
TCP  hostname:10110         hostname:0  LISTENING
TCP  hostname:netbios-ssn   hostname:0  LISTENING
. . . with “hostname” replaced by the system’s hostname, of course.
Commercial UNIX Systems
For most commercial UNIX systems, even if there is not a version of sockstat available, you should be able to install lsof — which is short for “list open files”. Most Linux distributions and BSD Unix systems will provide lsof with a default install or through their respective software management systems. Some commercial UNIX systems do so as well, and for many others you can download it. The following command will limit the output of the utility to network ports:
lsof -i -n | egrep 'COMMAND|LISTEN'
The output should look something like this (as run on my laptop, again):
COMMAND  PID   USER  FD  TYPE  DEVICE      SIZE/OFF  NODE  NAME
Xorg     1154  root  1u  IPv6  0xc6042000  0t0       TCP   *:x11 (LISTEN)
Xorg     1154  root  3u  IPv4  0xc6041cb0  0t0       TCP   *:x11 (LISTEN)
sshd     1685  root  3u  IPv6  0xc6041ae0  0t0       TCP   *:2200 (LISTEN)
sshd     1685  root  4u  IPv4  0xc6041910  0t0       TCP   *:2200 (LISTEN)
cupsd    1701  root  3u  IPv6  0xc6041740  0t0       TCP   [::1]:ipp (LISTEN)
cupsd    1701  root  4u  IPv4  0xc6041570  0t0       TCP   127.0.0.1:ipp (LISTEN)
Now you know
. . . and knowing is half the battle. The other half involves using your knowledge, of course.
Now that you know how to list open ports on your system and can collect the information needed to find out what services are running that should not be active, you can make sure you turn off those services and close those ports. Because that process varies so greatly from one system to the next, and tends to be somewhat more complex than listing open ports, any instruction on that task from me will have to wait for another day.