Sockstat
| Line 1: | Line 1: | ||
| Socket status -- socket in this context meaning a protocol, like [[ftp]] and a port, like 21. | Socket status -- socket in this context meaning a protocol, like [[ftp]] and a port, like 21. | ||
| + | |||
| + | Similar to the linux netstat, but differnet from the FreeBSD [[netstat]]. Consult the manpage for more info on switches, but right away you might want to look into the -4 switch to see any open [[IPv4]] connections (-6 will show you open [[IPv6]] connections but those are less common and you won't get much use out of it.) | ||
| ==Using sockstat to help secure your machine== | ==Using sockstat to help secure your machine== | ||
Revision as of 20:39, 1 October 2004
Socket status -- socket in this context meaning a protocol, like ftp and a port, like 21.
Similar to the linux netstat, but differnet from the FreeBSD netstat. Consult the manpage for more info on switches, but right away you might want to look into the -4 switch to see any open IPv4 connections (-6 will show you open IPv6 connections but those are less common and you won't get much use out of it.)
Using sockstat to help secure your machine
dave@samizdata:~% su - Password: samizdata# sockstat -46 USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS dave sshd 12230 5 tcp4 10.10.1.208:22 10.10.1.108:4095 root sshd 12226 5 tcp4 10.10.1.208:22 10.10.1.108:4095 root ssh 95269 3 tcp4 10.10.1.208:49847 10.10.0.251:22 dave sshd 92858 5 tcp4 10.10.1.208:22 10.10.1.108:2716 root sshd 92855 5 tcp4 10.10.1.208:22 10.10.1.108:2716 root inetd 87064 4 tcp4 *:21 *:* root sendmail 59172 3 tcp4 *:25 *:* root ntpd 33328 4 udp4 *:123 *:* root ntpd 33328 5 udp4 10.10.1.208:123 *:* root ntpd 33328 6 udp4 127.0.0.1:123 *:* root sshd 366 3 tcp6 *:22 *:* root sshd 366 4 tcp4 *:22 *:* root amd 309 4 udp4 *:1023 *:* root amd 309 5 tcp4 *:1023 *:* root amd 309 6 udp4 *:1021 *:* root amd 309 7 udp4 *:1020 *:* root rpcbind 228 4 udp6 *:* *:* root rpcbind 228 6 udp6 *:111 *:* root rpcbind 228 7 udp6 *:1023 *:* root rpcbind 228 8 tcp6 *:111 *:* root rpcbind 228 9 udp4 *:111 *:* root rpcbind 228 10 udp4 *:1022 *:* root rpcbind 228 11 tcp4 *:111 *:* root syslogd 213 4 udp6 *:514 *:* root syslogd 213 5 udp4 *:514 *:* samizdata#
Well, that's a lot of stuff. There are a few ways to minimize the ports available; one simple way is to put the machine behind a firewall (or run the built-in ipfw) and block connections you don't want. This is effective, but doesn't stop the real problem: potentially open connections to programs/services that are listening. If your firewall fails for whatever reason, those ports are still open and listening for someone somewhere to please, please, please talk to them. Which is potentially a bad thing. So let's do it right, and stop the services listening and then we can wrap the machine in ipfw love.
The output above is from a server, which I am running headless, so there's no X11 ports showing, since I'm not running X. If I were, you'd also see a bunch of ports in the 6000 range open. Even if you 'want' to run X over the network, there are better ways to do this than by letting X play directly with the network (think about using an ssh tunnel and piping X through 'that'). To stop X from listening to the network, we'll have to edit /usr/X11R6/bin/startx and change the serverargs line to
serverargs="-nolisten tcp"
I don't want to run the automounter daemon, I have no use for NFS stuff on this machine right now and I won't be doing networkable syslog, so I'm going to turn those off. To do that, I'll need to edit /etc/rc.conf and change or add a few lines.
Editing /etc/rc.conf by either changing these entries to these values (or adding entries with these values) will disable NFS (those port 111 entries), portmap (you only really need it if you're doing NFS,) and networked syslog (the -ss flag).
nfs_server_enable="NO" nfs_client_enable="NO" portmap_enable="NO" syslogd_enable="YES" syslogd_flags="-ss"
