Now that some of the background of networking and TCP/IP has been covered, let's go over ports and some related topics. Ports have an impact on the security of your system, so be sure to see the security chapter for an introduction to some security topics and recommendations.

Every Linux system on an IP network has at least one IP address through which systems and their processes communicate. With many processes running on every system and a lot of data exchanged between systems, there is the potential for much confusion. If a process on one system needs to communicate with a process on another system, for instance, there needs to be a way for the second system to identify where to deliver the data. TCP/IP solves this problem by identifying a TCP or UDP port. Ports are the endpoints of a connection that one host has to another host. I use host here because host-to-host connections are easier to understand, but you should bear in mind that TCP/IP connections can also be between processes on the same host (for example, between a Web browser on your desktop and a Web server running on your own machine). In any event, ports are identified by integers on your system and can be controlled. For security purposes, you might want to close some ports that you don't plan on using and restrict others.

The operating system keeps track of many pieces of information for every connection; this information facilitates the communication between the processes. Of this vast amount of information, four pieces together make the connection unique: the source IP address, the source port number, the destination IP address, and the destination port number. When a system wants to make a connection to another system, it specifies the destination IP address and port number. Internet services running on systems listen on a particular port. The file /etc/services lists the services and their corresponding port numbers.
This is a long file, so the following listing shows a small subset of it:

    ftp-data        20/tcp
    ftp-data        20/udp
    # 21 is registered to ftp, but also used by fsp
    ftp             21/tcp
    ftp             21/udp          fsp fspd
    ssh             22/tcp                          # SSH Remote Login Protocol
    ssh             22/udp                          # SSH Remote Login Protocol
    telnet          23/tcp
    telnet          23/udp
    # 24 - private mail system
    smtp            25/tcp          mail
    smtp            25/udp          mail
    time            37/tcp          timserver
    time            37/udp          timserver
    rlp             39/tcp          resource        # resource location
    rlp             39/udp          resource        # resource location

As you can see in this example, telnet runs on port 23. This is the standard port number for telnet; it is a well-known service, and every well-known service has a standard port number. You have a lot of control over which ports and services you'll enable and disable on your Linux system. To begin with, let's use netstat to view all ports with -a, to skip resolving hostnames with -n, and to show both UDP with -u and TCP with -t, as shown in the following example:

    # netstat -antu
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:901             0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:1448          0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
    tcp        0    138 192.168.1.102:23        192.168.1.100:2706      ESTABLISHED
    tcp        1      0 192.168.1.102:1406      216.239.51.101:80       CLOSE_WAIT
    tcp        0      0 192.168.1.102:1571      64.12.29.103:5190       ESTABLISHED
    tcp        1      0 192.168.1.102:1405      66.70.73.150:80         CLOSE_WAIT
    tcp        1      0 192.168.1.102:1404      66.70.73.150:80         CLOSE_WAIT
    udp        0      0 0.0.0.0:1024            0.0.0.0:*
    udp        0      0 192.168.1.102:137       0.0.0.0:*
    udp        0      0 0.0.0.0:137             0.0.0.0:*
    udp        0      0 192.168.1.102:138       0.0.0.0:*
    udp        0      0 0.0.0.0:138             0.0.0.0:*
    udp        0      0 0.0.0.0:10000           0.0.0.0:*
    udp        0      0 0.0.0.0:111             0.0.0.0:*
    #

You can see that many ports are in the LISTEN state, some are ESTABLISHED, and others are CLOSE_WAIT at this time. One of the ESTABLISHED connections is on port 23 from IP address 192.168.1.100, which means that it's a telnet session, as we determined earlier by viewing the /etc/services file. Notice also that ports 21, 22, and 23 are all listening. These were in our earlier /etc/services listing and are ftp, ssh, and telnet, respectively. Many other ports are also listening, and each one provides potential access to the system. Turning off these ports would increase the security of the system but would also remove the ability to connect through that port and use a useful service. You've now seen a lot of useful information: /etc/services shows the list of services that we can enable and disable, and netstat -antu shows the status of the ports.

There is an interesting nuance to the port number scheme. Many services based on Remote Procedure Call (RPC) do not listen for requests on a well-known port, such as telnet on 23, but rather pick an arbitrary port when initialized. They then register this port with a portmapper service running on the same machine. Only the portmapper needs to run on a well-known port; when clients want access to the service, they first contact the portmapper, which tells them which port they should then contact in order to reach the service. This second port may be for TCP or UDP access. The following two lines from our /etc/services file show the portmapper:

    sunrpc          111/tcp         portmapper      # RPC 4.0 portmapper TCP
    sunrpc          111/udp         portmapper      # RPC 4.0 portmapper UDP

The earlier netstat -antu output did indeed show that port 111 is listening. You have to be careful with this port because, in most cases, you can't disable it; however, it is a port to which someone could connect and potentially gain access to your system.
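The inventory that the netstat -antu and /etc/services walk-through above builds by hand can be produced in a few lines of code. The following is an added example, not from the book: it parses a constructed sample of netstat -antu output (modelled on the listing above), resolves each listening port to its name from a constructed subset of /etc/services, and records whether the port is bound to loopback only (127.x) or to every interface (0.0.0.0), which is the first thing to check when deciding which listeners to turn off.

```python
# Added example (not from the book): inventory listening sockets from
# `netstat -antu` output and name each port from /etc/services.
# Constructed sample, modelled on the netstat -antu listing in the text.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:1448          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0    138 192.168.1.102:23        192.168.1.100:2706      ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*
"""
# Constructed subset of /etc/services: name port/proto [aliases] [# comment]
SERVICES_FILE = """\
ssh             22/tcp                          # SSH Remote Login Protocol
telnet          23/tcp
sunrpc          111/tcp         portmapper      # RPC 4.0 portmapper TCP
sunrpc          111/udp         portmapper      # RPC 4.0 portmapper UDP
"""

def parse_services(text):
    """Map (port, proto) -> service name; comments and blank lines skipped."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        table[(int(port), proto)] = name
    return table

def listening_sockets(netstat_text, services):
    """Return (proto, port, scope, service) for each listening socket."""
    result = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "udp"):
            continue  # header lines
        proto, local, foreign = fields[0], fields[3], fields[4]
        state = fields[5] if len(fields) > 5 else ""
        # TCP listens in state LISTEN; UDP has no state, so an unconnected
        # socket (foreign address 0.0.0.0:*) counts as listening.
        if (proto == "tcp" and state != "LISTEN") or \
           (proto == "udp" and foreign != "0.0.0.0:*"):
            continue
        addr, port = local.rsplit(":", 1)
        scope = "loopback-only" if addr.startswith("127.") else "all-interfaces"
        result.append((proto, int(port), scope, services.get((int(port), proto), "unknown")))
    return result
```

On a live system, feed it the real output (`netstat -antu`) and the real /etc/services; a port reported as "unknown" and "all-interfaces" is one to account for before deciding to leave it enabled.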
The netstat -p command shows which processes are connected to which ports, as shown in the following example, which searches for telnet:

    # netstat -p | grep tel
    tcp        0      2 linuxdev:telnet         F4457MXP:2706           ESTABLISHED 27269/in.telnetd: F
    #

I issued the netstat command and piped it to grep so you could see only the telnet connection. Shown in this output are both the destination and source hosts and the status of ESTABLISHED.

The next chapter covers ways of controlling the services. There are a few different ways to enable and disable services, and some examples are provided. Before you permanently enable or disable network services, please be sure to see the security chapter for an introduction to some security topics and recommendations.