Ports and Related Topics


Now that some of the background of networking and TCP/IP has been covered, let's go over ports and some related topics. Ports have an impact on the security of your system, so be sure to see the security chapter for an introduction to some security topics and recommendations.

Every Linux system on an IP network has at least one IP address through which the system and its processes communicate. With many processes running on every system and a lot of data exchanged between systems, there is plenty of room for confusion: if a process on one system needs to communicate with a process on another system, the second system needs a way to identify which process the data should be delivered to. TCP/IP solves this problem with TCP and UDP ports. A port identifies one endpoint of a connection between hosts. I say host here because host-to-host connections are the easiest to picture, but bear in mind that TCP/IP connections can also be between processes on the same host (for example, between a Web browser on your desktop and a Web server running on your own machine). In any event, ports are identified by integers on your system and can be controlled. For security purposes, you might want to close ports that you don't plan on using and restrict others.

The operating system keeps track of many pieces of information for every connection. This information facilitates the communication between the processes. Of this vast amount of information, four pieces make the connection unique: the source IP address, the source port number, the destination IP address, and the destination port number.

When a system wants to make a connection to another system, it specifies the destination IP address and port number. Internet services running on systems listen on a particular port. The file /etc/services maps well-known service names to their port numbers and protocols. This is a long file, so the following listing shows a small subset of it:

 ftp-data        20/tcp
 ftp-data        20/udp
 # 21 is registered to ftp, but also used by fsp
 ftp             21/tcp
 ftp             21/udp          fsp fspd
 ssh             22/tcp                           # SSH Remote Login Protocol
 ssh             22/udp                           # SSH Remote Login Protocol
 telnet          23/tcp
 telnet          23/udp
 # 24 - private mail system
 smtp            25/tcp          mail
 smtp            25/udp          mail
 time            37/tcp          timserver
 time            37/udp          timserver
 rlp             39/tcp          resource         # resource location
 rlp             39/udp          resource         # resource location

As you can see in this example, telnet runs on port 23, its standard port number. telnet is a well-known service, and every well-known service has a standard port number like this.

You have a lot of control over which ports and services you enable and disable on your Linux system. To begin with, let's use netstat to view all ports (-a), skip resolving hostnames (-n), and show both UDP (-u) and TCP (-t), as shown in the following example:

 # netstat -antu
 Active Internet connections (servers and established)
 Proto Recv-Q Send-Q Local Address           Foreign Address       State
 tcp        0      0 0.0.0.0:1024            0.0.0.0:*             LISTEN
 tcp        0      0 0.0.0.0:901             0.0.0.0:*             LISTEN
 tcp        0      0 127.0.0.1:1448          0.0.0.0:*             LISTEN
 tcp        0      0 0.0.0.0:139             0.0.0.0:*             LISTEN
 tcp        0      0 0.0.0.0:111             0.0.0.0:*             LISTEN
 tcp        0      0 0.0.0.0:6000            0.0.0.0:*             LISTEN
 tcp        0      0 0.0.0.0:10000           0.0.0.0:*             LISTEN
 tcp        0      0 0.0.0.0:21              0.0.0.0:*             LISTEN
 tcp        0      0 0.0.0.0:22              0.0.0.0:*             LISTEN
 tcp        0      0 0.0.0.0:23              0.0.0.0:*             LISTEN
 tcp        0    138 192.168.1.102:23        192.168.1.100:2706    ESTABLISHED
 tcp        1      0 192.168.1.102:1406      216.239.51.101:80     CLOSE_WAIT
 tcp        0      0 192.168.1.102:1571      64.12.29.103:5190     ESTABLISHED
 tcp        1      0 192.168.1.102:1405      66.70.73.150:80       CLOSE_WAIT
 tcp        1      0 192.168.1.102:1404      66.70.73.150:80       CLOSE_WAIT
 udp        0      0 0.0.0.0:1024            0.0.0.0:*
 udp        0      0 192.168.1.102:137       0.0.0.0:*
 udp        0      0 0.0.0.0:137             0.0.0.0:*
 udp        0      0 192.168.1.102:138       0.0.0.0:*
 udp        0      0 0.0.0.0:138             0.0.0.0:*
 udp        0      0 0.0.0.0:10000           0.0.0.0:*
 udp        0      0 0.0.0.0:111             0.0.0.0:*
 #

You can see that many ports are in the LISTEN state, some are ESTABLISHED, and others are in CLOSE_WAIT at this time. One of the ESTABLISHED connections is on port 23 from IP address 192.168.1.100, which means it's a telnet session, as determined earlier by viewing the /etc/services file.

Notice also that 21, 22, and 23 are all listening. These were in our earlier /etc/services listing and are ftp, ssh, and telnet, respectively. Many other ports are also listening, and each provides a potential way to access the system. Turning off these ports would increase the security of the system but would also remove the ability to connect through that port and use a potentially useful service.

You've now seen a lot of useful information by viewing /etc/services to see the list of services that we can enable and disable and using netstat -antu to view the status of the ports. There is an interesting nuance to the port number scheme.
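An added example (not from the book) that parses constructed samples of the /etc/services format and the netstat -antu output shown above: it names each listening socket, flags whether it is bound to every interface or only locally, and pulls out the four values that make each connection unique.

```shell
#!/bin/sh
# Added example (not from the book): name the listening sockets in netstat -antu
# output with an /etc/services-style table, flag which are bound to every
# interface, and extract each connection's unique 4-tuple. Both inputs are
# constructed samples modelled on the chapter's listings.
SERVICES='ftp             21/tcp
ssh             22/tcp                           # SSH Remote Login Protocol
telnet          23/tcp
smtp            25/tcp          mail
sunrpc          111/tcp         portmapper      # RPC 4.0 portmapper TCP
sunrpc          111/udp         portmapper      # RPC 4.0 portmapper UDP'
NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address       State
tcp        0      0 0.0.0.0:111             0.0.0.0:*             LISTEN
tcp        0      0 127.0.0.1:1448          0.0.0.0:*             LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*             LISTEN
tcp        0    138 192.168.1.102:23        192.168.1.100:2706    ESTABLISHED
tcp        1      0 192.168.1.102:1406      216.239.51.101:80     CLOSE_WAIT
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# service_name PROTO PORT: print the /etc/services name for PORT/PROTO,
# or "unknown". Trailing "# ..." comments are stripped before matching.
service_name() {
    printf '%s\n' "$SERVICES" | awk -v key="$2/$1" '
        { sub(/#.*/, "") }
        $2 == key { print $1; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# listening_sockets: one line per LISTEN tcp socket or bound udp socket:
#   proto port bind-address service exposure
# exposure is all-interfaces for 0.0.0.0 or :: binds, local otherwise.
listening_sockets() {
    printf '%s\n' "$NETSTAT" | awk '
        ($1 == "tcp" && $6 == "LISTEN") || ($1 == "udp" && $6 == "") {
            n = split($4, a, ":"); port = a[n]
            print $1, port, substr($4, 1, length($4) - length(port) - 1)
        }' | while read -r proto port addr; do
        case "$addr" in 0.0.0.0|::) exposure=all-interfaces ;; *) exposure=local ;; esac
        echo "$proto $port $addr $(service_name "$proto" "$port") $exposure"
    done
}

# established_tuples: local-ip local-port remote-ip remote-port per connection
established_tuples() {
    printf '%s\n' "$NETSTAT" | awk '$6 == "ESTABLISHED" {
        split($4, l, ":"); split($5, r, ":"); print l[1], l[2], r[1], r[2] }'
}

listening_sockets
established_tuples
```

Sockets reported as all-interfaces with an unknown service name are the ones worth tracking down with netstat -p before deciding whether to keep them.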

Many services based on Remote Procedure Call do not listen for requests on a well-known port, such as telnet on 23, but rather pick an arbitrary port when initialized. They then register this port with a Portmapper service running on the same machine. Only the portmapper needs to run on a well-known port; when clients want access to the service, they first contact the portmapper, and it tells them which port they should then contact in order to reach the service. This second port may be for TCP or UDP access. The following two lines are from our /etc/services file showing portmapper:

 sunrpc          111/tcp         portmapper      # RPC 4.0 portmapper TCP
 sunrpc          111/udp         portmapper      # RPC 4.0 portmapper UDP

The earlier netstat -antu output did indeed show port 111 listening. You have to be careful with this port because, in most cases, you can't disable it; yet it is a port to which someone could connect and potentially gain access to your system. The netstat -p option shows which process owns each port, as shown in the following example, which searches for telnet:

 # netstat -p | grep tel
 tcp        0      2 linuxdev:telnet         F4457MXP:2706         ESTABLISHED 27269/in.telnetd: F
 #

I issued the netstat command and piped it to grep so you could see only the telnet connection. The output shows the source and destination hosts, the state ESTABLISHED, and the PID and program name (27269/in.telnetd) that owns the socket.

The next chapter covers ways of controlling these services. There are a few different ways to enable and disable services, and some examples are provided. Before you permanently enable or disable network services, please be sure to see the security chapter for an introduction to some security topics and recommendations.



    Linux on HP Integrity Servers: A System Administrator's Guide
    ISBN: 0131400002
    Year: 2004
    Pages: 100