
Sockstat

From FreeBSDwiki

Revision as of 20:39, 1 October 2004

Socket status -- a socket in this context means a protocol, like ftp, together with a port, like 21.

Similar to the Linux netstat, but different from the FreeBSD netstat. Consult the manpage for more information on switches, but right away you might want to look into the -4 switch to see any open IPv4 connections (-6 will show you open IPv6 connections, but those are less common and you won't get much use out of it).

Using sockstat to help secure your machine

dave@samizdata:~% su -
Password:
samizdata# sockstat -46
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
dave     sshd       12230 5  tcp4   10.10.1.208:22        10.10.1.108:4095
root     sshd       12226 5  tcp4   10.10.1.208:22        10.10.1.108:4095
root     ssh        95269 3  tcp4   10.10.1.208:49847     10.10.0.251:22
dave     sshd       92858 5  tcp4   10.10.1.208:22        10.10.1.108:2716
root     sshd       92855 5  tcp4   10.10.1.208:22        10.10.1.108:2716
root     inetd      87064 4  tcp4   *:21                  *:*
root     sendmail   59172 3  tcp4   *:25                  *:*
root     ntpd       33328 4  udp4   *:123                 *:*
root     ntpd       33328 5  udp4   10.10.1.208:123       *:*
root     ntpd       33328 6  udp4   127.0.0.1:123         *:*
root     sshd       366   3  tcp6   *:22                  *:*
root     sshd       366   4  tcp4   *:22                  *:*
root     amd        309   4  udp4   *:1023                *:*
root     amd        309   5  tcp4   *:1023                *:*
root     amd        309   6  udp4   *:1021                *:*
root     amd        309   7  udp4   *:1020                *:*
root     rpcbind    228   4  udp6   *:*                   *:*
root     rpcbind    228   6  udp6   *:111                 *:*
root     rpcbind    228   7  udp6   *:1023                *:*
root     rpcbind    228   8  tcp6   *:111                 *:*
root     rpcbind    228   9  udp4   *:111                 *:*
root     rpcbind    228   10 udp4   *:1022                *:*
root     rpcbind    228   11 tcp4   *:111                 *:*
root     syslogd    213   4  udp6   *:514                 *:*
root     syslogd    213   5  udp4   *:514                 *:*
samizdata#

Well, that's a lot of stuff. There are a few ways to minimize the ports available; one simple way is to put the machine behind a firewall (or run the built-in ipfw) and block the connections you don't want. This is effective, but it doesn't address the real problem: programs and services that are listening for connections. If your firewall fails for whatever reason, those ports are still open and listening for someone somewhere to please, please, please talk to them, which is potentially a bad thing. So let's do it right: stop the services from listening first, and then we can wrap the machine in ipfw love.

The output above is from a server that I am running headless, so there are no X11 ports showing, since I'm not running X. If I were, you'd also see a bunch of ports in the 6000 range open. Even if you 'want' to run X over the network, there are better ways to do this than by letting X talk directly to the network (think about using an ssh tunnel and piping X through 'that'). To stop X from listening on the network, edit /usr/X11R6/bin/startx and change the serverargs line to

serverargs="-nolisten tcp"

I don't want to run the automounter daemon, I have no use for NFS on this machine right now, and I won't be doing networked syslog, so I'm going to turn those off. To do that, I'll need to edit /etc/rc.conf and change or add a few lines.

Editing /etc/rc.conf by changing these entries to these values (or adding entries with these values) will disable NFS (those port 111 entries), portmap (you only really need it if you're doing NFS) and networked syslog (the -ss flag).

nfs_server_enable="NO"
nfs_client_enable="NO"
portmap_enable="NO"
syslogd_enable="YES"
syslogd_flags="-ss"
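An added example (not from the wiki page): a small shell script that reads sockstat -46 output in the column layout shown above, reports every listening socket and whether it is bound to all interfaces or only to 127.0.0.1, and pairs the daemons this page turns off with the rc.conf lines given above. The sample listing is constructed and abbreviated from the output above; the rc.conf hints for anything else are left for you to look up, and you can run the same pipeline against a real `sockstat -46` after the reboot to confirm the rpcbind and wildcard syslogd entries are gone.

```shell
#!/bin/sh
# Summarise listening sockets in sockstat-style output.
# Assumes the column layout shown on the page:
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS

# Constructed sample, abbreviated from the listing above (not live output).
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
dave     sshd       12230 5  tcp4   10.10.1.208:22        10.10.1.108:4095
root     inetd      87064 4  tcp4   *:21                  *:*
root     sendmail   59172 3  tcp4   *:25                  *:*
root     ntpd       33328 6  udp4   127.0.0.1:123         *:*
root     sshd       366   4  tcp4   *:22                  *:*
root     rpcbind    228   11 tcp4   *:111                 *:*
root     syslogd    213   5  udp4   *:514                 *:*'

# Read sockstat output on stdin; print one line per listening socket
# (foreign address "*:*") as: COMMAND PROTO PORT SCOPE
# SCOPE is all-interfaces for a wildcard bind, local-only for 127.0.0.1,
# one-address for a bind to a single non-loopback address.
listening_sockets() {
    awk 'NR > 1 && $7 == "*:*" {
        n = split($6, a, ":")          # port is the last ":"-separated field
        addr = a[1]; port = a[n]
        scope = (addr == "*") ? "all-interfaces" : \
                (addr == "127.0.0.1" ? "local-only" : "one-address")
        print $2, $5, port, scope
    }'
}

# Number of sockets reachable from any interface.
count_wildcard() {
    listening_sockets | awk '$4 == "all-interfaces"' | wc -l | tr -d ' '
}

# rc.conf change this page gives for a daemon; others must be looked up.
rc_conf_hint() {
    case "$1" in
        rpcbind) echo 'portmap_enable="NO"' ;;
        syslogd) echo 'syslogd_flags="-ss"' ;;
        *)       echo '(see rc.conf and the daemon manpage)' ;;
    esac
}

# Report: every socket bound to all interfaces, with its rc.conf hint.
report() {
    listening_sockets | awk '$4 == "all-interfaces"' |
    while read -r cmd proto port scope; do
        printf '%-10s %-5s %-5s %s\n' "$cmd" "$proto" "$port" "$(rc_conf_hint "$cmd")"
    done
}

printf '%s\n' "$SAMPLE" | report
```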