From FreeBSDwiki
Revision as of 01:07, 17 August 2007 by Jimbo (Talk | contribs)

Socket status. sockstat(1) lists every open socket on the machine: the protocol (tcp4, udp6, and so on), the local address and port (for example port 21 for ftp), the foreign address of the peer if a connection is established, and, unlike plain netstat, the user, command and PID that own it.

It fills the role of netstat -p on Linux; FreeBSD's own netstat shows the sockets but not which process owns them, which is exactly what you need to know when deciding what to turn off. Consult the manpage for the full list of switches. The ones you will want straight away are -4 for IPv4 sockets, -6 for IPv6 sockets and -l to show only sockets that are listening. Do not skip -6: in the output below sshd, rpcbind and syslogd are bound on tcp6/udp6 as well as tcp4/udp4, which is why -46 is used here.

Using sockstat to help secure your machine

dave@samizdata:~% su -
samizdata# sockstat -46
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
dave     sshd       12230 5  tcp4
root     sshd       12226 5  tcp4
root     ssh        95269 3  tcp4
dave     sshd       92858 5  tcp4
root     sshd       92855 5  tcp4
root     inetd      87064 4  tcp4   *:21                  *:*
root     sendmail   59172 3  tcp4   *:25                  *:*
root     ntpd       33328 4  udp4   *:123                 *:*
root     ntpd       33328 5  udp4       *:*
root     ntpd       33328 6  udp4         *:*
root     sshd       366   3  tcp6   *:22                  *:*
root     sshd       366   4  tcp4   *:22                  *:*
root     amd        309   4  udp4   *:1023                *:*
root     amd        309   5  tcp4   *:1023                *:*
root     amd        309   6  udp4   *:1021                *:*
root     amd        309   7  udp4   *:1020                *:*
root     rpcbind    228   4  udp6   *:*                   *:*
root     rpcbind    228   6  udp6   *:111                 *:*
root     rpcbind    228   7  udp6   *:1023                *:*
root     rpcbind    228   8  tcp6   *:111                 *:*
root     rpcbind    228   9  udp4   *:111                 *:*
root     rpcbind    228   10 udp4   *:1022                *:*
root     rpcbind    228   11 tcp4   *:111                 *:*
root     syslogd    213   4  udp6   *:514                 *:*
root     syslogd    213   5  udp4   *:514                 *:*

Well, that's a lot of stuff. There are a few ways to cut down the ports that are reachable. One simple way is to put the machine behind a firewall (or use the ipfw built into FreeBSD) and block the connections you don't want. That is effective, and you should do it, but it treats the symptom rather than the real problem: daemons you don't need are still listening. If the firewall fails for whatever reason (rules flushed on a bad reload, a typo in the ruleset, a client on the same subnet or on a VPN that the rules never covered), every one of those ports is still open and waiting for someone, somewhere, to please, please, please talk to it. Which is potentially a bad thing. So let's do it right: stop the services listening first, and then wrap the machine in ipfw love as a second layer.

The output above is from a server I run headless, so there are no X11 ports showing, since I'm not running X. If I were, you'd also see ports in the 6000 range open (6000 plus the display number, so :0 listens on tcp/6000). Even if you want to run X over the network, there are better ways to do it than letting the X server take TCP connections directly: X over TCP is unencrypted and its own access control (xhost, xauth cookies) is thin, so forward it through an ssh tunnel instead (ssh -X, or ssh -Y if your application needs the untrusted-extension restrictions lifted). To stop X from listening on the network, edit /usr/X11R6/bin/startx and change the serverargs line to

serverargs="-nolisten tcp"

I don't want to run the automounter daemon, I have no use for NFS stuff on this machine right now and I won't be doing networkable syslog, so I'm going to turn those off. To do that, I'll need to edit /etc/rc.conf and change or add a few lines.

Change these entries in /etc/rc.conf to the values shown (or add them if they are missing) to disable NFS and amd, rpcbind (the portmapper behind the port 111 entries, which older systems call portmap; NFS and amd need it, and very little else does, so the high-numbered udp/tcp ports amd and rpcbind took above go away with it) and networked syslog (the -ss flag: a single -s makes syslogd ignore messages from other hosts, while -ss keeps it from opening a network socket at all, which is what removes the udp/514 entries). After a reboot, or after stopping the daemons with their /etc/rc.d scripts, run sockstat -46l again and confirm only the listeners you meant to keep remain.
