Ports
Latest revision as of 13:07, 17 July 2007
Ports are numbers that transport-layer (layer 4 of the OSI model) protocols use to identify which endpoint on a host a segment is addressed to; in practice a port identifies a service or process. TCP and UDP are the transport-layer protocols that have ports. In both, a port is represented by a 16-bit unsigned integer, so the possible range is 0 through 65535. Port 0 is reserved: binding a socket to port 0 asks the operating system for an ephemeral port, so no service is ever reached on it.
Say you want to know what is running on port 80 of your machine. The first hint would be to look in the file /etc/services as well as IANA's list to get an idea of what typically runs on that port.
http            80/tcp    www www-http    # World Wide Web HTTP
http            80/udp    www www-http    # World Wide Web HTTP
So 80 is the port conventionally used for the web. That only tells you what should be there; now we try netstat to see what is actually listening.
# netstat -an | grep LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
Note that netstat -an shows the socket but not the process that owns it (on Linux, netstat -anp adds the PID and program name when run as root; on the BSDs there is no such flag), which is where lsof comes in;
however I prefer the flexibility of lsof which I install on all of my machines.
# lsof -i:80
COMMAND     PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
httpd       447 root   17u  IPv4 0xc15f6534      0t0  TCP www.example.com:http (LISTEN)
httpd     73819  www   17u  IPv4 0xc15f6534      0t0  TCP www.example.com:http (LISTEN)
will show you exactly what is listening on this port, in this case "httpd". I will now look up the manual for httpd which tells me this is Apache on this particular server.
This will give you a unique, alphabetical summary of the applications currently listening on a TCP port on your system:
# lsof -nP -iTCP -sTCP:LISTEN | awk 'NR > 1 {print $1}' | sort -u
A plain "lsof -i" lists every socket, including established client connections, so the -sTCP:LISTEN filter keeps only listeners; -n and -P keep addresses and ports numeric, and NR > 1 drops the COMMAND header line from the summary.
If you want to see which ports on your machine are open to the general public, which is often how computers are broken into, you can try Yashy's self port scan. A scan from outside matters because a firewall can hide ports that lsof shows as listening. You don't want to see any ports open, or listening, unless you've intentionally started that process for the public to connect to.
For every open port you find, you must determine if that service actually needs to run. If so, check if it actually needs to be available remotely, instead of only on the local machine.
For example, if you're running mysql, you may see port 3306 listening. If mysql is on the same machine as your webserver, which is what you're using it for, you should configure mysqld to listen only on 127.0.0.1 (localhost), for instance with "bind-address = 127.0.0.1" in my.cnf, and not on your external IP address.
You might see that you have port 143 (imap) enabled which is only for machines on your 192.168.* network. If this is the case, configure your imapd to listen only on your 192.168.* interface, not the public-facing one. The only ports you should see open to the public are those of applications you intend for the public to access.
See the "Ending a process" part of the process page for help in ending an unwanted process.
Worst case, you have an application listening externally that you don't want the public to access and that cannot be told to bind to a single address (I can't think of a likely situation for this, but I write this just in case): make sure it is blocked by your firewall.
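As a check you can run routinely rather than by eye, here is an added example that applies the rule above to lsof output. It is my own code, not part of the original page: it parses the output of "lsof -nP -iTCP -sTCP:LISTEN" (the -sTCP:LISTEN filter restricts lsof to listening TCP sockets; -n and -P keep addresses and ports numeric), classifies each bound address as wildcard, loopback, private or public, and reports every listener reachable from outside that is not on the list of ports you intended to expose. The sample lsof output and the addresses in it are constructed, and the script name audit.py in the comment is hypothetical.

```python
import ipaddress
import re

# Constructed sample output of `lsof -nP -iTCP -sTCP:LISTEN` (not captured
# from a real host). -n/-P keep addresses and ports numeric, -sTCP:LISTEN
# keeps only listening sockets. Addresses come from documentation ranges.
SAMPLE_LSOF = """\
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd     447  root    4u  IPv4 0x1001      0t0  TCP *:80 (LISTEN)
httpd     447  root    6u  IPv6 0x1002      0t0  TCP *:443 (LISTEN)
mysqld    512  mysql  10u  IPv4 0x1003      0t0  TCP 203.0.113.10:3306 (LISTEN)
imapd     600  root    3u  IPv4 0x1004      0t0  TCP 192.168.1.5:143 (LISTEN)
sshd      700  root    3u  IPv4 0x1005      0t0  TCP 127.0.0.1:22 (LISTEN)
sshd      700  root    4u  IPv6 0x1006      0t0  TCP [::1]:22 (LISTEN)
"""

# The NAME column is "address:port"; IPv6 addresses are bracketed and "*"
# means "any interface". The greedy group leaves the final ":port" for port.
NAME_RE = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")

# RFC 1918 and IPv6 ULA ranges, checked explicitly rather than through
# ipaddress.is_private, which also flags documentation ranges like 203.0.113.0/24.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_lsof_listeners(text):
    """Return one dict per listening socket in lsof -i output."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the COMMAND header
        fields = line.split()
        if len(fields) < 10 or fields[-1] != "(LISTEN)":
            continue
        m = NAME_RE.match(fields[-2])
        if not m:
            continue
        rows.append({
            "command": fields[0],
            "pid": int(fields[1]),
            "user": fields[2],
            "addr": m.group("addr"),
            "port": int(m.group("port")),
        })
    return rows


def scope(addr):
    """Classify a bound address as any (wildcard), loopback, private or public."""
    if addr == "*":
        return "any"
    ip = ipaddress.ip_address(addr.strip("[]"))
    if ip.is_unspecified:                       # 0.0.0.0 or ::
        return "any"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local or any(ip in net for net in PRIVATE_NETS):
        return "private"                        # not routable from the Internet
    return "public"


def audit(text, intended_public):
    """Return (command, port, scope) for each listener reachable from the
    public side whose port is not in the set you meant to expose."""
    findings = []
    for r in parse_lsof_listeners(text):
        s = scope(r["addr"])
        if s in ("any", "public") and r["port"] not in intended_public:
            findings.append((r["command"], r["port"], s))
    return findings


if __name__ == "__main__":
    # On a live box (hypothetical file name):
    #   lsof -nP -iTCP -sTCP:LISTEN | python3 audit.py
    import sys
    data = SAMPLE_LSOF if sys.stdin.isatty() else sys.stdin.read()
    for cmd, port, s in audit(data, {80, 443}):
        print(f"{cmd} listens on port {port} ({s}): bind it locally or firewall it")
```

Run against the sample with 80 and 443 as the intended public ports, the only finding is mysqld on 3306, bound to the public address; imapd on the 192.168 address and sshd on loopback are left alone, which is exactly the split the text above asks you to make.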
Remote
To see what ports are open on a remote host, you will want to use software such as nmap.
$ nmap scanme.nmap.org
would run a port scan against scanme.nmap.org, a host the Nmap project provides for exactly this kind of test, and show you the open and closed ports on that system. See our nmap page for more nmap options.
Solaris 10
# lsof -i
shows which processes hold network sockets. On Solaris 10 network services are managed by SMF, so list them with:
# svcs
which will give you a long list of services running ("online") or not. You may want to pipe this output through less.
When I did "lsof -i" I saw that rpcbind was running which I don't want, so I found the svcs name by running:
# svcs | grep rpc
online         23:43:56 svc:/network/rpc/bind:default
uninitialized  23:43:44 svc:/network/rpc/gss:default
and several more uninitialized services. I only want to stop the online one:
# svcadm disable svc:/network/rpc/bind:default
and back to a prompt I go. I run "lsof -i" once more to confirm it's stopped, and it is. Both the svcs and svcadm manual pages are worth reading if you're using them for the first time.
Linux (Red Hat and spawn)
# chkconfig --list | grep ':on'
will show a list of all services that are enabled, and at which runlevels (matching ':on' rather than 'on' avoids matching service names that merely contain those letters). Workstations by default use runlevel 5 (multiuser, with networking and X). Servers are typically found in runlevel 3 (multiuser, with networking), but sometimes 5 as well.
Disabling services is simple. For example, to shut down httpd:
# service httpd stop
# chkconfig --level 345 httpd off
The first command shuts down the running webserver (the init-script action is "stop"; "off" is not a valid action), while the second alters the boot configuration so it will not start automatically next time the system is rebooted.
FreeBSD
To see all listening IPv4 sockets (add -P tcp to restrict the output to TCP):
$ sockstat -4l
To see all connected sockets using IPv4 or IPv6:
# sockstat -c