Ports: Difference between revisions

From Hackepedia
Jump to navigationJump to search
Frankk (talk | contribs)
No edit summary
No edit summary
Line 13: Line 13:
however I prefer the flexibility of lsof which I install on all of my machines.  
however I prefer the flexibility of lsof which I install on all of my machines.  


  lsof -i:80
  # lsof -i:80
COMMAND  PID USER  FD  TYPE    DEVICE SIZE/OFF NODE NAME
httpd    447 root  17u  IPv4 0xc15f6534      0t0  TCP www.example.com:http (LISTEN)
httpd  73819  www  17u  IPv4 0xc15f6534      0t0  TCP www.example.com:http (LISTEN)


will show you exactly what is listening on this port. If you want to see ports on your machine are open to the general public, which is often how computers are broken into, you can try Yashy's [http://crypto.yashy.com/nmap.php self port scan]. You don't want to see any ports open, or listening, unless you've intentionally started that process for the public to connect to.
will show you exactly what is listening on this port, in this case "httpd". I will now look up the [[manual]] for httpd which tells me this is Apache on this particular server.
 
If you want to see ports on your machine are open to the general public, which is often how computers are broken into, you can try Yashy's [http://crypto.yashy.com/nmap.php self port scan]. You don't want to see any ports open, or listening, unless you've intentionally started that process for the public to connect to.


Ideally if you see any ports open, you will close down the application that has that port open. Alternatively you can install and use a [[firewall]].
Ideally if you see any ports open, you will close down the application that has that port open. Alternatively you can install and use a [[firewall]].

Revision as of 00:33, 30 November 2005

Ports are identifiers of protocols that work on the transport layer (layer 4) of the OSI model. TCP and UDP are transport layer protocols that have ports. In TCP and UDP a port is represented by a 16 bit short integer which is unsigned meaning that the possible port range is 0 through 65535. Port 0 is illegal and no service resides on it.

Say you want to know what is running on port 80 of your machine. The first hint would be to look in the file /etc/services as well as IANAs list to get an idea of what typically runs on that port.

http             80/tcp    www www-http #World Wide Web HTTP
http             80/udp    www www-http #World Wide Web HTTP

looks like it's the port typically used for the www. Now we can try netstat to actually see what is listening, not just what should be there.

netstat -an | grep LISTEN

however I prefer the flexibility of lsof which I install on all of my machines.

# lsof -i:80
COMMAND   PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
httpd     447 root   17u  IPv4 0xc15f6534      0t0  TCP www.example.com:http (LISTEN)
httpd   73819  www   17u  IPv4 0xc15f6534      0t0  TCP www.example.com:http (LISTEN)

will show you exactly what is listening on this port, in this case "httpd". I will now look up the manual for httpd which tells me this is Apache on this particular server.

If you want to see ports on your machine are open to the general public, which is often how computers are broken into, you can try Yashy's self port scan. You don't want to see any ports open, or listening, unless you've intentionally started that process for the public to connect to.

Ideally if you see any ports open, you will close down the application that has that port open. Alternatively you can install and use a firewall.


Solaris 10

# lsof -i

to see what you have running. All ports are now controlled out of:

# svcs

which will give you a long list of services running ("online") or not. You may want to pipe this output through less.

When I did "lsof -i" I saw that rpcbind was running which I don't want, so I found the svcs name by running:

# svcs | grep rpc
online          23:43:56   svc:/network/rpc/bind:default
uninitialized   23:43:44   svc:/network/rpc/gss:default

and several more uninitialized services. I only want to stop the online one:

# svcadm disable svc:/network/rpc/bind:default

and back to a prompt I go. I run "lsof -i" once more to confirm it's stopped, and it is. Both the svcs and svcadm Manual are worth reading if you're using them for the first time.