The netstat Command
The netstat command is one of the most powerful utilities available to you in your quest for a secure network configuration. While the process table shows you which daemons have been started from the command line, and the /etc/inetd.conf file shows you the ones that are inetd-controlled, the netstat command is the ultimate authority on diagnosing which ports your Linux server is listening on.
The netstat command is very broad in function, but it is the --inet and -a options that show you the current state of your network configuration. Consider the sample output in Listing 4.11.
Listing 4.11 Output of the netstat --inet -a command
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 buggs:ssh               elmer:1186              ESTABLISHED
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        1      0 buggs:2148              226.146.218.1:www       CLOSE_WAIT
tcp        1      0 buggs:2146              226.148.218.1:www       CLOSE_WAIT
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 buggs:1335              elmer:6000              ESTABLISHED
tcp        0      0 buggs:ssh               elmer:39470             ESTABLISHED
tcp        0      0 *:smtp
The netstat --inet -a command in Listing 4.11 shows the connections that are currently active (ESTABLISHED) or in the process of being torn down (CLOSE_WAIT), as well as the services that are waiting for new connections (LISTEN). Focus on this last category: for each LISTEN row, look at the service name that follows the host name (or the * wildcard) in the Local Address column, because that is the port an outside host can reach. In fact, I often create a script that e-mails me the output of the following netstat command periodically:
The previous output from the netstat command is the most accurate picture of what your Linux server looks like to a potential intruder. There are a total of six services active, and there are service names for all of them. (I had to add the service name socks to /etc/services by hand; otherwise I would simply see port 1080.) The challenge is to make sure that the services listed by this command are exactly those that your security policy currently allows, and that you have TCP Wrappers configurations for every one of them. Also, keep the daemons that serve these ports updated with the latest security fixes and monitor their log files several times daily. If you follow these basic guidelines, you'll have a very close grip on the network configuration of your server.
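The periodic audit described above can be scripted directly. The following is an added example, not code from the book: it parses netstat --inet -a output, keeps only the LISTEN rows, and reports any listening service that is not on an allow-list derived from your security policy (the output is a numeric port, such as 1080, whenever /etc/services has no name for it). The netstat text and the allow-list below are constructed sample input modelled on Listing 4.11; in a real cron job you would feed the live command output instead.

```sh
#!/bin/sh
# Added example: compare LISTEN sockets against a policy allow-list.
# SAMPLE_NETSTAT is CONSTRUCTED input modelled on Listing 4.11; replace it
# with "$(netstat --inet -a)" when running for real.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 buggs:ssh               elmer:1186              ESTABLISHED
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        1      0 buggs:2148              226.146.218.1:www       CLOSE_WAIT
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 *:1080                  *:*                     LISTEN'

# Hypothetical policy: services that are allowed to listen, one per line.
ALLOWED_SERVICES='ssh
www
smtp'

# listening_services NETSTAT_OUTPUT
# Prints the service name (or port number) of every LISTEN socket, i.e.
# the text after the last ':' in the Local Address column, sorted, unique.
listening_services() {
    printf '%s\n' "$1" |
        awk '$NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
        sort -u
}

# unexpected_listeners NETSTAT_OUTPUT ALLOW_LIST
# Prints the listening services that do not appear in the allow-list.
unexpected_listeners() {
    listening_services "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($0 in ok) { print }'
}

# Report: this is what the periodic e-mail would carry.
report=$(unexpected_listeners "$SAMPLE_NETSTAT" "$ALLOWED_SERVICES")
if [ -n "$report" ]; then
    echo "Listening services NOT permitted by policy:"
    echo "$report"
else
    echo "All listening services are permitted by policy."
fi
```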