Getting to know your network services By V. Navratilova Special to the Tribune March 23, 2000 Not knowing what network services are open on your Linux machine is like not knowing which doors and windows in your house don't have locks. Like a ground-floor window, every network service is a potential portal for burglars or crackers to crawl through, so you should at least know where your ground floor windows are located, even if you only have a screen on them with no lock. Network services attach themselves to virtual entities called ports. They are conceptually similar to the serial and printer ports in the back of your machine because they allow data to pass through, but these ports reside in the networking software. There are 65,535 network ports. Ports 1 through 1024 are called privileged ports because only processes running as the superuser are allowed to connect to them. Another distinguishing characteristic of these ports is each is assigned to a specific protocol, such as ftp or telnet. A list of the services mapped to each port usually is found in the /etc/services file in Linux (see Figure 1). The Internet "super-server" inetd is a daemon started at boot time that will begin most of your garden-variety network processes. When a network request comes in on a port, inetd will decide which service corresponds to that port and it will start a service to take care of the request. Pruning the list of network services started at this point is a big step in making your machine more secure because many unnecessary services often are turned on by default. Start pruning by looking in /etc/inetd.conf, the file inetd reads to determine the ports to which it should listen for incoming traffic. Comment out any service you don't use by putting a # at the beginning of its line to prevent inetd from starting it at boot time. (Hint: If you can't tell what a service does, look at its man page. In general turn off everything that you don't recognize.) The network resources you need to keep running will depend on your network situation, but a typical configuration is to take out everything other than ssh, telnet, ftp and auth (identd). Of course, if you don't telnet, ssh or ftp into your own machine, you should comment out those as well. There are some network services that are not launched by inetd but still begin at boot time, such as portmapd or rpc.portmap, mountd, quotad, nfsd, rpc.bind and sendmail. Check if these processes are running by looking through your process listing (ps ax) or by using netstat for a list of the ports to which Linux is listening at the present time. netstat -a will give you a listing of all your open ports (see Figure 2). Pay attention to the first section of the output for ports that are listed as LISTENing. These ports have network services actively running. Again, if you don't need those services, you should shut them down. To shut down services that start at boot outside of inetd, look through the rc scripts and comment out the ones you don't need. Since each Linux distribution sets up its rc scripts differently, I can't give you specific instructions on how to find where these services are started. Generally you can go to your /etc/rc.d directory, and grep through the directory tree. Comment out the services you don't want started at boot time. Another way to assess your network openings is to look at your Linux installation from the outside -- in other words, from the network. Do this by using a port scanner such as nmap to scan your own machine. A port scanner usually will connect to every privileged port and record any response it receives, but it can also be configured to scan all ports, or just udp or tcp ports. The responses it gets from the connections are then analyzed and presented as a short report on what's running. You'll want to rely on netstat for your regular network services view because a thorough port scan, including udp ports, sometimes can take up to 10 minutes. However, the average port scan of privileged ports will take only a few seconds. nmap is a great port scanner because it has algorithms for different kinds of scans, and it will even try to guess which operating system the scanned computer is running. nmap was written to scan large networks, and it is superior to the previous generation of Linux network scanners because of its scanning flexibility. Figure 3 shows a sample nmap output. (Warning: Do not take the liberty of scanning your friends' machines without their permission. In many circles doing an uninvited portscan is considered a precursor to a hacking attempt.) Now that you've given your system a good scrub-down, reboot your machine and look through your process listing and netstat output again to see if there are any stubborn network services running that you don't need. Track down where the processes were intitiated and comment them out, then reboot and check again. Locking down your network services is a prerequisite to good site security, so do it regularly between upgrades and after every fresh Linux install. V. Navratilova, a network security analyst for Tribune Information Systems and a long-time Linux user, can be reached at vnaratilova@tribune.com.