3.12 Configuring Access to Network Services

As networks are usually the primary point of entry into IT systems, you can use network intrusion prevention and detection tools to help avert or uncover a security breach. You can then take steps such as disabling unused network services and configuring a packet-filtering firewall and TCP wrappers.

There are several open-source tools for performing packet logging and analysis. For example, tcpdump and Snort capture TCP traffic and analyze it for suspicious usage patterns, such as those that typically occur with port scans or network DoS attacks. Sguil incorporates tcpdump, Snort, and the Wireshark protocol analyzer to provide a network intrusion detection system that simplifies log analysis and reporting.

You can check what services are running on a system by using port scanning utilities. The following examples show the information that the netstat, lsof, and nmap commands return about open TCP ports and the associated services:

# netstat -tulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address             Foreign Address   State    PID/Program name
tcp        0      0 localhost:ipp             *:*               LISTEN   1657/cupsd       
tcp        0      0 localhost:smtp            *:*               LISTEN   1987/master      
tcp        0      0 localhost:29754           *:*               LISTEN   2072/vpnagentd   
tcp        0      0 *:amqp                    *:*               LISTEN   2030/qpidd       
tcp        0      0 *:56652                   *:*               LISTEN   1605/rpc.statd   
tcp        0      0 *:sunrpc                  *:*               LISTEN   1542/rpcbind     
tcp        0      0 *:ssh                     *:*               LISTEN   1887/sshd        
tcp        0      0 localhost:ipp             *:*               LISTEN   1657/cupsd       
tcp        0      0 localhost:smtp            *:*               LISTEN   1987/master      
tcp        0      0 *:45534                   *:*               LISTEN   1605/rpc.statd   
tcp        0      0 *:amqp                    *:*               LISTEN   2030/qpidd       
tcp        0      0 *:sunrpc                  *:*               LISTEN   1542/rpcbind     
tcp        0      0 localhost:47314           *:*               LISTEN   2873/java        
tcp        0      0 *:ssh                     *:*               LISTEN   1887/sshd        
udp        0      0 *:bootpc                  *:*                        1584/dhclient    
udp        0      0 *:44127                   *:*                        1605/rpc.statd   
udp        0      0 *:sunrpc                  *:*                        1542/rpcbind     
udp        0      0 10.0.2.15:ntp             *:*                        1895/ntpd        
udp        0      0 localhost:ntp             *:*                        1895/ntpd        
udp        0      0 *:ntp                     *:*                        1895/ntpd        
udp        0      0 *:mdns                    *:*                        1580/avahi-daemon
udp        0      0 *:ipp                     *:*                        1657/cupsd       
udp        0      0 *:869                     *:*                        1542/rpcbind     
udp        0      0 *:33669                   *:*                        1580/avahi-daemon
udp        0      0 *:933                     *:*                        1605/rpc.statd   
udp        0      0 *:sunrpc                  *:*                        1542/rpcbind     
udp        0      0 localhost:ntp             *:*                        1895/ntpd        
udp        0      0 fe80::a00:27ff:fe16:c333:ntp *:*                     1895/ntpd        
udp        0      0 *:ntp                     *:*                        1895/ntpd        
udp        0      0 *:44822                   *:*                        1605/rpc.statd   
udp        0      0 *:869                     *:*                        1542/rpcbind     

# lsof -iTCP -sTCP:LISTEN
COMMAND    PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpcbind   1542     rpc    8u  IPv4  11032      0t0  TCP *:sunrpc (LISTEN)
rpcbind   1542     rpc   11u  IPv6  11037      0t0  TCP *:sunrpc (LISTEN)
rpc.statd 1605 rpcuser    9u  IPv4  11201      0t0  TCP *:56652 (LISTEN)
rpc.statd 1605 rpcuser   11u  IPv6  11207      0t0  TCP *:45534 (LISTEN)
cupsd     1657    root    6u  IPv6  12375      0t0  TCP localhost:ipp (LISTEN)
cupsd     1657    root    7u  IPv4  12376      0t0  TCP localhost:ipp (LISTEN)
sshd      1887    root    3u  IPv4  13541      0t0  TCP *:ssh (LISTEN)
sshd      1887    root    4u  IPv6  13543      0t0  TCP *:ssh (LISTEN)
master    1987    root   12u  IPv4  13081      0t0  TCP localhost:smtp (LISTEN)
master    1987    root   13u  IPv6  13083      0t0  TCP localhost:smtp (LISTEN)
qpidd     2030   qpidd   10u  IPv4  13257      0t0  TCP *:amqp (LISTEN)
qpidd     2030   qpidd   11u  IPv6  13258      0t0  TCP *:amqp (LISTEN)
vpnagentd 2072    root   15u  IPv4  13823      0t0  TCP localhost:29754 (LISTEN)
java      2873   guest    7u  IPv6  20694      0t0  TCP localhost:47314 (LISTEN)

# nmap -sTU 10.0.2.15

Starting Nmap 5.51 ( http://nmap.org ) at 2012-12-10 09:37 GMT
Nmap scan report for 10.0.2.15
Host is up (0.0017s latency).
Not shown: 1993 closed ports
PORT     STATE         SERVICE
22/tcp   open          ssh
111/tcp  open          rpcbind
68/udp   open|filtered dhcpc
111/udp  open          rpcbind
123/udp  open          ntp
631/udp  open|filtered ipp
5353/udp open|filtered zeroconf

Nmap done: 1 IP address (1 host up) scanned in 12.66 seconds

For more information, see the lsof(8), netstat(8), and nmap(1) manual pages.
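As an added example (not part of this guide), the following shell function takes netstat -tulp output in the format shown above and reports every listener bound to all interfaces whose service is not on an assumed allowlist, which is the check an administrator typically wants after reviewing such a listing. The sample output and the allowlist are constructed for the example.

```shell
#!/bin/sh
# Constructed sample in the format of "netstat -tulp" (not live output).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address             Foreign Address   State    PID/Program name
tcp        0      0 localhost:ipp             *:*               LISTEN   1657/cupsd
tcp        0      0 *:amqp                    *:*               LISTEN   2030/qpidd
tcp        0      0 *:56652                   *:*               LISTEN   1605/rpc.statd
tcp        0      0 *:ssh                     *:*               LISTEN   1887/sshd
udp        0      0 *:mdns                    *:*                        1580/avahi-daemon
udp        0      0 10.0.2.15:ntp             *:*                        1895/ntpd'

# Assumed allowlist: services that are expected to accept remote connections.
ALLOWED_SERVICES="ssh ntp"

# exposed_listeners NETSTAT_OUTPUT ALLOWLIST
# Prints "proto service program" for each socket bound to a non-loopback
# address whose service (or port number) is not in the allowlist.
exposed_listeners() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Skip the two header lines; keep tcp/udp/tcp6/udp6 rows.
        $1 !~ /^(tcp|udp)6?$/ { next }
        {
            # Local Address is host:service; the service is the last field
            # after the final colon (IPv6 addresses contain more colons).
            n = split($4, addr, ":"); host = addr[1]; svc = addr[n]
            if (host == "localhost" || host == "127.0.0.1" || host == "::1") next
            if (svc in ok) next
            # PID/Program name is always the last column (UDP rows have no State).
            prog = $NF; sub(/^[0-9]+\//, "", prog)
            print $1, svc, prog
        }'
}

# Run against the constructed sample; for a live system use:
#   exposed_listeners "$(netstat -tulp)" "$ALLOWED_SERVICES"
exposed_listeners "$SAMPLE_NETSTAT" "$ALLOWED_SERVICES"
```

Each reported line is a service reachable from other hosts that was not explicitly expected, so it is a candidate for disabling or for restriction by the firewall or TCP wrappers.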

Caution

Before installing or using the nmap command, check the local legislation relating to port scanning software. In some jurisdictions, the possession or use of port scanning software is considered unlawful criminal activity. Some ISPs might also have acceptable use policies that forbid using such software outside of your private networks.