The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
As networks are usually the primary point of entry into IT systems, you can use network intrusion prevention and detection tools to help avert or uncover a security breach. You can then take steps such as disabling unused network services and configuring a packet-filtering firewall and TCP wrappers.
There are several open-source tools for performing packet logging and analysis. For example, tcpdump and Snort capture TCP traffic and analyze it for suspicious usage patterns, such as those that typically occur with port scans or network DoS attacks. Sguil incorporates tcpdump, Snort, and the Wireshark protocol analyzer to provide a network intrusion and detection system that simplifies log analysis and reporting.
You can check what services are running on a system by using port scanning utilities. The following examples show the information that the netstat, lsof, and nmap commands return about open TCP ports and the associated services:
# netstat -tulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address                Foreign Address  State    PID/Program name
tcp        0      0 localhost:ipp                *:*              LISTEN   1657/cupsd
tcp        0      0 localhost:29754              *:*              LISTEN   2072/vpnagentd
tcp        0      0 *:amqp                       *:*              LISTEN   2030/qpidd
tcp        0      0 *:56652                      *:*              LISTEN   1605/rpc.statd
. . .
udp        0      0 fe80::a00:27ff:fe16:c333:ntp *:*                       1895/ntpd
udp        0      0 *:ntp                        *:*                       1895/ntpd
udp        0      0 *:44822                      *:*                       1605/rpc.statd
udp        0      0 *:869                        *:*                       1542/rpcbind

# lsof -iTCP -sTCP:LISTEN
COMMAND    PID   USER     FD   TYPE  DEVICE  SIZE/OFF  NODE  NAME
rpcbind    1542  rpc       8u  IPv4  11032   0t0       TCP   *:sunrpc (LISTEN)
rpcbind    1542  rpc      11u  IPv6  11037   0t0       TCP   *:sunrpc (LISTEN)
rpc.statd  1605  rpcuser   9u  IPv4  11201   0t0       TCP   *:56652 (LISTEN)
rpc.statd  1605  rpcuser  11u  IPv6  11207   0t0       TCP   *:45534 (LISTEN)
cupsd      1657  root      6u  IPv6  12375   0t0       TCP   localhost:ipp (LISTEN)
cupsd      1657  root      7u  IPv4  12376   0t0       TCP   localhost:ipp (LISTEN)
sshd       1887  root      3u  IPv4  13541   0t0       TCP   *:ssh (LISTEN)
sshd       1887  root      4u  IPv6  13543   0t0       TCP   *:ssh (LISTEN)
master     1987  root     12u  IPv4  13081   0t0       TCP   localhost:smtp (LISTEN)
master     1987  root     13u  IPv6  13083   0t0       TCP   localhost:smtp (LISTEN)
qpidd      2030  qpidd    10u  IPv4  13257   0t0       TCP   *:amqp (LISTEN)
qpidd      2030  qpidd    11u  IPv6  13258   0t0       TCP   *:amqp (LISTEN)
vpnagentd  2072  root     15u  IPv4  13823   0t0       TCP   localhost:29754 (LISTEN)
java       2873  guest     7u  IPv6  20694   0t0       TCP   localhost:47314 (LISTEN)

# nmap -sTU 10.0.2.15

Starting Nmap 5.51 ( http://nmap.org ) at 2012-12-10 09:37 GMT
Nmap scan report for 10.0.2.15
Host is up (0.0017s latency).
Not shown: 1993 closed ports
PORT      STATE          SERVICE
22/tcp    open           ssh
111/tcp   open           rpcbind
68/udp    open|filtered  dhcpc
111/udp   open           rpcbind
123/udp   open           ntp
631/udp   open|filtered  ipp
5353/udp  open|filtered  zeroconf

Nmap done: 1 IP address (1 host up) scanned in 12.66 seconds
For more information, see the lsof(8), netstat(8), and nmap(1) manual pages.
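As an added example (not part of the original Oracle documentation), the following shell function reduces lsof -iTCP -sTCP:LISTEN output to the listeners that are not bound to loopback and whose port is not on an approved list, which is the review you would do before disabling unused services. The ALLOWED list and the function names are assumptions for illustration; the sample input is a subset of the lsof output shown above.

```sh
#!/bin/sh
# Added example: list TCP listeners from `lsof -iTCP -sTCP:LISTEN` output that
# are reachable from the network and are not on an approved list.

# Assumption: services this host is expected to expose (space-separated).
ALLOWED="ssh"

# Sample input: a subset of the lsof output shown on this page.
sample_lsof() {
cat <<'EOF'
COMMAND    PID   USER     FD   TYPE  DEVICE  SIZE/OFF  NODE  NAME
rpcbind    1542  rpc       8u  IPv4  11032   0t0       TCP   *:sunrpc (LISTEN)
rpcbind    1542  rpc      11u  IPv6  11037   0t0       TCP   *:sunrpc (LISTEN)
rpc.statd  1605  rpcuser   9u  IPv4  11201   0t0       TCP   *:56652 (LISTEN)
rpc.statd  1605  rpcuser  11u  IPv6  11207   0t0       TCP   *:45534 (LISTEN)
cupsd      1657  root      7u  IPv4  12376   0t0       TCP   localhost:ipp (LISTEN)
sshd       1887  root      3u  IPv4  13541   0t0       TCP   *:ssh (LISTEN)
qpidd      2030  qpidd    10u  IPv4  13257   0t0       TCP   *:amqp (LISTEN)
java       2873  guest     7u  IPv6  20694   0t0       TCP   localhost:47314 (LISTEN)
EOF
}

# Reads lsof output on stdin and prints "command port" once for each listener
# that is not loopback-only and whose port name/number is not in ALLOWED.
unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF != "(LISTEN)" { next }              # also skips the header line
        {
            addr = $(NF - 1)                    # e.g. *:sunrpc or localhost:ipp
            match(addr, /:[^:]*$/)              # last colon splits host and port
            host = substr(addr, 1, RSTART - 1)
            port = substr(addr, RSTART + 1)
            if (host ~ /^(localhost|127\.|\[::1\])/) next   # loopback only
            if (port in ok) next                            # approved service
            key = $1 " " port
            if (!(key in seen)) { seen[key] = 1; print key }  # merge IPv4/IPv6
        }'
}

sample_lsof | unexpected_listeners
```

On a live system, pipe the real command into the function instead of the sample: lsof -iTCP -sTCP:LISTEN | unexpected_listeners.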
Before installing or using the nmap command, check the local legislation relating to port scanning software. In some jurisdictions, the possession or use of port scanning software is considered unlawful criminal activity. Some ISPs might also have acceptable use policies that forbid using such software outside of your private networks.