Uncommon services
The following services are useful and applicable in certain circumstances. Often these processes only apply to servers, as opposed to workstations. The system administrator should take a hard look at all of these processes and, if they are not needed, disable them.
- anacron - This service is an enhanced cron replacement. It can run jobs that were scheduled for execution while the computer was turned off.
- atd - This service runs scheduled batch jobs.
- autofs - This service automounts file systems on demand.
- arpwatch - This service is used to construct and monitor an ARP table, which keeps track of IP address-to-MAC address pairings.
- apmd - This is the advanced power management daemon, primarily used on laptops and other battery-backed devices. The apmd daemon senses the hardware and suspends or shuts down the workstation or laptop.
- crond - This service is used to schedule jobs for later execution. Many system administration tasks can be run with cron. If it can't be disabled, authorization to run cron jobs should be limited to a few users.
- gpm - This service is the text-mode cut-and-paste daemon. It has been a source of security concerns and performance problems in the past. Unless specific text-based applications that require this mouse support are being used, gpm should be disabled.
- httpd - This service is the Apache web server. Web servers are a high-visibility target for attacks. It is unlikely that a user's workstation needs to be running a web server. In the vast majority of cases, this service should be disabled.
- innd - This service is the Internet News System (INN) news server. Normally this is run on a server and not a workstation.
- irda - This service is the Infrared TTY manager. Infrared is rarely used on a UNIX workstation, so this should be disabled.
- mysqld and postgresql - These services provide SQL database services. Usually, SQL databases are run on servers and not workstations.
- named - This service is the BIND name server used when running a Domain Name Service (DNS). It allows the host to resolve domain names into IP addresses. It is unusual for this service to be running on a workstation. DNS has important security concerns and needs to be configured and maintained carefully.
- nscd - This service provides password and group lookup services for use with network authentication such as that used in the Lightweight Directory Access Protocol (LDAP).
- ntpd - This service provides Network Time Protocol (NTP) time synchronization. If time synchronization is important, the network administrator should set up a local server to reduce the security risk.
- netfs - This service mounts NFS file systems.
- RIP - Routers use the Routing Information Protocol (RIP) to pass routing information. It is unlikely that the UNIX workstation is acting as a router, so this should be disabled.
- sendmail - This service is a mail transport agent that allows users to send mail from the workstation. Normally, the network administrator will set up one mail server to service many users and workstations. If the workstation must run its own mail server, consider using qmail or postfix, which are more secure.
- smb - This service runs the smbd and nmbd SAMBA daemons, which allow the sharing of files with Microsoft Windows platforms.
- snmpd - This service runs the supporting daemon for the Simple Network Management Protocol (SNMP). Unless absolutely needed, this service should be disabled due to past and present security issues.
Detecting services
Because the system administrator should disable unneeded processes, he or she must be able to detect and manage these services. Three good applications for this are ps, netstat, and nmap.
The ps command
This command gives a snapshot of the currently running processes. The ps command will need to be run as root to pick up all the processes on the workstation. Following is a shortened output from ps:
# ps -aux
USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START TIME COMMAND
root         1  0.2  0.0 1376  440 ?     S    19:44 0:04 init [3]
root         2  0.0  0.0    0    0 ?     SW   19:44 0:00 [keventd]
root         9  0.0  0.0    0    0 ?     SW   19:44 0:00 [bdflush]
root         5  0.0  0.0    0    0 ?     SW   19:44 0:00 [kswapd]
root       217  0.0  0.0    0    0 ?     SW   19:45 0:00 [kjournald]
root       278  0.0  0.0    0    0 ?     SW   19:45 0:00 [knodemgrd]
root       498  0.0  0.0 1440  508 ?     S    19:45 0:00 syslogd -m 0
root       502  0.0  0.0 1372  424 ?     S    19:45 0:00 klogd -x
root       558  0.0  0.0 1496  480 ?     S    19:45 0:00 /sbin/cardmgr
root       623  0.0  0.1 3508 1132 ?     S    19:45 0:00 /usr/sbin/sshd
root       790  0.0  0.0 2264  440 ?     S    19:46 0:00 login - root
root       791  0.0  0.0 1348   56 tty2  S    19:46 0:00 /sbin/mingetty tty2
root       796  0.0  0.0 4340  352 tty1  S    19:47 0:00 -bash
root      1637  0.0  0.0 2832  888 pts/2 R    20:18 0:00 ps -aux
The netstat command
The netstat command prints all of the following:
- Network connections
- Routing tables
- Interface statistics
- Masquerade connections
- Multicast memberships
netstat can display a list of open sockets identified either by their port number or by the service assigned to that port as listed in /etc/services. If you don't specify any address families, the active sockets of all configured address families will be printed.
Knowing what ports are open on the workstation and accessible from the network is important to operating UNIX safely. The administrator should recognize every open port and understand the need for the application that is using that port. If the administrator does not recognize the port or service, he or she must track down the service and understand why that service needs to be running on that particular workstation.
Following is a sample listing of the open ports and sockets in use as reported by netstat. Note that the -p option shows the application that is responsible for each open port. Knowing the application is important in tracking down and closing ports.
# netstat -ap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address  State   PID/Program name
tcp        0      0 *:ssh                   *:*              LISTEN  559/sshd
tcp        0      0 localhost.localdoma:ipp *:*              LISTEN  584/cupsd
udp        0      0 *:bootpc                *:*                      474/dhclient
udp        0      0 *:631                   *:*                      584/cupsd
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags   Type   State     I-Node Path
unix  2      [ ACC ] STREAM LISTENING 1209   /tmp/.font-unix/fs7100
unix  2      [ ACC ] STREAM LISTENING 1343   /tmp/.X11-unix/X0
unix  2      [ ACC ] STREAM LISTENING 1368   /tmp/ssh-XXobUrxB/agent.808
unix  2      [ ACC ] STREAM LISTENING 1835   /tmp/.ICE-unix/dcop877-1086703459
unix  2      [ ACC ] STREAM LISTENING 1960   /tmp/mcop-root/m_r_tmp-037e
unix  7      [ ]     DGRAM            956    /dev/log
unix  2      [ ACC ] STREAM LISTENING 2005   /tmp/.ICE-unix/906
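The "recognize every open port" check from above can be automated: the script below (an added example, not part of this tutorial) parses netstat -ap output, keeps only the network listeners (the UNIX domain sockets are not reachable from the network), and reports every port that is not on an allowlist the administrator maintains. The allowlist and the run_sample helper are assumptions for the demonstration; the sample input is the listing shown above, reproduced inline so the audit runs offline.

```shell
#!/bin/sh
# Audit the listeners in "netstat -ap" output against an allowlist.
# Input: netstat -ap text on stdin. $1: space-separated list of expected
# ports (service names as resolved via /etc/services, or numbers).
# Output: one line per listener NOT on the allowlist: proto port PID/program
audit_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^Active UNIX/ { exit }      # UNIX domain sockets: not network reachable
    # tcp rows carry a State column (field 6); udp rows have none, so the
    # PID/Program column shifts from field 7 to field 6
    $1 ~ /^tcp/ && $6 == "LISTEN" { port = $4; prog = $7; hit = 1 }
    $1 ~ /^udp/                   { port = $4; prog = $6; hit = 1 }
    hit {
      sub(/^.*:/, "", port)      # strip the address, keep only the port
      if (!(port in ok)) printf "%s %s %s\n", $1, port, prog
      hit = 0
    }
  '
}

# Constructed sample: the netstat -ap listing from above, embedded so the
# audit can be exercised without a live system.
run_sample() {
  audit_listeners "$1" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address  State   PID/Program name
tcp        0      0 *:ssh                   *:*              LISTEN  559/sshd
tcp        0      0 localhost.localdoma:ipp *:*              LISTEN  584/cupsd
udp        0      0 *:bootpc                *:*                      474/dhclient
udp        0      0 *:631                   *:*                      584/cupsd
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags   Type   State     I-Node Path
unix  2      [ ACC ] STREAM LISTENING 1209   /tmp/.font-unix/fs7100
EOF
}

# Live use on the workstation (as root): netstat -ap | audit_listeners "ssh bootpc"
# With only ssh and the DHCP client expected, both cupsd listeners are flagged.
run_sample "ssh bootpc"
```

Each flagged line names the PID and program, which is exactly what the administrator needs to decide whether to disable the service or add it to the allowlist.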
Note that this powerful tool will also display the current routing table. Following is the routing table information provided by netstat:
# netstat -r
Kernel IP routing table
Destination   Gateway Genmask       Flags MSS Window irtt Iface
192.168.123.0 *       255.255.255.0 U       0 0        0 eth0
169.254.0.0   *       255.255.0.0   U       0 0        0 eth0
127.0.0.0     *       255.0.0.0     U       0 0        0 lo
default       pix     0.0.0.0       UG      0 0        0 eth0
The nmap command
nmap is a very good port scanner that ships with many UNIX distributions and is available for all of them. nmap is designed to allow system administrators to scan hosts to determine what services are running. nmap supports a large number of scanning techniques, such as the following:
- UDP
- TCP connect()
- TCP SYN (half open)
- ftp proxy (bounce attack)
- Reverse-ident
- ICMP (ping sweep)
- FIN
- ACK sweep
- Xmas Tree
- SYN sweep
- IP Protocol
- Null scan
The following shows the output of two nmap scans of a Linux host. nmap can be run over the network or against the host it resides on, as in these scans. The -sT option tells nmap to run a TCP connect() scan: nmap attempts to complete a connection to every port to determine which service is listening on it. The first scan is against the host's external interface. The second scan, of the localhost interface, bypasses the iptables (firewall) filtering that protects the host. Notice that port 631 is being blocked by iptables. iptables is discussed in detail in the "Hardening UNIX" section of this tutorial.
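The comparison the text describes, a localhost scan against an external-interface scan, can be scripted so that the ports iptables is filtering are listed explicitly. The script below is an added example, not part of this tutorial; the two scan listings are constructed samples (the tutorial's own nmap output is not reproduced here), and the function name and the demo helper are assumptions.

```shell
#!/bin/sh
# Report ports that an nmap -sT scan of localhost shows open but a scan of the
# external interface does not: those are the listeners iptables is filtering.
# $1: file holding the external-interface scan, $2: file holding the localhost scan.
filtered_ports() {
  awk '
    # Port lines look like "631/tcp open ipp"; remember open ports per scan file
    /^[0-9]+\/(tcp|udp) +open/ {
      open[FILENAME, $1] = 1
      if (FILENAME == ARGV[2]) service[$1] = $3
    }
    END {
      for (p in service)
        if (!((ARGV[1], p) in open))
          printf "%s %s filtered externally\n", p, service[p]
    }
  ' "$1" "$2"
}

# Constructed sample scans: ssh answers on both interfaces, but the cupsd
# listener on port 631 is only reachable via localhost.
demo() {
  ext=$(mktemp) && lo=$(mktemp) || return 1
  cat >"$ext" <<'EOF'
Interesting ports on 192.168.123.10:
PORT    STATE SERVICE
22/tcp  open  ssh
EOF
  cat >"$lo" <<'EOF'
Interesting ports on localhost (127.0.0.1):
PORT    STATE SERVICE
22/tcp  open  ssh
631/tcp open  ipp
EOF
  filtered_ports "$ext" "$lo"
  rm -f "$ext" "$lo"
}

# Live use: nmap -sT <external address> > ext.txt; nmap -sT localhost > lo.txt;
# filtered_ports ext.txt lo.txt
demo
```

A port that appears in this report is protected only by the packet filter; if the service is not needed, disabling it removes the exposure entirely rather than relying on iptables alone.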