Uiler, posted April 25, 2003:

Hi! I was wondering if anyone could help me with something. I'm running mandrake 9.1. I used Nmap to do a portscan of my machine and the only open ports are sunrpc and the X-server listening to the network. I don't have any servers running, not even ssh. Do these open ports constitute a security hazard?

Thanks!
Uiler

MottS, posted April 25, 2003:

The X window system works in a server/client manner. So if you can read that, then the port is open. The security risk is when others can connect to your X window system. To know if others can connect to you, search Google about 'security test' and run one of those port scans. This way you'll know if those ports are opened, closed or stealth.

Good luck!
MOttS

aru, posted April 25, 2003:

Never trust nmap when you run it on the same machine you are auditing, because nmap will tell you all the info of your localhost through your loopback interface (skipping any firewall you have). If you have the chance, run nmap against your machine from a computer in the outside world.

In the case of port 6000 (X), I read somewhere that it is secure, though if you want to disable it, follow these instructions: How-to Close Port 6000 --X-- (Open by default) **From the very old board!!!** :shock:

I'll quote it, just to prevent another board disappearance:

> Close Port 6000 --X-- (Open by default)
>
> Error scenario: X is accepting connections by default (MDK 8.1 and previous releases). The port that is open by default is 6000/tcp. Indeed this is not an error, it is just a feature of X, but for those of us that don't want to accept external connections it is a bit annoying.
>
> Solution: TCP/IP connections can be disabled with the option -nolisten tcp passed to the server (i.e. "startx -- -nolisten tcp").
>
> How to fix it if you log in using XDM or derivatives (KDM or GDM), runlevel 5: Add the string -nolisten tcp to the command line in '/etc/X11/xdm/Xservers' and restart X.
>
> Having restarted X, run netstat -lnA inet as 'root' and you will see that port 6000 is not listed anymore.
>
> Notice that this option is set by default in Mandrake Linux 8.2.
>
> More info in Closing Port 6000 (X) In Mandrake Linux 8.1, Mandrake Forum, by tom [http://www.mandrakeforum.com/article.php?sid=1912?=en]
>
> I post this here because, a couple of months ago, I answered this question (in Desktop) pointing to the use of iptables, since some other fixes could prevent su (root) from launching applications on a normal user display... This fix is easier.
>
> For those that use GDM instead of XDM (like me), you'll need to add that string to the server section in /etc/X11/gdm/gdm.conf
>
> _________________
> Imagination is a quality given a man to compensate him for what he is not, and a sense of humor was provided to console him for what he is. O. Wilde (of course)
>
> [ This Message was edited by: arusabal on 2002-03-05 10:01 ]

Uiler, posted April 28, 2003:

Thanks very much arusabal! That worked wonders! Of course now unfortunately, running the netstat -lnA inet command, I see that port 32768 is running (though it doesn't show up in nmap...) Any ideas?

    tcp 0 0 127.0.0.1:32768 0.0.0.0:* LISTEN

aru, posted April 28, 2003:

> Thanks very much arusabal! That worked wonders! Of course now unfortunately, running the netstat -lnA inet command, I see that port 32768 is running (though it doesn't show up in nmap...) Any ideas?
>
>     tcp 0 0 127.0.0.1:32768 0.0.0.0:* LISTEN

If you add the -p flag to your netstat command you'll get the pid and the program name of the process that opened that port. In the case that netstat only shows the pid number, you can use that number to quickly know which program has that pid number (using ps).

For example (step by step :P): After issuing your command I've noticed that I have the port 3306 listening something, and I wonder why, so I can do something like this:

    ~# netstat -lnpA inet | egrep "PID|3306"
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 8418/
    ~# ps aux | grep "[8]418"
    mysql 8418 0.0 1.9 27048 4992 ? S Apr26 0:00 [mysqld]
    ~#

See, it was opened by mysqld.

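An added example (not part of aru's post or the original thread): a shell function that reads `netstat -lnpA inet` output and reports, for each listener, whether it is bound to loopback only or to all interfaces, together with the owning PID and program. The names `classify_listeners` and `sample_netstat` are hypothetical, and the sample rows are constructed here, modelled on the output lines quoted in this thread.

```shell
#!/bin/sh
# Added example: classify listeners from `netstat -lnpA inet` output.
# Prints one line per listener: <scope> <proto> <port> <pid> <program>

classify_listeners() {
    awk '
    $1 != "tcp" && $1 != "udp" { next }      # skip the two header lines
    $1 == "tcp" && $6 != "LISTEN" { next }   # TCP: listening sockets only
    {
        # UDP rows have no State column, so the owner column is one field earlier.
        first = ($1 == "tcp") ? 7 : 6
        owner = ""; sep = ""
        for (i = first; i <= NF; i++) { owner = owner sep $i; sep = " " }

        # Owner is "PID/Program name"; "-" means netstat could not identify it.
        pid = "-"; prog = "-"
        if (match(owner, /^[0-9]+\//)) {
            pid  = substr(owner, 1, RLENGTH - 1)
            prog = substr(owner, RLENGTH + 1)
            if (prog == "") prog = "-"       # name missing: look the PID up with ps
        }

        # Local address is "ip:port"; the port follows the last colon.
        n = split($4, parts, ":")
        port = parts[n]
        ip = substr($4, 1, length($4) - length(port) - 1)

        if (ip ~ /^127\./)        scope = "loopback-only"    # local clients only
        else if (ip == "0.0.0.0") scope = "all-interfaces"   # bound to every interface
        else                      scope = "single-address"
        print scope, $1, port, pid, prog
    }'
}

# Constructed sample input, modelled on the rows quoted in this thread.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:32768 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 8418/
udp 0 0 0.0.0.0:852 0.0.0.0:* 1524/xinetd
EOF
}

sample_netstat | classify_listeners
```

On a live system, pipe the real command into it as root: `netstat -lnpA inet | classify_listeners`. A row with a PID but `-` for the program is the case where the PID is looked up with ps.
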
Uiler, posted April 29, 2003:

Hi! Thanks! I tried it and now it seems that it has disappeared though now there is a "new" unexplained "service":

    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    udp 0 0 0.0.0.0:852 0.0.0.0:* 1524/xinetd

It seems that "xinetd" is listening at that port. From the man file, "xinetd" is something which handles network connections (which doesn't provide much enlightenment...). The specific xinetd command it is running (from the pid) is

    xinetd -stayalive -reuse -pidfile /var/run/xinetd.pid

which as far as I can work out from the man file just means that xinetd is running. It doesn't really tell much about what specific service xinetd is controlling that is listening at that port.

I've been doing a google search on 32768 and I really can't come up with much. People seem to use it for different things (I've seen ssh, kde amongst other candidates). One suggestion I saw is that it may actually be listening to localhost.

Relic2K, posted April 30, 2003:

> Hi! I was wondering if anyone could help me with something. I'm running mandrake 9.1. I used Nmap to do a portscan of my machine and the only open ports are sunrpc and the X-server listening to the network. I don't have any servers running, not even ssh. Do these open ports constitute a security hazard?
>
> Thanks!
> Uiler

An open port is only a security risk if there is a known vulnerability and the services are not properly patched against a possible exploit in the service. Yes, there have been a few against both X and RPC. General rule of thumb is that if you don't require the service to be running, then disable the ports, and use a firewall to control the incoming requests to these services.

Cheers