Verification of listening ports in linux systems
The Internet has not been a safe place for a long time, so it is worth checking for whom we leave the door open and where that door leads. In computer networks, ports are the equivalent of doors.
Once we know which applications we run, we also know what to add to our own iptables firewall rules or UDP whitelist.
How to do it?
On most systems, the command is sufficient:
```
netstat -l
```
How to read it?
At first glance it looks like a plate of Italian pasta, but a closer look shows that the output of this command is a mine of knowledge.
```
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:40833                 *:*                     LISTEN
tcp        0      0 localhost:27017         *:*                     LISTEN
tcp        0      0 localhost:mysql         *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 *:46834                 *:*                     LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
tcp6       0      0 [::]:43937              [::]:*                  LISTEN
tcp6       0      0 [::]:57793              [::]:*                  LISTEN
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN
udp        0      0 localhost:608           *:*
udp        0      0 *:674                   *:*
udp        0      0 *:59774                 *:*
udp        0      0 *:bootpc                *:*
udp        0      0 *:sunrpc                *:*
udp        0      0 *:41251                 *:*
udp6       0      0 [::]:674                [::]:*
udp6       0      0 [::]:43086              [::]:*
udp6       0      0 [::]:40189              [::]:*
udp6       0      0 [::]:sunrpc             [::]:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     7424585  /tmp/mongodb-27017.sock
unix  2      [ ACC ]     STREAM     LISTENING     24344048 /run/user/1000/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     7467947  /run/user/1002/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     7459911  /run/user/1001/systemd/private
unix  2      [ ACC ]     SEQPACKET  LISTENING     7951     /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     7885     /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     7931     /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     7952     /run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     13305    /var/lib/lxd/unix.socket
unix  2      [ ACC ]     STREAM     LISTENING     13303    /run/uuidd/request
unix  2      [ ACC ]     STREAM     LISTENING     13304    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     13306    /run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     13307    /run/snapd.socket
unix  2      [ ACC ]     STREAM     LISTENING     13308    /run/snapd-snap.socket
unix  2      [ ACC ]     STREAM     LISTENING     14766    @ISCSIADM_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     24019    /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     42459    /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     45141    /run/rpcbind.sock
```
From this output we can conclude that the system is running MySQL and MongoDB.
Here is MySQL:
```
tcp        0      0 localhost:mysql         *:*                     LISTEN
```
MySQL uses port 3306 by default, and it has been a well-known application for many years, so netstat immediately shows us the service name mysql instead of the port number.
Here is MongoDB:
```
tcp        0      0 localhost:27017         *:*                     LISTEN
```
MongoDB is less known and much younger, so here the port number 27017 is displayed instead of a name.
We can also use netstat -ln; then we get a list of all ports as plain numbers, without any attempt to work out what is what.
Both applications have localhost: in front of the port, so they only listen locally, that is, they cannot be reached from outside via the network. This is a safe setup, because it is better not to give strangers access to our database, even if it is password-protected.
If, for example, we allow access from outside, it may turn out in the future that a vulnerability lets someone log in without a password; we forget about the update, and the problem is ready.
Here we can see an SSH server listening on a standard port:
```
tcp        0      0 *:ssh                   *:*                     LISTEN
```
It is exposed to the outside, but SSH is a proven application and we somehow have to reach the server, so there is no need to worry too much as long as we use a long, randomly generated password or log in with a key pair (public and private).
There is also a curiosity at the bottom:
```
unix  2      [ ACC ]     STREAM     LISTENING     42459    /var/run/mysqld/mysqld.sock
```
It looks like a port, but it is not really one. It is a UNIX socket (a plug), which lets an application accept connections not through a standard network address but through a file. Some applications support connecting through UNIX sockets, and this is an example. These files are not exposed to the world in any way; they are a good way to connect services running on one server under different users, because permissions on this resource can be changed like on any other file on disk.
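To make the reading rules above mechanical, here is a small parser, added as an example and not part of the original post. It takes netstat -l output, separates loopback-only listeners from those bound to a wildcard address, and lists numeric ports that netstat could not name; the sample text is constructed from the lines shown above.

```python
# Constructed sample, modelled on the netstat -l output shown above.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:40833                 *:*                     LISTEN
tcp        0      0 localhost:27017         *:*                     LISTEN
tcp        0      0 localhost:mysql         *:*                     LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
udp        0      0 *:bootpc                *:*
udp6       0      0 [::]:sunrpc             [::]:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     42459    /var/run/mysqld/mysqld.sock
"""

# Bind addresses that are reachable only from the machine itself.
LOCAL = {"localhost", "127.0.0.1", "ip6-localhost", "::1"}

def parse_listeners(text):
    """Return one dict per TCP/UDP listener: proto, bind address, port/service, exposed flag."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue  # skip headers and the UNIX domain socket section
        local = fields[3]
        addr, _, port = local.rpartition(":")   # "[::]:ssh" -> "[::]", "ssh"
        addr = addr.strip("[]")                 # "[::]" -> "::"
        listeners.append({
            "proto": fields[0],
            "addr": addr,
            "port": port,
            "named": not port.isdigit(),        # netstat resolved a service name
            "exposed": addr not in LOCAL,       # "*" or "::" means any interface
        })
    return listeners

def exposed_services(text):
    """Ports/services reachable from the network (wildcard or non-loopback bind)."""
    return sorted({l["port"] for l in parse_listeners(text) if l["exposed"]})

def unresolved_ports(text):
    """Numeric ports netstat could not map to a name; these deserve a closer look."""
    return sorted({l["port"] for l in parse_listeners(text) if not l["named"]})

if __name__ == "__main__":
    for l in parse_listeners(SAMPLE):
        scope = "EXPOSED" if l["exposed"] else "local-only"
        print(f"{l['proto']:5} {l['addr']:>10}:{l['port']:<8} {scope}")
```

Pipe real output in with `python3 check_ports.py < <(netstat -l)` after replacing SAMPLE with `sys.stdin.read()`.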
It does not work!
If the netstat command is not available on the system, the net-tools package needs to be installed.
On Debian and its derivatives, e.g. Ubuntu, just run these commands to install it:
```
apt-get update
apt-get install net-tools
```
On CentOS and other RHEL derivatives, this is sufficient:
```
yum install net-tools
```