
Thread: BT4 Listening Ports - Should there be so many?

  1. #1
    Just burned his ISO PyrO_PrOfessOr's Avatar
    Join Date
    Mar 2009
    Posts
    19

    Default BT4 Listening Ports - Should there be so many?

    Hi,

    Great work on the BT4 pre-release. I'm a relatively new user with BT and have some experience with Linux. One thing I noticed about this version in comparison to the BT4 BETA is that there seem to be a lot of listening ports when I run

    Code:
    netstat -l

    BT4 BETA didn't seem to have any opened or listening unless you specifically opened ports for SSH or SFTP etc.

    All the ports are "Stream ports" (I have no idea what this means and Google can't seem to shed any light on it) and all seem to be processes in /tmp or /var/run.

    I'm sorry if this is something ridiculously normal and I just haven't realised but any help/explanation of this would be greatly appreciated.

    Thanks!

  2. #2
    Just burned his ISO PyrO_PrOfessOr's Avatar
    Join Date
    Mar 2009
    Posts
    19

    Default

    Just in case this is the output I get:

    Code:
    root@BT-LAB:~# netstat -l
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags       Type       State         I-Node   Path
    unix  2      [ ACC ]     STREAM     LISTENING     44263    /tmp/.X11-unix/X0
    unix  2      [ ACC ]     STREAM     LISTENING     44646    /tmp/ssh-YZLIP10633/agent.10633
    unix  2      [ ACC ]     STREAM     LISTENING     45761    /tmp/ksocket-pyro/kdeinit__0
    unix  2      [ ACC ]     STREAM     LISTENING     45763    /tmp/ksocket-pyro/kdeinit-:0
    unix  2      [ ACC ]     STREAM     LISTENING     45770    /tmp/.ICE-unix/dcop10850-1247915436
    unix  2      [ ACC ]     STREAM     LISTENING     45892    /tmp/.ICE-unix/10871
    unix  2      [ ACC ]     STREAM     LISTENING     45793    /tmp/ksocket-pyro/klauncherZhGICb.slave-socket
    unix  2      [ ACC ]     STREAM     LISTENING     15373    @/var/run/hald/dbus-ROmD0DvlT8
    unix  2      [ ACC ]     STREAM     LISTENING     46089    /tmp/ksocket-root/BT-LAB-2a8c-4a61adb2
    unix  2      [ ACC ]     STREAM     LISTENING     58438    /tmp/orbit-root/linc-345e-0-49abad1f6be9f
    unix  2      [ ACC ]     STREAM     LISTENING     44915    @/tmp/dbus-CBGWeZzQkw
    unix  2      [ ACC ]     STREAM     LISTENING     58451    /tmp/orbit-root/linc-345c-0-1ad118837db83
    unix  2      [ ACC ]     STREAM     LISTENING     152773   /tmp/orbit-root/linc-5f4b-0-53b0968cf49c
    unix  2      [ ACC ]     STREAM     LISTENING     44262    @/tmp/.X11-unix/X0
    unix  2      [ ACC ]     STREAM     LISTENING     15391    @/var/run/hald/dbus-jNhXqJW809
    unix  2      [ ACC ]     STREAM     LISTENING     15283    /var/run/dbus/system_bus_socket
    unix  2      [ ACC ]     STREAM     LISTENING     15085    /var/run/acpid.socket

  3. #3
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default

    Don't stress, they're all ok. If you start up, say, sshd, you will see it show up under the internet section at the top - that is the one you are after.

    I could invest a significant amount of time in discussing what STREAMs are as well as a whole swath of IPC and AF_UNIX sockets and more, but I really don't think this is the place so you'll have to take my word for it.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  4. #4
    Just burned his ISO
    Join Date
    Jul 2009
    Posts
    2

    Default

    Maybe it calls some repositories, you know; now it's a Debian.
    But very suspicious for me, as it didn't do that for the previous distro.

    Did it connect to just the local IP (127.0.0.1) or remote ones? (I can't see them in the netstat report!)

  5. #5
    Just burned his ISO PyrO_PrOfessOr's Avatar
    Join Date
    Mar 2009
    Posts
    19

    Smile

    Heh, thanks.

    Just wanted to make sure I hadn't opened a whole bunch of random ports, thus in theory leaving my system vulnerable to a counter attack. Well, I doubt the other users of my test network could launch a counter attack but still...

    Thanks again

  6. #6
    Member
    Join Date
    Jun 2008
    Posts
    101

    Default

    Quote Originally Posted by PyrO_PrOfessOr View Post
    Hi,

    Code:
    netstat -l
    Those are internal streams used by the OS. If you really want to see listening ports you should do:

    Code:
    netstat -lnpt
    I doubt you have any open ports unless you have strictly done so. You can also block all incoming connections by placing a simple firewall rule:

    Code:
    iptables -P INPUT DROP
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    This will allow only established connections! i.e.: HTTP request
    QuadCore AMD Phenon X4 9950, 2600 MHz
    8GB DDR2 800MHz
    Dual Boot System: Windows Server 2008 x64 w/ Hyper-V, Ubuntu 9.10 x64

  7. #7
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default

    Quote Originally Posted by adri_ht_ View Post
    My friend those are internal ports used by the OS.
    And they showed no open network ports. Your next command is a damned bad habit to be in because it lets me sneak a netcat UDP based backdoor through and you'll never see it.

    You also put your firewalls in the wrong order, there is no point permitting ESTABLISHED connections through when you've already DROP'd everything on the incoming interface.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  8. #8
    Just burned his ISO PyrO_PrOfessOr's Avatar
    Join Date
    Mar 2009
    Posts
    19

    Default

    Ah Excellent! That makes a lot more sense. And you are right I had no open ports at all.

    Thanks very much for this command - will come in useful.

    Here's hoping that if I post another question it won't be quite so newb-ish.

  9. #9
    Just burned his ISO PyrO_PrOfessOr's Avatar
    Join Date
    Mar 2009
    Posts
    19

    Default

    Quote Originally Posted by Gitsnik View Post
    And they showed no open network ports. Your next command is a damned bad habit to be in because it lets me sneak a netcat UDP based backdoor through and you'll never see it.

    You also put your firewalls in the wrong order, there is no point permitting ESTABLISHED connections through when you've already DROP'd everything on the incoming interface.
    So the -t is only checking the TCP ports out? The -x (which is implied by -l I'm guessing) is listing the ports used by the system?

    So would the best command really be:

    Code:
    netstat -lnptuw
    ?
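
Added example (not part of any post in this thread): a shell filter that separates IP listeners from the AF_UNIX rows in netstat output and shows which listeners a TCP-only `netstat -lnpt` leaves out. The sample output, its PIDs and program names are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in `netstat -lnp` format; not output taken from the thread.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2101/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      1877/postgres
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1502/dhclient3
udp        0      0 0.0.0.0:4444            0.0.0.0:*                           3310/nc
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     44263    1410/X              /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     15283    1302/dbus-daemon    /var/run/dbus/system_bus_socket
EOF
}

# Print "proto local-address scope program" for each IP listener on stdin.
# AF_UNIX rows are skipped: they are local IPC endpoints, not network ports.
inet_listeners() {
  awk '
    $1 ~ /^(tcp|udp|raw)6?$/ {
      # Listening UDP rows have an empty State column, so the PID/Program
      # field shifts left; search for it instead of using a fixed position.
      prog = "-"; for (i = 6; i <= NF; i++) if ($i ~ /^[0-9]+\//) { prog = $i; break }
      host = $4; sub(/:[^:]*$/, "", host)   # strip the trailing :port
      scope = (host == "127.0.0.1" || host == "::1") ? "loopback" : "network"
      print $1, $4, scope, prog
    }'
}

# Listeners that a TCP-only view (netstat -lnpt) never displays.
missed_by_tcp_only() { inet_listeners | awk '$1 !~ /^tcp/'; }

# Listeners bound to a non-loopback address, i.e. reachable from other hosts.
network_exposed() { inet_listeners | awk '$3 == "network"'; }

if [ "${1:-}" = "--live" ]; then
  netstat -lnptuw | inet_listeners     # needs root to resolve every PID
else
  echo "Not shown by -t alone:"; sample_netstat | missed_by_tcp_only
  echo "Reachable from the network:"; sample_netstat | network_exposed
fi
```
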

  10. #10
    Member
    Join Date
    Jun 2008
    Posts
    101

    Default

    Quote Originally Posted by Gitsnik View Post
    And they showed no open network ports. Your next command is a damned bad habit to be in because it lets me sneak a netcat UDP based backdoor through and you'll never see it.

    You also put your firewalls in the wrong order, there is no point permitting ESTABLISHED connections through when you've already DROP'd everything on the incoming interface.
    First of all, if all inbound traffic is blocked (except established), how in god's name can you sneak a listening UDP backdoor? If you say reverse UDP or TCP, then you have a point.

    Code:
    iptables -P INPUT DROP

    This line implicitly blocks all inbound traffic (whether it is UDP or TCP). You can add more rules in the chain to make exceptions. In other words, the order doesn't matter!
    QuadCore AMD Phenon X4 9950, 2600 MHz
    8GB DDR2 800MHz
    Dual Boot System: Windows Server 2008 x64 w/ Hyper-V, Ubuntu 9.10 x64
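
Added example (not part of any post in this thread): the two rules discussed above written in `iptables-restore` format, with a toy first-match evaluator showing that the chain policy is only consulted when no `-A` rule matched. The loopback rule, the FORWARD and OUTPUT policies, the interface name `eth0` and the function names are assumptions made for the example.

```shell
#!/bin/sh
# iptables-restore format: ":INPUT DROP" is the chain policy, "-A" lines are rules.
ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Toy model of INPUT traversal for this ruleset only: rules are tried top to
# bottom, the first match decides, and the policy applies only if none matched.
# usage: verdict <in-interface> <conntrack-state>
verdict() {
  ruleset | awk -v ifc="$1" -v st="$2" '
    /^:INPUT / { policy = $2 }
    /^-A INPUT / {
      want_if = ""; want_st = ""; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-i")      want_if = $(i + 1)
        if ($i == "--state") want_st = $(i + 1)
        if ($i == "-j")      target  = $(i + 1)
      }
      if (want_if != "" && want_if != ifc) next
      if (want_st != "" && index("," want_st ",", "," st ",") == 0) next
      print target; done = 1; exit
    }
    END { if (!done) print policy }'
}

if [ "${1:-}" = "--apply" ]; then
  ruleset | iptables-restore    # loads policy and rules in one commit; run as root
else
  for p in "eth0 NEW" "eth0 ESTABLISHED" "lo NEW"; do
    # $p is left unquoted on purpose so it splits into interface and state
    echo "$p -> $(verdict $p)"
  done
fi
```

Because `iptables-restore` commits the policy and the rules together, there is no interval in which the DROP policy is active without the ESTABLISHED rule, which matters when the commands are entered over a remote session.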
