2.2.9. Verifying Which Ports Are Listening
Unnecessary open ports should be avoided because it increases the attack surface of your system. If after the system has been in service you find unexpected open ports in listening state, that might be signs of intrusion and it should be investigated.
Issue the following command, as root, from the console to determine which ports are listening for connections from the network:
netstat -tanp | grep LISTENtcp 0 0 0.0.0.0:45876 0.0.0.0:* LISTEN 1193/rpc.statd tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1241/dnsmasq tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1783/cupsd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 7696/sendmail tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1167/rpcbind tcp 0 0 127.0.0.1:30003 0.0.0.0:* LISTEN 1118/tcsd tcp 0 0 :::631 :::* LISTEN 1/init tcp 0 0 :::35018 :::* LISTEN 1193/rpc.statd tcp 0 0 :::111 :::* LISTEN 1167/rpcbind
Review the output of the command with the services needed on the system, turn off what is not specifically required or authorized, repeat the check. Proceed then to make external checks using nmap from another system connected via the network to the first system. This can be used verify the rules in iptables. Make a scan for every IP address shown in the netstat output (except for localhost 127.0.0.0 or ::1 range) from an external system. Use the
-6option for scanning an IPv6 address. See
man nmap(1)for more information.
The following is an example of the command to be issued from the console of another system to determine which ports are listening for TCP connections from the network:
nmap -sT -O 192.168.122.1
See the netstat(8), nmap(1), and services(5) manual pages for more information.