Wednesday, January 27, 2010

How to protect your Linux? netstat and lsof

Netstat

Netstat is a tool we use for defence. It shows the existing connections and listening sockets:

netstat -taupe | sort



# netstat -taupe | sort
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 192.168.0.12:36932 ey-in-f191.1e100.n:http ESTABLISHED toto 11436 4490/firefox-bin
tcp 0 0 192.168.0.1:netbios-ssn *:* LISTEN root 6851 3997/smbd
tcp 0 0 192.168.0.:microsoft-ds *:* LISTEN root 6850 3997/smbd
tcp 0 0 localhost:microsoft-ds *:* LISTEN root 6852 3997/smbd
tcp 0 0 localhost:netbios-ssn *:* LISTEN root 6853 3997/smbd
udp 0 0 *:bootpc *:* root 6576 3856/dhcpcd
udp 0 0 *:netbios-dgm *:* root 6875 4007/nmbd
udp 0 0 *:netbios-ns *:* root 6874 4007/nmbd
udp 0 0 192.168.0.12:netbios-ns *:* root 6878 4007/nmbd
udp 0 0 192.168.0.1:netbios-dgm *:* root 6879 4007/nmb


In my case, I saw that Firefox is running, and also Samba and DHCP. I use Samba just a little, so I prefer to stop it. It's better to stop processes that you don't use, or that you use only sometimes:


# rc-update del samba
 * 'samba' removed from the following runlevels: default
# /etc/init.d/samba stop
 * samba -> stop: smbd ...                                  [ ok ]
 * samba -> stop: nmbd ...



To have a safer system, a good approach is to stop unused processes, because an attacker will check which processes are running in order to attack them. If a process is stopped, it cannot be attacked.
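To make the audit above repeatable, here is an added example (not part of the original post) that reads "netstat -taupe" output and prints one line per listening socket with its program, marking loopback-only binds so you can see which services are actually reachable from other hosts. The sample output embedded below is constructed from the post's session; the function names are my own.

```shell
#!/bin/sh
# Added example: summarise listening sockets from "netstat -taupe" output.
# -t/-u select TCP/UDP, -a includes listening sockets, -p adds PID/Program,
# -e adds the User and Inode columns, so PID/Program name is the last field.

# Reads netstat -taupe output on stdin and prints:
#   <proto> <local address> <PID/program> <exposed|local-only>
# TCP sockets are kept only in LISTEN state; UDP has no state column, so
# every bound UDP socket is reported. Anything not bound to loopback is
# reachable from the network and is marked "exposed".
listening_services() {
    awk '
        /^tcp/ && $6 != "LISTEN" { next }          # drop ESTABLISHED, TIME_WAIT, ...
        /^(tcp|udp)/ {
            proto = $1; addr = $4; prog = $NF
            host = addr; sub(/:[^:]*$/, "", host)  # strip the ":port" suffix
            if (host == "localhost" || host == "127.0.0.1" || host == "::1")
                scope = "local-only"
            else
                scope = "exposed"                  # "*", 0.0.0.0 or a real interface
            print proto, addr, prog, scope
        }
    ' | sort -u
}

# Constructed sample modelled on the netstat session in the post (not a real capture).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 192.168.0.12:36932 ey-in-f191.1e100.n:http ESTABLISHED toto 11436 4490/firefox-bin
tcp 0 0 192.168.0.12:netbios-ssn *:* LISTEN root 6851 3997/smbd
tcp 0 0 localhost:microsoft-ds *:* LISTEN root 6852 3997/smbd
udp 0 0 *:bootpc *:* root 6576 3856/dhcpcd
udp 0 0 *:netbios-ns *:* root 6874 4007/nmbd'

# Number of sockets other hosts can reach: the figure to drive down by
# stopping services, as the post does with Samba.
exposed_count() {
    printf '%s\n' "$SAMPLE" | listening_services | grep -c ' exposed$'
}

# On a live system run:  netstat -taupe | listening_services
printf '%s\n' "$SAMPLE" | listening_services
```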



lsof

This tool shows you which files are open on your Linux system. With -i it lists only network sockets, and -P keeps the port numbers instead of converting them to service names. Install it and run it:

emerge sys-process/lsof

lsof -Pi | sort




# lsof -Pi | sort
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dhcpcd 3856 root 7u IPv4 6576 0t0 UDP *:68
firefox-b 4490 toto 13u IPv4 11436 0t0 TCP 192.168.0.12:36932->ey-in-f191.1e100.net:80 (ESTABLISHED)
nmbd 4007 root 6u IPv4 6874 0t0 UDP *:137
nmbd 4007 root 7u IPv4 6875 0t0 UDP *:138
nmbd 4007 root 8u IPv4 6878 0t0 UDP 192.168.0.12:137
nmbd 4007 root 9u IPv4 6879 0t0 UDP 192.168.0.12:138
smbd 3997 root 19u IPv4 6850 0t0 TCP 192.168.0.12:445 (LISTEN)
smbd 3997 root 20u IPv4 6851 0t0 TCP 192.168.0.12:139 (LISTEN)
smbd 3997 root 21u IPv4 6852 0t0 TCP localhost:445 (LISTEN)
smbd 3997 root 22u IPv4 6853 0t0 TCP localhost:139 (LISTEN)

