Sunday, October 30, 2005

Investigating all open ports on Linux web server - Programming One Liner 18 - 21

Unneeded open ports can be costly for your business!

If you have unneeded and unexplained ports open on your server, you are calling for trouble.

nmap -p 1-65535 localhost

This programming one liner allows you to look for all open ports (ports that are currently listening) on your Linux server.

Programming "One Liner" lookup terms:
nmap fuser

Output of running the above command will produce something similar to:

Starting nmap V. 3.00 ( )
Interesting ports on localhost.localdomain (
(The 65517 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
110/tcp open pop-3
143/tcp open imap2
199/tcp open smux
443/tcp open https
631/tcp open ipp
783/tcp open hp-alarm-mgr
953/tcp open rndc
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
5981/tcp open unknown
6001/tcp open X11:1

Nmap run completed -- 1 IP address (1 host up) scanned in 155 seconds

Investigating a port

Which process is using the port? Programming One Liner 19

If you are interested in looking up which process is using the port, use the following fuser command. We are investigating port 783 which is currently open for the service named hp-alarm-mgr.

fuser -n tcp 783

The output of fuser is as follows

783/tcp: 2385

Finding the process owner

Who owns the process? Programming One Liner 20

Now that we know the process id (pid), we can find out details about the process.

cat /proc/2385/status

The status information will include a lot of details about the process.

Name: spamd
State: S (sleeping)
Tgid: 2385
Pid: 2385
PPid: 1
TracerPid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
FDSize: 32
VmSize: 22920 kB
VmLck: 0 kB
VmRSS: 716 kB
VmData: 16664 kB
VmStk: 72 kB
VmExe: 12 kB
VmLib: 3944 kB
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000010080
SigCgt: 0000000080005002
CapInh: 0000000000000000
CapPrm: 00000000fffffeff
CapEff: 00000000fffffeff

We can see the software package running the process is spamd and its owned by uid 0 (super user).

What command was used to run the process? Programming One Liner 21

The status information will include a lot of details about the process.

To find further details, such as the command used to invoke the process:

ps 2385

We can see the following details:

2385 ? S 0:00 /usr/bin/spamd -d -c -a

Programming "One Liner" lookup terms:
nmap fuser cat

If you would like more information on any of the commands, please feel free to contact me with your . You can also read other posts on programming code, lookup the programming terms displayed above or visit my network security blog. Other external programming blogs on Technorati and programming blogs on Google.

No comments: