Sep 07 2011

Article by Dominique Cimafranca first published on his blog regarding Ubuntu, and Linux in general.

A simple but effective procedure for evaluating security on your computer is to check what sites it’s connecting to, or what sites are connecting to it. Most critical malware nowadays turns computers into zombies for botnets; typically, zombified hosts connect to a central server using IRC. Or it could be that you’re inadvertently running a program that’s listening for Internet requests. In any case, it’s good to check these connections.

In TCP/IP, connections happen by way of ports. A port is a number that uniquely identifies a connection. Some ports are well-known and usually identified with a service, e.g. port 80 for HTTP requests.

To see what ports are open, i.e., what connections your computer currently has, use the netstat -a command.

The output will be lengthy, but we’re really only interested in the top section. An example from my own computer:

Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 localhost:ipp           *:*                     LISTEN     
tcp        0      0 aspire.local:49132 TIME_WAIT  
tcp        0      0 aspire.local:60227 ESTABLISHED
udp        0      0 aspire.local:33954     ESTABLISHED
udp        0      0 *:bootpc                *:*                                
udp        0      0 aspire.local:42088     ESTABLISHED
udp        0      0 *:mdns                  *:*                                
udp        0      0 *:38142                 *:*

What does this say? That my computer is currently connected to web servers (the :www entries) and is making DNS requests (:domain). These are the entries which are simpler to understand. But what of the others?

:ipp is the port used by the printer daemon 
:mdns is used for local multicast DNS 
:bootpc is for DHCP client requests.

These are the ports that a default Ubuntu installation listens on. :ipp is opened by cupsd, and :mdns and :bootpc by avahi.

But what of that open port 38142? How come it’s not identified? You can check it by running

sudo lsof -i :38142

You’ll see that it’s also owned by the Avahi daemon. Just what is Avahi?

Avahi is a system which facilitates service discovery on a local network. This means that you can plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared. This kind of technology is already found in Apple MacOS X (branded Rendezvous, Bonjour and sometimes Zeroconf) and is very convenient. Avahi is mainly based on Lennart Poettering’s flexmdns mDNS implementation for Linux which has been discontinued in favour of Avahi.

So in a default Ubuntu installation, the only open ports should be those opened by the printer daemon and Avahi. The other usual connections are for HTTP and DNS. Anything else that you’re not sure of is typically suspect.
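The post’s procedure (list the listening sockets, find out which program owns each one, and treat anything unexpected as suspect) can be scripted so the check is repeatable. The script below is an added example and is not code from the original post; it parses netstat -tulnp style output (numeric ports, with the owning PID/program, as the later comments suggest) and reports every listening socket whose program is not in an allowlist. The sample netstat output and the allowlist of cupsd, avahi-daemon and dhclient are constructed for the example; the PIDs and ports in it are made up, not a real capture.

```shell
#!/bin/sh
# Added example: flag listening sockets owned by programs outside an allowlist.
# Reads `netstat -tulnp`-style text on stdin. Not part of the original post.

# Constructed sample of `netstat -tulnp` output (PIDs and ports are made up).
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1234/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           456/avahi-daemon
udp        0      0 0.0.0.0:68              0.0.0.0:*                           321/dhclient
udp        0      0 0.0.0.0:38142           0.0.0.0:*                           456/avahi-daemon
udp        0      0 0.0.0.0:17500           0.0.0.0:*                           789/dropbox'

# Programs the post describes as expected on a default Ubuntu desktop (assumed allowlist).
EXPECTED_PROGRAMS="cupsd avahi-daemon dhclient"

# report_unexpected ALLOWLIST
#   For each tcp/udp line on stdin, print "proto port program" when the owning
#   program is not in the space-separated ALLOWLIST. A program shown as "-"
#   (netstat run without root) is reported too, since it could not be identified.
report_unexpected() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)6?$/ {
      port = $4; sub(/.*:/, "", port)        # text after the last ":" of Local Address
      prog = $NF; sub(/^[0-9]+\//, "", prog) # strip the "PID/" prefix from PID/Program name
      if (!(prog in ok)) print $1, port, prog
    }'
}

# Run against the constructed sample. On a live system, replace the printf with:
#   sudo netstat -tulnp | report_unexpected "$EXPECTED_PROGRAMS"
printf '%s\n' "$SAMPLE" | report_unexpected "$EXPECTED_PROGRAMS"
```

Against the sample this prints the sshd and dropbox sockets and stays silent about cupsd, avahi-daemon (including its unnamed high port) and dhclient. Filtering by owning program rather than by port number is deliberate: as the post shows with port 38142, a legitimate daemon may open a port that has no well-known name, and lsof or netstat -p is what ties the number back to the program.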


  5 Responses to “Simple security by evaluating open ports”

  1. Thank you for making it simple and clear

  2. >The output will be lengthy, but we’re really only interested in the top section.

    So, if you are not interested in Unix socket connections, why are you not using the option to hide them in the output?

    It is very simple:
    -t -> TCP
    -u -> UDP
    -w -> RAW
    -x -> Unix socket
    -a -> waiting connections are also shown

    So, in this case you can use simply
    netstat -tuwa

  3. Well, you could filter the list with:
    netstat -at (only show tcp connections)
    netstat -au (only show udp connections)

    You can also see the pid to which the socket belongs with
    netstat -atp (for tcp)
    netstat -aup (for udp)

    And you can disable translation (for ip addr and ports – so mdns should show up as udp/53)
    netstat -aunp (for udp)
    netstat -atnp (for tcp)


  4. Thanks for that, had :17500 on mine? Turned out to be Dropbox.

  5. very simple and clear post
