Article by Dominique Cimafranca, first published on his blog about Ubuntu and Linux in general.
A simple but effective procedure for evaluating security on your computer is to check which sites it is connecting to, and which sites are connecting to it. Much of the most damaging malware today turns computers into zombies for botnets — typically a zombified host connects to a central server using IRC. Or it could be that you are inadvertently running a program that is listening for Internet requests. In any case, it is good to check these connections.
In TCP/IP, connections happen by way of ports. A port is a number that uniquely identifies a connection. Some ports are well-known and usually identified with a service, e.g. port 80 for HTTP requests.
To see what ports are open, i.e., what connections your computer currently has, use the netstat -a command.
The output will be lengthy, but we’re really only interested in the top section. An example from my own computer:
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 aspire.local:49132      tc-in-f19.google.co:www TIME_WAIT
tcp        0      0 aspire.local:60227      tx-in-f103.google.c:www ESTABLISHED
udp        0      0 aspire.local:33954      58.69.254.67:domain     ESTABLISHED
udp        0      0 *:bootpc                *:*
udp        0      0 aspire.local:42088      58.69.254.68:domain     ESTABLISHED
udp        0      0 *:mdns                  *:*
udp        0      0 *:38142                 *:*
What does this say? That my computer is currently connected to web servers (the :www entries) and is making DNS requests (:domain). These are the entries which are simpler to understand. But what of the others?
- :ipp is the port used by the printer daemon
- :mdns is used for local multicast DNS
- :bootpc is for DHCP client requests
These are the ports that a default Ubuntu installation listens on. :ipp is opened by cupsd, and :mdns and :bootpc by avahi.
But what of that open port 38142? How come it’s not identified? You can check it by running
sudo lsof -i :38142
You’ll see that it’s also owned by the Avahi daemon. Just what is Avahi?
Avahi is a system which facilitates service discovery on a local network. This means that you can plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared. This kind of technology is already found in Apple MacOS X (branded Rendezvous, Bonjour and sometimes Zeroconf) and is very convenient. Avahi is mainly based on Lennart Poettering’s flexmdns mDNS implementation for Linux which has been discontinued in favour of Avahi.
So, in a default Ubuntu installation, the only open ports should be those of the printer daemon and Avahi. The other usual connections are for HTTP and DNS. Anything else that you cannot account for should be treated as suspect.
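As an added example, not part of the original article, the following Python script automates the check described above: it reads the top section of netstat -a output, keeps only the sockets that are listening, and flags any port that is not on the expected default-Ubuntu baseline (ipp, mdns, bootpc). The sample input is constructed to mirror the output shown in the article, plus one extra line in the numeric form that netstat -n prints, so the parser handles both named and numbered ports. The baseline set and the small service-name table are assumptions drawn from the article, not from any Ubuntu package.

```python
"""Flag listening sockets in `netstat -a` output that are not on a baseline.

Added example; the sample below is constructed to mirror the article's output.
"""
from typing import NamedTuple

# Port <-> service names for the services the article mentions. netstat prints a
# name when /etc/services knows the port and a number otherwise (always a number
# with -n), so the parser accepts both and normalizes to a number. (Assumed table.)
KNOWN_SERVICES = {"www": 80, "domain": 53, "ipp": 631, "mdns": 5353, "bootpc": 68}
PORT_TO_NAME = {port: name for name, port in KNOWN_SERVICES.items()}

# What a default Ubuntu install is expected to listen on, per the article:
# cupsd (ipp) and avahi (mdns, bootpc). Assumed baseline; adjust for your host.
DEFAULT_BASELINE = {631, 5353, 68}

# Constructed sample: the article's output plus one numeric (netstat -n style) line.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 aspire.local:49132      tc-in-f19.google.co:www TIME_WAIT
tcp        0      0 aspire.local:60227      tx-in-f103.google.c:www ESTABLISHED
udp        0      0 aspire.local:33954      58.69.254.67:domain     ESTABLISHED
udp        0      0 *:bootpc                *:*
udp        0      0 aspire.local:42088      58.69.254.68:domain     ESTABLISHED
udp        0      0 *:mdns                  *:*
udp        0      0 *:38142                 *:*
tcp        0      0 0.0.0.0:17500           0.0.0.0:*               LISTEN
"""


class Socket(NamedTuple):
    proto: str
    local_host: str
    local_port: int
    foreign: str
    state: str  # empty for UDP entries, which print no state column


def port_number(token: str) -> int:
    """Convert the ':port' part of a netstat address to an int ('*' becomes 0)."""
    if token == "*":
        return 0
    if token.isdigit():
        return int(token)
    if token in KNOWN_SERVICES:
        return KNOWN_SERVICES[token]
    raise ValueError(f"unknown service name {token!r}")


def parse_netstat(text: str) -> list:
    """Parse the Internet-socket section of `netstat -a` into Socket records."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, blank lines and the 'unix' socket section.
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto, _recv_q, _send_q, local, foreign = fields[:5]
        state = fields[5] if len(fields) > 5 else ""
        host, _, port = local.rpartition(":")  # rpartition copes with IPv6 '::'
        sockets.append(Socket(proto, host, port_number(port), foreign, state))
    return sockets


def is_listening(sock: Socket) -> bool:
    """TCP listeners carry the LISTEN state; UDP shows a wildcard peer instead."""
    if sock.proto.startswith("tcp"):
        return sock.state == "LISTEN"
    return sock.foreign in ("*:*", "0.0.0.0:*", ":::*")


def audit(text: str, baseline=DEFAULT_BASELINE) -> dict:
    """Return {port: verdict} for every listening socket in the netstat output."""
    verdicts = {}
    for sock in parse_netstat(text):
        if is_listening(sock):
            verdicts[sock.local_port] = "baseline" if sock.local_port in baseline else "REVIEW"
    return verdicts


if __name__ == "__main__":
    for port, verdict in sorted(audit(SAMPLE).items()):
        label = PORT_TO_NAME.get(port, str(port))
        print(f"{label:>8} ({port:5d}): {verdict}")
        if verdict == "REVIEW":
            # The article's next step for an unidentified port:
            print(f"          check with: sudo lsof -i :{port}")
```

On a real machine, pipe the live output in (netstat -a | python3 audit.py with the script adapted to read sys.stdin) and keep DEFAULT_BASELINE in step with whatever you deliberately run; the point of the script is that every port not in that set gets the lsof treatment rather than being skimmed past.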
Thank you for making it simple and clear
>The output will be lengthy, but we’re really only interested in the top section.
So, if you are not interested in Unix socket connections, why are you not using the option to hide them in the output?
It is very simple:
-t -> TCP
-u -> UDP
-w -> RAW
-x -> Unix socket
-a -> waiting connections are also shown
So, in this case you can use simply
netstat -tuwa
Well, you could filter the list with:
netstat -at (only show tcp connections)
netstat -au (only show udp connections)
You can also see the pid to which the socket belongs with
netstat -atp (for tcp)
netstat -aup (for udp)
And you can disable translation (for ip addr and ports – so mdns should show up as udp/53)
netstat -aunp (for udp)
netstat -atnp (for tcp)
Regards
Thanks for that, had :17500 on mine? Turned out to be Dropbox.
very simple and clear post