topic Re: Is the system really secure in Operating System - HP-UX

Is the system really secure

Asad Malik — Mon, 27 Nov 2000 22:18:13 GMT

Hi
We are running a trusted system. If I run netstat -n command, it will show only connection that are in ?Established? shown in ? state? column and socket (IP address.port#) is shown under the column ?Foreign Address?. If I run netstat command with options -an then I see under foreign address *.* and status is LISTEN. Are these the passive sockets and is not a security threat to the system?
Any explanation will be appreciated.

Thanks

Re: Is the system really secure

Kofi ARTHIABAH — Mon, 27 Nov 2000 22:53:33 GMT

Asad:

The system may not necessarily be secure... when you run netstat -an you get a listing telling you what services are running (are listening) any service (look under Local Address) that has a LISTEN against it is a service running.

you can use the lsof tool to determine what process own what sockets.

ESTABLISHED only shows up when there is an actual connection to the port between the localhost and the remote host.

do a man on netstat for more details on what each of the statuses means.

Re: Is the system really secure

Asad Malik — Tue, 28 Nov 2000 01:36:24 GMT

In the column "Local Address" of netstat -an command, if it shows like this *.49263 or *.53341 and these port numbers does not exists in the /etc services file. Will there be a connection?
Does the service has to be mentioned in /etc/services file and configured in /etc/inetd.conf file.

Re: Is the system really secure

Kofi ARTHIABAH — Tue, 28 Nov 2000 05:28:47 GMT

Asad:

Yes, there is a program running that is listening on ports 49263 and 53341- it is not necessary for the port to be listed in /etc/services or listed in inetd.conf before it is used by a program.

The way to confirm what program is listening on the identified ports, download lsof from http://hpux.ee.ualberta.ca/hppd/hpux/Sysadmin/lsof-4.51/
you can use lsof to determine what files and ports are opened but what process.

Re: Is the system really secure

CHRIS_ANORUO — Tue, 28 Nov 2000 12:03:14 GMT

In addition to Kofi's contribution, the ports in use both for local addresses and foreign addresses are the numbers after the addresses. (e.g. w.x.y.z.number). Where w.x.y.z is ip address.

Re: Is the system really secure

Asad Malik — Tue, 28 Nov 2000 13:27:39 GMT

Hi Guys
One last point to clear. if a port is open and state is LISTEN, will a connection only be established on that port for the service that is configured in /etc/inetd.conf file.
Or the said port can be used to access the system in some other way.

Re: Is the system really secure

Kofi ARTHIABAH — Tue, 28 Nov 2000 13:37:50 GMT

Once the port is open, it does not have to be defined in /etc/inetd.conf before it can be connected to remotely.

if you do a
telnet localhost port
(where port is the port number it is listening on) you should get a connection - the results might not mean anything to you if you do not know what program is running on that port... that is why if you use lsof to find out what is running on that port, you can better know what to expect.