Stop diagmond from opening port 1508?

SOLVED
Tom Ward_1
Honored Contributor

Stop diagmond from opening port 1508?

The configuration file for diagmond listed in the man page has comments about using
LOCAL_ONLY_ENABLE 1
to stop connections except from the unit under test.

I've made this change, but find that port 1508 is still open.
>netstat -na |grep 1508
tcp 0 0 *.1508 *.* LISTEN

I'm missing something, so what does "LOCAL_ONLY_ENABLE 1" do?

Network scans frequently kill diagmond, and I'd sure like to put a stop to that. Any suggestions?

15 REPLIES
Michael Steele_2
Honored Contributor

Re: Stop diagmond from opening port 1508?

Hi

Well, here's a couple of things:

"...NOTE (July 01): This enhancement was not completely implemented in the June release. The complete implementation appears in the Sept 01 release.
Enhanced diagmond so that it can be configured to only accept connections and requests from the local system -- any requests from a remote system will be rejected. The new configuration parameter is in the /var/stm/config/sys/diagmond.cfg file. It is called LOCAL_ONLY_ENABLE. If it is set to 1, only local connections are allowed. If it is set to 0, local and remote connections are allowed. By default, it is set to 0. ..."

http://docs.hp.com/en/diag/stm/str_0106_11.htm

Question: Are your online diags June 2001 or later?
Support Fatherhood - Stop Family Law
SUDHAKAR_18
Trusted Contributor

Re: Stop diagmond from opening port 1508?

/sbin/init.d/diagnostic stop
/sbin/init.d/diagnostic start
Tom Ward_1
Honored Contributor

Re: Stop diagmond from opening port 1508?

The version of STM we have is Version A.49.30. From swlist
# swlist | grep -i OnlineDiag
OnlineDiag B.11.11.16.09 HPUX 11.11 Support Tools Bundle, Sep 2005


While not listed at
http://docs.hp.com/en/diag/stm/stm_upd.htm
version A.49.10 is and that is from Sept 2005.

I realize this is not the latest, but it is 10 years after the product came out. You'd think a bug, if there is one, with the LOCAL_ONLY_ENABLE feature would have come to light in that time.

I have cycled diagnostics after updating the configuration file. My process is to
1) Edit the configuration file.
2) Restart diagnostics.
3) Verify that remote connections to diagmond fail. I just did a telnet to host on port 1508.

Everything looked good. I was well into my change when I started to suspect something was wrong. It seems that diagmond doesn't open port 1508 right away. I think it scans the hardware first and then opens the port. I was getting connection refused not because diagmond did not open a port, but because it had not YET opened a port. Coming back to the updated host a few minutes later showed the port was open.

I don't care if diagmond opens port 1508, but I'd sure like to get it listening only on localhost instead of the network interfaces.
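Added example, not part of the original thread and not HP tooling: a shell check for the pitfall described in the post above, where a "connection refused" right after a restart only means the port is not open yet. It classifies the listener from `netstat -an` output in the `<addr>.<port>` format shown in this thread and polls until the port appears; the function names, the polling parameters and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Parses HP-UX style `netstat -an` lines as shown in this thread,
# where the local address is printed as <addr>.<port> (e.g. *.1508).

# classify_listener PORT: read netstat output on stdin, print how PORT is bound:
# wildcard | address:<ip> | loopback | closed (most exposed state wins).
classify_listener() {
    awk -v port="$1" '
        $NF == "LISTEN" {
            n = match($4, /\.[0-9]+$/)              # port follows the last dot
            if (n == 0 || substr($4, n + 1) != port) next
            addr = substr($4, 1, n - 1)
            if (addr == "*" || addr == "0.0.0.0") wild = 1
            else if (addr ~ /^127\./) loop = 1
            else other = addr
        }
        END {
            if (wild) print "wildcard"
            else if (other != "") print "address:" other
            else if (loop) print "loopback"
            else print "closed"
        }'
}

# wait_for_listener PORT TRIES DELAY CMD...: poll CMD until PORT is listening.
# "closed" straight after a restart is not evidence of a loopback-only bind.
wait_for_listener() {
    port=$1; tries=$2; delay=$3; shift 3
    while [ "$tries" -gt 0 ]; do
        state=$("$@" | classify_listener "$port")
        if [ "$state" != "closed" ]; then echo "$state"; return 0; fi
        tries=$((tries - 1))
        if [ "$tries" -gt 0 ]; then sleep "$delay"; fi
    done
    echo "closed"; return 1
}

# Constructed sample output (not captured from a real host).
sample_netstat() {
    printf '%s\n' \
        'tcp 0 0 127.0.0.1.1508 *.* LISTEN' \
        'tcp 0 0 127.0.0.1.64531 127.0.0.1.1508 TIME_WAIT' \
        'tcp 0 0 *.60669 *.* LISTEN'
}

# On a real host (assumed invocation): wait_for_listener 1508 30 10 netstat -an
sample_netstat | classify_listener 1508
```

Only a "loopback" result returned after the listener has actually appeared confirms a local-only bind; "wildcard" or "address:<ip>" means the port is reachable from the network.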
Michael Steele_2
Honored Contributor

Re: Stop diagmond from opening port 1508?

Hi

Can you 'lsof' the port?
Support Fatherhood - Stop Family Law
Tom Ward_1
Honored Contributor

Re: Stop diagmond from opening port 1508?

# lsof -i |grep diagmond
diagmond 28825 root 4u inet 0xa361ce80 0t0 TCP *:60669 (LISTEN)
diagmond 28825 root 5u inet 0xa3374e80 0t0 TCP *:diagmond (LISTEN)
# grep diagmond /etc/services
diagmond 1508/tcp # Diagnostic System Manager

I didn't realize that 60669 was opened by diagmond as well as 1508.

Tom Ward_1
Honored Contributor

Re: Stop diagmond from opening port 1508?

I can't say it is an easy 10 points, but I'd sure love to give someone points for this.

I have multiple servers with Version A.49.30. I've found one that listens only on localhost.

The config file, /var/stm/config/sys/diagmond.cfg, has nothing but the default, yet the server is listening on 127.0.0.1 port 1508.

>netstat -na |grep 1508
tcp 0 0 127.0.0.1.1508 *.* LISTEN
tcp 0 0 127.0.0.1.64531 127.0.0.1.1508 TIME_WAIT
tcp 0 0 127.0.0.1.64533 127.0.0.1.1508 TIME_WAIT

Two others listen on their network IP instead. Binaries match. Very strange.
Laurent Menase
Honored Contributor

Re: Stop diagmond from opening port 1508?

>netstat -na |grep 1508
tcp 0 0 127.0.0.1.1508 *.* LISTEN
tcp 0 0 127.0.0.1.64531 127.0.0.1.1508 TIME_WAIT
tcp 0 0 127.0.0.1.64533 127.0.0.1.1508 TIME_WAIT

In fact they are not listening but in timewait,
so it means a client process connected to diagmond and both sides have been closed.

- (client closed first, then diagmond closed)
So there is no problem there.

1 socket is in listen state (the one owned by diagmond on which it accepts client connections)
Tom Ward_1
Honored Contributor

Re: Stop diagmond from opening port 1508?

I agree that
tcp 0 0 127.0.0.1.1508 *.* LISTEN

is no problem. This is what I want. Unfortunately what I get on almost every host is
>netstat -na |grep 1508
tcp 0 0 *.1508 *.* LISTEN

I have one host that shows
127.0.0.1 instead of *, so I know it can work that way. I'll be darned if I can figure out how. The configuration file is the same on both hosts.

I am stumped!
Michael Steele_2
Honored Contributor

Re: Stop diagmond from opening port 1508?

Hi

Let's look at the localhost entry in the /etc/hosts file. This is a reserved IP address, 127.0.0.1, and is always configured the same way in every hosts file.
Support Fatherhood - Stop Family Law
2xyo
Frequent Advisor

Re: Stop diagmond from opening port 1508?

Dear,

I have the same problem:
# swlist | grep -i OnlineDiag
OnlineDiag B.11.11.16.09 HPUX 11.11 Support Tools Bundle, Sep 2005

# /sbin/init.d/diagnostic stop
# /sbin/init.d/diagnostic start
# netstat -an|grep 1508
# netstat -an|grep 1508
# netstat -an|grep 1508
tcp 0 0 *.1508 *.* LISTEN

After a short time, the port is open...
Is there a solution to listen on localhost only?
Michael Steele_2
Honored Contributor

Re: Stop diagmond from opening port 1508?

2xyo

You need to open a new posting

a) This is Tom's posting
b) This is from last October
Support Fatherhood - Stop Family Law
Ronald Helzer
Occasional Visitor

Re: Stop diagmond from opening port 1508?

Regardless if the post is from last October, the problem persists with no solution given.

I can verify I see the same issue: despite setting LOCAL_ONLY_ENABLE to 1, diagmond insists on opening TCP port 1508 and another seemingly random TCP port to the world.

Regulatory compliance mandates these ports be closed. I'd rather not have to turn off diagmond to meet the mandate.
Matti_Kurkela
Honored Contributor

Re: Stop diagmond from opening port 1508?

Consider installing IPFilter and using it to block all incoming external connections to non-essential services.

That should fulfill your regulatory requirements, whether or not diagmond can be persuaded to listen to 127.0.0.1 only.

MK
Michael Steele_2
Honored Contributor
Solution

Re: Stop diagmond from opening port 1508?

Hi

Ronald "..Regulatory compliance mandates these ports be closed. I'd rather not have to turn off diagmond to meet the mandate..."

I was wondering what references?

diagmond has been a standard online diagnostics daemon for many, many years. Over a decade I'm sure.

I can't see blocking any port that would interfere with the collection of alarm messages from the server. I am certain that any HP CE would say that diagmond needs to be up and running lest it prevent them from diagnosing a problem.

If you are suggesting turning off diagmond then the result would be much prolonged downtime from unexpected outages.
Support Fatherhood - Stop Family Law
Tom Ward_1
Honored Contributor

Re: Stop diagmond from opening port 1508?

I gave up on this. MAYBE, that's a big maybe, having the latest diagnostics will fix this. We have some systems that listen only to localhost, but others that do not.