07-18-2006 09:24 PM
Non desired connections
Below is the output of the netstat command. I would like to understand these kinds of lines.
What is the meaning of ESTABLISHED? Does it mean that a connection is actually operational and in use by a client/user? I would especially like to understand the last line of this output ... globe.echo ....
Globe is the name of the server, but what is the meaning of the .echo after its name?
Any information is welcome!!
Thanks in advance.
Roland
$ netstat -f inet
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 globe.1521 globe.60167 ESTABLISHED
tcp 0 0 localhost.50912 localhost.50916 ESTABLISHED
tcp 0 2 globe.telnet 10.45.2.241.2691 ESTABLISHED
tcp 0 0 globe.login anubis.fabricom-gti.corp.local.1016
ESTABLISHED
tcp 0 0 localhost.50916 localhost.50912 ESTABLISHED
tcp 0 0 localhost.50912 localhost.50915 ESTABLISHED
tcp 0 0 globe.login kheops.fabricom-gti.corp.local.1018
ESTABLISHED
tcp 0 0 localhost.50912 localhost.50920 ESTABLISHED
tcp 0 0 localhost.50918 localhost.50912 ESTABLISHED
tcp 0 0 localhost.50912 localhost.50917 ESTABLISHED
tcp 0 0 localhost.50915 localhost.50912 ESTABLISHED
tcp 0 0 globe.registrar globe.50909 ESTABLISHED
tcp 0 0 localhost.50920 localhost.50912 ESTABLISHED
tcp 0 0 localhost.50912 localhost.50918 ESTABLISHED
tcp 0 0 localhost.50919 localhost.50912 ESTABLISHED
tcp 0 0 globe.60167 globe.1521 ESTABLISHED
tcp 0 0 globe.50909 globe.registrar ESTABLISHED
tcp 0 0 localhost.50917 localhost.50912 ESTABLISHED
tcp 0 0 localhost.50912 localhost.50919 ESTABLISHED
tcp 0 0 globe.echo 10.46.37.65.1350 ESTABLISHED
07-18-2006 10:00 PM
Re: Non desired connections
1521 is an Oracle listener, it seems?
For more information, look at:
www.iana.org/assignments/port-numbers
regards
L-DERLYN
07-18-2006 10:16 PM
Re: Non desired connections
ESTABLISHED means a connection exists, it's active and is currently not in the process of being timed out.
As noted, port 1521 is usually Oracle.
What is the primary purpose of this machine, and why do you believe these connections are undesirable?
To use a system, a process generally connects.
It's part of the process of getting services from a server.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
07-18-2006 11:28 PM
Re: Non desired connections
This line:
tcp 0 0 globe.echo 10.46.37.65.1350 ESTABLISHED
tells you that there is a connection established from the host with IP address 10.46.37.65 to your server's echo port, which is usually 7/tcp and 7/udp. 'globe.echo' is merely a convenience, and is just an alias for 'globe.7' (if you're using the default echo port). Have a look at '/etc/services' for a listing of your other port aliases.
# grep echo /etc/services
echo 7/tcp # Echo
echo 7/udp #
The echo service is a debugging and measurement tool that echoes any data it receives back to the sender. Consult RFC 862 for more information.
PCS
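Added example, not part of the original post: a small parser for the HP-UX `netstat -f inet` layout shown in this thread, which resolves service aliases such as `.echo` through an /etc/services-style table and lists remote peers connected to inetd's small services. The sample input, the `LOCAL_NAMES` set and all function names are constructed for illustration.

```python
# Constructed inputs in the formats shown in the thread (not captured data).
SERVICES = """\
echo     7/tcp    # Echo
telnet   23/tcp
login    513/tcp
"""
NETSTAT = """\
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 globe.1521 globe.60167 ESTABLISHED
tcp 0 2 globe.telnet 10.45.2.241.2691 ESTABLISHED
tcp 0 0 globe.login anubis.fabricom-gti.corp.local.1016
ESTABLISHED
tcp 0 0 globe.echo 10.46.37.65.1350 ESTABLISHED
"""
SMALL_SERVICES = {7, 9, 13, 19}       # echo, discard, daytime, chargen
LOCAL_NAMES = {"globe", "localhost"}  # assumption: this server's own names

def load_services(text):
    """Map (name, proto) -> port number from /etc/services-style text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            table[(fields[0], proto)] = int(port)
    return table

def split_endpoint(endpoint, services):
    """'host.port' -> (host, port number); the port follows the LAST dot."""
    host, _, port = endpoint.rpartition(".")
    return host, int(port) if port.isdigit() else services.get((port, "tcp"))

def parse_tcp(text, services):
    """Parse TCP rows, rejoining rows whose state wrapped onto the next line."""
    rows, pending = [], []
    for line in text.splitlines():
        pending += line.split()
        if pending[:1] != ["tcp"]:
            pending = []              # header or non-TCP line
        elif len(pending) >= 6:
            local, remote = (split_endpoint(e, services) for e in pending[3:5])
            rows.append({"local": local, "remote": remote, "state": pending[5]})
            pending = []
    return rows

def remote_small_service_peers(rows):
    """ESTABLISHED peers from other hosts on echo/discard/daytime/chargen."""
    return [(r["remote"][0], r["local"][1]) for r in rows
            if r["state"] == "ESTABLISHED" and r["local"][1] in SMALL_SERVICES
            and r["remote"][0] not in LOCAL_NAMES]
```

Splitting on the last dot is what keeps dotted IP addresses and fully qualified host names intact while still isolating the port or service alias.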
07-18-2006 11:44 PM
Re: Non desired connections
Thanks, but I know that 1521 is used by Oracle.
Shalom Steven,
I have a doubt about a user on 10.46.37.65, because yesterday I saw in all my syslog files that someone polled all my servers for many hours to get a connection through the telnet & ftp protocols, with an interval of +/- 30s.
.... syslog extract .....
Jul 18 10:01:10 kheops telnetd[10376]: getpid: peer died: Error 0
Jul 18 10:01:10 kheops ftpd[10378]: FTP session closed
Jul 18 10:01:40 kheops telnetd[10410]: getpid: peer died: Error 0
Jul 18 10:01:40 kheops ftpd[10411]: FTP session closed
Jul 18 10:02:10 kheops telnetd[10455]: getpid: peer died: Error 0
.....
Now I see on a server that a socket is given to somebody and I cannot identify the process related to this socket. I would like to know what this guy can do through this socket. How can I close it with an external system command? What is the ".echo" suffix on the server name?
Roland
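Added example, not part of the original post: one way to check a syslog extract like the one above for connection attempts that arrive at a fixed interval, by grouping events per host and daemon and measuring the jitter of the gaps between them. The log lines beyond the posted extract, the `globe` lines, the year and the thresholds are constructed assumptions.

```python
import re
from datetime import datetime
from statistics import pstdev

# Constructed sample in the format of the syslog extract in the thread.
SYSLOG = """\
Jul 18 10:01:10 kheops telnetd[10376]: getpid: peer died: Error 0
Jul 18 10:01:10 kheops ftpd[10378]: FTP session closed
Jul 18 10:01:40 kheops telnetd[10410]: getpid: peer died: Error 0
Jul 18 10:01:40 kheops ftpd[10411]: FTP session closed
Jul 18 10:02:10 kheops telnetd[10455]: getpid: peer died: Error 0
Jul 18 10:02:10 kheops ftpd[10456]: FTP session closed
Jul 18 10:02:40 kheops telnetd[10490]: getpid: peer died: Error 0
Jul 18 10:02:40 kheops ftpd[10491]: FTP session closed
Jul 18 09:12:03 globe telnetd[2211]: getpid: peer died: Error 0
Jul 18 09:40:51 globe telnetd[2380]: getpid: peer died: Error 0
Jul 18 11:05:17 globe telnetd[3102]: getpid: peer died: Error 0
Jul 18 11:06:02 globe telnetd[3110]: getpid: peer died: Error 0
"""

# timestamp, host, daemon name (the PID in brackets is ignored)
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\w+)\[\d+\]: ")

def periodic_sources(text, year=2006, min_events=4, max_jitter=2.0):
    """Return {(host, daemon): mean gap in seconds} for fixed-interval events.

    syslog timestamps carry no year, so one is supplied (assumption).
    A group is flagged when it has at least min_events events and the
    standard deviation of the gaps between them is at most max_jitter seconds.
    """
    times = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            times.setdefault((m.group(2), m.group(3)), []).append(ts)
    flagged = {}
    for key, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_events and pstdev(gaps) <= max_jitter:
            flagged[key] = sum(gaps) / len(gaps)
    return flagged
```

A near-zero jitter points to an automated client such as a script or a monitoring tool rather than a person; these log lines carry no peer address, so identifying the source still needs a connection listing or inetd connection logging.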
07-18-2006 11:48 PM
Re: Non desired connections
Thanks for this information on the .echo port.
Is a process running on my server which will answer this echo request? What is the load or resource usage for it?
Roland
07-19-2006 12:34 AM
Re: Non desired connections
grep 'echo' /etc/inetd.conf
Echo will typically consume very little cpu if used as a debug tool, but your server can be flooded by incoming echo requests, which become a DoS attack. That is what they can do with echo.
If your server is on a public network or the internet then you must install a separate firewall as soon as possible. There are kids or criminals all over the world who run scripted attacks on servers, most commonly trying to guess the passwords for usernames like root and oracle (your telnet connections?), but also trying to exploit known bugs in ssh and webservers. I have seen this evidence myself.
07-19-2006 01:02 AM
Re: Non desired connections
This user is in our LAN, which is protected with a firewall. But for internal user ....
I tried setting up the inetd.sec file to deny access for this IP address, restarting inetd after commenting out the echo lines, and also stopping the inetd daemon, but the connection remains ESTABLISHED. How can I kick this connection out?
Roland
07-19-2006 02:24 AM
Re: Non desired connections
Install lsof if you don't already have it. It's really an invaluable tool. You can get it here:
http://hpux.connect.org.uk/hppd/hpux/Sysadmin/lsof-4.77/
# lsof -i :7
will give you the pid using tcp/udp 7. Then:
# kill
PCS
07-19-2006 07:57 PM
Re: Non desired connections
For servers which run 11.0 I can't find a depot, so for this release I need to compile the package, don't I?
For 11.11, I have installed the depot and got an error:
Unknow owner and/or group file "/usr/local/bin/lsof".
SUID and/or SGID bit was not set.
In any case, the command works.
Below you will find the result of the commands lsof -i :7 ; netstat -f inet
I cannot find a relation between the last line of the netstat output, where the address 10.46.37.65 is displayed, and the result of the lsof command. How can that be? A line is ESTABLISHED and no process is shown by lsof.
My output:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
netfmt 616 root 17u IPv4 0x4292cc40 0t0 TCP *:echo (LISTEN)
netfmt 616 root 18u IPv4 0x42d8a380 0t0 UDP *:echo (Idle)
inetd 739 root 17u IPv4 0x4292cc40 0t0 TCP *:echo (LISTEN)
inetd 739 root 18u IPv4 0x42d8a380 0t0 UDP *:echo (Idle)
rep_serve 2600 root 17u IPv4 0x4292cc40 0t0 TCP *:echo (LISTEN)
rep_serve 2600 root 18u IPv4 0x42d8a380 0t0 UDP *:echo (Idle)
agdbserve 2601 root 17u IPv4 0x4292cc40 0t0 TCP *:echo (LISTEN)
java 10777 root 17u IPv4 0x4292cc40 0t0 TCP *:echo (LISTEN)
java 10777 root 18u IPv4 0x42d8a380 0t0 UDP *:echo (Idle)
oracle 16124 oracle 17u IPv4 0x4292cc40 0t0 TCP *:echo (LISTEN)
oracle 16124 oracle 18u IPv4 0x42d8a380 0t0 UDP *:echo (Idle)
oracle 16126 oracle 17u IPv4 0x4292cc40 0t0 TCP *:echo (LISTEN)
oracle 16126 oracle 18u IPv4 0x42d8a380 0t0 UDP *:echo (Idle)
oracle 16128 oracle 17u IPv4 0x4292cc40 0t0 TCP *:echo (LISTEN)
oracle 16128 oracle 18u IPv4 0x42d8a380 0t0 UDP *:echo (Idle)
oracle 16130 oracle 17u IPv4 0x4292cc40 0t0 TCP *:echo (LISTEN)
oracle 16130 oracle 18u IPv4 0x42d8a380 0t0 UDP *:echo (Idle)
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 globe.1521 globe.60167 ESTABLISHED
tcp 0 0 localhost.50912 localhost.50916 ESTABLISHED
tcp 0 0 globe.login anubis.fabricom-gti.corp.local.1016
ESTABLISHED
tcp 0 0 localhost.50916 localhost.50912 ESTABLISHED
tcp 0 0 localhost.50912 localhost.50915 ESTABLISHED
tcp 0 0 globe.login kheops.fabricom-gti.corp.local.1018
ESTABLISHED
tcp 0 0 localhost.50912 localhost.50920 ESTABLISHED
tcp 0 0 localhost.50918 localhost.50912 ESTABLISHED
tcp 0 0 localhost.50912 localhost.50917 ESTABLISHED
tcp 0 0 localhost.50915 localhost.50912 ESTABLISHED
tcp 0 0 globe.registrar globe.50909 ESTABLISHED
tcp 0 0 localhost.50920 localhost.50912 ESTABLISHED
tcp 0 0 localhost.50912 localhost.50918 ESTABLISHED
tcp 0 0 localhost.50919 localhost.50912 ESTABLISHED
tcp 0 0 globe.60167 globe.1521 ESTABLISHED
tcp 0 0 globe.50909 globe.registrar ESTABLISHED
tcp 0 0 localhost.50917 localhost.50912 ESTABLISHED
tcp 0 0 localhost.50912 localhost.50919 ESTABLISHED
tcp 0 0 globe.echo 10.46.37.65.1350 ESTABLISHED
Thanks,
Roland