Operating System - HP-UX
What are TCP small services

SOLVED
Gord Moore
Frequent Advisor

What are TCP small services

For a Security review, I have to disallow TCP small services if I am not using them.

What are they (I can't seem to find a complete list) ?
How do I tell if they are being used, as opposed to just being turned on?
How do I turn them off so I am sure that they won't get turned back on?



10 REPLIES
James R. Ferguson
Acclaimed Contributor

Re: What are TCP small services

Hi:

I suspect you mean services like 'daytime', 'echo', 'chargen'. You can comment out these in '/etc/inetd.conf'.

Regards!

...JRF...
Patrick Wallek
Honored Contributor

Re: What are TCP small services

I am not entirely sure what you mean by "TCP small services".

Any TCP or UDP services that you do not want to use can be turned off via /etc/services and /etc/inetd.conf files. Just comment out the appropriate lines in the files and do an 'inetd -c' to have inetd re-read the config files.
Uday_S_Ankolekar
Honored Contributor

Re: What are TCP small services

TCP small services are echo, chargen, daytime, time and discard; the Berkeley r* services, talk, etc. You can configure them in inetd.conf. Start by removing all services from inetd.conf and then restart inetd daemon.

Check the netstat command for more information.
Good Luck,
-USA..
Good Luck..
Gord Moore
Frequent Advisor

Re: What are TCP small services

I'm glad to see others are confused too. I am not sure what TCP small services exactly are - that's why I was asking.

From what I see so far, the way to find out if people are using it is to turn it off and see what breaks.

I believe the netstat command just tells me what ports/services are open. Is there a way to monitor the usage?
Volker Borowski
Honored Contributor

Re: What are TCP small services

Hi,

tcp small servers
or
no tcp small servers

is a config line from Cisco IOS, which enables the previously named services on a Cisco router or switch.
I am not sure if this gives some kind of "copyright" for this phrase to Cisco.
I never heard this phrase in any context other than Cisco.

Maybe the audit guy is a Cisco fan :-)

Volker
Steven E. Protter
Exalted Contributor

Re: What are TCP small services

Never heard of small services.

Someone misspoke to you....
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Ron Kinner
Honored Contributor

Re: What are TCP small services

http://www.rhyshaden.com/ip_small.htm

lists IP small services, though some sources consider small services to be anything under port 20 plus port 37.

inetd -l
will turn on logging of connection attempts.

http://people.hp.se/stevesk/bastion.html

is a good reference to how to secure your system.

snort (www.snort.org) will do a good job of telling you who is doing things you might want to know about.

Ron
Uday_S_Ankolekar
Honored Contributor

Re: What are TCP small services

Use netstat -af or, if you have lsof, use lsof -i. You get more detailed info by using the lsof command.

Good Luck..
A. Daniel King_1
Super Advisor
Solution

Re: What are TCP small services

I've seen one other place where "little" services are mentioned:

http://netsecurity.ualr.edu/Tips/UNIX-1.htm

This is Solaris mainly, but the concepts apply.

Some services cannot be shut off in inetd.conf, and there are ports which can be shut off outside of the "small" or "little" range. All open ports which are visible to the outside world have their exploits.

Some services are started in the /sbin/rc hierarchy (sendmail, NFS, rpc, etc.) and some services are not mentioned in inetd.conf (xfs and X come to mind) at all.

echo is shut down in an entirely different manner from these above. See:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x432b36e69499d611abdb0090277a778c,00.html

I'd try this ndd command, but I'm not tinkering with my production HP today!

Ping (echo) is used by many monitoring programs, so be aware that disabling this may generate a "down server" response from your monitoring software.

I like nmap for port scanning my hosts just to see what is running, then coordinating this information back to lsof output to get additional information.

http://www.insecure.org/nmap/nmap_download.html

Even an old version of nmap would be useful, if you don't want to compile your own.

Let us know how it goes.
Command-Line Junkie
Bill Hassell
Honored Contributor

Re: What are TCP small services

Here is a list of the most common services that should be turned off. Virtually no modern system uses these ports so they should be disabled:

# uucp stream tcp nowait root /usr/sbin/uucpd uucpd
# ntalk dgram udp wait root /usr/lbin/ntalkd ntalkd
# daytime stream tcp nowait root internal
# daytime dgram udp nowait root internal
# time stream tcp nowait root internal
# time dgram udp nowait root internal
# echo stream tcp nowait root internal
# echo dgram udp nowait root internal
# discard stream tcp nowait root internal
# discard dgram udp nowait root internal
# chargen stream tcp nowait root internal
# chargen dgram udp nowait root internal

A few systems may need these services:

# tftp dgram udp wait root /usr/lbin/tftpd tftpd
# bootps dgram udp wait root /usr/lbin/bootpd bootpd
# finger stream tcp nowait bin /usr/lbin/fingerd fingerd
# kshell stream tcp nowait root /usr/lbin/remshd remshd -K
# klogin stream tcp nowait root /usr/lbin/rlogind rlogind -K
# dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
# rpc xti tcp swait root /usr/dt/bin/rpc.ttdbserver 100083 1 /usr/dt/bin/rpc.ttdbserver
# rpc dgram udp wait root /usr/dt/bin/rpc.cmsd 100068 2-5 rpc.cmsd
# recserv stream tcp nowait root /usr/lbin/recserv recserv -display :0

When it comes to security, I am ruthless--I turn off anything I don't know about and wait for a request or problem before turning it back on.


Bill Hassell, sysadmin
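An added example (not from any poster in this thread) that puts Patrick Wallek's "comment out the lines in /etc/inetd.conf" procedure and Bill Hassell's list of internal services together: it audits an inetd.conf-style file for the small services the thread names (echo, discard, daytime, chargen, time), reports which are still active and on which protocol, and writes a hardened copy with those lines commented out. The sample configuration is constructed here, and the script assumes POSIX sh with grep -E, awk and sed -E rather than HP-UX's own tools; after replacing the real file you would still run `inetd -c` as the thread describes.

```shell
#!/bin/sh
# Audit an inetd.conf-style file for the "small" internal services and
# produce a hardened copy. Service names come from the thread above;
# the sample file below is constructed for this example.

SMALL_SERVICES="echo discard daytime chargen time"

# Constructed HP-UX-style inetd.conf fragment (service sock proto wait user server args).
TMP_CONF=${TMPDIR:-/tmp}/inetd.conf.sample.$$
cat > "$TMP_CONF" <<'EOF'
ftp      stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet   stream tcp nowait root /usr/lbin/telnetd telnetd
echo     stream tcp nowait root internal
echo     dgram  udp nowait root internal
# discard stream tcp nowait root internal
daytime  stream tcp nowait root internal
chargen  dgram  udp nowait root internal
time     stream tcp nowait root internal
EOF

# Print "service/proto" for every small-service line in $1 that is NOT commented out.
# The anchored pattern means "time" does not match the "daytime" line.
list_enabled_small() {
    for svc in $SMALL_SERVICES; do
        grep -E "^[[:space:]]*$svc[[:space:]]" "$1" | awk -v s="$svc" '{ print s "/" $3 }'
    done
}

# Number of active small-service entries in $1 (0 means the file is clean).
count_enabled_small() {
    list_enabled_small "$1" | wc -l | tr -d ' '
}

# Copy $1 to $2 with every active small-service line commented out; all other
# lines, including ones already commented, are left exactly as they were.
disable_small() {
    pattern=$(echo $SMALL_SERVICES | sed 's/ /|/g')
    sed -E "s/^([[:space:]]*($pattern)[[:space:]])/# \1/" "$1" > "$2"
}

# Stand-alone run: report, harden, and re-check the hardened copy.
echo "Active small services in $TMP_CONF:"
list_enabled_small "$TMP_CONF"
disable_small "$TMP_CONF" "$TMP_CONF.hardened"
echo "Active after hardening: $(count_enabled_small "$TMP_CONF.hardened")"
# On a real host you would now install the hardened copy and run: inetd -c
```

Running the block against the sample lists five active entries (echo on tcp and udp, daytime/tcp, chargen/udp, time/tcp), leaves the already-commented discard line alone, and reports zero after hardening.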