[ale] xinetd config (RH7.2)

Gene Matthews gene at mmc-inc.com
Thu Feb 28 13:00:42 EST 2002


I tried disabled = yes and restarted xinetd, and I am still seeing way
too many services being listened for.

I have even stopped xinetd and then done 'netstat -l' and I still see
finger, echo, discard, etc. all having a state of "LISTEN".

Hmmm.  This is a relatively new (couple of weeks) RH7.2 upgrade.
Comparing the ps and netstat executables to my laptop (also RH7.2) they
look the same:

-r-xr-xr-x    1 root     root        63180 Aug 27  2001 /bin/ps
-rwxr-xr-x    1 root     root        83132 Jul 31  2001 /bin/netstat

I don't THINK I've been hacked.  Any ideas on how I find what is telling
it to listen to certain services if it isn't xinetd?

There isn't much running on this box:


# ps -ef 
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 12:46 ?        00:00:04 init [3] 
root         2     1  0 12:46 ?        00:00:00 [keventd]
root         3     1  0 12:46 ?        00:00:00 [kapm-idled]
root         4     0  0 12:46 ?        00:00:00 [ksoftirqd_CPU0]
root         5     0  0 12:46 ?        00:00:00 [kswapd]
root         6     0  0 12:46 ?        00:00:00 [kreclaimd]
root         7     0  0 12:46 ?        00:00:00 [bdflush]
root         8     0  0 12:46 ?        00:00:00 [kupdated]
root         9     1  0 12:46 ?        00:00:00 [mdrecoveryd]
root        13     1  0 12:46 ?        00:00:00 [kjournald]
root        79     1  0 12:46 ?        00:00:00 [khubd]
root       172     1  0 12:46 ?        00:00:00 [kjournald]
root       173     1  0 12:46 ?        00:00:00 [kjournald]
root       174     1  0 12:46 ?        00:00:00 [kjournald]
root       833     1  0 12:46 ?        00:00:00 syslogd -m 0
root       838     1  0 12:47 ?        00:00:00 klogd -2
root       944     1  0 12:47 ?        00:00:00 /usr/sbin/apmd -p 10 -w 5 -W -P /etc/sysconfig/apm-scripts/apmscript
root       981     1  0 12:47 ?        00:00:00 /usr/sbin/sshd
root      1031     1  0 12:47 ?        00:00:00 crond
daemon    1067     1  0 12:47 ?        00:00:00 /usr/sbin/atd
root      1084     1  0 12:47 ?        00:00:00 /usr/sbin/portsentry -tcp
root      1088     1  0 12:47 ?        00:00:00 /usr/sbin/portsentry -udp
root      1141     1  0 12:47 tty1     00:00:00 /sbin/mingetty tty1
root      1142     1  0 12:47 tty2     00:00:00 /sbin/mingetty tty2
root      1143     1  0 12:47 tty3     00:00:00 /sbin/mingetty tty3
root      1144     1  0 12:47 tty4     00:00:00 /sbin/mingetty tty4
root      1145     1  0 12:47 tty5     00:00:00 /sbin/mingetty tty5
root      1146     1  0 12:47 tty6     00:00:00 /sbin/mingetty tty6
root      1149   981  0 12:47 ?        00:00:00 /usr/sbin/sshd
gene      1150  1149  0 12:47 pts/0    00:00:00 -bash
root      1188  1150  0 12:47 pts/0    00:00:00 su -
root      1189  1188  0 12:47 pts/0    00:00:00 -bash
root      1338  1189  0 13:01 pts/0    00:00:00 ps -ef


Anyone have any ideas?

Thanks,

Gene

On Thu, 2002-02-28 at 12:08, James P. Kinney III wrote:
> Should be:
> 
> disabled = yes
> 
> On Thu, 2002-02-28 at 12:08, Gene Matthews wrote:
> > I'm trying to tighten down a RH7.2 box.  Below is what /etc/xinetd.conf
> > currently looks like.  I have added the 'disabled' line to the defaults
> > and sent a SIGUSR2 signal to the xinetd pid.  However, a lot of unwanted
> > services are still being listened for.  
> > 
> > 
> > defaults
> > {
> > 	disabled
> > 	instances               = 60
> >         log_type                = SYSLOG authpriv
> >         log_on_success		= HOST PID
> >         log_on_failure		= HOST
> > 	cps			= 25 30
> > 
> > }
> > 
> > includedir /etc/xinetd.d
> > 
> > 
> > 
> > The only thing enabled in /etc/xinetd.d/ is amanda.  However, a 'netstat
> > -l' still shows lots of stuff open. I know some things don't use
> > inetd/xinetd; they may have their own daemon (like sshd).  But finger,
> > echo, discard, etc. do (I think!).
> > 
> > Anyone have any pointers?  The 'disabled' flag should work if I'm
> > reading the man page correctly and sending the SIGUSR2 should reload
> > it.  I'm trying to avoid a reboot.
> > 
> > Thanks,
> > 
> > Gene
> > 
> > # netstat -l
> > Active Internet connections (only servers)
> > Proto Recv-Q Send-Q Local Address           Foreign Address         State
> > tcp        0      0 *:tcpmux                *:*                     LISTEN
> > tcp        0      0 *:20034                 *:*                     LISTEN
> > tcp        0      0 *:32771                 *:*                     LISTEN
> > tcp        0      0 *:32772                 *:*                     LISTEN
> > tcp        0      0 *:40421                 *:*                     LISTEN
> > tcp        0      0 *:32773                 *:*                     LISTEN
> > tcp        0      0 *:32774                 *:*                     LISTEN
> > tcp        0      0 *:31337                 *:*                     LISTEN
> > tcp        0      0 *:ircd                  *:*                     LISTEN
> > tcp        0      0 *:systat                *:*                     LISTEN
> > tcp        0      0 *:5742                  *:*                     LISTEN
> > tcp        0      0 *:imap                  *:*                     LISTEN
> > tcp        0      0 *:finger                *:*                     LISTEN
> > tcp        0      0 *:netstat               *:*                     LISTEN
> > tcp        0      0 *:54320                 *:*                     LISTEN
> > tcp        0      0 *:2000                  *:*                     LISTEN
> > tcp        0      0 *:ingreslock            *:*                     LISTEN
> > tcp        0      0 *:ssh                   *:*                     LISTEN
> > tcp        0      0 *:nntp                  *:*                     LISTEN
> > tcp        0      0 *:socks                 *:*                     LISTEN
> > tcp        0      0 *:12345                 *:*                     LISTEN
> > tcp        0      0 *:12346                 *:*                     LISTEN
> > tcp        0      0 *:635                   *:*                     LISTEN
> > tcp        0      0 *:49724                 *:*                     LISTEN
> > tcp        0      0 *:uucp                  *:*                     LISTEN
> > udp        0      0 *:640                   *:*
> > udp        0      0 *:641                   *:*
> > udp        0      0 *:who                   *:*
> > udp        0      0 *:tcpmux                *:*
> > udp        0      0 *:32770                 *:*
> > udp        0      0 *:32771                 *:*
> > udp        0      0 *:32772                 *:*
> > udp        0      0 *:32773                 *:*
> > udp        0      0 *:32774                 *:*
> > udp        0      0 *:echo                  *:*
> > udp        0      0 *:discard               *:*
> > udp        0      0 *:snmp                  *:*
> > udp        0      0 *:snmptrap              *:*
> > udp        0      0 *:54321                 *:*
> > udp        0      0 *:700                   *:*
> > udp        0      0 *:tftp                  *:*
> > udp        0      0 *:amanda                *:*
> > udp        0      0 *:31337                 *:*
> > Active UNIX domain sockets (only servers)
> > Proto RefCnt Flags       Type       State         I-Node Path
> > 
> > 
> > 
> > 
> > -- 
> > Gene Matthews
> > Matthews Midrange Consulting, Inc.
> > (678) 923-8327
> > (877) 882-6291 (toll free)
> > http://mmc-inc.com
> > 
> > 
> > ---
> > This message has been sent through the ALE general discussion list.
> > See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> > sent to listmaster at ale dot org.
> > 
> -- 
> James P. Kinney III   \Changing the mobile computing world/
> President and COO      \          one Linux user         /
> Local Net Solutions,LLC \           at a time.          /
> 770-493-8244             \.___________________________./
> 
> GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> <jkinney at localnetsolutions.com>
> Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
> 
> 
-- 
Gene Matthews
Matthews Midrange Consulting, Inc.
(678) 923-8327
(877) 882-6291 (toll free)
http://mmc-inc.com
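
One way to answer the question in this message (what is holding a port open when it isn't xinetd) is to match the socket inodes in /proc/net against each process's open file descriptors. This is an added example, not part of the original thread; the function name `listeners` and its optional proc-root argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: map listening sockets to the processes that own them.
# listeners [PROC_ROOT]  ->  lines of "proto port pid command"
# PROC_ROOT defaults to /proc (the argument is an assumption made so the
# function can be pointed at a test tree). Run as root to see every process.
listeners() {
    proc=${1:-/proc}
    # 1) Collect "inode proto hexport" for sockets waiting for traffic.
    #    TCP LISTEN is state 0A; an unconnected, bound UDP socket is state 07.
    socks=$(
        for proto in tcp tcp6 udp udp6; do
            [ -r "$proc/net/$proto" ] || continue
            case $proto in udp*) want=07 ;; *) want=0A ;; esac
            awk -v p="$proto" -v want="$want" 'NR > 1 && $4 == want {
                split($2, a, ":"); print $10, p, a[2] }' "$proc/net/$proto"
        done
    )
    # 2) Walk each process's fd table; socket fds are links "socket:[inode]".
    for fd in "$proc"/[0-9]*/fd/*; do
        link=$(readlink "$fd" 2>/dev/null) || continue
        case $link in 'socket:['*) ;; *) continue ;; esac
        inode=${link#'socket:['}; inode=${inode%']'}
        pid=${fd#"$proc"/}; pid=${pid%%/*}
        cmd=$(cat "$proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ') || cmd=
        # 3) Report the sockets from step 1 that this fd refers to.
        printf '%s\n' "$socks" | while read -r ino proto hex; do
            [ "$ino" = "$inode" ] || continue
            echo "$proto $((0x$hex)) $pid ${cmd% }"
        done
    done | sort -u
}

# Scan the live system when run as a script.
listeners "$@"
```

In the ps listing above, the only network daemons besides sshd are the two portsentry processes, and PortSentry in its -tcp/-udp modes binds the ports it watches, so a mapping like this would point there first. Where the installed tools support it, `netstat -lnp` or `lsof -i` run as root report the same pairing.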

