[ale] xinetd config (RH7.2)
Gene Matthews
gene at mmc-inc.com
Thu Feb 28 13:00:42 EST 2002
I tried disabled = yes and restarted xinetd and I am still seeing way
too many services being listened for.

I have even stopped xinetd and then done 'netstat -l' and I still see
finger, echo, discard, etc. all having a state of "LISTEN".

Hmm. This is a relatively new (couple of weeks) RH7.2 upgrade.
Comparing the ps and netstat executables to my laptop (also RH7.2) they
look the same:

-r-xr-xr-x 1 root root 63180 Aug 27 2001 /bin/ps
-rwxr-xr-x 1 root root 83132 Jul 31 2001 /bin/netstat

I don't THINK I've been hacked. Any ideas on how I find what is telling
it to listen to certain services if it isn't xinetd?

There isn't much running on this box:

# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 12:46 ? 00:00:04 init [3]
root 2 1 0 12:46 ? 00:00:00 [keventd]
root 3 1 0 12:46 ? 00:00:00 [kapm-idled]
root 4 0 0 12:46 ? 00:00:00 [ksoftirqd_CPU0]
root 5 0 0 12:46 ? 00:00:00 [kswapd]
root 6 0 0 12:46 ? 00:00:00 [kreclaimd]
root 7 0 0 12:46 ? 00:00:00 [bdflush]
root 8 0 0 12:46 ? 00:00:00 [kupdated]
root 9 1 0 12:46 ? 00:00:00 [mdrecoveryd]
root 13 1 0 12:46 ? 00:00:00 [kjournald]
root 79 1 0 12:46 ? 00:00:00 [khubd]
root 172 1 0 12:46 ? 00:00:00 [kjournald]
root 173 1 0 12:46 ? 00:00:00 [kjournald]
root 174 1 0 12:46 ? 00:00:00 [kjournald]
root 833 1 0 12:46 ? 00:00:00 syslogd -m 0
root 838 1 0 12:47 ? 00:00:00 klogd -2
root 944 1 0 12:47 ? 00:00:00 /usr/sbin/apmd -p 10 -w 5 -W -P /etc/sysconfig/apm-scripts/apmscript
root 981 1 0 12:47 ? 00:00:00 /usr/sbin/sshd
root 1031 1 0 12:47 ? 00:00:00 crond
daemon 1067 1 0 12:47 ? 00:00:00 /usr/sbin/atd
root 1084 1 0 12:47 ? 00:00:00 /usr/sbin/portsentry -tcp
root 1088 1 0 12:47 ? 00:00:00 /usr/sbin/portsentry -udp
root 1141 1 0 12:47 tty1 00:00:00 /sbin/mingetty tty1
root 1142 1 0 12:47 tty2 00:00:00 /sbin/mingetty tty2
root 1143 1 0 12:47 tty3 00:00:00 /sbin/mingetty tty3
root 1144 1 0 12:47 tty4 00:00:00 /sbin/mingetty tty4
root 1145 1 0 12:47 tty5 00:00:00 /sbin/mingetty tty5
root 1146 1 0 12:47 tty6 00:00:00 /sbin/mingetty tty6
root 1149 981 0 12:47 ? 00:00:00 /usr/sbin/sshd
gene 1150 1149 0 12:47 pts/0 00:00:00 -bash
root 1188 1150 0 12:47 pts/0 00:00:00 su -
root 1189 1188 0 12:47 pts/0 00:00:00 -bash
root 1338 1189 0 13:01 pts/0 00:00:00 ps -ef
Anyone have any ideas?
Thanks,
Gene
On Thu, 2002-02-28 at 12:08, James P. Kinney III wrote:
> Should be:
>
> disabled = yes
>
> On Thu, 2002-02-28 at 12:08, Gene Matthews wrote:
> > I'm trying to tighten down a RH7.2 box. Below is what /etc/xinetd.conf
> > currently looks like. I have added the 'disabled' line to the defaults
> > and sent a SIGUSR2 signal to the xinetd pid. However, a lot of unwanted
> > services are still being listened for.
> >
> >
> > defaults
> > {
> > disabled
> > instances = 60
> > log_type = SYSLOG authpriv
> > log_on_success = HOST PID
> > log_on_failure = HOST
> > cps = 25 30
> >
> > }
> >
> > includedir /etc/xinetd.d
> >
> >
> >
> > The only thing enabled in /etc/xinetd.d/ is amanda. However, a 'netstat
> > -l' still shows lots of stuff open. I know some things don't use
> > inetd/xinetd; they may have their own daemon (like sshd). But finger,
> > echo, discard, etc. do (I think!).
> >
> > Anyone have any pointers? The 'disabled' flag should work if I'm
> > reading the man page correctly and sending the SIGUSR2 should reload
> > it. I'm trying to avoid a reboot.
> >
> > Thanks,
> >
> > Gene
> >
> > # netstat -l
> > Active Internet connections (only servers)
> > Proto Recv-Q Send-Q Local Address    Foreign Address  State
> > tcp        0      0 *:tcpmux         *:*              LISTEN
> > tcp        0      0 *:20034          *:*              LISTEN
> > tcp        0      0 *:32771          *:*              LISTEN
> > tcp        0      0 *:32772          *:*              LISTEN
> > tcp        0      0 *:40421          *:*              LISTEN
> > tcp        0      0 *:32773          *:*              LISTEN
> > tcp        0      0 *:32774          *:*              LISTEN
> > tcp        0      0 *:31337          *:*              LISTEN
> > tcp        0      0 *:ircd           *:*              LISTEN
> > tcp        0      0 *:systat         *:*              LISTEN
> > tcp        0      0 *:5742           *:*              LISTEN
> > tcp        0      0 *:imap           *:*              LISTEN
> > tcp        0      0 *:finger         *:*              LISTEN
> > tcp        0      0 *:netstat        *:*              LISTEN
> > tcp        0      0 *:54320          *:*              LISTEN
> > tcp        0      0 *:2000           *:*              LISTEN
> > tcp        0      0 *:ingreslock     *:*              LISTEN
> > tcp        0      0 *:ssh            *:*              LISTEN
> > tcp        0      0 *:nntp           *:*              LISTEN
> > tcp        0      0 *:socks          *:*              LISTEN
> > tcp        0      0 *:12345          *:*              LISTEN
> > tcp        0      0 *:12346          *:*              LISTEN
> > tcp        0      0 *:635            *:*              LISTEN
> > tcp        0      0 *:49724          *:*              LISTEN
> > tcp        0      0 *:uucp           *:*              LISTEN
> > udp        0      0 *:640            *:*
> > udp        0      0 *:641            *:*
> > udp        0      0 *:who            *:*
> > udp        0      0 *:tcpmux         *:*
> > udp        0      0 *:32770          *:*
> > udp        0      0 *:32771          *:*
> > udp        0      0 *:32772          *:*
> > udp        0      0 *:32773          *:*
> > udp        0      0 *:32774          *:*
> > udp        0      0 *:echo           *:*
> > udp        0      0 *:discard        *:*
> > udp        0      0 *:snmp           *:*
> > udp        0      0 *:snmptrap       *:*
> > udp        0      0 *:54321          *:*
> > udp        0      0 *:700            *:*
> > udp        0      0 *:tftp           *:*
> > udp        0      0 *:amanda         *:*
> > udp        0      0 *:31337          *:*
> > Active UNIX domain sockets (only servers)
> > Proto RefCnt Flags Type State I-Node Path
> >
> >
> >
> >
> > --
> > Gene Matthews
> > Matthews Midrange Consulting, Inc.
> > (678) 923-8327
> > (877) 882-6291 (toll free)
> > http://mmc-inc.com
> >
> >
> > ---
> > This message has been sent through the ALE general discussion list.
> > See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> > sent to listmaster at ale dot org.
> >
> --
> James P. Kinney III \Changing the mobile computing world/
> President and COO \ one Linux user /
> Local Net Solutions,LLC \ at a time. /
> 770-493-8244 \.___________________________./
>
> GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> <jkinney at localnetsolutions.com>
> Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
>
>
--
Gene Matthews
Matthews Midrange Consulting, Inc.
(678) 923-8327
(877) 882-6291 (toll free)
http://mmc-inc.com
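
Added example, not part of the original post: one way to answer "what is listening if it isn't xinetd" is to pair each LISTEN row of /proc/net/tcp with the process that holds that socket's inode in /proc/<pid>/fd. The function names and the sample table are constructed for illustration; a Linux /proc filesystem is assumed.

```python
import os

# Constructed sample in /proc/net/tcp format (not taken from the poster's machine).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 c1a2b000 300 0 0 2 -1
   1: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1350 1 c1a2b400 300 0 0 2 -1
   2: 0A000005:0016 0A000009:C001 01 00000000:00000000 02:000A0000 00000000     0        0 1402 2 c1a2b800 20 4 1 2 -1
"""

def listening_sockets(table_text):
    """Return {inode: port} for rows in state 0A (TCP_LISTEN)."""
    result = {}
    for line in table_text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10 or f[3] != "0A":
            continue  # skip malformed rows and non-listening sockets
        result[int(f[9])] = int(f[1].rsplit(":", 1)[1], 16)  # port is hex
    return result

def socket_owners(proc_root="/proc"):
    """Return {inode: (pid, command)} by reading every /proc/<pid>/fd symlink."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                target = os.readlink(os.path.join(fd_dir, fd))
                if target.startswith("socket:["):
                    with open(os.path.join(proc_root, pid, "cmdline"), "rb") as fh:
                        cmd = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
                    owners[int(target[8:-1])] = (int(pid), cmd)
        except OSError:
            continue  # process exited, or its fd directory is not readable
    return owners

def report(table_text, owners):
    """Pair each listening port with the process holding its socket inode."""
    rows = [(port, *owners.get(inode, (None, "unknown")))
            for inode, port in listening_sockets(table_text).items()]
    return sorted(rows, key=lambda row: row[0])

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        for port, pid, cmd in report(fh.read(), socket_owners()):
            print(f"tcp/{port}\tpid={pid}\t{cmd}")
```

Run it as root so every process's fd directory is readable; 'netstat -lnp' and 'lsof -i' report the same socket-to-process mapping.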