[ale] xinetd config (RH7.2)
Gene Matthews
gene at mmc-inc.com
Thu Feb 28 13:05:37 EST 2002
I just had a thought (dangerous, I know!). The install/setup of
portsentry predates me on this box and I don't know much about it. But
I'm seeing some of the ports that are being listened for in the
portsentry conf file. Could it be portsentry opening these ports?
Any portsentry gurus out there?
thanks,
gene
On Thu, 2002-02-28 at 13:00, Gene Matthews wrote:
> I tried 'disabled = yes' and restarted xinetd and I am still seeing way
> too many services being listened for.
>
> I have even stopped xinetd and then done 'netstat -l' and I still see
> finger, echo, discard, etc. all having a state of "LISTEN".
>
> Hmmm. This is a relatively new (couple of weeks) RH7.2 upgrade.
> Comparing the ps and netstat executables to my laptop (also RH7.2) they
> look the same:
>
> -r-xr-xr-x 1 root root 63180 Aug 27 2001 /bin/ps
> -rwxr-xr-x 1 root root 83132 Jul 31 2001 /bin/netstat
>
> I don't THINK I've been hacked. Any ideas on how I find what is telling
> it to listen to certain services if it isn't xinetd?
>
> There isn't much running on this box:
>
>
> # ps -ef
> UID PID PPID C STIME TTY TIME CMD
> root 1 0 0 12:46 ? 00:00:04 init [3]
> root 2 1 0 12:46 ? 00:00:00 [keventd]
> root 3 1 0 12:46 ? 00:00:00 [kapm-idled]
> root 4 0 0 12:46 ? 00:00:00 [ksoftirqd_CPU0]
> root 5 0 0 12:46 ? 00:00:00 [kswapd]
> root 6 0 0 12:46 ? 00:00:00 [kreclaimd]
> root 7 0 0 12:46 ? 00:00:00 [bdflush]
> root 8 0 0 12:46 ? 00:00:00 [kupdated]
> root 9 1 0 12:46 ? 00:00:00 [mdrecoveryd]
> root 13 1 0 12:46 ? 00:00:00 [kjournald]
> root 79 1 0 12:46 ? 00:00:00 [khubd]
> root 172 1 0 12:46 ? 00:00:00 [kjournald]
> root 173 1 0 12:46 ? 00:00:00 [kjournald]
> root 174 1 0 12:46 ? 00:00:00 [kjournald]
> root 833 1 0 12:46 ? 00:00:00 syslogd -m 0
> root 838 1 0 12:47 ? 00:00:00 klogd -2
> root 944 1 0 12:47 ? 00:00:00 /usr/sbin/apmd -p 10 -w 5 -W -P /etc/sysconfig/apm-scripts/apmscript
> root 981 1 0 12:47 ? 00:00:00 /usr/sbin/sshd
> root 1031 1 0 12:47 ? 00:00:00 crond
> daemon 1067 1 0 12:47 ? 00:00:00 /usr/sbin/atd
> root 1084 1 0 12:47 ? 00:00:00 /usr/sbin/portsentry -tcp
> root 1088 1 0 12:47 ? 00:00:00 /usr/sbin/portsentry -udp
> root 1141 1 0 12:47 tty1 00:00:00 /sbin/mingetty tty1
> root 1142 1 0 12:47 tty2 00:00:00 /sbin/mingetty tty2
> root 1143 1 0 12:47 tty3 00:00:00 /sbin/mingetty tty3
> root 1144 1 0 12:47 tty4 00:00:00 /sbin/mingetty tty4
> root 1145 1 0 12:47 tty5 00:00:00 /sbin/mingetty tty5
> root 1146 1 0 12:47 tty6 00:00:00 /sbin/mingetty tty6
> root 1149 981 0 12:47 ? 00:00:00 /usr/sbin/sshd
> gene 1150 1149 0 12:47 pts/0 00:00:00 -bash
> root 1188 1150 0 12:47 pts/0 00:00:00 su -
> root 1189 1188 0 12:47 pts/0 00:00:00 -bash
> root 1338 1189 0 13:01 pts/0 00:00:00 ps -ef
>
>
> Anyone have any ideas?
>
> Thanks,
>
> Gene
>
> On Thu, 2002-02-28 at 12:08, James P. Kinney III wrote:
> > Should be:
> >
> > disabled = yes
> >
> > On Thu, 2002-02-28 at 12:08, Gene Matthews wrote:
> > > I'm trying to tighten down a RH7.2 box. Below is what /etc/xinetd.conf
> > > currently looks like. I have added the 'disabled' line to the defaults
> > > and sent a SIGUSR2 signal to the xinetd pid. However, a lot of unwanted
> > > services are still being listened for.
> > >
> > >
> > > defaults
> > > {
> > > disabled
> > > instances = 60
> > > log_type = SYSLOG authpriv
> > > log_on_success = HOST PID
> > > log_on_failure = HOST
> > > cps = 25 30
> > >
> > > }
> > >
> > > includedir /etc/xinetd.d
> > >
> > >
> > >
> > > The only thing enabled in /etc/xinetd.d/ is amanda. However, a 'netstat
> > > -l' still shows lots of stuff open. I know some things don't use
> > > inetd/xinetd; they may have their own daemon (like sshd). But finger,
> > > echo, discard, etc. do (I think!).
> > >
> > > Anyone have any pointers? The 'disabled' flag should work if I'm
> > > reading the man page correctly and sending the SIGUSR2 should reload
> > > it. I'm trying to avoid a reboot.
> > >
> > > Thanks,
> > >
> > > Gene
> > >
> > > # netstat -l
> > > Active Internet connections (only servers)
> > > Proto Recv-Q Send-Q Local Address    Foreign Address   State
> > > tcp        0      0 *:tcpmux         *:*               LISTEN
> > > tcp        0      0 *:20034          *:*               LISTEN
> > > tcp        0      0 *:32771          *:*               LISTEN
> > > tcp        0      0 *:32772          *:*               LISTEN
> > > tcp        0      0 *:40421          *:*               LISTEN
> > > tcp        0      0 *:32773          *:*               LISTEN
> > > tcp        0      0 *:32774          *:*               LISTEN
> > > tcp        0      0 *:31337          *:*               LISTEN
> > > tcp        0      0 *:ircd           *:*               LISTEN
> > > tcp        0      0 *:systat         *:*               LISTEN
> > > tcp        0      0 *:5742           *:*               LISTEN
> > > tcp        0      0 *:imap           *:*               LISTEN
> > > tcp        0      0 *:finger         *:*               LISTEN
> > > tcp        0      0 *:netstat        *:*               LISTEN
> > > tcp        0      0 *:54320          *:*               LISTEN
> > > tcp        0      0 *:2000           *:*               LISTEN
> > > tcp        0      0 *:ingreslock     *:*               LISTEN
> > > tcp        0      0 *:ssh            *:*               LISTEN
> > > tcp        0      0 *:nntp           *:*               LISTEN
> > > tcp        0      0 *:socks          *:*               LISTEN
> > > tcp        0      0 *:12345          *:*               LISTEN
> > > tcp        0      0 *:12346          *:*               LISTEN
> > > tcp        0      0 *:635            *:*               LISTEN
> > > tcp        0      0 *:49724          *:*               LISTEN
> > > tcp        0      0 *:uucp           *:*               LISTEN
> > > udp        0      0 *:640            *:*
> > > udp        0      0 *:641            *:*
> > > udp        0      0 *:who            *:*
> > > udp        0      0 *:tcpmux         *:*
> > > udp        0      0 *:32770          *:*
> > > udp        0      0 *:32771          *:*
> > > udp        0      0 *:32772          *:*
> > > udp        0      0 *:32773          *:*
> > > udp        0      0 *:32774          *:*
> > > udp        0      0 *:echo           *:*
> > > udp        0      0 *:discard        *:*
> > > udp        0      0 *:snmp           *:*
> > > udp        0      0 *:snmptrap       *:*
> > > udp        0      0 *:54321          *:*
> > > udp        0      0 *:700            *:*
> > > udp        0      0 *:tftp           *:*
> > > udp        0      0 *:amanda         *:*
> > > udp        0      0 *:31337          *:*
> > > Active UNIX domain sockets (only servers)
> > > Proto RefCnt Flags Type State I-Node Path
> > >
> > >
> > >
> > >
> > > --
> > > Gene Matthews
> > > Matthews Midrange Consulting, Inc.
> > > (678) 923-8327
> > > (877) 882-6291 (toll free)
> > > http://mmc-inc.com
> > >
> > >
> > > ---
> > > This message has been sent through the ALE general discussion list.
> > > See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> > > sent to listmaster at ale dot org.
> > >
> > --
> > James P. Kinney III \Changing the mobile computing world/
> > President and COO \ one Linux user /
> > Local Net Solutions,LLC \ at a time. /
> > 770-493-8244 \.___________________________./
> >
> > GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> > <jkinney at localnetsolutions.com>
> > Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
> >
> >
> --
> Gene Matthews
> Matthews Midrange Consulting, Inc.
> (678) 923-8327
> (877) 882-6291 (toll free)
> http://mmc-inc.com
>
>
>
--
Gene Matthews
Matthews Midrange Consulting, Inc.
(678) 923-8327
(877) 882-6291 (toll free)
http://mmc-inc.com
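Gene's last guess is the right track: portsentry started with -tcp and -udp (the two processes in his ps listing) bind()s every port named in TCP_PORTS and UDP_PORTS of portsentry.conf, so those decoy ports show up in 'netstat -l' exactly like inetd services would, and stopping xinetd cannot make them go away. The script below is an added example, not code from this thread and not portsentry's own code. It takes a 'netstat -l' listing (constructed here from the one Gene posted, re-joined one socket per line) and a portsentry.conf fragment (constructed and hypothetical, written in the TCP_PORTS/UDP_PORTS syntax that file uses) and reports which listeners the decoy list accounts for, which ones some other program owns, and which configured decoys are not actually bound. The small /etc/services table embedded in it is also a constructed subset; any name outside it is looked up on the local system.

```python
"""Match the listeners in `netstat -l` output against portsentry's decoy ports.

Added example (not from the thread, not portsentry's own code).  portsentry
started with -tcp / -udp bind()s every port listed in TCP_PORTS / UDP_PORTS
of portsentry.conf, so those ports appear in `netstat -l` like any daemon's.
"""
import re
import socket

# Constructed subset of /etc/services: only the names the sample below uses.
# Other names fall back to the local /etc/services via socket.getservbyname().
SERVICES = {
    "tcpmux": 1, "echo": 7, "discard": 9, "systat": 11, "netstat": 15,
    "ssh": 22, "tftp": 69, "finger": 79, "nntp": 119, "imap": 143,
    "snmp": 161, "snmptrap": 162, "who": 513, "uucp": 540, "socks": 1080,
    "ingreslock": 1524, "ircd": 6667, "amanda": 10080,
}

# Constructed sample: the sockets from the thread's `netstat -l`, rendered
# one per line the way netstat prints them (the mail client had wrapped them).
TCP_LISTENERS = ("tcpmux 20034 32771 32772 40421 32773 32774 31337 ircd systat "
                 "5742 imap finger netstat 54320 2000 ingreslock ssh nntp socks "
                 "12345 12346 635 49724 uucp").split()
UDP_LISTENERS = ("640 641 who tcpmux 32770 32771 32772 32773 32774 echo discard "
                 "snmp snmptrap 54321 700 tftp amanda 31337").split()
NETSTAT_OUTPUT = "\n".join(
    ["Active Internet connections (only servers)",
     "Proto Recv-Q Send-Q Local Address           Foreign Address         State"]
    + ["tcp        0      0 *:%-21s %-23s LISTEN" % (p, "*:*") for p in TCP_LISTENERS]
    + ["udp        0      0 *:%-21s %-23s" % (p, "*:*") for p in UDP_LISTENERS]
    + ["Active UNIX domain sockets (only servers)"])

# Constructed, hypothetical portsentry.conf fragment in that file's own syntax.
PORTSENTRY_CONF = '''
# Decoy ports portsentry -tcp / -udp will bind and watch
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
'''


def port_number(local_addr):
    """Turn netstat's Local Address field ('*:finger', '0.0.0.0:22', ':::22') into a port."""
    name = local_addr.rsplit(":", 1)[1]
    if name.isdigit():
        return int(name)
    if name in SERVICES:
        return SERVICES[name]
    return socket.getservbyname(name)  # whatever the local /etc/services says


def parse_netstat(text):
    """Return the set of (proto, port) for every tcp/udp listener in `netstat -l` output."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        # tcp lines carry a State column; udp sockets have none and are all "listening"
        if fields[0].startswith("tcp") and "LISTEN" not in fields:
            continue
        listeners.add((fields[0].rstrip("6"), port_number(fields[3])))
    return listeners


def parse_portsentry(conf):
    """Return {'tcp': {ports}, 'udp': {ports}} from the TCP_PORTS / UDP_PORTS lines."""
    decoys = {"tcp": set(), "udp": set()}
    for proto in decoys:
        m = re.search(r'^\s*%s_PORTS\s*=\s*"([\d,\s]*)"' % proto.upper(), conf, re.M)
        if m:
            decoys[proto] = {int(p) for p in m.group(1).replace(" ", "").split(",") if p}
    return decoys


def classify(listeners, decoys):
    """Split listeners into portsentry decoys and sockets owned by something else.

    Also returns decoys that are configured but not bound: portsentry logs a
    bind failure and carries on when another daemon already holds the port.
    """
    explained = sorted(l for l in listeners if l[1] in decoys[l[0]])
    unexplained = sorted(l for l in listeners if l[1] not in decoys[l[0]])
    unbound = sorted((p, n) for p in decoys for n in decoys[p] if (p, n) not in listeners)
    return explained, unexplained, unbound


def report(netstat_text=NETSTAT_OUTPUT, conf_text=PORTSENTRY_CONF):
    """Return the classification as printable text."""
    explained, unexplained, unbound = classify(parse_netstat(netstat_text),
                                               parse_portsentry(conf_text))

    def fmt(items):
        return ", ".join("%s/%d" % item for item in items) or "(none)"

    return ("portsentry decoys : %s\nother listeners   : %s\ndecoys not bound  : %s"
            % (fmt(explained), fmt(unexplained), fmt(unbound)))


if __name__ == "__main__":
    import sys
    # Optionally run it on a saved `netstat -ln` listing and the real portsentry.conf
    if len(sys.argv) == 3:
        print(report(open(sys.argv[1]).read(), open(sys.argv[2]).read()))
    else:
        print(report())
```

Run against the constructed sample, everything except tcp/22 (sshd) and udp/10080 (amanda, the one xinetd service Gene left enabled) lands in the decoy column, which is the whole of the mystery. On the box itself there is a shorter road: as root, 'netstat -lnp' (or 'lsof -i -P -n', or 'fuser -n tcp 31337') prints the PID and program name that owns each socket, and a listener that no process claims is the one case that deserves a closer look. On the xinetd side, the attribute Gene put in the defaults block, 'disabled', takes a space-separated list of service names (for example 'disabled = finger echo discard'); the yes/no form is the per-service 'disable = yes' attribute in each /etc/xinetd.d/ file.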