[ale] xinetd config (RH7.2)

Gene Matthews gene at mmc-inc.com
Thu Feb 28 13:05:37 EST 2002


I just had a thought (dangerous, I know!).  The  install/setup of
portsentry predates me on this box and I don't know much about it.  But
I'm seeing some of the ports that are being listened for in the
portsentry conf file.  Could it be portsentry opening these ports?

Any portsentry guru's out there?

thanks,

gene


On Thu, 2002-02-28 at 13:00, Gene Matthews wrote:
> I tried to disabled = yes and restarted xinetd and I am still seeing way
> too many services being listened for.
> 
> I have even stopped xinetd and then done 'netstat -l' and I still see
> finger, echo, discard, etc. all having a state of "LISTEN".
> 
> Hmmm.  This is a relatively new (couple of weeks) RH7.2 upgrade.
> Comparing the ps and netstat executables to my laptop (also RH7.2) they
> look the same:
> 
> -r-xr-xr-x    1 root     root        63180 Aug 27  2001 /bin/ps
> -rwxr-xr-x    1 root     root        83132 Jul 31  2001 /bin/netstat
> 
> I don't THINK i've been hacked.  Any ideas on how I find what is telling
> it to listen to certain services if it isn't xinetd?  
> 
> There isn't much running on this box:
> 
> 
> # ps -ef 
> UID        PID  PPID  C STIME TTY          TIME CMD
> root         1     0  0 12:46 ?        00:00:04 init [3] 
> root         2     1  0 12:46 ?        00:00:00 [keventd]
> root         3     1  0 12:46 ?        00:00:00 [kapm-idled]
> root         4     0  0 12:46 ?        00:00:00 [ksoftirqd_CPU0]
> root         5     0  0 12:46 ?        00:00:00 [kswapd]
> root         6     0  0 12:46 ?        00:00:00 [kreclaimd]
> root         7     0  0 12:46 ?        00:00:00 [bdflush]
> root         8     0  0 12:46 ?        00:00:00 [kupdated]
> root         9     1  0 12:46 ?        00:00:00 [mdrecoveryd]
> root        13     1  0 12:46 ?        00:00:00 [kjournald]
> root        79     1  0 12:46 ?        00:00:00 [khubd]
> root       172     1  0 12:46 ?        00:00:00 [kjournald]
> root       173     1  0 12:46 ?        00:00:00 [kjournald]
> root       174     1  0 12:46 ?        00:00:00 [kjournald]
> root       833     1  0 12:46 ?        00:00:00 syslogd -m 0
> root       838     1  0 12:47 ?        00:00:00 klogd -2
> root       944     1  0 12:47 ?        00:00:00 /usr/sbin/apmd -p 10 -w
> 5 -W -P /etc/sysconfig/apm-scripts/apmscript
> root       981     1  0 12:47 ?        00:00:00 /usr/sbin/sshd
> root      1031     1  0 12:47 ?        00:00:00 crond
> daemon    1067     1  0 12:47 ?        00:00:00 /usr/sbin/atd
> root      1084     1  0 12:47 ?        00:00:00 /usr/sbin/portsentry
> -tcp
> root      1088     1  0 12:47 ?        00:00:00 /usr/sbin/portsentry
> -udp
> root      1141     1  0 12:47 tty1     00:00:00 /sbin/mingetty tty1
> root      1142     1  0 12:47 tty2     00:00:00 /sbin/mingetty tty2
> root      1143     1  0 12:47 tty3     00:00:00 /sbin/mingetty tty3
> root      1144     1  0 12:47 tty4     00:00:00 /sbin/mingetty tty4
> root      1145     1  0 12:47 tty5     00:00:00 /sbin/mingetty tty5
> root      1146     1  0 12:47 tty6     00:00:00 /sbin/mingetty tty6
> root      1149   981  0 12:47 ?        00:00:00 /usr/sbin/sshd
> gene      1150  1149  0 12:47 pts/0    00:00:00 -bash
> root      1188  1150  0 12:47 pts/0    00:00:00 su -
> root      1189  1188  0 12:47 pts/0    00:00:00 -bash
> root      1338  1189  0 13:01 pts/0    00:00:00 ps -ef
> 
> 
> Anyone have any ideas?
> 
> Thanks,
> 
> Gene
> 
> On Thu, 2002-02-28 at 12:08, James P. Kinney III wrote:
> > Should be:
> > 
> > disabled = yes
> > 
> > On Thu, 2002-02-28 at 12:08, Gene Matthews wrote:
> > > I'm trying to tighten down a RH7.2 box.  Below is what /etc/xinetd.conf
> > > currently looks like.  I have added the 'disabled' line to the defaults
> > > and sent a SIGUSR2 signal to the xinetd pid.  However, a lot of unwanted
> > > services are still being listened for.  
> > > 
> > > 
> > > defaults
> > > {
> > > 	disabled
> > > 	instances               = 60
> > >         log_type                = SYSLOG authpriv
> > >         log_on_success		= HOST PID
> > >         log_on_failure		= HOST
> > > 	cps			= 25 30
> > > 
> > > }
> > > 
> > > includedir /etc/xinetd.d
> > > 
> > > 
> > > 
> > > The only thing enabled in /etc/xinetd.d/ is amanda.  However, a 'netstat
> > > -l' still shows lots of stuff open. I know somethings don't use
> > > inetd/xinetd; they may have their own deamon (like sshd).  But finger,
> > > echo, discard, etc. do (I think!).
> > > 
> > > Anyone have any pointers.  The 'disabled' flag should work if I'm
> > > reading the man page correctly and sending the SIGUSR2 should reload
> > > it.  I'm trying to avoid a reboot.
> > > 
> > > Thanks,
> > > 
> > > Gene
> > > 
> > > # netstat -l
> > > Active Internet connections (only servers)
> > > Proto Recv-Q Send-Q Local Address           Foreign Address        
> > > State      
> > > tcp        0      0 *:tcpmux                *:*                    
> > > LISTEN      
> > > tcp        0      0 *:20034                 *:*                    
> > > LISTEN      
> > > tcp        0      0 *:32771                 *:*                    
> > > LISTEN      
> > > tcp        0      0 *:32772                 *:*                    
> > > LISTEN      
> > > tcp        0      0 *:40421                 *:*                    
> > > LISTEN      
> > > tcp        0      0 *:32773                 *:*                    
> > > LISTEN      
> > > tcp        0      0 *:32774                 *:*                    
> > > LISTEN      
> > > tcp        0      0 *:31337                 *:*                    
> > > LISTEN      
> > > tcp        0      0 *:ircd                  *:*                    
> > > LISTEN      
> > > tcp        0      0 *:systat                *:*                    
> > > LISTEN      
> > > tcp        0      0 *:5742                  *:*                    
> > > LISTEN      
> > > tcp        0      0 *:imap                  *:*                    
> > > LISTEN      
> > > tcp        0      0 *:finger                *:*                    
> > > LISTEN      
> > > tcp        0      0 *:netstat               *:*                    
> > > LISTEN      
> > > tcp        0      0 *:54320                 *:*                    
> > > LISTEN      
> > > tcp        0      0 *:2000                  *:*                    
> > > LISTEN      
> > > tcp        0      0 *:ingreslock            *:*                    
> > > LISTEN      
> > > tcp        0      0 *:ssh                   *:*                    
> > > LISTEN      
> > > tcp        0      0 *:nntp                  *:*                    
> > > LISTEN      
> > > tcp        0      0 *:socks                 *:*                    
> > > LISTEN      
> > > tcp        0      0 *:12345                 *:*                    
> > > LISTEN      
> > > tcp        0      0 *:12346                 *:*                    
> > > LISTEN      
> > > tcp        0      0 *:635                   *:*                    
> > > LISTEN      
> > > tcp        0      0 *:49724                 *:*                    
> > > LISTEN      
> > > tcp        0      0 *:uucp                  *:*                    
> > > LISTEN      
> > > udp        0      0 *:640                  
> > > *:*                                 
> > > udp        0      0 *:641                  
> > > *:*                                 
> > > udp        0      0 *:who                  
> > > *:*                                 
> > > udp        0      0 *:tcpmux               
> > > *:*                                 
> > > udp        0      0 *:32770                
> > > *:*                                 
> > > udp        0      0 *:32771                
> > > *:*                                 
> > > udp        0      0 *:32772                
> > > *:*                                 
> > > udp        0      0 *:32773                
> > > *:*                                 
> > > udp        0      0 *:32774                
> > > *:*                                 
> > > udp        0      0 *:echo                 
> > > *:*                                 
> > > udp        0      0 *:discard              
> > > *:*                                 
> > > udp        0      0 *:snmp                 
> > > *:*                                 
> > > udp        0      0 *:snmptrap             
> > > *:*                                 
> > > udp        0      0 *:54321                
> > > *:*                                 
> > > udp        0      0 *:700                  
> > > *:*                                 
> > > udp        0      0 *:tftp                 
> > > *:*                                 
> > > udp        0      0 *:amanda               
> > > *:*                                 
> > > udp        0      0 *:31337                
> > > *:*                                 
> > > Active UNIX domain sockets (only servers)
> > > Proto RefCnt Flags       Type       State         I-Node Path
> > > 
> > > 
> > > 
> > > 
> > > -- 
> > > Gene Matthews
> > > Matthews Midrange Consulting, Inc.
> > > (678) 923-8327
> > > (877) 882-6291 (toll free)
> > > http://mmc-inc.com
> > > 
> > > 
> > > ---
> > > This message has been sent through the ALE general discussion list.
> > > See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> > > sent to listmaster at ale dot org.
> > > 
> > -- 
> > James P. Kinney III   \Changing the mobile computing world/
> > President and COO      \          one Linux user         /
> > Local Net Solutions,LLC \           at a time.          /
> > 770-493-8244             \.___________________________./
> > 
> > GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> > <jkinney at localnetsolutions.com>
> > Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
> > 
> > 
> -- 
> Gene Matthews
> Matthews Midrange Consulting, Inc.
> (678) 923-8327
> (877) 882-6291 (toll free)
> http://mmc-inc.com
> 
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> sent to listmaster at ale dot org.
> 
-- 
Gene Matthews
Matthews Midrange Consulting, Inc.
(678) 923-8327
(877) 882-6291 (toll free)
http://mmc-inc.com


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.






More information about the Ale mailing list