Client-server applications open communication ports on the server so that the applications can listen for incoming client requests.
Because open ports are exposed to potential attacks, identify which applications have open ports and close the ports that are open unnecessarily. This practice is useful because it shows you which services are being made available to anyone who can reach the system over the Internet.
To determine which ports are open, follow these steps:
- Identify the services by using the netstat command as follows:
# netstat -af inet
The following is an example of the output of this command. The last column of the netstat output indicates the state of each service. Services that are waiting for incoming connections are in the LISTEN state.
Active Internet connection (including servers)

| Proto | Recv-Q | Send-Q | Local Address | Foreign Address | (state) |
| --- | --- | --- | --- | --- | --- |
| tcp4 | 0 | 0 | *.echo | *.* | LISTEN |
| tcp4 | 0 | 0 | *.discard | *.* | LISTEN |
| tcp4 | 0 | 0 | *.daytime | *.* | LISTEN |
| tcp | 0 | 0 | *.chargen | *.* | LISTEN |
| tcp | 0 | 0 | *.ftp | *.* | LISTEN |
| tcp4 | 0 | 0 | *.telnet | *.* | LISTEN |
| tcp4 | 0 | 0 | *.smtp | *.* | LISTEN |
| tcp4 | 0 | 0 | *.time | *.* | LISTEN |
| tcp4 | 0 | 0 | *.www | *.* | LISTEN |
| tcp4 | 0 | 0 | *.sunrpc | *.* | LISTEN |
| tcp | 0 | 0 | *.smux | *.* | LISTEN |
| tcp | 0 | 0 | *.exec | *.* | LISTEN |
| tcp | 0 | 0 | *.login | *.* | LISTEN |
| tcp4 | 0 | 0 | *.shell | *.* | LISTEN |
| tcp4 | 0 | 0 | *.klogin | *.* | LISTEN |
| udp4 | 0 | 0 | *.kshell | *.* | LISTEN |
| udp4 | 0 | 0 | *.echo | *.* | |
| udp4 | 0 | 0 | *.discard | *.* | |
| udp4 | 0 | 0 | *.daytime | *.* | |
| udp4 | 0 | 0 | *.chargen | *.* | |
| udp4 | 0 | 0 | *.time | *.* | |
| udp4 | 0 | 0 | *.bootpc | *.* | |
| udp4 | 0 | 0 | *.sunrpc | *.* | |
| udp4 | 0 | 0 | 255.255.255.255.ntp | *.* | |
| udp4 | 0 | 0 | 1.23.123.234.ntp | *.* | |
| udp4 | 0 | 0 | localhost.domain.ntp | *.* | |
| udp4 | 0 | 0 | name.domain..ntp | *.* | |
| ... | | | | | |
- Open the /etc/services file and check the Internet Assigned Numbers Authority (IANA) service assignments to map each service name to its port number within the operating system.
The following is a sample fragment of the /etc/services file:
tcpmux           1/tcp     # TCP Port Service Multiplexer
tcpmux           1/udp     # TCP Port Service Multiplexer
compressnet      2/tcp     # Management Utility
compressnet      2/udp     # Management Utility
compressnet      3/tcp     # Compression Process
compressnet      3/udp     # Compression Process
echo             7/tcp
echo             7/udp
discard          9/tcp     sink null
discard          9/udp     sink null
..............
rfe              5002/tcp  # Radio Free Ethernet
rfe              5002/udp  # Radio Free Ethernet
rmonitor_secure  5145/tcp
rmonitor_secure  5145/udp
pad12sim         5236/tcp
pad12sim         5236/udp
sub-process      6111/tcp  # HP SoftBench Sub-Process Cntl.
sub-process      6111/udp  # HP SoftBench Sub-Process Cntl.
xdsxdm           6558/tcp
xdsxdm           6558/udp
afs3-fileserver  7000/tcp  # File Server Itself
afs3-fileserver  7000/udp  # File Server Itself
afs3-callback    7001/tcp  # Callbacks to Cache Managers
afs3-callback    7001/udp  # Callbacks to Cache Managers
- Close the unnecessary ports by removing the running services.
Note: Port 657 is used by Resource Monitoring and Control
(RMC) for communication between nodes. You cannot block or otherwise
restrict this port.
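The two lookup steps above (find LISTEN sockets in the netstat output, then resolve each service name through the services file) can be scripted and compared against a list of services the host is expected to offer. The script below is an added example, not part of this documentation; the netstat output, services file content and allow list it uses are constructed for illustration, and on a real host you would feed it `netstat -af inet` and /etc/services instead.

```shell
#!/bin/sh
# Added example: extract listening sockets from netstat output, map each
# service name to its port number through a services file, and report the
# listeners that are not on an expected-services allow list.

# Constructed sample of `netstat -af inet` output (not from a real host).
NETSTAT_SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.ftp                  *.*                    LISTEN
tcp4       0      0  *.telnet               *.*                    LISTEN
tcp4       0      0  *.ssh                  *.*                    LISTEN
tcp4       0      0  10.0.0.5.ssh           10.0.0.9.51234         ESTABLISHED
udp4       0      0  *.echo                 *.*'

# Constructed fragment in /etc/services format (name port/proto).
SERVICES_SAMPLE='echo      7/tcp
echo      7/udp
ftp      21/tcp
ssh      22/tcp
telnet   23/tcp'

# list_listeners NETSTAT_OUTPUT SERVICES_CONTENT
# Prints "proto port service" for each TCP socket in LISTEN state and each
# UDP socket bound with a wildcard foreign address (UDP rows carry no state).
list_listeners() {
    printf '%s\n' "$1" | awk -v services="$2" '
    BEGIN {
        n = split(services, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, /[ \t]+/)   # f[1]=name, f[2]=port/proto
            split(f[2], pp, "/")           # pp[1]=port, pp[2]=proto
            port[f[1] "/" pp[2]] = pp[1]
        }
    }
    $NF == "LISTEN" || ($1 ~ /^udp/ && $5 == "*.*") {
        proto = substr($1, 1, 3)           # tcp4 -> tcp, udp4 -> udp
        svc = $4; sub(/.*\./, "", svc)     # "*.ftp" -> "ftp"
        p = (svc ~ /^[0-9]+$/) ? svc : port[svc "/" proto]
        if (p == "") p = "?"               # name not found in services file
        print proto, p, svc
    }'
}

# unexpected_listeners NETSTAT_OUTPUT SERVICES_CONTENT "svc1 svc2 ..."
# Filters list_listeners output down to services absent from the allow list.
unexpected_listeners() {
    list_listeners "$1" "$2" | awk -v allow=" $3 " 'index(allow, " " $3 " ") == 0'
}

# Example run: only ssh is expected on this host.
unexpected_listeners "$NETSTAT_SAMPLE" "$SERVICES_SAMPLE" "ssh"
```

Each reported line names a service to review and, if it is not needed, to stop and remove as in the last step above.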