Bob Miller wrote:
>Ben Barrett wrote:
>
>>And in general, how can one tell what processes are bound to what ports?
>>
>
>lsof -i Run it as root or as yourself.
>Also netstat and netstat -a.
>
>>Also: I am confused about ports being "open" when there are no services
>>running on them...
>>
>
>So am I. lsof will tell you who has it open.
>
>>I can telnet to some specific ports, and it connects me and then
>>immediately disconnects me again...
>>
>
>Could be tcpwrappers doing that. Do you have them installed?
>
>>Other ports are fully "closed" and will not connect, hurrah this is what
>>I want!
>>
>
Well thanks a bit, I'm starting to understand more (tnx 2 Kahli 2)...
'netstat -p' actually shows PIDs, which netstat -a doesn't (4me anywhoo).
But lsof -i is the best thing yet. So unless these binaries deceive me, I am seeing all open connections (netstat uses "CONNECTED", and lsof uses "ESTABLISHED"/"LISTEN" for state-designations).

But I am still befuddled by this behaviour:

[root@benBox /etc]# telnet localhost 6667
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
Connection closed by foreign host.
[root@benBox /etc]# telnet localhost 6668
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
[root@benBox /etc]#

IRC is one of the ports that nmap told me was "open", ie available. However, *no* information about port 6667 is returned from netstat or lsof. I offer this example to show the difference.

But ah. I was just googling a bit and found my solution (imagine that!): portsentry is a bastard! I had only heard good things about it, and so did not disable its default operation. I should've known that RedHat *continues* to run too much for my tastes by default.

This URL speaks truth to me:
http://www.linux.ie/articles/portsentryandsnortcompared.php

Unfortunately, it does not seem to be dated, so I don't know how old it is, but I've been starting to use snort a bit already but didn't understand that portsentry actually binds to the list of ports in /etc/portsentry/portsentry.conf so that resulting scans make the system appear generic and running lots of services!

Thanks for the help, y'all, and watch out for portsentry...

ben
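An added example, not part of the original post: one way to reconcile the "open" ports a scan reports with the ports portsentry holds, by comparing LISTEN rows from /proc/net/tcp against the TCP_PORTS list in portsentry.conf. The function names and both sample inputs are constructed for illustration; on a live host the same functions would be fed the contents of /proc/net/tcp and /etc/portsentry/portsentry.conf.

```python
import re

LISTEN = "0A"  # state code the kernel uses for LISTEN in /proc/net/tcp

# Constructed sample of /proc/net/tcp (IPv4 only; IPv6 lives in /proc/net/tcp6).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:0001 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 00000000:004F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003
   3: 00000000:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004
   4: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 1005
"""

# Constructed sample of portsentry.conf; the commented line must be ignored.
SAMPLE_PORTSENTRY_CONF = """\
# TCP_PORTS="1,11,15,79,111"
TCP_PORTS="1,79,6667"
"""

def listening_ports(proc_net_tcp):
    """Return the set of local TCP ports in LISTEN state."""
    ports = set()
    for line in proc_net_tcp.splitlines():
        fields = line.split()
        # fields[1] is HEXIP:HEXPORT, fields[3] is the state; the header fails the test
        if len(fields) >= 4 and fields[3] == LISTEN:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def portsentry_tcp_ports(conf):
    """Return ports from the last uncommented TCP_PORTS="..." line."""
    found = set()
    for line in conf.splitlines():
        m = re.match(r'\s*TCP_PORTS\s*=\s*"([^"]*)"', line)
        if m:
            found = {int(p) for p in m.group(1).split(",") if p.strip().isdigit()}
    return found

def classify(proc_net_tcp, conf):
    """Label each listening port as a portsentry decoy or some other listener."""
    decoys = portsentry_tcp_ports(conf)
    return {port: "portsentry decoy" if port in decoys else "other listener"
            for port in sorted(listening_ports(proc_net_tcp))}

if __name__ == "__main__":
    for port, label in classify(SAMPLE_PROC_NET_TCP, SAMPLE_PORTSENTRY_CONF).items():
        print(f"{port:>5}/tcp  {label}")
```

Ports labelled "other listener" are the ones worth chasing down with lsof -i or netstat -p as described in the thread.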
