Netstat … a Security Tool???
Netstat is a rather simple tool that new system administrators often overlook. In fact, netstat is quite helpful for determining who is connected to your host and which process is holding a port open. Both pieces of information are useful when troubleshooting network connections or responding to an incident.
Let’s begin by looking at ports. Each service or daemon running on your host binds to an available port and creates a socket. IANA (the Internet Assigned Numbers Authority) groups ports into three ranges:
Well Known Ports (also called system or privileged ports) range from 0-1023
Registered Ports range from 1024-49151
Dynamic or Private (ephemeral) ports range from 49152-65535
Ports below 1024 are assigned to specific services, and on Unix-like systems only a privileged process (root, or one holding CAP_NET_BIND_SERVICE on Linux) can bind to them. Registered ports are assigned to specific applications on request but carry no such restriction. Dynamic ports are used as the source port of outgoing connections and by unregistered applications; note that Linux by default hands out ephemeral ports from 32768-60999 rather than the IANA range. Keep in mind that these assignments are conventions, not enforcement: nothing stops a rogue process that has the privileges from listening on port 80 or 22. The following are examples of the most commonly used well known ports:
HTTP is assigned port 80
HTTPS is assigned port 443
SSH is assigned port 22
FTP is assigned port 21
Telnet is assigned port 23
A socket can be in several different states. The ones you will see most often in netstat output are LISTEN (a server waiting for connections), ESTABLISHED (an active connection), and TIME_WAIT and CLOSE_WAIT (connections being torn down); UDP sockets have no connection state.
Using ‘netstat’ you can list the sockets in LISTEN state with the following command (-t and -u select TCP and UDP, -l shows only listening sockets, -n prints numeric addresses instead of resolving names):
netstat -tuln
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.1.1:80 0.0.0.0:* LISTEN
tcp 0 0 192.168.5.1:22 0.0.0.0:* LISTEN
udp 0 0 192.168.4.2:53 0.0.0.0:* LISTEN
The example above has three ports actively listening (three daemon services). Note that real net-tools netstat leaves the State column empty for UDP sockets, since UDP has no connection state; the LISTEN on the udp line above is a simplification.
Web Server on TCP port 80
SSH Server on TCP port 22
DNS Server on UDP port 53
You would typically see these ports on a Web Server, DNS Server or SSH administration server.
In my opinion everyone should check netstat output from time to time and compare the list of listening services against the services expected on that host. You may be surprised to find a rogue daemon or service running. To make this routine, schedule a cron job that runs netstat, diffs the output against a saved baseline, and emails you only when something has changed; a report that looks the same every day is one nobody reads. Keep the baseline somewhere a compromised host cannot quietly rewrite it, and remember that netstat run on the host is only as trustworthy as the host itself: a rootkit can hide sockets from it, so corroborate with a port scan from another machine when you investigate.
Sometimes you need more information to determine which application or process is holding a specific port open. Normally only one socket can listen on a given protocol, address and port combination (sockets that set SO_REUSEPORT are the exception), and a listener on 0.0.0.0:80 conflicts with one on 192.168.1.1:80. So if a rogue service has already taken TCP port 80, your legitimate Apache web server will fail to start, most likely with an ‘Address already in use’ bind error.
Issuing ‘netstat’ with the ‘-p’ switch (netstat -tulnp) adds a column showing the PID and program name that owns each socket. You need to be root to see sockets belonging to other users’ processes; otherwise that column shows ‘-’.
tcp 0 0 192.168.1.1:80 0.0.0.0:* LISTEN 452/httpd
tcp 0 0 192.168.5.1:22 0.0.0.0:* LISTEN 378/sshd
udp 0 0 192.168.4.2:53 0.0.0.0:* LISTEN 200/named
In the example above the SSH daemon is running as PID 378. If you determine that PID 378 is a rogue service, you can use the ‘kill’ command to stop the process from accepting connections. Before you do, record what it is: ‘ps -o pid,ppid,user,etime,args -p 378’ shows the owner, how long it has been running and its command line, and ‘ls -l /proc/378/exe /proc/378/cwd’ reveals the executable (even if it has since been deleted) and its working directory. Killing the process does not remove whatever started it; check the parent process and any cron, init or systemd entry that could respawn it.
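The following script, added here as an example and not part of the original post, ties the two procedures above together: it reduces ‘netstat -tulnp’ output to one line per listening socket, compares the proto/port pairs against a baseline of expected services (the cron audit described earlier), and for anything unexpected extracts the owning PID from the PID/Program name column and prints the triage steps to run before killing it. The netstat output and the baseline are constructed for the example, and the function names, the suggested cron line and the mail recipient are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit listening sockets against a
# baseline of expected services and identify the owner of anything unexpected.

# Constructed sample of `netstat -tulnp` output run as root; not a real capture.
# The "-" owner on port 25 is what -p prints when it cannot see the process.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN      452/httpd
tcp        0      0 192.168.5.1:22          0.0.0.0:*               LISTEN      378/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2094/nc
tcp6       0      0 :::22                   :::*                    LISTEN      378/sshd
udp        0      0 192.168.4.2:53          0.0.0.0:*                           200/named'

# Baseline of expected listeners, one "proto port" per line (assumed for this host).
BASELINE='tcp 22
tcp 25
tcp 80
udp 53'

# Reduce raw netstat output to one "proto port owner" line per listener.
# Handles tcp/tcp6/udp/udp6, IPv4 "a.b.c.d:port" and IPv6 ":::port", and output
# with or without the -p column (owner becomes "?" when the column is absent).
normalize_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        proto = substr($1, 1, 3)                      # tcp6 -> tcp, udp6 -> udp
        n = split($4, a, ":")                         # port follows the last colon
        owner = ($NF ~ /^([0-9]+\/|-$)/) ? $NF : "?"  # "452/httpd", "-" or missing
        print proto, a[n], owner
    }' | LC_ALL=C sort -u
}

# Print the listeners whose "proto port" is not in the baseline. Always returns
# 0 so the output can be captured with $(...) under `set -e`.
unexpected_listeners() {
    printf '%s\n' "$1" | normalize_listeners | awk -v base="$2" '
        BEGIN {
            n = split(base, lines, "\n")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", lines[i])
                gsub(/[ \t]+/, " ", lines[i])
                if (lines[i] != "") expected[lines[i]] = 1
            }
        }
        !(($1 " " $2) in expected) { print }'
}

# "452/httpd" -> "452", so the owner column can be handed to ps or kill.
pid_of() { printf '%s\n' "$1" | cut -d/ -f1; }

# Cron-style report: returns 1 (and describes the triage) when anything
# unexpected is listening, 0 and a one-line all-clear otherwise.
audit_report() {
    found=$(unexpected_listeners "$1" "$2")
    if [ -z "$found" ]; then
        echo "listening sockets match baseline"
        return 0
    fi
    echo "unexpected listening sockets on $(uname -n):"
    printf '%s\n' "$found" | while read -r proto port owner; do
        pid=$(pid_of "$owner")
        echo "  $proto/$port owned by $owner"
        case $pid in
            ''|'?'|-)
                echo "    owner not visible: rerun netstat -tulnp as root" ;;
            *)
                echo "    inspect: ps -o pid,ppid,user,etime,args -p $pid"
                echo "    inspect: ls -l /proc/$pid/exe /proc/$pid/cwd"
                echo "    then:    kill $pid   (kill -9 $pid if SIGTERM is ignored)"
                echo "    and find what started it, or it will be back after the kill" ;;
        esac
    done
    return 1
}

# Demo on the constructed sample. On a real host, a daily root cron entry
# (assumed recipient) that only mails when the baseline is violated:
#   out=$(audit_report "$(netstat -tulnp)" "$BASELINE") || printf '%s\n' "$out" | mail -s "unexpected listeners" root
audit_report "$SAMPLE_NETSTAT" "$BASELINE" || :
```

The baseline is keyed on protocol and port only, so a legitimate service that restarts under a new PID does not trigger a report, while a new port does. Because the normalizer collapses tcp6 onto tcp and strips addresses, a daemon that moves from 127.0.0.1 to 0.0.0.0 on the same port would not be flagged either; if that matters on your hosts, keep the address in the key.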
Netstat has many more options, and combined with other Linux commands such as ‘ps’ it provides very useful information when investigating incidents. On current Linux distributions the net-tools netstat is deprecated and may not be installed by default; ‘ss -tulnp’ from iproute2 gives the same view of listening sockets and their owning processes.