Old 08-29-2011, 04:11 PM
Ivan Shmakov
 
Default Why s port 111 still open?

>>>>> Lisi <lisi.reisz@gmail.com> writes:
>>>>> On Monday 29 August 2011 15:29:41 shawn wilson wrote:

>> Your issue seems to be resolved. However, I'd prefer to teach a man
>> to fish.... As it were, lsof -i :111 should show you the pid of what
>> is on that port. From there, ps and then look through logs or 'find
>> /etc/init.d -type f -print0 | xargs -0 -i{} grep <p name> {}'
>> sometimes works. But if you don't see an init service, chances are
>> its tcp wrapper / portmap. FWIW

> So the fact that nmap says that 111 is open for rpcbind does not mean
> that it is open for rpcbind??

For the sake of simplicity, let me explain that as follows:
nmap(1) says that port 111 is available for the rpcbind
/protocol/. This protocol is implemented by /both/ portmap
/and/ rpcbind.

Another example of this sort you've already seen is:

$ nmap -6 ::1 | grep -F 80/tcp
80/tcp open http
$

However, the machine the command above was run on has /no/
“http” installed:

$ dpkg -l http
No packages found matching http.
$

(It has apache2-mpm-prefork installed, though.)

[…]

--
FSF associate member #7257 Coming soon: Software Freedom Day
http://mail.sf-day.org/lists/listinfo/ planning-ru (ru), sfd-discuss (en)


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/86ippgfb9c.fsf@gray.siamics.net
 
Old 08-29-2011, 04:49 PM
Bob Proulx
 
Default Why s port 111 still open?

Lisi wrote:
> lisi@Tux:~$ lsof -i :111
> lisi@Tux:~$

Needs to be run as root.

$ lsof -i :111
$ sudo lsof -i :111
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
portmap 1569 daemon 4u IPv4 7285 0t0 UDP *:sunrpc
portmap 1569 daemon 5u IPv4 5039 0t0 TCP *:sunrpc (LISTEN)

Bob
 
Old 08-29-2011, 05:32 PM
shawn wilson
 
Default Why s port 111 still open?

On Mon, Aug 29, 2011 at 12:49, Bob Proulx <bob@proulx.com> wrote:
> Lisi wrote:
>> lisi@Tux:~$ lsof -i :111
>> lisi@Tux:~$
>
> Needs to be run as root.
>
> $ lsof -i :111
> $ sudo lsof -i :111
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> portmap 1569 daemon 4u IPv4 7285 0t0 UDP *:sunrpc
> portmap 1569 daemon 5u IPv4 5039 0t0 TCP *:sunrpc (LISTEN)
>

yeah, i just got to a computer and realized i should have said that

so, just to show the process:

root@shawn-desktop:/home/shawn# whoami
root
root@shawn-desktop:/home/shawn# nmap localhost

Starting Nmap 5.00 ( http://nmap.org ) at 2011-08-29 13:09 EDT
Interesting ports on localhost (127.0.0.1):
Not shown: 988 closed ports
PORT STATE SERVICE
...
111/tcp open rpcbind
...

Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds
root@shawn-desktop:/home/shawn# lsof -i :111
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
portmap 16262 daemon 5u IPv4 243950 0t0 UDP *:sunrpc
portmap 16262 daemon 6u IPv4 243956 0t0 TCP *:sunrpc (LISTEN)
root@shawn-desktop:/home/shawn# ps ax | grep 16262
10007 pts/1 S+ 0:00 grep 16262
16262 ? Ss 0:00 portmap

######
after looking through logs and remembering that tcpd is stupid, i did
what i originally suggested. this is a kubuntu box (don't ask), so the
results might look different
######

root@shawn-desktop:/home/shawn# find /etc/init.d/ -type f -print0 |
xargs -0 -i{} grep -H portmap {}
/etc/init.d/quotarpc:# Should-Start: $portmap rpcbind
/etc/init.d/quotarpc:# Should-Stop: $portmap rpcbinf
/etc/init.d/quotarpc:pidp=`pidof portmap`
/etc/init.d/quotarpc: # To start the daemon, portmap must be up and running
/etc/init.d/quotarpc: log_warning_msg "Not starting $DESC rpc.rquotad, because neither portmap nor rcpbind are running"
/etc/init.d/umountnfs.sh:# Should-Stop: $network $portmap nfs-common
/etc/init.d/openbsd-inetd:checkportmap () {
/etc/init.d/openbsd-inetd: elif ! /usr/bin/rpcinfo -u localhost portmapper >/dev/null 2>&1; then
/etc/init.d/openbsd-inetd: log_action_msg "WARNING: portmapper inactive - RPC services unavailable!"
/etc/init.d/openbsd-inetd: checkportmap
/etc/init.d/openbsd-inetd: checkportmap
/etc/init.d/xinetd:checkportmap () {
/etc/init.d/xinetd: if ! rpcinfo -u localhost portmapper >/dev/null 2>&1; then
/etc/init.d/xinetd: echo "WARNING: portmapper inactive - RPC services unavailable!"
/etc/init.d/xinetd: checkportmap

###
at any rate, it's being started in one (or more) of three places -
quotarpc, openbsd-inetd, xinetd. i'm going to take a wild guess and
say it's in xinetd... and be totally wrong. under kubuntu, it looks
like it's started in openbsd-inetd. at this point, i started from
another angle - noticing that the daemon was nice enough to put a
portmap.pid in /var/run:

root@shawn-desktop:/home/shawn# find /var/run/ -type f -print0 | xargs -0 -i{} grep -H 16262 {}
/var/run/portmap.pid:16262

i took the sledgehammer approach and looked at every file in /etc for
that pid file:

root@shawn-desktop:/home/shawn# find /etc/ -type f -print0 | xargs -0 -i{} grep -H portmap.pid {}
/etc/init/portmap.conf: ln -s /var/run/portmap.pid /lib/init/rw/sendsigs.omit.d/portmap

which seems to be the main configuration file for this ancient pos

just fyi, these are the *portmap* files in etc under kubuntu and their
line counts:

root@shawn-desktop:/home/shawn# find /etc -iname "*portmap*" -type f -print0 | xargs -0 -i{} wc -l {}
11 /etc/default/portmap
46 /etc/init/portmap.conf
10 /etc/init/portmap-boot.conf
26 /etc/init/portmap-wait.conf

#############################

if someone has a better method for finding what is running services,
i'm all ears. i've gotten pretty good at tracking these down but have
often thought "there's got to be a better way"


 
Old 08-29-2011, 06:25 PM
Ivan Shmakov
 
Default Why s port 111 still open?

>>>>> shawn wilson <ag4ve.us@gmail.com> writes:

[…]

> root@shawn-desktop:/home/shawn# find /etc/init.d/ -type f -print0 |
> xargs -0 -i{} grep -H portmap {}

As a news:comp.unix.shell regular, I simply cannot leave such a
command line in its present state.

First of all, {} is not necessary, but -- may be, as well as -F
to grep(1), in some circumstances, so:

$ find /etc/init.d/ -type f -print0 |
xargs -0 -- grep -HF -- portmap

Then, find(1) has -exec, so:

$ find /etc/init.d/ -type f -exec grep -HF -- portmap {} +

This is both shorter and more efficient.

[…]

> if someone has a better method for finding what is running services,
> i'm all ears. i've gotten pretty good at tracking these down but have
> often thought "there's got to be a better way"

I'd do it as follows:

• # netstat -p (as root) to get the PID;

• $ readlink /proc/PID/exe (will work as an unprivileged user)
to find the executable;

• $ dpkg -S /usr/bin/executable (as user, too) to find the
package.

--
FSF associate member #7257 Coming soon: Software Freedom Day
http://mail.sf-day.org/lists/listinfo/ planning-ru (ru), sfd-discuss (en)
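
The three steps listed in the message above (netstat -p, readlink /proc/PID/exe, dpkg -S), chained into one script as an added example that is not part of the original thread. It also prints the bind address of each socket; the function names and the sample netstat text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): port -> PID -> executable -> package.

# Constructed sample of `netstat -tulnp` output, modelled on the thread's hosts.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp   0 0 0.0.0.0:111    0.0.0.0:* LISTEN 1569/portmap
tcp   0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 2211/mysqld
tcp   0 0 0.0.0.0:1110   0.0.0.0:* LISTEN -
udp   0 0 0.0.0.0:111    0.0.0.0:*        1569/portmap
tcp6  0 0 :::80          :::*      LISTEN 28946/apache2'

# listeners_for_port PORT: read netstat -tulnp text on stdin and print
# "proto bind-address pid" per socket on PORT; pid is "-" when netstat
# was not run as root and could not see the owning process.
listeners_for_port() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            n = split($4, a, ":")              # port follows the last colon
            if (a[n] != port) next             # exact match: 1110 is not 111
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            pid = "-"
            for (i = 6; i <= NF; i++)          # udp rows have no State column
                if ($i ~ /^[0-9]+\//) { split($i, p, "/"); pid = p[1]; break }
            print $1, addr, pid
        }'
}

# exe_of_pid PID: path of the binary the process is running (root is needed
# to read this link for processes owned by other users).
exe_of_pid() { readlink "/proc/$1/exe"; }

# package_of_file PATH: owning package per dpkg -S, or "unknown".
package_of_file() {
    case $1 in /*) ;; *) echo unknown; return 0 ;; esac   # absolute paths only
    pkg=$(dpkg -S "$1" 2>/dev/null | sed -n '1s/: .*//p')
    echo "${pkg:-unknown}"
}

# report_port PORT: join the three steps for netstat text on stdin.
report_port() {
    listeners_for_port "$1" | while read -r proto addr pid; do
        exe=$(exe_of_pid "$pid" 2>/dev/null) || exe=unreadable
        printf '%s %s pid=%s exe=%s pkg=%s\n' \
            "$proto" "$addr" "$pid" "$exe" "$(package_of_file "$exe")"
    done
}

# Live use (as root): sh portowner.sh 111
[ $# -eq 0 ] || netstat -tulnp 2>/dev/null | report_port "$1"
```

A bind address of 127.0.0.1 or ::1 in the output means the socket is reachable only from the host itself, while 0.0.0.0 or :: means it listens on every interface.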


 
Old 08-29-2011, 07:36 PM
Lisi
 
Default Why s port 111 still open?

On Monday 29 August 2011 17:49:13 Bob Proulx wrote:
> Lisi wrote:
> > lisi@Tux:~$ lsof -i :111
> > lisi@Tux:~$
>
> Needs to be run as root.
>
> $ lsof -i :111
> $ sudo lsof -i :111
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> portmap 1569 daemon 4u IPv4 7285 0t0 UDP *:sunrpc
> portmap 1569 daemon 5u IPv4 5039 0t0 TCP *:sunrpc (LISTEN)

Tux:/home/lisi# lsof -i :111
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
portmap 1980 daemon 4u IPv4 6097 UDP *:sunrpc
portmap 1980 daemon 5u IPv4 6106 TCP *:sunrpc (LISTEN)
Tux:/home/lisi#


Thanks!

Lisi


 
Old 08-29-2011, 08:18 PM
Jochen Spieker
 
Default Why s port 111 still open?

Lisi:
>
> So the fact that nmap says that 111 is open for rpcbind does not mean that it
> is open for rpcbind??

Exactly. Nmap can only guess what program is listening on the other end.
An easy test:

(0) (root@jigsaw):~# nc -l -p 80 &
[1] 17913

(1) (root@jigsaw):~# nmap localhost | grep 80
80/tcp open http

(nc is netcat, which in this case simply listens on the given port.)

In this example, nmap guesses what kind of program listens on port
80 by simply deriving it from the port number. You can use nmap's option
'-sV' to make nmap probe for more details.

Anyway, using nmap on localhost doesn't make much sense. Use netstat or
lsof instead.

J.
--
If I could travel through time I would go back to yesterday and
apologise.
[Agree] [Disagree]
<http://www.slowlydownward.com/NODATA/data_enter2.html>
 
Old 08-29-2011, 08:30 PM
Bob Proulx
 
Default Why s port 111 still open?

Jochen Spieker wrote:
> Anyway, using nmap on localhost doesn't make much sense. Use netstat or
> lsof instead.

Agreed. For example if you have a firewall on the local host.
Usually connections from the local host to the local host are
allowed but inbound connections from other hosts are blocked. In that
case nmap on the local host would report open ports that would show as
blocked when coming from a remote host. You would need to probe your
host from another one in order to gain meaningful information about
remote networking attacks.

Bob
 
Old 08-29-2011, 08:58 PM
shawn wilson
 
Default Why s port 111 still open?

On Mon, Aug 29, 2011 at 16:18, Jochen Spieker <ml@well-adjusted.de> wrote:
> Lisi:
>>
>> So the fact that nmap says that 111 is open for rpcbind does not mean that it
>> is open for rpcbind??
>
> Exactly. Nmap can only guess what program is listening on the other end.
> An easy test:
>
> (0) (root@jigsaw):~# nc -l -p 80 &
> [1] 17913
>
> (1) (root@jigsaw):~# nmap localhost | grep 80
> 80/tcp open http
>

well, you can ask nmap to let you know if it doesn't know (note, i
only scanned the port i wanted because i don't want to die waiting for
it)

root@shawn-desktop:~# nmap -sV --version-all -p8080 localhost

Starting Nmap 5.00 ( http://nmap.org ) at 2011-08-29 17:05 EDT
Got nsock WRITE error #104 (Connection reset by peer)
Interesting ports on localhost (127.0.0.1):
PORT STATE SERVICE VERSION
8080/tcp open http-proxy?

Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.58 seconds
root@shawn-desktop:~# nmap -sV --version-all -p22 localhost

Starting Nmap 5.00 ( http://nmap.org ) at 2011-08-29 17:05 EDT
Interesting ports on localhost (127.0.0.1):
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu6 (protocol 2.0)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.70 seconds

>
> Anyway, using nmap on localhost doesn't make much sense. Use netstat or
> lsof instead.
>

well, it's a nice check of what everyone else sees - ie, apache and
mysql and the likes can bind to an ip. mysql, by default binds to
localhost which can be missed by just looking at lsof.

just so that i don't get corrected, i know you can see the difference with lsof:
apache2 28946 root 4u IPv4 14498250 0t0 TCP shawn-desktop.local:www (LISTEN)
apache2 28946 root 6u IPv4 14600633 0t0 TCP localhost:www (LISTEN)

but, if a service you're looking for just doesn't show up when you
nmap, you know you won't connect to it (you'll get different results
with a port scan to localhost vs your external ip).


 
Old 08-29-2011, 09:02 PM
shawn wilson
 
Default Why s port 111 still open?

On Mon, Aug 29, 2011 at 16:30, Bob Proulx <bob@proulx.com> wrote:
> Jochen Spieker wrote:
>> Anyway, using nmap on localhost doesn't make much sense. Use netstat or
>> lsof instead.
>
> Agreed. For example if you have a firewall on the local host.
> Usually connections from the local host to the local host are
> allowed but inbound connections from other hosts are blocked. In that
> case nmap on the local host would report open ports that would show as
> blocked when coming from a remote host. You would need to probe your
> host from another one in order to gain meaningful information about
> remote networking attacks.

iirc, nmap should show 'filtered' from another host. it's a part of
the process as far as i'm concerned. see:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans


 
