From: Carl Johnson
To: freebsd-questions@freebsd.org
Date: Mon, 20 Sep 2010 16:45:16 -0700
Subject: Re: extra open ports in rkhunter
Message-ID: <87iq20ou7n.fsf@oak.localnet>
In-Reply-To: <87pqwar5sc.fsf@oak.localnet> (Carl Johnson's message of "Sat, 18 Sep 2010 16:27:47 -0700")

Carl Johnson writes:

> I am running rkhunter and it keeps reporting a port inconsistency
> between sockstat and netstat -a. Netstat shows an extra 5 ports open,
> but netstat doesn't show what is holding ports open, so I don't know
> what they are. Does anybody know how to determine what is holding open
> a port? I have been looking around but none of my ideas show anything.
> This is a full desktop system with KDE4 and VirtualBox running, so it
> has a lot of things running. The following are the ports if anybody has
> any ideas, but I would also like to know how to trace them down myself:
>
> tcp4 0 0 *.876 *.* LISTEN
> tcp6 0 0 *.921 *.* LISTEN
> udp4 0 0 *.608 *.*
> udp6 0 0 *.952 *.*
> udp6 0 0 *.804 *.*

I did some further testing after getting some prompting from an off-list email. It turns out that all of those come from rpc.lockd, and that they are not fixed but change after every restart of rpc.lockd. I confirmed this with a fresh install from FreeBSD-8.1-RELEASE-amd64-dvd1.iso into VirtualBox with networking disabled. I also verified the checksums of the .iso to be sure that nothing had been tampered with.

I had just been trying out nfs but didn't find anything that I couldn't handle with ssh, so I have since disabled NFS and all rpc daemons. Unlisted ports should be useless, so something else must handle those addresses, probably rpcbind or maybe rpc.statd. It does seem odd that rpc.statd has port addresses that show up in sockstat and others, but rpc.lockd does not.

I never did find anything that will show many of those hidden ports. Nmap will show open ports for tcp4 and tcp6, but it is too slow for udp4 and doesn't handle udp6 at all. Nmap also doesn't identify who has opened ports except by standard addresses, so that can't identify daemons that dynamically assign their addresses.

Thanks for all of the suggestions.

-- 
Carl Johnson
carlj@peak.org
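The sockstat/netstat comparison this thread turns on, written out as an added example (not code from the original post or from rkhunter): it lists every port `netstat -an` shows bound, subtracts the ports `sockstat -l` attributes to a process, and reports the remainder. It assumes the FreeBSD column layouts of `netstat -an` (`Proto Recv-Q Send-Q Local-Address Foreign-Address (state)`, local address as `addr.port`) and `sockstat -l` (`USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS`, local address as `addr:port`); the sample output embedded in it is constructed from the ports quoted above, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original thread: the rkhunter-style check, i.e. every
# port `netstat -an` shows bound minus the ports `sockstat -l` ties to a process.
# What remains is what rkhunter flagged (rpc.lockd's moving ports, per the thread).

# "proto port" pairs from netstat -an; UDP rows have no LISTEN state column.
netstat_ports() {
    awk '$1 ~ /^(tcp|udp)[46]$/ && ($1 ~ /^udp/ || $6 == "LISTEN") {
             n = split($4, a, "."); print $1, a[n]   # local address is addr.port
         }' | sort -u
}

# "proto port" pairs from sockstat -l; COMMAND "?" marks an unattributed socket.
sockstat_ports() {
    awk 'NR > 1 && $2 != "?" && $5 ~ /^(tcp|udp)[46]$/ {
             n = split($6, a, ":"); print $5, a[n]   # local address is addr:port
         }' | sort -u
}

# Ports netstat sees but sockstat cannot tie to a process.
# $1 = netstat -an output, $2 = sockstat -l output, both passed as strings.
unowned_ports() {
    { printf '%s\n' "$2" | sockstat_ports | sed 's/^/S /'
      printf '%s\n' "$1" | netstat_ports  | sed 's/^/N /'; } |
    awk '$1 == "S" { seen[$2 " " $3] = 1; next } !(($2 " " $3) in seen) { print $2, $3 }'
}

# Constructed sample output: the five ports quoted in the thread, plus an sshd
# listener, an established session and a syslogd socket that sockstat does own.
SAMPLE_NETSTAT=$(cat <<'EOF'
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.876                  *.*                    LISTEN
tcp6       0      0  *.921                  *.*                    LISTEN
tcp4       0      0  192.168.1.5.22         192.168.1.9.51012      ESTABLISHED
udp4       0      0  *.608                  *.*
udp6       0      0  *.952                  *.*
udp6       0      0  *.804                  *.*
udp6       0      0  *.514                  *.*
EOF
)
SAMPLE_SOCKSTAT=$(cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1093  4  tcp4   *:22                  *:*
root     syslogd    1001  6  udp6   *:514                 *:*
EOF
)

# On a FreeBSD host, run against live data with:
#   unowned_ports "$(netstat -an)" "$(sockstat -l)"
unowned_ports "$SAMPLE_NETSTAT" "$SAMPLE_SOCKSTAT"
```

On the constructed sample this prints exactly the five ports from the thread; on a live host where rpc.lockd has been restarted, the reported ports will differ from run to run, which is the behaviour the reply describes.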