Practical UNIX & Internet Security

Chapter 17: TCP/IP Services

17.5 Monitoring Your Network with netstat

You can use the netstat command to list all of the active and pending TCP/IP connections between your machine and every other machine on the Internet. This command is very important if you suspect that somebody is breaking into your computer or using your computer to break into another one. netstat lets you see which machines your machine is talking to over the network. The command's output includes the host and port number of each end of the connection, as well as the number of bytes in the receive and transmit queues. If a port has a name assigned in the /etc/services file, netstat will print it instead of the port number.

Normally, the netstat command displays UNIX domain sockets in addition to IP sockets. You can restrict the display to IP sockets only by using the -f inet option.

Sample output from the netstat command looks like this:

charon% netstat -f inet
Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp   0      0      CHARON.MIT.EDU.telnet  GHOTI.LCS.MIT.ED.1300  ESTABLISHED
tcp   0      0      CHARON.MIT.EDU.telnet  amway.ch.apollo..4196  ESTABLISHED
tcp   4096   0      CHARON.MIT.EDU.1313    E40-008-7.MIT.ED.telne ESTABLISHED
tcp   0      0      CHARON.MIT.EDU.1312    MINT.LCS.MIT.EDU.6001  ESTABLISHED
tcp   0      0      CHARON.MIT.EDU.1309    MINT.LCS.MIT.EDU.6001  ESTABLISHED
tcp   0      0      CHARON.MIT.EDU.telnet  MINT.LCS.MIT.EDU.1218  ESTABLISHED
tcp   0      0      CHARON.MIT.EDU.1308    E40-008-7.MIT.ED.telne ESTABLISHED
tcp   0      0      CHARON.MIT.EDU.login   RING0.MIT.EDU.1023     ESTABLISHED
tcp   0      0      CHARON.MIT.EDU.1030    *.*                    LISTEN

NOTE: netstat truncates hostnames to fit its columns, but you can use the -n flag to display the IP address (and the numeric port number) of each end of the connection instead.

The first two lines of this output show Telnet connections between the machines GHOTI.LCS.MIT.EDU and AMWAY.CH.APOLLO.COM and the machine CHARON.MIT.EDU. Both connections originated at the remote machine and represent interactive sessions currently being run on CHARON: the local end is the telnet service port, while the remote ends use ports greater than 1023, the range from which a client is assigned a port when it opens a connection. (Such client ports may or may not have names in /etc/services; here they are printed as numbers.) The third Telnet connection, between CHARON and E40-008-7.MIT.EDU, has the opposite shape, a local port above 1023 connected to the remote telnet port, so it originated at CHARON; the 4096 in its Recv-Q column is data received from E40-008-7 that the local process has not yet read. The next two lines are connections from CHARON to port 6001 (the X Window Server for display :1; X servers listen on port 6000 plus the display number) on MINT.LCS.MIT.EDU. There follow a Telnet from MINT to CHARON, another Telnet from CHARON to E40-008-7.MIT.EDU, and an rlogin from RING0.MIT.EDU to CHARON. Note that the rlogin client's port, 1023, is below 1024: the rlogin and rsh protocols require the client to connect from a reserved port, so a privileged port on the remote end does not by itself mean that the remote end is the server. The last line indicates that a user program running on CHARON is listening for connections on port 1030. If you run netstat on your computer, you are likely to see many connections. If you use the X Window System, you may also see "UNIX domain sockets," which are the local connections from your X clients to the X Window Server.

With the -a option, netstat will also print a list of all of the TCP and UDP sockets to which programs are listening. Using the -a option will provide you with a list of all the ports that programs and users outside your computer can use to enter the system via the network. (Unfortunately, netstat will not give you the name of the program that is listening on the socket.)[20]:

[20] But the lsof command will. See the discussion about lsof in Chapter 25, Denial of Service Attacks and Solutions. (On Linux systems, netstat -p and ss -p also report the owning process; run as an unprivileged user they show only your own processes.)

charon% netstat -a -f inet
Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)

Previous netstat printout
...
tcp       0       0  *.telnet              *.*                    LISTEN
tcp       0       0  *.smtp                *.*                    LISTEN
tcp       0       0  *.finger              *.*                    LISTEN
tcp       0       0  *.printer             *.*                    LISTEN
tcp       0       0  *.time                *.*                    LISTEN
tcp       0       0  *.daytime             *.*                    LISTEN
tcp       0       0  *.chargen             *.*                    LISTEN
tcp       0       0  *.discard             *.*                    LISTEN
tcp       0       0  *.echo                *.*                    LISTEN
tcp       0       0  *.exec                *.*                    LISTEN
tcp       0       0  *.login               *.*                    LISTEN
tcp       0       0  *.shell               *.*                    LISTEN
tcp       0       0  *.ftp                 *.*                    LISTEN
udp       0       0  *.time                *.*
udp       0       0  *.daytime             *.*
udp       0       0  *.chargen             *.*
udp       0       0  *.discard             *.*
udp       0       0  *.echo                *.*
udp       0       0  *.ntalk               *.*
udp       0       0  *.talk                *.*
udp       0       0  *.biff                *.*
udp       0       0  *.tftp                *.*
udp       0       0  *.syslog              *.*
charon%
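The two things the text does by eye above, deciding which end of a connection is the server from its port number and listing every socket that accepts traffic from the network, can be done mechanically. The following Python parser is an added example written for this page, not code from the book: it reads BSD-style netstat -a -f inet output, classifies each socket as inbound, outbound or listening, and also handles numeric (-n) output, where the reserved source port that rlogin clients must use makes a 513/1023 pair undecidable from the numbers alone. The SAMPLE text is constructed in the format of the listings above; the function names are the example's own, and the only facts it relies on beyond the text are that X servers listen on port 6000 plus the display number and that rlogin and rsh clients connect from a port in the range 512 to 1023.

```python
"""Parse BSD-style `netstat -a -f inet` output and classify each socket.

Rule from the text: the end whose port is a named /etc/services entry (or, in
numeric output, a privileged port below 1024 or an X server port 6000+display)
is the server end; the other end chose an ephemeral port and opened the
connection.  Example code written for this page, not from the book."""
from collections import namedtuple

Sock = namedtuple("Sock", "proto recvq sendq lhost lport fhost fport state")

# Constructed sample in the format of the book's listing (not a real capture).
SAMPLE = """\
Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp   0      0      CHARON.MIT.EDU.telnet  GHOTI.LCS.MIT.ED.1300  ESTABLISHED
tcp   4096   0      CHARON.MIT.EDU.1313    E40-008-7.MIT.ED.telne ESTABLISHED
tcp   0      0      CHARON.MIT.EDU.1312    MINT.LCS.MIT.EDU.6001  ESTABLISHED
tcp   0      0      CHARON.MIT.EDU.login   RING0.MIT.EDU.1023     ESTABLISHED
tcp   0      0      CHARON.MIT.EDU.1030    *.*                    LISTEN
tcp   0      0      *.telnet               *.*                    LISTEN
tcp   0      0      *.finger               *.*                    LISTEN
udp   0      0      *.tftp                 *.*
udp   0      0      *.syslog               *.*
"""


def split_addr(addr):
    """BSD netstat prints 'host.port'; the port is the last dot-separated
    field, since the host part may itself contain dots and may be truncated."""
    host, _, port = addr.rpartition(".")
    return host, port


def parse_netstat(text):
    """Return a Sock for every tcp/udp line; headers and other lines are skipped."""
    socks = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "udp"):
            continue
        lhost, lport = split_addr(f[3])
        fhost, fport = split_addr(f[4])
        state = f[5] if len(f) > 5 else ""      # UDP lines have no state column
        socks.append(Sock(f[0], int(f[1]), int(f[2]), lhost, lport, fhost, fport, state))
    return socks


def is_server_port(n):
    """Numeric heuristic for `netstat -n` output: privileged ports and X server ports."""
    return n < 1024 or 6000 <= n <= 6063


def direction(s):
    """'listen', 'inbound' (remote host opened it), 'outbound' (we opened it) or 'ambiguous'."""
    if s.state == "LISTEN" or (s.proto == "udp" and s.fhost == "*"):
        return "listen"
    # Names printed by netstat always come from /etc/services, so a named end
    # (even one truncated to 'telne') is the service end of the connection.
    lnamed, fnamed = not s.lport.isdigit(), not s.fport.isdigit()
    if lnamed != fnamed:
        return "inbound" if lnamed else "outbound"
    if lnamed:                      # both ends named: cannot tell which is the server
        return "ambiguous"
    ls, fs = is_server_port(int(s.lport)), is_server_port(int(s.fport))
    if ls != fs:
        return "inbound" if ls else "outbound"
    # Both or neither privileged.  rlogin/rsh clients must connect *from* a
    # reserved port (512-1023), so 513 <-> 1023 is undecidable from numbers alone.
    return "ambiguous"


def listeners(socks):
    """Sorted 'proto/port' list of every socket that accepts traffic from the network."""
    return sorted(f"{s.proto}/{s.lport}" for s in socks if direction(s) == "listen")


def report(text):
    """One line per socket plus a summary of listening ports; Recv-Q is flagged
    because unread inbound data is worth a look on a machine under suspicion."""
    socks = parse_netstat(text)
    lines = []
    for s in socks:
        note = f"  ({s.recvq} bytes unread)" if s.recvq else ""
        lines.append(f"{direction(s):9} {s.proto} {s.lhost}.{s.lport} <-> {s.fhost}.{s.fport}{note}")
    lines.append("listening: " + ", ".join(listeners(socks)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

To run it against a live machine, pipe the output of netstat -a -f inet (or netstat -an -f inet) into parse_netstat instead of SAMPLE; on numeric output the direction of r-command sessions comes back as ambiguous, which is the honest answer, and the named output of the default listing is what lets netstat readers resolve it.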

NOTE: The foreign address that netstat reports is simply the address carried in the packets, and there are weaknesses in the implementation of network services that can be exploited so that one machine temporarily masquerades as another. There is nothing you can do to prevent this deception if the attacker gets the code right and has access to the network. This kind of "spoof" is not easy to carry out, but toolkits are available that make the process easier. Some forms of spoofing require physical access to your local network; others can be done remotely. All require exact timing of events to succeed, and such spoofs are often impossible to spot afterwards.

