{"id":30,"date":"2006-10-17T10:12:11","date_gmt":"2006-10-17T10:12:11","guid":{"rendered":"http:\/\/ramblingsofasysadmin.com\/blog\/?p=30"},"modified":"2006-10-17T10:12:11","modified_gmt":"2006-10-17T10:12:11","slug":"port-utilization-checkup","status":"publish","type":"post","link":"http:\/\/ramblingsofasysadmin.com\/?p=30","title":{"rendered":"port utilization checkup."},"content":{"rendered":"

i run nmap on localhost on a nightly basis and compare the results (which are emailed to me) against the previous night’s. this way, i can tell if something happened at a certain time if a new port mysteriously opens itself.
\ntoday, i encountered an open port on 6010. i investigated who was using them by running the following useful commands, which i am posting here for reference:
\n# \/usr\/sbin\/lsof -i TCP:6010
\nCOMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
\nsshd 21176 user 9u IPv4 13084094 TCP localhost:x11-ssh-offset (LISTEN)<\/font>
\nguess he was using X11, which opens an additional port.
\ni further broke this down by looking into the following:
\n# \/sbin\/fuser -name tcp 6010
\nhere: 6010
\n6010\/tcp: 24345<\/font>
\nthis indicated that process ID (pid) 24345 was doing something funny.
\nso i looked into the pid:
\n# \/usr\/sbin\/lsof -p 24345
\nCOMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
\nsshd 24345 user cwd DIR 8,5 4096 2 \/
\nsshd 24345 user rtd DIR 8,5 4096 2 \/
\nsshd 24345 user txt REG 8,5 309200 20922628 \/usr\/sbin\/sshd
\nsshd 24345 user mem REG 8,5 941024 23234362 \/lib\/libcrypto.so.0.9.7a
\nsshd 24345 user mem REG 8,5 14542 23234382 \/lib\/libutil-2.3.4.so
\nsshd 24345 user mem REG 8,5 63624 3069543 \/usr\/lib\/libz.so.1.2.1.2
\nsshd 24345 user mem REG 8,5 56328 23232671 \/lib\/libselinux.so.1
\n[snip]<\/font>
\npoint being: i now knew the source of the open port, and it was harmless.
\non the other hand, if it was something to wonder about, i’d have killed the process using kill -9 24345<\/font> and have figured out the entry point to the server in order to better secure it.<\/p>\n","protected":false},"excerpt":{"rendered":"

i run nmap on localhost on a nightly basis and compare the results (which are emailed to me) against the previous night’s. this way, i can tell if something happened at a certain time if a new port mysteriously opens itself. today, i encountered an open port on 6010. i investigated who was using them by running the following useful commands, which i am posting here for reference: # \/usr\/sbin\/lsof -i TCP:6010 COMMAND PID USER …<\/span> Read More →<\/span><\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-30","post","type-post","status-publish","format-standard","hentry","category-security"],"_links":{"self":[{"href":"http:\/\/ramblingsofasysadmin.com\/index.php?rest_route=\/wp\/v2\/posts\/30","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ramblingsofasysadmin.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ramblingsofasysadmin.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ramblingsofasysadmin.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/ramblingsofasysadmin.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=30"}],"version-history":[{"count":0,"href":"http:\/\/ramblingsofasysadmin.com\/index.php?rest_route=\/wp\/v2\/posts\/30\/revisions"}],"wp:attachment":[{"href":"http:\/\/ramblingsofasysadmin.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=30"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ramblingsofasysadmin.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=30"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ramblingsofasysadmin.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=30"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}