What the hell is that pile of open ports on startup?!

Started by stratabomb, December 22, 2016, 03:46:17 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

stratabomb

December 22, 2016, 03:46:17 AM Last Edit: December 22, 2016, 03:48:51 AM by stratabomb
Just look at this netstat:  ???

root@backbox:/home/backbox# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:53834                 *:*                     LISTEN      1264/rpc.statd  
tcp        0      0 *:sunrpc                *:*                     LISTEN      1188/rpcbind    
tcp        0      0 localhost:9040         *:*                     LISTEN      2226/tor        
tcp        0      0 *:ssh                   *:*                    LISTEN      1536/sshd      
tcp        0      0 localhost:ipp           *:*                     LISTEN      3249/cupsd    
tcp        0      0 localhost:postgresql    *:*                     LISTEN      1873/postgres  
tcp        0      0 localhost:9050         *:*                     LISTEN     2226/tor      
tcp        0      0 localhost:8123         *:*                     LISTEN     2174/polipo    
tcp6       0      0 [::]:57798              [::]:*                  LISTEN      1264/rpc.statd  
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN     1188/rpcbind    
tcp6       0      0 [::]:ssh               [::]:*                  LISTEN     1536/sshd      
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN      3249/cupsd      
tcp6       1      0 ip6-localhost:33665     ip6-localhost:ipp       CLOSE_WAIT  1683/cups-browsed


We have here so many services up by default, isn't it a huge overkill for usual purposes?
At least i would like to have no ssh, rpcinfo up with the boot.
And why the SQL server listens on *:* ?!  :o
There are also a bunch of em on UDP!

Also rpcinfo from a remote host gives such a blow!
backbox@backbox:~$ rpcinfo 192.169.1.1
  program version netid     address                service    owner
   100000    4    tcp6      ::.0.111               portmapper superuser
   100000    3    tcp6      ::.0.111               portmapper superuser
   100000    4    udp6      ::.0.111               portmapper superuser
   100000    3    udp6      ::.0.111               portmapper superuser
   100000    4    tcp       0.0.0.0.0.111          portmapper superuser
   100000    3    tcp       0.0.0.0.0.111          portmapper superuser
   100000    2    tcp       0.0.0.0.0.111          portmapper superuser
   100000    4    udp       0.0.0.0.0.111          portmapper superuser
   100000    3    udp       0.0.0.0.0.111          portmapper superuser
   100000    2    udp       0.0.0.0.0.111          portmapper superuser
   100000    4    local     /run/rpcbind.sock      portmapper superuser
   100000    3    local     /run/rpcbind.sock      portmapper superuser
   100024    1    udp       0.0.0.0.161.85         status     122
   100024    1    tcp       0.0.0.0.210.74        status     122
   100024    1    udp6      ::.209.7               status     122
   100024    1    tcp6      ::.225.198             status     122

WTF? Isn't this distribution supposed to be kinda blackboxy for the outer world?
All those servers getting up right at boot time don't make it moar secure, guys!

Or is it supposed to be entirely different being installed onto bare metal?
PS: After i posted this the first time i changed my mind as a thought came to me that this default configuration is true only for what we get as a "live" version. But after i installed backbox into a VM i saw exactly the same!

ZEROF

#1
December 22, 2016, 11:59:33 PM Last Edit: December 23, 2016, 12:08:43 AM by ZEROF
Hi,

Almost all of this ports are Ubuntu/Debian default now. If you don't use it, you can stop services and close them. And you don't have MySql, it's postgres that is default for MSF, polipo and tor are ..hope that you know what they are, and that's it, cups is printer service etc.. Debian and Ubuntu "pushed" few of them for "normal" users who don't know much about Linux etc..

Other questions? I like people like you, I really do. Bro, shape your knowledge before accusation.

Don't ask, read : http://wiki.backbox.org
or just run sudo rm -rf /*

ostendali

#2
January 03, 2017, 03:57:00 PM
Hi,
as our good Zerof already anticipated, all those ports you see them open are open for a reason and the reason you can read it yourself from your own output. just move your eye towards the end of each line of netstat output you posted.

Apart from rpc and cups the rest of the ports are all up and running for reason.

1st thing, just to be clear, BackBox is a pentest distro, not to be used as production server where one would run the companies business on it. It is meant to test the safety of servers environment but not the safety of itself.

2nd thing, anyone who security (i.e. who has linux experience) and who knows how to use a security based distro, knows very well what is going on the system and what they are for. Needless to say the can also manage to stop the services if unneeded.

One really have to know how to write if they have a pen/pencil in their hands. So this is the same concept and don't get me wrong (no offence). you need to get to know it before questioning, otherwise you would't have posted this question.

Agree to disagree, I welcome your comments if you thing otherwise.

GeekyNoob

#3
February 23, 2017, 03:55:39 AM
The first time i run netstat -na -p --wide -aa  I also got Paranoid :P

Keeps you sharp :)
Error is Progress

Linux backbox 4.4.0-2-upboard #6~14.04.1-Ubuntu 2016 x86_64 x86_64 x86_64 GNU/Linux
Print
Go Up Pages1
User actions