Why s port 111 still open?
Lisi
security discussion on this list. Today, because I was trying to remove
Samba, I ran nmap to see what was going on. Here is the "conversation" I had
with Tux just now:
<quote>
lisi@Tux:~$ nmap Tux
Starting Nmap 4.62 ( http://nmap.org ) at 2011-08-29 10:31 BST
Interesting ports on Tux (192.168.0.2):
Not shown: 1711 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
6881/tcp open bittorrent-tracker
Nmap done: 1 IP address (1 host up) scanned in 0.126 seconds
lisi@Tux:~$ which rpcbind
lisi@Tux:~$ whereis rpcbind
rpcbind:
lisi@Tux:~$ locate rpcbind
lisi@Tux:~$ find rpcbind
find: `rpcbind': No such file or directory
lisi@Tux:~$
</quote>
Do I need to do anything about it, or should I just take no notice?
Thanks,
Lisi
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/201108291038.3...@gmail.com
Scott Ferguson
=======Copy of what I just posted to Yuri query=========
Probably portmap...
See if it's installed
$ dpkg --get-selections portmap
If it is, and it bothers you, it can be removed - check and see if
anything uses it:-
# apt-get -s remove portmap | less
If it's the only package to be removed:-
# apt-get --purge remove portmap
Check your port:-
$ netstat -an | grep 111
SUN RPC is another protocol that uses that port.
Cheers
--
"I've got a bathtub and an imagination, I'm staying indoors this summer.
That way I can listen to music that I like."
— Bill Hicks
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Scott Ferguson
=======Copy of what I just posted to Yuri query=========
Probably portmap...
See if it's installed
$ dpkg --get-selections portmap
If it is, and it bothers you, it can be removed - check and see if
anything uses it:-
# apt-get -s remove portmap | less
If it's the only package to be removed:-
# apt-get --purge remove portmap
Check your port:-
$ netstat -an | grep 111
SUN RPC is another protocol that uses that port.
Cheers
--
"I've got a bathtub and an imagination, I'm staying indoors this summer.
That way I can listen to music that I like."
— Bill Hicks
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Jochen Spieker
>
> <quote>
> lisi@Tux:~$ nmap Tux
>
> Starting Nmap 4.62 ( http://nmap.org ) at 2011-08-29 10:31 BST
> Interesting ports on Tux (192.168.0.2):
> Not shown: 1711 closed ports
> PORT STATE SERVICE
> 22/tcp open ssh
> 80/tcp open http
> 111/tcp open rpcbind
> 6881/tcp open bittorrent-tracker
>
> Nmap done: 1 IP address (1 host up) scanned in 0.126 seconds
> lisi@Tux:~$ which rpcbind
JFTR: just because nmap calls the program using this port "rpcbind",
that doesn't mean you have a program or package on your system with that
exact name.
What I would do, if I wanted to get rid of the program using port 59446
on my system (and didn't know which program it is):
# netstat -tlpn | grep 59446
tcp 0 0 0.0.0.0:59446 0.0.0.0:* LISTEN 4586/rpc.mountd
# which rpc.mountd
/usr/sbin/rpc.mountd
# dpkg -S /usr/sbin/rpc.mountd
nfs-kernel-server: /usr/sbin/rpc.mountd
# aptitude why nfs-kernel-server
Unable to find a reason to install nfs-kernel-server.
# apt-get remove nfs-kernel-server
> lisi@Tux:~$ find rpcbind
> find: `rpcbind': No such file or directory
This command doesn't do what you expect. It prints all files found in
the directory "rcpbind" in your current working directory. Since no such
directory exists, find exits with the error message above.
J.
--
I am on the payroll of a company to whom I owe my undying gratitude.
[Agree] [Disagree]
<http://www.slowlydownward.com/NODATA/data_enter2.html>
Lisi
> =======Copy of what I just posted to Yuri query=========
Thanks Scott and sorry. That email landed on my box after I had sent my
query.
Lisi
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/201108291221.2...@gmail.com
Ivan Shmakov
>>>>> Lisi:
[…]
>> lisi@Tux:~$ find rpcbind
>> find: `rpcbind': No such file or directory
> This command doesn't do what you expect. It prints all files found
> in the directory "rcpbind" in your current working directory. Since
> no such directory exists, find exits with the error message above.
I guess that $ dpkg -S rpcbind ; would be more appropriate.
--
FSF associate member #7257 Coming soon: Software Freedom Day
http://mail.sf-day.org/lists/listinfo/ planning-ru (ru), sfd-discuss (en)
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/86vctgf...@gray.siamics.net
Tom H
>
> I was under the impression that I had cleansed my system of rpcbind after the
> security discussion on this list. Today, because I was trying to remove
> Samba, I ran nmap to see what was going on. Here is the "conversation" I had
> with Tux just now:
>
> Starting Nmap 4.62 ( http://nmap.org ) at 2011-08-29 10:31 BST
> Interesting ports on Tux (192.168.0.2):
> Not shown: 1711 closed ports
> PORT STATE SERVICE
> 22/tcp open ssh
> 80/tcp open http
> 111/tcp open rpcbind
> 6881/tcp open bittorrent-tracker
>
> Nmap done: 1 IP address (1 host up) scanned in 0.126 seconds
> lisi@Tux:~$ which rpcbind
> lisi@Tux:~$ whereis rpcbind
> rpcbind:
> lisi@Tux:~$ locate rpcbind
> lisi@Tux:~$ find rpcbind
> find: `rpcbind': No such file or directory
> lisi@Tux:~$
CHeck whether the rpcbind or the portmap packages are installed.
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/CAOdoSy-CMkh2yRLJSo_zQU...@mail.gmail.com
shawn wilson
Your issue seems to be resolved. However, I'd prefer to teach a man to fish.... As it were, lsof -i :111 should show you the pid of what is on that port. From there, ps and then look through logs or 'find /etc/unit.d -type f -print0 | xargs -0 -i{} grep <p name> {}' sometimes works. But if you don't see am unit service, chances are its tcp wrapper / portmap. FWIW
Lisi
> On Mon, Aug 29, 2011 at 5:38 AM, Lisi <lisi....@gmail.com> wrote:
> > I was under the impression that I had cleansed my system of rpcbind after
> > the security discussion on this list. Today, because I was trying to
> > remove Samba, I ran nmap to see what was going on. Here is the
> > "conversation" I had with Tux just now:
> >
> > lisi@Tux:~$ nmap Tux
> > Starting Nmap 4.62 ( http://nmap.org ) at 2011-08-29 10:31 BST
> > Interesting ports on Tux (192.168.0.2):
> > Not shown: 1711 closed ports
> > PORT STATE SERVICE
> > 22/tcp open ssh
> > 80/tcp open http
> > 111/tcp open rpcbind
> > 6881/tcp open bittorrent-tracker
> >
> > Nmap done: 1 IP address (1 host up) scanned in 0.126 seconds
> > lisi@Tux:~$ which rpcbind
> > lisi@Tux:~$ whereis rpcbind
> > rpcbind:
> > lisi@Tux:~$ locate rpcbind
> > lisi@Tux:~$ find rpcbind
> > find: `rpcbind': No such file or directory
> > lisi@Tux:~$
>
> CHeck whether the rpcbind or the portmap packages are installed.
I have portmap, but not rpcbind. Would that explain why that port is open? I
seem to have nothing left of rpcbind and its configuration/data files etc.
The other three are open fpr identifiable (by me) reasons. But why is that
rpcbind one still open? The computer has been completely shutdown between
wehn I removed rpcbind and now.
Lisi
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/201108291654.0...@gmail.com
Lisi
> Your issue seems to be resolved. However, I'd prefer to teach a man to
> fish.... As it were, lsof -i :111 should show you the pid of what is on
> that port. From there, ps and then look through logs or 'find /etc/unit.d
> -type f -print0 | xargs -0 -i{} grep <p name> {}' sometimes works. But if
> you don't see am unit service, chances are its tcp wrapper / portmap. FWIW
Thanks for that.
So the fact that nmap says that 111 is open for rpcbind does not mean that it
is open for rpcbind??
And for what it is worth:
lisi@Tux:~$ lsof -i :111
lisi@Tux:~$
!!
But it is open....
So the conclusion that it is portmap is where this method leads too?!
If I live to the age of 100, I shall still barely have scratched the surface
of Debian and Linux.
Lisi
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/201108291702.3...@gmail.com
Ivan Shmakov
>>>>> On Monday 29 August 2011 15:29:41 shawn wilson wrote:
>> Your issue seems to be resolved. However, I'd prefer to teach a man
>> to fish.... As it were, lsof -i :111 should show you the pid of what
>> is on that port. From there, ps and then look through logs or 'find
>> /etc/unit.d -type f -print0 | xargs -0 -i{} grep <p name> {}'
>> sometimes works. But if you don't see am unit service, chances are
>> its tcp wrapper / portmap. FWIW
> So the fact that nmap says that 111 is open for rpcbind does not mean
> that it is open for rpcbind??
For the sake of simplicity, let me explain that as follows:
nmap(1) says about port 111 being available for the rpcbind
/protocol/. This protocol is implemented by /both/ portmap
/and/ rpcbind.
Another example of this sort you've already seen is:
$ nmap -6 ::1 | grep -F 80/tcp
80/tcp open http
$
However, the machine the command above was run on has /no/
“http” installed:
$ dpkg -l http
No packages found matching http.
$
(It has apache2-mpm-prefork installed, though.)
[…]
--
FSF associate member #7257 Coming soon: Software Freedom Day
http://mail.sf-day.org/lists/listinfo/ planning-ru (ru), sfd-discuss (en)
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/86ippgf...@gray.siamics.net
Bob Proulx
> lisi@Tux:~$ lsof -i :111
> lisi@Tux:~$
Needs to be run as root.
$ lsof -i :111
$ sudo lsof -i :111
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
portmap 1569 daemon 4u IPv4 7285 0t0 UDP *:sunrpc
portmap 1569 daemon 5u IPv4 5039 0t0 TCP *:sunrpc (LISTEN)
Bob
shawn wilson
yeah, i just got to a computer and realized i should have said that :)
so, just to show the process:
root@shawn-desktop:/home/shawn# whoami
root
root@shawn-desktop:/home/shawn# nmap localhost
Starting Nmap 5.00 ( http://nmap.org ) at 2011-08-29 13:09 EDT
Interesting ports on localhost (127.0.0.1):
Not shown: 988 closed ports
PORT STATE SERVICE
...
111/tcp open rpcbind
...
Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds
root@shawn-desktop:/home/shawn# lsof -i :111
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
portmap 16262 daemon 5u IPv4 243950 0t0 UDP *:sunrpc
portmap 16262 daemon 6u IPv4 243956 0t0 TCP *:sunrpc (LISTEN)
root@shawn-desktop:/home/shawn# ps ax | grep 16262
10007 pts/1 S+ 0:00 grep 16262
16262 ? Ss 0:00 portmap
######
after looking through logs and remembering that tcpd is stupid, i did
what i originally suggested. this is a kubuntu box (don't ask), so the
results might look different
######
root@shawn-desktop:/home/shawn# find /etc/init.d/ -type f -print0 |
xargs -0 -i{} grep -H portmap {}
/etc/init.d/quotarpc:# Should-Start: $portmap rpcbind
/etc/init.d/quotarpc:# Should-Stop: $portmap rpcbinf
/etc/init.d/quotarpc:pidp=`pidof portmap`
/etc/init.d/quotarpc: # To start the daemon, portmap must be up and running
/etc/init.d/quotarpc: log_warning_msg "Not starting $DESC
rpc.rquotad, because neither portmap nor rcpbind are running"
/etc/init.d/umountnfs.sh:# Should-Stop: $network $portmap nfs-common
/etc/init.d/openbsd-inetd:checkportmap () {
/etc/init.d/openbsd-inetd: elif ! /usr/bin/rpcinfo -u localhost
portmapper >/dev/null 2>&1; then
/etc/init.d/openbsd-inetd: log_action_msg "WARNING: portmapper
inactive - RPC services unavailable!"
/etc/init.d/openbsd-inetd: checkportmap
/etc/init.d/openbsd-inetd: checkportmap
/etc/init.d/xinetd:checkportmap () {
/etc/init.d/xinetd: if ! rpcinfo -u localhost portmapper >/dev/null
2>&1; then
/etc/init.d/xinetd: echo "WARNING: portmapper inactive - RPC
services unavailable!"
/etc/init.d/xinetd: checkportmap
###
at any rate, it's being started in one (or more) of three places -
quotarpc, openbsd-inetd, xinetd. i'm going to take a wild guess and
say it's in xinetd... and be totally wrong. under kubuntu, it looks
like it's started in openbsd-inetd. at this point, i started from
another angle - noticing that the daemon was nice enough to put a
portmap.pid in /var/run:
root@shawn-desktop:/home/shawn# find /var/run/ -type f -print0 | xargs
-0 -i{} grep -H 16262 {}
/var/run/portmap.pid:16262
i took the sledgehammer approach and looked at every file in /etc for
that pid file:
root@shawn-desktop:/home/shawn# find /etc/ -type f -print0 | xargs -0
-i{} grep -H portmap.pid {}
/etc/init/portmap.conf: ln -s /var/run/portmap.pid
/lib/init/rw/sendsigs.omit.d/portmap
which seems to be the main configuration file for this ancient pos :)
just fyi, these are the *portmap* files in etc under kubuntu and their
line counts:
root@shawn-desktop:/home/shawn# find /etc -iname "*portmap*" -type f
-print0 | xargs -0 -i{} wc -l {}
11 /etc/default/portmap
46 /etc/init/portmap.conf
10 /etc/init/portmap-boot.conf
26 /etc/init/portmap-wait.conf
#############################
if someone has a better method for finding what is running services,
i'm all ears. i've gotten pretty good at tracking these down but have
often thought "there's got to be a better way" :)
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/CAH_OBifghMjRyV82JUwoFpe...@mail.gmail.com
Ivan Shmakov
[…]
> root@shawn-desktop:/home/shawn# find /etc/init.d/ -type f -print0 |
> xargs -0 -i{} grep -H portmap {}
As a news:comp.unix.shell regular, I simply cannot leave such a
command line in its present state.
First of all, {} is not necessary, but -- may be, as well as -F
to grep(1), in some circumstances, so:
$ find /etc/init.d/ -type f -print0 |
xargs -0 -- grep -HF -- portmap
Then, find(1) has -exec, so:
$ find /etc/init.d/ -type f -exec grep -HF -- portmap {} +
This is both shorter and more efficient.
[…]
> if someone has a better method for finding what is running services,
> i'm all ears. i've gotten pretty good at tracking these down but have
> often thought "there's got to be a better way" :)
I'd do it as follows:
• # netstat -p (as root) to get the PID;
• $ readlink /proc/PID/exe (will work as an unprivileged user)
to find the executable;
• $ dpkg -S /usr/bin/executable (as user, too) to find the
package.
--
FSF associate member #7257 Coming soon: Software Freedom Day
http://mail.sf-day.org/lists/listinfo/ planning-ru (ru), sfd-discuss (en)
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/867h5wf...@gray.siamics.net
Lisi
Tux:/home/lisi# lsof -i :111
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
portmap 1980 daemon 4u IPv4 6097 UDP *:sunrpc
portmap 1980 daemon 5u IPv4 6106 TCP *:sunrpc (LISTEN)
Tux:/home/lisi#
Thanks!
Lisi
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/201108292036.3...@gmail.com
Jochen Spieker
>
> So the fact that nmap says that 111 is open for rpcbind does not mean that it
> is open for rpcbind??
Exactly. Nmap can only guess what program is listening on the other end.
An easy test:
(0) (root@jigsaw):~# nc -l -p 80 &
[1] 17913
(1) (root@jigsaw):~# nmap localhost | grep 80
80/tcp open http
(nc is netcat, which in this case simply listens on the given port.)
In this example, nmap guesses what kind of program listens on port
80 by simply deriving it from the port number. You can use nmap's option
'-sV' to make nmap probe for more details.
Anyway, using nmap on localhost doesn't make much sense. Use netstat or
lsof instead.
J.
--
If I could travel through time I would go back to yesterday and
apologise.
[Agree] [Disagree]
<http://www.slowlydownward.com/NODATA/data_enter2.html>
Bob Proulx
> Anyway, using nmap on localhost doesn't make much sense. Use netstat or
> lsof instead.
Agreed. For example if you have a firewall on the local host.
Usually connections from the local host to the local host are
allowed but inbound connections from other hosts are blocked. In that
case nmap on the local host would report open ports that would show as
blocked when coming from a remote host. You would need to probe your
host from another one in order to gain meaningful information about
remote networking attacks.
Bob
shawn wilson
> Lisi:
>>
>> So the fact that nmap says that 111 is open for rpcbind does not mean that it
>> is open for rpcbind??
>
> Exactly. Nmap can only guess what program is listening on the other end.
> An easy test:
>
> (0) (root@jigsaw):~# nc -l -p 80 &
> [1] 17913
>
> (1) (root@jigsaw):~# nmap localhost | grep 80
> 80/tcp open http
>
well, you can ask nmap to let you know if it doesn't know (note, i
only scanned the port i wanted because i don't want to die waiting for
it)
root@shawn-desktop:~# nmap -sV --version-all -p8080 localhost
Starting Nmap 5.00 ( http://nmap.org ) at 2011-08-29 17:05 EDT
Got nsock WRITE error #104 (Connection reset by peer)
Interesting ports on localhost (127.0.0.1):
PORT STATE SERVICE VERSION
8080/tcp open http-proxy?
Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.58 seconds
root@shawn-desktop:~# nmap -sV --version-all -p22 localhost
Starting Nmap 5.00 ( http://nmap.org ) at 2011-08-29 17:05 EDT
Interesting ports on localhost (127.0.0.1):
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu6 (protocol 2.0)
Service Info: OS: Linux
Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.70 seconds
>
> Anyway, using nmap on localhost doesn't make much sense. Use netstat or
> lsof instead.
>
well, it's a nice check of what everyone else sees - ie, apache and
mysql and the likes can bind to an ip. mysql, by default binds to
localhost which can be missed by just looking at lsof.
just so that i don't get corrected, i know you can see the difference with lsof:
apache2 28946 root 4u IPv4 14498250 0t0 TCP
shawn-desktop.local:www (LISTEN)
apache2 28946 root 6u IPv4 14600633 0t0 TCP localhost:www (LISTEN)
but, if a service you're looking for just doesn't show up when you
nmap, you know you won't connect to it (you'll get different results
with a port scan to localhost vs your external ip).
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/CAH_OBieD_SzQ7hZwJWQ4dEm9...@mail.gmail.com
shawn wilson
iirc, nmap should show 'filtered' from another host. it's a part of
the process as far as i'm concerned. see:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/CAH_OBicEQk7YgNaYxm-yPhs6...@mail.gmail.com