
Re: security risk of having a long list of services in inetd

Paul Dufresne wrote:
> 2008/8/30 Thomas Weinbrenner <thomas@thomas-weinbrenner.de>:

> Well, it is more than just a name. man inetd says:
>      "inetd should be run at boot time by /etc/rc (see rc(8)).  It then listens
>      for connections on certain internet sockets.  When a connection is found
>      on one of its sockets, it decides what service the socket corresponds to,
>      and invokes a program to service the request.  After the program is
>      finished, it continues to listen on the socket (except in some cases which
>      will be described below).  Essentially, inetd allows running one daemon
>      to invoke several others, reducing load on the system."
> 

The man page also says:
"Upon execution, inetd reads its configuration information from a
configuration file which, by default, is /etc/inetd.conf" :)

As pointed out by Martin, /etc/services is just an information file, used
by all sorts of programs (netstat, tcpdump etc.) so that they know that,
e.g., the string 'ssh' means TCP port 22.

/etc/inetd.conf is the file you should be looking at as this is inetd's
config file, and controls which ports it will listen on. The default in
Debian, and most other distros, nowadays is for it not to listen on any
ports - you have to configure what services you want.

>>> When there is so much, it becomes too hard to look at each door to see
>>> if there is a program behind, and if it does what it should.
>> "netstat -plunt" will show you exactly which programs are listening on
>> which port.
> Thanks, I tend to use 'lsof -i4' but I believe your command is better for that.
> If I was to exploit a security vulnerability (never did, nor want to)
> and become root on your computer, I would prefer to abuse one of the
> services in /etc/services rather than have a program sitting there to
> listen to the Internet. That way, you would have to do the 'netstat
> -plunt' command, while I am sending commands to your computer to
> discover me.

But if there's no program sitting there listening on the port there's
nothing to connect to and nothing to abuse. You'll simply get a 'port
unreachable' (or something similar) ICMP message back from the kernel.
Unless the kernel itself has a security hole of course, which is why
running apt-get upgrade regularly is a good idea :)
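As an added illustration of the point above (example code, not from anyone in this thread), the script below compares a constructed /etc/services excerpt with a constructed /etc/inetd.conf excerpt and reports only the names for which inetd actually has an enabled (uncommented) entry. Everything else in /etc/services is just a name-to-port table; the authoritative check for what is really listening remains 'netstat -plunt'.

```shell
#!/bin/sh
# Added example: which /etc/services names does inetd really serve?
# Both inputs below are constructed samples in the real files' formats.

SERVICES_SAMPLE='# name    port/proto   aliases
ftp       21/tcp
ssh       22/tcp
telnet    23/tcp
smtp      25/tcp       mail
daytime   13/tcp
daytime   13/udp'

# Only the daytime/tcp line is enabled; telnet and ftp are commented out.
INETD_SAMPLE='#<service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
daytime   stream  tcp   nowait  root  internal
#telnet   stream  tcp   nowait  root  /usr/sbin/tcpd  /usr/sbin/in.telnetd
#ftp      stream  tcp   nowait  root  /usr/sbin/tcpd  /usr/sbin/in.ftpd'

# inetd_enabled INETD_CONF SERVICES_FILE
# Prints "name port/proto" for every /etc/services entry whose name and
# protocol match an uncommented inetd.conf line (tcp4/tcp6 are normalised).
inetd_enabled() {
    awk '
        FNR == NR {                       # first file: inetd.conf
            if ($0 ~ /^[ \t]*#/ || NF < 6) next
            proto = $3; sub(/[46]$/, "", proto)
            enabled[$1 "/" proto] = 1
            next
        }
        {                                 # second file: /etc/services
            if ($0 ~ /^[ \t]*#/ || NF < 2) next
            split($2, pp, "/")            # pp[1] = port, pp[2] = proto
            if (($1 "/" pp[2]) in enabled) print $1, $2
        }
    ' "$1" "$2"
}

# demo_enabled: write the samples to a temp dir, run the comparison, clean up.
demo_enabled() {
    dir=$(mktemp -d)
    printf '%s\n' "$INETD_SAMPLE" > "$dir/inetd.conf"
    printf '%s\n' "$SERVICES_SAMPLE" > "$dir/services"
    inetd_enabled "$dir/inetd.conf" "$dir/services"
    rm -rf "$dir"
}

demo_enabled
```

Run it against the real files with `inetd_enabled /etc/inetd.conf /etc/services` to see how short the enabled list is compared with the hundreds of names in /etc/services.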
