Re: security risk of having a long list of services in inetd
2008/8/30 Thomas Weinbrenner <thomas@thomas-weinbrenner.de>:
> Paul Dufresne <dufresnep@gmail.com> schrieb:
>>> From: Paul Dufresne <dufresnep@gmail.com>
>>>> Looking at /etc/services, I found that Debian seems to like to have a
>>>> very big file with all known services rather than just adding the
>>>> services needed. I don't even know if other distributions just add
>>>> the needed services.
>>>
>>> That file is just a mapping of service names and ports, it has no relation
>>> to services that are actually running.
>>
>> Yes, I know. But as I see it, each mapping is like a *possible* door
>> to the Internet.
>
> No, each *port* is like a possible door to the internet. /etc/services
> is just a way to give ports names, regardless of whether those ports are
> used or not.
Well, it is more than just a name. man inetd says:
"inetd should be run at boot time by /etc/rc (see rc(8)). It then listens
for connections on certain internet sockets. When a connection is found
on one of its sockets, it decides what service the socket corresponds to,
and invokes a program to service the request. After the program is finished,
it continues to listen on the socket (except in some cases which
will be described below). Essentially, inetd allows running one daemon
to invoke several others, reducing load on the system."
>> When there is so much, it becomes too hard to look at each door to see
>> if there is a program behind it, and if it does what it should.
>
> "netstat -plunt" will show you exactly which programs are listening on
> which port.
Thanks, I tend to use 'lsof -i4' but I believe your command is better for that.
If I were to exploit a security vulnerability (I never did, nor do I want to)
and become root on your computer, I would prefer to abuse one of the
services in /etc/services rather than have a program sitting there
listening to the Internet. That way, you would have to run the 'netstat
-plunt' command while I am sending commands to your computer to
discover me.
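The thread turns on the difference between a name in /etc/services and a program that actually listens. The following script is an added example, not part of the original mailing-list message or of Debian's inetd, showing how the two files relate: inetd reads /etc/inetd.conf for the list of services it should accept connections for, and resolves each service name to a port through the /etc/services table. An /etc/services entry with no active inetd.conf line is inert; an inetd.conf line whose name is missing from /etc/services cannot be bound at all. Both input files below are constructed excerpts written by the script itself so that it runs offline; pass the real /etc/services and /etc/inetd.conf as arguments to run it against a host. It deliberately handles only the plain `tcp`/`udp` protocol field, not `tcp6` or `rpc/tcp` variants, and it does not replace `netstat -plunt`, which shows what is really bound.

```shell
#!/bin/sh
# Added example (not from the original thread): relate /etc/services
# (name -> port table) to /etc/inetd.conf (what inetd actually listens for).

write_samples() {
    # Constructed excerpt in /etc/services format: "name port/proto [aliases] # comment"
    cat > "$1" <<'EOF'
# Network services, Internet style (constructed excerpt)
ftp       21/tcp
ssh       22/tcp            # SSH Remote Login Protocol
telnet    23/tcp
smtp      25/tcp    mail
finger    79/tcp
daytime   13/tcp
daytime   13/udp
EOF
    # Constructed inetd.conf: a commented-out line does not listen.
    cat > "$2" <<'EOF'
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp       stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
#telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
finger    stream  tcp  nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd
daytime   stream  tcp  nowait  root    internal
EOF
}

# One line per active inetd.conf entry: "<name> <port>/<proto> <server>".
# A name inetd cannot resolve through the services table is flagged
# UNRESOLVED, because inetd itself logs "unknown service" and skips it.
# Usage: inetd_listeners <services-file> <inetd.conf>
inetd_listeners() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }              # blank lines and comments, both files
        FNR == NR {                                  # first file: services table
            split($2, pp, "/"); port[$1 "/" pp[2]] = pp[1]; next
        }
        {                                            # second file: inetd.conf, field 3 = protocol
            key = $1 "/" $3
            if (key in port) print $1, port[key] "/" $3, $6
            else print $1, "UNRESOLVED/" $3, $6
        }
    ' "$1" "$2"
}

# Names in the services table that no active inetd.conf line refers to:
# the "possible doors" of the thread, which are names only, not listeners.
# Usage: inert_service_names <services-file> <inetd.conf>
inert_service_names() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        FNR == NR { names[$1] = 1; next }
        { used[$1] = 1 }
        END { for (n in names) if (!(n in used)) print n }
    ' "$1" "$2" | sort
}

# Stand-alone run: real files if given as $1 $2, otherwise the constructed samples.
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    inetd_listeners "$1" "$2"
    echo "-- names in services table with no active inetd.conf line:"
    inert_service_names "$1" "$2"
else
    d=$(mktemp -d)
    write_samples "$d/services" "$d/inetd.conf"
    inetd_listeners "$d/services" "$d/inetd.conf"
    echo "-- names in services table with no active inetd.conf line:"
    inert_service_names "$d/services" "$d/inetd.conf"
    rm -rf "$d"
fi
```

Against the constructed samples, `ssh`, `smtp` and `telnet` come out as inert names (telnet because its inetd.conf line is commented out), while only `ftp`, `finger` and `daytime` produce listeners. Whatever this script reports, confirm it with `netstat -plunt` (or `ss -plunt`): that is the only view of what is actually bound, including daemons that do not go through inetd at all.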