Finding out all processes associated with open sockets
Normally I’ve only used the 'netstat' command with the '-a' flag to find out which sockets are open on the operating system, but something I discovered recently is that netstat can also show which process opened each socket, via the '-p' flag. A simple dump of the command on my system gives the following output:
# netstat -ap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:http                  *:*                     LISTEN      6695/apache2
tcp        0      0 *:ssh                   *:*                     LISTEN      6604/sshd
udp        0      0 *:bootpc                *:*                                 5294/dhcpcd
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     10287  6696/apache2        /var/run/cgisock
unix  2      [ ACC ]     STREAM     LISTENING     9767   6324/gdm            /tmp/.gdm_socket
... remaining output truncated.
The '-p' flag lets us see which application is holding each open socket, which is a good way to understand why a given socket needs to be open: the bootpc socket in my example is held by dhcpcd and is necessary for the DHCP daemon to function. Knowing this lets you shut down any services you do not need, reducing the number of attack vectors your machine is exposed to.
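To turn the manual inspection above into a repeatable check, here is an added shell example (my own code, not part of the original post) that parses 'netstat -ap' style output, lists every listening TCP/UDP socket together with the program holding it, and then flags any program that is not on an allowlist of services you expect to be running. The sample output embedded in the script is constructed from the lines shown above; the program names in the allowlist ('sshd dhcpcd') are an assumed baseline for the example machine.

```shell
#!/bin/sh
# Added example, not from the original post. Parses netstat -ap output and
# reports listening sockets and their owning programs, then flags any program
# that is not on an expected-services allowlist.

# Constructed sample: the Internet and UNIX sections shown in the post.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:http                  *:*                     LISTEN      6695/apache2
tcp        0      0 *:ssh                   *:*                     LISTEN      6604/sshd
udp        0      0 *:bootpc                *:*                                 5294/dhcpcd
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     10287  6696/apache2        /var/run/cgisock
unix  2      [ ACC ]     STREAM     LISTENING     9767   6324/gdm            /tmp/.gdm_socket'

# list_listeners: read netstat -ap output on stdin and print one line per
# listening Internet socket: "<proto> <local address> <program name>".
# TCP rows carry a State column (LISTEN); UDP rows have no State column,
# so the PID/Program field is one column earlier for them.
list_listeners() {
    awk '
        /^Active UNIX/ { exit }                  # stop at the UNIX-socket section
        $1 == "tcp" && $6 == "LISTEN" { split($7, p, "/"); print $1, $4, p[2] }
        $1 == "udp"                   { split($6, p, "/"); print $1, $4, p[2] }
    '
}

# sample_listeners: run list_listeners over the constructed sample above.
sample_listeners() {
    printf '%s\n' "$SAMPLE_NETSTAT" | list_listeners
}

# unexpected_listeners: read netstat -ap output on stdin and print only the
# listening sockets whose program is NOT in the allowlist given as $1
# (a space-separated list of program names, e.g. 'sshd dhcpcd').
unexpected_listeners() {
    allow=" $1 "
    list_listeners | while read -r proto addr prog; do
        case "$allow" in
            *" $prog "*) ;;                      # expected service, skip it
            *) printf '%s %s %s\n' "$proto" "$addr" "$prog" ;;
        esac
    done
}

# sample_unexpected: apply the allowlist check to the constructed sample.
sample_unexpected() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$1"
}

# Stand-alone run: with only sshd and dhcpcd expected, apache2 is reported.
echo "Listening sockets:"
sample_listeners
echo "Not on the allowlist (sshd dhcpcd):"
sample_unexpected 'sshd dhcpcd'
```

On a live system pipe the real command in instead of the sample, e.g. `netstat -ap | unexpected_listeners 'sshd dhcpcd'`. Run it as root, as the post's prompt does: netstat only fills in the PID/Program name column for processes you are allowed to inspect and prints '-' for the rest, so an unprivileged run would leave those sockets unattributed rather than flagging them.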