There are things that bind ports but have no man pages.
When I run nmap against my system, it says something called "auth" is running on port 113. But there is no man page for auth. What is it? What will quit working if I shut it down?

In inetd.conf, there were several services -- such as a "time" daemon with both UDP and TCP sockets, that had no explanation. I shut them down and nothing seems to have broken.

The documentation for sunrpc, which binds port 111, does not say what it's used for in a SuSE install. Clearly, there could be important stuff depending on it. How can I tell whether there actually is? Just shut it down and see what breaks? Aargh!

I think that in general ANYTHING that binds a port ought to have a man page explaining what it is, why it needs a port, and what depends on it. It would make the job of security newbies who want to actually understand their systems instead of hamfistedly shutting stuff down and hoping for the best ever so much easier.

Bear

* Ray Dillinger wrote on Thu, Nov 22, 2001 at 09:08 -0800:
> When I run nmap against my system, it says something called "auth" is running on port 113. But there is no man page for auth. What is it? What will quit working if I shut it down?

The service is called ident too. Check it:

    root@dx:~ # netstat -anp|grep 113
    (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
    tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN 1914/in.identd

The binary has the name in.identd, which has a man page. In short, that daemon can tell what account name binds to a local port. It can be used by tcp wrappers (the host.allow thing). It's mostly a security risk to have identd enabled.

> In inetd.conf, there were several services -- such as a "time" daemon with both UDP and TCP sockets, that had no explanation. I shut them down and nothing seems to have broken.

This is for remote time "synchronisation". Basically, you receive an int32 with the current time stamp. If you want time sync, use NTP (via xntpd), and if you don't want it, comment out time too :)

> The documentation for sunrpc, which binds port 111, does not say what it's used for in a SuSE install. Clearly, there could be important stuff depending on it.
The portmapper is required for NFS Server and other RPC services (NIS and so on). Try "rpcinfo -p localhost" to get a list of registered services. If you don't need them, turn them off, too.
> How can I tell whether there actually is? Just shut it down and see what breaks? Aargh!
:) Yep, this is an idea :) Check "man portmap" to get some doc.
> I think that in general ANYTHING that binds a port ought to have a man page explaining what it is, why it needs a port, and what depends on it.

On Un*x, it usually has, but the service name may != binary name != man page name :) So it's not easy. If you use netstat to find the binary name, you can find out the RPM package by using "rpm -qf <file>", i.e.:

    root@dx:~ # netstat -anp|grep 111
    (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
    tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1550/portmap

portmap, aha:

    root@dx:~ # rpm -qf `which portmap`
    portmap-123

The RPM package is found. Now tell RPM to list available documentation of this package:

    root@dx:~ # rpm -qd portmap
    [...]
    /usr/share/doc/packages/portmap/README
    [...]
    /usr/share/man/man8/portmap.8.gz

The last is the man page, so invoke "man 8 portmap" to read it.

> It would make the job of security newbies who want to actually understand their systems instead of hamfistedly shutting stuff down and hoping for the best ever so much easier.

Correct! And now you know how to do :)

oki,

Steffen

--
This message was generated by machine and therefore bears neither signature nor seal.

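The netstat, "rpm -qf", "rpm -qd" walk from the reply above, applied to every listening socket at once, as an added example that is not part of the original thread. The netstat sample is constructed, and the function names, the /proc/<pid>/exe lookup and the handling of inetd-held and hidden-owner sockets are assumptions of this example.

```sh
# Constructed `netstat -anp` output for the dry run (not taken from a real host).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address  Foreign Address  State       PID/Program name
tcp        0      0 0.0.0.0:113    0.0.0.0:*        LISTEN      1914/in.identd
tcp        0      0 0.0.0.0:111    0.0.0.0:*        LISTEN      1550/portmap
udp        0      0 0.0.0.0:111    0.0.0.0:*                    1550/portmap
tcp        0      0 0.0.0.0:37     0.0.0.0:*        LISTEN      412/inetd
tcp        0      0 0.0.0.0:6000   0.0.0.0:*        LISTEN      -
tcp        0      0 10.0.0.5:22    10.0.0.9:40122   ESTABLISHED 2101/sshd
EOF
}

# Print "proto port pid program" for every listening TCP/UDP socket on stdin.
listeners() {
  awk '
    function emit(proto, laddr, owner,    n, part) {
      sub(/.*:/, "", laddr)                # keep only the port number
      n = split(owner, part, "/")          # "1914/in.identd" -> pid, name
      if (n < 2) { part[1] = "-"; part[2] = "-" }
      print proto, laddr, part[1], part[2]
    }
    $1 ~ /^tcp/ && $6 == "LISTEN" { emit($1, $4, $7) }
    $1 ~ /^udp/ && $5 ~ /:\*$/    { emit($1, $4, $6) }
  '
}

# Resolve one listener to its binary, owning package and documentation files.
describe() {   # args: proto port pid program
  case "$4" in
    -)            echo "$1/$2 owner hidden (run netstat as root)"; return 0 ;;
    inetd|xinetd) echo "$1/$2 held by $4: look the port up in its config file"; return 0 ;;
  esac
  bin=$(readlink "/proc/$3/exe" 2>/dev/null) || bin=$(command -v "$4") || bin=""
  if [ -n "$bin" ] && command -v rpm >/dev/null 2>&1 && pkg=$(rpm -qf "$bin" 2>/dev/null); then
    echo "$1/$2 $4 -> $bin -> package $pkg"
    rpm -qd "$pkg" | sed 's/^/    doc: /'
  else
    echo "$1/$2 $4 -> ${bin:-binary not found} (no owning RPM found)"
  fi
}

audit() {   # stdin: output of `netstat -anp`
  listeners | sort -u | while read -r proto port pid prog; do
    describe "$proto" "$port" "$pid" "$prog"
  done
}
# Dry run of the parser on the sample; on a live host, as root: netstat -anp | audit
sample_netstat | listeners
```

Sockets that inetd holds (such as the "time" service from inetd.conf) show inetd as the owner, so the package lookup would describe inetd rather than the service; the script flags those instead.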
On Thu, 22 Nov 2001, Ray Dillinger wrote:
> When I run nmap against my system, it says something called "auth" is running on port 113. But there is no man page for auth. What is it? What will quit working if I shut it down?

It's the ident service. It's not needed anymore these days, although some mail-servers still try to gather information from it. If you disable it, and make your firewall answer with RST to SYNs to this port, everything should be fine.

> In inetd.conf, there were several services -- such as a "time" daemon with both UDP and TCP sockets, that had no explanation. I shut them down and nothing seems to have broken.
>
> The documentation for sunrpc, which binds port 111, does not say what it's used for in a SuSE install. Clearly, there could be important stuff depending on it. How can I tell whether there actually is? Just shut it down and see what breaks? Aargh!

Things like NFS need it to work. In general any RPC service.

Sebastian

--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@suse.de - SuSE Security Team
~

best bet is for you to run harden_suse on your machine. It will help get rid of all the unnecessary stuff thus you only enable those you need.

Noah.

On Thu, 22 Nov 2001, Ray Dillinger wrote:
> When I run nmap against my system, it says something called "auth" is running on port 113. But there is no man page for auth. What is it? What will quit working if I shut it down?
>
> In inetd.conf, there were several services -- such as a "time" daemon with both UDP and TCP sockets, that had no explanation. I shut them down and nothing seems to have broken.
>
> The documentation for sunrpc, which binds port 111, does not say what it's used for in a SuSE install. Clearly, there could be important stuff depending on it. How can I tell whether there actually is? Just shut it down and see what breaks? Aargh!
>
> I think that in general ANYTHING that binds a port ought to have a man page explaining what it is, why it needs a port, and what depends on it. It would make the job of security newbies who want to actually understand their systems instead of hamfistedly shutting stuff down and hoping for the best ever so much easier.
>
> Bear

participants (4)
- ksemat@wawa.eahd.or.ug
- Ray Dillinger
- Sebastian Krahmer
- Steffen Dettmer