RedHat 5.2 opens raw inet socket on port 1, why?

Post by Fred Wilson Horc » Sun, 07 Feb 1999 04:00:00

Any networking gurus out there willing to answer a few questions from a
RedHat Linux user?

I'd like to understand why my system (RedHat 5.2, Linux hostname 2.0.36
#1 Tue Dec 29 13:11:13 EST 1998 i586 unknown) is opening a raw inet
socket on port 1.  E.g.,

$ netstat -a --inet
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
raw        0      0 *:1                     *:*

None of the online resources or books I've seen (I spent the morning
browsing through TCP/IP Illustrated and a number of Linux networking
references) seem to talk much about AF_INET, SOCK_RAW ports.  I think I
understand what types of sockets exist, but my questions are:

1) What are the security implications of opening this port when
connected to the Internet?

2) I can list what processes are running (ps auxww) and what inet
sockets are open (netstat -a --inet), but how do I list which processes
have opened which sockets?

3) I've read about IP (RFC 791, 950, 919, 922), ARP (RFC 826), ICMP (RFC
792), UDP (RFC 768), TCP (RFC 793), BSD sockets and SVR4 STREAMS, but
I'm still having a hard time putting it all together.  I'm at the point
where I can't see the forest for the trees.  Can anyone recommend a good
expert reference book?  Should I shell out the bucks for TCP/IP
Illustrated?  (Anyone want to sell a used copy?)  Should I just memorize
the RFCs and meditate until I reach higher consciousness?

I know about the ISO layers, but I'm confused how all of these protocols
map on top of each other, and how the kernel, modules and user programs
divide up the tasks between getting information from the user and
sending a packet on the wire, and vice versa.  For example, I'm assuming
the inet port for a SOCK_STREAM, SOCK_DGRAM, or SOCK_RAW packet is
tucked into the IP packet somehow, but what about ICMP and ARP?  Are
ICMP messages sent in IP packets?  Do they have ports?

Who opens up each IP packet to see what's in it -- the kernel, a module,
or a user program?  Who exactly deals with ICMP?  (If you can't tell,
I'm not a kernel hacker.  If these questions seem stupid, please
forgive my ignorance and point me to a source of wisdom.)

4) I'm looking for maybe ten pages of information that would explain in
reasonable detail what protocols a Linux box on an Ethernet connected to
the Internet needs to speak, and which programs are responsible for
which parts.  For example, I know that I need to be able to send and
receive IP, but it's a little vague to me what part of Linux does that,
and if I can upgrade that part independently from, say, the part that
handles virtual memory.

Where can I find this online?  So far, I've done searches in InfoSeek,
HotBot, Yahoo, the Mozilla directory, Google, and DejaNews.  I've also
read http://metalab.unc.edu/LDP/HOWTO/Firewall-HOWTO.html,
http://metalab.unc.edu/LDP/HOWTO/NET-3-HOWTO.html,
http://metalab.unc.edu/LDP/HOWTO/Networking-Overview-HOWTO.html,
http://metalab.unc.edu/LDP/LDP/sag/index.html, and a bunch of others.

Yes, I did RTFM for kerneld, netstat, ifconfig, arp, init and route.
And I have read the above-referenced RFCs at
http://info.internet.isi.edu:80/in-notes/rfc/.

Thanks for the bandwidth,
Fred

P.S.  If you're running RedHat Linux 5.1 or below, I'd highly recommend
reading http://www.cert.org/advisories/CA-98.12.mountd.html.  Someone
over the Internet got root on two RedHat systems I'm responsible for.
It was not fun.
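An added example, not code from the thread: netstat builds that listing from /proc/net/raw, where a raw socket's "port" column is really the IP protocol number (so *:1 is a raw socket for protocol 1, ICMP) and state 7 is the kernel's TCP_CLOSE, meaning unconnected. The parser below assumes the usual /proc/net column order (sl, local_address, rem_address, st, ..., uid, timeout, inode) and works on a constructed sample; socket_owners() answers question 2 on a Linux host by matching socket inodes against /proc/<pid>/fd.

```python
"""Decode /proc/net/raw (what netstat reads) and map socket inodes to processes."""
import glob
import os
import socket
import struct

# IP protocol numbers: for a raw socket this is what netstat prints as the "port".
PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
# Kernel socket states; an unconnected raw or UDP socket sits in TCP_CLOSE (7).
STATES = {1: "ESTABLISHED", 7: "CLOSE (unconnected)", 10: "LISTEN"}

# Constructed sample in /proc/net/raw layout (not captured from a real host).
SAMPLE_RAW = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345
   6: 0100007F:0006 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 12346
"""

def decode_endpoint(hexaddr):
    """'00000000:0001' -> ('0.0.0.0', 1); the address is a native-endian 32-bit word."""
    ip_hex, num_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("=I", int(ip_hex, 16)))
    return ip, int(num_hex, 16)

def parse_proc_net(text):
    """Parse /proc/net/raw text (header line skipped) into a list of dicts."""
    entries = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        ip, num = decode_endpoint(f[1])
        entries.append({"local": ip, "num": num,
                        "proto": PROTOCOLS.get(num, str(num)),
                        "state": STATES.get(int(f[3], 16), f[3]),
                        "uid": int(f[7]), "inode": int(f[9])})
    return entries

def socket_owners():
    """inode -> [pid, ...] from /proc/<pid>/fd symlinks (run as root to see every process)."""
    owners = {}
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            target = os.readlink(fd)
        except OSError:
            continue
        if target.startswith("socket:["):
            owners.setdefault(int(target[8:-1]), []).append(int(fd.split("/")[2]))
    return owners
```

On a Linux host, parse_proc_net(open("/proc/net/raw").read()) combined with socket_owners() gives the per-PID view that plain netstat -a does not.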


RedHat 5.2 opens raw inet socket on port 1, why?

Post by Nick Shor » Mon, 08 Feb 1999 04:00:00
RedHat 5.0 too.  Thanks for the info.  I got hacked a few weeks ago; what I could piece together was that a weakness in the NFS system was exploited.

> P.S.  If you're running RedHat Linux 5.1 or below, I'd highly recommend
> reading http://www.cert.org/advisories/CA-98.12.mountd.html.  Someone
> over the Internet got root on two RedHat systems I'm responsible for.
> It was not fun.


What is "Raw Port #1, State 7" on Redhat 5.2?

As part of my efforts to tighten security on a Redhat 5.2 server, I've
looked at "netstat -an".  The one entry I don't understand is:

Proto  ...  Local Address ... State
raw    ...  0.0.0.0:1     ... 7

(I'm new to Linux, but I haven't seen this on the SGI/Irix & Sun/Solaris
servers that I usually work on.)

What is this?  Should I be concerned from a security perspective?

(This server is being prepared for deployment on the Internet.)
