2 How to look for services

On a Debian system, a list of services is available at /etc/services. A description of the file can be accessed by the command man services. This file does not control services, but it assigns names to port numbers.

If a service is handled by inetd, the controling file is /etc/inetd.conf. Any line that does not start with a pound # symbol sets up a helper server program. You can use the command man inetd.conf to read the system’s own manual on this file.

The important part is to search for a line that does not start with a pound (#) symbol. Such a line specifies that a particular service (first item of the line) is handled by a specific server program (last entry on a line). On a default Debian system, IDENT should be the only service handled by inetd.

Other services can be handled by standalone daemons. These services include SSH, HTTP and many others. To find out which ports are being “listened” by a daemon, use the following command:

This command runs a port scan against “localhost”, which means the machine that is running the scan. It lists the ports that are being listened. Note that if a machine has anti-scanning measures in place, this command can cause a false alarm.

Another method is to use the following command:

This command lists listening ports. Note that some ports are listed by numbers, and others listed by name. The ones listed by names are the ones defined in /etc/services. You only need to focus on the first part of the output, where the word LISTEN is on the right hand side.

The netstat command should not cause any false alarm. Here is how a line is interpreted (some extra spaces removed):

• tcp this is the protocol. TCP is the only protocol that can listen. Don’t worry about tcp6, as it is just referring to TCP version 6 (as opposed to version 4). The same ports should be open for both tcp and tcp6.
• 0 you can ignore this.
• 0 you can ignore this one, too.
• 0.0.0.0:2222 this indicates the local address. The IP address to the left of the colon indicates which interface of the computer is listening to this port. 0.0.0.0 means any interface can connect. The number to the right is the port number.
• 0.0.0.0:* this indicate the foreign address. This IP address to the left of the colon indicate which IP addresses the computer is listening to. 0.0.0.0 means the computer is listening to any IP address. The * symbol indicates the port number on the remote side. The patten 0.0.0.0:* should apply to all the ports being listened.
• LISTEN because of how the command is set up (to only list ports being listened).
• PID/Program name indicates the process ID (the identifier of the daemon) that listens to the port and the name of the daemon. In this example, 3492 is the process ID, and sshd is the name of the daemon.

Take a good look at the output of nmap and netstat. This gives you an idea of which ports are being listened to.