Simple security by evaluating ports

A simple but effective way to evaluate the security of your computer is to check which hosts it is connecting to, and which hosts are connecting to it. Much of the serious malware around today turns computers into zombies for botnets; a zombified host typically connects back to a central command-and-control server, often over IRC. Or you may inadvertently be running a program that listens for requests from the Internet. In any case, it is worth checking these connections.

In TCP/IP, connections are made through ports. A port is a 16-bit number that identifies a particular endpoint (usually a service) on a host; a connection is identified by the combination of local address and port with remote address and port. Some ports are well-known and conventionally associated with a service, e.g. port 80 for HTTP.

To see what ports are open, i.e., which sockets are listening and which connections your computer currently has, use the netstat -a command. (Adding -p, as root, also shows which process owns each socket; -n prints addresses and ports as numbers rather than names.)

The output will be lengthy, but we're really only interested in the top section, the Internet connections; the Unix domain sockets listed further down are local to the machine. An example from my own computer:

Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 aspire.local:49132      tc-in-f19.google.co:www TIME_WAIT
tcp        0      0 aspire.local:60227      tx-in-f103.google.c:www ESTABLISHED
udp        0      0 aspire.local:33954      58.69.254.67:domain     ESTABLISHED
udp        0      0 *:bootpc                *:*
udp        0      0 aspire.local:42088      58.69.254.68:domain     ESTABLISHED
udp        0      0 *:mdns                  *:*
udp        0      0 *:38142                 *:*

What does this say? That my computer is currently connected to web servers (the :www entries) and is making DNS requests (the :domain entries). Those are the entries that are simple to understand. But what of the others?

:ipp is the port used by the printer daemon, :mdns is used for multicast DNS on the local link, and :bootpc is the port on which a DHCP client receives replies. These are the ports that a default Ubuntu installation listens on: :ipp is opened by cupsd, :mdns by avahi-daemon, and :bootpc by the DHCP client (dhclient).

But what of that open UDP port 38142? Why isn't it identified by name? Because it is an ephemeral (dynamically assigned) port, so it has no entry in /etc/services, which is what netstat uses to translate port numbers into names. You can find out which process owns it by running

sudo lsof -i :38142

You'll see that it's also owned by the Avahi daemon. Just what is Avahi?

Avahi is a system which facilitates service discovery on a local network. This means that you can plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to, or find files being shared. This kind of technology is already found in Apple Mac OS X (originally branded Rendezvous, now Bonjour; the generic name for the technology is Zeroconf) and is very convenient. Avahi is mainly based on Lennart Poettering's flexmdns mDNS implementation for Linux, which has been discontinued in favour of Avahi.


So really, in a default Ubuntu installation, you really should have just ports opened by the printer daemon and Avahi. Other usual connections are for HTTP and DNS. Anything else that you're not sure of is typically suspect.
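The check described above, automated: an added example in POSIX shell, not part of the original post. It filters the Internet-connections section of netstat -a output for listening or bound sockets whose port is not in a small allowlist (ipp, mdns and bootpc, the three a default install is expected to have), lists the remote peers of established connections, and shows where lsof fits in. The netstat listing embedded as SAMPLE is constructed to mirror the one above, and the allowlist and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit the Internet-connections
# section of `netstat -a` output for sockets you cannot account for.

# Assumed allowlist for a default desktop install: cupsd on ipp, avahi-daemon
# on mdns, the DHCP client on bootpc. Anything else that is listening is flagged.
KNOWN_PORTS="ipp mdns bootpc"

# unknown_listeners: read `netstat -a` output on stdin and print one line
# ("proto local-address") for every listening TCP socket or bound UDP socket
# whose local port is not in KNOWN_PORTS. The column header and the Unix domain
# socket lines are ignored, so the whole of `netstat -a` can be piped in.
unknown_listeners() {
    awk -v known="$KNOWN_PORTS" '
        BEGIN { n = split(known, list, " "); for (i = 1; i <= n; i++) ok[list[i]] = 1 }
        $1 !~ /^(tcp|udp)6?$/ { next }
        # A TCP socket is "open" when it is in LISTEN state; UDP has no state,
        # so treat a UDP socket with no peer (*:*) as bound and waiting.
        ($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/ && $5 == "*:*") {
            port = $4; sub(/.*:/, "", port)      # keep only the port part
            if (!(port in ok)) print $1, $4
        }
    '
}

# peers: print each distinct remote endpoint the machine currently talks to
# (ESTABLISHED TCP connections and connected UDP sockets, e.g. DNS lookups).
peers() {
    awk '$1 ~ /^(tcp|udp)6?$/ && $6 == "ESTABLISHED" { print $5 }' | sort -u
}

# owner_of_port: on a live system, show which process holds the given port
# (-n and -P skip name lookups; root is needed to see other users' sockets).
# Not run by the demo below.
owner_of_port() {
    sudo lsof -nP -i ":$1"
}

# Constructed sample mirroring the listing in the post (not live output).
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 aspire.local:49132      tc-in-f19.google.co:www TIME_WAIT
tcp        0      0 aspire.local:60227      tx-in-f103.google.c:www ESTABLISHED
udp        0      0 aspire.local:33954      58.69.254.67:domain     ESTABLISHED
udp        0      0 *:bootpc                *:*
udp        0      0 aspire.local:42088      58.69.254.68:domain     ESTABLISHED
udp        0      0 *:mdns                  *:*
udp        0      0 *:38142                 *:*'

echo "Listening sockets not in the allowlist:"
printf '%s\n' "$SAMPLE" | unknown_listeners      # udp *:38142
echo "Remote peers:"
printf '%s\n' "$SAMPLE" | peers
# On a real machine: sudo netstat -ap | unknown_listeners ; then owner_of_port 38142
```

Because the filter only looks at the first six columns, it works unchanged on the output of sudo netstat -ap, where the PID/Program name column is appended at the end; that is the quickest way to go from a flagged port to the process behind it without a separate lsof call.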