When I check my server, I found some strange ports:
JavaScript
x
[root@server ~]# netstat -tulnp |grep "-"Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:33181 0.0.0.0:* LISTEN - udp 0 0 0.0.0.0:2049 0.0.0.0:* - udp 0 0 0.0.0.0:33252 0.0.0.0:* - No program can be found in the output of netstat -tulnp(with root privilege).
How could I find the usage of these ports? How could I judge it’s safe or not?
OS: CentOS 5.6 x86_64
Kernel: 2.6.18-238.el5 #1 SMP Thu Jan 13 15:51:15 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
update:
JavaScript
# rpcinfo -pprogram vers proto port100000 2 tcp 111 portmapper100000 2 udp 111 portmapper100011 1 udp 824 rquotad100011 2 udp 824 rquotad100011 1 tcp 827 rquotad100011 2 tcp 827 rquotad100003 2 udp 2049 nfs100003 3 udp 2049 nfs100003 4 udp 2049 nfs100021 1 udp 33252 nlockmgr100021 3 udp 33252 nlockmgr100021 4 udp 33252 nlockmgr100003 2 tcp 2049 nfs100003 3 tcp 2049 nfs100003 4 tcp 2049 nfs100021 1 tcp 33181 nlockmgr100021 3 tcp 33181 nlockmgr100021 4 tcp 33181 nlockmgr100005 1 udp 839 mountd100005 1 tcp 842 mountd100005 2 udp 839 mountd100005 2 tcp 842 mountd100005 3 udp 839 mountd100005 3 tcp 842 mountdAdvertisement
Answer
These are likely to be RPC ports reserved by the portmapper. 2049 is a well known port used by NFS. Your other ports are probably other RPC services. To query the portmapper for a full list of services and their ports use rpcinfo -p.