如何读取 netstat 端口?
How to read netstat ports?
我做了 netstat -tulpn | grep listen 并得到了下一个结果:
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 14901/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1011/exim4
tcp 0 0 127.0.0.1:5000 0.0.0.0:* LISTEN 826/ang
tcp6 0 0 :::80 :::* LISTEN 655/apache2
tcp6 0 0 :::22 :::* LISTEN 14901/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1011/exim4
tcp6 0 0 :::443 :::* LISTEN 655/apache2
如何关闭端口?
此配置是否存在任何安全问题?
问题的第一部分-如何关闭端口?
You can stop the service listed in the last column, or kill it. Stopping the service makes sure it wont start again on its own. Killing the service means some other process like upstart might start it up again.
问题的第二部分 - 这是否存在安全问题?
I would say yes, unless you have some firewall and access control mechanism in place. The reason is that the ssh service is listening for connections from any source. Ideally, you would restrict this on the firewall (or in the ssh config) and only allow known sources to connect. If you want to go one step further, make ssh listen on another port than the default port (22) so that you can avoid being seen by the most basic/common scanners. I only mention ssh as an example. You will need to review this periodically for any more software/services you deploy on that machine.
我做了 netstat -tulpn | grep listen 并得到了下一个结果:
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 14901/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1011/exim4
tcp 0 0 127.0.0.1:5000 0.0.0.0:* LISTEN 826/ang
tcp6 0 0 :::80 :::* LISTEN 655/apache2
tcp6 0 0 :::22 :::* LISTEN 14901/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1011/exim4
tcp6 0 0 :::443 :::* LISTEN 655/apache2
如何关闭端口? 此配置是否存在任何安全问题?
问题的第一部分-如何关闭端口?
You can stop the service listed in the last column, or kill it. Stopping the service makes sure it wont start again on its own. Killing the service means some other process like upstart might start it up again.
问题的第二部分 - 这是否存在安全问题?
I would say yes, unless you have some firewall and access control mechanism in place. The reason is that the ssh service is listening for connections from any source. Ideally, you would restrict this on the firewall (or in the ssh config) and only allow known sources to connect. If you want to go one step further, make ssh listen on another port than the default port (22) so that you can avoid being seen by the most basic/common scanners. I only mention ssh as an example. You will need to review this periodically for any more software/services you deploy on that machine.