Hello, I just wanted to verify that the only services that have open ports on my server are the web server and SSH server. So I ran netstat -anp and I don't understand some of the listings; I read the netstat man page but it doesn't really answer my questions. I will list my netstat output interleaved with my comments here, with some IP addresses changed to protect the innocent, and with the unix sockets stuff removed because I don't think it's relevent:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   

This is my SSH server listening on port 22 for all the world to connect to.

tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      -                   

This is my postgres server listening only on the local IP address, not routable, for all the world to connect to. I believe that only my own server can connect internally to it because it is using the localhost IP address; but I wonder why the configuration is such that the port is open to anyone. Does this mean that if someone managed to tunnel over my SSH server that they could connect remotely to my postgres server? Would it make any difference to change my postgres configuration to only listen for connections from localhost?

tcp        0     48 AAA.BBB.CCC.DDD:22      WWW.XXX.YYY.ZZZ:21796     ESTABLISHED -                   

This is my current SSH connection to the server on which I ran netstat (IP addresses redacted).

tcp        0      0 :::80                   :::*                    LISTEN      -                   

This is my Apache web server listening on port 80 for the world to connect to. But I don't understand why it is listed in this form - I don't understand this form of address (three colons and then a port). Why isn't it listed like the SSH server as 0.0.0.0:80 with remote address 0.0.0.0:*? I don't understand this way of listing addresses or why it is different than the SSH case.

tcp        0      0 ::1:5432                :::*                    LISTEN      -                   

This is my postgres server again, I believe; the port number is right. But I don't understand why it's listed again here. For what it's worth, I did try connecting to port 5432 from the outside and got 'connection refused' even though this line makes it look like postgres is listening to the world. I am confused.

udp        0      0 ::1:57034               ::1:57034               ESTABLISHED -      

OK what the heck is this?

Your postgres is listening on localhost only which means only your server can connect to it, if someone got into your server via SSH then yes they could connect but you'd also have bigger problems.

Postgres/apache is listed twice because of IPv6, ::1:5432 is the IPv6 equivalent of 127.0.0.1:5432

The last one not sure, run sudo netstat -lpntu to see what's listening the pid/program name is only shown when running as root.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue

Thank you for your response. If the ::: address form is for IPv6, why would my apache server only be listed as listening on :::80? Does that mean that it is only listening on IPv6 (impossible as I connect to it via IPv4 all the time)? Or is the IPv4 listing somehow 'folded up' into this IPv6 line?

I ran the netstat -lpntu command you specified but that UDP connection is gone now and isn't listed anymore. I really don't know what that was. Should I be concerned?

Apache should be listening on ipv4 as well, what does sudo netstat -lpntu show (the full output).

netstat -apn shows all connections not just listening ones so the other udp you can ignore, it was only localhost anyway.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue

OK, I can answer my own question here, after having done some reading on IPv6 (very interesting!).

Linux supports IPv4-mapped IPv6 addresses and thus a process on Linux can listen only on an IPv6 port and still communicate with IPv4 hosts. To the server, it is always talking only IPv6; but IPv4 clients are automaticaly connected to the server via the IPv4 to IPv6 mapping that the Linux TCP stack(s) do.

This is a nice feature of Linux that makes server implementations simpler while at the same time providing support for both IPv4 and IPv6 transparently.

I guess that Apache is now written to take advantage of this feature, whereas postgresql and sshd (at least the old-ish versions I have) are not, which explains the differences in the way they are listed from netstat (postgresql and sshd being listed as IPv4 services, Apache as an IPv6 service).

EDIT
I also figured out what that weird udp connection was ... I got another one and it looks like it's postgresql. I have no idea why postgresql sends IPv6 UDP packets to itself but anyway the connection appears to be postgresql related. e.g.

udp        0      0 ::1:57034               ::1:57034               ESTABLISHED 1313/postgres