How to determine unused network services

Status
Not open for further replies.

piet83

Technical User
Oct 21, 2008
Hello, I'm quite new to AIX and Unix in general, and I have a question.

How can I monitor which network services are being used and which are unused? And how can I determine what or who uses them?

For example, I would like to disable rsh and replace it with ssh. How can I see who is using rsh and what they are doing with it?

I know I can see a lot with `netstat -i` and `lsof -i`, but they are not giving me the information I'd like. Can someone give me some tips?
 
Yes thank you, I know that I can see the network status with `netstat -a` and then I can do an `lsof -i :[portnr or servicename]` to see what kind of PID is behind that port or service.

But that's just a snapshot of one moment in time. I could run the commands at different times and on different days, but isn't there an easier way to do this?

How would the experts do this? How do they determine the unused services? And how do they work when they're replacing rsh with ssh? There are many scripts that still use rsh.
 
"How would the experts do this? How do they determine the unused services?"

Switch off all services and wait for the complaints to come in then open them up one by one. ;)

Or you need to know your network.
 
One way to do this is to replace the actual command with one that traps usage. For example:

rename /usr/bin/rsh to /usr/bin/rshr
put the following script in /usr/bin and name it rsh
be sure to provide execute permission

```
# /usr/bin/rsh replacement command to trap rsh usage
COMO=/tmp/rsh_log.`date +%d%h%y.%H:%M`
COMD=rsh_"$@"
who -m >> ${COMO}
print ${COMD} >> ${COMO}
rshr "$@" | tee -a ${COMO}
date >> ${COMO}
echo "rsh has been used" | mail me@mydomain.com
```

This will capture who, when, and what in a file in /tmp and also send you an email to let you know it happened.

Change the command names to do this for as many commands as you like.

 
Thank you for your reply. It is very useful but there is still one thing. If the rsh command is executed from within a script I would like to log the name of that script.

 
When I try your script, rsh doesn't work anymore.

```
hostname# rsh hostname
+ + date +%d%h%y.%H:%M
COMO=/tmp/rsh_log.24Oct08.10:34
+ COMD=rsh_hostname
+ who -m
+ 1>> /tmp/rsh_log.24Oct08.10:34
+ print rsh_hostname
+ 1>> /tmp/rsh_log.24Oct08.10:34
+ /usr/bin/rshr hostname
+ tee -a /tmp/rsh_log.24Oct08.10:34
host: name rshr NOT FOUND
+ date
+ 1>> /tmp/rsh_log.24Oct08.10:34
```

It looks like it tries to connect to rshr, but I don't know why.
 
I have fixed it thanks to a colleague of mine. I moved rsh to /root/bin/ and then made the script below in /usr/bin/ named rsh.
It even catches the script name from which it is started with the variable $PPID. Be sure to put #!/usr/bin/ksh to your scripts and it works.

```
#!/usr/bin/ksh
# /usr/bin/rsh replacement command to trap rsh usage
COMO=/tmp/rsh_log.`date +%d%h%y.%H:%M`
COMD=rsh_"$@"
# Log the ps entry of the parent process (the calling script or shell)
ps -ef | grep "$PPID" | while read LINE
do
    # Keep only the line whose PID column is exactly $PPID
    echo "$LINE" | awk '{print $2}' | grep -qx "$PPID"
    if [ $? = 0 ] ; then
        echo "$LINE" >> ${COMO}
    fi
done
who -m >> ${COMO}
print ${COMD} >> ${COMO}
# Run the real rsh (moved to /root/bin) and copy its output to the log
/root/bin/rsh "$@" | tee -a ${COMO}
date >> ${COMO}
```

Thank you for your help.
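
Added example, not part of the thread: the wrapper above only records rsh client calls made on this host, so for the original question (which listening services are used over time, and by whom) one option is to append `netstat -an` output to a file from cron and summarise it later. The code assumes AIX/BSD-style `address.port` columns; the sample lines, addresses, log path and function names are constructed for illustration.

```shell
#!/bin/sh
# Summarise accumulated `netstat -an` snapshots, e.g. collected from cron with
#   netstat -an >> /var/adm/netstat_snapshots.log   (hypothetical path)
# Assumes AIX/BSD-style "address.port" columns.

# Constructed sample: two snapshots concatenated, as the cron job would leave them.
sample_snapshots() {
cat <<'EOF'
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.513                  *.*                    LISTEN
tcp4       0      0  *.514                  *.*                    LISTEN
tcp4       0      0  10.1.1.5.514           10.1.1.9.1021          ESTABLISHED
tcp4       0      0  10.1.1.5.22            10.1.1.7.51544         ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.513                  *.*                    LISTEN
tcp4       0      0  *.514                  *.*                    LISTEN
tcp4       0      0  10.1.1.5.514           10.1.1.8.1019          TIME_WAIT
tcp4       0      0  10.1.1.5.40112         10.1.1.20.22           ESTABLISHED
EOF
}

# port_usage: for every listening TCP port seen in the snapshots on stdin,
# print "port  sightings  peer-addresses" (peers "-" when never connected).
port_usage() {
  awk '
    function port(a) { sub(/.*\./, "", a); return a }      # text after last dot
    function host(a) { sub(/\.[^.]*$/, "", a); return a }  # text before last dot
    $1 ~ /^tcp/ && $6 == "LISTEN" { listen[port($4)] = 1; next }
    $1 ~ /^tcp/ && NF >= 6 {
      p = port($4); h = host($5); hits[p]++
      if (!((p, h) in seen)) {
        seen[p, h] = 1
        peers[p] = peers[p] (peers[p] ? "," : "") h
      }
    }
    END {
      for (p in listen)
        printf "%s %d %s\n", p, hits[p], (peers[p] ? peers[p] : "-")
    }
  ' | sort -n
}

# unused_ports: listening ports that never had a connection in any snapshot.
unused_ports() { port_usage | awk '$2 == 0 { print $1 }'; }

sample_snapshots | port_usage
```

A port listed by `unused_ports` was only idle at the sampled moments; short-lived connections between samples are missed, so sample often and over a full business cycle before disabling a service.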
 