Before discussing this issue, let's first understand computer concepts such as physical ports, logical ports, and port numbers.
Port-related concepts:
In network technology, ports include logical ports and physical ports. Physical ports refer to physically existing ports, such as ports on ADSL Modem, hubs, switches, and routers that are used to connect other network devices, such as RJ-45 ports, SC ports, and so on. Logical port refers to the port used to differentiate services in a logical sense, such as the service port in the TCP/IP protocol. The port number ranges from 0 to 65535, such as port 80 for browsing web services and port 21 for FTP services. Wait. Due to the large number of physical ports and logical ports, in order to distinguish the ports, each port is numbered, which is the port number
Ports can be divided into three categories according to the port number:
1: Well Known Port
The recognized port numbers are from 0 to 1023, and they are tightly bound to some common services. For example, the FTP service uses port 21. You can see the mapping relationship in /etc/services.
2: Registered Ports:
From 1024 to 49151. They are loosely bound to some services. That is, there are many services bound to these ports, and these ports are also used for many other purposes.
3: Dynamic and/or Private Ports
Dynamic ports, or private port numbers, are the number of ports that can be used by any software to communicate with any other software, using the Internet's Transmission Control Protocol, or the User Transport Protocol. Dynamic ports are generally from 49152 to 65535
There is a limited range of ports in Linux, if I want to reserve some ports for my program, then I need to control this port range. /proc/sys/net/ipv4/ip_local_port_range defines the local TCP/UDP port range, you can define net.ipv4.ip_local_port_range = 1024 65000 in /etc/sysctl.conf
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_local_port_range
32768 61000
[root@localhost ~]# echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range
Regarding ports and services, I used to use public toilets as an analogy. Every toilet in a public toilet is like every port in the system. Providing convenience for people is the so-called service. If you provide these services, then you must open the port (toilet). , when someone goes to the toilet, the link is established on these ports. If the toilet is occupied, it means that the port number is occupied by the service. If one day the public toilet service is not provided here, the public toilet is removed, and naturally there will be no port number. In fact, a more vivid example is like the bank lobby, the port numbers are those counters, and those who take the numbers to handle the business are like various clients linked to the server. They send business contacts with the counter through port redirection technology. To give another easy-to-understand example, the port number is like each station on the high-speed rail line. For example, Changsha, Yueyang, etc. respectively represent a port number. Passengers go to their respective stations through train tickets, just like each application is sent to the server. The IP packet of the port.
The relationship between ports and services
What is the port for? We know that a host with an IP address can provide many services, such as Web services, FTP services, SMTP services, etc. These services can be achieved through one IP address. So, how do hosts differentiate between different network services? Obviously can not rely on IP addresses, because the relationship between IP addresses and network services is a one-to-many relationship. In fact, different services are distinguished by "IP address + port number".
The correspondence between port numbers and corresponding services is stored in the /etc/services file, where most ports can be found.
How to check whether the port is open, in fact, I don't know how to do it, there are so many methods!
1: nmap tool detects open ports
nmap is a tool for network scanning and host detection. The installation of nmap is very simple as shown in the following rpm installation.
[root@DB-Server Server]# rpm -ivh nmap-4.11-1.1.x86_64.rpm
warning: nmap-4.11-1.1.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
1:nmap ########################################### [100%]
[root@DB-Server Server]# rpm -ivh nmap-frontend-4.11-1.1.x86_64.rpm
warning: nmap-frontend-4.11-1.1.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
1:nmap-frontend ########################################### [100%]
[root@DB-Server Server]#
Regarding the use of nmap, you can have a long-form close-up, which will not be expanded here. As shown below, nmap 127.0.0.1 checks the open ports of the machine and scans all ports. Of course, other server ports can also be scanned.
[root@DB-Server Server]# nmap 127.0.0.1
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-06-22 15:46 CST
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
631/tcp open ipp
1011/tcp open unknown
3306/tcp open mysql
Nmap finished: 1 IP address (1 host up) scanned in 0.089 seconds
You have new mail in /var/spool/mail/root
[root@DB-Server Server]#
2: The netstat tool detects open ports
[root@DB-Server Server]# netstat -anlp | grep 3306
tcp 0 0 :::3306 :::* LISTEN 7358/mysqld
[root@DB-Server Server]# netstat -anlp | grep 22
tcp 0 0 :::22 :::* LISTEN 4020/sshd
tcp 0 52 ::ffff:192.168.42.128:22 ::ffff:192.168.42.1:43561 ESTABLISHED 6198/2
[root@DB-Server Server]#
As you can see above, this tool feels less clean and concise than nmap. Of course, it is not as powerful as nmap.
3: lsof tool detects open ports
[root@DB-Server Server]# service mysql start
Starting MySQL......[ OK ]
[root@DB-Server Server]# lsof -i:3306
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
mysqld 7860 mysql 15u IPv6 44714 TCP *:mysql (LISTEN)
[root@DB-Server Server]# service mysql stop
Shutting down MySQL..[ OK ]
[root@DB-Server Server]# lsof -i:3306
[root@DB-Server Server]#
[root@DB-Server Server]# lsof -i TCP| fgrep LISTEN
cupsd 3153 root 4u IPv4 9115 TCP localhost.localdomain:ipp (LISTEN)
portmap 3761 rpc 4u IPv4 10284 TCP *:sunrpc (LISTEN)
rpc.statd 3797 rpcuser 7u IPv4 10489 TCP *:1011 (LISTEN)
sshd 4020 root 3u IPv6 12791 TCP *:ssh (LISTEN)
sendmail 4042 root 4u IPv4 12876 TCP localhost.localdomain:smtp (LISTEN)
4: Use telnet to detect whether the port is open
Even if the server port is in the listening state, but the firewall iptables blocks the port, it is impossible to detect whether the port is open by this method.
5: The netcat tool detects whether the port is open.
[root@DB-Server ~]# nc -vv 192.168.42.128 1521
Connection to 192.168.42.128 1521 port [tcp/ncube-lm] succeeded!
[root@DB-Server ~]# nc -z 192.168.42.128 1521; echo $?
Connection to 192.168.42.128 1521 port [tcp/ncube-lm] succeeded!
0
[root@DB-Server ~]# nc -vv 192.168.42.128 1433
nc: connect to 192.168.42.128 port 1433 (tcp) failed: No route to host
Close ports and open ports
Closing a port and opening a port should be two different concepts, each port has a corresponding service, so to close a port, just close the corresponding service. Like the example below, the MySQL service is turned on, and the port 3306 is in the listening state. After the MySQL service is turned off, the port 3306 is naturally closed.
[root@DB-Server Server]# service mysql start
Starting MySQL......[ OK ]
[root@DB-Server Server]# lsof -i:3306
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
mysqld 7860 mysql 15u IPv6 44714 TCP *:mysql (LISTEN)
[root@DB-Server Server]# service mysql stop
Shutting down MySQL..[ OK ]
[root@DB-Server Server]# lsof -i:3306
[root@DB-Server Server]#
Therefore, there are some unnecessary ports and services in the system. From the perspective of security or resource saving, those unnecessary services should be closed. Close the corresponding port. In addition, even if the service is enabled, the firewall restricts the corresponding port, so that the port cannot be accessed, but the port itself is not closed, but the port is blocked.