Let's take a look at the output of tcpdchk on a sample system:
# tcpdchk warning: /etc/inetd.conf, line 75: in.tftpd: not found in /usr/sbin: No such file or directory
Well, that's not good. The output tells me that on line 75, the TFTP daemon is enabled, but it doesn't exist on the system. Good thing, because I didn't install it. In fact, I don't want TFTP enabled. Commenting out line 75 and the output from tcpdchk becomes nothing. That's good. The tcpdchk utility checks for programs and also ensures that an entry for the program can be found in /etc/services. After all, inetd has to know which port to bind. If nothing's wrong, you get no output.
This brings me to my next point. I didn't want TFTP enabled at all. Good thing I didn't install it. But tcpdchk won't tell me what is enabled; I have to check that myself. The tool I use for this is netstat. In this case, I'll use netstat -a to show me not just current connections, but servers listening on ports for connections (this is a partial listing):
# netstat -a tcp 0 0 *:smtp *:* LISTEN tcp 0 0 *:7110 *:* LISTEN tcp 0 0 volcan.pananix.c:domain *:* LISTEN tcp 0 0 localhost:domain *:* LISTEN tcp 0 0 *:www *:* LISTEN tcp 0 0 *:printer *:* LISTEN tcp 0 0 *:auth *:* LISTEN tcp 0 0 *:swat *:* LISTEN tcp 0 0 *:finger *:* LISTEN tcp 0 0 *:uucp *:* LISTEN tcp 0 0 *:imap2 *:* LISTEN tcp 0 0 *:pop3 *:* LISTEN tcp 0 0 *:pop2 *:* LISTEN tcp 0 0 *:exec *:* LISTEN tcp 0 0 *:login *:* LISTEN tcp 0 0 *:shell *:* LISTEN
Here's the first mysterywhat's that listening on 7110? Let's use the fuser command (specifying the TCP namespace) to find out:
# fuser -n tcp 7110 7110/tcp: 2967
And the winner is: process ID 2967. Okay, let's see what it is:
# ps awx | grep 2967 2967 ? S 0:02 /usr/opt/applix/axdata/fontmetrics/gallium/fs/axfontfs -cf /usr/opt/applix/axdata/fontmetrics/gallium/fs/
Well, this looks like it's the Applix font server. That's okay with me, so let's look a little further. Most look innocuous enoughSMTP, DNS, HTTP, LP, AUTH, SWAT, and so on. But then we get down to EXEC, LOGIN, and SHELL. I don't think I want those "r" commands running. They're a bit too unsecure even for this system, which dials in to the Internet only infrequently.
So where are they running from? Let's use fuser, ps, and grep to find out (just like we did previously):
# fuser -n tcp shell shell/tcp: 617
Our grep of ps awx shows this:
617 ? SW 0:00 [inetd]
This is our old friend inetd. So, we need to find the shell line, comment it out, save the file, and restart inetd.