How to Find Unnecessary Network Processes in Ubuntu/Linux

Post by on December 30, 2013

Have you ever wondered which processes are listening for network connections? Knowing what is listening matters for both performance and security: every listening socket on a public interface is attack surface. As long as you don't have a lot of processes on your system, you can audit this fairly easily.

Before you begin, a disclaimer: my method of sysadmin is to turn processes off and see if anyone complains. This is not best practice, so make sure you have a backup (including any data the service holds) before you uninstall anything. With the niceties out of the way, let's begin.

First, let's list which processes are listening on which ports. Run it as root: without root, netstat only fills in the PID/Program name column for your own processes and prints "-" for everyone else's. (netstat comes from the net-tools package, which newer Ubuntu releases no longer install by default; ss -tulpn from iproute2 shows the same information.)

$ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:20000           0.0.0.0:*               LISTEN      3447/sogod
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      2396/dovecot
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      2396/dovecot
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      3967/perl
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      927/apache2
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2630/postgres
tcp        0      0 127.0.0.1:5433          0.0.0.0:*               LISTEN      3049/postgres
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      927/apache2
tcp6       0      0 :::993                  :::*                    LISTEN      2396/dovecot
tcp6       0      0 :::143                  :::*                    LISTEN      2396/dovecot
udp        0      0 0.0.0.0:10000           0.0.0.0:*                           3967/perl
...
(Note: I eliminated irrelevant processes, i.e. you may see many more processes on your system.)

Tip: build a set of networking aliases to aid your memory.

I keep a running list of bash aliases to help with networking (see aliases_networking in my dotfiles). I use the following:

alias lsports='netstat -tulpn'

Notice the "sogod" process? I know exactly what that is: it's the daemon of the SOGo groupware server (webmail, calendar and contacts), which listens on port 20000 by default, and I am not using it. So I will go ahead and completely uninstall it:

$ sudo apt-get remove --purge sogo

Next, there is this mysterious perl process, listening on port 10000 (tcp and udp) on every interface. I haven't a clue what it is, so I'll do a process list and grep for its PID (the grep itself shows up in the output; ps -p 3967 -o user,pid,cmd avoids that):

$ ps aux | grep 3967
joseph    1003  0.0  0.1   4388   564 pts/1    R+   18:20   0:00 grep 3967
root      3967  0.0  0.4  18904  2160 ?        Ss   Dec27   0:25 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf

That is Webmin, running as root and listening on every interface. I do not need it either, so I'll remove it too:

$ sudo apt-get remove --purge webmin
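The two steps so far (list the listening sockets, then work out what an unfamiliar PID actually is) combined into one script. This is an added example, not code from the original post. It assumes a Debian/Ubuntu system with dpkg and with ss from iproute2 (falling back to netstat), run as root; the function names classify_listeners and describe_pid are my own, and the sample listing it classifies offline is constructed to mirror the output above, with one ss-style line added.

```shell
#!/bin/bash
# Added example, not code from the original post: the listing step and the
# "what is this PID?" step combined into one script.
# Assumptions: Debian/Ubuntu with dpkg; `ss` from iproute2 (falls back to
# netstat, which comes from the deprecated net-tools package); run as root,
# otherwise the PID/program column is blank for other users' processes.
set -uf   # -u: unset variables are errors; -f: no globbing of paths we split

# classify_listeners: read `netstat -tulpn` or `ss -tulpn` output on stdin and
# print one line per listening socket:  EXPOSURE PROTO PORT PID/PROGRAM
#   PUBLIC  bound to a wildcard address (0.0.0.0, :::, [::], *): reachable on
#           every interface, so these are the ones to question first
#   LOCAL   bound to loopback only (127.x.x.x, ::1)
#   IFACE   bound to one specific interface address
classify_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        proto = $1
        if ($2 ~ /^[0-9]+$/) {
            # netstat: Proto Recv-Q Send-Q Local Foreign [State] PID/Program
            laddr = $4; pidprog = $NF
        } else {
            # ss: Netid State Recv-Q Send-Q Local Peer users:(("name",pid=N,fd=M))
            laddr = $5; pidprog = "-"
            if (match($0, /"[^"]*",pid=[0-9]+/)) {
                split(substr($0, RSTART, RLENGTH), a, /[",=]+/)
                pidprog = a[4] "/" a[2]          # a[2]=name a[4]=pid
            }
        }
        n = split(laddr, parts, ":")             # port is after the last colon
        port = parts[n]
        host = substr(laddr, 1, length(laddr) - length(port) - 1)
        if (host == "0.0.0.0" || host == "::" || host == "[::]" || host == "*" || host == "")
            exposure = "PUBLIC"
        else if (host ~ /^127\./ || host == "::1" || host == "[::1]")
            exposure = "LOCAL"
        else
            exposure = "IFACE"
        printf "%-7s %-5s %-6s %s\n", exposure, proto, port, pidprog
    }'
}

# describe_pid: executable, full command line and owning package(s) of a PID.
# For an interpreter (the perl/miniserv.pl case above) /proc/PID/exe is just
# /usr/bin/perl, so dpkg -S is also tried on every absolute path in the
# command line; a path that no package owns is itself worth noting, since it
# means something was installed outside the package manager.
describe_pid() {
    local pid=$1 exe cmd pkgs f p
    exe=$(readlink -f "/proc/$pid/exe" 2>/dev/null) || exe="?"
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null) || cmd="?"
    pkgs=""
    for f in $exe $cmd; do
        case $f in
            /*) p=$(dpkg -S "$f" 2>/dev/null | head -n 1 | cut -d: -f1)
                if [ -n "$p" ]; then
                    case " $pkgs " in *" $p "*) ;; *) pkgs="$pkgs $p" ;; esac
                fi ;;
        esac
    done
    printf 'pid %s\n  exe:     %s\n  cmdline: %s\n  package:%s\n' \
        "$pid" "$exe" "$cmd" "${pkgs:- (none: not installed from a package)}"
}

# Constructed sample input (mirrors the post's netstat listing, plus one
# ss-style line) so the classifier can be exercised offline.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:20000           0.0.0.0:*               LISTEN      3447/sogod
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2630/postgres
tcp6       0      0 :::993                  :::*                    LISTEN      2396/dovecot
udp        0      0 0.0.0.0:10000           0.0.0.0:*                           3967/perl
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))'

if [ "${1:-}" = "--live" ]; then
    # Classify this host, then describe the PID behind every PUBLIC listener.
    listing=$({ ss -tulpn 2>/dev/null || netstat -tulpn; } | classify_listeners)
    printf '%s\n' "$listing"
    printf '%s\n' "$listing" |
        awk '$1 == "PUBLIC" && $4 ~ /^[0-9]+\// { sub(/\/.*/, "", $4); print $4 }' |
        sort -u | while read -r pid; do describe_pid "$pid"; done
else
    printf '%s\n' "$SAMPLE" | classify_listeners
fi
```

Run it as root with --live to classify the real host and print the executable, command line and owning package of every PUBLIC listener; with no arguments it only classifies the embedded sample. On the perl process above the package lookup would report perl-base for /usr/bin/perl but webmin for /usr/share/webmin/miniserv.pl if Webmin was installed from its .deb, which is what turns "3967/perl" into a name you can act on; a "(none)" answer for a path under /usr or /opt is a finding in its own right.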

Next, I notice Dovecot is listening on ports 143 and 993. I didn't install it and I'm not sure what is using it, so for now I just want to stop it rather than remove it:

$ sudo /etc/init.d/dovecot stop

(Come to find out, Dovecot is an IMAP/POP3 server, which is exactly what ports 143 and 993 are: it serves the mailboxes that an MTA such as Postfix or Exim delivers into, so if any mail lands on this box something may depend on it. I'm glad I didn't uninstall it. Note that an init.d stop only lasts until the next boot; to keep it off, disable the service as well, with update-rc.d dovecot disable on the Ubuntu of this post or systemctl disable --now dovecot on systemd releases.)

Last, I notice that postgres is running, but I'm quite sure nothing is using it. There are two clusters, 8.4 on 5432 and 9.1 on 5433, both bound to 127.0.0.1 only. One easy way to tell whether they are used is to see what data is in there. I don't have the postgres password, but on Debian/Ubuntu that doesn't matter: the default pg_hba.conf rule maps the OS user postgres to the database superuser by peer authentication, with no password, so a root shell is all I need. First, I'll find the config files to confirm that rule is present:

$ find /etc/postgresql/ -name "pg_hba.conf"
/etc/postgresql/8.4/main/pg_hba.conf
/etc/postgresql/9.1/main/pg_hba.conf

Each file should contain a local line with peer authentication, such as:

local   all             all                                     peer

Only if that rule is missing or has been changed to md5 (password) would you temporarily switch it to trust, and then only for the postgres role and only until you are done: trust lets every local OS account connect as the database superuser with no authentication at all, so revert it and reload the server afterwards.

Now I can log in. psql with no -p argument connects to the cluster on the default port 5432, which is the 8.4 one; the 9.1 cluster is on 5433. (If you did edit pg_hba.conf, reload the server first with sudo service postgresql reload.)

$ sudo -u postgres psql
psql (8.4.17)
Type "help" for help.

postgres=# \list
                                  List of databases
   Name    |  Owner   | Encoding |  Collation  |    Ctype    |   Access privileges   
-----------+----------+----------+-------------+-------------+-----------------------
 postgres  | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
 template0 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres
                                                             : postgres=CTc/postgres
 template1 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres
                                                             : postgres=CTc/postgres
(3 rows)

It looks like these databases are all default. \list only shows the cluster you are connected to, so repeat the check against the 9.1 cluster on 5433 (psql -p 5433; pg_lsclusters lists every cluster with its port and status) before going further. Only if both clusters look like this does it make sense to take my chances that postgres isn't used and uninstall both versions:

$ sudo apt-get remove --purge postgresql-8.4 postgresql-9.1

Voilà! I've cleaned up some applications I didn't need. They were using resources, and sogod, Webmin and Dovecot were a security risk because they were bound to 0.0.0.0, i.e. listening on every interface; the two postgres clusters were bound to 127.0.0.1 only, so removing them trimmed local attack surface rather than network exposure. Run the netstat command again afterwards to confirm the ports are really gone.

For more related tips, read nixCraft's article on "Linux: Find Out Which Process Is Listening Upon a Port".
