Checking if service is running

anaigini45 · April 27, 2017, 2:54am

Hi,

For audit reasons, I need to stop the web server service in some Solaris servers.
The port that is listening for this service is port 10000.

This is the output that shows the port 10000 is open in the server :

# netstat -an | grep 10000
10.70.21.144.10000   10.70.21.133.58130   49640      0 49640      0 FIN_WAIT_2
      *.10000              *.*                0      0 49152      0 LISTEN
10.70.21.145.52626   10.70.21.248.10000   17536      0 49640      0 CLOSE_WAIT
#

However, firewall is not even enabled in the server. How come the port shows as listening if the firewall is not even open :

# svcs -a|grep -i ipfil
disabled       Dec_23   svc:/network/ipfilter:default
#

Seems like apache2 shows disabled :

# svcs apache2
STATE          STIME    FMRI
disabled       Dec_23   svc:/network/http:apache2
#

Checking for service apache and httpd does not produce any output :

# svcs httpd
svcs: Pattern 'httpd' doesn't match any instances
STATE          STIME    FMRI

# svcs apache
svcs: Pattern 'apache' doesn't match any instances
STATE          STIME    FMRI
#

And when I check if apache process is running :

# ps -ef | grep apache
 sdpuser  1134  1358   0   Apr 26 ?           0:00 /usr/apache/bin/httpd
 sdpuser 22971  1358   0   Apr 26 ?           0:00 /usr/apache/bin/httpd
 sdpuser 10910  1358   0 11:11:14 ?           0:00 /usr/apache/bin/httpd
 sdpuser  1358     1   0   Dec 23 ?           2:25 /usr/apache/bin/httpd
 sdpuser 14745  1358   0 09:41:09 ?           0:00 /usr/apache/bin/httpd
 sdpuser 10915  1358   0 11:11:15 ?           0:00 /usr/apache/bin/httpd
    root  6445  5575   0 14:47:52 pts/5       0:00 grep apache

# ps -ef | grep httpd
 sdpuser  1134  1358   0   Apr 26 ?           0:00 /usr/apache/bin/httpd
 sdpuser 22971  1358   0   Apr 26 ?           0:00 /usr/apache/bin/httpd
 sdpuser 10910  1358   0 11:11:14 ?           0:00 /usr/apache/bin/httpd
 sdpuser  1358     1   0   Dec 23 ?           2:25 /usr/apache/bin/httpd
 sdpuser 14745  1358   0 09:41:09 ?           0:00 /usr/apache/bin/httpd
 sdpuser 10915  1358   0 11:11:15 ?           0:00 /usr/apache/bin/httpd
    root  6463  5575   0 14:48:00 pts/5       0:00 grep httpd
#

I do not understand how the outputs above are related. When I check the status of apache2 with svcs it shows that apache2 is disabled. There is no output for svcs apache & svcs httpd. But ps -ef shows some httpd process. Does this mean that apache/httpd is started in some customized way, and not using svcs?

If so, does killing the process id from the ps -ef output kill the web server process once and for all?

And how do I stop the server from listening to port 10000 when the firewall is not even open? Will killing the process id "49152" do it?

Thanks,
Aigini

jlliagre · April 27, 2017, 3:13am

Likely "apachectl start"

Yes, although "apachectl stop" would be a cleaner way to stop it.

A firewall doesn't prevent a process to listen to whatever port, it might just prevent some or all traffic to reach that port.

There is no process 49152 involved here but in any case, killing whatever process wouldn't change the fact apache listens on port 10000.

anaigini45 · April 27, 2017, 5:38am

Thank you, for the information.
However, is there a command that can stop the server from listening to port 10000?

I need to stop the listening on this port.

rbatte1 · April 27, 2017, 9:05am

A good tool is lsof used like this:-

lsof -i tcp:10000

You will get a few lines of output and the PID should be obvious. Be careful, because you will also list processes connected to remote port 10000 too.

I hope that this helps,
Robin

jlliagre · April 27, 2017, 11:56am

If the issue is about this port number specifically, you can configure apache to listen to a different TCP port by editing the /etc/apache2/httpd.conf file (or a file referenced by it), "Listen" directive.

Otherwise, there is no way to configure apache not to listen on any port, which would be quite pointless, just stop the server.

---------- Post updated at 17:56 ---------- Previous update was at 17:51 ----------

As long as it is installed which is often not the case, "lsof" not being part of Solaris distributions. See How to install pkg lsof in Solaris 11?, especially the last posting.

achenle · April 29, 2017, 10:50am

If you're on Solaris 11.2 or later

netstat -aun

will show what PID is attached to all network objects (listening on ports, connected, etc) along with the base name of the process executable.

jlliagre · April 29, 2017, 5:33pm

and for older releases, "pfiles -p pid" can be used to confirm what ports, if any, a given process is listening to.