Since most remote exploits involve connecting to a service that is running on your computer then the obvious answer is to reduce the number of services you run. You should only be running services that you understand.
There are many different ways of checking to see what services there are running on your computer that can be connected to from the outside world. I normally use `lsof -i'.
[stephen@kebl1088 stephen]$ sudo lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
portmap 299 bin 3u inet 0x02494018 0t0 UDP *:sunrpc
portmap 299 bin 4u inet 0x022b6c0c 0t0 TCP *:sunrpc (LISTEN)
syslogd 405 root 1u inet 0x02213018 0t0 UDP *:syslog
inetd 447 root 4u inet 0x0214e810 0t0 TCP *:ftp (LISTEN)
inetd 447 root 5u inet 0x0214ec0c 0t0 TCP *:telnet (LISTEN)
inetd 447 root 6u inet 0x02144018 0t0 UDP *:talk
inetd 447 root 7u inet 0x02144414 0t0 UDP *:ntalk
inetd 447 root 8u inet 0x02144810 0t0 TCP *:pop-3 (LISTEN)
inetd 447 root 9u inet 0x02144c0c 0t0 TCP *:imap (LISTEN)
inetd 447 root 10u inet 0x02143018 0t0 TCP *:finger (LISTEN)
inetd 447 root 11u inet 0x02143414 0t0 TCP *:auth (LISTEN)
httpd 30082 httpd 15u inet 0x02407018 0t0 TCP *:http (LISTEN)
httpd 30651 httpd 15u inet 0x02407018 0t0 TCP *:http (LISTEN)
sendmail 31682 stephen 9u inet 0x022fb810 0xbb2a9b1a TCP kebl1088.keble.ox.ac.uk:30256
->mta-v14.mail.yahoo.com:smtp (SYN_SENT)
epic 19820 chris 3u inet 0x00845810 0x944d8094 TCP localhost:14725->
localhost:irc (ESTABLISHED)
...
Notice that given the options I did you got both the LISTENing processes (those processes that are waiting for a connection from the outside world, such as the web server, and open connections, such as sendmail sending an outgoing email and a user called chris connecting to the local IRC server).
Some people like to use `netstat' instead:
[stephen@eddie stephen]$ netstat --listen Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 *:smtp *:* LISTEN tcp 0 0 *:ssh *:* LISTEN tcp 0 0 *:auth *:* LISTEN tcp 0 0 *:finger *:* LISTEN tcp 0 0 *:telnet *:* LISTEN tcp 0 0 *:ftp *:* LISTEN tcp 0 0 *:sunrpc *:* LISTEN udp 0 0 *:sunrpc *:* ... Active UNIX domain sockets (only servers) Proto RefCnt Flags Type State I-Node Path unix 0 [ ACC ] STREAM LISTENING 510076 /tmp/.font-unix/fs-1 ...
Aside lsof is cool for other reasons, eg, looking at which processes currently have a file open, or in the case below which processes are suing a particular mounted partition.
[stephen@kebl1088 stephen]$ sudo /usr/sbin/lsof /home COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME irc 2237 nikita cwd DIR 3,3 1024 240817 /home (/dev/hda3) screen 4027 lucy cwd DIR 3,3 1024 73467 /home (/dev/hda3) bash 6974 wol cwd DIR 3,3 2048 153045 /home (/dev/hda3) ssh 6968 wol cwd DIR 3,3 2048 153045 /home (/dev/hda3) bash 18462 tr cwd DIR 3,3 1024 85682 /home (/dev/hda3) ssh 18463 tr cwd DIR 3,3 1024 85682 /home (/dev/hda3) epic 19820 chris cwd DIR 3,3 4096 161168 /home (/dev/hda3) ....
In both cases read the man page to find out more about the wealth of parameters they provide and the information they can give.
If you don't have access to either netstat or lsof then you could try a running a `strobe' or `portscan' on your computer, which will try to connect to each port and tell you if anything is listening. There are many pieces of software for doing this, including some that can try to give you information even behind certain types of firewall. One commond one is called nmap (and it's available for Windows as well as Unix).
[stephen@kebl1088 nmap-2.07]$ ./nmap -FI eddie Starting nmap V. 2.07 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/) Interesting ports on eddie.cipe (10.2.5.2): Port State Protocol Service Owner 21 open tcp ftp root 22 open tcp ssh root 79 open tcp finger root 111 open tcp sunrpc bin 113 open tcp auth root 119 open tcp nntp root 515 open tcp printer root 2049 open tcp nfs nobody 3900 open tcp udt_os stephen 6000 open tcp xterm root Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds [stephen@kebl1088 nmap-2.07]$
NB -F is `fast', it doesn't check all ports, just the ones that are listed in /etc/services. It's worth understanding the options that you use.
nmap can, of course, be used against remote computers to determine if they are running any services you think are expoitable. For this reason you might want to log portscans that your computer recieves. To do this under linux use `tcplog' which will log all attempted connections, even if they don't connect to a service that you are running. do not run nmap against remote hosts, many administrators will look on it as the beginning of an cracking attempt and may either firewall you or contact OUCS about it!