Port Security Scan script
I have been working part-time on security for half a year. I would like to share how I do security here. Of course, as a part-time employee I am not very thorough, and I am not a reference for attacking.
The following describes port security, which mainly checks which ports are open across all IP segments in the company's IDCs. For example, a server normally needs only the ssh port open; if other, unapproved ports are open, this may be the result of an operational mistake or an intrusion, and the O&M staff need to know about it and resolve it early.
How to implement:
1. Use nmap + diff to scan the ports of all of the company's IDCs;
2. Compare today's scan results with yesterday's;
3. If a new host appears, or an existing host has a newly opened or newly closed port, send an email notification.
Result display:
1. No difference
2. New hosts appeared
3. Ports on existing hosts were opened or closed
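The comparison logic of steps 2 and 3 (new host, enabled port, disabled port, and the "more than 100 lines means NAT or load balancer" heuristic), as an added Python example that is not part of the original script. The two scan texts are constructed samples in the shape the script keeps after its egrep filter, and NAT_THRESHOLD is an assumed name for the script's 100-line limit.

```python
import re

# Constructed sample scans, in the shape the script keeps after its
# egrep "(Nmap|open)" filter: a report line per host, then its open ports.
YESTERDAY = """\
Nmap scan report for 10.0.0.5
22/tcp open  ssh
Nmap scan report for 10.0.0.6
22/tcp open  ssh
3306/tcp open  mysql
"""
TODAY = """\
Nmap scan report for 10.0.0.5
22/tcp open  ssh
8080/tcp open  http-proxy
Nmap scan report for 10.0.0.6
22/tcp open  ssh
Nmap scan report for 10.0.0.7
22/tcp open  ssh
"""
NAT_THRESHOLD = 100  # assumed name; mirrors the script's "> 100 lines" rule
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\b")

def parse_scan(text):
    """Map each host in filtered nmap output to its set of open ports."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts.setdefault(current, set())
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current].add(m.group(1))
    return hosts

def compare(today, source):
    """Report new hosts, enabled/disabled ports and NAT/LB suspects."""
    findings = []
    for host in sorted(today):
        ports = today[host]
        if len(ports) > NAT_THRESHOLD:
            findings.append(f"{host}: all ports open, suspected NAT or load balancer")
        elif host not in source:
            findings.append(f"new host {host}: open {sorted(ports)}")
        else:
            findings += [f"{host}: enabled {p}" for p in sorted(ports - source[host])]
            findings += [f"{host}: disabled {p}" for p in sorted(source[host] - ports)]
    return findings
```

Unlike the textual diff in the script, comparing port sets is unaffected by line order, so a host whose port list is merely reordered produces no finding.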
The following is the port security scan script content:
#!/bin/bash
# This script name is scan_analyse.sh
. /etc/profile
echo "start time is $(date)"
time=$(date +"%Y-%m-%d")
yesterday=$(date -d "1 day ago" +"%Y-%m-%d")
work_dir="/root/nmap_scan"
now_dir="$work_dir/scan_result/$time"
diff_log="$work_dir/scan_diff_result/$time/result.log"
IP='1.1.1.0/24'
contact_mail='xx@mail.com'
rm -rf $now_dir
mkdir -p $work_dir/scan_diff_result/$time
rm -rf $diff_log
ip_32=$(echo $IP | cut -d. -f1-3)
if [ ! -d $now_dir/$ip_32 ]; then
    mkdir -p $now_dir/$ip_32
fi
# Scan every host of the segment; keep only the report line and the open ports
for i in {1..254}
do
    nmap -sS -r -n $ip_32.$i | egrep -v "(Starting|scanned)" | egrep "(Nmap|open)" > $now_dir/$ip_32/$ip_32.$i
    # a host that is down or has no open port leaves at most one line: drop it
    if [ $(cat $now_dir/$ip_32/$ip_32.$i | wc -l) -le 1 ]; then
        rm -rf $now_dir/$ip_32/$ip_32.$i
    fi
done
echo "stop time is $(date)"
# Compare today's results with the source (yesterday's results)
for b in $ip_32
do
    for i in $(ls $now_dir/$b)
    do
        if [ ! -f "$work_dir/scan_source/$b/$i" ]; then
            echo "New host $i added. All of its information follows:" >> $diff_log
            if [ $(cat $now_dir/$b/$i | wc -l) -gt 100 ]; then
                echo "All ports are open. NAT or a load balancer is suspected!" >> $diff_log
            else
                cat $now_dir/$b/$i >> $diff_log
            fi
        else
            if [ $(diff -u $now_dir/$b/$i $work_dir/scan_source/$b/$i | egrep -v "^(\-\-\-|\+\+\+|@@)" | egrep "(Nmap|\-|\+)" | wc -l) -gt 100 ]; then
                head -n1 $now_dir/$b/$i >> $diff_log
                echo "All ports are open. NAT or a load balancer is suspected!" >> $diff_log
            else
                # "-" lines exist only in today's scan (port enabled), "+" lines only in the source (port disabled)
                diff -u $now_dir/$b/$i $work_dir/scan_source/$b/$i | egrep -v "^(\-\-\-|\+\+\+|@@)" | egrep "(Nmap|\-|\+)" | sed -e 's#Nmap scan report for#scan host#g' | sed -e 's#^+#disabled #g' -e 's#^-#enabled #g' >> $diff_log
            fi
        fi
    done
done
if [ $(cat $diff_log | wc -l) -eq 0 ]; then
    echo "Everything is normal today, no changed port!" | mail -s "[$time] All IDC data center differential port scan results" $contact_mail
else
    sed -i "1i Hello everyone:\n Below are the new hosts and the enabled or disabled ports in all IDC data centers on $time. The project owners should promptly claim and confirm the ports.\n" $diff_log
    cat $diff_log | mail -s "[$time] All IDC data center differential port scan results" $contact_mail
fi
# Today's results become the source for tomorrow's comparison
rm -rf $work_dir/scan_source/
cp -a $work_dir/scan_result/$time $work_dir/scan_source
if [ $? -eq 0 ]; then
    echo "Operation completed, operation successful!"
else
    echo "Operation completed, operation failed!"
fi
Change IP and contact_mail to your own values.
Structure:
12:55:17 # tree /root/nmap_scan/
/root/nmap_scan/
|-- scan_diff_result        # comparison of today's scan against yesterday's
|   `-- <YYYY-MM-DD>        # directory for the current day
|       `-- result.log      # comparison result content
|-- scan_result             # stores today's scan results
|-- scan_shell              # stores the scan script
|   `-- scan_analyse.sh     # security port scan script
`-- scan_source             # yesterday's scan results, the source compared with today's

5 directories, 2 files
Usage:
1. Run the script once by hand
Create the script directory:
mkdir -p /root/nmap_scan/scan_shell
Then place the script in this directory and run it to generate the source files for comparison; subsequent scans are compared against these source files.
2. Run the script from crontab
30 01 * * * /bin/bash /root/nmap_scan/scan_shell/scan_analyse.sh > /tmp/scan.log 2>&1
In this way the script runs automatically once every day.
You then only need to read the daily email to know, for every IP segment in every IDC, which hosts have opened or closed ports, so that the problem can be resolved promptly.
The script is in the attachment and can be downloaded by yourself.
This article is from the "Yin-Technical Exchange" blog, please be sure to keep this source http://dl528888.blog.51cto.com/2382721/1429685