Port Security Scan script

Source: Internet
Author: User
Tags ssh port egrep

Port Security Scan script

I have been working for half a year on part-time security. I would like to share with you how I am doing security here. Of course, as a part-time employee, I am not very thorough and I am not a reference for attacking.

The following describes port security, which is mainly used to enable ports for all ip segments in the IDC of the company. For example, for a server, only the ssh port is required by default. However, if other ports not permitted are enabled, it may be caused by false drive or intrusion, so that the O & M personnel need to know and solve the problem in advance.

How to implement:

1. Use nmap + diff to scan ports of all IDCs of the company;

2. The scan results of the day are compared with those of yesterday's scan results;

3. If a new host or an existing host has a new or closed port, send an email notification.

Result Display:

1. No difference

2. There are new hosts

3. Existing host ports are added or closed

The following is the port security scan script content:

#! /Bin/bash # Thisscriptnameisscan_analyse.sh. /etc/profileecho "starttimeis $ (date)" time = $ (date + "% Y-% m-% d ") yesterday = 'date-d "1 dayago" + "% Y-% m-% d" 'Work _ dir = "/root/nmap_scan" now_dir = "$ work_dir/scan_result/ $ time "IP = '1. 1.1.0/24 'Contact _ mail = 'xx @ mail.com 'rm-rf $ now_dirif [! -D "$ work_dir/scan_result/$ time"]; thenmkdir-p $ work_dir/scan_diff_result/$ timefirm-rf $ work_dir/scan_diff_result/$ time/result. logip_32 = 'echo $ IP | cut-d. -f1-3 'If [! -D $ now_dir/$ ip_32]; thenmkdir-p $ now_dir/$ ip_321_oriin {1 .. 254} donmap-sS-r-n $ ip_32. $ I | egrep-v "(Starting | scanned)" | egrep "(Nmap | open)"> $ now_dir/$ ip_32/$ ip_32. $ iif ['cat $ now_dir/$ ip_32/$ ip_32. $ I | wc-l '-eq1]; thenrm-rf $ now_dir/$ ip_32/$ ip_32. $ ifidoneecho "stoptimeis $ (date)" forbin $ ip_32doforiin $ (ls $ now_dir/$ B) doif [! -F "$ work_dir/scan_source/$ B/$ I"]; thenecho "adds a new host $ I. The following is all information: ">>$ work_dir/scan_diff_result/$ time/result. logif ['cat $ now_dir/$ B/$ I | wc-l'-gt100]; thenecho "enables all ports. It is suspected that there is nat or Server Load balancer! ">>$ Work_dir/scan_diff_result/$ time/result. logelsecat $ now_dir/$ B/$ I >>$ work_dir/scan_diff_result/$ time/result. logfielseif ['diff-u $ now_dir/$ B/$ I $ work_dir/scan_source/$ B/$ I | egrep-v "(\-| \ + \ + \ + | @@) "| egrep" (Nmap | \-| \ +) "| wc-l '-gt100]; thenhead-n1 $ now_dir/$ B/$ I> $ work_dir/scan_diff_result/$ time/result. logecho "all ports are enabled. It is suspected that there is nat or Server Load balancer! ">>$ Work_dir/scan_diff_result/$ time/result. logelsediff-u $ now_dir/$ B/$ I $ work_dir/scan_source/$ B/$ I | egrep-v "(\-| \ + | @@) "| egrep" (Nmap | \-| \ +) "| sed-e's # Nmapscanreportfor # scan host # G' | sed-e's # ^ + # disabled # G'-e's # ^-# Enabled # G'> $ work_dir/scan_diff_result/$ time/result. logtailidonedoneif ['cat $ work_dir/scan_diff_result/$ time/result. log | wc-l '-eq0]; thenecho "everything is normal today, no changed port! "| Mail-s" [$ time] All IDC data center differential port scan results "$ contact_mailelsesed-i" 1i Hello everyone: \ n is the situation of adding hosts or adding or disabling ports to or from all IDC data centers on $ time. The project owner should promptly claim and confirm the port. \ n "$ work_dir/scan_diff_result/$ time/result. logcat $ work_dir/scan_diff_result/$ time/result. log | mail-s "[$ time] All IDC data center differential port scan results" $ contact_mailfirm-rf $ work_dir/scan_source/cp-a $ work_dir/scan_result/$ time $ work_dir/scan_sourceif [$? -Eq0]; thenecho "Operation completed, operation successful! "Elseecho" is running successfully. operation failed! "Fi

Modify the IP address and contact_mail.

Structure:

12:55:17 # tree/root/nmap_scan // root/nmap_scan/| -- scan_diff_result # structure of the scan today and yesterday | '-- # directory of the current day |' -- result. log # comparison result content | -- scan_result # store the scan results today | -- scan_shell # store the scan script | '-- scan_analyse.sh # Security Port Scan script' -- scan_source # scan results from yesterday, source 5 directories, 2 files compared with today

Usage:

1. Run this script first

Create Script directory

Mkdir-p/root/nmap_scan/scan_shell

Then, place the script in this directory to generate the source file for comparison. The subsequent scans will be compared with the source file.

2. Run the script using crontab

3001 ***/bin/bash/root/nmap_scan/scan_shell/scan_analyse.sh>/tmp/scan. log2> & 1

In this way, you can run the script at every day.

In this way, you only need to read the email every day to know all IP segments in all IDCs and which hosts have added or disabled ports, so as to promptly solve the problem.

The script is in the attachment and can be downloaded by yourself.

This article is from the "Yin-Technical Exchange" blog, please be sure to keep this source http://dl528888.blog.51cto.com/2382721/1429685

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.