I have been doing part-time security work for half a year and would like to share how I do security here. Of course, as a part-time employee I am not very thorough, and I am no expert at attacking.
The following describes port security, which here means keeping track of the open ports across all IP segments in the company's IDCs. For example, a server normally needs only the SSH port open by default. If other ports that are not permitted turn out to be open, the cause may be misoperation or an intrusion, so the O&M staff need to know about it and deal with it early.
How to implement:
1. use nmap + diff to scan the ports of all IDCs in the company;
2. compare the day's scan results with yesterday's;
3. if there is a new host, or an existing host has a newly opened or closed port, send an email notification.
Result display (the three possible outcomes):
1. no difference
2. there are new hosts
3. an existing host has ports opened or closed
The following is the port security scan script content:

```bash
#!/bin/bash
# scan_analyse.sh: scan every host of an IP segment with nmap, compare today's
# results with yesterday's (kept in scan_source) and mail the differences.
. /etc/profile
echo "start time is $(date)"
time=$(date +"%Y-%m-%d")
yesterday=$(date -d "1 day ago" +"%Y-%m-%d")
work_dir="/root/nmap_scan"
now_dir="$work_dir/scan_result/$time"
IP='1.1.1.0/24'               # segment to scan; change this
contact_mail='XX@mail.com'    # recipient of the report; change this
diff_log="$work_dir/scan_diff_result/$time/result.log"

rm -rf "$now_dir"
mkdir -p "$work_dir/scan_diff_result/$time"
: > "$diff_log"               # start today's comparison log empty

# First three octets of the segment, e.g. 1.1.1
ip_32=$(echo "$IP" | cut -d. -f 1-3)
mkdir -p "$now_dir/$ip_32"

# One result file per host: the "Nmap scan report for" line plus the open ports.
# A file holding only the report line means no open port was found; drop it.
for i in {1..254}; do
    nmap -sS -r -n "$ip_32.$i" | egrep -v "(Starting|scanned)" | egrep "(Nmap|open)" > "$now_dir/$ip_32/$ip_32.$i"
    if [ "$(wc -l < "$now_dir/$ip_32/$ip_32.$i")" -eq 1 ]; then
        rm -f "$now_dir/$ip_32/$ip_32.$i"
    fi
done
echo "stop time is $(date)"

# Compare today's files with yesterday's copy in scan_source.
for b in $ip_32; do
    for f in "$now_dir/$b"/*; do
        [ -f "$f" ] || continue
        i=$(basename "$f")
        if [ ! -f "$work_dir/scan_source/$b/$i" ]; then
            echo "new host $i added. The following is all of its information:" >> "$diff_log"
            if [ "$(wc -l < "$now_dir/$b/$i")" -gt 100 ]; then
                echo "all ports are open. suspected NAT or server load balancer!" >> "$diff_log"
            else
                cat "$now_dir/$b/$i" >> "$diff_log"
            fi
        else
            # diff today (left) against yesterday (right): "-" lines exist only in
            # today's file (newly opened), "+" lines only in yesterday's (now closed).
            if [ "$(diff -u "$now_dir/$b/$i" "$work_dir/scan_source/$b/$i" | egrep -v "(^\-\-\-|^\+\+\+|^@@)" | egrep "(Nmap|^\-|^\+)" | wc -l)" -gt 100 ]; then
                head -n 1 "$now_dir/$b/$i" >> "$diff_log"
                echo "all ports are open. suspected NAT or server load balancer!" >> "$diff_log"
            else
                diff -u "$now_dir/$b/$i" "$work_dir/scan_source/$b/$i" | egrep -v "(^\-\-\-|^\+\+\+|^@@)" | egrep "(Nmap|^\-|^\+)" \
                    | sed -e 's#Nmap scan report for#scan host#g' -e 's#^+#closed #g' -e 's#^-#opened #g' >> "$diff_log"
            fi
        fi
    done
done

if [ "$(wc -l < "$diff_log")" -eq 0 ]; then
    echo "everything is normal today, no changed port!" | mail -s "[$time] result of differential port scan for all IDCs" "$contact_mail"
else
    sed -i "1i Hello everyone:\n The following are the hosts added and the ports opened or closed in all IDC data centers on $time. Project owners please claim and confirm the ports promptly.\n" "$diff_log"
    mail -s "[$time] result of differential port scan for all IDC data centers" "$contact_mail" < "$diff_log"
fi

# Today's results become the source for tomorrow's comparison.
rm -rf "$work_dir/scan_source/"
cp -a "$work_dir/scan_result/$time" "$work_dir/scan_source"
if [ $? -eq 0 ]; then
    echo "operation completed, operation successful!"
else
    echo "operation completed, operation failed!"
fi
```
Change IP (the segment to scan) and contact_mail (the report recipient) before use.
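The comparison step, written as an added example rather than the author's script: it reads the same per-host result files the script produces (a file named after the host, one "port/proto open service" line per open port), but compares them as sets with comm(1) instead of filtering diff -u output, which avoids the diff header lines and false matches on service names containing "-" or "+", and it also reports hosts that disappeared since yesterday. The snapshots inside demo() are constructed sample data.

```shell
#!/bin/bash
# Added example, not the original scan_analyse.sh: compare two directories of
# per-host nmap result files and print one line per change (set comparison).

# Sorted set of "port/proto" values reported open in one result file.
open_ports() {
    awk '$2 == "open" {print $1}' "$1" | sort -u
}

# compare_scans OLD_DIR NEW_DIR: NEWHOST / OPENED / CLOSED / GONE lines, nothing if equal.
compare_scans() {
    old_dir="$1"; new_dir="$2"; tmp=$(mktemp -d)
    for new_f in "$new_dir"/*; do
        [ -f "$new_f" ] || continue
        host=$(basename "$new_f")
        open_ports "$new_f" > "$tmp/new"
        if [ ! -f "$old_dir/$host" ]; then
            # Host absent yesterday: report it whole, keeping the script's ">100 ports" NAT heuristic.
            if [ "$(grep -c . "$tmp/new")" -gt 100 ]; then
                echo "NEWHOST $host: over 100 open ports, suspect NAT or load balancer"
            else
                echo "NEWHOST $host open: $(paste -sd ' ' "$tmp/new")"
            fi
            continue
        fi
        open_ports "$old_dir/$host" > "$tmp/old"
        comm -23 "$tmp/new" "$tmp/old" | sed "s/^/OPENED $host /"   # only in today's set
        comm -13 "$tmp/new" "$tmp/old" | sed "s/^/CLOSED $host /"   # only in yesterday's set
    done
    # Hosts that answered yesterday but not today deserve a look as well.
    for old_f in "$old_dir"/*; do
        [ -f "$old_f" ] || continue
        host=$(basename "$old_f")
        [ -f "$new_dir/$host" ] || echo "GONE $host"
    done
    rm -rf "$tmp"
}

# Constructed sample snapshots (not real scan data) for a stand-alone run.
demo() {
    t=$(mktemp -d); mkdir -p "$t/old" "$t/new"
    printf '22/tcp open ssh\n80/tcp open http\n'    > "$t/old/10.0.0.1"
    printf '22/tcp open ssh\n'                      > "$t/old/10.0.0.2"
    printf '22/tcp open ssh\n'                      > "$t/old/10.0.0.4"
    printf '22/tcp open ssh\n443/tcp open https\n'  > "$t/new/10.0.0.1"
    printf '22/tcp open ssh\n'                      > "$t/new/10.0.0.2"
    printf '22/tcp open ssh\n3306/tcp open mysql\n' > "$t/new/10.0.0.3"
    compare_scans "$t/old" "$t/new"
    rm -rf "$t"
}
```

Running demo prints one OPENED and one CLOSED line for 10.0.0.1, a NEWHOST line for 10.0.0.3 and a GONE line for 10.0.0.4, and nothing for the unchanged 10.0.0.2.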
Directory structure:

```
12:55:17 # tree /root/nmap_scan/
/root/nmap_scan/
|-- scan_diff_result        # comparison of today's scan against yesterday's
|   `-- YYYY-MM-DD          # directory for the current day
|       `-- result.log      # comparison result
|-- scan_result             # today's scan results
|-- scan_shell              # the scan script
|   `-- scan_analyse.sh     # security port scan script
`-- scan_source             # yesterday's scan results, the source compared with today

5 directories, 2 files
```
Usage:
1. Run the script once by hand first. Create the script directory:

```bash
mkdir -p /root/nmap_scan/scan_shell
```

Then place the script in this directory and run it to generate the source files (scan_source) for comparison; subsequent scans are compared against them.
2. Run the script from crontab:

```
30 01 * * * /bin/bash /root/nmap_scan/scan_shell/scan_analyse.sh > /tmp/scan.log 2>&1
```

This runs the script at 01:30 every day.
In this way, you only need to read one email a day to know, for every IP segment in all IDCs, which hosts were added and which hosts opened or closed ports, and can deal with it promptly.
The script is in the attachment and can be downloaded by yourself.
This article is from the "yin-technical exchange" blog, please be sure to keep this source http://dl528888.blog.51cto.com/2382721/1429685