2025-01-16 Update From: SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 06/01 Report
I have been doing security part-time for half a year, and here I share how I do it. Since it is a part-time job the work is not very in-depth; take it as a reference.
Port security is described below. It is mainly about which ports are open across all IP segments of the company's IDC server rooms. For example, a server normally needs only the SSH port open; if other, unapproved ports are open, they may have been opened by mistake or otherwise without approval. OPS needs to know about this as early as possible and deal with it.
How it is done:
1. Use nmap + diff to scan all of the company's IDC ports.
2. Compare today's scan results with yesterday's.
3. If a new host appears, or an existing host adds or closes ports, send an email notification.
The results show:
1. No difference.
2. New hosts.
3. Existing hosts that have added or closed ports.
The following is the content of the port security scan script:
#!/bin/bash
# This script name is scan_analyse.sh
. /etc/profile
echo "start time is $(date)"
time=$(date +"%Y-%m-%d")
work_dir="/root/nmap_scan"
now_dir="$work_dir/scan_result/$time"
diff_dir="$work_dir/scan_diff_result/$time"
IP='1.1.1.0/24'
contact_mail='xx@mail.com'

# fresh result and diff directories for today; result.log starts empty
rm -rf "$now_dir"
mkdir -p "$diff_dir"
: > "$diff_dir/result.log"

# first three octets of the /24, used as the per-segment directory name
ip_32=$(echo "$IP" | cut -d. -f 1-3)
mkdir -p "$now_dir/$ip_32"

# host_diff TODAY_FILE YESTERDAY_FILE: diff today (left) against yesterday
# (right) and keep the host header and the changed port lines:
# "-" = open today but not yesterday (enabled), "+" = open yesterday but not today (closed)
host_diff() {
    diff -u "$1" "$2" | egrep -v "^(---|\+\+\+|@@)" | egrep "(Nmap|^-|^\+)"
}

# scan every host in the segment; keep only the "Nmap scan report for" header
# line and the open-port lines, one file per host.
# Note: without -p- nmap scans only its default top 1000 ports per protocol.
for i in {1..254}
do
    nmap -sS -r -n "$ip_32.$i" | egrep -v "(Starting|scanned)" | egrep "(Nmap|open)" > "$now_dir/$ip_32/$ip_32.$i"
    # a host that is down or has no open ports leaves 0 or 1 line: drop it
    if [ "$(wc -l < "$now_dir/$ip_32/$ip_32.$i")" -le 1 ]; then
        rm -rf "$now_dir/$ip_32/$ip_32.$i"
    fi
done
echo "stop time is $(date)"

# compare today's per-host files with yesterday's copy in scan_source
for b in $ip_32
do
    for i in $(ls "$now_dir/$b")
    do
        if [ ! -f "$work_dir/scan_source/$b/$i" ]; then
            echo "add new host $i, here is all the information:" >> "$diff_dir/result.log"
            if [ "$(wc -l < "$now_dir/$b/$i")" -gt 100 ]; then
                echo "opens all ports, suspected nat or load balancer!" >> "$diff_dir/result.log"
            else
                cat "$now_dir/$b/$i" >> "$diff_dir/result.log"
            fi
        else
            if [ "$(host_diff "$now_dir/$b/$i" "$work_dir/scan_source/$b/$i" | wc -l)" -gt 100 ]; then
                head -n 1 "$now_dir/$b/$i" >> "$diff_dir/result.log"
                echo "all ports are open, suspected nat or load balancer!" >> "$diff_dir/result.log"
            else
                host_diff "$now_dir/$b/$i" "$work_dir/scan_source/$b/$i" | sed -e 's#Nmap scan report for#scanning host#g' -e 's#^+#closed #' -e 's#^-#enabled #' >> "$diff_dir/result.log"
            fi
        fi
    done
done

# mail the result: an empty log means nothing changed
if [ "$(wc -l < "$diff_dir/result.log")" -eq 0 ]; then
    echo "everything is fine today. No changed port!" | mail -s "[$time] all IDC computer room differential port scan results" "$contact_mail"
else
    sed -i "1i Hello everyone:\nThe following are the new hosts, and the existing hosts that added or closed ports, found in the $time scan of all IDC computer rooms. Project leaders, please claim and confirm in time.\n" "$diff_dir/result.log"
    mail -s "[$time] scan results of all IDC computer room differential ports" "$contact_mail" < "$diff_dir/result.log"
fi

# today's results become tomorrow's comparison source
rm -rf "$work_dir/scan_source/"
if cp -a "$now_dir" "$work_dir/scan_source"; then
    echo "run completed, operation succeeded!"
else
    echo "run completed, operation failed!"
fi
Please modify IP and contact_mail.
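The script tells opened from closed ports by parsing the "-" and "+" lines of diff -u. As an added example that is not part of the original article or its script, the shell functions below do the same comparison as a set difference over the per-host files that scan_analyse.sh writes (one file per host: a "Nmap scan report for <ip>" header followed by the open-port lines), apply the same "more than 100 open ports, suspected NAT or load balancer" heuristic to new hosts, and additionally report hosts that were in yesterday's scan but produced no file today, which the original script does not. The today/yesterday directories and the 10.0.0.x hosts in demo are constructed sample data, not real scan output.

```shell
#!/bin/bash
# Added example, not part of scan_analyse.sh: compare two directories of
# per-host port lists (today vs. yesterday) in the format the script stores,
# i.e. a "Nmap scan report for <ip>" header followed by "<port>/<proto> open <svc>"
# lines, and report new hosts, vanished hosts, and opened/closed ports.
set -u

# port_set FILE -> sorted "port/proto" tokens of the open ports in one host file
port_set() {
    awk '$2 ~ /^open/ {print $1}' "$1" | sort
}

# compare_host TODAY_FILE YESTERDAY_FILE -> "opened <port>" / "closed <port>" lines
compare_host() {
    local t y
    t=$(mktemp) && y=$(mktemp) || return 1
    port_set "$1" > "$t"
    port_set "$2" > "$y"
    comm -23 "$t" "$y" | sed 's/^/opened /'   # open today only
    comm -13 "$t" "$y" | sed 's/^/closed /'   # open yesterday only
    rm -f "$t" "$y"
}

# compare_dirs TODAY_DIR YESTERDAY_DIR -> full change report on stdout
compare_dirs() {
    local today_dir="$1" yday_dir="$2" f host n
    for f in "$today_dir"/*; do
        [ -f "$f" ] || continue
        host=$(basename "$f")
        if [ ! -f "$yday_dir/$host" ]; then
            echo "new host $host:"
            n=$(port_set "$f" | wc -l | tr -d ' ')
            # same heuristic as the script: a host answering on everything is
            # usually a NAT device or load balancer, not a real server
            if [ "$n" -gt 100 ]; then
                echo "  $n open ports, suspected nat or load balancer"
            else
                port_set "$f" | sed 's/^/  open /'
            fi
        else
            compare_host "$f" "$yday_dir/$host" | sed "s/^/$host: /"
        fi
    done
    # hosts that were up yesterday but produced no file today
    for f in "$yday_dir"/*; do
        [ -f "$f" ] || continue
        host=$(basename "$f")
        [ -f "$today_dir/$host" ] || echo "host $host gone (was in yesterday's scan)"
    done
}

# demo -> builds a constructed sample (not real scan output) in a temp dir
# and prints the report
demo() {
    local tmp
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/today" "$tmp/yesterday"
    # 10.0.0.5: ssh unchanged, mysql newly open today
    printf 'Nmap scan report for 10.0.0.5\n22/tcp open ssh\n' > "$tmp/yesterday/10.0.0.5"
    printf 'Nmap scan report for 10.0.0.5\n22/tcp open ssh\n3306/tcp open mysql\n' > "$tmp/today/10.0.0.5"
    # 10.0.0.6: http-proxy closed today
    printf 'Nmap scan report for 10.0.0.6\n22/tcp open ssh\n8080/tcp open http-proxy\n' > "$tmp/yesterday/10.0.0.6"
    printf 'Nmap scan report for 10.0.0.6\n22/tcp open ssh\n' > "$tmp/today/10.0.0.6"
    # 10.0.0.7: brand-new host; 10.0.0.8: up yesterday, silent today
    printf 'Nmap scan report for 10.0.0.7\n22/tcp open ssh\n' > "$tmp/today/10.0.0.7"
    printf 'Nmap scan report for 10.0.0.8\n22/tcp open ssh\n' > "$tmp/yesterday/10.0.0.8"
    compare_dirs "$tmp/today" "$tmp/yesterday"
    rm -rf "$tmp"
}

demo
```

Because comm works on sorted sets rather than on diff context, a port that merely moves position in the nmap output (for example after a service name changes) is not reported as a change, and a vanished host shows up explicitly instead of silently dropping out of the report.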
Structure:
# tree /root/nmap_scan/
/root/nmap_scan/
|-- scan_diff_result        # comparison between today's scan and yesterday's
|   `-- 2014-06-23          # one directory per day
|       `-- result.log      # comparison results
|-- scan_result             # today's scan results
|-- scan_shell              # the scan script
|   `-- scan_analyse.sh     # port security scan script
`-- scan_source             # yesterday's scan results, the source of comparison with today

5 directories, 2 files
How to use it:
1. Run the script once by hand.
Create the script directory:
mkdir -p /root/nmap_scan/scan_shell
Then put the script in this directory and run it to generate the source files for comparison; subsequent scans are compared against this source.
2. Run the script from crontab:
30 01 * * * /bin/bash /root/nmap_scan/scan_shell/scan_analyse.sh >> /tmp/scan.log 2>&1
This runs the script at 01:30 every morning.
In this way you only need to read one email a day to know, across all IP segments in all IDC rooms, which hosts have added or closed ports, and to deal with them in time.
The script is attached and can be downloaded if necessary.
Attachment: http://down.51cto.com/data/2364564