Hi, and welcome back to another edition of Hacks From Pax. Today we'll discuss hardening Linux servers by scanning for unnecessarily open network ports, and we'll show you how to automate port scanning so you can easily monitor your network for vulnerabilities.

Portscanning, for the uninitiated, involves sending connection requests to a remote host to determine what ports are open for connections and possibly what services they are exporting. Portscanning is the first step a hacker will take when attempting to penetrate your system, so you should be preemptively scanning your own servers and networks to discover vulnerabilities before someone unfriendly gets there first.

Any open ports that are unnecessary for proper system operation should be closed. Every open port is a possible access point for an unauthorized user, and every service accepting connections from the world could have a vulnerability. Even if you are diligent about applying patches, any unnecessarily running service is still a window an attacker could possibly climb through.

One way of viewing open ports on your Linux system is with the netstat command. Issue the command netstat --inet -a to view both your established connections and open listening network ports. This command reads from your /etc/services file to determine the service name for a given port number, so seeing *:www under the Local Address heading indicates your server's port 80 is open and listening, not that there is necessarily a webserver running on that port. You should check the list and ensure that the servers listening are indeed desired, and if they are not, they should be disabled. For example, this output shows me that my system is accepting connections on the ports for www, ssh, smtp and https. 

[root@frylock /root]# netstat --inet -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address
State

tcp        0      0 *:www                   *:*
LISTEN
tcp        0      0 *:ssh                   *:*
LISTEN
tcp        0      0 *:smtp                  *:*
LISTEN
tcp        0      0 *:https                 *:*
LISTEN
The best way of viewing open ports on a remote server is to use the nmap network scanning tool. It's recommended to use nmap from a system that is outside any firewall protecting your network, since the goal is to determine what network ports are visible and listening from a hypothetical attacker's point of view.

Running the command nmap -vv -sS 192.168.1.1 would perform a SYN scan of only the common ports on the given ip address. 

[root@frylock ~]# nmap -vv -sS 192.168.1.65

Starting nmap 3.81 ( https://nmap.org/ ) at 2005-07-02 13:17 EDT
Initiating SYN Stealth Scan against meatwad.linuxsecurity.com
(192.168.1.65) [1663 ports] at 13:17
Discovered open port 22/tcp on 192.168.1.65
Discovered open port 25/tcp on 192.168.1.65
Discovered open port 443/tcp on 192.168.1.65
Discovered open port 80/tcp on 192.168.1.65
Discovered open port 1022/tcp on 192.168.1.65
Discovered open port 8080/tcp on 192.168.1.65
The SYN Stealth Scan took 0.24s to scan 1663 total ports.
Host meatwad.linuxsecurity.com (192.168.1.65) appears to be up ... good.
Interesting ports on meatwad.linuxsecurity.com (192.168.1.65):
(The 1657 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https
1022/tcp open  unknown
8080/tcp open  http-proxy
MAC Address: 00:03:47:EF:42:42 (Intel)

Nmap finished: 1 IP address (1 host up) scanned in 0.514 seconds
               Raw packets sent: 1665 (66.6KB) | Rcvd: 1670 (76.9KB)
We can see that ports 22, 25, 80, 443, 1022 and 8080 are open and accepting connections. If we aren't using one or more of these services the unused ones should be disabled to lessen our security liabilities.

This scan operates by sending a single SYN packet to each port, and listening for a returned SYN|ACK which indicates an open port. Consult the nmap website for further information on the particulars of nmap usage. Nmap is an indispensable security tool that you should make a place for in your sysadmin toolbox.

Nmap can be very useful for determining the outward facing open ports on your network when you remember to check, but with a little perl magic it can be useful for keeping an ongoing eye on your network as well. I've written a perl utility called NetDiff that scans a given network or multiple networks with nmap, stores the results in a database and then invokes diff on the result set to find newly opened and closed ports on a daily basis. NetDiff also will detect any systems newly added to or removed from the network, which can be useful for spotting, for example, that rogue wireless access point surreptitiously plugged into your network by the marketing department.

NetDiff packages and documentation can be found on ftp.engardelinux.org. For those running EnGarde Secure Linux, I've written a WebTool module and packaged NetDiff rpm packages so you can simply install the packages and their required prerequisites and then configure your networks and later view the reports from within the EnGarde WebTool environment.

NetDiff reports will display any network changes in a diff style format, prepending newly added lines with a '+' and removed lines with a '-'. For example, in the following NetDiff report we can see that the host at 192.168.42.64 was disconnected since the last scan, a host at 192.168.42.127 was connected, and a telnet service was started on 192.168.42.1. Investigating these results against preplanned administration work is an exercise for the sysadmin reading the report. Perhaps the telnet port was opened for a reason, but perhaps a hacker has penetrated that system and opened the port for nefarious purposes. 

#
# NetDiff Report
#
# Networks scanned :
# 192.168.42.0/24
#
# Last scan completed :    2005-07-03 02:05:43
# Scan started :    2005-07-04 01:00:01
# Scan completed :    2005-07-04 02:06:31
# Hosts Scanned/Found :    35/35
#

192.168.42.64        ** MISSING **
192.168.42.64        ** CHANGED **
-192.168.42.64        Status    up
-192.168.42.64        Extra Ports    filtered 1662
-192.168.42.64        Port 80        http closed table 3
----------------------------------------------------------------------------192.168.42.127        ** NEW HOST **
192.168.42.127        ** CHANGED **
+192.168.42.127        Status    up
+192.168.42.127        Extra Ports    filtered 1662
+192.168.42.127        Port 80        http closed table 3
----------------------------------------------------------------------------192.168.42.1        ** CHANGED **
-192.168.42.1        Extra Ports    closed 1663
+192.168.42.1        Extra Ports    closed 1662
+192.168.42.1        Port 23        telnet open table 3
----------------------------------------------------------------------------
Setting up netdiff to run daily will allow you a quick and easy way to view your recent network changes. Discovering an newly opened port on your network can be a telltale sign of a hacker's penetration or simply another sysadmin's mistake, but you'll know about it immediately and can take action to investigate the offending port and server. No scanning or reporting tool can replace a competent sysadmin, but a good reporting tool can guide a sysadmin towards anomalies on his or her network that require further sleuthing.

Until next time, stay secure, and know your network like the back of your hand. I'll see you again soon, in the next episode of Hacks From Pax.
--
Pax Dickinson has over ten years of experience in systems administration and software development on a wide variety of hardware and software platforms. He is currently employed by Guardian Digital as a systems programmer where he develops and implements security solutions using EnGarde Secure Linux. His experience includes UNIX and Windows systems engineering and support at Prudential Insurance, Guardian Life Insurance, Philips Electronics and a wide variety of small business consulting roles.