Network Monitoring - Nmap

Hello hello,

Every day systems are being scanned, compromised and misused. Attackers use all kinds of different tools to do this. Nmap is one of the best known tools out there to scan a system for potentially open or vulnerable services. Nmap is able to give you very detailed information about a system in a very short time. As a system administrator it is important to know what hackers are looking for. Understanding an attacker is important when it comes to security. Unknown changes (new services, new open ports and so on) are one of the signals a compromised system will show. I wrote an extremely simple shell script that lets you scan your network and look for differences since the last scan.

#!/bin/sh
# This script requires nmap (apt-get install nmap) and
# mailutils (apt-get install mailutils)
TODAY=$(date +%d-%m-%y)
# -oA writes scan-<date>.xml, .nmap and .gnmap; ndiff compares the XML files
nmap -T5 -sV -oA "scan-$TODAY" <ip|iprange> > /dev/null
# On the very first run there is no previous scan to compare against,
# so only diff and mail when scan-old.xml already exists
if [ -f scan-old.xml ]; then
    ndiff scan-old.xml "scan-$TODAY.xml" > "scan-diff_$TODAY"
    mail -s "<subject>" <email> < "scan-diff_$TODAY"
fi
cp "scan-$TODAY.xml" scan-old.xml
# Remove all created files except scan-old.xml (needed for next scan)
#rm -rfv "scan-$TODAY"*
#rm -rf "scan-diff_$TODAY" # Keep it for history tracking

Run this script regularly (once a week or once a month, depending on the size and importance of your network). Does the email produced by this script contain any changes that you are not aware of? That is a reason to investigate!
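The script above leaves the actual comparison to ndiff and to whoever reads the mail. As an added example (not the post's own script), the Python below does the same "what changed since the last scan" step directly on the XML that nmap -oA / -oX writes, so the result can be checked programmatically instead of eyeballed: it reports ports that appeared, ports that disappeared, and services whose banner changed. The two XML documents embedded in it are constructed sample data; the host address 192.0.2.10 and the service versions are made up.

```python
"""Compare two nmap XML scans and report newly opened, closed and changed ports.

Added example, not the post's script. Parses the nmap XML output format
(nmap -oX / the .xml file written by -oA) with the standard library only.
"""
import xml.etree.ElementTree as ET

# Constructed sample: baseline scan, one host with ssh and http open.
OLD_SCAN = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed sample: a later scan of the same host. http is gone, an
# unexpected listener on 4444 appeared, and the ssh banner changed.
NEW_SCAN = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="Dropbear sshd" version="2020.81"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
      <port protocol="tcp" portid="4444"><state state="open"/>
        <service name="unknown"/></port>
    </ports>
  </host>
</nmaprun>"""


def parse_open_ports(xml_text):
    """Return {(addr, protocol, port): service description} for open ports only."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        addr_el = host.find("address")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not part of the baseline
            svc = port.find("service")
            if svc is None:
                desc = "unknown"
            else:
                fields = (svc.get("name"), svc.get("product"), svc.get("version"))
                desc = " ".join(f for f in fields if f)
            result[(addr, port.get("protocol"), int(port.get("portid")))] = desc
    return result


def diff_scans(old_xml, new_xml):
    """Classify every difference between two scans; all three lists are sorted."""
    old = parse_open_ports(old_xml)
    new = parse_open_ports(new_xml)
    return {
        "opened": sorted(k for k in new if k not in old),
        "closed": sorted(k for k in old if k not in new),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def report(old_xml, new_xml):
    """Render the diff as text suitable for the body of a notification mail."""
    diff = diff_scans(old_xml, new_xml)
    new = parse_open_ports(new_xml)
    old = parse_open_ports(old_xml)
    lines = []
    for addr, proto, port in diff["opened"]:
        lines.append(f"NEW OPEN  {addr} {port}/{proto} ({new[(addr, proto, port)]})")
    for addr, proto, port in diff["closed"]:
        lines.append(f"CLOSED    {addr} {port}/{proto} (was {old[(addr, proto, port)]})")
    for addr, proto, port in diff["changed"]:
        lines.append(f"CHANGED   {addr} {port}/{proto}: "
                     f"{old[(addr, proto, port)]} -> {new[(addr, proto, port)]}")
    return "\n".join(lines) if lines else "No changes since last scan."


if __name__ == "__main__":
    print(report(OLD_SCAN, NEW_SCAN))
```

To use it on real files, read scan-old.xml and the new scan-<date>.xml into the two strings; a non-empty "NEW OPEN" or "CHANGED" line is exactly the unknown change the post says to investigate, while the closed-port lines are usually harmless but still worth a look.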

Cheers, Ruben.
