Using Nmap results to help harden Linux systems:
System security is not a one-and-done task. Rather, there are numerous layers to an organization's approach to security. Some of those layers are physical security of the datacenters, regular patching and maintenance of the infrastructure, continuing user-awareness education, and scanning systems for issues. This article discusses how to use the nmap and nc commands to scan a system so that you can determine the appropriate next steps. I use a few systems in my examples here. The system that does the scanning is my local Red Hat Enterprise Linux (RHEL) 8.3 computer; opendemo.usersys.redhat.com is the Red Hat Satellite 6.8 system, used because it has several open ports; and I have various target systems.
[...] Now that you have a detailed report of what's running on your systems, what do you do next? The first thing is to be sure that there are no unexpected ports open. For this, verifying with the applications team, security teams, and your coworkers might be appropriate. Next is to ensure that the exposed services are properly secured. This means taking steps such as making sure that all software is updated, that current ciphers are supported, that insecure protocols are not in use, and that default passwords for the services have been changed.
[Ed Note - The fine article then walks you through a good, basic audit of some security issues you can identify using nmap. Some uses include:
- Basic Scans
- Verifying Certificates
- Identifying Services
]
(Score: 2, Informative) by Anonymous Coward on Thursday March 11 2021, @12:01PM (8 children)
Simply run "lsof -i" or similar to find open ports. Scanning with nmap is the wrong approach.
(Score: 2, Insightful) by Anonymous Coward on Thursday March 11 2021, @02:21PM (3 children)
Nmap will find unexpected open ports on non-Linux systems, where there is no lsof. It will find open ports on IoT garbage that doesn't even have a command line. Nmap will do it all from one box, without needing to SSH into the other boxes in my house.
Nmap will find open ports on my boyfriend's computer, and asking permission to do a "security scan" on the network is easier than asking permission to run stuff directly on his computer.
Nmap will find open ports that are hidden by a rootkit, so they don't show up in `lsof -i -n`
(Score: 0) by Anonymous Coward on Thursday March 11 2021, @06:18PM (1 child)
"Nmap will find unexpected open ports on non-Linux systems"
yeah, that's not an issue.
(Score: 2) by hendrikboom on Thursday March 11 2021, @09:36PM
Just did lsof on my laptop. Wow! What a huge list.
I suspect a lot of them are things in browser tabs.
-- hendrik
(Score: 0) by Anonymous Coward on Friday March 12 2021, @12:40AM
But your boyfriend's computer is running a VPN and there are open ports but they only listen on the remote IP address. So your nmap will never see them ... it will only see the VPN transport ports. However lsof will see those open ports.
That is why nmap is generally the wrong tool.
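The thread above argues both sides: nmap sees a listener that a rootkit hides from lsof, and lsof sees a socket bound to an address nmap never scanned. As an added example (not code from the article or any commenter), the script below reconciles the two vantage points: it parses constructed `ss -tulnp` and `nmap -oG -` output, with made-up hosts, addresses, PIDs and process names, and files every port into a labelled bucket so that the article's "no unexpected ports" step has something concrete to review.

```python
"""Reconcile the network view of a host (nmap) with its local socket table (ss).

Added example for the thread above; it is not code from the original article
or any commenter.  All hosts, addresses, PIDs and process names in the sample
output are constructed.
"""
import re
from dataclasses import dataclass

WILDCARDS = {"0.0.0.0", "::", "*"}                  # bound on every address
LOOPBACK_RE = re.compile(r"^(127\.\d+\.\d+\.\d+|::1)$")
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')    # users:(("sshd",pid=1011,fd=3))


@dataclass(frozen=True)
class Listener:
    proto: str      # "tcp" or "udp"
    addr: str       # bind address with IPv6 brackets and %scope removed
    port: int
    process: str    # "name/pid", or "?" when ss could not show it (needs root)


def parse_ss(text):
    """Parse `ss -tulnp` output into a set of Listener records."""
    listeners = set()
    for line in text.splitlines():
        parts = line.split()
        # header/blank lines fail this test; listening UDP sockets show as UNCONN
        if len(parts) < 6 or parts[0] not in ("tcp", "udp") \
                or parts[1] not in ("LISTEN", "UNCONN"):
            continue
        addr, port = parts[4].rsplit(":", 1)
        addr = addr.split("%")[0].strip("[]")
        m = PROC_RE.search(line)
        process = f"{m.group(1)}/{m.group(2)}" if m else "?"
        listeners.add(Listener(parts[0], addr, int(port), process))
    return listeners


def parse_nmap_grepable(text):
    """Parse `nmap -oG -` output; returns {(proto, port)} for open ports.

    Grepable "Ports:" entries are port/state/proto/owner/service/rpc/version.
    UDP "open|filtered" is kept: it is a possible listener, not a proven one.
    """
    seen = set()
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                bits = entry.strip().split("/")
                if len(bits) >= 3 and bits[1].startswith("open"):
                    seen.add((bits[2], int(bits[0])))
    return seen


def reconcile(local, remote, scanned_ip):
    """Classify every port by which vantage point can see it.

    remote_only: open on the wire but absent locally -> hidden listener (rootkit),
                 a DNAT/redirect rule answering for the port, or the wrong target.
    firewalled:  local socket the scan should have reached but did not -> host
                 firewall, or a filter between scanner and host.
    unreachable: bound to loopback or to an address other than the one scanned
                 (the VPN case from the thread) -> scan that address as well.
    """
    reachable = {}
    findings = {"confirmed": [], "remote_only": [], "firewalled": [], "unreachable": []}
    for l in sorted(local, key=lambda x: (x.proto, x.port, x.addr)):
        if l.addr in WILDCARDS or l.addr == scanned_ip:
            reachable[(l.proto, l.port)] = l
        else:
            where = "loopback" if LOOPBACK_RE.match(l.addr) else l.addr
            findings["unreachable"].append(
                f"{l.proto}/{l.port} ({l.process}) bound to {where}, not to {scanned_ip}")
    for proto, port in sorted(remote):
        l = reachable.get((proto, port))
        if l is not None:
            findings["confirmed"].append(f"{proto}/{port} ({l.process})")
        else:
            findings["remote_only"].append(
                f"{proto}/{port} open on the wire but not in the socket table")
    for (proto, port), l in sorted(reachable.items()):
        if (proto, port) not in remote:
            findings["firewalled"].append(
                f"{proto}/{port} ({l.process}) listening on {l.addr} but not seen by the scan")
    return findings


# Constructed sample output; nothing here was captured from a real host.
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:5353        0.0.0.0:*         users:(("avahi-daemon",pid=812,fd=12))
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=700,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=1011,fd=3))
tcp   LISTEN 0      4096   0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=640,fd=4))
tcp   LISTEN 0      4096   127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1450,fd=21))
tcp   LISTEN 0      511    10.8.0.6:8080       0.0.0.0:*         users:(("python3",pid=2201,fd=4))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=1011,fd=4))
tcp   LISTEN 0      4096   *:9090              *:*               users:(("cockpit-ws",pid=1500,fd=5))
"""
NMAP_SAMPLE = (
    "# Nmap 7.91 scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "5353/open|filtered/udp//zeroconf///, 9090/open/tcp//zeus-admin///"
    "\tIgnored State: closed (1996)\n"
)

if __name__ == "__main__":
    result = reconcile(parse_ss(SS_SAMPLE), parse_nmap_grepable(NMAP_SAMPLE), "192.0.2.10")
    for category, items in result.items():
        print(category.upper())
        for item in items:
            print("  ", item)
```

Run `ss -tulnp` on the host and `nmap -sT -sU -p- -oG - <ip>` from the scanner, then hand both outputs to `reconcile` with the IP you scanned. A `remote_only` port needs a second look: it may be a hidden listener, but on a gateway it is often a DNAT or redirect rule, so check `nft list ruleset` or `iptables -t nat -L` before assuming a rootkit. `unreachable` is the VPN case from the thread: scan that address too, or scan from inside the tunnel.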
(Score: 5, Informative) by DannyB on Thursday March 11 2021, @04:50PM (2 children)
NETSTAT Command: Learn to use netstat with examples
http://linuxtechlab.com/learn-use-netstat-with-examples/ [linuxtechlab.com]
How to list open ports on Linux/Unix server
https://kerneltalks.com/tips-tricks/list-open-ports-linux-server/ [kerneltalks.com]
How To Find Out Which Port Number A Process Is Using In Linux
https://www.2daygeek.com/how-to-find-out-which-port-number-a-process-is-using-in-linux/ [2daygeek.com]
ls /etc/services
ss: ss is used to dump socket statistics.
netstat: netstat displays a list of open sockets.
lsof: lsof – list open files.
fuser: fuser – list process IDs of all processes that have one or more files open
nmap: nmap – Network exploration tool and security / port scanner
systemctl: systemctl – Control the systemd system and service manager
# ss -tnlp | grep ssh
# ss -tnlp | grep ":22"
# netstat -tnlp | grep ssh
# netstat -tnlp | grep ":22"
# lsof -i -P | grep ssh
# lsof -i tcp:22
# fuser -v 22/tcp
# nmap -sV -p 22 localhost
# systemctl status sshd
3 Simple, Excellent Linux Network Monitors
https://www.linux.com/learn/intro-to-linux/2017/10/3-simple-excellent-linux-network-monitors [linux.com]
iftop, nethogs, vnstat
http://www.ex-parrot.com/pdw/iftop/ [ex-parrot.com]
https://github.com/raboof/nethogs [github.com]
http://humdi.net/vnstat/ [humdi.net]
See also:
nettop
http://srparish.net/scripts/ [srparish.net]
ettercap
http://ettercap.sf.net/ [sf.net]
darkstat
http://purl.org/net/darkstat/ [purl.org]
ifstat
http://gael.roualland.free.fr/ifstat/ [roualland.free.fr]
gnethogs - GTK-based GUI (work-in-progress)
https://github.com/mbfoss/gnethogs [github.com]
nethogs-qt - Qt-based GUI
http://slist.lilotux.net/linux/nethogs-qt/index_en.html [lilotux.net]
hogwatch - A bandwidth monitor(per process) with graphs for desktop/web.
https://github.com/akshayKMR/hogwatch [github.com]
Linux ss Command Tutorial for Beginners (8 Examples)
https://www.howtoforge.com/linux-ss-command/ [howtoforge.com]
Find Out Which Port Number a Process is Listening on
https://vitux.com/find-out-which-port-number-a-process-is-listening-on-using-linux/ [vitux.com]
$ sudo apt install net-tools
$ sudo netstat -ltnp
$ sudo netstat -ltnp | grep -w ':80'
$ sudo apt install lsof
$ sudo lsof -i :80
$ sudo apt install psmisc
$ sudo fuser 3306/tcp
In order to view which program this process ID corresponds to, run the following command:
$ ps -p [processID] -o comm=
$ ps -p 975 -o comm=
4 Ways to Find Out What Ports Are Listening in Linux
$ sudo netstat -ltup
$ sudo netstat -lntup
$ sudo netstat -lntup | grep "nginx"
$ sudo netstat -lntup | grep ":80"
$ sudo ss -lntu
$ sudo nmap -n -PN -sT -sU -p- localhost
$ sudo lsof -i
$ sudo lsof -i :80
Nutty: GUI Network Monitoring And Information Tool For Ubuntu, Linux Mint And elementary OS
https://www.linuxuprising.com/2018/12/nutty-gui-network-monitoring-and.html [linuxuprising.com]
Top 7 commands for Linux Network Traffic Monitoring
https://linuxtechlab.com/top-7-commands-for-linux-network-traffic-monitoring/ [linuxtechlab.com]
bandwhich Shows What's Taking Up Your Network Bandwidth On Linux And macOS
https://www.linuxuprising.com/2020/01/bandwhich-shows-whats-taking-up-your.html [linuxuprising.com]
How to Watch TCP and UDP Ports in Real-time
https://www.tecmint.com/watch-tcp-and-udp-ports-in-linux/ [tecmint.com]
List All Open Ports in Linux
$ sudo netstat -tulpn
OR
$ sudo ss -tulpn
In the above command, the flag:
-t – enables listing of TCP ports.
-u – enables listing of UDP ports.
-l – prints only listening sockets.
-n – shows the port number.
-p – show process/program name.
Watch TCP and UDP Open Ports in Real-Time
$ sudo watch netstat -tulpn
OR
$ sudo watch ss -tulpn
To exit, press Ctrl+C.
And now for a commercial brake. Be sure to click subscribe. And lick that notifications button.
Why is it so difficult to break a heroine addiction?
(Score: 4, Informative) by DannyB on Thursday March 11 2021, @04:53PM (1 child)
BMON - Monitor Bandwidth from the Linux Command Line
https://www.putorius.net/bmon-monitor-bandwidth-linux-command-line.html [putorius.net]
Linux networking: 13 uses for netstat
Though it's largely been replaced in recent years, netstat is still a powerful tool providing network analytics at your fingertips.
https://www.redhat.com/sysadmin/netstat [redhat.com]
Using ifstat for Linux network statistics
https://www.redhat.com/sysadmin/ifstat-network-statistics [redhat.com]
How to Use the ss Command on Linux
https://www.howtogeek.com/681468/how-to-use-the-ss-command-on-linux/ [howtogeek.com]
The ss command is a modern replacement for the classic netstat.
How to Check for Open Ports on Debian 10
https://vitux.com/find-open-ports-on-debian/ [vitux.com]
$ sudo apt install iproute2
$ sudo ss -tulpn
Where:
-t, --tcp: To see all TCP sockets
-u, --udp: To see all UDP sockets
-l, --listening: To see all listening sockets
-p, --processes: To see which processes are using sockets
-n, --numeric: Use this option if you want to see a port number instead of service names
$ sudo apt-get install net-tools
$ sudo netstat -tulnp
Where:
-t, --tcp: To see all TCP sockets
-u, --udp: To see all UDP sockets
-l, --listening: To see all listening sockets
-p, --processes: To see which processes are using sockets
-n, --numeric: Use this option if you want to see a port number instead of service names
$ apt-get install lsof
$ sudo lsof -nP -iTCP -sTCP:LISTEN
Check open ports using the Nmap utility
$ sudo apt install nmap
$ sudo nmap -sT -p-65535 ip-address
$ sudo nmap -sT -p-65535 192.168.72.158
How to show dropped packets per interface on Linux
https://www.cyberciti.biz/faq/linux-show-dropped-packets-per-interface-command/ [cyberciti.biz]
How to Monitor Network Usage with nload in Linux
https://www.howtoforge.com/how-to-monitor-network-usage-with-nload-in-linux/ [howtoforge.com]
How to Install vnStat and vnStati to Monitor Network Traffic in Linux
https://www.tecmint.com/install-vnstat-and-vnstati-to-monitor-linux-network-traffic/ [tecmint.com]
Some features:
Statistics remain available even after system reboots
Monitor multiple network interfaces at the same time
Multiple output options
Sort the data by hour, day, month, week or get the top 10 days
Generate png graphic of the output
...more...
How to Find What IP Addresses are Connected to Linux
https://www.linuxshelltips.com/find-ip-addresses-are-connected-to-linux/ [linuxshelltips.com]
To get the list of IP addresses connected to your Linux server
$ ss -tun state connected
The 't' implies TCP connections, 'u' implies UDP connections and the 'n' implies that the command should display IP addresses in a numerical format, without name resolution.
If 'n' is not specified, the command will display the protocol name instead of its port number
How to Find and Close Open Ports in Linux
https://www.linuxshelltips.com/find-and-close-open-ports-in-linux/ [linuxshelltips.com]
run the ss command with the following syntax, to get all listening TCP sockets:
$ ss -tl
the 't' stands for TCP and the 'l' stands for Listening sockets.
to get all listening UDP ports, run:
$ ss -ul
we only need the ports which are actively listening, we pipe the output and filter it with the grep command.
$ ss -ul | grep LISTEN
We can also combine the TCP and UDP output together.
$ ss -tul | grep LISTEN
With the argument '-n' it just shows the port number which is listening.
$ ss -tuln | grep LISTEN
call ss with another argument, '-p' to list the process which is using each port (run the command as a sudo user).
$ sudo ss -tulnp | grep LISTEN
ss command examples
https://www.linuxshelltips.com/tag/ss-command-examples/ [linuxshelltips.com]
And last but not least . . .
Refresh Your Basic Maths Addition and Subtraction Skills
https://www.dummies.com/education/math/numeracy-tests/refresh-your-basic-maths-addition-and-subtraction-skills/ [dummies.com]
Why is it so difficult to break a heroine addiction?
(Score: 0) by Anonymous Coward on Thursday March 11 2021, @11:01PM
Thank you.
(Score: 1, Insightful) by Anonymous Coward on Friday March 12 2021, @04:16AM
lsof won't show all open ports all the time, surprisingly enough. It is actually best to use a combination of tools working at different layers to have any assurance you got them all. One additional thing we do is run through a list of all possible ports and attempt to bind them. More than once that has turned up ports that are listening but not found by nmap, lsof, or other tools.
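The bind-everything sweep the comment above describes, written out as an added example (not code from the thread). The idea is that whatever holds a port, including a listener a rootkit hides from ss, lsof and netstat, makes our own bind() fail with EADDRINUSE, so the list of bind failures is the list of occupied ports; diffing it against what ss reported exposes the hidden ones. The demo listener, the port window and the loopback address are assumptions for a stand-alone run.

```python
"""Find listeners by trying to bind every port yourself.

Added example for the approach the comment above describes; it is not code
from the thread.  Whatever holds a port, including a listener hidden from
ss/lsof/netstat, makes our own bind() fail with EADDRINUSE.
"""
import errno
import socket


def probe_ports(ports, addr="0.0.0.0", proto="tcp"):
    """Return the ports in `ports` that something already holds on `addr`.

    SO_REUSEADDR/SO_REUSEPORT are deliberately left unset: with them the
    kernel may let us share the port and the hidden socket would slip through.
    Binding below 1024 needs CAP_NET_BIND_SERVICE, so a full sweep runs as root.
    """
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    busy = []
    for port in ports:
        with socket.socket(family, kind) as s:
            try:
                s.bind((addr, port))
            except OSError as e:
                if e.errno == errno.EADDRINUSE:
                    busy.append(port)
                elif e.errno == errno.EACCES:
                    raise PermissionError(
                        f"{proto}/{port}: need CAP_NET_BIND_SERVICE") from e
                else:
                    raise
    return busy


def hidden_listeners(ports, visible, addr="0.0.0.0", proto="tcp"):
    """Occupied ports that `visible` (e.g. ports parsed from ss) does not list.

    EADDRINUSE also fires for outbound connections and TIME_WAIT entries on a
    port, so build `visible` from `ss -tuanp` (all sockets), not only the
    listening ones, or the diff fills with false positives.
    """
    return sorted(p for p in probe_ports(ports, addr, proto) if p not in visible)


def start_demo_listener(addr="127.0.0.1"):
    """Open a listening socket on an ephemeral port to stand in for a service
    the socket tools failed to show; returns (socket, port).  Caller closes it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((addr, 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_demo_listener()
    try:
        # Pretend the socket table showed nothing: the sweep still finds the port.
        window = range(port - 5, port + 6)
        print("hidden:", hidden_listeners(window, visible=set(), addr="127.0.0.1"))
    finally:
        srv.close()
```

For a real sweep call `hidden_listeners(range(1, 65536), visible, addr)` as root, once for TCP and once for UDP, and once per address the host actually uses (a wildcard probe on 0.0.0.0 conflicts with any address on that port, but an IPv6 listener with IPV6_V6ONLY set is only caught by probing an IPv6 address). The sweep is not silent: it briefly claims and releases every free port, which monitoring on the host will notice.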
(Score: 5, Informative) by mmh on Thursday March 11 2021, @04:17PM
That was a VERY basic blog article, showing about the bare minimum NMAP is capable of.
For anyone that doesn't know, NMAP is SUPER well documented and has a 500 page book you can buy that details how and why you'd use most of the scan types. Most of the book is available to read for free here:
https://nmap.org/book/toc.html [nmap.org]
Buy the book here:
https://www.amazon.com/dp/0979958717 [amazon.com]
(Score: 3, Interesting) by crafoo on Thursday March 11 2021, @04:19PM (3 children)
Call me a dirty uncultured animal, but I like messing with zenmap. The color coding is nice. Not like I have any idea what I am doing, which makes it all the more fun.
(Score: 0) by Anonymous Coward on Thursday March 11 2021, @06:21PM
well enjoy it while you can on your slow ass distro. the dev has failed to migrate zenmap to python 3 last I checked.
(Score: 3, Insightful) by PartTimeZombie on Thursday March 11 2021, @08:29PM
You're a dirty uncultured animal, as am I. Both for my use of zenmap and love of Emerson, Lake & Palmer.
(Score: 0) by Anonymous Coward on Friday March 12 2021, @04:24AM
A nice thing zenmap does is combine the output of multiple scans to show the aggregate result. It can greatly speed things up since you can run the scans in parallel and then analyze the results all at once.
(Score: 2) by DannyB on Thursday March 11 2021, @04:54PM (1 child)
There are three different brands of pills that can harden Linux systems.
Why is it so difficult to break a heroine addiction?
(Score: 1, Funny) by Anonymous Coward on Thursday March 11 2021, @05:34PM
Hardening is sort of useless if no open ports are available.
--
cf. ...any port in a storm.
(Score: 1, Touché) by Anonymous Coward on Thursday March 11 2021, @05:55PM
It should really be the first step in hardening your Linux system.