Auditing your network periodically is crucial: it helps you identify the parts of your network that pose a security risk.
In this article we use Nmap as a network monitor that helps you detect a potential security breach by identifying the hosts connected to your network and the services running on them, such as the File Transfer Protocol (FTP) and the Hypertext Transfer Protocol (HTTP).
Nmap is a popular open-source tool for network discovery and security auditing, first released by Gordon Lyon in 1997.
The monitoring solution described here uses tools from the Nmap project to detect changes on the network by comparing the results of two port scans: a saved baseline scan and a fresh scan. The comparison is done with the ndiff tool, and when a change is detected an e-mail describing it is sent to the network administrator.
The monitoring system consists of a bash script, cron, Nmap and ndiff.
Installation:
Ubuntu:
$ sudo apt-get update
$ sudo apt-get install nmap ndiff bsd-mailx
CentOS:
$ sudo yum install nmap ndiff mailx
To set up this monitoring system we need to do a few things:
1) First, create a directory to hold the files used by the monitoring system. It lives under /usr/local, so this needs root:
$ sudo mkdir /usr/local/monitoring-nmap/
2) Next, scan the target machines and save the results in XML format in that directory. Use exactly the scan options the monitoring script will use later (its NMAP_FLAGS value), and run the scan as the same user the cron job will run as: nmap chooses a SYN scan when run as root and a TCP connect scan otherwise, and a baseline taken with different options or privileges will show up as a change on the very first comparison.
$ cd /usr/local/monitoring-nmap/
$ sudo nmap -oX nmap_base_scan.xml -n -sV -Pn -p- -T4 <target>
NOTE: Never scan IP addresses that do not belong to you unless you have explicit permission to do so, as stated in IDrive Compute's Acceptable Use Policy ('AUP').
If you want a test run, you can use scanme.nmap.org, a host the Nmap project provides for practising with Nmap. It is intended for a few scans a day, so use it for the one-off test only and do not point the hourly cron job at it.
3) Now create a shell script named nmap-mon.sh in /usr/local/monitoring-nmap/ with the following contents:
#!/bin/bash
# nmap-mon.sh: rescan the target and mail the admin when ndiff reports a change.
set -u

NETWORK="YOURTARGET"
ADMIN="YOUR@EMAIL.COM"
# Keep these identical to the flags used for the baseline scan.
NMAP_FLAGS="-n -sV -Pn -p- -T4"
BASE_PATH=/usr/local/monitoring-nmap/
BIN_PATH=/usr/bin/
BASE_FILE=nmap_base_scan.xml
NDIFF_FILE=ndiff.log
NEW_RESULTS_FILE=nmap_new_scan.xml
BASE_RESULTS="$BASE_PATH$BASE_FILE"
NEW_RESULTS="$BASE_PATH$NEW_RESULTS_FILE"
NDIFF_RESULTS="$BASE_PATH$NDIFF_FILE"

if [ ! -f "$BASE_RESULTS" ]; then
    echo "Baseline $BASE_RESULTS not found; run the base scan first" >&2
    exit 1
fi

echo "Checking host $NETWORK"
# NMAP_FLAGS is deliberately unquoted so that it splits into separate options.
if ! "${BIN_PATH}nmap" -oX "$NEW_RESULTS" $NMAP_FLAGS "$NETWORK"; then
    echo "nmap failed; not comparing an incomplete scan" >&2
    exit 1
fi

# ndiff exits 0 when the scans are identical, 1 when they differ and 2 on
# error. Test that status rather than counting output lines: the text report
# starts with a banner line per scan (version, start time, command line), so
# it is not empty even when nothing on the network changed.
"${BIN_PATH}ndiff" "$BASE_RESULTS" "$NEW_RESULTS" > "$NDIFF_RESULTS"
status=$?
case $status in
    0) echo "No changes detected in $NETWORK" ;;
    1) echo "Network changes detected in $NETWORK"
       cat "$NDIFF_RESULTS"
       echo "Alerting admin $ADMIN"
       mail -s "Network changes detected in $NETWORK" "$ADMIN" < "$NDIFF_RESULTS" ;;
    *) echo "ndiff failed (exit status $status) on $NETWORK" >&2; exit 1 ;;
esac
Update the following configuration values at the top of the script to match your system:
NETWORK: the host or network to monitor, for example 192.0.2.10 or 192.0.2.0/24.
ADMIN: the e-mail address that receives the alerts.
NMAP_FLAGS: the scan options; keep them identical to the ones used for the baseline scan, otherwise the first comparison reports every port that only one of the two scans covered.
BASE_PATH: the directory created in step 1 (/usr/local/monitoring-nmap/).
BIN_PATH: the directory containing nmap and ndiff; /usr/bin/ for the distribution packages installed above (check with "which nmap ndiff").
BASE_FILE, NEW_RESULTS_FILE and NDIFF_FILE: the file names of the baseline scan, the latest scan and the diff; the defaults can be left as they are.
4) Make nmap-mon.sh executable by entering the following command:
$ chmod +x /usr/local/monitoring-nmap/nmap-mon.sh
5) Run the script once, as root (the user the cron job below will run as), to make sure it works as expected:
$ bash /usr/local/monitoring-nmap/nmap-mon.sh
6) To run the monitoring script periodically, open the root crontab in an editor:
# crontab -e
7) Add the following line:
0 * * * * /usr/local/monitoring-nmap/nmap-mon.sh
This runs the script at the start of every hour. Adjust the schedule to your needs, but keep the interval longer than a full scan takes: -sV combined with -p- against a large network can easily run for more than an hour, and cron will start a second copy while the first is still running (wrap the command with flock(1) if you want overlapping runs skipped).
You should now receive e-mail alerts whenever ndiff detects a change in your network. The script keeps comparing against the same baseline, so once a reported change has been reviewed and accepted, copy nmap_new_scan.xml over nmap_base_scan.xml to make it the new baseline; otherwise the same diff is mailed on every run.
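To see what ndiff is actually comparing, and to cut the alert down to the changes that matter, here is an added Python example (Python being the language ndiff itself is written in); it is not code from the original article or from the Nmap project. It parses two Nmap XML result files with the standard library, lists every host and port difference, and then keeps only the kinds an administrator should be mailed about (a new host, a lost host, a newly open port) while dropping service version churn. The two XML documents are constructed samples rather than real scan output, the addresses are from the 192.0.2.0/24 documentation range, and the ALERT_KINDS selection is an assumption to adapt to your own environment.

```python
import xml.etree.ElementTree as ET

# Constructed sample Nmap XML results for this example (trimmed to the elements
# compared below); these are not real scan output.
BASE_XML = """<nmaprun scanner="nmap" args="nmap -oX base.xml -n -sV -Pn -p- -T4 192.0.2.0/29">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
    <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
  </ports></host>
</nmaprun>"""

NEW_XML = """<nmaprun scanner="nmap" args="nmap -oX new.xml -n -sV -Pn -p- -T4 192.0.2.0/29">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.24.0"/></port>
    <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="8.0.35"/></port>
  </ports></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
  </ports></host>
</nmaprun>"""

# Which kinds of change deserve a mail; an assumption for this example.
# "service_changed" (a version string moved after an update) is usually noise.
ALERT_KINDS = ("host_up", "host_down", "newly_open")


def parse_scan(xml_text):
    """Map each host that is up to {(protocol, port): (state, service label)}."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:  # fall back to whatever address nmap recorded
            addr_el = host.find("address")
        ports = {}
        for port in host.findall("ports/port"):
            key = (port.get("protocol"), int(port.get("portid")))
            svc = port.find("service")
            fields = () if svc is None else (svc.get("name"), svc.get("product"), svc.get("version"))
            ports[key] = (port.find("state").get("state"), " ".join(f for f in fields if f))
        hosts[addr_el.get("addr")] = ports
    return hosts


def classify(before, after):
    """Name the transition between two (state, label) tuples for one port."""
    if before[0] != after[0]:
        if after[0] == "open":
            return "newly_open"
        if before[0] == "open":
            return "no_longer_open"
        return "state_changed"
    return "service_changed"


def diff_scans(base, new):
    """Return [(addr, protocol, port, kind, before, after)] ordered by host and port."""
    changes = []
    for addr in sorted(set(base) | set(new)):
        if addr not in base:
            changes.append((addr, None, None, "host_up", None, None))
        elif addr not in new:
            changes.append((addr, None, None, "host_down", None, None))
        else:
            for key in sorted(set(base[addr]) | set(new[addr])):
                # A port missing from one file was not reported in any state there.
                before = base[addr].get(key, ("absent", ""))
                after = new[addr].get(key, ("absent", ""))
                if before != after:
                    changes.append((addr, key[0], key[1], classify(before, after), before, after))
    return changes


def alert_worthy(changes, kinds=ALERT_KINDS):
    """Keep only the changes an administrator should be mailed about."""
    return [c for c in changes if c[3] in kinds]


def format_report(changes):
    """Render changes one per line, in the spirit of ndiff's text output."""
    lines = []
    for addr, proto, port, kind, before, after in changes:
        if port is None:
            lines.append(f"{addr}: {kind}")
        else:
            lines.append(f"{addr} {proto}/{port}: {kind} "
                         f"({' '.join(before).strip()} -> {' '.join(after).strip()})")
    return "\n".join(lines)


def example_changes():
    """The differences between the two constructed scans above."""
    return diff_scans(parse_scan(BASE_XML), parse_scan(NEW_XML))


if __name__ == "__main__":
    print(format_report(example_changes()))
    print("--- alert-worthy ---")
    print(format_report(alert_worthy(example_changes())))
```

Run as is, it prints four differences (a newly open FTP port, an nginx version change, a MySQL port that went from filtered to open, and a new host) and then the three that survive the ALERT_KINDS filter. To use it in place of ndiff in the cron job, read nmap_base_scan.xml and nmap_new_scan.xml instead of the embedded samples and send the mail only when alert_worthy() returns a non-empty list.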