
Detecting changes to your network services

Posted by Steve on Thu 9 Dec 2004 at 23:52

When you have a large number of machines to look after it can be hard to keep track of changes in the network services you are running upon them. This brief article introduces a few tools and scripts which might make tracking changes easier.

When it comes to scanning machines for potentially dangerous services, or for changes in the services running upon your LAN, the first thing you must have to hand is a list of the services you expect to find and the machines they are running on. This article describes one simple implementation of such a system.

Building up a list of machines can be done in a number of ways:

  • Pinging all the hosts upon your LAN to see which machines respond.
  • Using mapping software.
  • Listing them all by hand.

Pinging all the machines has the advantage of being very simple to automate and run, however it will fail if you have machines which block ICMP packets. Network mapping software suffers from a similar flaw, but as it's usually more interactive you can rerun it regularly.

One of the many mapping tools is cheops.

Cheops scans subnets looking for machines which are up, and attempts to identify their operating systems remotely. It is a GUI application which will show you a list of results, or a small map. This is an example of the GUI mode:

[Image: Cheops graphical interface]

Pinging machines to see if they are up is a common approach, and is usually part of any monitoring solution - If you're looking to monitor availability you should certainly investigate real solutions such as Nagios (formerly known as NetSaint).

The basic approach is to ping every available address upon your subnet and see which ones are up by detecting replies.

If you install the package libperl-net-ping you can use the following script to see which hosts upon your LAN are alive:

#!/usr/bin/perl -w

use strict;
use Net::Ping;

# The first three octets of the subnet to sweep.
my $LAN = "192.168.1.";

# Probe each host address in turn and print the ones that answer.
# (Net::Ping defaults to a TCP probe of the echo port; an ICMP ping
# needs the script to run as root.)
foreach my $octet (1 .. 255)
{
        my $pinger = Net::Ping->new();
        if ( $pinger->ping( $LAN . $octet ) )
        {
                print  $LAN . $octet . "\n";
        }
        $pinger->close();
}

Save the script as /usr/local/bin/scan-lan and make sure it's executable by running chmod 755 /usr/local/bin/scan-lan.

This would give you a list of IP addresses which might look like the following:

192.168.1.1
192.168.1.2
192.168.1.10
192.168.1.50
192.168.1.90

With a list like that saved to a text file you can now start scanning your network for services.

nmap is the tool of choice for remotely identifying the services running upon a host.

It allows you to scan a machine in a variety of interesting ways, allowing you to identify the services which are running and their versions.

The general usage is:

nmap host

In our case we want to scan a machine for the services which are running, and their version numbers if they can be determined remotely. To do that we use:

nmap -sV host

(If you receive an error because that argument isn't accepted, you're not running the most recent version of nmap; the unstable archive has it. This isn't a problem, it just means you need to remove '-sV' from the command line in all the later scripts.)

An example usage and output looks like this:

skx@lappy:~$ nmap -sV 192.168.1.1

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2004-12-09 23:52 GMT

Interesting ports on sun (192.168.1.1):
(The 1656 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 3.8.1p1 (protocol 2.0)
53/tcp   open  domain?
68/tcp   open  dhcpclient?
80/tcp   open  http        Apache httpd 1.3.33 ((Debian GNU/Linux) PHP/4.3.9-1 mod_ssl/2.8.22 OpenSSL/0.9.7d)
514/tcp  open  shell?
8080/tcp open  http        Apache httpd 1.3.33 ((Debian GNU/Linux) PHP/4.3.9-1 mod_ssl/2.8.22 OpenSSL/0.9.7d)
8888/tcp open  http        GNUMP3d streaming server 2.8

Nmap run completed -- 1 IP address (1 host up) scanned in 100.270 seconds

In order to detect changes to our network we wish to record all the services on the machines in our LAN then later rescan to detect anything different.

Using scan-lan and nmap together we can create a file for each machine that's up, containing its services.

Save this script as /usr/local/bin/make-baseline, and make it executable with "chmod 755 /usr/local/bin/make-baseline":

#!/bin/sh

mkdir -p /var/log/scans

for i in `/usr/local/bin/scan-lan` ; do
    nmap -sV $i | grep ' open ' > /var/log/scans/$i.base
done

This is our baseline scan. With this in hand we have a list of all the hosts upon the LAN which are currently up, and the services they are running.

Now we just need to write another script to compare the current state to the one we recorded in our baseline; this will notify us of changes.

The following script can do that job for us, save it as /usr/local/bin/scan-services:

#!/bin/sh

if [ ! -d /var/log/scans ]; then
   echo "Baseline directory isn't present"
   exit 1
fi

#
#  Scan all the machines 
#
for i in `/usr/local/bin/scan-lan` ; do
    nmap -sV $i | grep ' open ' > /var/log/scans/$i.log
done


#
# Cleanup (-f so that a missing file on the first run isn't an error)
#
rm -f /var/log/scans/*-added.txt
rm -f /var/log/scans/*-removed.txt
cd /var/log/scans/

#
# Find new and removed.  The baseline goes first and the current scan
# second, so that '+ ' lines are services present now but absent from
# the baseline (added) and '- ' lines are baseline services that have
# gone (removed).  A changed line, e.g. a new version of the same
# service, is marked '! ' by diff and is not reported here.
# ${i%.log} is POSIX sh; the bash-only ${i/.log/} form fails under dash.
#
for i in /var/log/scans/*.log; do
  diff --context ${i%.log}.base $i | grep '^+ ' > `basename $i .log`-added.txt
  diff --context ${i%.log}.base $i | grep '^- ' > `basename $i .log`-removed.txt
done


#
#  Now show the results
#
for i in /var/log/scans/*-added.txt; do
    if [ -s $i ]; then
      echo " "
      echo "The machine `basename $i -added.txt` has had the following services added:"
      cat $i
      echo " "
    fi
done


for i in /var/log/scans/*-removed.txt; do
    if [ -s $i ]; then
      echo " "
      echo "The machine `basename $i -removed.txt` has had the following services removed:"
      cat $i
      echo " "
    fi
done

If you make this executable and run it you should see no output, as your current network hasn't changed in the past few minutes.

Delete a line or two from one or more of the .base files in the /var/log/scans directory and run it again.

This time you should see output like this:

The machine 192.168.1.1 has had the following services added:
+ 8889/tcp open  http        GNUMP3d streaming server 2.9


The machine 127.0.0.1 has had the following services removed:
- 19/tcp   open  discard?

If you schedule this to run regularly you should receive notification whenever a machine changes.
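The diff-based comparison in scan-services only reports whole lines that appear or vanish, so a version bump on an existing port (the same service, new banner) is missed, and a change in nmap's column alignment between runs can look like a change. The following is an added example, not part of the original article, that keys each scan on the port/proto column and reports added, removed and changed services; the two scan listings are constructed samples in the format the scripts above store.

```shell
#!/bin/sh
# Compare a baseline service listing against a current one, keyed on the
# port/proto column.  Added example; not from the original article.
# Input lines are the ' open ' lines kept by make-baseline/scan-services.

# Constructed sample scans for one host (not real nmap output).
BASE='22/tcp   open  ssh         OpenSSH 3.8.1p1 (protocol 2.0)
80/tcp   open  http        Apache httpd 1.3.33
8888/tcp open  http        GNUMP3d streaming server 2.8'

CURRENT='22/tcp   open  ssh         OpenSSH 3.8.1p1 (protocol 2.0)
8080/tcp open  http        Apache httpd 1.3.33
8888/tcp open  http        GNUMP3d streaming server 2.9'

# compare_scans BASEFILE CURRENTFILE
# Prints one sorted line per difference:
#   "added <port> <service>", "removed <port> <service>" or
#   "changed <port>: <old service> -> <new service>".
compare_scans() {
    awk '
        # Join the columns after port/proto with single spaces, so that
        # nmap re-aligning its columns between runs is not a "change".
        function rest(   i, v) { v = $2; for (i = 3; i <= NF; i++) v = v " " $i; return v }
        FILENAME == ARGV[1] { base[$1] = rest(); next }
        {
            seen[$1] = 1
            if (!($1 in base))           print "added " $1 " " rest()
            else if (base[$1] != rest()) print "changed " $1 ": " base[$1] " -> " rest()
        }
        END { for (k in base) if (!(k in seen)) print "removed " k " " base[k] }
    ' "$1" "$2" | sort
}

# Write the constructed samples to temporary files and compare them.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$BASE" > "$tmp/host.base"
    printf '%s\n' "$CURRENT" > "$tmp/host.log"
    compare_scans "$tmp/host.base" "$tmp/host.log"
    rm -rf "$tmp"
}

demo
```

To use it against the real files, call compare_scans on each /var/log/scans/HOST.base and HOST.log pair in place of the diff loop.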