Monitor open ports and listening processes

Q One of our Linux servers was hacked recently and a backdoor shell installed. This resulted in considerable downtime as our co-location provider, with whom we host a rack of eight servers, unplugged the compromised server until it was repaired by our engineers over a remote console. The compromise had gone undetected for over a week until a third party filed a complaint, which prompted the hosting provider to pull our server offline. We adopted ideas for looking for signs of a compromise and since the incident we have scripted various checks to run daily on each server. Could you please recommend an easy way of monitoring which ports are open on each of our servers to help alert us of any unwanted listening processes on any of our servers?

A A hardware firewall or an iptables configuration on each host should be your first line of defence, configured to block traffic to all ports on a server except for the services a particular host is configured to listen on. Instead of having each server portscan itself, it may be a good idea to designate one of the servers on the network switch to do all the scanning, thus giving a true third-party perspective. Nmap (www.insecure.org/nmap) would be my tool of choice for, among other things, scanning an IP for listening ports. For example, a basic scan of 192.168.100.100 for all listening TCP ports in the range 1-8,000 could be:

$ nmap -p 1-8000 192.168.100.100

To simplify handling the results, you could use a script such as nmap-audit (http://heavyk.org/nmap-audit/).

In conjunction with Cron, nmap-audit can be used to email the administrator details of just those ports that have been newly opened.
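The "report only what is newly open" idea behind the cron job above, as an added example that is not part of the column and not nmap-audit's own code: a small POSIX sh script that reduces nmap's grepable output (nmap -oG) to one line per open port, then compares today's list against a baseline saved when the servers were known clean. The file paths and the mail recipient in the comments are placeholders, and the scan output fed to the demo is constructed, not real.

```shell
#!/bin/sh
# Added example (not from the column, not nmap-audit): a minimal "what changed?"
# check over nmap's grepable output, meant to run on the designated scanning host
# under cron. It prints only ports that were not open at baseline time, so an
# empty result means nothing new is listening.

LC_ALL=C; export LC_ALL   # fixed collation so sort and comm agree

# extract_open_ports: read nmap -oG output on stdin and emit one "host port/proto"
# line per OPEN port, sorted and de-duplicated. Filtered and closed ports are dropped.
# The -oG "Ports:" field looks like: 22/open/tcp//ssh///, 80/open/tcp//http///
extract_open_ports() {
    awk '
    /^Host:/ && /Ports:/ {
        host = $2
        sub(/.*Ports: /, "")               # keep only the port list
        sub(/[ \t]+Ignored State:.*/, "")  # drop the trailing summary nmap appends
        n = split($0, entry, ", ")
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")        # f[1]=port f[2]=state f[3]=protocol
            if (f[2] == "open") print host, f[1] "/" f[3]
        }
    }' | sort -u
}

# new_ports BASELINE CURRENT: lines in CURRENT that are absent from BASELINE.
# Both files come from extract_open_ports, so both are already sorted for comm.
new_ports() {
    comm -13 "$1" "$2"
}

# Scheduled use from cron on the scanning host (paths and address are placeholders;
# baseline.txt is written once after the servers have been verified clean):
#   nmap -p 1-8000 -oG - 192.168.100.100 | extract_open_ports > /var/lib/portaudit/current.txt
#   new_ports /var/lib/portaudit/baseline.txt /var/lib/portaudit/current.txt \
#       | mail -s "newly opened ports" admin@example.invalid

# demo: constructed scan output (not real data). Since the baseline, the host has
# gained a listener on 8080/tcp; 443 is filtered, so it is not reported.
demo() {
    dir=$(mktemp -d)
    printf 'Host: 192.168.100.100 ()\tStatus: Up\nHost: 192.168.100.100 ()\tPorts: %s\tIgnored State: closed (7998)\n' \
        '22/open/tcp//ssh///, 80/open/tcp//http///' \
        | extract_open_ports > "$dir/baseline.txt"
    printf 'Host: 192.168.100.100 ()\tStatus: Up\nHost: 192.168.100.100 ()\tPorts: %s\tIgnored State: closed (7996)\n' \
        '22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///, 8080/open/tcp//http-proxy///' \
        | extract_open_ports > "$dir/current.txt"
    new_ports "$dir/baseline.txt" "$dir/current.txt"
    rm -rf "$dir"
}

demo
```

Running the script prints `192.168.100.100 8080/tcp`, the one listener that was not in the baseline. Because the comparison is against a saved list rather than against the previous day's scan, a backdoor that appears and stays open keeps being reported until someone either removes it or deliberately updates the baseline, which is the behaviour you want for the scenario described in the question.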
