rpcinfo -p | awk -F " " '{print $3 ", " $4 ", " $5}' | sort | uniq

Notice!
Since portmap assigns ports on random this example is only valid as long as you don’t restart your NFS.

On my system, a RedHat Enterprise Linux WS 4, the result was

proto, port,
tcp, 111, portmapper
tcp, 2049, nfs
tcp, 32771, nlockmgr
tcp, 768, rquotad
tcp, 782, mountd
udp, 111, portmapper
udp, 2049, nfs
udp, 32768, nlockmgr
udp, 765, rquotad
udp, 779, mountd

This gave me a nice overview of protocols (tcp/udp) and ports used.

Now the rules

iptables -A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -p tcp -m state --state NEW -m multiport --dports 111,2049,32771,768,782 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -p udp -m state --state NEW -m multiport --dports 111,2049,32768,765,779 -j ACCEPT

You see that the multiport statement is just like the result of my rpcinfo command above.

Remember to save your new rules, othervise they will disappear the next time the iptables rules are being loaded.

In addition to this rule you should add the iptables rule for ssh access I wrote about earlier.

Another way to determine the ports

nmap -sC -p 111 localhost

Notice!
This solution won’t work after a reboot of the server since NFS changes ports. One way to overcome this problem is to follow the instructions in a newer post I’ve made about RedHat and NFS.

Newer versions of nmap skips TCP port 9100 because some printers simply print anything sent to that port, leading to dozens of pages of HTTP get requests, binary SSL session requests, etc. This behavior can be changed by modifying or removing the Exclude directive in nmap-service-probes, or you can specify –allports to scan all ports regardless of any Exclude directive.

If you install the package libperl-net-ping you can use the following script to see which hosts upon your LAN are alive:

#!/usr/bin/perl -w

use strict;
use Net::Ping;

my $LAN = "192.168.1.";

foreach my $octet (1 .. 255)
{
	my $pinger = Net::Ping->new();
	if ( $pinger->ping( $LAN . $octet ) )
	{
		print  $LAN . $octet . "\n";
	}
	$pinger->close();
}

Save the script as /usr/local/bin/scan-lan and make sure it’s executable by running chmod 755 /usr/local/bin/scan-lan.

This would give you a list of IP addresses which might look like the following:

192.168.1.1
192.168.1.2
192.168.1.10
192.168.1.50
192.168.1.90

With a list like that saved to text file you can now start scanning your network for services.

In order to detect changes to our network we wish to record all the services on the machines in our LAN then later rescan to detect anything different.

Using the scan-lan and nmap we can create a file for each machine that’s up containing its services.

Save this script as /usr/local/bin/make-baseline, and make it executable with “chmod 755 /usr/local/bin/make-baseline”:

#!/bin/sh

mkdir -p /var/log/scans

for i in `/usr/local/bin/scan-lan` ; do
    nmap -sV $i | grep ' open ' > /var/log/scans/$i.base
done

This is our baseline scan. With this in hand we have a list of all the hosts upon a lan which are currently up, and the services they are running.

Now we just to write another script to compare the current state to that we recorded in our baseline, this will notify us of changes.

The following script can do that job for us, save it as /usr/local/bin/scan-services:

#!/bin/sh

if [ ! -d /var/log/scans ]; then
   echo "Baseline directory isn't present"
   exit
fi

#
#  Scan all the machines
#
for i in `/usr/local/bin/scan-lan` ; do
    nmap -sV $i | grep ' open ' > /var/log/scans/$i.log
done

#
# Cleanup
#
rm /var/log/scans/*-added.txt
rm /var/log/scans/*-removed.txt
cd /var/log/scans/

#
# Find new and removed
#
for i in /var/log/scans/*.log; do
  diff --context $i ${i/.log/}.base | grep '^+ ' > `basename $i .log`-added.txt
  diff --context $i ${i/.log/}.base | grep '^- ' > `basename $i .log`-removed.txt
done

#
#  Now show the results
#
for i in /var/log/scans/*-added.txt; do
    if [ -s $i ]; then
      echo " "
      echo "The machine `basename $i -added.txt` has had the following services added:"
      cat $i
      echo " "
    fi
done

for i in /var/log/scans/*-removed.txt; do
    if [ -s $i ]; then
      echo " "
      echo "The machine `basename $i -removed.txt` has had the following services removed:"
      cat $i
      echo " "
    fi
done

If you make this executable and run it you should see no output, as your current network hasn’t changed in the past few minutes.

Delete a line or two from one or more of the .base files in the /var/log/scans directory and run it again.

This time you should see output like this:

The machine 192.168.1.1 has had the following services added:
+ 8889/tcp open  http        GNUMP3d streaming server 2.9

The machine 127.0.0.1 has had the following services removed:
- 19/tcp   open  discard?

#!/bin/bash
# filename: iplist.sh
# usage: ./iplist.sh 192.168.1.0/24 > iplist.txt

nmap -sL $1 --randomize_hosts | grep '^Host' | cut -d '(' -f 2 | cut -d
')' -f 1

Output

192.168.1.215
192.168.1.39
192.168.1.168
192.168.1.11
192.168.1.225

Lim inn følgende script kode i fila portLookup.sh

#!/bin/bash
NETWORKTARGET=$1
PORT=$2
FN="port"

# Scan Network Input File for active hosts saving IPS to $FNips.txt
nmap -sS -p $PORT -n -iL $NETWORKTARGET -oG - | grep open | awk '/[1-9].[1-9]/ {print $2}' > ${FN}ips.txt

# use nbtscan to find hostnames and generate the ip to name $FNlookup file
nbtscan -f ${FN}ips.txt | awk '/[1-9].[1-9]/ {print $1 " " $2}' > ${FN}lookup.txt

echo "Scan Complete"
echo "Port Scanned: "$PORT
NUMIPS=`cat ${FN}ips.txt | wc -l`
NUMHOSTS=`cat ${FN}lookup.txt | wc -l`
echo "Number of IPs Found: "$NUMIPS " See file ${FN}ips.txt"
echo "Number of Netbios Names Found: "$NUMHOSTS " See file ${FN}lookup.txt"

Scriptet henter data/IP-adresser fra ei tekstfil og du angir hvilken port som skal scannes på følgende måte:

portLookup.sh tekstfil portnr
portLookup.sh hosts.txt 80

Eksemplet ovenfor henter ut IP-adresser fra fila hosts.txt og scanner etter PCer med port 80 åpen.

En enkel måte å generere ei slik fil kan leses på generate a list of target hosts to nmap scan/

Resultatet legges i filene portips.txt og portlookup.txt