
Using Network Monitoring and Testing Applications

In the document Setting Up LAMP: (Page 176-181)

There are many applications out there that will enable you to test your system to ensure that it’s secure. Some of these applications will require you to use a remote server to get accurate information, so it might be useful to have a second system handy. In this section, we will discuss some tools such as Nmap, Snort, traceroute and ping.

Nmap

Nmap, an abbreviation for Network Mapper, is a utility that enables system administrators and other curious people to scan large-scale networks to determine which services are accessible through a firewall.

Nmap can support many scanning techniques, such as UDP, TCP connect(), TCP SYN (half open), FTP proxy bounce attack, reverse-ident, ICMP (ping sweep), FIN, ACK sweep, XMAS Tree, SYN sweep, IP protocol, and Null scan. As you can see, this is a valuable tool for seeing how open your network is!

Nmap can be found at www.insecure.org/nmap, and you can compile or install it yourself.

Some systems come with Nmap installed by default, so you might already have it handy. Don’t worry if you do not have another Linux box around. Nmap comes with Windows binaries as well. Browse to the download section of the website and obtain a copy for the operating system you are using.

WARNING Be careful when using Nmap and do not go overboard with your scanning. If you are caught scanning networks other than your own, your activities might reflect that of a hacker, and you could face criminal charges for doing so. The bottom line: if the network is not yours, do not scan it!

Let’s take a look at how to run Nmap on your system. Let’s say your server’s IP address is 192.168.0.15. On a different computer, run the following command:

nmap 192.168.0.15

NOTE If Nmap takes an extremely long time to run, that is a good indicator that your firewall is working well. Alternatively, you can use the -F option for fast scan mode.

You should see something similar to the output in Listing 6.6. Keep in mind that you currently have the firewall running on this server.


Listing 6.6 nmap Output with Firewall Protection

[root@central root]# nmap -F 192.168.0.15
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.0.15):
(The 1146 ports scanned but not shown below are in state: filtered)
Port       State       Service
22/tcp     open        ssh
53/tcp     closed      domain
80/tcp     closed      http
443/tcp    closed      https

Nmap run completed -- 1 IP address (1 host up) scanned in 129 seconds

Notice that port 22 is open for the SSH service: the firewall permits connections to that port and the service is listening. The other three ports are reported closed because the firewall permits them but no service is listening there. The remaining 1146 ports are not listed at all because they are filtered: the firewall dropped the probes, so Nmap received no reply, which is also why the scan took 129 seconds.

Either way, this is a safe system as far as port scanning goes.

Listing 6.7 depicts what the Nmap output would look like if you were not running a firewall on the machine you are scanning.

Listing 6.7 nmap Output without Firewall Protection

[root@central root]# nmap -F 192.168.0.15
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.0.15):
(The 1147 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
111/tcp    open        sunrpc
1026/tcp   open        LSA-or-nterm

Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds

As you can see in this scan, a few more ports are open along with the services behind them. Your firewall, when enabled, does not allow port 111 (sunrpc) or port 1026 to be reached, so these ports become visible only when the firewall is turned off. Note also that the unlisted ports are now reported as closed rather than filtered, and the scan finished in 4 seconds instead of 129: without a packet filter, the host answers every probe immediately.

If you want to learn more about Nmap, you can read the manual online at www.linuxforum.com/man/nmap.1.php or visit the www.insecure.org/nmap website.
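To turn a scan like Listings 6.6 and 6.7 into a repeatable check, the following added example (not code from the book) parses the port table of a classic nmap text report, lists open ports that fall outside a hypothetical allowlist, and tells a filtering firewall from an absent one by the state of the unlisted ports. The sample report is constructed in the layout of Listing 6.7.

```python
"""Added example (not from the book): parse the port table of a classic
nmap text report and flag listeners that the firewall policy does not
expect. SAMPLE_REPORT is constructed in the layout of Listing 6.7."""
import re

SAMPLE_REPORT = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.0.15):
(The 1147 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
111/tcp    open        sunrpc
1026/tcp   open        LSA-or-nterm

Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)")
HIDDEN_LINE = re.compile(r"\(The (\d+) ports scanned but not shown below are in state: (\w+)\)")


def parse_nmap(report):
    """Return ([(port, proto, state, service), ...], (hidden_count, hidden_state))."""
    ports, hidden = [], (0, "unknown")
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        m = HIDDEN_LINE.search(line)
        if m:
            hidden = (int(m.group(1)), m.group(2))
    return ports, hidden


def unexpected_listeners(report, allowed):
    """Open ports outside the allowlist: services the firewall should be hiding."""
    ports, _ = parse_nmap(report)
    return [(port, svc) for port, proto, state, svc in ports
            if state == "open" and (port, proto) not in allowed]


def firewall_looks_active(report):
    """Unlisted ports in state 'filtered' (probes dropped silently) rather than
    'closed' (host answered with RST) is the signature of a packet filter."""
    _, (_, state) = parse_nmap(report)
    return state == "filtered"
```

Calling unexpected_listeners(SAMPLE_REPORT, {(22, "tcp"), (80, "tcp"), (443, "tcp")}) with the allowlist implied by Listing 6.6 reports ports 111 and 1026, and firewall_looks_active(SAMPLE_REPORT) is False for this firewall-off report.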


Snort

Snort is an excellent program that can report to you in real time what packets are flowing through your Ethernet devices. Basically, it’s a glorified packet sniffer with reporting options, a command-line interface, Web-based interfaces, and more.

Snort can be obtained from www.snort.org, and the documentation can be found on the website as well. We recommend that you grab it, read the documentation, and install it. Listing 6.8 shows an example of some output from Snort on one of our routers.

Listing 6.8 snort Output

[root@central root]# snort -v -i eth1
Running in packet dump mode
Log directory = /var/log/snort
Initializing Network Interface eth1

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth1

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.4 (Build 96)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)

02/04-14:01:53.910324 99.999.99.99:445 -> 99.999.99.99:3514
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x0  Ack: 0xED1F9F76  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/04-14:01:53.913537 99.999.99.99 -> 99.999.99.99:3515
TCP TTL:64 TOS:0x10 ID:0 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x6E6A222  Ack: 0xED203090  Win: 0x400  TcpLen: 28
TCP Options (4) => MSS: 256 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/04-14:01:53.993511 99.999.99.99 -> 99.999.99.99:3515
TCP TTL:64 TOS:0x10 ID:641 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x6E6A223  Ack: 0xED2030D8  Win: 0x400  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

===============================================================================
Snort analyzed 7 out of 7 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 6          (85.714%)         ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 1          (14.286%)         PASSED: 0


This listing illustrates how Snort will provide a large amount of information about what packets are coming in and going out, and which ports they are using.

If you would like to learn more about configuring and running Snort, check out the online documentation located at www.snort.org/docs.
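The flag column in Listing 6.8 (***A*R**, ***A**S*) is Snort's eight-character field laid out as 1 2 U A P R S F: two reserved bits followed by URG, ACK, PSH, RST, SYN and FIN. The following added example (not code from the book) parses a packet dump in that layout and decodes each flag combination so that, for instance, the RST/ACK sent from port 445 in the listing reads as a refused connection; the sample dump is constructed with TEST-NET addresses in place of the book's placeholders.

```python
"""Added example (not from the book): parse `snort -v` packet-dump output and
decode Snort's eight-character TCP flag field (positions 1 2 U A P R S F).
SAMPLE_DUMP is constructed in the layout of Listing 6.8 with TEST-NET addresses."""
import re

SAMPLE_DUMP = """\
02/04-14:01:53.910324 192.0.2.10:445 -> 192.0.2.20:3514
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x0  Ack: 0xED1F9F76  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/04-14:01:53.913537 192.0.2.10:22 -> 192.0.2.20:3515
TCP TTL:64 TOS:0x10 ID:0 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x6E6A222  Ack: 0xED203090  Win: 0x400  TcpLen: 28
TCP Options (4) => MSS: 256 NOP NOP SackOK
"""

HEADER = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
FLAGS = re.compile(r"^([12*UAPRSF]{8}) Seq:")
FLAG_NAMES = "12UAPRSF"


def decode_flags(field):
    """'***A*R**' -> {'A', 'R'}: every non-'*' position is a set flag."""
    return {name for name, ch in zip(FLAG_NAMES, field) if ch != "*"}


def parse_snort_dump(text):
    """Return one dict per packet: time, src (ip, port), dst (ip, port), flags."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"time": m.group(1), "src": (m.group(2), int(m.group(3))),
                       "dst": (m.group(4), int(m.group(5))), "flags": set()}
            packets.append(current)
            continue
        m = FLAGS.match(line)
        if m and current is not None:
            current["flags"] = decode_flags(m.group(1))
    return packets


def describe(pkt):
    """Plain-language reading of the TCP flag combination."""
    f = pkt["flags"]
    if f == {"A", "R"}:
        return "RST/ACK: %s:%d refused the connection" % pkt["src"]
    if f == {"A", "S"}:
        return "SYN/ACK: %s:%d accepted the connection" % pkt["src"]
    if f == {"S"}:
        return "SYN: connection attempt to %s:%d" % pkt["dst"]
    return "flags %s" % "".join(c for c in FLAG_NAMES if c in f)
```

The header regex only matches TCP and UDP headers that carry ports, so the ICMP packet counted in the listing's summary would be skipped by this parser.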

Ping

The almighty Ping utility is the simplest and sometimes the most effective utility to use. It can indicate whether the server is up or responsive and can provide the general state of the connection. However, keep in mind that ping requests can be blocked by firewalls, so it is not always as useful as you might hope.

Simply run ping linuxforum.com and check the output. It should be similar to Listing 6.9.

Listing 6.9 ping output

[root@central root]# ping linuxforum.com
PING linuxforum.com (66.98.196.36) 56(84) bytes of data.
64 bytes from smeagol.thewebfreaks.com (66.98.196.36): icmp_seq=1 ttl=54 time=29.4 ms
64 bytes from smeagol.thewebfreaks.com (66.98.196.36): icmp_seq=2 ttl=54 time=27.0 ms
64 bytes from smeagol.thewebfreaks.com (66.98.196.36): icmp_seq=3 ttl=54 time=33.4 ms

--- linuxforum.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2023ms
rtt min/avg/max/mdev = 27.062/29.972/33.408/2.617 ms

This tells you that the server is responding to your requests and that the average ping time for each of the responses is about 29 milliseconds.

We have seen times when a server is not responding to HTTP, SSH, or any other requests, but the ping time is good. This could mean that your server is under serious load and it cannot process much more than a ping. In this case, it would be a good idea to reboot it or hope that the load lifts and lets you back in within a few minutes.

Traceroute

The Traceroute utility is a lifesaver when trying to figure out routing problems. Sometimes you might have problems with your Internet connection and your ISP tells you that the problem is not on their end. The best way to tell who is not telling the truth is to pull up Traceroute and analyze the results. If you have five-millisecond route times to the first four routers, chances are your trusty ISP was telling you the truth. Let’s test this out. Listing 6.10 shows a traceroute to yahoo.com.

Listing 6.10 traceroute to yahoo.com

[root@lightning root]# traceroute yahoo.com
traceroute to yahoo.com (66.218.71.198), 30 hops max, 38 byte packets
 1  207.44.240.1 (207.44.240.1)  0.465 ms  0.433 ms  0.320 ms
 2  ivhou-207-218-245-48.ev1.net (207.218.245.48)  0.480 ms  0.622 ms  0.487 ms
 3  ge-1-0-0.r00.hstntx01.us.bb.verio.net (129.250.10.145)  1.316 ms  1.131 ms  1.153 ms
 4  p16-1-1-1.r21.dllstx09.us.bb.verio.net (129.250.5.42)  11.646 ms  11.712 ms  11.641 ms
 5  p16-7-0-0.r01.dllstx09.us.bb.verio.net (129.250.2.195)  9.309 ms  9.212 ms  9.140 ms
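The reasoning above, that low round-trip times through the first few routers clear the ISP, comes down to finding the hop at which latency first jumps. The following added example (not code from the book) parses traceroute output in the layout of Listing 6.10, takes the median of each hop's three probes so one slow probe does not mislead, and reports the first hop whose median rises more than a chosen threshold over the previous hop, plus any hops that did not answer; the sample is constructed from the listing's first five hops with a hypothetical unresponsive sixth hop added.

```python
"""Added example (not from the book): parse traceroute output and report the
first hop at which round-trip time jumps, plus hops that did not answer.
SAMPLE_TRACE is constructed from Listing 6.10; hop 6 is a hypothetical addition."""
import re

SAMPLE_TRACE = """\
traceroute to yahoo.com (66.218.71.198), 30 hops max, 38 byte packets
 1  207.44.240.1 (207.44.240.1)  0.465 ms  0.433 ms  0.320 ms
 2  ivhou-207-218-245-48.ev1.net (207.218.245.48)  0.480 ms  0.622 ms  0.487 ms
 3  ge-1-0-0.r00.hstntx01.us.bb.verio.net (129.250.10.145)  1.316 ms  1.131 ms  1.153 ms
 4  p16-1-1-1.r21.dllstx09.us.bb.verio.net (129.250.5.42)  11.646 ms  11.712 ms  11.641 ms
 5  p16-7-0-0.r01.dllstx09.us.bb.verio.net (129.250.2.195)  9.309 ms  9.212 ms  9.140 ms
 6  * * *
"""

HOP = re.compile(r"^\s*(\d+)\s+(.*)$")
RTT = re.compile(r"([\d.]+) ms")


def parse_traceroute(text):
    """Return [(hop, host_or_None, [rtt_ms, ...])]; a '* * *' hop has no RTTs."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if not m:
            continue  # the "traceroute to ..." banner and anything unexpected
        body = m.group(2)
        rtts = [float(x) for x in RTT.findall(body)]
        host = None if body.startswith("*") else body.split()[0]
        hops.append((int(m.group(1)), host, rtts))
    return hops


def first_latency_jump(hops, ms_threshold=5.0):
    """Hop number where the median RTT first rises more than ms_threshold
    over the previous answering hop, or None if latency stays flat."""
    prev = None
    for hop, _, rtts in hops:
        if not rtts:
            continue
        median = sorted(rtts)[len(rtts) // 2]
        if prev is not None and median - prev > ms_threshold:
            return hop
        prev = median
    return None


def unresponsive_hops(hops):
    """Hop numbers that returned no probe replies at all."""
    return [hop for hop, _, rtts in hops if not rtts]
```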

