Hem  |  
Anpassa  |  
Översikt  |  
English  |  
Lunds universitet
 
top image
Om
Utbildning
Kontakt
Forskning
Kalendarium
Intern
Datavetenskap
Peter Möller

open_ports.sh 2.0

Content:

About the script
Installation
Update
Function check
Stop / deinstall
Description of the components
Tested distributions

 

About the Script

The script open_ports.sh shows which currently open network connections your computer has -- both outgoing and incoming.

Fist a note on security: the script must run as root – otherwise it would only see the network connections of the user that is running the script. Also, the previous auto-update of the script has been removed. If you want to play with it, please do so (just don't update since it will “restore” an original copy! :-) I have tried to comment it thoroughly, but if you have questions, please email me!

It works on Linux as well (the same script). For tested distros, see the final point!

On a Mac you can use it with GeekTool (not included) to see the result on the desktop:


(click for a larger image)

This is what it can look like when you are behind a NAT-router:


On a Linux-computer, it looks like this (you can use conky or root tail or something similar to ”smear” the output on the display):

(click for a larger image)

For outgoing traffic, the following information is displayed:
• Program
• Port
• User
• Number of connections
• The server you are connected to
• Where in the world (country and city) this machine is located

It also reports what is running and is waiting for traffic from the outside. For listening ports, the following is reported:
• Protocol (IPv4 or IPv6)
• Program
• User
• Port
• ”Servicerange”, i.e. who are being served (some services only serve the local machine or subnet))

The script is run by the system owner ”root” every other minute (using launchd on the Mac and cron on Linux) and uses the command lsof to gather data in a number of files (see below). When the script is run by a normal user (for instance with GeekTool) the data files are analyzed and the result is presented.

Checks

• every other hour the checksum of the lsof command is checked to detect an intrusion that alters the lsof binary (see this picture)
• the access right of the data files
• that the data files exist (warns otherwise, see this picture)
• that the launchd-component is running (Mac-only, see this picture)
• that the data files are younger than 1 hour (see this picture)
• that we have an IP-adress at all (see this picture)

Once every hour the external IP-address of the computer is checked (if you are behind a NAT-router) and if it changes this is noted in a ”diary” (so that in retrospect, you can see where you have been :-).

Explanation of colors:

red background process is owned by root
red text the IP-number does not have a corresponding DNS-name
blue text the IP-number is being matched by severad DNS-names
green text the protocol is "safe" (ssh, https, imaps, smtps, scp, sftp) or the program is sshd

 

Installation

  1. Fetch the install-script from
    http://fileadmin.cs.lth.se/cs/Personal/Peter_Moller/scripts/open_ports_install.sh (Mac)
    http://fileadmin.cs.lth.se/cs/Personal/Peter_Moller/scripts/open_ports_install_linux.sh (Linux)
  2. Start a terminal
  3. Become root:
    Mac: if you are a normal user, type sudo adminusernamne and then sudo -i; if you are an admin-user, type sudo -i.
    Linux: type su -
  4. Set access rights for the install script:
    chmod 755 open_ports_install.sh or open_ports_install_linux.sh (you must locate it)
  5. Run the script:
    ./open_ports_install.sh or open_ports_install_linux.sh
  6. The installation is normally quick. For Linux, that all. On a Mac it ands with GeekTool being opened. To install it, double-click it's .PrefPane
  7. In GeekTool: click the icon named ”Shell” and drag it to an empty part of the desktop (must be free of windows). Size it as well.
  8. A ”Properties”-window opens. What you need to enter is:
    • Command: open_ports.sh
    • Refresh every: 120 s
    • Change font to a monospace-one (I'm using Menlo and white font color)
  9. Now you may close GeekTool

Note that GeekTool doesn't move things around if you change the number of monitors (for instance a portable computer with external displays). It will, however be visible again when you restore the monitor setting!

Also note that the script will start automatically after a reboot!

 

Update the script

The script no longer auto-updates. You must update it manually! (massive feedback from MacOSX Hints about this).

You update the script manually by running, as root, the following command in a terminal window:
open_ports.sh -u

It will fetch the latest version of the script and install it (if it is different that what you have). If you already have the latest version it will tell you!

You can also get it directly:
curl fileadmin.cs.lth.se/cs/Personal/Peter_Moller/scripts/open_ports.sh > /usr/bin/open_ports.sh
chmod 755 /usr/bin/open_ports.sh

 

Function check

You can run the script anytime (in a terminal window). What happens depends on who is running it:
• if you are root new data is generated (but now shown)
• for any other user you will see the output

If it doesn't report any connection, you can double check this by running the following (as root):
lsof +c 0 -i 4 -n | grep EST
If that also is empty, the the report is correct.

 

Stop / deinstall

If you don't want to see the data (but continue gathering of data) all you have to do is quit GeekTool.

You stop execution by (as root) issuing the following commands in a terminal window:
launchctl stop se.lth.cs.open_ports
launchctl unload /Library/LaunchDaemons/se.lth.cs.open_ports.plist

You deinstall by also issue::
rm -rf /usr/bin/open_ports.sh  (the script)
rm -rf /Library/LaunchDaemons/se.lth.cs.open_ports.plist  (the gather control)
rm -rf /Library/cs.lth.se/OpenPorts  (the data files)

 

Description of the components

The components are these:

/usr/bin:
open_ports.sh The script that is being used both to gather data and display them
/Library/LaunchDaemons:(only Mac)
se.lth.cs.open_ports.plist Control-script for launchd; makes  open_ports.sh run every 120 second to gather data
/Library/cs.lth.se (Mac)    /usr/share/cs.lth.se (Linux)
ip_cache.txt Growing number of IP-number and their geographical location (to speed up the execution of the script)
This is used by many scripts!!
/Library/cs.lth.se/OpenPorts (Mac)    /usr/share/cs.lth.se/OpenPorts (Linux)
Checksum.txt Checksum for /usr/sbin/lsof. Is checked every 2 hours to detect intrusions
ExternIP.txt The external IP-adress of the computer. Is used if you are behind a NAT-router
ExternIP_history.txt ”Diary” of where the computer has been; IP-number, time and  geographical location (checked once every hour)
ip4.txt Data for ESTABLISHED-IPv4 connections. Updated every 2 minutes
ip6.txt Data for ESTABLISHED-IPv6 connections. Updated every 2 minutes
ip_locate_cache.txt Data for the latest GeoIP-lookup
listen.txt List of LISTEN-ports. Updated every 2 minutes

 

 

Tested distributions

Apart from Mac OS X (on which the script has been developed) the following distros have been tested with open_ports.sh:

• Mandriva 2010
• Kubuntu

Please email me about news from other distros!

Frågor om innehållet: Peter Möller
Webbtekniska frågor: webmaster@lth.se
Senast uppdaterad: 2011-07-13

Institutionen för Datavetenskap Box 118, 221 00 Lund. Telefon: 046-222 80 40