Computer Science

Lunds Tekniska Högskola

open_ports.sh 2.6

NEW! Version 2.3 brings back the geo lookup – yay! :-)
Version 2.4 displays all active network interfaces, in the correct order!
New in version 2.6: open_ports has moved to GitHub: https://github.com/Peter-Moller/open-ports

About the Script

The script open_ports.sh shows which currently open network connections your computer has -- both outgoing and incoming.

First a note on security: the script must run as root – otherwise it would only see the network connections of the user running it. Also, the previous auto-update of the script has been removed. If you want to play with it, please do so (just don't update, since that will "restore" an original copy! :-) I have tried to comment it thoroughly, but if you have questions, please email me!

It works on Linux as well (the same script). For tested distros, see the final section!

On a Mac you can use it with GeekTool (not included) to see the result on the desktop (screenshot omitted).

This is what it can look like when you are behind a NAT-router (screenshot omitted).

On a Linux computer it looks like this (you can use conky or root-tail or something similar to "smear" the output on the display; screenshot omitted).

For outgoing traffic, the following information is displayed:
• Program
• Port
• User
• Number of connections
• The server you are connected to
• Where in the world (country and city) this machine is located

It also reports what is running and waiting for traffic from the outside. For listening ports, the following is reported:
• Protocol (IPv4 or IPv6)
• Program
• User
• Port
• "Service range", i.e. who is being served (some services only serve the local machine or subnet)

The script is run by the system owner "root" every other minute (using launchd on the Mac and cron on Linux) and uses the command lsof to gather data into a number of files (see below). When the script is run by a normal user (for instance via GeekTool) the data files are analyzed and the result is presented.

Checks

• every other hour the checksum of the lsof command is verified, to detect an intrusion that alters the lsof binary
• the access rights of the data files
• that the data files exist (warns otherwise)
• that the launchd component is running (Mac only)
• that the data files are younger than 1 hour
• that we have an IP-address at all

Once every hour the external IP-address of the computer is checked (if you are behind a NAT-router) and if it has changed this is noted in a "diary" (so that in retrospect you can see where you have been :-).
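The checks listed above and the hourly IP "diary" are simple to express as shell functions. The following is an added example, not code from open_ports.sh: it shows a binary-integrity check of the kind the script does for lsof (record a SHA-1 once, compare later), the "younger than 1 hour" freshness test for a data file, and a diary that only gets a new line when the external IP differs from the last one recorded. It runs against constructed temporary files, so it works offline; the file names, the 60-minute limit, the diary line format (time and IP only, no geo lookup) and the return codes are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not code from open_ports.sh: integrity, freshness and
# external-IP diary checks against constructed temporary files.

# SHA-1 of a file; sha1sum on Linux, shasum on macOS.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# Store the reference checksum of a binary (done once, at install time).
record_checksum() { # usage: record_checksum BINARY CHECKSUM_FILE
    sha1_of "$1" > "$2"
}

# 0 = binary matches the stored checksum, 1 = it differs, 2 = nothing recorded.
verify_checksum() { # usage: verify_checksum BINARY CHECKSUM_FILE
    [ -s "$2" ] || return 2
    [ "$(sha1_of "$1")" = "$(cat "$2")" ]
}

# A data file counts as fresh when it was modified less than an hour ago
# (assumed limit, matching the page's "younger than 1 hour" check).
is_fresh() { # usage: is_fresh FILE
    [ -n "$(find "$1" -mmin -60 2>/dev/null)" ]
}

# Append "time ip" to the diary only when the IP differs from the last entry.
# Prints "changed" or "unchanged" so a caller can react (e.g. warn the user).
note_external_ip() { # usage: note_external_ip IP HISTORY_FILE
    last=$( [ -f "$2" ] && awk 'END {print $NF}' "$2" )
    if [ "$last" = "$1" ]; then
        echo unchanged
    else
        printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M')" "$1" >> "$2"
        echo changed
    fi
}

# Demonstration on constructed files (a stand-in for /usr/sbin/lsof).
demo() {
    tmp=$(mktemp -d)
    printf 'constructed stand-in for /usr/sbin/lsof\n' > "$tmp/lsof"
    record_checksum "$tmp/lsof" "$tmp/Checksum.txt"
    verify_checksum "$tmp/lsof" "$tmp/Checksum.txt" && echo "lsof: checksum OK"
    printf 'tampered\n' >> "$tmp/lsof"          # simulate a modified binary
    verify_checksum "$tmp/lsof" "$tmp/Checksum.txt" || echo "lsof: WARNING, checksum differs"
    is_fresh "$tmp/Checksum.txt" && echo "Checksum.txt is fresh"
    note_external_ip 192.0.2.10 "$tmp/ExternIP_history.txt"     # changed (first entry)
    note_external_ip 192.0.2.10 "$tmp/ExternIP_history.txt"     # unchanged
    note_external_ip 198.51.100.4 "$tmp/ExternIP_history.txt"   # changed
    cat "$tmp/ExternIP_history.txt"
    rm -rf "$tmp"
}
demo
```

In real use the checksum file would be written once at install time and the verify step scheduled from the same launchd/cron job that gathers the data; a differing checksum is a reason to stop trusting the lsof output, not just to print a warning.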

Explanation of colors:

red background: the process is owned by root
red text: the IP-number does not have a corresponding DNS-name
blue text: the IP-number is matched by several DNS-names
green text: the protocol is "safe" (ssh, https, imaps, smtps, scp, sftp) or the program is sshd
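To make the data gathering and the colour rules concrete, here is an added example in POSIX sh that is not part of open_ports.sh: it parses lsof output of the kind the script collects into the two views described above (outgoing connections per program, user and server, and listening ports with their service range) and applies the "safe protocol" rule by port number. The sample lines are constructed to mimic `lsof +c 0 -i -n -P` output (`-P` keeps ports numeric); on a real system you would run that command as root and pipe its output into these functions. The port-to-protocol mapping (22 for ssh/scp/sftp, 443 for https, 993 for imaps, 465 for smtps) and the service-range labels are my assumptions.

```sh
#!/bin/sh
# Added example, not code from open_ports.sh. Parses lsof-style output into
# the outgoing and listening views the page describes.

# Constructed sample mimicking `lsof +c 0 -i -n -P` run as root.
SAMPLE_LSOF='COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       812   root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
sshd       812   root    4u  IPv6  12346      0t0  TCP *:22 (LISTEN)
cupsd      901   root    6u  IPv4  12347      0t0  TCP 127.0.0.1:631 (LISTEN)
firefox   2231  peter   55u  IPv4  22345      0t0  TCP 192.168.1.10:51234->93.184.216.34:443 (ESTABLISHED)
firefox   2231  peter   58u  IPv4  22348      0t0  TCP 192.168.1.10:51240->93.184.216.34:443 (ESTABLISHED)
ssh       2300  peter    3u  IPv4  22350      0t0  TCP 192.168.1.10:51300->203.0.113.5:22 (ESTABLISHED)
curl      2400  peter    5u  IPv4  22360      0t0  TCP 192.168.1.10:51400->198.51.100.7:80 (ESTABLISHED)'

# The page colours a connection green when the protocol is ssh, https, imaps,
# smtps, scp or sftp. Assumption: map those to their standard ports.
classify_port() {
    case "$1" in
        22|443|993|465) echo safe ;;
        *)              echo other ;;
    esac
}

# Outgoing view: one line per program/user/server/port with the number of
# ESTABLISHED connections and the safety flag. Reads lsof output on stdin.
outgoing_summary() {
    awk '/\(ESTABLISHED\)/ {
            split($9, ends, "->")            # NAME is local->remote
            n = split(ends[2], r, ":")       # port is the last colon field
            port = r[n]                      # host is everything before it
            host = substr(ends[2], 1, length(ends[2]) - length(port) - 1)
            key = $1 " " $3 " " host " " port
            count[key]++
        }
        END { for (k in count) print k, count[k] }' | sort |
    while read -r prog user host port count; do
        echo "$prog $user $host $port $count $(classify_port "$port")"
    done
}

# Listening view: protocol, program, user, port, safety flag and the
# "service range" (who can reach the port). sshd is always flagged safe,
# as on the page.
listening_summary() {
    awk '/\(LISTEN\)/ {
            n = split($9, a, ":")
            port = a[n]
            addr = substr($9, 1, length($9) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") range = "local machine only"
            else if (addr == "*")                        range = "everyone"
            else                                         range = "interface " addr
            print $5, $1, $3, port, range
        }' | sort -u |
    while read -r proto prog user port range; do
        if [ "$prog" = sshd ]; then flag=safe; else flag=$(classify_port "$port"); fi
        echo "$proto $prog $user $port $flag ($range)"
    done
}

echo "Outgoing: program user server port connections safety"
printf '%s\n' "$SAMPLE_LSOF" | outgoing_summary
echo "Listening: protocol program user port safety (service range)"
printf '%s\n' "$SAMPLE_LSOF" | listening_summary
```

Running it prints three outgoing lines (firefox with 2 connections to port 443, ssh to port 22, curl to port 80 flagged "other") and three listening lines, with cupsd on 127.0.0.1:631 marked "local machine only" and sshd on *:22 marked "everyone". Replacing SAMPLE_LSOF with real `lsof` output gives the same summary for your own machine.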

 

Installation

  1. Fetch the install-script from
    http://fileadmin.cs.lth.se/cs/Personal/Peter_Moller/scripts/open_ports_install.sh (Mac)
    http://fileadmin.cs.lth.se/cs/Personal/Peter_Moller/scripts/open_ports_install_linux.sh (Linux)
  2. Start a terminal
  3. Become root:
    Mac: if you are a normal user, type su adminusername and then sudo -i; if you are an admin user, type sudo -i.
    Linux: type su -
  4. Set access rights for the install script:
    chmod 755 open_ports_install.sh or open_ports_install_linux.sh (you must locate it)
  5. Run the script:
    ./open_ports_install.sh or open_ports_install_linux.sh
  6. The installation is normally quick. For Linux, that's all. On a Mac it ends with GeekTool being opened. To install it, double-click its .PrefPane.
  7. In GeekTool: click the icon named "Shell" and drag it to an empty part of the desktop (must be free of windows). Size it as well.
  8. A "Properties" window opens. What you need to enter is:
    • Command: open_ports.sh
    • Refresh every: 120 s
    • Change font to a monospace-one (I'm using Menlo and white font color)
  9. Now you may close GeekTool

Note that GeekTool doesn't move things around if you change the number of monitors (for instance a portable computer with external displays). It will, however, be visible again when you restore the monitor setting!

Also note that the script will start automatically after a reboot!

 

sha1-checksum for open_ports.sh:

Geographical lookup

Previously, I used a site that provided free geo lookup. They have closed, however, and I have found another provider that appears to work well:

http://db-ip.com/api/

(Click the "Free" button on that page and they will send you an API key by email.)

Store this key (a long string of letters and numbers) in the file:
/Library/cs.lth.se/OpenPorts/apidb.key (Mac) or /usr/share/cs.lth.se/OpenPorts/apidb.key (Linux)

If there is no such key, open_ports.sh will not try to find the geographical location of the computers you are communicating with.

 

Update the script

The script no longer auto-updates. You must update it manually! (massive feedback from MacOSX Hints about this).

You update the script manually by running, as root, the following command in a terminal window:
open_ports.sh -u

It will fetch the latest version of the script and install it (if it is different from what you have). If you already have the latest version it will tell you!

You can also get it directly:
curl fileadmin.cs.lth.se/cs/Personal/Peter_Moller/scripts/open_ports.sh > /usr/bin/open_ports.sh
chmod 755 /usr/bin/open_ports.sh

 

Function check

You can run the script anytime (in a terminal window). What happens depends on who is running it:
• if you are root, new data is generated (but not shown)
• for any other user you will see the output

If it doesn't report any connection, you can double-check this by running the following (as root):
lsof +c 0 -i 4 -n | grep EST
If that is also empty, then the report is correct.

 

Stop / deinstall

If you don't want to see the data (but continue gathering of data) all you have to do is quit GeekTool.

You stop execution by (as root) issuing the following commands in a terminal window:
launchctl stop se.lth.cs.open_ports
launchctl unload /Library/LaunchDaemons/se.lth.cs.open_ports.plist

You deinstall by also issuing:
rm -rf /usr/bin/open_ports.sh  (the script)
rm -rf /Library/LaunchDaemons/se.lth.cs.open_ports.plist  (the gather control)
rm -rf /Library/cs.lth.se/OpenPorts  (the data files)

 

Description of the components

The components are these:

/usr/bin:
  open_ports.sh – the script that is used both to gather data and to display it

/Library/LaunchDaemons (Mac only):
  se.lth.cs.open_ports.plist – control file for launchd; makes open_ports.sh run every 120 seconds to gather data

/Library/cs.lth.se (Mac), /usr/share/cs.lth.se (Linux):
  GeoLookup – directory containing the geo lookup results, stored as one file per IP-address, named "IP-address.txt". This directory is used by many scripts!

/Library/cs.lth.se/OpenPorts (Mac), /usr/share/cs.lth.se/OpenPorts (Linux):
  apidb.key – if this file exists and contains a valid key (from http://db-ip.com/api/), geographical lookup is performed when a user other than root runs the script
  Checksum.txt – checksum of /usr/sbin/lsof; checked every 2 hours to detect intrusions
  Countries.txt – list of short and long names of the countries of the world (from http://www.worldatlas.com/aatlas/ctycodes.htm)
  ExternIP.txt – the external IP-address of the computer; used if you are behind a NAT-router
  ExternIP_history.txt – "diary" of where the computer has been: IP-number, time and geographical location (checked once every hour)
  ip4.txt – data for ESTABLISHED IPv4 connections; updated every 2 minutes
  ip6.txt – data for ESTABLISHED IPv6 connections; updated every 2 minutes
  listen.txt – list of LISTEN ports; updated every 2 minutes

 

Tested distributions

Apart from Mac OS X (on which the script has been developed) the following distros have been tested with open_ports.sh:

• Mandriva 2010
• Kubuntu

Please email me about news from other distros!