open_ports.sh 2.6
NEW! Version 2.3 brings back the geo lookup – yay! :-)
Version 2.4 displays all active network interfaces, in the correct order!
New in version 2.6: open_ports has moved to GitHub: https://github.com/Peter-Moller/open-ports
About the Script
The script open_ports.sh shows which currently open network connections your computer has, both outgoing and incoming.
First a note on security: the script must run as root, otherwise it would only see the network connections of the user that is running the script. Also, the previous auto-update of the script has been removed. If you want to play with it, please do so (just don't update, since it will "restore" an original copy! :-) I have tried to comment it thoroughly, but if you have questions, please email me!
It works on Linux as well (the same script). For tested distributions, see the final section!
On a Mac you can use it with GeekTool (not included) to see the result on the desktop:
This is what it can look like when you are behind a NAT-router:
On a Linux computer it looks like this (you can use conky, root-tail or something similar to "smear" the output on the display):
For outgoing traffic, the following information is displayed:
• Program
• Port
• User
• Number of connections
• The server you are connected to
• Where in the world (country and city) this machine is located
It also reports what is running and is waiting for traffic from the outside. For listening ports, the following is reported:
• Protocol (IPv4 or IPv6)
• Program
• User
• Port
• "Service range", i.e. who is being served (some services only serve the local machine or the local subnet)
The script is run by the system owner "root" every other minute (using launchd on the Mac and cron on Linux) and uses the command lsof to gather data in a number of files (see below).
When the script is run by a normal user (for instance with GeekTool) the data files are analyzed and the result is presented.
Checks
• every other hour the checksum of the lsof command is checked, to detect an intrusion that alters the lsof binary (see this picture)
• the access rights of the data files
• that the data files exist (warns otherwise, see this picture)
• that the launchd-component is running (Mac only, see this picture)
• that the data files are younger than 1 hour (see this picture)
• that we have an IP-address at all (see this picture)
Once every hour the external IP-address of the computer is checked (if you are behind a NAT-router) and if it changes this is noted in a "diary" (so that in retrospect, you can see where you have been :-).
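To show how the gather/display split and the self-checks above can be implemented, here is an added example in POSIX shell. It is not code from open_ports.sh: the file names (Checksum.txt, ip4.txt, ip6.txt, listen.txt, ExternIP.txt, ExternIP_history.txt) follow the component table further down the page, while the 60-minute limit, the warning texts and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of open_ports.sh: the self-checks the page lists
# (lsof checksum, data-file presence, age and access rights) and the
# external-IP "diary", as small POSIX shell functions.
# Assumed layout: DATADIR/Checksum.txt, DATADIR/ip4.txt, ip6.txt, listen.txt,
# DATADIR/ExternIP.txt and DATADIR/ExternIP_history.txt.

# Print the SHA-1 of a file, using whichever tool the system has
# (sha1sum on Linux, shasum on a Mac, openssl as a last resort).
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | awk '{ print $1 }'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 1 "$1" | awk '{ print $1 }'
  else
    openssl sha1 "$1" | awk '{ print $NF }'
  fi
}

# Store the checksum of BINARY ($1) in STOREFILE ($2); run once, as root, at install time.
record_checksum() {
  sha1_of "$1" > "$2"
}

# Succeed only if BINARY ($1) still has the checksum stored in STOREFILE ($2).
# A failure here is the "lsof binary altered" case the page warns about.
verify_checksum() {
  [ -s "$2" ] && [ "$(sha1_of "$1")" = "$(cat "$2")" ]
}

# Succeed if FILE ($1) was modified within the last MINUTES ($2) minutes.
is_fresh() {
  [ -n "$(find "$1" -mmin "-$2" 2>/dev/null)" ]
}

# Succeed if FILE ($1) is writable by everyone; a display user could then forge
# the data the root gather job wrote.
is_world_writable() {
  [ -n "$(find "$1" -perm -002 2>/dev/null)" ]
}

# Check the three data files in DATADIR ($1): print one warning per problem
# and succeed only when there is none.
check_data_files() {
  datadir=$1
  problems=0
  for name in ip4.txt ip6.txt listen.txt; do
    f="$datadir/$name"
    if [ ! -f "$f" ]; then
      echo "WARNING: $f is missing (is the root gather job running?)"
      problems=$((problems + 1))
      continue
    fi
    if ! is_fresh "$f" 60; then
      echo "WARNING: $f is older than 1 hour"
      problems=$((problems + 1))
    fi
    if is_world_writable "$f"; then
      echo "WARNING: $f is world-writable"
      problems=$((problems + 1))
    fi
  done
  [ "$problems" -eq 0 ]
}

# Compare the current external IP ($1) with the one in STATEFILE ($2); on a
# change, overwrite STATEFILE and append a dated line to HISTFILE ($3).
# Succeeds only when a change was recorded.
note_external_ip() {
  newip=$1 statefile=$2 histfile=$3
  oldip=$(cat "$statefile" 2>/dev/null)
  [ "$newip" = "$oldip" ] && return 1
  printf '%s\n' "$newip" > "$statefile"
  printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M')" "$newip" >> "$histfile"
}

# Usage (as a normal user, on a Mac):  sh checks.sh /Library/cs.lth.se/OpenPorts
if [ -n "${1:-}" ]; then
  verify_checksum "$(command -v lsof)" "$1/Checksum.txt" \
    || echo "WARNING: lsof checksum differs from $1/Checksum.txt"
  check_data_files "$1"
fi
```

The checks run without root because they only read the data directory; the checksum is recorded once by root (record_checksum) and compared later by whoever displays the data, so a replaced lsof binary is caught even if the attacker also controls the display user's session.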
Explanation of colors:
| red background | the process is owned by root |
| red text       | the IP-number does not have a corresponding DNS-name |
| blue text      | the IP-number is matched by several DNS-names |
| green text     | the protocol is "safe" (ssh, https, imaps, smtps, scp, sftp) or the program is sshd |
Installation
- Fetch the install-script from
  http://fileadmin.cs.lth.se/cs/Personal/Peter_Moller/scripts/open_ports_install.sh (Mac)
  http://fileadmin.cs.lth.se/cs/Personal/Peter_Moller/scripts/open_ports_install_linux.sh (Linux)
- Start a terminal
- Become root:
  Mac: if you are a normal user, type su adminusername and then sudo -i; if you are an admin-user, type sudo -i.
  Linux: type su -
- Set access rights for the install script (you must locate it first):
  chmod 755 open_ports_install.sh
  or
  chmod 755 open_ports_install_linux.sh
- Run the script:
  ./open_ports_install.sh
  or
  ./open_ports_install_linux.sh
- The installation is normally quick. For Linux, that is all. On a Mac it ends with GeekTool being opened. To install it, double-click its .prefPane
- In GeekTool: click the icon named "Shell" and drag it to an empty part of the desktop (must be free of windows). Size it as well.
- A "Properties"-window opens. What you need to enter is:
  - Command: open_ports.sh
  - Refresh every: 120 s
  - Change font to a monospace one (I'm using Menlo and white font color)
- Now you may close GeekTool
Note that GeekTool doesn't move things around if you change the number of monitors (for instance a portable computer with external displays). It will, however, be visible again when you restore the monitor setting!
Also note that the script will start automatically after a reboot!
sha1-checksum for open_ports.sh:
Geographical lookup
Previously, I used a site that provided free geo lookup. They have closed, however, and I have found another provider that appears to work well: http://db-ip.com/api/
(Click the "Free" button to have them send you a key through email)
This key, a long string of letters and numbers, must be stored in the file /Library/cs.lth.se/OpenPorts/apidb.key
If there is no such key, open_ports.sh will not try to find the geographical location of the computers you are communicating with.
Update the script
The script no longer auto-updates. You must update it manually! (massive feedback from MacOSX Hints about this).
You update the script manually by running, as root, the following command in a terminal window:
open_ports.sh -u
It will fetch the latest version of the script and install it (if it is different from what you have). If you already have the latest version it will tell you!
You can also get it directly:
curl fileadmin.cs.lth.se/cs/Personal/Peter_Moller/scripts/open_ports.sh > /usr/bin/open_ports.sh
chmod 755 /usr/bin/open_ports.sh
Since this download is over plain HTTP, compare the SHA-1 of the fetched file with the published checksum before installing it.
Function check
You can run the script anytime (in a terminal window). What happens depends on who is running it:
• if you are root, new data is generated (but not shown)
• for any other user, you will see the output
If it doesn't report any connection, you can double check this by running the following (as root):
lsof +c 0 -i 4 -n | grep EST
If that also is empty, the report is correct.
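As an added illustration of what the script extracts from lsof for the two lists above (outgoing connections: program, port, user, number of connections, server; listening ports: protocol, program, user, port, service range), here is an awk-based summary in POSIX shell. It is not the page's own code. The lsof output it parses is a constructed sample; the mapping of "safe" protocols to ports or service names (22/ssh for ssh, scp and sftp, 443/https, 465/smtps, 993/imaps) and the service-range labels are my assumptions.

```shell
#!/bin/sh
# Added example, not code from open_ports.sh: turn "lsof +c 0 -i -n" output
# into the outgoing and listening summaries the page describes.
# lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE]

# Constructed sample of lsof output (documentation addresses, made-up PIDs).
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
Safari 1234 peter 23u IPv4 0x1 0t0 TCP 192.168.1.10:52345->203.0.113.34:443 (ESTABLISHED)
Safari 1234 peter 24u IPv4 0x2 0t0 TCP 192.168.1.10:52346->203.0.113.34:443 (ESTABLISHED)
curl 555 peter 5u IPv4 0x3 0t0 TCP 192.168.1.10:40000->198.51.100.7:80 (ESTABLISHED)
sshd 99 root 3u IPv4 0x4 0t0 TCP *:22 (LISTEN)
sshd 99 root 4u IPv6 0x5 0t0 TCP *:22 (LISTEN)
cupsd 77 root 6u IPv6 0x6 0t0 TCP [::1]:631 (LISTEN)
mysqld 88 _mysql 10u IPv4 0x7 0t0 TCP 192.168.1.10:3306 (LISTEN)'

# Established connections, one line per program/user/server/port:
#   program  user  server  port  connections  safe?
# "safe" is assumed to mean the ports the page lists as such, or the program sshd.
summarize_established() {
  awk '
    $NF == "(ESTABLISHED)" && $9 ~ /->/ {
      split($9, ends, "->")
      remote = ends[2]
      n = split(remote, parts, ":")
      port = parts[n]
      host = substr(remote, 1, length(remote) - length(port) - 1)
      safe = ($1 == "sshd" || port == "22" || port == "ssh" || port == "443" || port == "https" \
              || port == "465" || port == "smtps" || port == "993" || port == "imaps") ? "safe" : "-"
      key = $1 "\t" $3 "\t" host "\t" port
      count[key]++
      flag[key] = safe
    }
    END { for (k in count) print k "\t" count[k] "\t" flag[k] }
  ' | LC_ALL=C sort
}

# Listening sockets, one line each:
#   protocol  program  user  port  who-is-served
# The bind address decides the "service range": * serves everyone, the loopback
# address only the local machine, anything else that one interface.
summarize_listen() {
  awk '
    $NF == "(LISTEN)" {
      n = split($9, parts, ":")
      port = parts[n]
      bind = substr($9, 1, length($9) - length(port) - 1)
      if (bind == "*") range = "everyone"
      else if (bind == "127.0.0.1" || bind == "[::1]" || bind == "localhost") range = "local machine"
      else range = "address " bind
      print $5 "\t" $1 "\t" $3 "\t" port "\t" range
    }
  ' | LC_ALL=C sort
}

# Usage:  sh summarize.sh --demo                 (constructed sample above)
#         sudo lsof +c 0 -i -n | sh summarize.sh -   (real data, as root)
case "${1:-}" in
  --demo)
    echo "Outgoing (program, user, server, port, connections, safe?):"
    printf '%s\n' "$SAMPLE_LSOF" | summarize_established
    echo "Listening (protocol, program, user, port, served):"
    printf '%s\n' "$SAMPLE_LSOF" | summarize_listen
    ;;
  -)
    tmp=$(mktemp)
    cat > "$tmp"
    summarize_established < "$tmp"
    summarize_listen < "$tmp"
    rm -f "$tmp"
    ;;
esac
```

Running it with `--demo` groups the two Safari sockets into one line with a connection count of 2 and marks port 443 as safe, while curl's port-80 connection is left unmarked; on the listening side the two sshd lines show up separately as IPv4 and IPv6, which is why the page lists the protocol first.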
Stop / deinstall
If you don't want to see the data (but want to continue gathering it) all you have to do is quit GeekTool.
You stop execution by issuing the following commands (as root, on a Mac) in a terminal window:
launchctl stop se.lth.cs.open_ports
launchctl unload /Library/LaunchDaemons/se.lth.cs.open_ports.plist
You deinstall by also issuing:
rm -rf /usr/bin/open_ports.sh                               (the script)
rm -rf /Library/LaunchDaemons/se.lth.cs.open_ports.plist    (the gather control)
rm -rf /Library/cs.lth.se/OpenPorts                         (the data files)
Description of the components
The components are these:
/usr/bin:
| open_ports.sh | The script that is used both to gather data and to display them |
/Library/LaunchDaemons (Mac only):
| se.lth.cs.open_ports.plist | Control file for launchd; makes open_ports.sh run every 120 seconds to gather data |
/Library/cs.lth.se (Mac), /usr/share/cs.lth.se (Linux):
| GeoLookup | Directory containing the geo lookup, stored as one file per IP-address, named "IP-address.txt". This directory is used by many scripts! |
/Library/cs.lth.se/OpenPorts (Mac), /usr/share/cs.lth.se/OpenPorts (Linux):
| apidb.key | If this file exists and contains a valid key (from http://db-ip.com/api/), geographical lookup is performed when a user other than root runs the script |
| Checksum.txt | Checksum for /usr/sbin/lsof. Checked every 2 hours to detect intrusions |
| Countries.txt | A list of short and long names for the countries of the world (from http://www.worldatlas.com/aatlas/ctycodes.htm) |
| ExternIP.txt | The external IP-address of the computer. Used if you are behind a NAT-router |
| ExternIP_history.txt | "Diary" of where the computer has been: IP-number, time and geographical location (checked once every hour) |
| ip4.txt | Data for ESTABLISHED IPv4 connections. Updated every 2 minutes |
| ip6.txt | Data for ESTABLISHED IPv6 connections. Updated every 2 minutes |
| listen.txt | List of LISTEN ports. Updated every 2 minutes |
Tested distributions
Apart from Mac OS X (on which the script has been developed) the following distros have been tested with open_ports.sh:
• Mandriva 2010
• Kubuntu
Please email me about news from other distros!