-1

I have Pingdom set up to constantly make sure my websites are up and let me know when they are not. Is there a similar service that will constantly monitor my firewall externally, and let me know when the open ports change?

trevdev

  • Why would the open ports change? – joeqwerty Jun 02 '12 at 06:04
  • Such a service would have to continually port scan your server; this would appear sketchy to anyone keeping an eye on it (like your ISP) and could result in the IP being blacklisted or blocked at the router level. It's not a good business model. –  Jun 02 '12 at 06:29
  • I want to make sure no one on the infrastructure team makes an incorrect change which goes unnoticed. – trevdev Jun 02 '12 at 06:34
  • Use rancid. It will pull the configs and email changes. – 3molo Jun 02 '12 at 07:04

2 Answers

1

You could rig something up yourself. Here's a quick bash script that uses nmap to scan a host for open ports and exits with a non-zero status if the ports have changed from the last run.

#!/bin/sh
# Keep only line 3 of the greppable output (the "Ports:" line); line 1 carries
# a timestamp and would change the hash on every run
nmap -oG - -d0 --open google.com | sed -n -e 3p > ports
NEW_SHA256=$(openssl sha256 ports)
# On the first run there is no stored hash yet, so treat it as empty
OLD_SHA256=$(cat sha256 2>/dev/null)

# Output the old and new hash for humans
echo "OLD HASH: $OLD_SHA256"
echo "NEW HASH: $NEW_SHA256"

# Store the new hash in file for next run
echo "$NEW_SHA256" > sha256

# Compare the hashes
if [ "$NEW_SHA256" != "$OLD_SHA256" ]; then
    echo "No match!"
    exit 1
fi

echo "Match!"

Example usage:

root@appman:/srv/test# ./checkports.sh 
OLD: SHA256(ports)= 3b144433c06e2ab62de43e544aa78538b3e480aeabe188ec448bde3416afdc89
NEW: SHA256(ports)= 3b144433c06e2ab62de43e544aa78538b3e480aeabe188ec448bde3416afdc89
Match!
root@appman:/srv/test# service znc stop
Stopping ZNC...
root@appman:/srv/test# ./checkports.sh 
OLD: SHA256(ports)= 3b144433c06e2ab62de43e544aa78538b3e480aeabe188ec448bde3416afdc89
NEW: SHA256(ports)= ae46f2a4b68d1529ccdc391e6e9ae9a4cab77a3213870a80003c2525c8841f22
No match!

You could put this in a cron job on another server and have it mail you if the open ports change.
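As an added example (not part of the answer above), here is the same idea in Python, extended to report which ports appeared or disappeared instead of only that a hash changed. It parses the greppable "Ports:" field directly, so the timestamped first line of the nmap output never causes a false alarm, and it records the port set as a JSON baseline. The sample scan output, the host 192.0.2.10/example.test and the baseline file name ports-baseline.json are constructed for illustration.

```python
"""Report exactly which open ports changed between scans, rather than only
that a hash of the scan output no longer matches."""
import json
import re
import subprocess
import sys
from pathlib import Path

# Constructed sample of `nmap -oG - --open <host>` output; not a real scan.
SAMPLE_SCAN = (
    "# Nmap 7.94 scan initiated Sat Jun  2 06:00:00 2012 as: nmap -oG - --open example.test\n"
    "Host: 192.0.2.10 (example.test)\tStatus: Up\n"
    "Host: 192.0.2.10 (example.test)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 6697/open/tcp//ircs-u///\tIgnored State: closed (997)\n"
    "# Nmap done at Sat Jun  2 06:00:05 2012 -- 1 IP address (1 host up) scanned in 5.00 seconds\n"
)

# Greppable port entries look like 22/open/tcp//ssh///; capture port, state, protocol.
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)/")


def open_ports(grepable: str) -> set[str]:
    """Extract the set of 'port/proto' entries reported open in -oG output.

    Only the tab-separated 'Ports:' field of 'Host:' lines is read, so the
    timestamped header and footer lines cannot produce a spurious change."""
    ports: set[str] = set()
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue
        for field in line.split("\t"):
            if field.startswith("Ports:"):
                for port, state, proto in PORT_RE.findall(field):
                    if state == "open":
                        ports.add(f"{port}/{proto}")
    return ports


def _by_number(entry: str) -> int:
    return int(entry.split("/")[0])


def diff_ports(baseline: set[str], current: set[str]) -> dict[str, list[str]]:
    """Return ports that appeared and ports that disappeared, sorted numerically."""
    return {
        "added": sorted(current - baseline, key=_by_number),
        "removed": sorted(baseline - current, key=_by_number),
    }


def check(current: set[str], baseline_path: Path) -> dict[str, list[str]]:
    """Compare the current port set with the stored baseline and update it.

    On the first run there is no baseline, so every open port shows as added;
    a monitoring job would treat that run as establishing the baseline."""
    baseline = set(json.loads(baseline_path.read_text())) if baseline_path.exists() else set()
    result = diff_ports(baseline, current)
    baseline_path.write_text(json.dumps(sorted(current, key=_by_number)))
    return result


def scan(host: str) -> str:
    """Run nmap against the host and return its greppable output."""
    return subprocess.run(
        ["nmap", "-oG", "-", "--open", host], capture_output=True, text=True, check=True
    ).stdout


if __name__ == "__main__":
    # With a host argument, scan it; without one, use the constructed sample.
    output = scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SCAN
    changes = check(open_ports(output), Path("ports-baseline.json"))
    if changes["added"] or changes["removed"]:
        print(f"Open ports changed: added={changes['added']} removed={changes['removed']}")
        sys.exit(1)  # non-zero exit so cron can mail the output
    print("No change")
```

Run it from cron the same way as the shell script; the exit status is non-zero on a change, and the message names the ports involved, which is what an infrastructure team needs to trace an accidental firewall change.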

0

Instead of scanning, you would have a better chance by checking the configuration periodically. This could be done through SNMP, or by logging in to the firewall and dumping the configurations. As mentioned in the comments, there are software packages that are intended to serve this purpose. Which one you choose will depend on the type of firewall and your personal preference.

bonsaiviking
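An added example, not part of the answer above, of the configuration-dump approach it describes: the periodically pulled config is compared line by line against the previous dump after volatile lines such as change timestamps are stripped, so only real rule changes are reported (the same filtering idea that config-tracking tools like rancid rely on). The two config dumps, the Cisco-like syntax, and the volatile-line patterns are constructed for illustration, not taken from any real device.

```python
"""Diff two firewall configuration dumps after stripping volatile lines,
so that a changed timestamp alone never triggers an alert."""
import difflib
import re

# Constructed baseline dump (not from a real firewall).
BASELINE = """! Last configuration change at 06:00:00 UTC Sat Jun 2 2012
! NVRAM config last updated at 06:00:01 UTC Sat Jun 2 2012
hostname fw-edge
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 22
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 80
access-list OUTSIDE_IN extended deny ip any any
"""

# Constructed later dump: new timestamps (noise) plus one added permit rule (signal).
CURRENT_DUMP = """! Last configuration change at 07:15:42 UTC Sat Jun 2 2012
! NVRAM config last updated at 07:15:43 UTC Sat Jun 2 2012
hostname fw-edge
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 22
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 80
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 6697
access-list OUTSIDE_IN extended deny ip any any
"""

# Lines that legitimately differ between dumps of an unchanged config.
# Assumed patterns; extend them for the firewall platform you actually use.
VOLATILE = [
    re.compile(r"^! Last configuration change"),
    re.compile(r"^! NVRAM config last updated"),
    re.compile(r"^ntp clock-period"),
]


def normalise(config: str) -> list[str]:
    """Drop volatile lines so the diff only reflects real configuration changes."""
    return [line for line in config.splitlines()
            if not any(pattern.search(line) for pattern in VOLATILE)]


def config_diff(old: str, new: str) -> list[str]:
    """Unified diff (no context lines) between two normalised dumps; empty if unchanged."""
    return list(difflib.unified_diff(
        normalise(old), normalise(new), "baseline", "current", lineterm="", n=0,
    ))


def has_changed(old: str, new: str) -> bool:
    return bool(config_diff(old, new))


if __name__ == "__main__":
    # In a cron job, `old` would be read from the last stored dump and `new`
    # fetched from the device; the diff is what gets mailed out.
    for line in config_diff(BASELINE, CURRENT_DUMP):
        print(line)
```

Storing each dump alongside its diff also gives you a history of who changed what and when, which a port-scan baseline cannot provide.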