Wednesday, October 6, 2010

How to identify Open Ports in Red Hat/CentOS/Fedora/Ubuntu server with nmap

Nmap is a utility for network exploration or security auditing. It supports ping scanning (determine which hosts are up), many port scanning techniques, version detection (determine service protocols and application versions listening behind ports), and TCP/IP fingerprinting (remote host OS or device identification). Nmap also offers flexible target and port specification, decoy/stealth scanning, sunRPC scanning, and more. Most Unix and Windows platforms are supported in both GUI and commandline modes. Several popular handheld devices are also supported, including the Sharp Zaurus and the iPAQ.
Install nmap in Fedora /CentOS/ RedHat

#yum install nmap -y
 
Install nmap in ubuntu
$sudo apt-get install nmap

Nmap examples

Here are some Nmap usage examples, from the simple and routine to a little more complex and esoteric. Some actual IP addresses and domain names are used to make things more concrete. In their place you should substitute addresses/names from your own network.. While I don’t think port scanning other networks is or should be illegal, some network administrators don’t appreciate unsolicited scanning of their networks and may complain. Getting permission first is the best approach.
For testing purposes, you have permission to scan the host scanme.nmap.org. This permission only includes scanning via Nmap and not testing exploits or denial of service attacks. To conserve bandwidth, please do not initiate more than a dozen scans against that host per day. If this free scanning target service is abused, it will be taken down and Nmap will report Failed to resolve given hostname/IP: scanme.nmap.org. These permissions also apply to the hosts scanme2.nmap.org, scanme3.nmap.org, and so on, though those hosts do not currently exist.
#nmap -v scanme.nmap.org

Starting Nmap 5.21 ( http://nmap.org ) at 2010-10-06 18:02 IST
Initiating Ping Scan at 18:02
Scanning scanme.nmap.org (64.13.134.52) [4 ports]
Completed Ping Scan at 18:02, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:02
Completed Parallel DNS resolution of 1 host. at 18:02, 0.29s elapsed
Initiating SYN Stealth Scan at 18:02
Scanning scanme.nmap.org (64.13.134.52) [1000 ports]
Discovered open port 21/tcp on 64.13.134.52
Discovered open port 143/tcp on 64.13.134.52
Discovered open port 53/tcp on 64.13.134.52
Discovered open port 22/tcp on 64.13.134.52
Discovered open port 443/tcp on 64.13.134.52
Discovered open port 25/tcp on 64.13.134.52
Discovered open port 110/tcp on 64.13.134.52
Discovered open port 80/tcp on 64.13.134.52
Discovered open port 8008/tcp on 64.13.134.52
Discovered open port 8010/tcp on 64.13.134.52
Discovered open port 119/tcp on 64.13.134.52
Completed SYN Stealth Scan at 18:03, 34.78s elapsed (1000 total ports)
Nmap scan report for scanme.nmap.org (64.13.134.52)
Host is up (0.043s latency).
Not shown: 986 filtered ports
PORT      STATE  SERVICE
21/tcp    open   ftp
22/tcp    open   ssh
25/tcp    open   smtp
53/tcp    open   domain
70/tcp    closed gopher
80/tcp    open   http
110/tcp   open   pop3
113/tcp   closed auth
119/tcp   open   nntp
143/tcp   open   imap
443/tcp   open   https
8008/tcp  open   http
8010/tcp  open   xmpp
31337/tcp closed Elite

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 35.48 seconds
           Raw packets sent: 3986 (175.360KB) | Rcvd: 71 (3024B

This option scans all reserved TCP ports on the machine scanme.nmap.org . The -v option enables verbose mode.

#nmap -sS -O scanme.nmap.org/24



Launches a stealth SYN scan against each machine that is up out of the 256 IPs on “class C” sized network where Scanme resides. It also tries to determine what operating system is running on each host that is up and running. This requires root privileges because of the SYN scan and OS detection.

#nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127


Launches host enumeration and a TCP scan at the first half of each of the 255 possible eight-bit subnets in the 198.116 class B address space. This tests whether the systems run SSH, DNS, POP3, or IMAP on their standard ports, or anything on port 4564. For any of these ports found open, version detection is used to determine what application is running.

#nmap -v -iR 100000 -Pn -p 80


Asks Nmap to choose 100,000 hosts at random and scan them for web servers (port 80). Host enumeration is disabled with -Pn since first sending a couple probes to determine whether a host is up is wasteful when you are only probing one port on each target host anyway.

Tuesday, October 5, 2010

Cacti Network Graphing Tool RedHat / CentOS / Fedora Install and Configure


Cacti is a network graphing tool similar to MRTG. How do I install and configure common options to collect SNMP data and various other data (such as system load, network link status, hard disk space, logged in users etc) into an RRD?

From the official project site:
Cacti is a complete frontend to RRDTool, it stores all of the necessary information to create graphs and populate them with data in a MySQL database. The frontend is completely PHP driven. Along with being able to maintain Graphs, Data Sources, and Round Robin Archives in a database, cacti handles the data gathering. There is also SNMP support for those used to creating traffic graphs with MRTG.

Required software(s)

You need to install the following software on RHEL / Fedora / CentOS Linux:
  1. MySQL Server : Store cacti data.
  2. NET-SNMP server - SNMP (Simple Network Management Protocol) is a protocol used for network management.
  3. PHP with net-snmp module - Access SNMP data using PHP.
  4. Apache / lighttpd / ngnix webserver : Web server to display graphs created with PHP and RRDTOOL.

Install the software

First  to install mysql, apache and php:
# yum install mysql-server mysql php-mysql php-pear php-common php-gd php-devel php php-mbstring php-cli php-snmp php-pear-Net-SMTP php-mysql httpd

Configure MySQL server

First, set root password:
# mysqladmin -u root password NEWPASSWORD

Create cacti MySQL database

Create a database called cacti, enter:
# mysql -u root -p -e 'create database cacti'
Create a user called cacti with a password called catipass, enter:
# mysql -u root -p
mysql> GRANT ALL ON cacti.* TO cacti@localhost IDENTIFIED BY 'catipass;
mysql> FLUSH privileges;
mysql> \q

Install snmpd

Type the following command to install net-snmpd
# yum install net-snmp-utils php-snmp net-snmp-libs
Configure snmpd, open /etc/snmp/snmpd.conf
# vi /etc/snmp/snmpd.conf
Append / modify it as follows (see snmpd.conf man page for details):
com2sec local     localhost           public
group MyRWGroup v1         local
group MyRWGroup v2c        local
group MyRWGroup usm        local
view all    included  .1                               80
access MyRWGroup ""      any       noauth    exact  all    all    none
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root  (configure /etc/snmp/snmp.local.conf)
pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat
Save and close the file. Turn on snmpd service:
# /etc/init.d/snmpd start
# chkconfig snmpd on

Make sure you are getting information from snmpd:
# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex
Sample ouptut:
IP-MIB::ipAdEntIfIndex.10.10.9.108 = INTEGER: 2
IP-MIB::ipAdEntIfIndex.67.yy.zz.eee = INTEGER: 3
IP-MIB::ipAdEntIfIndex.127.0.0.1 = INTEGER: 1

Install cacti

First, make sure EPEL repo is enabled. Type the following command to install cacti:
# yum install cacti

Install cacti tables

Type the following command to find out cacti.sql path:
# rpm -ql cacti | grep cacti.sql
Sample output:
/var/www/cacti/cacti.sql
Type the following command to install cacti tables (you need to type the cacti user password):
# mysql -u cacti -p cacti < /usr/share/doc/cacti-0.8.7g/cacti.sql

Configure cacti

Open /etc/cacti/db.php file, enter:
# vi /etc/cacti/db.php
Make changes as follows:
 
/* make sure these values refect your actual database/host/user/password */
$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "cacti";
$database_password = "cactipass";
$database_port = "3306";
 
Save and close the file.

Configure httpd

Open /etc/httpd/conf.d/cacti.conf file, enter:
# vi /etc/httpd/conf.d/cacti.conf
You need to update allow from line. Either set to ALL or your LAN subnet to allow access to cacti:
 
#
# Cacti: An rrd based graphing tool
#
Alias /cacti    /usr/share/cacti
  Directory /usr/share/cacti 
Order Deny,Allow
        Deny from all
        Allow from 10.0.0.0/8 
Directory
 
Another option is create /usr/share/cacti/.htaccess file and password protect the directory. Finally, restart httpd:
# service httpd restart

Setup cacti cronjob

Open /etc/cron.d/cacti file, enter:
# vi /etc/cron.d/cacti
Uncomment the line:
*/5 * * * *     cacti   /usr/bin/php /usr/share/cacti/poller.php > /dev/null 2>&1
Save and close the file.

Run cacti installer

Now cacti is ready to install. Fire a webbrowser and type the url:
http://your.example.com/cacti/
OR
http://your.server.ip.address/cacti/
Just follow on screen instructions. The default username and password for cacti is admin / admin. Upon first login, you will be force to change the default password.

How do I configure SNMP data collection?

SNMP can be used to monitor server traffic. Once installed login to cacti.
=> Click on Devices
=> Select Localhost
=> Make sure SNMP options are selected as follows:
Fig.01: SNMP configuration
Fig.01: SNMP configuration
Finally, click on Save button.

How do I create SNMP graphs?

Click on "Create Graphs for this Host" link on top right side.
Select SNMP - Interface Statistics
Select a graph type (such as In/Out bytes with total bandwidth)
Finally, click on Create button.

How do I view graphs?

To view graphs click on Graphs tab. Here is sample graph from one my own box:
Fig.02: Cacti in Action - Memory, CPU and Network Usage
Fig.02: Cacti in Action - Memory, CPU and Network Usage

(Fig.02: Cacti in action)
Fig.03: Cacti in Action Disk, Load average and User stats
Fig.03: Cacti in Action Disk, Load average and User stats

MySQLTuner - High-performance MySQL optimization script

Running MySQLTuner:

MySQLTuner using the following command
# wget http://mysqltuner.com/mysqltuner.pl
To run the script, simply make it executable and run it:
# chmod +x mysqltuner.pl
# ./mysqltuner.pl
Enter your administrative username and password
Output you can see as follows

Bandwidth Monitoring Tools For CentOS /RHEL / Fedora.


Bandwidthd
BandwidthD tracks usage of TCP/IP network subnets and builds html files with graphs to display utilization. Charts are built by individual IPs, and by default display utilization over 2 day, 8 day, 40 day, and 400 day periods. Furthermore, each ip address’s utilization can be logged out at intervals of 3.3 minutes, 10 minutes, 1 hour or 12 hours in cdf format, or to a backend database server. HTTP, TCP, UDP, ICMP, VPN, and P2P traffic are color coded.
Project Home Page :- http://bandwidthd.sourceforge.net/
Bmon
bmon is a portable bandwidth monitor and rate estimator running on various operating systems. It supports various input methods for different architectures. Various output modes exist including an interactive curses interface,lightweight HTML output but also formatable ASCII output.
Bwbar
bwbar is a small C-based program for Linux-based machines which produces bandwidth usage statistics for a network interfaces. It was originally written by H. Peter Anvin, and I (Brian Towne) modified it somewhat to better suit my needs. The original program was released under the GPL. A number of people have asked for the modified program and its source, so I have created this page.
bwm
This is a very tiny bandwidth monitor (not X11). Can monitor up to 16 interfaces in the in the same time, and shows totals too.
bwm-ng
small and simple console-based bandwidth monitor.Bandwidth Monitor NG is a small and simple console-based live bandwidth monitor.
Project Home Page :- http://www.gropp.org/?id=projects&sub=bwm-ng
Cacti
Cacti is a complete network graphing solution designed to harness the power of RRDTool’s data storage and graphing functionality. Cacti provides a fast poller, advanced graph templating, multiple data acquisition methods, and user management features out of the box. All of this is wrapped in an intuitive, easy to use interface that makes sense for LAN-sized installations up to complex networks with hundreds of devices.
Project Home Page :- http://cacti.net/
cbm
cbm — the color bandwidth meter — is a small program to display the traffic currently flowing through your network devices.
dstat
Dstat is a versatile replacement for vmstat, iostat, netstat, nfsstat and ifstat. Dstat overcomes some of their limitations and adds some extra features, more counters and flexibility. Dstat is handy for monitoring systems during performance tuning tests, benchmarks or troubleshooting.
Project Home Page :- http://dag.wieers.com/home-made/dstat/
EtherApe
EtherApe is a graphical network monitor for Unix modeled after etherman. Featuring link layer, ip and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Color coded protocols display.
Project Home Page :- http://etherape.sourceforge.net/
gdesklets
gDesklets is a system for bringing mini programs (desklets), such as weather forecasts, news tickers, system information displays, or music player controls, onto your desktop, where they are sitting there in a symbiotic relationship of eye candy and usefulness. The possibilities are really endless and they are always there to serve you whenever you need them, just one key-press away. The system is not restricted to one desktop environment, but currently works on most of the modern Unix desktops (including GNOME, KDE, Xfce).
Project Home Page :- http://www.gdesklets.de/
GKrellM
GKrellM is a single process stack of system monitors which supports applying themes to match its appearance to your window manager, Gtk, or any other theme.
Project Home Page :- http://members.dslextreme.com/users/billw/gkrellm/gkrellm.html
ipband
ipband is a pcap based IP traffic monitor. It tallies per-subnet traffic and bandwidth usage and starts detailed logging if specified threshold for the specific subnet is exceeded. If traffic has been high for a certain period of time, the report for that subnet is generated which can be appended to a file or e-mailed. When bandwidth usage drops below the threshold, detailed logging for the subnet is stopped and memory is freed.
Project Home Page :- http://ipband.sourceforge.net/
iftop
iftop does for network usage what top does for CPU usage. It listens to network traffic on a named interface and displays a table of current bandwidth usage by pairs of hosts. Handy for answering the question “why is our ADSL link so slow”.
Project Home Page :- http://www.ex-parrot.com/pdw/iftop/
iperf
Iperf is a tool to measure maximum TCP bandwidth, allowing the tuning of various parameters and UDP characteristics. Iperf reports bandwidth, delay jitter, datagram loss.
ipfm
IP Flow Meter (IPFM) is a bandwidth analysis tool, that measures how much bandwidth specified hosts use on their Internet link.
Project Home Page :- http://robert.cheramy.net/ipfm/
ifstat
ifstat is a tool to report network interfaces bandwith just like vmstat/iostat do for other system counters.
Project Home Page :- http://gael.roualland.free.fr/ifstat/
ibmonitor
ibmonitor is an interactive linux console application which shows bandwidth consumed and total data transferred on all
interfaces.
Project Home Page :- http://ibmonitor.sourceforge.net/
ipaudit
IPAudit monitors network activity on a network by host, protocol and port.IPAudit listens to a network device in promiscuous mode, and records every connection between two ip addresses. A unique connection is determined by the ip
addresses of the two machines, the protocol used between them, and the port numbers (if they are communicating via udp or tcp).
Project Home Page :- http://ipaudit.sourceforge.net/
IPTraf
IPTraf is a console-based network statistics utility for Linux. It gathers a variety of figures such as TCP connection packet and byte counts, interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts.
Project Home Page :- http://iptraf.seul.org/
IFStatus
IFStatus was developed for Linux users that are usually in console mode. It is a simple, easy to use program for displaying commonly needed / wanted statistics in real time about ingoing and outgoing traffic of multiple network interfaces that is usually hard to find, with a simple and effecient view. It is the substitute for PPPStatus and EthStatus projects.
jnettop
Jnettop is a traffic visualiser, which captures traffic going through the host it is running from and displays streams sorted by bandwidth they use.
Project Home Page :- http://jnettop.kubs.info/wiki/
MRTG
The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network links. MRTG generates HTML pages containing PNG images which provide a LIVE visual representation of this traffic.
Project Home Page :- http://oss.oetiker.ch/mrtg/
moodss
moodss is a graphical monitoring application. It is modular so that the code accessing the monitored objects is completely separate from the application core. The core takes care of managing modules (loading and unloading),displaying modules data through sortable tables and diverse graphical viewers, handling user set threshold conditions with email alerts, recording and browsing data history from a database.moodss can even predict the future, using sophisticated statistical methods and artificial neural networks, and therefore be used for capacity planning.
Project Home Page :- http://moodss.sourceforge.net/
monitord
A lightweight (distributed?) network security monitor for TCP/IP+Ethernet LANs. It will capture certain network events and record them in a relational database. The recorded data will be available for analysis through a CGI based interface.
Project Home Page :- http://sourceforge.net/projects/monitord/
Netmrg
NetMRG is a tool for network monitoring, reporting, and graphing. Based on RRDTOOL, the best of open source graphing
systems, NetMRG is capable of creating graphs of any parameter of your network.
Project Home Page :- http://www.netmrg.net
nload
nload is a console application which monitors network traffic and bandwidth usage in real time. It visualizes the in-and outgoing traffic using two graphs and provides additional info like total amount of transfered data and min/max network usage.
Project Home Page :- http://www.roland-riegel.de/nload/index.html
ntop
ntop shows the current network usage. It displays a list of hosts that are currently using the network and reports information concerning the IP (Internet Protocol) and Fibre Channel (FC) traffic generated by each host. The traffic is sorted according to host and protocol. Default protocol list (this is user configurable).
Project Home Page :- http://www.ntop.org
netspeed
Netspeed is just a little GNOME-applet that shows how much traffic occurs on a specified network device (for example eth0). You get the best impression of it, if you look at the screenshots below.
Netwatch
Netwatch is a Linux program created to aid in monitoring Network Connections. It is based on a program called “statnet” but has been substantially modified for its Ethernet emphasis. It is a dynamic program which displays the Ethernet status based each the connection’s activity. It has the capability of monitoring hundreds of site statistics simultaneously. The connection’s port number (Well Known Service) and destination address are available as well. There are options which allow router statistics to be measured on simple networks (with one router). External network communication is counted and transfer rates are displayed.
Project Home Page :- http://www.slctech.org/~mackay/netwatch.html
NOCOL
NOCOL is a popular system and network monitoring (network management) software that runs on Unix systems and can
monitor network and system devices. It uses a very simple architecture and is very flexible for adding new network management modules
Project Home Page :- http://www.netplex-tech.com/nocol/
NeTraMet
NeTraMet is an open-source (GPL) implementation of the RTFM architecture for Network Traffic Flow Measurement,
developed and supported by Nevil Brownlee at the University of Auckland. Nevil also developed a version of NeTraMet
which uses the CoralReef library to read packet headers. This ‘CoralReef NeTraMet meter’ can work with any CoralReef
data source; it has been tested on both CAIDA and NLANR trace files, and on DAG and Apptel ATM interface cards.
Project Home Page :- http://freshmeat.net/projects/netramet/
NetPIPE
NetPIPE is a protocol independent performance tool that visually represents the network performance under a variety of
conditions. It performs simple ping-pong tests, bouncing messages of increasing size between two processes, whether
across a network or within an SMP system. Message sizes are chosen at regular intervals, and with slight perturbations, to provide a complete test of the communication system. Each data point involves many ping-pong tests to provide an accurate timing. Latencies are calculated by dividing the round trip time in half for small messages ( <64 Bytes ).
Project Home Page :- http://www.scl.ameslab.gov/netpipe/
netperf
Netperf is a benchmark that can be use to measure various aspect of networking performance. The primary foci are bulk
(aka unidirectional) data transfer and request/response performance using either TCP or UDP and the Berkeley Sockets interface. As of this writing, the tests available either unconditionally or conditionally
Project Home Page :- http://www.netperf.org/netperf/
potion
This is a console utility which will listen on an interface using libpcap, aggregate the traffic into flows and display the top (as many as can fit on your screen) flows with their average throughput. A flow is identified ip protocol, source ip, source port, destination ip, destination port, and type of service flag.
pktstat
Display a real-time list of active connections seen on a network interface, and how much bandwidth is being used by what. Partially decodes HTTP and FTP protocols to show what filename is being transferred. X11 application names are also shown. Entries hang around on the screen for a few seconds so you can see what just happened. Also accepts filter expressions รก la tcpdump.
Project Home Page :- http://www.adaptive-enterprises.com.au/~d/software/pktstat/
RTG
RTG is a flexible, scalable, high-performance SNMP statistics monitoring system. It is designed for enterprises and service providers who need to collect time-series SNMP data from a large number of targets quickly. All collected data is inserted into a relational database that provides a common interface for applications to generate complex queries and reports. RTG includes utilities that generate configuration and target files, traffic reports, 95th percentile reports and graphical data plots. These utilities may be used to produce a web-based interface to the data.
Project Home Page :- http://rtg.sourceforge.net/
speedometer
Monitor network traffic or speed/progress of a file transfer. The program can be used for cases like: how long it will take for my 38MB transfer to finish, how quickly is another transfer going, How fast is the upstream on this ADSL line and how fast can I write data to my filesystem.
Project Home Page :- http://excess.org/speedometer/
Spong
Spong is a simple system-monitoring package written in Perl. It features client based monitoring, monitoring of network services, results displayed via the Web or console, history of problems, and flexible messaging when problems occur.
Project Home Page :- http://spong.sourceforge.net/
slurm
slurm started as a pppstatus port to FreeBSD. As I ripped off several functions
SNIPS
SNIPS (System & Network Integrated Polling Software) is a system and network monitoring software that runs on Unix systems and can monitor network and system devices. It is capable of monitoring DNS, NTP, TCP or web ports, host performance, syslogs, radius servers, BGP peers, etc. New monitors can be added easily (via a C or Perl API).
Project Home Page :- http://www.navya.com/software/snips/
tcpflow
tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way
that is convenient for protocol analysis or debugging. A program like tcpdump shows a summary of packets seen on the
wire, but usually doesn’t store the data that’s actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis. tcpflow understands TCP sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery.
Project Home Page :- http://www.circlemud.org/~jelson/software/tcpflow/
vnstat
vnStat is a network traffic monitor for Linux that keeps a log of daily network traffic for the selected interface(s).vnStat isn’t a packet sniffer. The traffic information is analyzed from the /proc -filesystem, so vnStat can be used without root permissions. However at least a 2.2.x kernel is required.
Project Home Page :- http://humdi.net/vnstat/
WMND
Shows a graph of incoming/outgoing traffic, activity indicators for rx/tx and current/maximum rate for rx/tx in bytes or packets.Tailored for use with WindowMaker, it will as well work with any other window manager though.
Project Home Page :- http://dockapps.org/file.php/id/178