Monitoring Open Ports

Kevin Keane subscription at kkeane.com
Wed Sep 30 03:09:25 CEST 2009


Not sure if my response will help you since I take a slightly different 
approach to monitoring basically the same thing. I am monitoring both 
the ports actually being listened on, and the iptables configuration.

I'm using netstat -ltunp on the monitored server. Below is the plugin 
script I am using. Actually, it really looks for CHANGES in open ports. 
The first time it runs, it creates a file /var/run/checkPorts that 
contains a list of all currently-open ports. Any time a port opens or 
stops listening, the script generates an alert. If you expect a change 
in the list of open ports, simply delete the file /var/run/checkPorts.

I also have a similar script that compares the actual iptables filter 
tables with the ones specified, to see if the firewall may have opened 
some port unexpectedly. That, too, has to run on the monitored machine.

If you want to check from the outside - such as from the nagios server - 
you probably need to use nmap or the like, or you may be able to use an 
SNMP query or similar to your firewall. Be aware that your firewall may 
actually detect that type of probing as an intrusion attempt.

#!/bin/bash

result=0
# use an unpredictable temporary file rather than /tmp/$$.checkPorts, so a
# pre-created file or symlink in /tmp cannot be clobbered by this check
tmp=$(mktemp /tmp/checkPorts.XXXXXX) || exit 3
# the PID in the output of netstat can legitimately change, so
# let's remove it. We also sort to be sure that the ordering
# doesn't cause any headaches later
netstat -ltunp | sed 's;[0-9]*/.*;;' | sort > "$tmp"
if [ ! -f /var/run/checkPorts ]
then
   # first run: record the current listeners as the baseline
   cp "$tmp" /var/run/checkPorts
   echo -n "Created new compare file"
else
   out=$(diff --ignore-all-space "$tmp" /var/run/checkPorts)
   if [ $? -ne 0 ]
   then
       result=1
       # report only the changed lines: the diff marker (< = newly listening,
       # > = no longer listening) plus the address fields, joined with "; "
       echo "$out" | grep '[<>]' | awk '{ print $1, $5, $8; }' | sed -e :a -e '$!N; s/\n/; /; ta'
   else
       echo -n "Only expected ports are open"
   fi
fi
rm -f "$tmp"
exit $result


Matt Baer wrote:
> Is there a way that Nagios can monitor open ports, even if there isn't 
> anything listening on the destination?  I'd like to monitor my open 
> ports on my firewall JUST to make sure they're open.  I would just 
> specify the port with the normal Nagios command and point it at my 
> public IP address, but obviously, the check will fail unless something 
> is listening on the other end.  Basically I want to port scan specific 
> ports.  Any ideas?

-- 
Kevin Keane
Owner
The NetTech
Find the Uncommon: Expert Solutions for a Network You Never Have to Think About

Office: 866-642-7116
http://www.4nettech.com

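The same baseline-and-diff check, as an added Python example (not Kevin's script and not a Nagios plugin): it parses `netstat -ltunp` output, drops the PID/Program column, and compares the listening sockets with a stored baseline, returning a Nagios-style exit code. The netstat output below is constructed for the example, and the baseline path is an assumed name.

```python
import re
import sys
from pathlib import Path

BASELINE = Path("/var/run/checkPorts.baseline")  # assumed path, not from the post

# Constructed sample output of `netstat -ltunp` (not captured from a real host)
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1203/master
tcp6       0      0 :::80                   :::*                    LISTEN      1540/apache2
udp        0      0 0.0.0.0:123             0.0.0.0:*                           901/ntpd
"""

def parse_listeners(netstat_output):
    """Set of (proto, local_address) pairs; the PID column is ignored, so a
    restarted daemon is not reported as a change (like the sed in the script)."""
    listeners = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not re.match(r"^(tcp|udp)6?$", fields[0]):
            continue  # banner and column-header lines
        listeners.add((fields[0], fields[3]))
    return listeners

def compare(current, baseline):
    """Return (exit_code, message); 2 is CRITICAL in the Nagios plugin convention."""
    opened = sorted(current - baseline)   # listening now, absent from baseline
    closed = sorted(baseline - current)   # in baseline, no longer listening
    if not opened and not closed:
        return 0, "OK: only expected ports are open"
    parts = [f"new {p} {a}" for p, a in opened] + [f"closed {p} {a}" for p, a in closed]
    return 2, "CRITICAL: " + "; ".join(parts)

def main():
    current = parse_listeners(sys.stdin.read())
    if not BASELINE.exists():  # first run: record the baseline, like the script does
        BASELINE.write_text("".join(f"{p} {a}\n" for p, a in sorted(current)))
        print("Created new compare file")
        return 0
    baseline = {tuple(l.split()) for l in BASELINE.read_text().splitlines() if l.strip()}
    code, msg = compare(current, baseline)
    print(msg)
    return code

if __name__ == "__main__":
    sys.exit(main())
```

Run it as `netstat -ltunp | python3 checkports.py`; delete the baseline file when a change in open ports is expected, as with the shell version.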


_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users