
Moving applications to the cloud is an unstoppable trend, but security is a problem we cannot ignore. We hate malicious access, so regularly checking all open TCP ports is a good habit for keeping a system secure. Obviously, database ports should not be exposed to the Internet, and our internal REST APIs also need protection.

First we need to check that the firewall is configured correctly, but more importantly, we should work to minimize the impact of any security hole. So we need to audit insecure TCP ports regularly and automatically.

1. Identify which ports on the servers are insecure


Here are general principles for firewall configuration. 

  • Only allow public access to very few ports, like http(80), https(443), etc.
  • For sshd(22), only selected source IPs can connect.
  • For DB ports, like mysql(3306), elasticsearch(9200), we don’t expose them directly. Key members can connect through an SSH tunnel.
  • For traffic within the cluster, the default policy is always accept. If we can configure it with more limited privilege, that’s nice but not always practical. Developers are usually too busy to list all traffic rules correctly and precisely. Even if they do, the rules will change constantly over time.

Our first step is listing all TCP ports which are open to the world. If some are against above principles, we raise an alert. Here we can use Nmap, which is an open source tool for network exploration and security auditing.

# Install Nmap package
sudo apt-get install nmap
# Scan all TCP ports for a given host
sudo nmap -sS -PN 192.168.0.164
# === Run: sudo nmap -sS -PN 192.168.0.164
#
# Starting Nmap 6.40 ( http://nmap.org )
# Nmap scan report for 192.168.0.164
# Host is up (0.00051s latency).
# Not shown: 997 filtered ports
# PORT    STATE SERVICE
# 22/tcp  open  ssh
# 80/tcp  open  http
# 443/tcp open  https



In this post, we won’t introduce the detailed usage of Nmap, which is definitely a versatile tool. We want to run the check as fast as possible, so we use a TCP SYN scan (-sS) and skip host discovery (-PN), assuming the server is up.

By default Nmap scans the top 1000 most popular ports, according to the statistics generated from Internet-wide scans and large internal network scans from the summer of 2008. We may have some extra ports to scan. Here is how:

# Check certain TCP ports
sudo nmap -p T:9200-9500,8090-8100 \
    -sS 192.168.0.164

Episode 2: Automate Check Process And Get Alerts Automatically.

Now we can list all open ports. Usually there are a bunch of servers to check, and we need to read the output carefully to detect potential issues. Definitely we don’t want to do that manually. What’s more, things change all the time, which means we will have to do it again and again. It’s way too much for a human. Boring and error-prone!


To automate the process, we need to provide 3 things:

  • Server list to check. The list might be static, or dynamic and retrieved from other systems.
  • Whitelist for open ports. The rule may apply to all servers or only certain servers.
  • Extra ports to scan, other than the default 1000 ports.

Put It All Together.

Here comes the Jenkins job (TCPScanReport), which runs daily. If it fails, we will be notified by email or Slack!

[Image: tcp_scan_report.png]
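The check that such a daily job needs to run, as an added example that is not code from the original post: it builds the scan command from the post, parses Nmap's normal output into open ports, and compares them against a global whitelist plus per-server exceptions. The whitelist, the per-host exception and the scan report below are constructed for illustration.

```python
"""Audit open TCP ports from Nmap output against a per-server whitelist."""
import re

# Constructed policy: ports allowed everywhere, plus per-host exceptions.
GLOBAL_ALLOWED = {22, 80, 443}
HOST_ALLOWED = {"192.168.0.165": {8080}}
EXTRA_PORTS = "T:9200-9500,8090-8100"

# Matches report lines such as "22/tcp  open  ssh"; "filtered" and
# "open|filtered" states deliberately do not match.
PORT_LINE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)", re.MULTILINE)


def nmap_command(host, extra_ports=EXTRA_PORTS):
    """Argument list for the scan used in the post: SYN scan (-sS), no host
    discovery (-PN). With -p only the listed ports are scanned; without it
    Nmap scans its default top 1000 ports."""
    cmd = ["sudo", "nmap", "-sS", "-PN"]
    if extra_ports:
        cmd += ["-p", extra_ports]
    return cmd + [host]


def parse_open_ports(nmap_output):
    """Return {port: service} for every open TCP port in the report."""
    return {int(port): svc for port, svc in PORT_LINE.findall(nmap_output)}


def audit(host, nmap_output):
    """Sorted (port, service) pairs that are open on host but not whitelisted."""
    allowed = GLOBAL_ALLOWED | HOST_ALLOWED.get(host, set())
    return sorted((p, s) for p, s in parse_open_ports(nmap_output).items()
                  if p not in allowed)


def report(scan_results):
    """scan_results maps host -> Nmap output. Empty result means the job passes."""
    return [f"{host}: port {port}/tcp ({svc}) is open but not whitelisted"
            for host, output in scan_results.items()
            for port, svc in audit(host, output)]


# Constructed sample in the format Nmap prints (not a real scan result).
SAMPLE_REPORT = """\
Starting Nmap 6.40 ( http://nmap.org )
Nmap scan report for 192.168.0.164
Host is up (0.00051s latency).
Not shown: 995 filtered ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
3306/tcp open     mysql
9200/tcp filtered unknown
"""

if __name__ == "__main__":
    problems = report({"192.168.0.164": SAMPLE_REPORT})
    print("\n".join(problems) or "OK")
    raise SystemExit(1 if problems else 0)  # non-zero exit fails the job
```

In a real job the output of `nmap_command(host)` would be fed to `report` for every host in the server list, and a non-zero exit is what triggers the email or Slack notification.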


Comments

Guest
hi there, I'm DennyZhang.

Thanks a lot for the translation. Updated the original post, adding the link to your translation.
http://www.dennyzhang.com/nmap_port_scan

Feel free to contact me by email or subscribe to our weekly newsletter.

I'd love to hear your feedback and valuable input.