5

I need to monitor open and closed ports on dozens of hosts. I've found a Nagios plugin that does what I need, but I would have to use this script through NRPE.

Some of the hosts are powered by Linux and they all have Perl installed. But some of them are Windows machines, and it's not convenient for me to install Perl on every one of them. That's why I cannot use this plugin.

I hope that there's a Nagios plugin that uses Nmap, or something similar, so it could check ports on every host remotely, without installing plugins on remote hosts, only on the server.

Peter Mortensen
Eedoh

5 Answers

3

This guy has developed a Nagios script for Linux that does exactly what you are asking:

http://www.altsec.info/check_scan.html

I'm trying now to find a Windows equivalent.

Miguel

2

What do you mean to check ports on hosts remotely? Do you just want to connect to the port to see if it is open? The check_tcp plugin will do that, if that's what you want to do.

Not quite sure what you mean.

Imo
  • Well yes, I want to check for open and closed ports, but I need info for all of them, and I need to get warnings when state is changed. And, before all other things, I have to be able to run checks without plugin installation on remote hosts. check_tcp is not able to scan ALL ports on every host. At least I don't know a way to do it (except creating new command for every port, and that's too much, I'd rather make my own plugin :D) :D – Eedoh Mar 30 '10 at 13:09
  • What Imo suggests is absolutely the correct way to do it. You should be making a check for separate things, not writing a flakey check that will produce inconsistent results. check_tcp is the proper way to check if a socket is open or closed. – Warner Mar 30 '10 at 14:12
  • I have to disagree. From a system administration point of view, perhaps. From a security point of view, I often run point scanners and compare them against a baseline. I also don't quite know what a "flakey check" would be... Seems like a pretty simple check really. Have it do an nmap scan for each host. Write to temp, compare against baseline. Error 0 if no changes, error 2 if there is. – breadly Mar 30 '10 at 14:46
  • 2
    Yeah, if you're worried that the machine has been compromised and a backdoor port has been opened, a port open count/check would be useful. In fact I recall writing a small Nagios plugin for that many years ago. The initial poster is a bit confused... to check a port you don't need to install NRPE or Perl on remote machines. Nagios and check_tcp will check the TCP port status on as many remote machines and ports as you care to configure. – Imo Mar 30 '10 at 14:54
  • That configuration of wanted ports for performing check on them is a problem. I need to monitor ALL ports on ALL hosts. With check_tcp I would have to write 65535x4 configuration lines/host, because I need to specify every port with new command with check_tcp. That's something I don't want to do. However, I started writing my own plugin that uses nmap and gets port range as a parameter. Because I'm in a hurry, I will do only basic functionality I need for now, but when I finish my tasks in a few weeks, I hope I will improve it and upload on Nagios plugins exchange. Maybe even put a link on it here... – Eedoh Mar 31 '10 at 11:49
0

I suppose what you want is to make sure that there is no "positive" response on any port apart from a short whitelist. I can see how you would prefer not to have 65000 check_tcp:s on each host :)

Mind you, I'm not sure Nagios is really your best bet for this. Partly, it risks being a test that is always red and also, if you are serious about it, you should not limit the check to hosts that you actually know about. This sits awkwardly with Nagios which expects a host as the basic unit of configuration.

Personally, I would probably have a separate tool that mailed me when something new shows up. In its most trivial form, this would be just a script that reacted to a non-zero diff of nmap output between today and yesterday and mailed me. In more complex form, such software tends to be sorted as IDSes which are not my expertise, but Google may be able to help.

Bittrance
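The approach breadly and Bittrance describe (scan with nmap, compare against a stored baseline, exit 0 when nothing changed and 2 when something did), as an added example that is not part of any post on this page and is not Eedoh's plugin. It assumes both scans were saved in nmap's grepable format (`-oG`); the function names and the sample scans are constructed for illustration.

```python
import sys

OK, CRITICAL = 0, 2  # Nagios plugin exit codes

# Constructed sample scans in nmap grepable (-oG) format, not real data.
BASELINE_SAMPLE = (
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\n"
    "Host: 192.0.2.11 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\n"
)
CURRENT_SAMPLE = (
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 8081/open/tcp/////\n"
    "Host: 192.0.2.11 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///\n"
)

def parse_grepable(text):
    """Map each host to the set of 'port/proto' strings nmap reported as open."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip '#' comment lines
        open_ports = hosts.setdefault(line.split()[1], set())
        if "Ports:" not in line:
            continue  # 'Status:' line: host seen, no port list on this line
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add(f"{fields[0]}/{fields[2]}")
    return hosts

def check(baseline_text, current_text):
    """Return (exit_code, status_line): 0 if open ports match the baseline, else 2."""
    base, cur = parse_grepable(baseline_text), parse_grepable(current_text)
    by_number = lambda p: int(p.split("/")[0])
    changes = []
    for host in sorted(set(base) | set(cur)):
        b, c = base.get(host, set()), cur.get(host, set())
        changes += [f"{host} +{p}" for p in sorted(c - b, key=by_number)]
        changes += [f"{host} -{p}" for p in sorted(b - c, key=by_number)]
    if changes:
        return CRITICAL, "PORTS CRITICAL - " + ", ".join(changes)
    return OK, f"PORTS OK - {len(cur)} host(s) match baseline"

if __name__ == "__main__":
    # Assumed usage: plugin.py baseline.gnmap current.gnmap (files from nmap -oG)
    with open(sys.argv[1]) as b, open(sys.argv[2]) as c:
        code, message = check(b.read(), c.read())
    print(message)
    sys.exit(code)
```

Only ports in the `open` state are compared, so a port moving from closed to filtered does not alert, and a host that appears only in the current scan is reported through its open ports.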
0

It sounds like you need a Nagios check for changes/alerts in pbnj.

Use nagios to monitor the tool that tracks the changes, don't try to shim Nagios to track the changes.

Jodie C
-1

I really like Nagios. I have been using it for years. I even do some Oracle database management with it, but what Nagios really is is an availability monitoring tool. I think what you are asking for is better fulfilled by another software like OpenVAS or Snort.

Peter Carrero
  • Yes, I was already suggesting Snort to my chiefs, but they did not agree for some reason. However, meanwhile I wrote my own plugin for monitoring changes on desired range of ports, using nmap. I'm thinking of uploading it to Nagios Exchange, but it's still rough, it needs some polishing... Maybe I upload it now and update it with new version once it's totally finished (once I have free time :D). – Eedoh Apr 08 '10 at 06:54