9.13. Testing for Open Ports

Problem

You want a listing of open network ports on your system.

Solution

Probe your ports from a remote system, ideally from the same vantage point an attacker would have (outside every firewall you control). A scan run on the host itself will not show what the network lets through.

To test a specific TCP port (e.g., SSH):

$ telnet target.example.com ssh
$ nc -v -z target.example.com ssh

To scan the default set of TCP ports (run as root so nmap can use a SYN scan; as an ordinary user it falls back to full connect() scans):

# nmap -v target.example.com

To test a specific UDP port (e.g., 1024):

$ nc -v -z -u target.example.com 1024

To scan the default set of UDP ports (slowly! open UDP ports usually send no reply, and most kernels rate-limit the ICMP "port unreachable" messages that identify closed ones, so nmap often reports "open|filtered" rather than "open"):

# nmap -v -sU target.example.com

To do host discovery (only) for a range of addresses, without port scanning (-sP is the older spelling; current nmap calls this -sn and still accepts -sP as an alias):

# nmap -v -sP 10.12.104.200-222

To do operating system fingerprinting:

# nmap -v -O target.example.com

For a handy (but less flexible) GUI, run nmapfe instead of nmap. (nmapfe has since been replaced by Zenmap, which ships with current nmap releases.)
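The manual probes above are fine for one port at a time, but a practitioner usually wants the result in a form that can be diffed against the expected firewall policy. The script below is an added example, not part of the Linux Security Cookbook: it wraps a single-port TCP probe (using bash's /dev/tcp pseudo-device, so it works even where nc and telnet are absent) and parses nmap's grepable output (-oG) into a plain "port/proto state service" list, keeping the UDP "open|filtered" verdict visible rather than silently dropping it. The host 10.12.104.200 and the grepable lines in sample_grepable are constructed for the demonstration; nmap is only needed for the live scan_open_ports function.

```shell
#!/bin/bash
# Added example (not from the Linux Security Cookbook). Assumes bash for
# /dev/tcp in tcp_port_open; the nmap -oG sample below is constructed.

# Probe one TCP port without nc/telnet. Returns 0 if the connection was
# accepted (port open), non-zero if refused, filtered, or unreachable.
tcp_port_open() {
    local host="$1" port="$2"
    ( exec 3<>"/dev/tcp/$host/$port" ) 2>/dev/null
}

# Read nmap grepable output (-oG) on stdin and print one line per port that
# is not closed, as "port/proto state service". -oG "Ports:" entries look
# like 22/open/tcp//ssh///, separated by ", "; UDP ports that never answered
# are reported as "open|filtered", which is kept so the reader can see it.
open_ports_from_grepable() {
    awk '
        /^Host:/ && /Ports:/ {
            sub(/.*Ports: /, "")
            sub(/[ \t]+Ignored State:.*/, "")
            n = split($0, entries, ", *")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")   # port state proto owner service
                if (f[2] == "open" || f[2] == "open|filtered")
                    print f[1] "/" f[3], f[2], f[5]
            }
        }'
}

# Live scan wrapper: nmap writes grepable output to stdout with "-oG -".
# Extra nmap options (e.g. -sU, -sS, -p-) are passed through; most of them
# need root. Usage: scan_open_ports target.example.com -sS -sU
scan_open_ports() {
    local target="$1"; shift
    command -v nmap >/dev/null 2>&1 || { echo "nmap not installed" >&2; return 2; }
    nmap "$@" -oG - "$target" | open_ports_from_grepable
}

# Constructed sample of what "nmap -sS -sU -oG -" emits for one host
# (values invented for the example, not a real scan).
sample_grepable() {
    printf '# Nmap scan initiated (constructed sample)\n'
    printf 'Host: 10.12.104.200 ()\tStatus: Up\n'
    printf 'Host: 10.12.104.200 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 53/open|filtered/udp//domain///\tIgnored State: filtered (996)\n'
    printf '# Nmap done (constructed sample)\n'
}

# Demonstration on the constructed sample; a real run would be
#   scan_open_ports target.example.com -sS -sU
sample_grepable | open_ports_from_grepable
```

Compare the resulting list with what your firewall policy says should be reachable from that vantage point; anything extra is either a service you forgot about or a rule that does not do what you think it does.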

Discussion

When attackers observe your systems from the outside, what do they see? You want to present an impenetrable fortress, not a vulnerable target, and you have designed your defenses accordingly: a carefully constructed firewall, securely configured network services, and so on. But how can you really be sure?

You don’t need to wait passively to see what will happen next. Instead, actively test your own armor with the same tools the attackers will use.

Your vulnerability to attack is influenced by several interacting factors:

The vantage point of the attacker

Firewalls sometimes make decisions based on the source IP address (or the source port).

All intervening firewalls

You have your own, of course, but your ISP might impose additional restrictions on incoming or even outgoing ...
