Network Scanning
by Chris Coleman
By design, the Internet is made up of clients and servers. The client needs the information, and the server has it. An Internet server is made up of several services that can each accept requests from clients and deliver the requested data. Web and e-mail are popular examples of these types of services; however, there are many others, such as telnet, time, and SSH.
While all of the services live at the same host address, each service has a unique identifier on the server called a "port." The port is a number from 1 through 65535, and many of the ports are registered. The file /etc/services contains a list of the well-known ports. I pulled this bit of info from it:
- The Well-Known Ports are those from 0 through 1023.
- The Registered Ports are those from 1024 through 49151.
- The Dynamic and/or Private Ports are those from 49152 through 65535.
Each service is handled by a program called a "daemon." The daemon listens on, or is bound to, a specific port to receive incoming requests from clients. When a request comes to the server, it is routed to the port requested and the daemon listening on that port sends back the reply.
Desktop Unix systems, and now Microsoft systems, come with several of these services turned on by default. Hackers have utilities that allow them to scan a server and discover which ports have daemons listening on them. Many Internet daemons, and especially IIS servers, have security vulnerabilities that can allow hackers to gain control of your computer.
If your workstation has services running, even if you are unaware of them, hackers can still find them and possibly use them against you. It has been a long-standing rule for Unix system administrators to turn off any services that aren't in use. However, many of us aren't sysadmins and don't think to check this on our personal workstations.
Hackers have access to utilities to scan your servers, but so do you. We know that hackers are scanning our servers for open ports. We can scan our servers first, know what the hackers will see, and close any ports that shouldn't be open. The two tools we need are:
- nmap is a utility that scans a particular server and informs us which ports are open.
- ethereal is a utility that captures network traffic and helps us decode what is going on. We can watch our network traffic and find out whether hackers can see anything that will help them break into our systems.
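As an added illustration of the self-audit described above (this is example code, not from the article or from the nmap or Ethereal projects), the following Python does a plain TCP connect check against a list of ports and labels each port that answers with its /etc/services name and the range it falls in. The host, port list and timeout are the caller's choice; the default run checks the well-known range on the local machine.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

def port_class(port: int) -> str:
    """Classify a port by the three IANA ranges quoted from /etc/services."""
    if 0 <= port <= 1023:
        return "well-known"
    if 1024 <= port <= 49151:
        return "registered"
    if 49152 <= port <= 65535:
        return "dynamic/private"
    raise ValueError(f"port out of range: {port}")

def service_name(port: int) -> str:
    """Name registered for a TCP port in the system services table; 'unknown' if absent."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "unknown"

def port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Full TCP connect: succeeds only when a daemon is bound to and listening on the port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def audit_ports(host: str, ports, timeout: float = 0.5) -> dict:
    """Return {port: (service, range)} for every port in `ports` where a daemon answers."""
    with ThreadPoolExecutor(max_workers=32) as pool:
        results = list(pool.map(lambda p: (p, port_open(host, p, timeout)), ports))
    return {p: (service_name(p), port_class(p)) for p, is_open in results if is_open}

if __name__ == "__main__":
    # Self-audit of this machine: the well-known range is where default daemons live.
    for port, (name, cls) in sorted(audit_ports("127.0.0.1", range(1, 1024)).items()):
        print(f"{port:5d}/tcp  {name:<12} ({cls})")
```

Anything the run lists is a daemon a remote scanner would also find; compare it against what you actually need and turn off the rest.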
Both utilities are used by hackers to see what is going on in your network. Here are some articles we have published on using
- Scanning Your Network -- Dru Lavigne shows us how to use nmap, a port scanning utility, to secure Unix servers and workstations.
- Using Ethereal -- Wondering what's going on with your network? Dru explains how to use Ethereal, a graphical network monitoring package that is easy to use and understand. Learn how to capture packets and monitor network traffic.
- Linux Tools For Network Analysis -- Spector finds two tools for watching traffic: Ethereal and Netwatch.
- Tools of the Trade: Part 1 -- In this first of a three-part series, Carl Constantine covers tools and techniques that system administrators can use to protect their networks, including discussion of nmap, Ethereal, and how to set up honey pots.
- Linux for Security Applications -- David Spector explains basic firewall and network security techniques. He also lists the basic tools that can be used, such as NMAP and IP Chains.
Chris Coleman is the Open Source Editor for the O'Reilly Network and is actively involved with community projects such as OpenPackages.org and Daemon News.