目录
1. 端口
1.1. 查看占用端口的进程
- 方法一 netstat
netstat -an | grep 8080
- 方法二 lsof
lsof -i:80
lsof -i tcp:80
1.2. 查看端口是否连通
1.2.1. nmap
yum -y install nmap
nmap -sU -p 123 10.0.8.7
nmap -sU -p 222 10.0.8.7
nmap 端口扫描的六种状态介绍
nmap 是一种用来发现网络中主机和服务的安全扫描工具, 从而能够产生一个网络"地图", 为了完成这个功能, nmap 会向每个目标主机发送特定的报文, 从而从目标主机返回报文(或者无返回报文)来判断目标主机的属性(如: 开放的端口, 所使用的操作系统, 操作系统的类型等信息)
本文主要讨论 nmap 对端口进行扫描中, 当 nmap 向目标主机发送报文并根据返回报文从而认定端口的 6 种状态的含义(注意: 这六种状态只是 namp 认为的端口状态, 例如: 有些主机或者防火墙会返回一些不可靠的报文从而妨碍 nmap 对端口开放问题的确认)。
Open
: 端口处于开放状态, 例如: 当 nmap 使用 TCP SYN 对目标主机某一范围的端口进行扫描时, 我们知道 TCP SYN 报文是 TCP 建立连接的第一步, 所以, 如果目标主机返回 SYN+ACK 的报文, 我们就认为此端口开放了并且使用了 TCP 服务。Closed
: 端口处于关闭状态。例如: TCP SYN 类型的扫描, 如果返回 RST 类型的报文, 则端口处于管理状态。这里我们值得注意的是关闭的端口也是可访问的, 只是没有上层的服务在监听这个端口, 而且, 只是在我们扫描的这个时刻为关闭, 当我们在另一个时间段进行扫描的时候, 这些关闭的端口可能会处于 open 的状态。Filtered
(过滤的): 由于报文无法到达指定的端口, nmap 不能够决定端口的开放状态, 这主要是由于网络或者主机安装了一些防火墙所导致的。当 nmap 收到 icmp 报文主机不可达报文(例如: type 为 3, code 为 13(communication administratively prohibit) 报文)或者目标主机无应答, 常常会将目标主机的状态设置为 filtered。Unfiltered
(未被过滤的), 当 nmap 不能确定端口是否开放的时候所打上的状态, 这种状态和 filtered 的区别在于: unfiltered 的端口能被 nmap 访问, 但是 nmap 根据返回的报文无法确定端口的开放状态, 而 filtered 的端口直接就没就没能够被 nmap 访问。端口被定义为 Unfilterd 只会发生在 TCP ack 扫描类型时当返回 RST 的报文。而端口被定义为 filtered 状态的原因是是报文被防火墙设备, 路由器规则, 或者防火墙软件拦截, 无法送达到端口, 这通常表现为发送 NMAP 的主机收到 ICMP 报错报文, 如: TYPE 为 3, code 为 13 的报文(通信被认为的禁止 communication administratively prohibited), 或者主机通过多次重复发送没有收到任何回应)。Open|filtered
状态, 这种状态主要是 nmap 无法区别端口处于 open 状态还是 filtered 状态。这种状态只会出现在 open 端口对报文不做回应的扫描类型中, 如: udp, ip protocol , TCP null, fin, 和 xmas 扫描类型。Closed|filtered
状态, 这种状态主要出现在 nmap 无法区分端口处于 closed 还是 filtered 时。此状态只会出现在 IP ID idle scan(这个类型我现在也不太理解, 过段时间进行总结一些)中。
个人经验: 一般带
filtered
的端口基本是关闭的、受阻的。
1.2.2. nc
yum -y install nc
nc -zuv ntp.aliyun.com 123
nc -zuv ntp.aliyun.com 222
关于 nc
用于 udp 端口连通性测试注意点:
- 当 ip 无法连通时, udp 客户端连接时, 通常会显示成功
- 当 udp 服务端程序关闭, 但系统还存在时, 对方系统会
icmp ECONNREFUSE
错误 - 当对方有操作
iptables udp port drop
时, 通常客户端也会显示成功
udp 没有类似 tcp 那样的状态报文, 所以单纯对 UDP 抓包是看不到啥异常信息。
那么当 IP 不通时, 为啥 nc udp 命令显示成功 ?
因为 nc
默认的探测逻辑很简单, 只要在 2 秒钟内没有收到 icmp ECONNREFUSED
异常报文, 那么就认为 UDP 连接成功。
所以, UDP 客户端给无法连通的地址发 UDP 报文时, 其实也不会报错, 这时候通常会认为发送成功。
UDP 没有 TCP 那样的握手步骤, 像 TCP 发送 syn 总得不到回报时, 协议栈会在时间退避下尝试 6 次, 当 6 次还得不到回应, 内核会给与错误的 errno 值。
所以如果要用 nc
测试 目标 upd 端口的连通性, 先测试下到目标 ip 网络是否通畅。
ping xx.xx.xx.xx
echo > /dev/tcp/xx.xx.xx.xx/22
nc is toolkit in Linux.
语法: nc -vuz [IP] [PORT]
$ nc -vuz 103.218.243.55 22
1.2.3. curl 命令
语法: curl [IP]:[PORT]
下面这种情况说明端口是 关闭 的:
$ curl 192.168.1.16:8888
curl: (7) Failed connect to 192.168.1.16:8888; Connection refused
下面这种情况说明端口是 打开 的:
$ curl 192.168.1.16:1080
Invalid header received from client.
1.2.4. wget 命令
语法: wget [IP]:[PORT]
下面这种情况说明端口是 关闭 的:
$ wget 192.168.1.16:8888
--2018-07-26 15:34:25-- http://192.168.1.16:8888/
Connecting to 192.168.1.16:8888... failed: Connection refused.
下面这种情况说明端口是 打开 的:
$ wget 192.168.1.16:1080
--2018-07-26 15:34:18-- http://192.168.1.16:1080/
Connecting to 192.168.1.16:1080... connected.
HTTP request sent, awaiting response... 400 Invalid header received from client
2018-07-26 15:34:18 ERROR 400: Invalid header received from client.
1.2.5. ssh 命令
语法: ssh -v -p [PORT] username@[IP]
如果端口是打开的, 可以看到打出的信息中包含有: Connection established.
1.2.6. telnet 命令
语法: telnet [IP] [PORT]
显示连接被拒接就说明端口是关闭的。
1.3. 查看端口状态
Linux 查看端口占用情况命令, 比如查看 80 端口占用情况使用如下命令:
sudo lsof -i tcp:80
sudo lsof -i:8000
ss -tlnp | grep -E "22|2022"
列出所有端口
sudo netstat -ntlp
sudo netstat -tunlp |grep 8000
RedHat 系
/etc/init.d/iptables status
或者:
service iptables status
Debian 系
sudo iptables -L -v
默认情况下, Ubuntu 下的 iptables 是允许任意流量进入的。所以刚开始时会看到如下的表项:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1.3.1. View established port usage => ESTABLISHED
netstat -a
1.3.2. View all port usage => LISTEN, ESTABLISHED
netstat -ap
netstat -anp | more
分页查看端口使用情况
1.3.3. View specific port usage
netstat -ap | grep 8080
or
lsof -i:8888
1.3.4. Kill specific program occupied port
kill -9 [PID]
kill
sends a signal to the PID process.
The signal is SIGTERM by default.
However, kill -9
sends SIGKILL which cannot be blocked by system, so it will kill process smoothly.
1.4. 开启端口(以 80 端口为例)
方法一:
写入修改:
/sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
保存修改:
/etc/init.d/iptables save
重启防火墙, 修改生效:
service iptables restart
方法二:
打开配置文件加入如下语句:
vi /etc/sysconfig/iptables
重启防火墙, 修改完成:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
方法三:
打开配置文件: vi /etc/sysconfig/iptables
按快捷键 yy
复制 SSH 端口 22
那一行, 再按键 p
粘贴一行, 再将粘贴的行里面的 22 改成你想要的 TCP 端口, 然后重启 iptables 即可。
如果是要开放 UDP 端口呢? 很简单, 把那一行的 tcp
全改成 udp
就可以了。
1.5. 关闭端口
方法一:
写入修改:
/sbin/iptables -I INPUT -p tcp --dport 80 -j DROP
保存修改:
/etc/init.d/iptables save
重启防火墙, 修改生效:
service iptables restart
方法二:
打开配置文件:
vi /etc/sysconfig/iptables
加入如下语句:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j DROP
重启防火墙, 修改生效:
service iptables restart
2. check if a Port is open on a remote Linux PC
2.1. TCP and UDP ports
TCP stands for Transmission Control Protocol. In this method, the computers get connected directly until the data transfer is taking place. Therefore, with this method, the data transfer is guaranteed and is reliable but puts a higher load on the server as it has to monitor the connection and the data transfer too.
UDP stands for User Datagram Protocol. Using this method, the data is sent in the form of little packages into the network with the hope that it reaches the final destination. It means the two computers are not connected directly to each other. This method does not provide any guarantee that the data you send will ever reach its destination. Load on the server is less, and so this method is used commonly by the system administrators first to try something that’s not so important.
Now that you know the types are ports on a Linux system, let’s get started with ways of finding the ones that are open.
2.2. Best ways to check if a Port is open on a Linux PC
2.2.1. netcat command
netcat is a simple Unix utility that can be used to write and read data using UDP and TCP protocol across network connections.
The primary reason for its design is to provide a back-end tool that works with the scripts and programs. It is also an exploration and network debugging tool that offers tons of features.
To use it, you need to install it in your distro using the respective installation commands.
For Ubuntu/Debian:
sudo apt-get install netcat
For Fedora 22+
dnf install nc
For RHEL/CentOS
yum install nc
By doing so, you can do the following operations with it.
- send UDP packets
- listen to arbitrary UDP and TCP ports
- Use IPv4 and IPv6 to do port scanning
Moreover, it also has three modes
The syntax of the command is as follows.
nc [-options] host-ip-adress port-number
Let’s try to use it on a remote computer.
$ nc -zvw10 192.168.0.1 22
As you can see, the connection succeeded. This means that port 22 is open. If the connection fails, then you will get an error message of “failed: Connection refused”
In the above command, we also used different options. Let’s list them below.
z
: zero-I/O mode which is used for scanningv
: for verbose outputw10
: timeout wait seconds
2.2.2. nmap command
Nmap command is popular network security, auditing, and exploration command. Nmap stands for Network Mapper.
It also has a way to check for open ports. To do so, it utilizes a novel approach to using IP packets. It can also be used to learn about the services the host is providing. Other vital aspects that it can detect include operating system version, packet firewalls/filters, and so on! It is a useful tool.
Let’s see the nmap syntax below.
nmap [-options] [IP or Hostname] [-p] [PortNumber]
As you can see, its syntax matches that of the nc command. Let’s run it to get a better understanding.
nmap 192.168.0.1 -p 22
If the port is closed, then it will show status is closed.
$ nmap 192.168.0.2 -p 103
2.2.3. telnet command
The next command that we will go through is the telnet command. It is an old interactive communication command.
It is specially created for the remote computer interaction, and that’s why we are going to use it to check for open ports on a remote computer. The command is available on both Windows and Linux systems, but on a Windows system, it needs to be enabled before use. It runs over a TCP/IP network. Also, it connects over a remote computer or network equipment over port 23.
One more thing that you need to know is that it is not a secure protocol and must be used with SSH if you want to be encrypted and secure.
To install telnet in RHEL 7 or CentOS 7, you need to use the following command.
yum install telnet telnet-server -y
For Ubuntu, use the following command
$ sudo apt install telnetd -y
The syntax of the command is as below.
$ telnet [IP or Hostname] [PortNumber]
If the connection fails, then the port is not open, and you will get the following output.
2.2.4. echo > /dev/tcp/…
There is another way to check for open ports. In Linux, everything is a file, including the host status and its port availability. This can come handy in cases where no commands are working on the remote host.
The syntax of the command is as below
echo > /dev/tcp/[host]/[port] && echo "Port is open"
or
echo > /dev/udp/[host]/[port] && echo "Port is open"
2.2.5. netstat -tuplen
The last command that we are going to discuss is the netstat command. It is a network utility TCP/IP command. It is used to print connections, interface statistics, multicast membership, and other network-related tasks.
The syntax of the command is as below.
netstat -tuplen
It will output the whole list of the IP addresses. The entries that have “Listen” in the “State” column are the open ports.
2.3. lsof command
The syntax is:
sudo lsof -i -P -n
sudo lsof -i -P -n | grep LISTEN
doas lsof -i -P -n | grep LISTEN # OpenBSD #
sshd
is the name of the application.10.86.128.138
is the IP address to which sshd application bind to (LISTEN)22
is the TCP port that is being used (LISTEN)85379
is the process ID of the sshd process
2.3.1. Viewing the Internet network services list
The /etc/services
is a text file mapping between human-friendly textual names for internet services and their underlying assigned port numbers and protocol types. Use the cat
command or more
command/less
command to view it:
less /etc/services
2.4. ss command
The netstat command deprecated for some time on Linux. Therefore, you need to use the ss command as follows:
sudo ss -tulw
sudo ss -tulwn
sudo ss -tulwn | grep LISTEN
Where, ss command options are as follows:
-t
: Show only TCP sockets on Linux-u
: Display only UDP sockets on Linux-l
: Show listening sockets. For example, TCP port 22 is opened by SSHD server.-p
: List process name that opened sockets-n
: Don’t resolve service names i.e. don’t use DNS
3. 网速
3.1. NetHogs – Check bandwidth utilization per program basis
sudo apt install nethogs
To run it, simply use:
sudo nethogs
Conveniently, you can specify devices after the command (such as sudo nethogs eth0
). You also have additional parameters, such as choosing a delay for the refresh rate (-d
), version info (-V
), tracemode (-t
) and a few others which you can check out in the man pages (man nethogs
).
3.2. iftop – The ‘top’ of Network Usage
4. 防火墙
4.1. 查看防火墙状态
- CentOS 6
service iptables status
- CentOS 7
从 CentOS 7 开始使用 systemctl 来管理服务和程序, 包括了 service 和 chkconfig。
启动一个服务: systemctl start firewalld.service
关闭一个服务: systemctl stop firewalld.service
重启一个服务: systemctl restart firewalld.service
显示一个服务的状态: systemctl status firewalld.service
在开机时启用一个服务: systemctl enable firewalld.service
在开机时禁用一个服务: systemctl disable firewalld.service
查看服务是否开机启动: systemctl is-enabled firewalld.service; echo $?
查看已启动的服务列表: systemctl list-unit-files|grep enabled
systemctl status firewalld
or
firewall-cmd --state
查看防火墙规则:
firewall-cmd --list-all
# 查询端口是否开放:
firewall-cmd --query-port=8080/tcp
查看已经开放的端口:
firewall-cmd --list-ports
4.2. 关闭防火墙
systemctl status firewalld.service
systemctl stop firewalld.service
systemctl start firewalld.service
systemctl disable firewalld.service
4.3. 关闭 selinux
# setenforce 0 临时设置 SELinux 成为 permissive 模式
# setenforce 1 临时设置 SELinux 成为 enforcing 模式
setenforce 0
vi /etc/selinux/config
将 SELINUX=enforcing 改为 SELINUX=disabled
查看
$ getenforce
Disabled
$ /usr/sbin/sestatus -v
SELinux status: disabled
4.4. 控制防火墙
- CentOS 7
systemctl stop firewalld.service # 停止 firewall
systemctl disable firewalld.service # 禁止 firewall 开机启动
# 开启
service firewalld start
# 重启
service firewalld restart
# 关闭
service firewalld stop
# 开放 80 端口
firewall-cmd --permanent --add-port=80/tcp
# 移除端口
firewall-cmd --permanent --remove-port=8080/tcp
# 重启防火墙(修改配置后要重启防火墙)
firewall-cmd --reload
# 参数解释
firwall-cmd: 是 Linux 提供的操作 firewall 的一个工具;
--permanent: 表示设置为持久;
--add-port: 标识添加的端口;
5. CentOS Minimal 网络配置详细解读
5.1. CentOS Server Minimal
在虚拟机上安装发现默认是命令行界面一路进行下去, 最后发现是 Minimal 的安装, 并且网卡也没有默认启动。
Centos 6 的 Minimal 下, 网卡默认 onboot="no"
, 并且设置了依赖 NetworkManager 的选项, NM_CONTROLLED="yes"
, 因为 Minimal 的情况下并没有安装系统默认提供的网络管理工具 NetworkManger, 所以我们需要修改。
手工编辑网卡的配置文件 (vi /etc/sysconfig/network-scripts/ifcfg-eth0
) 原来格式如下:
ONBOOT=no
NM_CONTROLLED=yes
BOOTPROTO=dhcp
需要我们修改成:
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=dhcp
这是自动获取 IP, 也可以自己手动设置 IP 格式如下:
ONBOOT="yes"
NM_CONTROLLED="no"
IPADDR=192.168.1.4
BOOTPROTO=none
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DNS1=223.5.5.5
DNS2=119.29.29.29
USERCTL=yes
保存, 现在重启网络服务: service network restart
然后输入 ifconfig
。
5.2. CentOS Desktop Minimal
刚装好的 CentOS Minimal Desktop 开机是不会自动开启网络的, 为了开机自动启动网络, 我们需要设置配置文件。
切换到网卡配置文件的目录, 找到网卡的配置文件:
cd /etc/sysconfig/network-scripts
CentOS6 的话一般是叫 ifcfg-eth0
, CentOS7 修改了网卡的命名规则, 不再是我们熟悉的 eth0
了, 而是 ifcfg-eno+随机字符
。编辑网卡配置文件, 将里面的 ONBOOT=no
改成 ONBOOT=yes
即可。
注意: Desktop 在这里配置和纯 Server(即不含桌面的系统)的区别是
NM_CONTROLLED
选项,NM_CONTROLLED
的意思是配置网络是否被 NetworkManager 管理, 由于在纯 Server 的情况下, NetworkManager 是没有安装的, 但在 Desktop 情况下是默认安装的, 如果没有开启则会报出wired network device not managed
的错误, 所以在 Desktop 情况下一定要启用:NM_CONTROLLED=yes
.
重启 NetworkManager 相关命令:
## service NetworkManager restart
## service network restart
6. Linux 之 ip 扫描工具之 traceroute/nmap/fping
一、traceroute
1. 如下 Log:
# traceroute to www.baidu.com (220.181.38.150), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
第一、二、三、四跳都为空
2. 解决关闭本机或虚拟机系统防火墙
# traceroute www.baidu.com -I
注意: -I 使用 ICMP 回应取代 UDP 资料信息
二。nmap 使用
# nmap -sP 192.168.2.* //-sP 是使用 ICMP 协议发送 echo 请求数据包, 但是很容易被防火墙过滤掉
or
# nmap -sP 192.168.2.* -vv
三、fping
-a 只显示存活主机
-u 只显示相反的参数
-g 支持主机段的方式 192.168.1.1 192.168.1.255 192.168.1.0/24
-f 读取文件里面的 IP 进行 ping。
ping 192.168.88.111 到 192.168.88.132, 并显示存活主机:
# fping -a -g 192.168.88.111 192.168.88.132
读取文件里的 IP 进行 ping, 并显示不存活主机:
# fping -u -f ./ip_list.txt
***************************************************************************************
小白科普:
ICMP: 当传送 IP 数据包发生错误--比如主机不可达等等, ICMP 协议会把错误信息封包, 然后传送回给主机。
给主机一个处理错误的机会, 这也就是为什么说建立在 IP 层以上的协议是可能做到安全的原因。
ICMP 数据包由 8bit 的错误类型和 8bit 的代码和 16bit 的校验和组成。而前 16bit 就组成了 ICMP 所要传递的信
息。
Ping: 给我们一个看主机到目的主机的路由的机会。这是因为, ICMP 的 ping 请求数据报在每经过一个路由器的
时候, 路由器都会把自己的 ip 放到该数据报中。而目的主机则会把这个 ip 列表复制到回应 icmp 数据包中发回给
主机。但是, 无论如何, ip 头所能纪录的路由列表是非常的有限。
Traceroute: 首先给目的主机发送一个 TTL=1(IP 协议)的 UDP 数据包, 而经过的第一个路由器收到这个数据包
以后, 就自动把 TTL 减 1, 而 TTL 变为 0 以后, 路由器就把这个包给抛弃了, 并同时产生一个主机不可达的 ICMP 数
据报给主机。主机收到这个数据报以后再发一个 TTL=2 的 UDP 数据报给目的主机, 然后刺激第二个路由器给主机
发 ICMP 数据报。如此往复直到到达目的主机。这样, traceroute 就拿到了所有的路由器 ip。从而避开了 ip 头只
能记录有限路由 IP 的问题。
***************************************************************************************