Your IP : 52.15.42.61
#!/bin/bash
################################
# check iptables for open port #
# #
# Created by Bogdan Kukharskiy #
# Namecheap #
################################
# This script is for testing IPTABLES if the specified port is open (with the possibility to exclude users)
#
# Usage: "check_openport.sh [-x eXclude users(can be as a list separated by ',')] -p Port to check"
#
# Returns the Nagios native status codes:
# Nagios Status
# 0 = OK (Specified port is NOT open or opened only for users from excluded list)
# 1 = WARNING NO Warning states
# 2 = CRITICAL (Specified port is OPENED, additionally shows users list OR specified port is not closed globally)
# 3 = UNKNOWN (Wrong usage)
#
# Speed optimized version
# Declaring arrays
DEFAULT_EXCLUDE_ARRAY=('root' 'cpanel' 'mailman' 'mailnull')
EXCLUDE_ARRAY=()
PORTS_ARRAY=()
OPEN_PORTS=()
UNPRIV_PORTS=()
## USAGE MESSAGE
usage() {
cat << EOF
usage: $0 options
This script is for testing IPTABLES if the specified port(s) is(are) open (with the possibility to exclude users).
Default excluded users: ${DEFAULT_EXCLUDE_ARRAY[@]}
OPTIONS:
-h Show this message
-x eXclude users (optional, string (can be as a list separated by ',')
-p Ports to check, integer number (can be as a list separated by ','), mandatory parameter
EOF
}
# Generate a mapping of UID to username
declare -A UID_TO_USERNAME
while IFS=: read -r uid username; do
UID_TO_USERNAME["$uid"]="$username"
done < <(getent passwd)
function check_open_ports() {
# let's check if the requested port is opened for someone (in ACCEPT dest)
IS_ACCEPT=0
for ARRSTR in "${ACCSTR_ARRAY[@]}"; do
#PORTSTR=$(echo "$ARRSTR" | awk '{split($0,array,"--dports|--dport")} END{print array[2]}' | awk '{print$1}')
IFS=' ' read -ra array <<< "${ARRSTR}" unset IFS
array_index=0
PORTSTR=""
OWNER=""
for a in "${array[@]}"; do
if [[ ${a} =~ "--dport" ]]; then
PORTSTR=${array[array_index+1]}
fi
if [[ ${a} =~ "id-owner" ]]; then
OWNER=${array[array_index+1]}
fi
array_index=$((array_index+1))
done
if [[ ${#OWNER} -ne 0 ]]; then #owner of the rule is not empty
if [[ $OWNER =~ ^[0-9]+$ ]]; then #if iptables returned number uid
# OWNER=$(id -u -n $OWNER 2>/dev/null)
OWNER="${UID_TO_USERNAME[$OWNER]}"
fi
if [[ ${PORTSTR} == *":"* ]]; then #result contains ":" what means we have to check the range of ports
RANGESTART=$(echo "${PORTSTR}" | cut -d":" -f1)
RANGEEND=$(echo "${PORTSTR}" | cut -d":" -f2)
if ((PORT >= RANGESTART && PORT <= RANGEEND)); then
if ! [[ "${EXCLUDE_ARRAY[@]}" =~ ${OWNER} ]]; then #checking that user is NOT in excluded array
ALLOWED_ARRAY+=("${OWNER}") #adding to array
IS_ACCEPT=1
fi
fi;
elif [[ ${PORTSTR} =~ ${RX} ]]; then
if ! [[ "${EXCLUDE_ARRAY[@]}" =~ ${OWNER} ]]; then #checking that user is NOT in excluded array
ALLOWED_ARRAY+=("${OWNER}") #adding to array
IS_ACCEPT=1
fi
fi
fi
done
if [[ ${IS_ACCEPT} -eq 1 ]]; then
return 5
fi
# let's check if the requested port is closed totally (in REJECTED dest)
for REJECTSTR in "${REJECTSTR_ARRAY[@]}"; do
#PORTSTR=$(echo "$REJECTSTR" | awk '{split($0,array,"--dports|--dport")} END{print array[2]}' | awk '{print$1}')
IFS=' ' read -ra rarray <<< "${REJECTSTR}" unset IFS
array_index=0
PORTSTR=""
for a in "${rarray[@]}"; do
if [[ ${a} =~ "--dport" ]]; then
PORTSTR=${rarray[array_index+1]}
break
else
array_index=$((array_index+1))
fi
done
if [[ ${PORTSTR} == *":"* ]]; then #result contains ":" what means we have to check the range of ports
RANGESTART=$(echo "${REJECTSTR}" | cut -d":" -f1)
RANGEEND=$(echo "${REJECTSTR}" | cut -d":" -f2)
if ((PORT >= RANGESTART && PORT <= RANGEEND)); then
#OK, the port is blocked globally (at least in the REJECTed range ${REJECTSTR})
return 0
fi;
elif [[ ${PORTSTR} =~ ${RX} ]]; then
#OK, the port is blocked globally (at least in the REJECTed array ${RESULTSTR})
return 0
fi
done
return 1
}
## FETCH ARGUMENTS
while getopts ":hx:p:" OPTION; do
case "${OPTION}" in
h)
usage
exit 3
;;
x)
IFS=, read -r -a EXCLUDE_ARRAY <<< "$OPTARG" unset IFS
;;
p)
IFS=, read -r -a PORTS_ARRAY <<< "$OPTARG" unset IFS
;;
?)
usage
exit 3
;;
*) echo "No reasonable options found!"
exit 3
;;
esac
done
## CHECK ARGUMENTS
if ! [[ ${#PORTS_ARRAY[@]} -eq 0 ]]; then
for PORT in "${PORTS_ARRAY[@]}"; do
if [ -z "${PORT}" ] || ! [[ ${PORT} =~ ^[0-9]+$ ]] ; then
usage
exit 3
fi
done
else
usage
exit 3
fi
## MAIN ROUTINE
EXCLUDE_ARRAY=("${DEFAULT_EXCLUDE_ARRAY[@]}" "${EXCLUDE_ARRAY[@]}") #combine default exclude array with readed
IPTABLES_OUTPUT=$(iptables -S)
RESULTSTR=$(echo "${IPTABLES_OUTPUT}" |grep -i "\-j REJECT")
if [ -z "${RESULTSTR}" ]; then
echo "No REJECTs were found in IPTABLES"
exit 2
fi
RESULTSTR=$(echo "${IPTABLES_OUTPUT}" |grep -i "\-j ACCEPT")
if [ -z "${RESULTSTR}" ]; then
echo "No ACCEPTs were found in IPTABLES"
exit 2
fi
REJECTSTR_ARRAY=()
ACCSTR_ARRAY=()
# Loop through the iptables output and filter relevant rules
while read -r line; do
if [[ $line == *"-j REJECT"* && $line == *"dport"* ]]; then
REJECTSTR_ARRAY+=("$line")
elif [[ $line == *"-j ACCEPT"* && $line == *"dport"* ]]; then
ACCSTR_ARRAY+=("$line")
fi
done <<< "${IPTABLES_OUTPUT}"
if [[ ${#REJECTSTR_ARRAY[@]} -eq 0 ]]; then
echo "No destination ports in REJECTs were found in IPTABLES"
exit 2
elif [[ ${#ACCSTR_ARRAY[@]} -eq 0 ]]; then
echo "No destination ports in ACCEPTs were found in IPTABLES"
exit 2
fi
UNPRIV_DATA="CRITICAL! Unprivileged users with opened: "
for PORT in "${PORTS_ARRAY[@]}"; do
ALLOWED_ARRAY=()
RX="^${PORT}$|^${PORT},|,${PORT}$|,${PORT},"
check_open_ports "${PORT}"
RESULT=$?
if [[ "${RESULT}" -eq 1 ]]; then
OPEN_PORTS+=("${PORT}")
elif [[ "${RESULT}" -eq 5 ]]; then
UNPRIV_PORTS+=("${PORT}")
USERS=$(echo "${ALLOWED_ARRAY[@]}" | tr ' ' ,)
UNPRIV_DATA+="port: ${PORT} - ${USERS}. "
unset ALLOWED_ARRAY
fi
done
if ! [[ "${#UNPRIV_PORTS[@]}" -eq 0 ]]; then
echo "${UNPRIV_DATA}"
exit 2
elif ! [[ ${#OPEN_PORTS[@]} -eq 0 ]]; then #some ports are not blocked globally (not in any of REJECTs)
echo "CRITICAL! Ports ${OPEN_PORTS[*]} are NOT blocked globally (not in any of REJECTs)"
exit 2
else #there are no common users who have specified port opened and port is blocked globally
echo "OK! Ports ${PORTS_ARRAY[*]} are closed globally and opened only for privileged users:"
echo "${EXCLUDE_ARRAY[@]}"
exit 0
fi