Nmap is a powerful scanning and auditing utility that can help
diagnose problems with systems, particularly in terms of firewall settings. With
nmap, you can determine whether or not your firewall rules are working as they should,
make sure you've got everything locked down the way you want it, and so forth. Every
Linux distribution comes with nmap; it's too indispensable not to.

To do a quick scan of a remote host, use:

# nmap -sT host

This will execute a TCP connect() port scan on the remote host
and report on open ports. A similar scan is the -sS option, which does a TCP SYN ("stealth")
port scan; this scan requires root privileges because it sends raw packets. It accomplishes roughly
the same thing as -sT, but because the TCP handshake is never completed, there
is less of a chance that applications on the remote system will log the connection.

Other features include using the -O option to tell nmap to try to determine the remote operating
system by fingerprinting it using various techniques.

You can also do "sweep" scans by telling nmap a
range of IPs to scan, which can be a great way of determining which IPs are being
used by which hosts. For instance:

# nmap -sP '192.168.0.*'

This will do a quick ping scan to determine whether any of the IPs
in the range are in use, and will report those
that respond to pings.

Another option is to use the -sV option, which will attempt to obtain version numbers for
applications on any open ports:

# sudo nmap -sV remote.host.com
Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2006-02-28 15:08 MST
Interesting ports on remote.host.com (
(The 1652 ports scanned but not shown below are in state: closed)
21/tcp   open  ftp     ProFTPD 1.2.9
22/tcp   open  ssh     OpenSSH 3.6.1p2 (protocol 1.99)
25/tcp   open  smtp    Exim smtpd 4.43
111/tcp  open  rpcbind 2 (rpc #100000)
804/tcp  open  rpc
1000/tcp open  status  1 (rpc #100024)
1022/tcp open  ssh     OpenSSH 3.6.1p2 (protocol 1.99)
2049/tcp open  nfs     2-4 (rpc #100003)
6002/tcp open  X11:2?
6003/tcp open  X11:3?
6667/tcp open  irc?
Nmap run completed -- 1 IP address (1 host up) scanned in 107.364 seconds

As you can see, nmap is quite versatile and extremely useful
for helping determine what information about your system is publicly accessible
from a remote host.
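The practical use of the -sV output above is to check that only the ports you intended to expose are actually reachable. The following added example (not part of the original article, and not nmap's own code) parses the plain-text port table nmap printed, compares the open TCP ports against an allowlist of expected port-to-service mappings, and reports unexpected, mismatched and missing services; the sample output is a constructed, trimmed copy of the scan shown above.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample: a trimmed copy of the -sV output shown in the article.
SAMPLE_OUTPUT = """\
Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2006-02-28 15:08 MST
Interesting ports on remote.host.com (
(The 1652 ports scanned but not shown below are in state: closed)
21/tcp   open  ftp     ProFTPD 1.2.9
22/tcp   open  ssh     OpenSSH 3.6.1p2 (protocol 1.99)
25/tcp   open  smtp    Exim smtpd 4.43
111/tcp  open  rpcbind 2 (rpc #100000)
2049/tcp open  nfs     2-4 (rpc #100003)
6667/tcp open  irc?
Nmap run completed -- 1 IP address (1 host up) scanned in 107.364 seconds
"""

class PortInfo(NamedTuple):
    port: int
    proto: str
    state: str
    service: str   # nmap appends "?" when the service name is only a guess
    version: str   # empty when -sV could not identify a version

# One port-table line: "<port>/<proto>  <state>  <service>  [<version text>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_ports(text: str) -> List[PortInfo]:
    """Extract every port-table row; banner and summary lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append(PortInfo(int(m.group(1)), m.group(2), m.group(3),
                                  m.group(4), m.group(5).strip()))
    return ports

def audit(text: str, allowed: Dict[int, str]) -> Dict[str, list]:
    """Compare open TCP ports with an allowlist {port: expected service}.
    'unexpected': open ports not in the allowlist (firewall should block them);
    'mismatch':   allowed ports serving something other than expected;
    'missing':    allowed ports that the scan did not find open."""
    result = {"unexpected": [], "mismatch": [], "missing": []}
    seen = set()
    for p in parse_ports(text):
        if p.state != "open" or p.proto != "tcp":
            continue
        seen.add(p.port)
        if p.port not in allowed:
            result["unexpected"].append(p)
        elif p.service.rstrip("?") != allowed[p.port]:
            result["mismatch"].append(p)
    result["missing"] = sorted(port for port in allowed if port not in seen)
    return result
```

Run it against the real output of "nmap -sV host" saved to a file, with the allowlist reflecting what your firewall policy says should be reachable; anything in "unexpected" is a rule that is not doing its job.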
