Skip to content
/ tifoon Public

Tifoon is an open network ports monitoring application with HTML email and PDF reporting capabilities

License

Notifications You must be signed in to change notification settings

jonfryd/tifoon

Repository files navigation

Java 8 License: MIT Build Status

Tifoon: Open Network Ports Monitoring

This is an attempt to create an application in Java which can effectively monitor and audit open ports in networks of host machines/devices by comparing consecutive scans against a known "good" baseline.

Open services/ports is a significant security threat, which is why monitoring what ports are open and exposed makes it easier to manage this risk and stay alert if something change. This could potentially indicate that a host has been compromised by a trojan/worm, although there could be many benign reasons for such an event, of course.

Currently Tifoon relies on the world class nmap port scanner from which it reads the output, as well as a diff algorithm using JaVers for determining changes to open ports reported in a concise, easy to read manner.

Features

  • Scan a configurable list of networks via nmap for open TCP, UDP and SCTP ports
  • Runs periodic scans using either a local nmap install or Docker (nmap image downloaded automatically)
  • Determine exact changes compared to a configurable baseline
  • Save scan results as YAML or JSON files
  • HTML and PDF report generation
  • Report e-mailing (HTML mails with optional PDF attachment)
  • Optionally pass additional custom arguments to port scanner (e.g. '--defeat-icmp-ratelimit --defeat-rst-ratelimit' for faster UDP and TCP SYN scanning)
  • NEW: Report when the input network configuration has changed (via a hash)
  • NEW: UDP and SCTP protocol scanning

Building

JDK 8 and Maven 3 is required to build Tifoon from command line.

Clone the repository and execute Maven from the root directory:

$ git clone https://github.com/jonfryd/tifoon
$ cd tifoon/
$ mvn clean install

This will build all required modules, installs them in the local Maven repository and create a ZIP file in the tifoon-app/target subdirectory for distribution. If desired, copy the distro to another directory elsewhere on your system and extract it there.

Usage

Ensure you have some flavor of Java 8 Runtime Environment installed before proceeding. Oracle's JRE and OpenJDK have been tested on Windows, Linux and Mac OS X.

Also, either of the following is a prerequisite to perform any port scanning:

  1. A local install of nmap
  2. A working local Docker installation (Tifoon will pull and use an nmap container image automatically)

From command line, Tifoon can be extracted from the ZIP archive and launched via three simple steps:

$ unzip tifoon-app-1.0.2-dist.zip
$ cd tifoon-app-1.0.2/
$ ./run_tifoon.sh

With Tifoon's factory network configuration the local host (IP address 127.0.0.1) is completely TCP scanned every hour. For the second and later scans, the result is automatically checked ("diffed") against the initial scan for any changes compared to the baseline and the specific changes are reported.

This behaviour can, of course, be adjusted to include any number of networks and hosts as described in the configuration section below.

Scans and diffs are saved to the scans/ folder (gets created automatically when needed). YAML output is the current default, but JSON is supported, as well.

A log file tifoon.log is maintained, as well, which contains all standard output produced by Tifoon for auditing and debugging purposes. Sample output:

2017-03-21 17:13:03.800  INFO 35803 --- [Launcher.main()] com.elixlogic.tifoon.TifoonApp           : Starting TifoonApp on imac.jonf with PID 35803 (/Users/jon/Source/tifoon/tifoon-app/target/classes started by jon in /Users/jon/Source/tifoon/tifoon-app)
2017-03-21 17:13:03.804  INFO 35803 --- [Launcher.main()] com.elixlogic.tifoon.TifoonApp           : No active profile set, falling back to default profiles: default
2017-03-21 17:13:18.079  INFO 35803 --- [Launcher.main()] com.elixlogic.tifoon.TifoonApp           : Started TifoonApp in 15.239 seconds (JVM running for 33.741)
2017-03-21 17:13:18.087  INFO 35803 --- [pool-4-thread-1] c.e.t.a.schedulers.PortScanScheduler     : Scanning...
2017-03-21 17:13:18.102  INFO 35803 --- [pool-4-thread-1] c.e.t.d.s.s.impl.PortScannerServiceImpl  : Performing port scan against: Jons network
2017-03-21 17:13:18.116  INFO 35803 --- [pool-4-thread-1] c.e.tifoon.plugin.ProcessExecutorPlugin  : Executing process: [nmap -oX nmap_scan_result_855c46d7-4f92-4c2e-b07e-70edbed56bb1.xml -p 0-1023 127.0.0.1 192.168.84.34]
2017-03-21 17:13:28.495  INFO 35803 --- [pool-4-thread-1] e.t.d.s.s.i.PortScannerFileIOServiceImpl : Loading file: scans/port_scanner_report_20170321_155933.yml
2017-03-21 17:13:28.545  INFO 35803 --- [pool-4-thread-1] e.t.d.s.s.i.PortScannerFileIOServiceImpl : Port scan result loaded.
2017-03-21 17:13:28.660  WARN 35803 --- [pool-4-thread-1] c.e.t.a.schedulers.PortScanScheduler     : One or more changes DETECTED!
2017-03-21 17:13:28.661  INFO 35803 --- [pool-4-thread-1] c.e.t.a.schedulers.PortScanScheduler     : Saving report.
2017-03-21 17:13:28.684  INFO 35803 --- [pool-4-thread-1] e.t.d.s.s.i.PortScannerFileIOServiceImpl : Saving file: scans/port_scanner_report_20170321_171318.yml
2017-03-21 17:13:28.715  WARN 35803 --- [pool-4-thread-1] .t.d.s.s.i.PortScannerLoggingServiceImpl : Change #1 -> Network ids with changes: [Jons network]
2017-03-21 17:13:28.719  WARN 35803 --- [pool-4-thread-1] .t.d.s.s.i.PortScannerLoggingServiceImpl : Change #2 -> Hosts with open port changes: networkId=Jons network, hosts=[127.0.0.1]
2017-03-21 17:13:28.720  WARN 35803 --- [pool-4-thread-1] .t.d.s.s.i.PortScannerLoggingServiceImpl : Change #3 -> Ports no longer open: networkId=Jons network, host=127.0.0.1, protocol=TCP, ports=[88 (kerberos)]
2017-03-21 17:13:28.721  INFO 35803 --- [pool-4-thread-1] e.t.d.s.s.i.PortScannerFileIOServiceImpl : Saving file: scans/port_scanner_report_20170321_155933_diff_20170321_171318.yml
2017-03-21 17:13:28.734  INFO 35803 --- [pool-4-thread-1] c.e.t.a.schedulers.PortScanScheduler     : Scanning completed.

Tifoon runs forever until stopped (CTRL + C) or killed. It might be a good idea to launch Tifoon within a Linux/UNIX screen so it runs in the background in a way that is detached from your terminal.

TCP SYN stealth scanning is used by default when executing Tifoon with root privileges on Unix, Linux and Mac OS X. Unprivileged execution results in TCP connect() scanning being used, which generates more "noise" in log files. Run Tifoon as root if this is an issue. Note that root is required anyway for UDP or SCTP scanning.

It is also possible to run the application directly with Maven's Exec plugin. From the root of the cloned GIT project:

$ cd tifoon-app/
$ mvn exec:java

Configuration

Three configuration files are used to define the behaviour of Tifoon. All files are in YAML format and should be easy to modify with any text editor. These files are loaded once and for all startup. Config changes while the application is running are not detected.

config/application.yml

Defines the behaviour of the application. The config file includes a comment at the end of each property line which briefly explains the purpose of each option. The output format can be set to either YAML or JSON, nmap can be executed by either local process or Docker, and a number of options controls how Tifoon deals with the baseline, like whether it is created on the initial scan or loaded from a previous scan file.

This is a Spring Boot application which means that Tifoon inherits a bunch of customisation options. One example is related to logging and you will see a few properties related to logging already exposed, namely the name of the log file and log levels for various packages.

config/network.yml

This is list of networks and hosts to be monitored. Each network consists of an arbitrary number of host addresses (i.e. DNS host names or IP addresses), and the set of ports to be scanned for every host in this network. Example:

- networkId: LAN
  addresses:
    - rasputin.mylan
    - 192.168.0.2
  ports:
    - A:20-25
    - T:153
    - TCP:400-450
    - U:900-999
    - SCTP:20

This configuration defines TCP, UDP and SCTP ports 20 to 25, TCP port 153, TCP ports 400-450, UDP ports 900 to 999 and SCTP port 20 being scanned on the target hosts "rasputin.mylan" and 192.168.0.2. The supported protocol prefixes are:

  • "T" and "TCP" (TCP)
  • "U" and "UDP" (UDP)
  • "S" and "SCTP" (SCTP)
  • "A" and "ALL" (implies all protocols will be scanned on the specified ports, i.e. TCP, UDP and SCTP)

If a host name (instead of an IP address) is provided for any host, the IP address is resolved on startup by DNS lookup on startup (resolution is final and not redone on consecutive scan).

Target hosts might exist on the same actual physical network, but Tifoon allows grouping hosts into several logical networks if so desired.

Ranges of hosts in CIDR or IP interval notation can not be specified, yet.

config/docker.yml

This config file is only used when the docker command executor enabled. It specifies how commands for scanner plugins (currently only nmap is supported) are mapped to Docker containers. A default mapping specifies a fallback container image to be used if no mapping is found in the customImages list.

Design

Tifoon is based on an open source technologies, domain-driven design, a flexible core and designed with extendability in mind by programming against abstractions. Plugins for I/O, scanning and command execution are created as Spring Boot "uber jars", loaded and registered on startup from files in the plugins subdirectory via a special class loader. This approach is preferred over "shaded jars" in order to avoid making license infringements.

3rd party libraries used

Tifoon stands on the shoulders of giants. The key libraries used are:

Check the pom.xml files for an exhaustive list.

Acknowledgements

Thanks to the open source community for sharing their work with the world. More power to you guys!

Also, big props to JetBrains for making the wonderful IntelliJ IDEA Community available to developers for free, making Java coding productive and a lot of fun.

TODO

Tifoon is production ready in terms of critical features, but I do have some additional ideas for how this baby might grow in the future:

  • Support for specifying ranges of hosts
  • Define pre-defined sets of "top ports" for fast scanning of the most critical services
  • IPv6 support
  • Banner grabbing and OS detection
  • Optionally save scans and diffs to a database instead of as local files (JPA mapping is done already)
  • Add the option of defining sets of ports which can be easily referred to in scan targets
  • Alternative scanner plugins, e.g. Robert David Graham's masscan looks like an excellent addition
  • REST web application
  • A proper frontend (AngularJS?)

How to contribute

All contributions are greatly appreciated; i.e. bug reports, feature suggestions, grammar corrections, whatever.

You are welcome to tag along for the ride by creating pull-requests, but please keep these common sense coding guidelines in mind:

  • Clean, maintainable and readable code, please
  • Embrace the beauty of simplicity in design
  • Think in terms of generic solutions
  • Try to apply well-known design principles and patterns where applicable
  • Write testable code and unit tests for critical functionality

We want to ensure robust software, which relies on reasonable defaults and behaves in ways that are "unsurprising" to the general audience.

Author

This application created by Jon Frydensbjerg - email: [email protected]