|
|
@@ -0,0 +1,77 @@
|
|
|
+
|
|
|
+# TCP investigation script
|
|
|
+
|
|
|
+**A bash script to get information about active TCP connections.**
|
|
|
+
|
|
|
+Some relevant key features:
|
|
|
+
|
|
|
+* The script lists the **TCP connections established** at the time it runs.
|
|
|
+* For each connection, it shows some statistics about the process involved, for example the **bytes read and written** by the process.
|
|
|
+* Regarding the process involved, it lists the **files and folders opened** by the process itself.
|
|
|
+* The information obtained is then processed into an **HTML report**, which is sent via **email**.
|
|
|
+* The script is **portable** and can run on any **GNU/Linux** system running [curl](https://curl.se/).
|
|
|
+
|
|
|
+## Screenshots
|
|
|
+
|
|
|
+
|
|
|
+
|
|
|
+Example of report displayed in Claws Mail.
|
|
|
+
|
|
|
+## Install
|
|
|
+
|
|
|
+### Requirements
|
|
|
+
|
|
|
+* **net-tools**: NET-3 networking toolkit
|
|
|
+* **lsof**: Utility to list open files
|
|
|
+* **sysstat**: system performance tools for Linux
|
|
|
+* **dos2unix**: convert text file line endings between CRLF and LF
|
|
|
+* **curl**: command line tool for transferring data with URL syntax
|
|
|
+
|
|
|
+### Get the code
|
|
|
+
|
|
|
+You can use **git**.
|
|
|
+
|
|
|
+ git clone https://git.lattuga.net/netico/code-library.git
|
|
|
+
|
|
|
+And then look for the script **tcp-investigation.sh**.
|
|
|
+
|
|
|
+### Post installation
|
|
|
+
|
|
|
+Fill in these **configuration variables**, which you can find in the very first part of the script:
|
|
|
+
|
|
|
+ # Sender
|
|
|
+ SENDER="someone@domain.tld"
|
|
|
+ # Recipient
|
|
|
+ RECIPIENT="someone.else@domain.tld"
|
|
|
+ # Mail relay URL
|
|
|
+ RELAY="smtp://powerful.mail.server:587"
|
|
|
+
|
|
|
+If the mail server you have chosen to use requires **SMTP authentication**, you must enter the credentials in **/root/.netrc**. Read [this page](https://everything.curl.dev/usingcurl/netrc) carefully to learn how to do this.
|
|
|
+
|
|
|
+## Usage
|
|
|
+
|
|
|
+The script requires **root privileges**. Run
|
|
|
+
|
|
|
+ sudo ./tcp-investigation.sh
|
|
|
+
|
|
|
+...and wait for the email report.
|
|
|
+
|
|
|
+## Hacking
|
|
|
+
|
|
|
+### Sending e-mail messages
|
|
|
+
|
|
|
+Sending e-mail in a shell environment is not as easy as it sounds. It is even more complicated to send HTML instead of plain text. **mutt** and some versions of **mailx** support sending HTML, but require a working mail server.
|
|
|
+
|
|
|
+To work around these problems, the script attempts to build a standards-compliant message so that it can be passed to a **Sendmail** wrapper (there are wrappers for **Exim**, **Postfix**, **qmail**) or [sent by **curl](https://everything.curl.dev/usingcurl/smtp) (also read [Using curl to send email](https://stackoverflow.com/questions/14722556/using-curl-to-send-email)).
|
|
|
+
|
|
|
+Some recommended reading on email message format: [RFC822](https://datatracker.ietf.org/doc/html/rfc822), [RFC2822](https://www.rfc-editor.org/rfc/rfc2822).
|
|
|
+
|
|
|
+If you want to use the local email system, find the line that invokes **curl**
|
|
|
+
|
|
|
+ curl -s -n --ssl-reqd ...
|
|
|
+
|
|
|
+comment it out, and add something similar
|
|
|
+
|
|
|
+ cat $MSG | /usr/lib/sendmail -t
|
|
|
+
|
|
|
+Otherwise, use **curl**, which however must be configured (as explained) and requires a valid email account and an external mail server (the same one you would use in **Thunderbird** or other MUAs).
|
netico
