A simple script to identify suspicious VMs on your cloud

Operating an Openstack cloud infrastructure is not a trivial task which requires constant oversight of the use of the cloud resources. Sophisticated monitoring is necessary to ensure that the system continues to operate properly and delivers satisfactory performance to the users. One aspect of monitoring a cloud infrastructure pertains to ensuring that the system exposes a minimal attack surface: this means ensuring that a minimum amount of the system is exposed, particularly ports on public IP addresses. We are developing a basic set of monitoring and administration tools, one of which focuses on identifying VMs that may be too exposed. Here, we provide a brief description of this tool.

We developed a python based tool which was inspired by the popular and well known NMap – in fact, it uses the python nmap library which provides essentially the same functions as the nmap tool, except that it is straightforward to integrate into a python script. The python script scans a given range and for each address in the range, identifies which ports are open. The output of this process is then filtered: VMs which have standard open ports (eg ssh and https) are removed and only those VMs which have less standard open ports remain. This information is then combined with information from Openstack nova (user, tenant and VM name) to give the administrator some greater context with which to determine whether the VM is doing as it should, or could be posing a security risk. The output is written in json and we have it emailed to the administrators via cron job every night.

It’s a modest contribution, but does make the job of monitoring your cloud infrastructure less onerous.

The script is available on Github under the Apache license; you just have to modify the openstack credentials variables and the IP range you want to monitor. In case you want to archive the results it is also possible set up a cron task which runs the script every day.

Leave a Reply

Your email address will not be published. Required fields are marked *