{"id":8085,"date":"2015-05-04T13:32:28","date_gmt":"2015-05-04T11:32:28","guid":{"rendered":"http:\/\/blog.zhaw.ch\/icclab\/?p=8085"},"modified":"2015-05-04T13:59:43","modified_gmt":"2015-05-04T11:59:43","slug":"a-simple-script-to-identify-suspicious-vms-on-your-cloud","status":"publish","type":"post","link":"https:\/\/blog.zhaw.ch\/icclab\/a-simple-script-to-identify-suspicious-vms-on-your-cloud\/","title":{"rendered":"A simple script to identify suspicious VMs on your cloud"},"content":{"rendered":"<p>Operating an <a href=\"http:\/\/www.openstack.org\/\">OpenStack<\/a> cloud infrastructure is not a trivial task; it requires constant oversight of how the cloud resources are used. Sophisticated monitoring is necessary to ensure that the system continues to operate properly and delivers satisfactory performance to the users. One aspect of monitoring a cloud infrastructure is ensuring that the system exposes a minimal attack surface: as little of the system as possible should be exposed, particularly ports on public IP addresses. We are developing a basic set of monitoring and administration tools, one of which focuses on identifying VMs that may be too exposed. Here, we provide a brief description of this tool.<\/p>\n<p>We developed a Python-based tool inspired by the popular and well-known <a href=\"http:\/\/nmap.org\/\">Nmap<\/a>; in fact, it uses the <a href=\"http:\/\/xael.org\/norman\/python\/python-nmap\/\">python-nmap<\/a> library, which provides essentially the same functions as the nmap tool but is straightforward to integrate into a Python script. The script scans a given address range and, for each address in the range, identifies which ports are open. The output of this process is then filtered: VMs which have only standard open ports (e.g. ssh and https) are removed, and only those VMs which have less standard open ports remain. 
This information is then combined with information from <a href=\"https:\/\/wiki.openstack.org\/wiki\/Nova\">OpenStack Nova<\/a> (user, tenant and VM name) to give the administrator more context with which to determine whether the VM is doing as it should or could be posing a security risk. The output is written as JSON, and we have it emailed to the administrators by a cron job every night.<\/p>\n<p>It\u2019s a modest contribution, but it does make the job of monitoring your cloud infrastructure less onerous.<\/p>\n<p>The <a href=\"https:\/\/github.com\/icclab\/openstack_operations\/blob\/master\/NMap\/nmap_vms.py\">script<\/a> is available on GitHub under the <a href=\"http:\/\/www.apache.org\/licenses\/LICENSE-2.0.html\">Apache license<\/a>; you just have to modify the OpenStack credential variables and the IP range you want to monitor. If you want to archive the results, it is also possible to set up a <a href=\"http:\/\/en.wikipedia.org\/wiki\/Cron\">cron<\/a> task which runs the script every day.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Operating an OpenStack cloud infrastructure is not a trivial task; it requires constant oversight of how the cloud resources are used. Sophisticated monitoring is necessary to ensure that the system continues to operate properly and delivers satisfactory performance to the users. 
One aspect of monitoring a cloud infrastructure pertains to ensuring that the system exposes [&hellip;]<\/p>\n","protected":false},"author":92,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[1],"tags":[],"features":[],"class_list":["post-8085","post","type-post","status-publish","format-standard","hentry","category-allgemein"],"yoast_head_json":{"title":"A simple script to identify suspicious VMs on your cloud - Service Engineering (ICCLab &amp; SPLab)","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.zhaw.ch\/icclab\/a-simple-script-to-identify-suspicious-vms-on-your-cloud\/","og_locale":"en_US","og_type":"article","og_title":"A simple script to identify suspicious VMs on your cloud","og_description":"Operating an Openstack cloud infrastructure is not a trivial task which requires constant oversight of the use of the cloud resources. Sophisticated monitoring is necessary to ensure that the system continues to operate properly and delivers satisfactory performance to the users. 
One aspect of monitoring a cloud infrastructure pertains to ensuring that the system exposes [&hellip;]","og_url":"https:\/\/blog.zhaw.ch\/icclab\/a-simple-script-to-identify-suspicious-vms-on-your-cloud\/","og_site_name":"Service Engineering (ICCLab &amp; SPLab)","article_published_time":"2015-05-04T11:32:28+00:00","article_modified_time":"2015-05-04T11:59:43+00:00","author":"Sean Murphy","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Sean Murphy","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.zhaw.ch\/icclab\/a-simple-script-to-identify-suspicious-vms-on-your-cloud\/#article","isPartOf":{"@id":"https:\/\/blog.zhaw.ch\/icclab\/a-simple-script-to-identify-suspicious-vms-on-your-cloud\/"},"author":{"name":"Sean Murphy","@id":"https:\/\/blog.zhaw.ch\/icclab\/#\/schema\/person\/c87a6eef7e1f4a152aeec5f8b9527b8d"},"headline":"A simple script to identify suspicious VMs on your cloud","datePublished":"2015-05-04T11:32:28+00:00","dateModified":"2015-05-04T11:59:43+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.zhaw.ch\/icclab\/a-simple-script-to-identify-suspicious-vms-on-your-cloud\/"},"wordCount":342,"commentCount":0,"articleSection":["*.*"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/blog.zhaw.ch\/icclab\/a-simple-script-to-identify-suspicious-vms-on-your-cloud\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/blog.zhaw.ch\/icclab\/a-simple-script-to-identify-suspicious-vms-on-your-cloud\/","url":"https:\/\/blog.zhaw.ch\/icclab\/a-simple-script-to-identify-suspicious-vms-on-your-cloud\/","name":"A simple script to identify suspicious VMs on your cloud - Service Engineering (ICCLab &amp; 
SPLab)","isPartOf":{"@id":"https:\/\/blog.zhaw.ch\/icclab\/#website"},"datePublished":"2015-05-04T11:32:28+00:00","dateModified":"2015-05-04T11:59:43+00:00","author":{"@id":"https:\/\/blog.zhaw.ch\/icclab\/#\/schema\/person\/c87a6eef7e1f4a152aeec5f8b9527b8d"},"breadcrumb":{"@id":"https:\/\/blog.zhaw.ch\/icclab\/a-simple-script-to-identify-suspicious-vms-on-your-cloud\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.zhaw.ch\/icclab\/a-simple-script-to-identify-suspicious-vms-on-your-cloud\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.zhaw.ch\/icclab\/a-simple-script-to-identify-suspicious-vms-on-your-cloud\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Startseite","item":"https:\/\/blog.zhaw.ch\/icclab\/"},{"@type":"ListItem","position":2,"name":"A simple script to identify suspicious VMs on your cloud"}]},{"@type":"WebSite","@id":"https:\/\/blog.zhaw.ch\/icclab\/#website","url":"https:\/\/blog.zhaw.ch\/icclab\/","name":"Service Engineering (ICCLab &amp; SPLab)","description":"A Blog of the ZHAW Zurich University of Applied Sciences","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.zhaw.ch\/icclab\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.zhaw.ch\/icclab\/#\/schema\/person\/c87a6eef7e1f4a152aeec5f8b9527b8d","name":"Sean 
Murphy","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/4514cb0ddfe236fd05d5ddb715bc19e1e1e35dafa16bb1b911e6094d278211d6?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/4514cb0ddfe236fd05d5ddb715bc19e1e1e35dafa16bb1b911e6094d278211d6?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4514cb0ddfe236fd05d5ddb715bc19e1e1e35dafa16bb1b911e6094d278211d6?s=96&d=mm&r=g","caption":"Sean Murphy"},"url":"https:\/\/blog.zhaw.ch\/icclab\/author\/murp\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.zhaw.ch\/icclab\/wp-json\/wp\/v2\/posts\/8085","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.zhaw.ch\/icclab\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.zhaw.ch\/icclab\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.zhaw.ch\/icclab\/wp-json\/wp\/v2\/users\/92"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.zhaw.ch\/icclab\/wp-json\/wp\/v2\/comments?post=8085"}],"version-history":[{"count":9,"href":"https:\/\/blog.zhaw.ch\/icclab\/wp-json\/wp\/v2\/posts\/8085\/revisions"}],"predecessor-version":[{"id":8109,"href":"https:\/\/blog.zhaw.ch\/icclab\/wp-json\/wp\/v2\/posts\/8085\/revisions\/8109"}],"wp:attachment":[{"href":"https:\/\/blog.zhaw.ch\/icclab\/wp-json\/wp\/v2\/media?parent=8085"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.zhaw.ch\/icclab\/wp-json\/wp\/v2\/categories?post=8085"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.zhaw.ch\/icclab\/wp-json\/wp\/v2\/tags?post=8085"},{"taxonomy":"features","embeddable":true,"href":"https:\/\/blog.zhaw.ch\/icclab\/wp-json\/wp\/v2\/features?post=8085"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}