nmap is a tool that every system administrator should use unto themselves before someone else does the same unto them.
nmap's primary idea, like with all port scanners, is to find out what TCP/UDP ports are available on a target host - in other words, what services the target host is running. This can be used for good (seeing that you aren't running any unexpected stuff) or bad (seeing if someone else has l33t ports open).
(sKr1pT k1dd13z probably like this tool so much that there's even an output switch, -oS, to output results in l33tsp3ak...)
Why is this tool important?
It makes securing your machine much easier - it shows what your computer looks like from the host you run it on. Run it on localhost, see what services you have. Run it on another host outside your firewall, see what it looks like from there. It's an invaluable tool for making your firewall more secure.
nmap is my favorite because it can see stuff so clearly - it is the most feature-packed port scanner out there. It's also GPLed.
Here's an example that shows what my own home machine runs:
# nmap -sT xxx.xxx.xxx.xxx | less
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on xxxx.xxxx.xxxxxx.fi (xxx.xxx.xxx.xxx):
(The 1021 ports scanned but not shown below are in state: filtered)
(Also removed zillions of ports listed as "closed" =)
Port State Service
22/tcp open ssh
80/tcp open http
2001/tcp open dc
Nmap run completed -- 1 IP address (1 host up) scanned in 334 seconds
As indicated above, my own machine runs an ssh server (so I can connect from elsewhere), a web server (for display of uncontrolled ugliness), and another server on port 2001 - which turns out to be Alicebot. (Since then, I've limited SSH to certain addresses and closed Alicebot...)
However, when I run nmap on my own machine, the results are quite different:
nighthowl:~$ nmap -sT localhost
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1531 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
25/tcp open smtp
80/tcp open http
119/tcp open nntp
631/tcp open cups
2001/tcp open dc
2002/tcp open globe
3128/tcp open squid-http
6000/tcp open X11
8081/tcp open blackice-icecap
8082/tcp open blackice-alerts
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
So I have successfully closed
- Postfix (It's only for local delivery and outgoing mail)
- Noffle (I can only read my own cached copy of Usenet groups)
- CUPS (Only I can print to my printer, no one else from the internet =)
- Alicebot control port (Only I can shut her down)
- Squid (so no one else can get to my web cache)
- X11 (so only I can draw stuff to my screen...)
- Freenet FProxy (Go set up your own node if you want to leech stuff from Freenet...)
using iptables - and believe me, without nmap, I would probably forget to do that.
I can heartily recommend this program to any Linux newbie. Point it at your own machine, get a nice long list of ports, and if the first thought that crosses your mind isn't "How the heck do I close them all?", it should be.
It should be run periodically (preferably always after installing something) from some other host, to see that you're not running any services you're unaware of.
(Surprisingly many Linux setups still have sun rpc stuff open by default...)
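As an added example (not part of the original writeup), here is a small Python script that does the comparison described above automatically: it parses the classic nmap text output shown here, diffs the scan from outside against the scan of localhost, and flags anything reachable from the internet that is not on an allow-list. The allow-list (ports 22 and 80) is an assumption for the example, and the two scan texts are constructed from the writeup's own output.

```python
import re

# Constructed sample input: the two scans quoted in the writeup (nmap 2.54 text output).
REMOTE_SCAN = """Interesting ports on xxxx.xxxx.xxxxxx.fi (xxx.xxx.xxx.xxx):
Port State Service
22/tcp open ssh
80/tcp open http
2001/tcp open dc
"""
LOCAL_SCAN = """Interesting ports on localhost (127.0.0.1):
Port State Service
22/tcp open ssh
25/tcp open smtp
80/tcp open http
119/tcp open nntp
631/tcp open cups
2001/tcp open dc
2002/tcp open globe
3128/tcp open squid-http
6000/tcp open X11
8081/tcp open blackice-icecap
8082/tcp open blackice-alerts
"""
# Services this host is meant to offer to the whole internet (an assumption for the example).
ALLOWED = {("tcp", 22), ("tcp", 80)}
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")

def open_ports(scan_text):
    """Return {(proto, port): service} for every line nmap reports as open."""
    found = {}
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            found[(m.group(2), int(m.group(1)))] = m.group(3)
    return found

def audit(remote_text, local_text, allowed=ALLOWED):
    """Compare a scan from outside with a scan of localhost. Returns (unexpected, local_only):
    ports reachable from outside but not allow-listed, and ports answering only on localhost."""
    remote, local = open_ports(remote_text), open_ports(local_text)
    unexpected = {k: v for k, v in remote.items() if k not in allowed}
    local_only = {k: v for k, v in local.items() if k not in remote}
    return unexpected, local_only

if __name__ == "__main__":
    bad, hidden = audit(REMOTE_SCAN, LOCAL_SCAN)
    for (proto, port), svc in sorted(bad.items()):
        print(f"EXPOSED and not allowed: {port}/{proto} ({svc})")
    for (proto, port), svc in sorted(hidden.items()):
        print(f"local only (firewalled): {port}/{proto} ({svc})")
```

Run against the writeup's scans it reports port 2001 (Alicebot) as exposed but not allowed, which is exactly the finding the text describes; in practice you would feed it the saved output of two real nmap runs.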
In closing, I'd like to say that some other security tools complement nmap nicely: Nessus is good for finding out if you have Really Common Vulnerabilities in your system...