portscanyourself.sh

#!/bin/sh
# This is a script that checks to see if the open ports on a host are what you expect them to be.
# If your firewall isn't doing what it's supposed to, it will post a message to Slack to alert you.
# Intended to be run as a cron job.
#
# Requires nmap to be installed
#
# Invoke as
#  ./portscanyourself example.com 80 443
# To alert you if any ports other than 80 and 443 are listening on a host
# By default it scans the top 1000 ports. To scan all ports do
#./portscanyourself -all-ports example.com 80 443

SLACK_WEBHOOK="xxx" # Your slack webhook here!

while getopts "f:" opt; do
  case $opt in
    f)
      cat $2 | xargs -n 1 ./portscanyourself.sh
      exit
      ;;
    \?)
      echo "Invalid option: -$OPTARG" >&2
      ;;
  esac
done

PORTS_FLAG="-p-"
HOST=$1

DESIRED_PORTS=$(printf '%s\n' "$@" | sort | tr '\n' ' ')

function scanHost {
  OPEN_PORTS=$(nmap -open-ports $PORTS_FLAG $HOST | grep "^[0-9].*open" | sed 's/^\([0-9][0-9]*\).*$/\1/' | sort | tr '\n' ' ')

  if [ "$OPEN_PORTS" = "$DESIRED_PORTS" ]
  then
    echo "All good"
  else
    curl -X POST --data-urlencode "payload={'username': 'portscanyourself', 'text': 'Firewall rule mismatch on $HOST Open Ports (${OPEN_PORTS% }) do not match desired ports (${DESIRED_PORTS% })', 'icon_url': 'https://appcanary.com/assets/appcanary.rect-379a1b2e906a1dd3cd807f2d64b48d4520f17efbb05649deefd0513682208080.png'}" $SLACK_WEBHOOK
  fi
}

echo "Scanning all ports on $HOST"
scanHost $HOST

An improvement of the script at https://blog.appcanary.com/2017/improve-security-port-scan-yourself.html

By passing -f it will take a file listing of hosts
Normally will take a single host