How to Install LSM (Linux Socket Monitor)

LSM (Linux Socket Monitor) monitors network sockets on a linux server and sends you a notification when changes occur. For example on a webserver you probably have just a couple of listening ports like:

  • Apache: TCP 80
  • SSH: TCP 22
  • MySQL: TCP 3306
  • FTP: TCP 21
  • SMTP: TCP 21
  • POP3: TCP 110

And perhaps some other applications…when your linux server suddenly has a new listening port, two things could have happened:

  • You started a service that opened a network socket.
  • Your server got infected with a script that spawned a malicious service that starts a network socket.

When your server gets infected and suddenly runs a new service you probably want to know about it…that’s what LSM is about. It will record a ‘baseline’ so it knows what network sockets are normally open and notifies you when a new network socket is opened.

Let me demonstrate how to install LSM and show you what the notifications look like. First we’ll download the latest version:

[root@VPS1 ~]# wget http://www.rfxn.com/downloads/lsm-current.tar.gz

Let’s extract that file:

[root@VPS1 ~]# tar -xzvf lsm-current.tar.gz

Let’s open that folder:

[root@VPS1 ~]# cd lsm-0.6/

Now we only have to run the install.sh installation script:

[root@VPS1 lsm-0.6]# ./install.sh 
.: LSM installed
Install path:    /usr/local/lsm
Config path:     /usr/local/lsm/conf.lsm
Executable path: /usr/local/sbin/lsm
LSM version 0.6 <lsm@r-fx.org>
Copyright (C) 2004, R-fx Networks
              2004, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL

generated base comparison files

Before we receive any notifications we need to edit the config file and enter our e-mail address:

[root@VPS1 ~]# vim /usr/local/lsm/conf.lsm

By default you will find the following line:

USER="root"    # Alert email addresses

We’ll change this to the e-mail address where we want to receive notifications. It should look like this:

USER="email@mymailaddress.com"    # Alert email addresses

LSM uses cron to run every 10 minutes, here’s what the cron file looks like:

[root@VPS1 lsm]# vim /etc/cron.d/lsm 
*/10 * * * * root /usr/local/sbin/lsm -c >> /dev/null 2>&1

Every 10 minutes the script runs and when it finds a new network socket it will notify you. The e-mails that you receive will look like this:

This is an automated alert generated from VPS1.RMCS.LOCAL This alert is to
notify the addressed users of new server sockets. New server sockets can
indicate server-software that has been started on your host, or otherwise
be an indication to malicious activity. It is advised to review this alert
and investigate if needed.

Following is a summary of new Internet Server Sockets:
> tcp        0      0 0.0.0.0:8447               0.0.0.0:*                   LISTEN      32574/autoinstaller

Following is a summary of a new Unix Domain Sockets:
no changes to Unix Domain Sockets

Above you see that this machine has started a new server on TCP port 8447. This time it’s legit because it’s an autoinstaller that Plesk uses. When you see a port that you don’t recognize it’s time to research it!

I hope this has been helpful to you, if you have any questions just leave a comment!