LSM (Linux Socket Monitor) monitors network sockets on a linux server and sends you a notification when changes occur. For example on a webserver you probably have just a couple of listening ports like:
- Apache: TCP 80
- SSH: TCP 22
- MySQL: TCP 3306
- FTP: TCP 21
- SMTP: TCP 21
- POP3: TCP 110
And perhaps some other applications…when your linux server suddenly has a new listening port, two things could have happened:
- You started a service that opened a network socket.
- Your server got infected with a script that spawned a malicious service that starts a network socket.
When your server gets infected and suddenly runs a new service you probably want to know about it…that’s what LSM is about. It will record a ‘baseline’ so it knows what network sockets are normally open and notifies you when a new network socket is opened.
Let me demonstrate how to install LSM and show you what the notifications look like. First we’ll download the latest version:
[root@VPS1 ~]# wget http://www.rfxn.com/downloads/lsm-current.tar.gz
Let’s extract that file:
[root@VPS1 ~]# tar -xzvf lsm-current.tar.gz
Let’s open that folder:
[root@VPS1 ~]# cd lsm-0.6/
Now we only have to run the install.sh installation script:
[root@VPS1 lsm-0.6]# ./install.sh .: LSM installed Install path: /usr/local/lsm Config path: /usr/local/lsm/conf.lsm Executable path: /usr/local/sbin/lsm LSM version 0.6 <firstname.lastname@example.org> Copyright (C) 2004, R-fx Networks 2004, Ryan MacDonald This program may be freely redistributed under the terms of the GNU GPL generated base comparison files
Before we receive any notifications we need to edit the config file and enter our e-mail address:
[root@VPS1 ~]# vim /usr/local/lsm/conf.lsm
By default you will find the following line:
USER="root" # Alert email addresses
We’ll change this to the e-mail address where we want to receive notifications. It should look like this:
USER="email@example.com" # Alert email addresses
LSM uses cron to run every 10 minutes, here’s what the cron file looks like:
[root@VPS1 lsm]# vim /etc/cron.d/lsm
*/10 * * * * root /usr/local/sbin/lsm -c >> /dev/null 2>&1
Every 10 minutes the script runs and when it finds a new network socket it will notify you. The e-mails that you receive will look like this:
This is an automated alert generated from VPS1.RMCS.LOCAL This alert is to notify the addressed users of new server sockets. New server sockets can indicate server-software that has been started on your host, or otherwise be an indication to malicious activity. It is advised to review this alert and investigate if needed. Following is a summary of new Internet Server Sockets: > tcp 0 0 0.0.0.0:8447 0.0.0.0:* LISTEN 32574/autoinstaller Following is a summary of a new Unix Domain Sockets: no changes to Unix Domain Sockets
Above you see that this machine has started a new server on TCP port 8447. This time it’s legit because it’s an autoinstaller that Plesk uses. When you see a port that you don’t recognize it’s time to research it!
I hope this has been helpful to you, if you have any questions just leave a comment!