LSM (Linux Socket Monitor) monitors network sockets on a Linux server and sends you a notification when changes occur. For example, on a webserver, you probably have just a couple of listening ports like:
- Apache: TCP 80
- SSH: TCP 22
- MySQL: TCP 3306
- FTP: TCP 21
- SMTP: TCP 21
- POP3: TCP 110
And perhaps some other applications…when your Linux server suddenly has a new listening port, two things could have happened:
- You started a service that opened a network socket.
- Your server got infected with a script that spawned a malicious service that starts a network socket.
When your server gets infected and suddenly runs a new service you probably want to know about it…that’s what LSM is about. It will record a ‘baseline’ so it knows what network sockets are normally open and notifies you when a new network socket is opened.
Let me demonstrate how to install LSM and show you what the notifications look like. First, we’ll download the latest version:
[root@VPS1 ~]# wget http://www.rfxn.com/downloads/lsm-current.tar.gz
Let’s extract that file:
[root@VPS1 ~]# tar -xzvf lsm-current.tar.gz
Let’s open that folder:
[root@VPS1 ~]# cd lsm-0.6/
Now we only have to run the install.sh installation script:
[root@VPS1 lsm-0.6]# ./install.sh
.: LSM installed
Install path: /usr/local/lsm
Config path: /usr/local/lsm/conf.lsm
Executable path: /usr/local/sbin/lsm
LSM version 0.6 <lsm@r-fx.org>
Copyright (C) 2004, R-fx Networks
2004, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL
generated base comparison files
Before we receive any notifications, we need to edit the config file and enter our e-mail address:
[root@VPS1 ~]# vim /usr/local/lsm/conf.lsm
By default, you will find the following line:
USER="root" # Alert email addresses
We’ll change this to the e-mail address where we want to receive notifications. It should look like this:
USER="email@mymailaddress.com" # Alert email addresses
LSM uses a cron to run every 10 minutes. Here’s what the cron file looks like:
[root@VPS1 lsm]# vim /etc/cron.d/lsm
*/10 * * * * root /usr/local/sbin/lsm -c >> /dev/null 2>&1
Every 10 minutes, the script runs, and when it finds a new network socket, it will notify you. The e-mails that you receive will look like this:
This is an automated alert generated from VPS1.RMCS.LOCAL This alert is to
notify the addressed users of new server sockets. New server sockets can
indicate server-software that has been started on your host, or otherwise
be an indication to malicious activity. It is advised to review this alert
and investigate if needed.
Following is a summary of new Internet Server Sockets:
> tcp 0 0 0.0.0.0:8447 0.0.0.0:* LISTEN 32574/autoinstaller
Following is a summary of a new Unix Domain Sockets:
no changes to Unix Domain Sockets
Above, you see that this machine has started a new server on TCP port 8447. This time it’s legit because it’s an auto installer that Plesk uses. When you see a port that you don’t recognize, it’s time to research it!
I hope this has been helpful to you, if you have any questions just leave a comment!