Earlier, I used to monitor network connections of my linux machine using netstat and ss utilities. Recently, I came across "Linux socket monitor"(LSM) utility from R-fx networks (https://www.rfxn.com/) and installed it on my PC.
"Linux socket monitor(LSM)" monitors network sockets on Linux machines and will send you a mail whenever any changes occur.e.g. on web server you have opened the following ports:
apache:80
ssh:22
When you suddenly see a new listening port, you have to be suspicious. It could be either due to:
This is where linux socket monitor comes in picture. It records a 'baseline' so it knows what are the connections that are normally open and notifies you when a new network socket is opened.
The installation of linux network monitor is simple. Please follow the given steps on linux machine console:
[root@psj ~]# wget -c http://www.rfxn.com/downloads/lsm-current.tar.gz
[root@psj ~]# tar -xzvf lsm-current.tar.gz
[root@psj ~]# cd lsm-0.6/
[root@psj lsm-0.6]# ./install.sh
.: LSM installed
Install path: /usr/local/lsm
Config path: /usr/local/lsm/conf.lsm
Executable path: /usr/local/sbin/lsm
LSM version 0.6 <lsm@r-fx.org>
Copyright (C) 2004, R-fx Networks
2004, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL
generated base comparison files
[root@psj ~]# vim /usr/local/lsm/conf.lsm
Change e-mail address to receive notification:
USER="email@mymail.com" # Alert email address
LSM uses cron and runs every 10 minutes. So, every 10 minutes, your system will be watched for any new network sockets.
LSM can be extended to include process information and more details are available here - http://www.dynamicnet.net/2012/09/extending-linux-socket-monitor/
"Linux socket monitor(LSM)" monitors network sockets on Linux machines and will send you a mail whenever any changes occur.e.g. on web server you have opened the following ports:
apache:80
ssh:22
When you suddenly see a new listening port, you have to be suspicious. It could be either due to:
- a new service has been configured and installed
- the server got infected by a malicious script and that in turn opens a new network socket.
This is where linux socket monitor comes in picture. It records a 'baseline' so it knows what are the connections that are normally open and notifies you when a new network socket is opened.
The installation of linux network monitor is simple. Please follow the given steps on linux machine console:
[root@psj ~]# wget -c http://www.rfxn.com/downloads/lsm-current.tar.gz
[root@psj ~]# tar -xzvf lsm-current.tar.gz
[root@psj ~]# cd lsm-0.6/
[root@psj lsm-0.6]# ./install.sh
.: LSM installed
Install path: /usr/local/lsm
Config path: /usr/local/lsm/conf.lsm
Executable path: /usr/local/sbin/lsm
LSM version 0.6 <lsm@r-fx.org>
Copyright (C) 2004, R-fx Networks
2004, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL
generated base comparison files
[root@psj ~]# vim /usr/local/lsm/conf.lsm
Change e-mail address to receive notification:
USER="email@mymail.com" # Alert email address
LSM uses cron and runs every 10 minutes. So, every 10 minutes, your system will be watched for any new network sockets.
LSM can be extended to include process information and more details are available here - http://www.dynamicnet.net/2012/09/extending-linux-socket-monitor/