Tuesday, 28 October 2014

Linux socket monitor - monitor network sockets

Earlier, I used to monitor network connections of my linux machine using netstat and ss utilities. Recently, I came across "Linux socket monitor"(LSM) utility from R-fx networks (https://www.rfxn.com/) and installed it on my PC.

"Linux socket monitor(LSM)" monitors network sockets on Linux machines and will send you a mail whenever any changes occur.e.g. on web server you have opened the following ports:

 apache:80
 ssh:22

When you suddenly see a new listening port, you have to be suspicious. It could be either due to:
  • a new service has been configured and installed
  • the server got infected by a malicious script and that in turn opens a new network socket.

This is where linux socket monitor comes in picture. It records a 'baseline' so it knows what are the connections that are normally open and notifies you when a new network socket is opened.

The installation of linux network monitor is simple. Please follow the given steps on linux machine console:
[root@psj ~]# wget -c http://www.rfxn.com/downloads/lsm-current.tar.gz
[root@psj ~]# tar -xzvf lsm-current.tar.gz
[root@psj ~]# cd lsm-0.6/
[root@psj lsm-0.6]# ./install.sh
.: LSM installed
Install path:    /usr/local/lsm
Config path:     /usr/local/lsm/conf.lsm
Executable path: /usr/local/sbin/lsm
LSM version 0.6 <lsm@r-fx.org>
Copyright (C) 2004, R-fx Networks
              2004, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL

generated base comparison files
[root@psj ~]# vim /usr/local/lsm/conf.lsm

Change e-mail address to receive notification:
USER="email@mymail.com"    # Alert email address

LSM uses cron and runs every 10 minutes. So, every 10 minutes, your system will be watched for any new network sockets.

LSM can be extended to include process information and more details are available here - http://www.dynamicnet.net/2012/09/extending-linux-socket-monitor/





Monday, 27 October 2014

Snort compilation errors - error while loading shared libraries: libdnet.1: and libsfbpf.so.0 error

While compiling snort source, you will often encounter the following errors:

 error while loading shared libraries: libdnet.1:

Do this to get rid of the error:


#cp /usr/local/lib/libdnet.1.0.1 /usr/local/lib/libdnet.so.1.0.1
#/sbin/ldconfig

If this does not help, try this:
#ln -sf /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
#/sbin/ldconfig

If that still does not help,
#LD_LIBRARY_PATH=/usr/local/lib
#export LD_LIBRARY_PATH

Another error that is encountered is:

error while loading shared libraries:
libsfbpf.so.0: cannot open shared object file: No such file or directory


To get rid of this error, do:
#/sbin/ldconfig

If this does not help, add '/usr/local/lib' to '/etc/ld.so.conf'

Finally, test the snort instance:
#snort -c /etc/snort.conf -T

These solutions have been tested on CentOS/SL variants and they work well.

Reference links:
http://seclists.org/snort/2014/q1/221

Monday, 20 October 2014

How do I configure inactivity timeout for PuTTy client

Recently, I got flummoxed by the error - "Network error: Connection timed out" for my PuTTy client and finally, solved the issue after a bit of google search. If you happen to be in similar situation, the following set of instructions can be used to set in-activity timeout for PuTTy client.

  1. Open PuTTy application windows and navigate to the Options panel.
  2. Select Connection
  3. On right side of the panel, you will see option fields such as "Sending of null packets to keep sesssion active", "Low-level TCP connection options" etc.
  4. In the field - "Sending null packets to keep session active", change the default value from 0 to say, 1800 (30 minutes)
  5. Also, Check the Enable TCP keepalives (SO_KEEPALIVE option) check box. This option may not be available in the older versions of the PuTTY client.
  6. Then, select Session from the left hand menu.
    1. For all new sessions:
      1. Select "Default settings" in "Load,save or delete a stored sessions pane"
      2. Select "Save"   
    2. For a new session with a particular host:
      1. In the Host Name (or IP Address) field, enter the destination hostname.
      2. In the Saved Sessions box enter a name for the session.
      3. Select Save
If you have access to the server, you can configure ClientAliveInterval, TCPKeepAlive and ClientAliveCountMax options in the ssh configuration file which normally resides in /etc/ssh/sshd_config

ClientAliveInterval 30
TCPKeepAlive yes
ClientAliveCountMax 99999

Do not forget to restart the SSH server for the changes to take effect.

# /etc/init.d/sshd restart