Hi guys, I’ve decided to write up a brief series of articles on how you can monitor your Linux box and check whether it has been compromised. This guide will be brief, straight to the point and geared towards beginner Linux users. It will also state some of the best practices and some good prevention methods that can be used to reduce the security risk of your Linux box.
Note: This guide will be generic and applicable to all Linux distros. I will not bother going into the details on how you can install a particular utility for your distro since there are probably a thousand distros out there. Also the commands that are meant to be executed in terminal are written in bold letters and enclosed in quotes.
First of all, security is a pretty broad term, and there are many aspects to it, so it’s not practical for me to cover everything in a single guide. Thus I’ll just focus on the important parts and assume that you are at least comfortable with the command-line and know the basics of Linux. So, let’s get started.
So first of all we need to monitor our network since from a security perspective, it’s the first thing that comes to mind when we think about a computer connected to the Internet. We have several command-line utilities that can be used, I’ll just stick to some of my favorites for now.
1) Closing unused services/ports and scanning with Nmap
Nmap is an excellent tool to scan our own computer. We can see what ports and services are open, and whether there are any back-doors listening for remote connections. Install nmap from your package manager, and keep reading.
We can do a basic scan on our own computer by typing the following commands below.
To scan for open ports type: “sudo nmap -sS -p 1-65535 -v localhost”
To scan for services running on open ports, type: “sudo nmap -A -p 1-65535 -v localhost”
The commands above scan for open ports and services; you should see something like this:
Note that in my case there are two open ports: 631 and 10000.
The service ipp is “Internet Printing Protocol” which is used for printing related tasks; I can leave that open since occasionally I do use a printer, etc.
As for port 10000, it’s a firewall (Shorewall Firewall) running with a front-end called “Webmin”. Webmin and Shorewall firewall are a great combination that maybe you should check out, but for now we’ll just skip that part.
Once you’re done with the scan, you may find a lot of services like cups, avahi-daemon, etc. running on your system. There’s no need to start panicking right now, since some of them are usually installed by default on distros like Ubuntu. If you’re not using a particular service, I would definitely recommend that you remove it since it may pose a security risk in the future.
Consult your distro’s documentation or do a quick search on Google to find out how you can add/remove services specific to your distro. Again for knowing what a particular service is related to and whether you should consider removing it, Google is your best friend.
Let me give an example related to Sabayon Linux (Gentoo based distro):
To remove a service: “rc-update del <service name> default”
To add a new service: “rc-update add <service name> default”
For example if you want to remove avahi-daemon, you can type: “rc-update del avahi-daemon default”
Also in case you want to directly add/remove a particular service you can do something like this:
# Command below lists the scripts/services that are available, not necessarily active
# The command below stops a particular service – cupsd
Note that the “stop” keyword stops the service you can also use other keywords like “status” or “start” to check the status and start the service respectively.
Obviously I expect you to have root level privileges to successfully carry out the commands.
Closing unused services and open-ports can dramatically reduce the security risk of your Linux box. The more services and open ports you have running, the greater the risk of a security breach.
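One way to make the scan above repeatable is to keep an allowlist of the ports you have reviewed (631 and 10000 in my case) and flag anything else nmap reports as open. The script below is an added example and not part of the original post; the nmap output it parses is a constructed sample (including a made-up extra port 4444), and scan_localhost is a hypothetical wrapper that needs nmap and root to actually run.

```shell
#!/bin/sh
# Constructed sample of "nmap -sS -p 1-65535 localhost" output, not a real scan.
SAMPLE_SCAN='Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000010s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE
631/tcp   open  ipp
10000/tcp open  snet-sensor-mgmt
4444/tcp  open  krb524

Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds'

# Ports you have reviewed and deliberately keep open (the two from the post).
EXPECTED_PORTS="631 10000"

# open_ports: print every port number nmap reports as open, one per line.
# Only "NNN/tcp open ..." or "NNN/udp open ..." lines are considered.
open_ports() {
    printf '%s\n' "$1" | awk '$2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ { split($1, a, "/"); print a[1] }'
}

# unexpected_ports: print the open ports that are not in the allowlist.
unexpected_ports() {
    scan="$1"; allow="$2"
    open_ports "$scan" | while read -r port; do
        case " $allow " in
            *" $port "*) ;;               # reviewed port, ignore
            *) printf '%s\n' "$port" ;;   # not on the list, report it
        esac
    done
}

# scan_localhost: hypothetical wrapper around the real scan (needs nmap and sudo).
scan_localhost() {
    sudo nmap -sS -p 1-65535 localhost
}

# report: human-readable summary; pass "$(scan_localhost)" for a live check.
report() {
    unexpected="$(unexpected_ports "$1" "$2")"
    if [ -n "$unexpected" ]; then
        echo "Open ports not in your allowlist (look up what is listening on them):"
        printf '  %s\n' $unexpected
    else
        echo "No unexpected open ports."
    fi
}

report "$SAMPLE_SCAN" "$EXPECTED_PORTS"
```

Run it from cron after each change to your services so a newly listening port shows up as a diff against the list you already reviewed.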
This concludes the tutorial for today, and I have decided to write the entire guide in parts since I don’t have the time to write everything in a day. If this guide interests you then consider subscribing to my blog through RSS or email, whichever is convenient. The next part will focus on the network (we still have a lot to talk about) and I’ll discuss other network monitoring tools, so see you soon!