How to Install LSM (Linux Socket Monitor)

LSM (Linux Socket Monitor) is a valuable tool that monitors network sockets on a Linux server, sending notifications whenever changes occur. For example, on a web server, you typically have a few listening ports in active states, such as:

  • Apache: TCP 80
  • SSH: TCP 22
  • MySQL: TCP 3306
  • FTP: TCP 21
  • SMTP: TCP 25
  • POP3: TCP 110

You might also have other applications listening on various ports. If your Linux server suddenly has a new listening port established, it could indicate one of two scenarios:

1. You started a service that opened a new network socket.

2. Your server has possibly been infected with a script that spawned a malicious service and opened a new network socket.

In the case of an infection, it's crucial to be notified about any new services running on your server. That's where LSM comes into play: it essentially establishes a 'baseline' of the network sockets that are normally open and alerts you when a new socket has been established.
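
The baseline-and-compare idea described above, as an added example (not LSM's own code and not part of the original article): a shell function compares two snapshots of listening TCP sockets in `netstat -lntp` format and prints only the new ones. The function names and sample data are constructed, and dropping the PID from the comparison key is a choice made here so that a restarted service is not reported as new.

```sh
#!/bin/sh
# Added example: baseline-and-compare for listening TCP sockets.
# Not LSM's own code; function names and sample data are constructed.

# Print "proto local_address program" for each LISTEN line in CURRENT that
# has no match in BASELINE. The PID is left out of the key so a restarted
# service (same port, new PID) is not reported as a new socket.
new_listeners() {   # usage: new_listeners BASELINE_FILE CURRENT_FILE
    awk '
        $6 != "LISTEN" { next }                 # skip headers and non-listeners
        {
            n = split($7, p, "/")               # $7 is "PID/program", or "-"
            key = $1 " " $4 " " (n > 1 ? p[2] : "-")
        }
        # FILENAME (not FNR == NR) keeps an empty baseline file working.
        FILENAME == ARGV[1] { base[key] = 1; next }
        !(key in base) && !seen[key]++ { print key }
    ' "$1" "$2"
}

# Constructed sample snapshots; on a live host they would come from
# `netstat -lntp` run as root at two different times.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/baseline" <<'EOF'
tcp        0      0 0.0.0.0:22                 0.0.0.0:*                   LISTEN      1201/sshd
tcp        0      0 0.0.0.0:80                 0.0.0.0:*                   LISTEN      1530/httpd
tcp        0      0 127.0.0.1:3306             0.0.0.0:*                   LISTEN      1444/mysqld
EOF
    cat > "$dir/current" <<'EOF'
tcp        0      0 0.0.0.0:22                 0.0.0.0:*                   LISTEN      9912/sshd
tcp        0      0 0.0.0.0:80                 0.0.0.0:*                   LISTEN      1530/httpd
tcp        0      0 127.0.0.1:3306             0.0.0.0:*                   LISTEN      1444/mysqld
tcp        0      0 0.0.0.0:8447               0.0.0.0:*                   LISTEN      32574/autoinstaller
EOF
    new_listeners "$dir/baseline" "$dir/current"
    rm -rf "$dir"
}

demo
```

Only the listener on port 8447 is reported; the restarted sshd keeps its port and is treated as unchanged.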

Let's go through the installation process for LSM, starting with downloading the latest version:

[root@VPS1 ~]# wget http://www.rfxn.com/downloads/lsm-current.tar.gz

Let’s extract that file:

[root@VPS1 ~]# tar -xzvf lsm-current.tar.gz

Now, let’s change into the extracted folder:

[root@VPS1 ~]# cd lsm-0.6/

Now, we only have to run the install.sh installation script:

[root@VPS1 lsm-0.6]# ./install.sh 
.: LSM installed
Install path:    /usr/local/lsm
Config path:     /usr/local/lsm/conf.lsm
Executable path: /usr/local/sbin/lsm
LSM version 0.6 <lsm@r-fx.org>
Copyright (C) 2004, R-fx Networks
              2004, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL

generated base comparison files

Before we receive any notifications, we need to edit the config file and enter our e-mail address:

[root@VPS1 ~]# vim /usr/local/lsm/conf.lsm

By default, you will find the following line:

USER="root"    # Alert email addresses

We’ll change this to the e-mail address where we want to receive notifications. It should look like this:

USER="email@mymailaddress.com"    # Alert email addresses

LSM uses a cron job that runs every 10 minutes. Here’s what the cron file looks like:

[root@VPS1 lsm]# vim /etc/cron.d/lsm 
*/10 * * * * root /usr/local/sbin/lsm -c >> /dev/null 2>&1

Every 10 minutes, the script runs, and when it finds a new network socket, it will notify you. The e-mails that you receive will look like this:

This is an automated alert generated from VPS1.RMCS.LOCAL This alert is to
notify the addressed users of new server sockets. New server sockets can
indicate server-software that has been started on your host, or otherwise
be an indication to malicious activity. It is advised to review this alert
and investigate if needed.

Following is a summary of new Internet Server Sockets:
> tcp        0      0 0.0.0.0:8447               0.0.0.0:*                   LISTEN      32574/autoinstaller

Following is a summary of a new Unix Domain Sockets:
no changes to Unix Domain Sockets

Above, you see that this machine has started a new server on TCP port 8447. This time it’s legit because it’s an auto installer that Plesk uses. When you see a port that you don’t recognize, it’s time to research it!

I hope this has been helpful to you. If you have any questions, just leave a comment!

Happy LSM'ing!


About the Author

I'm Aevon...Just a gal with an insane passion for all things cybersecurity. 17 years in the industry and still love what I'm doing.
