It is also useful to use ss – another utility …

Thursday, 28th March 2024

Comment on rkhunter, chkrootkit and unhide three Linux handy tools to find out if a Linux server is compromised by admin.

It is also useful to use ssanother utility to investigate sockets together with netstat. ss just dumps socket statistics.
Some sample use of ss:

# ss -lp
# ss -l | grep 1048


ss tool is part of iproute package which also contains ip command/

admin Also Commented

rkhunter, chkrootkit and unhide three Linux handy tools to find out if a Linux server is compromised
Here is more ss usage examples:

ss -t -a
Display all TCP sockets.

ss -u -a
Display all UDP sockets.

ss -o state established ‘( dport = :ssh or sport = :ssh )’
Display all established ssh connections.

ss -x src /tmp/.X11-unix/*
Find all local processes connected to X server.

ss -o state fin-wait-1 ‘( sport = :http or sport = :https )’ dst 193.233.7/24
List all the tcp sockets in state FIN-WAIT-1 for our apache to network 193.233.7/24 and look at their timers.


rkhunter, chkrootkit and unhide three Linux handy tools to find out if a Linux server is compromised
To Auto kill hidden processes with ‘unhide’

for P in `unhide sys | grep -v “*” | grep -i HIDEEN | cut -f2 -d’:’ | awk ‘{print $1}’`; do kill -9 $P; done;


rkhunter, chkrootkit and unhide three Linux handy tools to find out if a Linux server is compromised
To display all listening ports on a machine with ss:

# ss -l
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:spamd *:*
LISTEN 0 128 :::imap2 :::*
LISTEN 0 128 *:sunrpc *:*
LISTEN 0 511 *:www *:*
LISTEN 0 20 *:ssmtp *:*
LISTEN 0 128 *:46962 *:*
LISTEN 0 5 :::ftp :::*
LISTEN 0 20 *:domain *:*
LISTEN 0 128 *:munin *:*
LISTEN 0 128 :::ssh :::*
LISTEN 0 128 *:ssh *:*
LISTEN 0 128 *:8022 *:*
LISTEN 0 512 *:8888 *:*
LISTEN 0 20 *:smtp *:*
LISTEN 0 128 :::2207 :::*
LISTEN 0 128 *:2207 *:*
LISTEN 0 128 :::imaps :::*
LISTEN 0 512 *:9001 *:*
LISTEN 0 50 127.0.0.1:mysql *:*


Recent Comments by admin

Install and configure rkhunter for improved security on a PCI DSS Linux / BSD servers with no access to Internet
       –rwo, –report-warnings-only
              This option causes only warning messages to be displayed. This can be useful when rkhunter is run via cron. Other options may
              be used to force other items of information to be displayed.

       –sk, –skip-keypress
              When  the  –check command option is used, after certain sections of tests, the user will be prompted to press the return key
              in order to continue. This option disables that feature, and rkhunter will run until all the tests have completed.

         


Install and configure rkhunter for improved security on a PCI DSS Linux / BSD servers with no access to Internet
As rkhunter check, can be pretty annoying and ask you to press keypresses multiple times and spit you a lot of unnecessery data a very good useful option arguments are:

–rwo and –sk

# rkhunter -c –rwo –sk
Warning: The SSH and rkhunter configuration options should be the same:
         SSH configuration option 'PermitRootLogin': yes
         Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no


Fix eth changing network interface names from new Linux naming scheme ens, eno, em1 to legacy eth0, eth1, eth2 on CentOS Linux

Sorry for really late reply.

perhaps you have to create it or rename the ifcfg-eno1 to ifcfg-eth1 or you have some old ifcfg-enp1s0f0 or ifcfg-eno still under /etc/sysconfig/network-scripts/ interfering


How to RPM update Hypervisors and Virtual Machines running Haproxy High Availability cluster on KVM, Virtuozzo without a downtime on RHEL / CentOS Linux
if you happen to be missing versionlock plugin and you need to get use of it

yum versionlock capabilities

You will have to install yum-utils package:

For example on CentOS 8 Linux, to enable the yum versionlock plugiun

yum install yum-utils.noarch


How to log every Linux executed command by every running system program to separte log via rsyslog for better server Security and audit trails

In case if by default log is not configured for snoopy,
these are default output locations on various Linux distributions:

Distribution Snoopy output location Notes
CentOS /var/log/secure  
Debian /var/log/auth.log  
Ubuntu /var/log/auth.log  
(others) /var/log/messages (potentially, could be elsewhere)

Share this on:

Comments are closed.