16.11 Monitoring Port Usage

Crackers usually break into a system in one of three ways: by finding an error in the system's configuration (frequently incorrect permissions), by cracking passwords, or by finding a vulnerability in privileged software (usually servers). They recognize that many of these security holes will be fixed in short order, so they leave behind Trojan horses that are less likely to be discovered.

A Trojan horse in, say, su (which is set-UID to root) or ls (which root will invoke sooner or later) depends on something else happening before it pays off. In the first case, a compromised su program depends on the cracker having long-term access to an ordinary account from which to invoke it. On large systems this might be a good reason to require passwords to be changed periodically (with exceptions for users with good passwords and careful handling of them). A compromised ls might require waiting for root to invoke it.

Today's cracker tools are more sophisticated. They could compromise a daemon supplying a network service. Thus, a cracker simply contacts it via an appropriate client and is in your system instantly! A vigilant SysAdmin can detect this. A common technique is to start a Trojan program listening on an otherwise unused port and counting on your not noticing. Even the typical laptop might have 20 ports in use at any given time, and an active server might have hundreds.

The solution is to be familiar with what services should be running and to check frequently for what services are running. Either netstat or ports, discussed in "Turn Off Unneeded Services" on page 86, should be used frequently to search for suspicious ports that were not there "yesterday." Save their output while the system is in a known-good state and compare that baseline against the output of periodic invocations.

The ports program will note high-numbered ports that are in a listen state and might be Trojans awaiting cracker commands. Also, it knows the default ports of the most popular Trojans and will flag these too. The Ethereal program is my favorite real-time port monitoring program.
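The baseline-and-compare check described above, as an added shell example that is not from the book or from the ports program: it reduces `netstat -lntu` output (Linux net-tools column layout assumed) to "proto port" pairs, diffs the current snapshot against a saved baseline, and flags any new listeners on unprivileged ports. The helper names (snapshot_listeners, new_listeners, flag_high_ports) and the sample netstat text are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the book): snapshot listening sockets, compare
# against a saved baseline, and flag new high-numbered listeners.
# Assumes the Linux net-tools `netstat -lntu` format (local address in
# column 4). Helper names are hypothetical, chosen for this example.

export LC_ALL=C   # make sort and comm agree on collation order

# Reduce netstat -lntu text on stdin to sorted, unique "proto port" lines.
# Run as `netstat -lntu | snapshot_listeners > baseline` on a known-good
# system, or feed it saved output as done below.
snapshot_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":");   # port is the text after the last colon
            sub(/6$/, "", $1);       # fold tcp6/udp6 into tcp/udp
            print $1, a[n]
         }' | sort -u
}

# Print lines present in the current snapshot but absent from the baseline.
# $1 = baseline file, $2 = current file (both in snapshot format).
new_listeners() {
    comm -13 "$1" "$2"
}

# From a snapshot file, print listeners on unprivileged ports (> 1024),
# the range where a leftover Trojan is most likely to be listening.
flag_high_ports() {
    awk '$2 + 0 > 1024' "$1"
}

# --- Constructed sample data (not real system output) -------------------
BASELINE_RAW='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*'

CURRENT_RAW='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 0.0.0.0:54321           0.0.0.0:*'

WORK=$(mktemp -d)
printf '%s\n' "$BASELINE_RAW" | snapshot_listeners > "$WORK/baseline"
printf '%s\n' "$CURRENT_RAW"  | snapshot_listeners > "$WORK/current"

echo "Listeners not present in the baseline:"
new_listeners "$WORK/baseline" "$WORK/current" > "$WORK/new"
cat "$WORK/new"
echo "Of those, on unprivileged ports:"
flag_high_ports "$WORK/new"
rm -rf "$WORK"
```

In practice the baseline file is taken once while the machine is in a known-good state and the comparison is run from cron; anything comm reports is either a service you deliberately added since the baseline (update the baseline) or something to investigate. If you use ss rather than netstat, the local address sits in a different column, so adjust the field number in snapshot_listeners.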

Real World Linux Security (Prentice Hall PTR Open Source Technology Series), 2002, 260 pages.