The most overlooked phase of software installation and removal is monitoring. After a change, watch the logs, system behavior, and process failures to determine whether the change is causing problems. There is no fixed period to monitor for, but it should be long enough for all major processes to run through a normal cycle, and at a minimum one full day and night, before you decide whether the system needs to be rolled back to its previous state.
Some of the commands you can use to determine your system's state and check for unusual activity are:
netstat -ap    Shows all open sockets (listening ports and established connections) and the program using each one, so you can spot unusual ports; run it as root, or the program column is blank for processes you do not own
ps -ef    Shows every running process, so you can spot unusual ones
last    Shows the most recent logins to the system
These commands let you check for unusual activity; others are discussed throughout this book. Monitor your systems so that unusual activity that could signal malicious software does not go unnoticed. To know what normal looks like, take a few snapshots of the system at different times of day before installing or removing software; these give you a baseline to compare against afterward. The software's documentation should note any new processes or ports that its installation or removal legitimately introduces, so that you can tell expected changes from unexpected ones. If you see new ports open, refer to /etc/services for a listing of common services and their assigned ports. You can also visit
http://www.iana.org/assignments/port-numbers/
for a listing of officially assigned ports, or
http://www.pestpatrol.com/Support/About/About_Ports_And_Trojans.asp#portlist
for a listing of ports used by known Trojans. You can also search the Internet for information on any service or open port that concerns you. For example, let's say you have to install an old version of sendmail because you were directed to. You protest installing an outdated version, but in the end you are overridden, and one of the senior system administrators has you install version 8.12.6. Being a diligent security administrator, you took a baseline of the system before the installation. Afterward you continue monitoring, and you discover that port 6667 is in use on your server, connected to a host you have never seen before. You look in /etc/services and find that port 6667 is assigned to ircd, the Internet Relay Chat (IRC) daemon. You know you are not running IRC, and after further investigation it turns out that you received a malicious version of sendmail. While this specific attack is unlikely today, it illustrates how monitoring can reveal problem software.
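The baseline-and-compare routine described above, and the port-6667 lookup from the sendmail story, as a worked shell script. This is an added example, not code from the book: the script name baseline.sh and the directory layout are made up, and the sample netstat output and cut-down services file it ships with are constructed, not real captures. It runs the book's netstat -ap check with -n added so that ports stay numeric and the script does its own /etc/services lookup (netstat would otherwise resolve them itself, and resolving foreign addresses also triggers DNS queries). It assumes net-tools netstat(8), a services(5) file in the usual "name port/proto" layout, and root privileges when taking a real snapshot so the PID/Program column is populated; on distributions that ship only ss, "ss -tulpan" gives the same information but its columns differ and are not parsed here.

```shell
#!/bin/sh
# baseline.sh (hypothetical name): snapshot the socket table before a change,
# snapshot it again afterward, and report what is new.
#
#   sh baseline.sh snapshot /var/tmp/base        # before the install
#   sh baseline.sh snapshot /var/tmp/post        # after it, and again a day later
#   sh baseline.sh compare  /var/tmp/base /var/tmp/post
#   sh baseline.sh                               # demo on constructed sample data

# Reduce "netstat -apn" output on stdin to sorted "proto local foreign program"
# lines.  tcp lines carry a State column and udp lines do not, so the program
# is taken from the last field rather than a fixed column number.
normalize_sockets() {
    awk '$1 ~ /^(tcp|udp)/ { print $1, $4, $5, $NF }' | sort
}

# Write the current socket table to DIR/sockets, plus the other two checks
# from the book (processes and logins), so the whole picture can be diffed.
snapshot() {
    mkdir -p "$1"
    netstat -apn 2>/dev/null | normalize_sockets > "$1/sockets"
    ps -eo pid,user,comm,args > "$1/processes" 2>/dev/null || true
    last -n 50 > "$1/logins" 2>/dev/null || true
}

# Map a port number to its service name in a services(5) file (default
# /etc/services).  Prints nothing when the port is not assigned there.
port_service() {
    awk -v p="$1" '$1 !~ /^#/ && $2 ~ ("^" p "/") { print $1; exit }' "${2:-/etc/services}"
}

# Print every socket present in AFTER but absent from BEFORE, followed by the
# service name of the interesting port: the local port for a listener, the
# remote port for an established connection.  Output: "proto local foreign program service".
new_sockets() {
    svc=${3:-/etc/services}
    comm -13 "$1/sockets" "$2/sockets" |
    while read -r proto laddr faddr prog; do
        case $faddr in
            *:\*) port=${laddr##*:} ;;     # listener: foreign address is "*"
            *)    port=${faddr##*:} ;;     # connection: look at the remote port
        esac
        name=$(port_service "$port" "$svc")
        printf '%s %s %s %s %s\n' "$proto" "$laddr" "$faddr" "$prog" "${name:-unknown}"
    done
}

# Constructed sample data (not real captures): a baseline listing, a post-install
# listing in which the new sendmail also holds an outbound connection to port
# 6667 on an unfamiliar host, and a cut-down services(5) file.
write_fixtures() {
    mkdir -p "$1/before" "$1/after"
    cat > "$1/services" <<'EOF'
# name   port/proto
ssh      22/tcp
smtp     25/tcp
domain   53/udp
ircd     6667/tcp
EOF
    cat <<'EOF' | normalize_sockets > "$1/before/sockets"
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           650/dhclient
EOF
    cat <<'EOF' | normalize_sockets > "$1/after/sockets"
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2210/sendmail
tcp        0      0 10.0.0.5:43212          203.0.113.9:6667        ESTABLISHED 2210/sendmail
udp        0      0 0.0.0.0:68              0.0.0.0:*                           650/dhclient
EOF
}

case ${1:-demo} in
    snapshot) snapshot "$2" ;;
    compare)  new_sockets "$2" "$3" ;;
    demo)
        d=$(mktemp -d)
        write_fixtures "$d"
        new_sockets "$d/before" "$d/after" "$d/services"
        rm -rf "$d"
        ;;
esac
```

The demo reports two new entries: the expected SMTP listener and an outbound connection to port 6667, which the lookup labels ircd. That second line is the one the story turns on: the service name tells you what the port is normally used for, and it is then up to you to decide whether sendmail has any business talking to an IRC server. Like the book's commands, the script trusts the system's own netstat and ps; a kernel-level or LD_PRELOAD rootkit can hide entries from both, so a port scan from a second host is a useful cross-check of the baseline.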
By removing unneeded software and installing software in a safe manner, you reduce the overall vulnerability of your system, and as side benefits you reduce the time it takes to keep your software updated and you save disk space. Remember, less is more when it comes to software on your Linux system.