Service Auditing on Linux

Think of your server as a building, and each service as a door. If you are protecting your front door but are not aware of a door in the back, you may not know to lock it.

In order to protect against someone breaking into your server, you have to know what services are open to the internet.

This is extremely simple and takes just one command:

sudo netstat -plnt

(If you are using CentOS 7 minimal, you will need to install net-tools first: sudo yum install net-tools)

The server will reply with a list:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 486/apache2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 396/sshd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 459/mysqld
tcp6 0 0 :::22 :::* LISTEN 396/sshd

In this instance, we can recognize Apache, SSH and MySQL listening on ports 80, 22 and 3306 respectively. A local IP address of 0.0.0.0 means all interfaces, so the service is open to the internet.

The last entry is for SSH listening on port 22 on IPv6.

We see SSH and Apache listening on 0.0.0.0, and MySQL listening on 127.0.0.1 (localhost).
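
The reading of the Local Address column described above, as an added example that is not part of the original article: a shell function that labels each listener in netstat -plnt output by the address it is bound to. The labels EXPOSED, LOCAL and SPECIFIC and the function names are assumptions chosen for this example; the sample input is the output shown above.

```shell
#!/bin/sh
# Added example (not from the original article).

# Constructed sample: the netstat output shown in the article above.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 486/apache2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 396/sshd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 459/mysqld
tcp6 0 0 :::22 :::* LISTEN 396/sshd
EOF
}

# Reads `netstat -plnt` output on stdin; prints "<scope> <proto> <port> <program>".
classify_listeners() {
    awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")      # port follows the last colon
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        prog = $7
        sub(/^[0-9]+\//, "", prog)       # strip the "PID/" prefix
        if (host == "0.0.0.0" || host == "::")
            scope = "EXPOSED"            # all interfaces; reachable unless a firewall filters it
        else if (host ~ /^127\./ || host == "::1")
            scope = "LOCAL"              # loopback: only reachable from the server itself
        else
            scope = "SPECIFIC"           # bound to one address; check which network it is on
        print scope, $1, port, prog
    }'
}

# Unique ports bound to all interfaces, as one space-separated line.
exposed_ports() {
    classify_listeners | awk '$1 == "EXPOSED" { print $3 }' | sort -nu | paste -sd' ' -
}

# Demo on the sample; on a live host: sudo netstat -plnt | classify_listeners
sample_netstat | classify_listeners
```

Comparing the exposed_ports output against the list of services you intend to publish shows any door you did not know about.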


Since we have identified these ports and programs, we can take steps to harden security for each of them. We might remove the ability to log in as root over SSH (on Ubuntu or CentOS), and install fail2ban (on Ubuntu) to defend against brute-force attacks against SSH and Apache (if we had an application requiring logins).

The instructions were verified on InterServer's OpenVZ VPS Hosting service, using Ubuntu 14.04 64-bit and CentOS 7.
