Linux Monitoring Tools

From wiki-ben
Revision as of 05:10, 21 October 2015 by Bensoer

There are a number of tools in Linux that can be used to gather information about your system and determine whether it is, or has been, compromised in some way.

ifconfig/ip address

ifconfig or ip address gives a summary overview of the network cards on the system.

By default ifconfig reports the status of all active network cards only. To view all cards, active or inactive, include the -a flag.

An example of ifconfig -a printout could look like this:

eth0 Link encap:Ethernet HWaddr 00:01:02:45:45:5B
   inet addr:192.168.1.20 Bcast:192.168.1.255 Mask:255.255.255.0
   UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
   RX packets:1449310 errors:0 dropped:0 overruns:0 frame:0
   TX packets:19866 errors:0 dropped:0 overruns:0 carrier:0
   collisions:232 txqueuelen:100
   Interrupt:5 Base address:0xb400
lo Link encap:Local Loopback
   inet addr:127.0.0.1 Mask:255.0.0.0
   UP LOOPBACK RUNNING MTU:16436 Metric:1
   RX packets:70 errors:0 dropped:0 overruns:0 frame:0 
   TX packets:70 errors:0 dropped:0 overruns:0 carrier:0
   collisions:0 txqueuelen:0

An important thing to check is that your card is not in PROMISC mode, as the sample readout shows for eth0. PROMISC (promiscuous) mode means that the card, instead of listening only for packets addressed to it, accepts all packets seen on the network segment. Attackers commonly put a compromised host into this mode to collect sensitive data from the network the system is connected to. Unless you are running an intrusion detection system or packet capture on the local system, this flag should not appear.
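As an added example (not code from the original wiki page), here is a small Python script that parses ifconfig -a output and reports any interface with the PROMISC flag. It goes a little beyond the printout above by also handling the newer net-tools layout (flags=NNNN<UP,...>) and by checking the raw flags value from /sys/class/net/<iface>/flags against IFF_PROMISC (0x100, from <linux/if.h>); the sample text is constructed from the printout above.

```python
import re

# Constructed sample of legacy `ifconfig -a` output, matching the wiki printout.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:01:02:45:45:5B
          inet addr:192.168.1.20  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1449310 errors:0 dropped:0 overruns:0 frame:0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

# Legacy layout: flags on an indented line ending in "MTU:<n>".
FLAG_LINE_OLD = re.compile(r"^\s+((?:[A-Z]+\s+)+)MTU:\d+")
# Newer net-tools layout: "eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>".
FLAG_LINE_NEW = re.compile(r"^\S+:\s+flags=\d+<([A-Z,]*)>")
IFF_PROMISC = 0x100  # bit value from <linux/if.h>


def parse_ifconfig(text):
    """Return {interface_name: set_of_flag_names} from ifconfig output."""
    interfaces, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():  # unindented line starts a new interface
            current = line.split()[0].rstrip(":")
            interfaces[current] = set()
            m = FLAG_LINE_NEW.match(line)
            if m:
                interfaces[current].update(f for f in m.group(1).split(",") if f)
        elif current:
            m = FLAG_LINE_OLD.match(line)
            if m:
                interfaces[current].update(m.group(1).split())
    return interfaces


def promiscuous_interfaces(text):
    """Names of interfaces whose flag line contains PROMISC, sorted."""
    return sorted(n for n, flags in parse_ifconfig(text).items() if "PROMISC" in flags)


def sysfs_flags_promisc(flags_file_contents):
    """True if the hex string read from /sys/class/net/<iface>/flags has IFF_PROMISC set."""
    return bool(int(flags_file_contents.strip(), 16) & IFF_PROMISC)


if __name__ == "__main__":
    for name in promiscuous_interfaces(SAMPLE_IFCONFIG):
        print(f"WARNING: {name} is in promiscuous mode")
```

On a live system, feed the script the real output of ifconfig -a, or read each /sys/class/net/*/flags file and pass its contents to sysfs_flags_promisc.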

Checking Network Connectivity with ping

Ping is commonly disabled on servers because it has notoriously been used for simple DoS attacks, and for reconnaissance when mapping out a network of interest. It is therefore not uncommon to ping a destination and get no reply. That said, ping remains a useful tool for testing connectivity, whether to the end host or to the interfaces in between.

You can execute ping by calling:

ping <ip or domain of destination>

You can also limit how many hops a ping packet may travel before it is discarded (its TTL, time to live) by using the -t flag followed by the TTL value.

Checking Network Connectivity with traceroute

Traceroute is a tool that shows all of the routers a request passed through, and their latencies, before arriving at its destination. It can be used to determine why a server may be slow, and whether that is caused by congestion at certain routers along the path.

Traceroute also gives us an interesting view of how ISPs and the target host are connected to each other and to the internet.

You can execute traceroute like this:

traceroute <ip or domain of destination>

[Visual Route](http://www.visualroute.com/) is an interesting tool that lets you visualize a traceroute and the geographic placement of its routers in a GUI (although not 100% accurate).

Checking Network Processes with Netstat

Checking Processes with ps

Monitor System Resources with lsof

Use RSysLogs

See RSysLog