As an administrator it is essential that you correctly manage the services and processes running on your server, not only to keep the server stable so that software doesn't crash, but also to keep it secure.
Ask yourself: if an attacker gained access to your server and left a remote shell running in the background, would you be able to identify it, or would you even realize that it had happened? Systems administrators should always be aware of what is running on their servers; it is part of the job.
What's the difference between a service and a process?
Let's start by discussing the difference between a service and a process. In Linux a service is usually a daemon: a program that runs in the background, detached from any terminal, and typically listens for requests from clients (on a network or local socket) and answers them, for example a web server or sshd. A process is simply any running instance of a program or script, whether in the foreground or the background. A daemon is itself a process, just one that is started at boot and managed by the init system.
To start, check which services you currently have. On Fedora and other Red Hat-style systems the service command wraps the init scripts and lets you start, stop, restart and query services that run in the background; service --status-all reports the status of each one. In this tutorial we will use the Apache service, httpd, as the example.
To start the Apache service, type (commands are case sensitive, so it is service, not Service):
service httpd start
The init scripts themselves live in /etc/init.d/ and can be run directly in the same way, for example /etc/init.d/httpd start.
Identifying an unknown service
Apache is a web server which by default listens on TCP port 80; on Fedora its service is named httpd. Let's say, for the sake of the example, that we don't know what httpd is and want to find out which port it is listening on and what data it sends and receives. The first step is to use the netstat command to find the port.
Run netstat with the options that list listening sockets together with the owning process: netstat -tlnp shows listening TCP sockets in numeric form with the PID and program name of each (run it as root, otherwise the PID column is blank for processes owned by other users).
You will see columns containing the protocol, local address, foreign address, state and PID/Program name. Take note of the local address in the row whose program name is httpd, "0.0.0.0:80": httpd is listening on port 80 on every IPv4 interface. (A recent Apache built with IPv6 support may instead show ":::80", the IPv6 wildcard, which on Linux also accepts IPv4 connections.)
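The netstat output above is read from /proc/net/tcp, the kernel's own table of TCP sockets. Decoding that table directly is a useful cross-check when you suspect an intruder has replaced netstat (a classic rootkit trick), and it also shows how the -p option finds the PID: every socket has an inode number, and the owning process has a file descriptor in /proc/<pid>/fd/ whose link target is socket:[inode]. The script below is an added example, not part of the original tutorial. It decodes a constructed sample of /proc/net/tcp (the hex addresses use the kernel's little-endian byte order, as on x86) and includes the inode-to-PID lookup for use on a live system.

```shell
#!/bin/sh
# Added example: decode /proc/net/tcp, the table netstat -tlnp reads, without netstat.
# Assumes the little-endian hex byte order the Linux kernel uses on x86 for IPv4 addresses.

# Constructed sample of /proc/net/tcp (not a real capture): httpd listening on
# 0.0.0.0:80, sshd on 0.0.0.0:22, something bound only to 127.0.0.1:3306 (uid 27),
# and one established outbound connection that should be ignored.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18421 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 14002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 19888 1 0000000000000000 100 0 0 10 0
   3: 0A00020F:D2C4 5DB8D822:01BB 01 00000000:00000000 02:00000000 00000000  1000        0 22310 1 0000000000000000 20 4 30 10 -1'

# hex_to_ipv4 0100007F -> 127.0.0.1 (bytes are stored least-significant first)
hex_to_ipv4() {
    printf '%d.%d.%d.%d' \
        "0x$(printf '%s' "$1" | cut -c7-8)" \
        "0x$(printf '%s' "$1" | cut -c5-6)" \
        "0x$(printf '%s' "$1" | cut -c3-4)" \
        "0x$(printf '%s' "$1" | cut -c1-2)"
}

# Read /proc/net/tcp-format text on stdin and print each listening socket as
#   LISTEN <ip>:<port> uid=<owner uid> inode=<socket inode>
# Fields: 2 = local_address, 4 = state (0A is TCP_LISTEN), 8 = uid, 10 = inode.
listening_sockets() {
    tail -n +2 | while read -r sl laddr raddr st queues timer retr uid timeout inode rest; do
        [ "$st" = "0A" ] || continue
        printf 'LISTEN %s:%d uid=%s inode=%s\n' \
            "$(hex_to_ipv4 "${laddr%%:*}")" "0x${laddr##*:}" "$uid" "$inode"
    done
    return 0
}

# On a live Linux system: which PID owns the socket with this inode?
# This is the lookup netstat -p performs, scanning /proc/<pid>/fd for socket:[inode].
# Needs root to see other users' processes.
socket_pid() {
    for fd in /proc/[0-9]*/fd/*; do
        if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then
            pid=${fd#/proc/}
            echo "${pid%%/*}"
            return 0
        fi
    done
    return 1
}

# Demo on the constructed sample; on a real host run: listening_sockets < /proc/net/tcp
printf '%s\n' "$SAMPLE_PROC_NET_TCP" | listening_sockets
```

On a live host, feed the real table in with listening_sockets < /proc/net/tcp and then socket_pid 18421 (or whatever inode the line shows) to get the PID; /proc/net/tcp6 has the same layout with 32-hex-digit addresses, which this decoder does not handle.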
Next we want to identify what is being sent and received on port 80. We know httpd uses TCP, so we can use the packet sniffer tcpdump to see the raw data passing through port 80.
Enter the following command in your terminal (as root) to capture the data sent and received on port 80. Because we will connect to the server at 127.0.0.1, the traffic crosses the loopback interface, which tcpdump does not watch by default, so select it explicitly with -i lo:
tcpdump -i lo -n -w dump.pcap port 80
Next open Firefox and browse to the default Apache page by entering http://127.0.0.1, the loopback address of the web server.
If the default Apache page displays, go back to tcpdump and press Ctrl+C to stop it. Now we can look at what was sent and received.
The -w option writes a binary pcap file rather than text, so read it back with tcpdump -n -r dump.pcap -A (or open it in Wireshark); -A prints each packet's payload as ASCII. The first thing you will see is the client's request for the page:
GET / HTTP/1.1
User-Agent: Mozilla/5.0 Firefox/5.0
Accept-Encoding: gzip, deflate
Below that you will find the server's response:
HTTP/1.1 200 OK
Date: Wed, 29 Jun 2011 14:46:12 GMT
Server: Apache/2.2.13 (Fedora)
Shortly after the response headers comes the HTML of the page to be displayed.
So we now know what httpd sends and receives, which is the evidence needed to judge whether a service is harmless or malicious. Bear the limits of this check in mind: a service that speaks TLS (Apache on port 443, for instance) shows tcpdump only ciphertext, and a backdoor may stay silent until it receives a specific trigger. So also confirm where the listening process's executable lives (ls -l /proc/PID/exe) and whether the package manager knows that file (rpm -qf on the path) before deciding it is legitimate.
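A busy server produces far more packets than the single exchange shown above, so it helps to reduce a capture to one line per request. The script below is an added example, not part of the original tutorial: http_summary reads tcpdump -A text and prints each request with its Host header, the status code of the response that followed and the Server header. It runs over a constructed sample shaped like the Firefox request and Apache response above (the first text line of every packet begins with the IP/TCP header bytes rendered as dots, which is why request and status lines are matched anywhere in the line while the headers that follow are matched at line start).

```shell
#!/bin/sh
# Added example: summarise HTTP requests and responses from tcpdump -A output.

# Constructed sample of what tcpdump -i lo -n -A port 80 prints for the exchange in
# the tutorial plus one failing request (not a real capture).
SAMPLE_CAPTURE='14:46:12.101 IP 127.0.0.1.51234 > 127.0.0.1.80: Flags [P.], seq 1:191, ack 1, win 512, length 190
E.....@.@..............P.....GET / HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 Firefox/5.0
Accept-Encoding: gzip, deflate

14:46:12.103 IP 127.0.0.1.80 > 127.0.0.1.51234: Flags [P.], seq 1:329, ack 191, win 512, length 328
E.....@.@..........P.........HTTP/1.1 200 OK
Date: Wed, 29 Jun 2011 14:46:12 GMT
Server: Apache/2.2.13 (Fedora)
Content-Type: text/html; charset=UTF-8

<html><body><h1>It works!</h1></body></html>
14:46:13.500 IP 127.0.0.1.51236 > 127.0.0.1.80: Flags [P.], seq 1:120, ack 1, win 512, length 119
E.....@.@..............P.....GET /secret.php HTTP/1.1
Host: 127.0.0.1

14:46:13.502 IP 127.0.0.1.80 > 127.0.0.1.51236: Flags [P.], seq 1:250, ack 120, win 512, length 249
E.....@.@..........P.........HTTP/1.1 404 Not Found
Date: Wed, 29 Jun 2011 14:46:13 GMT
Server: Apache/2.2.13 (Fedora)
Content-Type: text/html; charset=iso-8859-1'

# http_summary: tcpdump -A text on stdin -> one line per request:
#   METHOD PATH host=HOST -> STATUS server=SERVER
# A request is printed when the next request begins or at end of input, by which
# time the response that followed it (status line and Server header) has been seen.
http_summary() {
    awk '
    function flush() {
        if (req != "") printf "%s host=%s -> %s server=%s\n", req, host, status, server
        req = ""
    }
    /(GET|POST|HEAD|PUT|DELETE|OPTIONS) [^ ]+ HTTP\/1\.[01]/ {
        flush()
        match($0, /(GET|POST|HEAD|PUT|DELETE|OPTIONS) [^ ]+ HTTP\/1\.[01]/)
        split(substr($0, RSTART, RLENGTH), f, " ")
        req = f[1] " " f[2]; host = "-"; status = "-"; server = "-"
        next
    }
    /^Host: / { host = $2; next }
    /HTTP\/1\.[01] [0-9][0-9][0-9]/ {
        match($0, /HTTP\/1\.[01] [0-9][0-9][0-9]/)
        status = substr($0, RSTART + 9, 3)    # skip "HTTP/1.x " to the status code
        next
    }
    /^Server: / { sub(/^Server: /, ""); server = $0; next }
    END { flush() }
    '
}

# Demo on the constructed sample; on a live server:
#   tcpdump -i lo -n -A port 80 | http_summary        (or: tcpdump -n -r dump.pcap -A | http_summary)
printf '%s\n' "$SAMPLE_CAPTURE" | http_summary
```

The summary only pairs a request with the next status line seen, so with many concurrent connections on a busy server you would split the capture per client port first (tcpdump's header line carries it) or use Wireshark's Follow TCP Stream instead.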
Linux has two commands that come to mind for managing processes, ps and top. Both display process information that can be used to find and stop unknown processes running in the background. In this tutorial I will cover top.
top is roughly the Linux equivalent of the Windows Task Manager: it displays a list of running processes with information about each one, refreshing every few seconds so that you can monitor them continuously. To run it, simply type "top" in your terminal.
top shows, for each process, how much CPU and memory it is using along with its PID (process identifier), which is what we need in order to kill a process. Using top you can spot a service or process that you don't want running in the background, such as our earlier example, httpd. Note that httpd runs as a root-owned parent process plus several worker children owned by the apache user; killing one worker only makes the parent spawn a replacement, so target the parent, or better, stop a service that has an init script cleanly with service httpd stop and keep kill for processes that have none. Note the PID that httpd (or apache) is using and run the following command to kill that process (pressing k inside top and entering the PID does the same):
kill 1234 (1234 in this case being the PID of the running process)
Be careful not to kill any process that is important or critical to the running of Linux, such as PID 1 (init), the kernel threads top shows in square brackets, or the sshd session you are logged in through. kill sends SIGTERM by default, which asks the process to exit cleanly; kill -9 (SIGKILL) should be a last resort for a process that ignores SIGTERM, because it gets no chance to clean up. I am not responsible for any damage to your server if you decide to kill the wrong process.
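Before killing a PID found in top, it is worth confirming what that process actually is. The script below is an added example, not part of the original tutorial: describe_pid reports the executable, working directory, command line and owner from /proc/<pid>, flagging the case where the binary has been deleted from disk since the process started (a common sign of a dropped-and-unlinked backdoor), and stop_process does what the init scripts do, sending SIGTERM, waiting a grace period and only then SIGKILL. The file name triage.sh and the grace period are choices of this example, and the /proc paths are Linux-specific.

```shell
#!/bin/sh
# Added example: look before you kill. Triage a PID from /proc, then stop it the way
# init scripts do (TERM, grace period, KILL). /proc paths are Linux-specific.

# describe_pid PID: what is this process, really?
describe_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '(unreadable: run as root)')
    printf 'pid %s\n' "$pid"
    printf '  exe:   %s\n' "$exe"
    printf '  cwd:   %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null)"
    printf '  cmd:   %s\n' "$(tr '\000' ' ' < "/proc/$pid/cmdline")"
    printf '  uid:   %s\n' "$(awk '/^Uid:/ {print $2}' "/proc/$pid/status")"
    printf '  ppid:  %s\n' "$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")"
    # The kernel appends " (deleted)" when the binary was removed or replaced on disk
    # after the process started: a common sign of a dropped-and-unlinked backdoor.
    case "$exe" in
        *' (deleted)') echo '  WARNING: executable no longer exists on disk' ;;
    esac
    return 0
}

# process_alive PID: true while the process exists and is not a zombie.
# kill -0 still succeeds for a zombie until its parent reaps it, so on Linux
# check the State line in /proc/PID/status as well.
process_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    if [ -r "/proc/$1/status" ] && grep -q '^State:[[:space:]]*Z' "/proc/$1/status"; then
        return 1
    fi
    return 0
}

# stop_process PID [GRACE_SECONDS]: SIGTERM, wait up to GRACE seconds for a clean
# exit, then SIGKILL. Returns 0 once the process is gone, 1 if it survived even
# KILL (for example a process stuck in uninterruptible I/O).
stop_process() {
    pid=$1
    grace=${2:-5}
    kill -TERM "$pid" 2>/dev/null || return 0    # already gone
    i=0
    while [ "$i" -lt "$grace" ]; do
        process_alive "$pid" || return 0
        sleep 1
        i=$((i + 1))
    done
    echo "pid $pid ignored SIGTERM for ${grace}s, sending SIGKILL" >&2
    kill -KILL "$pid" 2>/dev/null || return 0
    sleep 1
    if process_alive "$pid"; then return 1; fi
    return 0
}

# Usage: sh triage.sh PID        (inspect only)
#        sh triage.sh PID stop   (inspect, then stop)
if [ "$#" -gt 0 ]; then
    describe_pid "$1"
    [ "${2:-}" = "stop" ] && stop_process "$1"
fi
```

For a daemon started by an init script, prefer service NAME stop over stop_process so that the script can remove its PID file and lock; and remember that killing a process does not stop it coming back at the next boot, so check chkconfig --list (or the relevant rc.local and cron entries) for whatever started it.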