How to Use lsof Command in Security Analysis – Linux

Hi all,

Server security matters whenever we run important applications or websites on a server. For a Linux systems administrator, hardening the system, finding intruders and blocking them from stealing or destroying our data is unavoidable work.

There are many applications and tools that add security features and alert us when something suspicious happens. At the same time, by spending a little time checking things by hand, we can find attacks and other security issues on the server ourselves.

Let's look at some simple checks we can run on a Linux server with the help of the lsof command:

Trace malicious programs on server using lsof:

How to find which processes have the highest number of opened files:
lsof | awk '{printf("%s (%s)\n", $1, $2)}' | sort -n | uniq -c | sort -n | tail

The above command counts the opened files for each process and lists the 10 processes with the highest number of open files. Append "-20" to the final tail (i.e. tail -20) if you want to list the 20 processes with the highest number of opened files instead.

Locate unused open ports on your server:

– Run the netstat command to check whether any suspicious ports are open:

netstat -an
The output of the above command will look like:
udp 0 0*
udp 0 0*
udp 0 0*
udp 0 0*

In the above example, if you find an unknown port, say 41713, run the following command to locate the program using that port:

lsof -i udp:41713

Locate files held open by a program after they have been deleted from the file system:

lsof | grep deleted

The output of the above command lists open files that are still in use by processes but are no longer present in the file system. You can manually kill/terminate these processes to free up the memory; otherwise the memory allotted for these files won't be freed.
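The three checks above (top open-file counts, the owner of an unknown port, and files held open after deletion) can be scripted so they run against a saved copy of lsof output rather than by eye. The following is an added example, not part of the original post: the lsof lines are a constructed sample in the default column layout, and the functions also accept real output piped in as `lsof -nP | top_open_files 10`.

```shell
#!/bin/sh
# Constructed lsof-style output (not a real capture). Columns follow the default
# lsof layout: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(deleted)|(LISTEN)]
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1201 root cwd DIR 8,1 4096 2 /
sshd 1201 root txt REG 8,1 123456 99 /usr/sbin/sshd
nginx 2034 www-data 3r REG 8,1 8192 1234 /var/log/nginx/access.log (deleted)
nginx 2034 www-data 4u IPv4 56789 0t0 TCP *:80 (LISTEN)
nginx 2034 www-data 5u IPv4 56790 0t0 TCP *:443 (LISTEN)
suspect 3007 nobody 6u IPv4 56791 0t0 UDP *:41713
suspect 3007 nobody 7r REG 8,1 2048 5555 /tmp/.hidden (deleted)'

# Same idea as the article's pipeline: count open files per "COMMAND (PID)" and
# print the top N as "count command (pid)". Reads lsof output on stdin.
top_open_files() {
    awk 'NR > 1 { printf("%s (%s)\n", $1, $2) }' \
        | sort | uniq -c | sort -rn | head -n "${1:-10}" \
        | awk '{ print $1, $2, $3 }'
}

# Files held open after deletion: prints "command pid path". The path is
# rebuilt from field 9 up to the trailing "(deleted)" so paths with spaces survive.
deleted_open_files() {
    awk 'NR > 1 && $NF == "(deleted)" {
        path = $9
        for (i = 10; i < NF; i++) path = path " " $i
        print $1, $2, path
    }'
}

# Which process owns a given port, from lsof -i style lines ("*:80 (LISTEN)", "*:41713").
# Matches ":PORT" followed by a space or end of line, so port 8 does not match :80.
port_owner() {
    awk -v port="$1" 'NR > 1 && $0 ~ (":" port "( |$)") { print $1, $2 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LSOF" | top_open_files 3
printf '%s\n' "$SAMPLE_LSOF" | deleted_open_files
printf '%s\n' "$SAMPLE_LSOF" | port_owner 41713
```

The port check is a parsing convenience for saved output; on a live host `lsof -i udp:41713` from the post is the direct way to ask the same question.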

That's all. Check the other methods too, and thanks for reading! Share if you found this helpful!

Thank you!
