Linux Socket Monitor
Detect unauthorized network connections in real time
Overview
Linux Socket Monitor (LSM) is a network socket monitor designed to track changes to both network sockets and Unix domain sockets, effectively serving as a port monitor.
LSM works by differential comparison of server sockets: it records a base set of active sockets on install, then compares current socket information against these base comparison files. It uses cron to schedule scans at configurable intervals and sends email alerts when differences are detected, highlighting otherwise unknown services.
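The baseline-versus-current comparison described above, sketched as an added example; this is not LSM's own code. The function names, the baseline file layout and the `ss`-style sample listings are assumptions constructed for illustration.

```shell
# Added illustration of baseline-vs-current socket diffing; not LSM's own code.
# Function names, file layout and sample listings are assumptions.

# Constructed `ss -H -ltunx`-style listings: netid state recv-q send-q local peer
BASE_SAMPLE='tcp   LISTEN 0 128  0.0.0.0:22 0.0.0.0:*
udp   UNCONN 0 0    127.0.0.53%lo:53 0.0.0.0:*
u_str LISTEN 0 4096 /run/systemd/private 18211 * 0'
NOW_SAMPLE='tcp   LISTEN 3 128  0.0.0.0:22 0.0.0.0:*
udp   UNCONN 0 0    127.0.0.53%lo:53 0.0.0.0:*
u_str LISTEN 0 4096 /run/systemd/private 90417 * 0
tcp   LISTEN 0 511  0.0.0.0:8081 0.0.0.0:*
u_str LISTEN 0 128  /tmp/.agent.sock 40312 * 0'

# Reduce each line to a stable key "netid local-address". Queue counters and
# Unix-socket inode numbers change between scans, so they are left out.
socket_keys() {
    awk 'NF >= 5 { print $1, $5 }' | LC_ALL=C sort -u
}

# Keys present in the current file ($2) but absent from the baseline ($1).
new_sockets() {
    LC_ALL=C comm -13 "$1" "$2"
}

# scan BASELINE: read a listing on stdin. The first run records the baseline;
# later runs print sockets not in it and return 1. The baseline is left as is,
# so a finding repeats until an operator re-records it.
scan() {
    cur=$(mktemp) || return 2
    socket_keys > "$cur"
    if [ ! -s "$1" ]; then
        mv "$cur" "$1"; return 0
    fi
    new=$(new_sockets "$1" "$cur"); rm -f "$cur"
    if [ -z "$new" ]; then return 0; fi
    printf '%s\n' "$new"; return 1
}

# Run both constructed listings through scan; a cron job would instead pipe
# `ss -H -ltunx` into scan and mail any output.
demo() {
    dir=$(mktemp -d) || return 2
    rc=0
    printf '%s\n' "$BASE_SAMPLE" | scan "$dir/base" > /dev/null
    printf '%s\n' "$NOW_SAMPLE" | scan "$dir/base" || rc=$?
    rm -rf "$dir"; return "$rc"
}
demo || true
```

The sshd line with a changed Recv-Q and the systemd socket with a changed inode produce no finding; only the two sockets missing from the baseline are printed.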
Features
Monitoring
- Differential comparison of both network sockets and Unix domain sockets
- Base set recording with comparison against current socket state
- Highlights otherwise unknown services on the system
- Events only trigger for new sockets — ignores services already holding sockets open
Operation
- Configurable alerting system via email when new ports activate
- Lightweight compact bash script with minimal configuration
- Scans current ports and sockets on install to create base comparison files
- Cron-based scheduling at configurable intervals (default every 10 minutes)
Installation
Install from tarball:
$ wget https://www.rfxn.com/downloads/lsm-current.tar.gz
$ tar xfz lsm-current.tar.gz
$ cd lsm-*/
$ sudo ./install.sh
Verify download integrity:
$ wget https://www.rfxn.com/downloads/lsm-current.tar.gz.md5
$ md5sum -c lsm-current.tar.gz.md5
Resources
Download: https://www.rfxn.com/downloads/lsm-current.tar.gz