
Kali Linux Practice Lab: Network and System Monitoring for Cybersecurity



April 6, 2023
(updated July 10, 2023)



Defensive and Offensive Security: Red and Blue

In the ongoing struggle to defend against cyber attacks, companies are increasingly adopting a proactive approach to security through the use of blue and red teams. Blue team activities involve the defense and protection of a system, network, or application. They are responsible for detecting and mitigating attacks and for identifying and patching vulnerabilities in order to improve the overall security posture. Blue team activities can include monitoring logs, conducting regular vulnerability assessments, updating software and hardware, and implementing security best practices.

On the other hand, red team activities involve simulated attacks on a system, network, or application in order to identify vulnerabilities and weaknesses. Their objective is to identify weaknesses in security controls and to exploit those weaknesses to gain unauthorized access or cause disruption. Red team activities are usually conducted by independent third-party groups. These groups use methods like penetration testing, social engineering, and vulnerability assessments to assess the effectiveness of the security defenses.

Together, red and blue teams play a critical role in protecting the integrity and confidentiality of sensitive data. In this article, we'll explore some of the most commonly used Linux commands and tools employed by blue teams to identify and respond to potential security threats.

This series of articles will cover some of the aspects of blue team operations. While there are many components of blue team operations, these articles will address 4 key activities of defensive cybersecurity and give you foundational knowledge on the topic. Those activities are as follows:

We'll now explore some of the most commonly used Linux commands and tools employed by blue teams for Network and System Monitoring.


Disclaimer: This site does not encourage any unethical hacking behavior. In fact, the cybersecurity articles posted on the website focus on defensive security (blue team operations). Vulnerability exploitation is not a topic covered on this website. If you haven't already done so, start your cybersecurity journey by reading and understanding ethical hacking concepts.


Network and System Monitoring

The first defensive security topic being covered is network and system monitoring. Below is a description of commands and tools commonly utilized for network and system monitoring.


Defensive Activity:
Monitoring the network and system for suspicious activity such as unusual logins or network traffic.

Linux Commands and Tools

There are many commands that can be used for network and system monitoring in Linux. Here are 20 commands that can be useful in accomplishing the task. Each command has many options and variations. Consult the manual pages to determine which ones work best for your needs.

1. ping

ping - test network connectivity and measure round-trip time for packets

ping [address]
Documentation


2. traceroute

traceroute - determine the network path and number of hops between two hosts

traceroute [authorized_address]
Traceroute may need to be installed: sudo apt install traceroute
Documentation


3. netstat

netstat - view network connections, routing tables, and network interface statistics

  • Display network connections
    netstat -ta
  • Display network services
    netstat -pnltu
  • Display routing table
    netstat -r
  • Display all listening ports for TCP and UDP connections
    netstat -a
  • Display all of the listening connections
    netstat -l
  • Display interface statistics
    netstat -i
  • List sockets by type
    netstat -at

Documentation


4. ss

ss - similar to netstat, but with faster performance and more detailed output

Current Listing Sockets


ss -l

Documentation
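The listening-socket view from ss (or netstat -l) is most useful when it is compared against what the host is supposed to be running. The script below is an added example, not code from the original article: it reads ss-style output on stdin and reports any listening TCP port that is not in a baseline allowlist. The sample output and the allowlist (ports 22 and 631) are constructed for a lab host and are assumptions; on a real host, pipe `ss -ltn` into the same function.

```shell
#!/bin/sh
# Added example (not from the original article): compare the listening TCP
# sockets reported by `ss -ltn` against an allowlist of expected ports and
# print every port that is not on the list. The sample output below is
# constructed to look like `ss -ltn` output on a lab host.

SAMPLE_SS_OUTPUT='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     127.0.0.1:631        0.0.0.0:*
LISTEN  0       128     0.0.0.0:8888         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*'

# Ports the lab baseline says should be listening (assumed baseline).
EXPECTED_PORTS="22 631"

# extract_listen_ports: read ss-style lines on stdin and print the port of
# each LISTEN socket (the text after the last ':' of the local address),
# one per line, de-duplicated and sorted numerically.
extract_listen_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# unexpected_listeners ALLOWLIST: read ss-style lines on stdin and print the
# listening ports that are not in ALLOWLIST (a space-separated string).
unexpected_listeners() {
    allow=" $1 "
    extract_listen_ports | while read -r port; do
        case "$allow" in
            *" $port "*) ;;          # in the baseline, nothing to report
            *) echo "$port" ;;       # not in the baseline: report it
        esac
    done
}

# Live use on a lab host:
#   ss -ltn | unexpected_listeners "$EXPECTED_PORTS"
printf '%s\n' "$SAMPLE_SS_OUTPUT" | unexpected_listeners "$EXPECTED_PORTS"
```

Run it at a known-good point to build the baseline, then re-run it on a schedule; a new port in the output is the trigger to look up the owning process with `ss -ltnp` or lsof.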


5. tcpdump

tcpdump - capture network traffic in real-time and analyze it using filters

tcpdump -D

Documentation


6. iftop

iftop - view real-time network bandwidth usage by individual connections or interfaces

iftop is not just a Linux command. It is a monitoring tool that you will likely need to install: sudo apt install iftop.

Once installed, the tool is launched with the command below.

sudo iftop

Documentation


7. iptraf

iptraf - interactive tool for monitoring network traffic and bandwidth usage.

iptraf is not just a Linux command. It is a monitoring tool that you will likely need to install: sudo apt install iptraf.

Once installed, the tool is launched with the command below.

sudo iptraf

Documentation


8. nload

nload - monitor network traffic in real-time with a simple command-line interface. It is a monitoring tool that you will likely need to install: sudo apt install nload.

Once installed, the tool is launched with the command below.

nload

Documentation
  • Geeks for Geeks; or
  • linux.die.net


9. iostat

iostat - view real-time I/O statistics for system devices and partitions.

iostat

Documentation


10. sar

sar - collect and view system resource usage data over time. There are a few steps that have to be taken in order to use sar.

  • Install sysstat
  • Enable data collection
  • Enable the sysstat service
  • Start the sysstat service
  • Issue the sar command

Install sysstat:
sar is a monitoring tool that you will likely need to install: sudo apt install sysstat.

Enable data collection:
sysstat must be configured to collect data. To enable data collection, set ENABLED="true" in /etc/default/sysstat.

Enable and Start sysstat:
You can now enable and start the sysstat service with the commands provided below.

Enable the Service

sudo systemctl enable sysstat

Start the Service

sudo systemctl start sysstat

Issue the sar command:

You can now launch the tool.

sar

Documentation

Also see,
  • TechAdmin.net; and
  • Geeks for Geeks
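The five sar set-up steps above fit in one idempotent script. This is an added example, not code from the original article or the sysstat project: the config edit is a stand-alone function so it can be tried on a copy of the file, while the apt/systemctl steps only run as root. The /etc/default/sysstat path, the ENABLED="true" setting and the systemctl commands are the ones the article gives; `sar -u 1 3` (CPU usage, one-second interval, three samples) is added as a quick check that collection works.

```shell
#!/bin/sh
# Added example (not from the original article): the sar set-up steps as one
# idempotent script for Debian/Kali hosts.

SYSSTAT_DEFAULT=/etc/default/sysstat   # path named in the article

# enable_sysstat_collection FILE: set ENABLED="true" in FILE, whether the
# line is currently "false", present with another value, or missing.
enable_sysstat_collection() {
    f="$1"
    [ -f "$f" ] || touch "$f"
    if grep -q '^ENABLED=' "$f"; then
        sed -i 's/^ENABLED=.*/ENABLED="true"/' "$f"
    else
        printf 'ENABLED="true"\n' >> "$f"
    fi
}

# sysstat_enabled FILE: succeed (exit 0) only if FILE turns collection on.
sysstat_enabled() {
    grep -q '^ENABLED="true"$' "$1"
}

# setup_sar: install the package, enable collection, enable and start the
# service, then take three CPU samples to confirm sar is producing data.
setup_sar() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "setup_sar must run as root (or via sudo)" >&2
        return 1
    fi
    command -v sar >/dev/null 2>&1 || apt-get install -y sysstat
    enable_sysstat_collection "$SYSSTAT_DEFAULT"
    systemctl enable sysstat
    systemctl start sysstat
    sar -u 1 3
}

# Run with --apply from a root shell to perform the set-up; without it the
# file only defines the functions so they can be sourced and tested.
if [ "${1:-}" = "--apply" ]; then
    setup_sar
fi
```

Once the service has been running for a while, `sar -u` with no interval prints the CPU history collected for the current day, which is the "over time" view the article refers to.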


11. mpstat

mpstat - view real-time CPU usage statistics for individual processors and cores. Like sar, the mpstat command requires sysstat. Refer to sar for installation, enabling, and starting the sysstat service.

Once the sysstat service is installed, configured, enabled, and started, you can launch the tool with the following command:

mpstat

Documentation


12. vmstat

vmstat - view real-time memory, CPU, and I/O statistics

vmstat

Documentation


13. free

free - view real-time memory usage statistics for the system and individual processes.

To see the totals, issue the following command:

free -t

Documentation


14. ps

ps - view real-time information about running processes, including CPU and memory usage.

ps

Documentation
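A plain ps listing is long; a blue team usually filters it for things that should not be there. The script below is an added example, not code from the original article: it reads `ps -eo pid,user,args` style output on stdin and reports processes whose executable lives in a world-writable scratch directory (/tmp, /var/tmp, /dev/shm), which a hardened lab baseline would not normally contain. The sample listing is constructed; on a live host, pipe the real ps output into the same function.

```shell
#!/bin/sh
# Added example (not from the original article): review `ps` output for
# processes started from world-writable scratch directories. The sample
# below is constructed to look like `ps -eo pid,user,args` on a lab host.

SAMPLE_PS_OUTPUT='    PID USER     COMMAND
      1 root     /sbin/init
    812 root     /usr/sbin/sshd -D
   2201 kali     /usr/bin/python3 /home/kali/lab/collector.py
   2310 www-data /tmp/updater --daemon
   2355 kali     /dev/shm/helper'

# processes_from_scratch_dirs: read ps-style lines on stdin and print
# "PID USER PATH" for every process whose command path starts with one of
# the scratch directories. The header line (NR == 1) is skipped.
processes_from_scratch_dirs() {
    awk 'NR > 1 && ($3 ~ "^/tmp/" || $3 ~ "^/var/tmp/" || $3 ~ "^/dev/shm/") {
             print $1, $2, $3
         }'
}

# count_scratch_dir_processes: same filter, but print only the count, which
# is convenient for an alert threshold in a cron job.
count_scratch_dir_processes() {
    processes_from_scratch_dirs | wc -l | tr -d ' '
}

# Live use on a lab host:
#   ps -eo pid,user,args | processes_from_scratch_dirs
printf '%s\n' "$SAMPLE_PS_OUTPUT" | processes_from_scratch_dirs
```

For each hit, `lsof -p PID` (section 16) shows which files and sockets the process holds, and `pstree -p PID` (section 15) shows what started it, which is usually enough to decide whether it is a legitimate build job or something to escalate.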


15. pstree

pstree - view a hierarchical tree structure of running processes

pstree

Documentation


16. lsof

lsof - list open files and the processes that are using them.

lsof

Documentation


17. strace

strace - trace system calls and signals for a running process.

strace

Documentation



18. htop

htop - interactive process monitoring tool with real-time CPU and memory usage statistics. It is a monitoring tool that you will likely need to install: sudo apt install htop.

Once installed, the tool is launched with the command below.

htop

Documentation


19. top

top - similar to htop, but with a simpler interface and fewer features.

The following command refreshes the statistics a specified number of times and then exits automatically. Here we specify 10 refreshes.

top -n 10

Documentation


20. tail

tail - view the last few lines of a file in real-time. By default, without any options, the last 10 lines are given.

The following command will display the last 20 lines of the file named myFile.txt.

tail -n 20 myFile.txt

Documentation
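The most common blue-team use of tail is watching an authentication log for the "unusual logins" named in the Defensive Activity above. The script below is an added example, not code from the original article: it reads auth.log-style lines on stdin, counts failed SSH password attempts per source address, and lists successful logins so they can be compared with the accounts and addresses expected on the host. The log lines are constructed, with addresses from the RFC 5737 documentation ranges; the /var/log/auth.log path and the journalctl fallback are assumptions about where the host writes sshd messages.

```shell
#!/bin/sh
# Added example (not from the original article): summarize SSH login
# failures and successes from auth.log-style lines. The lines below are
# constructed; the addresses are RFC 5737 documentation addresses.

SAMPLE_AUTH_LOG='Apr  6 10:02:11 kali sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Apr  6 10:02:13 kali sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Apr  6 10:02:15 kali sshd[1201]: Failed password for root from 203.0.113.9 port 51024 ssh2
Apr  6 10:05:40 kali sshd[1240]: Accepted publickey for kali from 192.0.2.10 port 40112 ssh2
Apr  6 10:07:02 kali sshd[1255]: Failed password for kali from 192.0.2.10 port 40120 ssh2'

# failed_logins_by_source [THRESHOLD]: read auth.log lines on stdin and print
# "ADDRESS COUNT" for every source with at least THRESHOLD (default 3)
# failed password attempts, busiest source first.
failed_logins_by_source() {
    min="${1:-3}"
    awk -v min="$min" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the word after "from"
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { fails[$(i + 1)]++; break }
            }
        }
        END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip] }
    ' | sort -k2,2nr
}

# accepted_logins: print "USER ADDRESS" for each successful login so the
# analyst can check both against the expected accounts and addresses.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
             for (i = 1; i <= NF; i++) if ($i == "for")  u = $(i + 1)
             for (i = 1; i <= NF; i++) if ($i == "from") a = $(i + 1)
             print u, a
         }'
}

# Batch review of recent history, then a live stream of new failures
# (assumes sshd logs to /var/log/auth.log; on a journald-only host use
# `journalctl -u ssh --no-pager | failed_logins_by_source 5` instead):
#   tail -n 500 /var/log/auth.log | failed_logins_by_source 5
#   tail -f /var/log/auth.log | grep --line-buffered "Failed password"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_source 3
printf '%s\n' "$SAMPLE_AUTH_LOG" | accepted_logins
```

Pick the threshold from the host's normal failure rate rather than a fixed number; a single mistyped password from a known admin address is noise, while a burst from an address that has never logged in successfully is worth an alert.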



Conclusion

Network and system monitoring are critical tasks that enable us to detect and prevent security threats in our digital infrastructure. By leveraging powerful Linux commands like those covered in this article, we can proactively monitor and protect our networks and systems against unauthorized access, malicious activity, and other potential cybersecurity risks. Whether you're a system administrator, IT professional, or security analyst, implementing a robust monitoring strategy can help you stay ahead of threats and ensure the security and integrity of your organization's digital assets.


Frequently Asked Questions (FAQ)


Q1: What is network and system monitoring?

A1: Network and system monitoring involves the continuous monitoring and analysis of network infrastructure, devices, and systems to ensure their availability, performance, and security. It provides real-time visibility into network traffic, system health, and potential security incidents.

Q2: Why is network and system monitoring important for cybersecurity?

A2: Network and system monitoring is crucial for cybersecurity for several reasons:

  • Early threat detection: Monitoring allows the identification of suspicious activities, anomalies, and potential security breaches, enabling timely response and mitigation.

  • Performance optimization: Monitoring helps identify network bottlenecks, resource utilization issues, and system vulnerabilities, allowing for proactive optimization and better overall performance.

  • Compliance requirements: Many regulations and standards mandate regular monitoring and log retention to ensure compliance with security and data protection requirements.

Q3: What are the key benefits of network and system monitoring?

A3: The key benefits of network and system monitoring include:

  • Improved security: Monitoring helps detect and respond to security incidents promptly, reducing the potential impact of attacks and minimizing data breaches.

  • Enhanced system performance: Monitoring enables proactive identification and resolution of performance issues, improving network speed, reliability, and uptime.

  • Better resource allocation: Monitoring provides insights into resource utilization, allowing for efficient allocation and optimization of network and system resources.

  • Compliance adherence: Monitoring facilitates meeting regulatory and compliance requirements by generating audit trails, logs, and reports.

Q4: What are some common network and system monitoring tools?

A4: There are various network and system monitoring tools available, including:

  • Nagios: A widely-used open-source monitoring tool that offers comprehensive monitoring and alerting capabilities for networks, systems, and applications.

  • Zabbix: An enterprise-grade monitoring solution that provides real-time monitoring, alerting, and visualization features for networks, servers, and applications.

  • SolarWinds Network Performance Monitor: A commercial solution for monitoring network infrastructure, providing deep insights into network performance and traffic analysis.

  • Prometheus: An open-source monitoring and alerting toolkit focused on gathering metrics and event data from various systems.

  • Splunk: A powerful log management and analysis platform that allows organizations to monitor and gain insights from logs generated by various systems and applications.

Q5: What should be monitored in network and system monitoring?

A5: Key elements to monitor in network and system monitoring include:

  • Network traffic and bandwidth utilization

  • System and server performance metrics (CPU, memory, disk usage)

  • Security events and logs (firewall logs, intrusion detection system alerts)

  • Application performance and availability

  • Network devices (routers, switches) and their configurations

  • User activity and access logs

Q6: What are some best practices for network and system monitoring?

A6: Best practices for network and system monitoring include:

  • Defining monitoring objectives and requirements based on business needs.

  • Selecting appropriate monitoring tools and technologies that align with organizational requirements.

  • Implementing proactive alerting and notification mechanisms for timely incident response.

  • Regularly reviewing and analyzing monitoring data to identify trends, patterns, and potential issues.

  • Conducting regular audits and assessments of monitoring systems to ensure their effectiveness and accuracy.

Q7: Is network and system monitoring only relevant for large organizations?

A7: Network and system monitoring is beneficial for organizations of all sizes. While larger organizations may have more complex environments and higher volumes of data to monitor, even small and medium-sized businesses can benefit from monitoring to enhance security, performance, and compliance.

Q8: Can network and system monitoring be automated?

A8: Yes, network and system monitoring can be automated using various tools and technologies. Automation enables continuous monitoring, alerting, and reporting, reducing manual efforts and ensuring timely detection and response to potential issues or threats.

Q9: Are there any certifications available for network and system monitoring?

A9: While there may not be certifications specifically dedicated to network and system monitoring, certifications such as Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA) cover topics related to monitoring as part of broader cybersecurity domains.

Q10: What are some considerations for privacy and data protection in network and system monitoring?

A10: When conducting network and system monitoring, it is important to consider privacy and data protection regulations. Ensure that monitoring practices comply with applicable laws, protect sensitive information, and adhere to privacy guidelines to maintain data confidentiality and user privacy.