Cool Halo Trick #9: Detecting unexpected process binding on your servers

Problem: You want to ensure legitimate applications are holding open listening ports

Step 1.

Create a “Network Service Processes” configuration check which determines if an open port on a given network interface of the server is bound to a specific software process.

In the check, to uniquely identify a port, specify the network interface, the Internet transport protocol and the port number. For the listening process, list the service name of the process.

Step 2.

Add the check to your policy and anytime a configuration scan is run it should show a “fail” if the interface and port combination in the check is found to be bound to a process other than the one specified.

You can also check the “alert” check box, so if you’ve set up Halo Logging and Alerting, you will receive a alert if the configuration check fails and any unexpected process is bound to the specified port(s).

Stay up to date

Get the latest news and tips on protecting critical business assets.

Related Posts