LinuxQuestions.org
Old 07-24-2016, 03:48 AM   #1
dlol
LQ Newbie
 
Registered: May 2016
Posts: 3

Rep: Reputation: Disabled
taking care of an inherited centos server


Hi everybody,

I guess many of you had the situation where you inherit a linux (centos) server that someone else set up, without additional documentation...
My question is - what is the best way to analyze this server - the software that is installed and prevent possible issues?
Is there a tool that can scan the server and give you an overview of the linux server?

Thank you in advance.
 
Old 07-24-2016, 05:51 AM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
format it.
 
Old 07-24-2016, 06:01 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by dlol View Post
(..) what is the best way to analyze this server - the software that is installed and prevent possible issues?
I'll give you some questions to ponder like I would inspect a "suspect" machine, but IMHO the single most efficient way ultimately is having it combed over manually by a seasoned admin, period.

- Where does the machine reside ownership, network, monitoring and IDS-wise?
- What's the type (phys. HW, VM, other).
- What's the role of this machine?
- What's this machine's relationship with adjacent machines (as you should never assume those are clean too).
- Is the machine subject to any form of monitoring / auditing and what do those log entries say?
- Are there any documented past problems?
- What's the system and daemon log retention?
- Same for backups?
- What's the Linux release and Update version?
- What's the last time updates were installed?
- Which kernel, kernel modules, subsystems, files are not part of RPM?

Answering those questions in detail may help paint a picture of how much effort should be invested. If you post detailed information here I'm sure we can help suggest a course of action.


Depending on what's installed and running, log retention, availability of backups etcetera I'd at least run:

/bin/rpm --nodeps --noscripts --notriggers -Vva 2>&1|/bin/grep -v "\.\{8\}";

(You may want to first run 'rpm -V' on init, procutils, openssh-server and such before continuing.)

Run all system and daemon logs through Logwatch with the "--detail High --service All --range All --archives --numeric --save /path/to/logwatch.log" args. (If the first rpm command made you suspicious by all means siphon all logs off of the system and continue on a known clean machine.)

And some std commands like:

/bin/ps axfwwwe -opid,ppid,gid,uid,args
/usr/sbin/lsof -Pwln
/bin/netstat -anTpe
/usr/bin/lastlog
/usr/bin/last -wai
/usr/bin/who -a
/sbin/iptables-save

Next to Logwatch you could, depending on machine role, exposure, suspicion and where applicable also run LMD (Linux Malware Detect), Rootkit Hunter and other tools.



Quote:
Originally Posted by dlol View Post
Is there a tool that can scan the server and give you an overview of the linux server?
There is no single tool that will efficiently provide you with the all-encompassing info you seek. I emphasise the single most efficient way ultimately is having it combed over manually by a seasoned admin.
 
1 members found this post helpful.
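
An added example, not part of unSpawn's post: a shell function that sorts the output of the `rpm -Vva` command above by what changed, so a modified packaged binary stands out from an edited config file. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage `rpm -Va` output read on stdin.
# The flag column is positional, "SM5DLUGTP": size, mode, digest, device,
# link, user, group, mtime, capabilities. Older rpm prints only 8 columns.
triage_rpm_verify() {
    awk '
    {
        flags = $1
        if (flags != "missing" &&
            !(length(flags) >= 8 && flags ~ /^[SM5DLUGTP.?]+$/)) next
        if (flags ~ /^\.+$/) next            # unchanged, listed because of -v

        # Strip the flag column, then the optional one-letter file attribute
        # (c config, d doc, g ghost, l license, r readme); keeps spaces in paths.
        path = $0; attr = ""
        sub(/^[^ ]+ +/, "", path)
        if (path ~ /^[cdglr] +\//) { attr = substr(path, 1, 1); sub(/^[cdglr] +/, "", path) }

        if (flags == "missing")            { level = "MISSING"; flags = "-" }
        else if (flags ~ /5/ && attr == "c") level = "CONFIG"   # edited config file
        else if (flags ~ /5/ && path ~ /^\/(usr\/)?(s?bin|lib(64)?)\//)
                                             level = "BINARY"   # look here first
        else if (flags ~ /5/)                level = "CONTENT"
        else if (flags ~ /[MUG]/)            level = "PERMS"
        else                                 level = "META"     # e.g. mtime only
        print level, flags, path
    }'
}

# Constructed sample in rpm -Va layout; no real host was examined.
sample_rpm_verify() {
    cat <<'EOF'
.........    /usr/bin/less
S.5....T.  c /etc/ssh/sshd_config
..5....T.    /usr/sbin/sshd
.M.......    /var/spool/mail
missing      /usr/share/doc/foo-1.0/README
.......T.  d /usr/share/doc/bar/NEWS
EOF
}

sample_rpm_verify | triage_rpm_verify
```

On a live system the same function takes the real output: `rpm -Va 2>&1 | triage_rpm_verify | sort`.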
Old 07-24-2016, 06:02 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Habitual View Post
format it.
With all due respect, on what information provided do you base your opinion? Besides one does not learn anything from doing that...
 
Old 07-24-2016, 01:49 PM   #5
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn View Post
With all due respect on what information provided to you base your opinion? Besides one does not learn anything from doing that...
My answer was flip and perhaps shallow.
If it were me?
I'd off-line the original, dd image the disk and load that resulting image into a controlled environment,
Then analyze the controlled environment.

Failing that
Code:
sudo rpm -qa > file.txt
will show him what's installed.
Code:
less file.txt
shows him what's in the file.

How to use RPM Commands

Sorry, I'm an ass sometimes.
 
Old 07-24-2016, 02:34 PM   #6
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,634

Rep: Reputation: 7965
Quote:
Originally Posted by dlol View Post
Hi everybody,
I guess many of you had the situation where you inherit a linux (centos) server that someone else set up, without additional documentation...
My question is - what is the best way to analyze this server - the software that is installed and prevent possible issues?
Is there a tool that can scan the server and give you an overview of the linux server?
unSpawn gave good advice. There is no single tool to give you an overview of a Linux server, any more than there is for a Windows or Mac machine. That said, the first step I'd take, would be to see what network ports are open and listening. This will tell you what services are running on the box:
Code:
sudo netstat -tulpn
From there, you can see the services, like ntpd, dhcpd, CUPS, httpd, etc. After that, you have a starting point...since you know what version/distro of Linux you're running, you could look up how to configure such services as NTP, HTTPD, etc., and find out where the config files are, and start building your reference guide.

EDIT: Upon further thought, I'll add one more thing to this. Do NOT power it off or reboot it, if you can help it, until you *KNOW* what's going on. Sometimes, other servers/services depend on that box. For example, you may only see a single database instance running, but that may drive 5 other web servers for a variety of different things. And for all you know at this point, the DB mounts are on some network share, that does NOT remount automatically. Get a good look at what drives are mounted where (type in "mount") and do an "ifconfig -a" to see all of the network address(es) and interfaces. Sadly, the best way to tinker with such a box is usually after working hours on a Friday night.

If you step in something, you have a LOT of time to make it right again, before Monday morning....

Last edited by TB0ne; 07-24-2016 at 03:21 PM.
 
Old 07-26-2016, 11:04 PM   #7
JJJCR
Senior Member
 
Registered: Apr 2010
Posts: 2,150

Rep: Reputation: 449
Quote:
Originally Posted by dlol View Post
Hi everybody,

I guess many of you had the situation where you inherit a linux (centos) server that someone else set up, without additional documentation...
My question is - what is the best way to analyze this server - the software that is installed and prevent possible issues?
Is there a tool that can scan the server and give you an overview of the linux server?

Thank you in advance.
Check packages installed.
Check running services.
Check firewall for open ports.
Ask the people in your environment, what they benefit from your using the CentOS. I'm sure someone knows about it, so roughly you will have an idea.

Or clone the server, load the copy of the clone to a virtual machine, then mess it up. So you will know what's inside the server.
 
All times are GMT -5. The time now is 06:56 AM.