Keep an Eye on Your Linux Systems with Netstat
Using Netstat For Surveillance And Troubleshooting
Two of the fundamental aspects of Linux system security and troubleshooting are knowing what services are running, and what connections and services are available. We're all familiar with ps for viewing active services. netstat goes a couple of steps further, and displays all available connections, services, and their status. It shows one type of service that ps does not: services run from inetd or xinetd, because inetd/xinetd start them up on demand. If the service is available but not active, such as telnet, all you see in ps is either inetd or xinetd:
$ ps ax | grep -E 'telnet|inetd'
  520 ?        Ss     0:00 /usr/sbin/inetd
netstat shows telnet sitting idly, waiting for a connection:
$ netstat --inet -a | grep telnet
tcp        0      0 *:telnet                *:*                     LISTEN
This netstat invocation shows all activity:
$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:ipp                   *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 192.168.1.5:32851       nest.anthill.echid:ircd ESTABLISHED
udp        0      0 *:ipp                   *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     1065   /tmp/ksocket-carla/klaunchertDCh2b.slave-socket
unix  2      [ ACC ]     STREAM     LISTENING     1002   /tmp/ssh-OoMGfFm666/agent.666
unix  2      [ ACC ]     STREAM     LISTENING     819    private/smtp
Your total output will probably run to a couple hundred lines. (A fun and quick way to count lines of output is netstat -a | wc -l.)
You can ignore everything under "Active UNIX domain sockets." Those are
local inter-process communications, not network connections. To avoid
displaying them at all, do this:
$ netstat --inet -a
This will display only network connections, both listening and established. Already netstat has earned its keep--both the telnet and smtp services are running. This is bad, because I don't want to have either a telnet or smtp server running on this machine. So now I know I need to turn them off, and re-configure my startup files so they won't start at boot.
How do you know what services you want running? That is a mondo subject for another day, and an important one. For example, if your system has been compromised, this is one place to find evidence of a Trojan horse or other malware phoning home. In this example, ipp is Internet Printing Protocol, which belongs to CUPS (Common Unix Printing System). If you want your printer to work, this needs to be here. The connection on 192.168.1.5:32851 is my active IRC (Internet Relay Chat) connection.
Refer to your /etc/services file to learn more about TCP and UDP ports, and the services assigned to them.
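To turn the manual check above into something repeatable, here is an added example (not from the original article) that audits the LISTEN lines of netstat --inet -a against a list of services you expect on the host. The netstat output and the allowlist are constructed for the example; in practice you would pipe in live output and maintain the allowlist per machine.

```shell
#!/bin/sh
# Constructed sample of `netstat --inet -a` output, based on the article's listing.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:ipp                   *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 192.168.1.5:32851       nest.anthill.echid:ircd ESTABLISHED
udp        0      0 *:ipp                   *:*'

# Hypothetical allowlist: services this host is supposed to offer (CUPS and sshd).
ALLOWED='ipp ssh'

# list_listeners: read netstat output on stdin, print "proto service" for each
# TCP socket in LISTEN state and each bound UDP socket (UDP has no State column,
# so any UDP line is a listener). The service is the last ":"-separated part of
# the Local Address column, which also works for IPv6 addresses.
list_listeners() {
    awk '$1 == "tcp" && $6 == "LISTEN" { n = split($4, a, ":"); print $1, a[n] }
         $1 == "udp"                   { n = split($4, a, ":"); print $1, a[n] }'
}

# unexpected_listeners: $1 = netstat output, $2 = space-separated allowlist.
# Prints one "proto service" line per listener that is not on the allowlist.
unexpected_listeners() {
    printf '%s\n' "$1" | list_listeners | while read -r proto svc; do
        case " $2 " in
            *" $svc "*) ;;                              # expected, stay quiet
            *) printf '%s %s\n' "$proto" "$svc" ;;      # flag it for review
        esac
    done
}

# On the sample this reports telnet and smtp, the two services the article
# found running that it did not want.
unexpected_listeners "$SAMPLE" "$ALLOWED"
```

For a live check, replace the sample with `netstat --inet -a` output, e.g. `unexpected_listeners "$(netstat --inet -a)" "$ALLOWED"`.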