Check all connections linux

List all internet connections

I’d like to know all the connections my system is making to the internet. I tried netstat but that shows a lot of connections — all of which aren’t applicable I think. Can it be displayed like top does for processes? I’m a little security conscious and would like to know all the incoming and outgoing connections happening on my system.

2 Answers

Using netstat

netstat by itself monitors all major protocols including TCP and UDP on every port.

If you want to display TCP and UDP connections:

If you want to display that continuously:

Similar to top:

  1. nethogs — shows a list of the top processes that use bandwidth
  2. jnettop — shows list of top connections
  3. iftop — shows list of top connections with bandwidth bars

GUI Interface (just in case):

You may try ss as well, it’s more advanced than netstat.

List all TCP connections (including those with non-established state, e.g. SYN-SENT, LISTEN, and TIME-WAIT). Read more about TCP states transition in RFC793.

    State       Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
    LISTEN      0       4096    127.0.0.1:5672       0.0.0.0:*
    ESTAB       0       0       192.168.1.4:57310    35.157.63.229:443
    ESTAB       0       0       127.0.0.1:43764      127.0.0.1:8080
    CLOSE-WAIT  1       0       192.168.1.4:34554    142.250.186.33:443
    CLOSE-WAIT  1       0       192.168.1.4:34564    142.250.186.33:443

Include information about the owner process of the connections (e.g., process name and PID)

Display all established SSH connections.

List all the TCP sockets in state FIN-WAIT-1 for network 193.233.7/24 and look at their timers with --options, which shows timer information.


6 commands to check and list active SSH connections in Linux

This article covers how to check and list the currently active SSH connections and sessions on any Linux node, which tools can be used to do so, and how to check SSH connection history using log files.


Check active SSH connections

Linux offers various commands and tools to check active SSH connections or sessions on your node. In this article I will share a list of tools that can be used to list active SSH connections. If you are aware of any more commands to show active SSH sessions, please let me know via the comment section.

1. Using ss command

ss is used to dump socket statistics. It shows information similar to netstat and can display more TCP and state information than other tools. We will use grep to filter its output down to the active SSH sessions on our local host.

    [root@node3 ~]# ss | grep -i ssh
    tcp    ESTAB      0      0      10.0.2.32:ssh      10.0.2.31:37802
    tcp    ESTAB      0      64     10.0.2.32:ssh      10.0.2.2:49966
    tcp    ESTAB      0      0      10.0.2.32:ssh      10.0.2.30:56088

From the above example we know that three hosts are currently connected to our node3. We have active SSH connections from 10.0.2.31, 10.0.2.30 and 10.0.2.2.


2. Using last command

last searches back through the file /var/log/wtmp (or the file designated by the -f flag) and displays a list of all users logged in (and out) since that file was created. Names of users and tty’s can be given, in which case last will show only those entries matching the arguments.

This command also shows which user account each SSH connection was made with. In the output below, the connection from 10.0.2.31 was made as user ‘deepak’, while the other two hosts connected to node3 as ‘root’.

    [root@node3 ~]# last -a | grep -i still
    deepak   pts/1        Fri May 31 16:58   still logged in    10.0.2.31
    root     pts/2        Fri May 31 16:50   still logged in    10.0.2.30
    root     pts/0        Fri May 31 09:17   still logged in    10.0.2.2

Here I am grepping for the string "still" to match all lines containing "still logged in". So now we know we have three active SSH connections from 10.0.2.31, 10.0.2.30 and 10.0.2.2.

3. Using who command

who is used to show who is logged on to your Linux host. This tool can also give this information.

    [root@node3 ~]# who
    root     pts/0        2019-05-31 09:17 (10.0.2.2)
    root     pts/1        2019-05-31 16:47 (10.0.2.31)
    root     pts/2        2019-05-31 16:50 (10.0.2.30)

This gives similar information to the last command: the user account each source host used to connect to node3, plus the terminal on which the session is still active.

4. Using w command

w displays information about the users currently on the machine and their processes. It gives more information than the who and last commands and also serves our purpose of listing active SSH connections. Additionally, it shows the process running in each session.

The w command also reports idle time, i.e. how long each session has been idle. An SSH session that stays idle for a long period is a security risk, and it is recommended that such idle sessions be killed; you can configure your Linux host to automatically kill idle SSH sessions.

    [root@node3 ~]# w
     17:01:41 up  7:44,  3 users,  load average: 0.00, 0.01, 0.05
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    root     pts/0    10.0.2.2         09:17    9:41   0.31s  0.00s less -s
    deepak   pts/1    10.0.2.31        16:58    3:06   0.03s  0.03s -bash
    root     pts/2    10.0.2.30        16:50    5.00s  0.07s  0.02s w
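To act on the idle-time advice above, the IDLE column has to be converted to seconds first, because w prints it in four different formats. The following is an added example, not part of the original article; the function name idle_sessions, the 300-second threshold and the "backup" line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag sessions whose IDLE time in `w -h` output exceeds a limit.
# Assumes the FROM column is shown, so IDLE is the fifth field.

idle_sessions() {
    # $1 = threshold in seconds; prints "user tty from idle_seconds"
    awk -v limit="$1" '
        # IDLE formats printed by w: 5.00s, 9:41 (min:sec), 1:12m (hr:min), 2days
        function idle_seconds(s,   p) {
            if (s ~ /days$/) return (s + 0) * 86400
            if (s ~ /m$/) { split(s, p, ":"); return p[1] * 3600 + p[2] * 60 }
            if (s ~ /s$/) return int(s + 0)
            split(s, p, ":")
            return p[1] * 60 + p[2]
        }
        { secs = idle_seconds($5); if (secs >= limit) print $1, $2, $3, secs }
    '
}

# The three sessions from the article's w output, plus one constructed line
# (user "backup") to exercise the hour:minute format.
sample_w_output() {
    cat <<'EOF'
root     pts/0    10.0.2.2     09:17    9:41   0.31s  0.00s less -s
deepak   pts/1    10.0.2.31    16:58    3:06   0.03s  0.03s -bash
root     pts/2    10.0.2.30    16:50    5.00s  0.07s  0.02s w
backup   pts/3    10.0.2.40    15:40    1:12m  0.01s  0.01s -bash
EOF
}

# On a live host: w -h | idle_sessions 300
sample_w_output | idle_sessions 300
```

With a 300-second limit only root on pts/0 and the constructed backup session are reported; deepak at 3:06 stays below the threshold.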

5. Using netstat command

Similar to ss, the netstat command can show active SSH sessions; ss can be regarded as the newer replacement for netstat. Here we can see all the ESTABLISHED SSH sessions from remote hosts to our localhost node3. It is also possible that some of these active SSH connections are in a hung state, so you can configure your host to automatically disconnect or kill hung or unresponsive SSH sessions.

    [root@node3 ~]# netstat -tnpa | grep 'ESTABLISHED.*sshd'
    tcp        0      0 10.0.2.32:22      10.0.2.31:37806     ESTABLISHED 10295/sshd: deepak
    tcp        0      0 10.0.2.32:22      10.0.2.2:49966      ESTABLISHED 4329/sshd: root@pts
    tcp        0      0 10.0.2.32:22      10.0.2.30:56088     ESTABLISHED 10125/sshd: root@pt

6. Using ps command

For showing active SSH sessions, ps may not give results as accurate as the other commands discussed in this article, but it gives some additional information, i.e. the PIDs of the sshd processes that are currently active and connected.

    # ps auxwww | grep sshd: | grep -v grep
    root      4329  0.0  0.1 154648  5512 ?        Ss   09:17   0:00 sshd: root@pts/0
    root     10125  0.0  0.1 154648  5532 ?        Ss   16:50   0:00 sshd: root@pts/2
    root     10295  0.0  0.1 154648  5480 ?        Ss   16:58   0:00 sshd: deepak [priv]
    deepak   10301  0.0  0.0 156732  2964 ?        S    16:58   0:00 sshd: deepak@pts/1

Check ssh connection history

To get the SSH connection history you can always check your sshd logs for more information on connected or disconnected SSH sessions. The sshd log file location may vary from distribution to distribution. On my RHEL 7.4 my sshd logs are stored inside /var/log/sshd.


Lastly, I hope the steps in this article to check active SSH connections and SSH connection history in Linux were helpful. Let me know your suggestions and feedback using the comment section.


How can I monitor all outgoing requests/connections from my machine?

My machine is a server so I want to ignore connections being made to my server (e.g. when someone visits my website). I want to see only connections/requests being made by my server to other places. How do I see only those outgoing connections? EDIT: I’m new to these type of things. What I’m trying to do is just see if anything from my server is being sent out other than data for my web apps. For example, if someone visits my websites, then obviously my server will send out data to the client’s browser. But suppose there’s also code somewhere in my web app’s framework that sends statistical data to somewhere else I’m not aware of. I’d like to see those places my server is sending data to, if any. It’s probably not likely, but suppose you decide to use a php or nodejs framework that you didn’t write: there’s a small chance it may send some type of data somewhere. If so, that’s what I’d like to see.

7 Answers

    $ netstat -nputw
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    [...]
    tcp        0      0 192.168.25.222:22       192.168.0.134:42903     ESTABLISHED 32663/sshd: gert [p

lists all UDP (u), TCP (t) and RAW (w) outgoing connections (not using l or a) in a numeric form (n, prevents possible long-running DNS queries) and includes the program (p) associated with that.

Consider adding the c option to get output being updated continuously.

Completely inappropriate hijack (except that this answer googled well): This answer works with Windows as well. To use netstat in "continuous mode" there, -c doesn’t work. You use numbers instead, like netstat -na 1 | find "[Scan_Host_IP_Addr]" for it to update every 1 second (in this example). (source).

Is there a way to display more user-friendly information such as domain names, info about the ip? Perhaps using a custom script?

@awm Well, that would be doable with strace on the process, filtering for nameserver lookups (no details, this is not a full answer to it). Alternatively, you could show the reverse DNS of the IPs listed in netstat by omitting the n option included in my answer.


I’ve tried a bunch of tools, including iftop, ntop, iptraf, and of course the very useful built-in netstat -tupln (supported options are OS-dependent), but the most practical for my use case turned out to be nethogs — it aggregates connections by the originating app, and is the least noisy of all.

sudo apt-get install nethogs 

If your goal is to just see all TCP connections initiated by any app then you could use:

sudo tcpdump -i lo -A | grep Host: 

If you just want to log every connection attempt, the easiest is probably iptables LOG target on Linux (or the equivalent firewall logging feature on your system).

If you need more information like duration of the connection and amount of data exchanged in both directions, then conntrackd (on Linux) is probably the best option.

However, note that those two above only log the traffic that goes through netfilter, which is generally all the traffic but doesn’t account for traffic generated with IP stacks in user space (like virtual machines or anything using raw sockets) or bridged traffic.

For more general solutions, you can have a look at things like argus, bro-ids, sancp or ntop that log all sorts of information based on traffic they sniff on an interface.

tcpdump allows you to see all IP traffic flowing to/from a specific interface with the ability to filter based on certain criteria. tcpdump is typically installed on most *nix systems by default, if not there’s usually a port somewhere to grab it for your specific distro.

What I think you want to do is get a list of listening ports and then remove them from any other TCP connections, then that will be all of the outgoing connections. The ss (socket status) command outputs "Local Address:Port" and "Peer Address:Port" columns, we need to remove the listening ports from the "Local Address:Port" column and not the "Peer Address:Port" column, otherwise you may miss some outgoing connections. So to achieve that I’m using \s+ behind the ":$port" string in the grep to match on the spaces that exist behind the "Local Address:Port" column; that column has two or more white spaces behind it, where the "Peer Address:Port" has one space and then a newline (grrr... should just have a newline, IMO, then I could have used \s+ instead of \s+ .)

Normally I might try to use the filtering functionality of ss, like with ss -tn state established '(sport != : and sport !=:)' src . But it appears there is a limit on how long that string can be, it bombed out on a system where I had a lot of listening ports. So I’m trying to do the same thing with grep. I believe the following will work:

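    # Collect the listening ports into one alternation such as ":22\s+|:443\s+".
    # $4 is the field the note below refers to; use whichever field holds Local Address:Port in your ss output.
    FILTER=$(ss -tn state listening | gawk 'NR > 1 {n=split($4,A,":"); B[NR-1]=A[n]} END {for (i=1; i<length(B); i++) printf ":%s\\s+|", B[i]; printf ":%s\\s+", B[i]}')
    ss -tn state established dst :* | grep -P -v "$FILTER"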

Note this depends on the version of ss you’re using; older versions (like: ss utility, iproute2-ss111117) have a different output format, so you may have to use $3 instead of $4 in awk. Note also that ss -tln and ss -tn state listening give you different output, which is a little counter-intuitive to me. YMMV.

I found a slightly more elegant solution that doesn’t require knowing host’s IP, ss -tn state established dst :* works well, I modified the command lines above.
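The same idea as the answer above (drop every established connection whose local port is also a listening port), written as an added example that is not the answerer's code. It reads one combined `ss -Htan` listing, so the column layout is fixed and no regex has to be built; the function names and the sample addresses (documentation ranges) are assumptions.

```shell
#!/bin/sh
# Added example: list established TCP connections this host initiated.
# Input layout is that of `ss -Htan`: State Recv-Q Send-Q Local Peer.

outgoing_connections() {
    awk '
        # The port is whatever follows the last colon (works for 0.0.0.0:22 and [::]:22).
        function port(addr,   n, parts) { n = split(addr, parts, ":"); return parts[n] }
        $1 == "LISTEN" { listening[port($4)] = 1; next }
        $1 == "ESTAB"  { local[++count] = $4; peer[count] = $5 }
        END {
            # Evaluated at the end so the order of LISTEN and ESTAB lines does not matter.
            for (i = 1; i <= count; i++)
                if (!(port(local[i]) in listening))
                    print local[i], "->", peer[i]
        }
    '
}

# Constructed sample input (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
ESTAB 0 0 192.0.2.10:22 198.51.100.7:49966
ESTAB 0 0 192.0.2.10:443 203.0.113.5:51812
ESTAB 0 0 192.0.2.10:57310 203.0.113.80:443
ESTAB 0 0 192.0.2.10:34554 198.51.100.25:5432
EOF
}

# On a live host: ss -Htan | outgoing_connections
sample_ss_output | outgoing_connections
```

Only the two connections from ephemeral local ports are printed; the inbound SSH and HTTPS sessions are dropped because their local ports are in the listening set.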
