Braindump

netstat command and shell pipe feature can be used to dig out more information about particular IP address connection. You can find out total established connections, closing connection, SYN and FIN bits and much more. You can also display summary statistics for each protocol using netstat.

This is useful to find out if your server is under attack or not. You can also list abusive IP address using this method.

# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n

Output:

1 CLOSE_WAIT 1 established)
1 Foreign
3 FIN_WAIT1
3 LAST_ACK
13 ESTABLISHED
17 LISTEN
154 FIN_WAIT2
327 TIME_WAIT

Dig out more information about a specific ip address:

# netstat -nat |grep {IP-address} | awk '{print $6}' | sort | uniq -c | sort -n

2 LAST_ACK 2 LISTEN
4 FIN_WAIT1
14 ESTABLISHED
91 TIME_WAIT
130 FIN_WAIT2

Busy server can give out more information:

# netstat -nat |grep 202.54.1.10 | awk '{print $6}' | sort | uniq -c | sort -n

Output:

15 CLOSE_WAIT 37 LAST_ACK
64 FIN_WAIT_1
65 FIN_WAIT_2
1251 TIME_WAIT
3597 SYN_SENT
5124 ESTABLISHED

Get List Of All Unique IP Address To print list of all unique IP address connected to server, enter:

# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq

To print total of all unique IP address, enter:

# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq | wc -l

Output:

449

Find Out If Box is Under DoS Attack or Not If you think your Linux box is under attack, print out a list of open connections on your box and sorts them by according to IP address, enter:

# netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n

Output:

1 10.0.77.52 2 10.1.11.3
4 12.109.42.21
6 12.191.136.3
.....
...
....
13 202.155.209.202
18 208.67.222.222
28 0.0.0.0
233 127.0.0.1

You can simply block all abusive IPs using iptables or just null route them.
Get Live View of TCP Connections

You can use tcptrack command to display the status of TCP connections that it sees on a given network interface. tcptrack monitors their state and displays information such as state, source/destination addresses and bandwidth usage in a sorted, updated list very much like the top command.
Display Summary Statistics for Each Protocol

Simply use netstat -s:

# netstat -s | less # netstat -t -s | less
# netstat -u -s | less
# netstat -w -s | less
# netstat -s

Output: Ip:

88354557 total packets received 0 forwarded
0 incoming packets discarded
88104061 incoming packets delivered
96037391 requests sent out
13 outgoing packets dropped
66 fragments dropped after timeout
295 reassemblies required
106 packets reassembled ok
66 packet reassembles failed
34 fragments failed

Icmp:

18108 ICMP messages received 58 input ICMP message failed.
ICMP input histogram:
destination unreachable: 7173
timeout in transit: 472
redirects: 353
echo requests: 10096
28977 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 18881
echo replies: 10096

Tcp:

1202226 active connections openings 2706802 passive connection openings
7394 failed connection attempts
47018 connection resets received
23 connections established
87975383 segments received
95235730 segments send out
681174 segments retransmited
2044 bad segments received.
80805 resets sent

Udp:

92689 packets received 14611 packets to unknown port received.
0 packet receive errors
96755 packets sent

TcpExt:

48452 invalid SYN cookies received 7357 resets received for embryonic SYN_RECV sockets
43 ICMP packets dropped because they were out-of-window
5 ICMP packets dropped because socket was locked
2672073 TCP sockets finished time wait in fast timer
441 time wait sockets recycled by time stamp
368562 delayed acks sent
430 delayed acks further delayed because of locked socket
Quick ack mode was activated 36127 times
32318597 packets directly queued to recvmsg prequeue.
741479256 packets directly received from backlog
1502338990 packets directly received from prequeue
18343750 packets header predicted
10220683 packets header predicted and directly queued to user
17516622 acknowledgments not containing data received
36549771 predicted acknowledgments
102672 times recovered from packet loss due to fast retransmit
Detected reordering 1596 times using reno fast retransmit
Detected reordering 1 times using time stamp
8 congestion windows fully recovered
32 congestion windows partially recovered using Hoe heuristic
19 congestion windows recovered after partial ack
0 TCP data loss events
39951 timeouts after reno fast retransmit
29653 timeouts in loss state
197005 fast retransmits
186937 retransmits in slow start
131433 other TCP timeouts
TCPRenoRecoveryFail: 20217
147 times receiver scheduled too late for direct processing
29010 connections reset due to unexpected data
365 connections reset due to early user close
6979 connections aborted due to timeout

Display Interface Table You can easily display dropped and total transmitted packets with netstat for eth0:

# netstat --interfaces=eth0

Output:

Kernel Interface table Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 2040929 0 0 0 3850539 0 0 0 BMRU

Posted by Mario at 11:59 AM | Permalink | Comments (6460)

LiSt Open Files (LSOF) is a Linux utility that allows you to view current network connections and the files associated with them.

LSOF provides verbose output and is useful in tracking down all sorts of information. For example, it allows you to see what program is operating on an open port, which daemons have established connections, and what ports are open on your server.

While similar in many ways to utilities like netstat and fuser, LSOF has many unique options that let you find specific information on ports, users, processes, and files.

Getting and installing LSOF

On many Linux systems, LSOF will be installed by default. Try running lsof -v to see whether the program exists on your system. If it doesn't, you will need to download one of the many packages available and install it yourself. Source and binary versions are available here, while distribution-specific packages are available from locations such as Rpmfind.net and are included in databases for apt-get, up2date, and urpmi.

If you are installing from source, download the tarball and perform these commands:

tar xpfz lsof_4.64.tar.gz
cd lsof_4.64
tar xpf lsof_4.64_src.tar
cd lsof_4.64_src
./Configure linux make

During the configuration, you have the option of running an inventory to verify that all the files necessary for compilation are present. You will be asked if you want to customise the installation. This shouldn't be necessary on most Linux platforms, so answering no is fine. If you encounter any problems running LSOF later, you may want to come back and try some customisation. Customisation may also be needed if you upgrade or modify your kernel.

After running make, the executable lsof should appear in the directory. There is no default make install rule, so you can create your own or just copy lsof to your directory of choice. Keep in mind that you may need to modify its permissions to be setuid-root if you want regular users to be able to see all open files. Not that this is necessarily recommended, but it's good to remember, since the output generated when LSOF is run as root will be different from the output generated when it's run by a normal user account.

Looking at network connections

As its name indicates, LSOF deals with open files on a Linux system. An open file can be a regular file, a directory, a library, a stream, or a network socket. You can take advantage of various LSOF options, depending on what you're looking for.

Running lsof by itself will output all open files corresponding to every active process on the box. This can be quite lengthy, so it's best to know what you are looking for in advance. You can get a quick rundown of the options with lsof -h, and the man page goes into much further detail. Let's take a look at some common switches and what they will show us.

lsof -i

The lsof -i command lists all open files associated with Internet connections. It is similar in format to netstat -a -p and will look something like Listing A.

By default, LSOF lists detailed information about each connection. In Listing A, we see the command or program involved, the process ID (PID), the user running the command, the file descriptor (FD), the type of connection, the device number, the Internet protocol, and the name of the file or Internet address. The -i option can be useful when you're attempting to secure your Linux box. You can quickly determine what ports are open and listening for incoming connections. LSOF will also associate them with a program name. Thus, you can quickly identify unnecessary security risks and shut them down.

Ports that are awaiting connections have the keyword LISTEN appended to them. These are ports that are open and accepting connections. Note that LSOF will not distinguish between ports that are completely open and ones that have filters applied. The keyword ESTABLISHED indicates that a connection on the given port has been made. In Listing A, there is an SSH session from labrat.remote.net to test.com. You can see multiple processes associated with the sshd daemon. The main daemon, PID 597, handles incoming requests and forks itself as needed. PID 8545 was spawned by sshd and is responsible for the 8547 process. The only noticeable difference between 8545 and 8547, besides the PID, is in the user field. Notice that lhutz is the user who has remotely logged in to this box. This is useful information that goes beyond merely presenting network connections.

You can narrow your search by specifying a particular port, service, or host name using techniques such as:

lsof -i :587
lsof -i :smtp
lsof -i @labrat.remote.net

LSOF will then output all matching connections. The above examples will list connections listening or established on port 587, list connections associated with the well-known service SMTP, and list connections coming from or going to the host labrat.remote.net, respectively. These techniques are handy if you know what you are looking for in advance. You can watch and see whether inbound SMTP connections are taking too long, possibly causing timeouts. You can verify that the service is in fact running and what port it is listening on. And you can see if anyone from a certain device is connected to your system, whether it is via SSH, Telnet, FTP, or just about any other way possible.

lsof -p 409

LSOF will also accept a PID and output all open files it is using. In this particular instance, we performed an lsof -I to determine what PID number NameD (BIND DNS service) was operating under. Once we discovered it was 409, we issued the command lsof -p 409. The output is shown in Listing B.

You'll notice the different FDs, or file descriptors, right away. The cwd variable represents the current working directory of the process; txt defines the program text, which is the executable itself; mem is a file held in memory, in this case a library; the 4 and 21 represent files in use by this particular process; and the u designator defines them as having both read and write access. These all help you determine whether something physically exists on the system, is being used by the process, or is being held in memory.

lsof +d

The command lsof +d /var/log/apache/ is similar to fuser. It basically associates open files with their processes. In this case, we are looking at all regular files in the /var/log/apache/ directory. The output would look something like Listing C. In this example, Apache is keeping track of two sets of log files, an access and an error log for two domains. As you can see, there are some differences between regular files and Internet connections. For one thing, the TYPE is now REG, indicating a regular file. Also, a SIZE variable is present, which indicates the actual size in bits the file takes up. Notice too that the DEV variable indicates they all use the same device, in this example, a single hard drive. The +d flag that was issued with LSOF tells the command not to leave the top-level directory, while +D would perform a recursive check on all subdirectories.

lsof -F <...>

The -F switch provides an excellent way to format LSOF output. This built-in feature allows you to pipe information directly into external programs, such as a Perl script, a C program, or even a monitoring program like MRTG. You do this by specifying which fields you would like printed. For example, lsof -F pcfn would print the process ID, the command name, the file descriptor, and the filename. Many options are available, and this can save you time in working with the raw data yourself.

We've covered just a few of the options LSOF provides, but the man page covers the full spectrum of LSOF capabilities. Some LSOF commands may be processor intensive, due to the sheer number of processes on a system, so be as selective as possible when running commands.

Summary

LSOF is an excellent utility for managing and tracking network connections on your Linux system. Although a number of utilities can perform similar functions, none is quite as robust as LSOF. With LSOF, you can list open ports, identify connections currently being made to your system, and determine what resources a process is using. Not only that, but you can also determine what processes a particular user has and find detailed information about file and directory usage.

Posted by Mario at 11:56 AM | Permalink | Comments (0)

As user robert, I edit/create files .bashrc and .bash_profile with the following content: alias rm='rm -i' alias cp='cp -i' alias mv='mv -i' set -o noclobber alias startx='startx -- -dpi 100' PS1="\u@\h:\w> " export PS1 The first three lines force me to answer "yes/no" when I respectively remove, copy (overwrite) and move (overwrite) a file. The "set -o noclobber" parameter prevents me from overwriting a file with other commands such as "cat". Tiny menu fonts are hard on my poor tired eyes. Rather than replace my eyeglass lenses with magnifying glass, I want to make the fonts larger. My above-mentioned "startx" alias will increase the font size significantly (I could use "120" instead of "100" but that would be ridiculously large). Note that this neat trick won't work unless you are starting X manually with "startx" (as opposed to automatic graphic login with gdm). The lines containing "PS1" refer to my prompt at the command line. I really like a prompt that tells me what directory I'm in, like this: robert@sonic:~/programs/python> All of the above modifications that I've made to .bashrc and .bash_profile won't take effect until I log out and log back in again.

Posted by Mario at 04:23 PM | Permalink

The Linux Cookbook: Tips and Techniques for Everyday Use: Finding Files 8.2.3 Finding Files in a Directory Tree by Modification Time To find files last modified during a specified time, use find with the `-mtime' or `-mmin' options; the argument you give with `-mtime' specifies the number of 24-hour periods, and with `-mmin' it specifies the number of minutes. * To list the files in the `/usr/local' directory tree that were modified exactly 24 hours ago, type: $ find /usr/local -mtime 1 RET * To list the files in the `/usr' directory tree that were modified exactly five minutes ago, type: $ find /usr -mmin 5 RET To specify a range of time, precede the number you give with either a plus sign (` ') to match times that are equal to or greater than the given argument, or a hyphen or minus sign (`-') to match times that are equal to or less than the given argument. * To list the files in the `/usr/local' directory tree that were modified within the past 24 hours, type: $ find /usr/local -mtime -1 RET * To list the files in the `/usr' directory tree that were modified within the past five minutes, type: $ find /usr -mmin -5 RET Include the `-daystart' option to measure time from the beginning of the current day instead of 24 hours ago. * To list all of the files in your home directory tree that were modified yesterday, type: $ find ~ -mtime 1 -daystart RET * To list all of the files in the `/usr' directory tree that were modified one year or longer ago, type: $ find /usr -mtime 356 -daystart RET * To list all of the files in your home directory tree that were modified from two to four days ago, type: $ find ~ -mtime 2 -mtime -4 -daystart RET In the preceding example, the combined options `-mtime 2' and `-mtime -4' matched files that were modified between two and four days ago. To find files newer than a given file, give the name of that file as an argument to the `-newer' option. * To find files in the `/etc' directory tree that are newer than the file `/etc/motd', type: $ find /etc -newer /etc/motd RET To find files newer than a given date, use the trick described in the find Info documentation: create a temporary file in `/tmp' with touch whose timestamp is set to the date you want to search for, and then specify that temporary file as the argument to `-newer'. * To list all files in your home directory tree that were modified after May 4 of the current year, type: $ touch -t 05040000 /tmp/timestamp RET $ find ~ -newer /tmp/timestamp RET In this example, a temporary file called `/tmp/timestamp' is written; after the search, you can remove it (see section Removing Files and Directories). NOTE: You can also find files that were last accessed a number of days after they were modified by giving that number as an argument to the `-used' option. This is useful for finding files that get little use--files matching `-used 100', say, were accessed 100 or more days after they were last modified.

Posted by Mario at 09:34 AM | Permalink