
A very useful tool for administering a Linux network is the ss command, which reports socket statistics. It is very similar to the netstat command, but it gives you more useful TCP and connection-state information.
The ss command is fast, and netstat can seem very slow in comparison. If you need to track sockets and TCP connections, the ss command can help you. Useful data you can obtain with it includes established ssh, ftp, http and https connections, local processes connected to a server, all TCP and UDP sockets, all of the TCP sockets in state FIN-WAIT-1, and more.
If you want a list of currently waiting, established, orphaned, or closed TCP sockets, type:
# ss -s
If you would like a list of all network ports that are currently open, type:
# ss -l
If you would like to see the names of the processes that are using an open socket, type:
# ss -pl
To learn which user or IP address is responsible for opening a socket or port number, type:
# ss -lp | grep (port #)
When you use this command to learn about which user has opened a socket, you can also learn information about his or her current session. You will learn the port the user opened, find out how much memory has been used, the current directory the user is working in, etc.
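As an added example (not part of the original article), the listening-socket commands above can feed a small audit: this script reads `ss -H -tlnp` output and reports TCP listeners bound to every interface, together with the owning process. The sample lines are constructed, and the function names `sample_ss_output` and `wildcard_listeners` are hypothetical.

```shell
#!/bin/sh
# Added example: report TCP listeners bound to every interface.
# Real use (assumes iproute2 ss; -p needs root to see other users' processes):
#   ss -H -tlnp | wildcard_listeners

# Constructed sample of `ss -H -tlnp` output (not captured from a real host).
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
sample_ss_output() {
  cat <<'EOF'
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      4096       127.0.0.1:5432      0.0.0.0:*    users:(("postgres",pid=1010,fd=5))
LISTEN 0      511             [::]:80           [::]:*    users:(("nginx",pid=950,fd=7),("nginx",pid=949,fd=7))
LISTEN 0      128                *:8080            *:*    users:(("java",pid=2001,fd=45))
EOF
}

# Reads ss lines on stdin, prints "port address process" for each listener
# whose local address is a wildcard (0.0.0.0, [::] or *).
wildcard_listeners() {
  awk '
    $1 == "LISTEN" {
      addr = $4; sub(/:[^:]*$/, "", addr)   # strip the trailing :port
      port = $4; sub(/.*:/, "", port)       # keep only what follows the last colon
      if (addr != "0.0.0.0" && addr != "[::]" && addr != "*") next
      name = "-"                            # process column is absent without privileges
      if (match($0, /users:\(\("[^"]+"/))
        name = substr($0, RSTART + 9, RLENGTH - 10)
      print port, addr, name
    }'
}

sample_ss_output | wildcard_listeners
```

Listeners bound to a loopback address, such as the postgres line in the sample, are left out because they are not reachable from other hosts.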
To view all TCP sockets, type:
# ss -t -a
To view all UDP sockets, type:
# ss -u -a
To view all HTTP connections, type:
# ss -o state established '( dport = :http or sport = :http )'
To view all SMTP connections, type:
# ss -o state established '( dport = :smtp or sport = :smtp )'
To view all local processes connected to a specific server (here the X server, through its Unix domain sockets), type:
# ss -x src /tmp/.X11-unix/*
If you would like to see all of the TCP sockets that are in the state FIN-WAIT-1, type:
# ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 202.54.1/24
The above command shows whether any TCP sockets are waiting and on a timer. You will also be able to see the timers and when they are set to begin. The address range 202.54.1/24 is only an example; when using this command, type in your own network address and range.
The ss command is an ideal tool to view network usage and data. If you are looking for local processes, open ports, open TCP sockets, or established connections to a server, this command will help you research.