
Many system administrators have open ports and other holes in their servers without knowing it. Being able to locate open ports and backdoors in a system lets you keep your server as secure as possible. The netstat tool is an excellent way to locate potential problems.
A hole in your network is an open door for attackers to load files and potentially damage an entire network. Once files are loaded on a server, it can be difficult to locate them. If the files are harmful, it may be too late to locate them because you need to completely rebuild the server from a backup. The netstat tool allows you to check that there are no open ports or backdoors through which attackers can enter your network.
If you want to know if your server is under attack, you can use the netstat command. If your server is currently under attack, you can also find out the IP address of the abuser. Type:
# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
If you have found an IP address you would like more information about, type:
# netstat -nat | grep {IPaddress} | awk '{print $6}' | sort | uniq -c | sort -n
Before you use the netstat command, it is usually best to have a printed list of all of the IP addresses that should be connecting to your server. Most administrators use static IP addresses for users so they can easily identify computers on the network.
If you need to print a list of every unique IP address that is currently connected to your server, type:
# netstat -nat | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq
Some IP addresses may not be currently connected to the server, but active on the network. If you need the total number of unique IP addresses, type:
# netstat -nat | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq | wc -l
If you think your Linux server might be under attack, you can print a list of all open connections, counted and sorted by IP address. Type:
# netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq -c
This way, you will have the opportunity to block any and all IP addresses that are abusive. If you don't want to block the IP addresses, you can also null route them.
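As an added example (not part of the original article), the shell function below compares the remote addresses in netstat -nat output against the list of expected addresses recommended above and prints every address that is not on the list, with its connection count. The sample output, the allowlist contents and the function names are constructed for illustration; the port is stripped from the end of the field, so IPv6 addresses stay intact, unlike with cut -d: -f1.

```sh
#!/bin/sh
# Added example: list remote addresses from `netstat -nat` output that are
# not on an allowlist of expected addresses. All sample data is constructed.

sample_netstat() {   # constructed netstat -nat output (documentation ranges)
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51514      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.50:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.50:40113      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.50:40114      ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::beef:55020    ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
EOF
}

sample_allowlist() {   # constructed allowlist, one expected address per line
  printf '%s\n' 198.51.100.7
}

# Usage: netstat -nat | unknown_peers ALLOWLIST_FILE
# Prints "count address" for every remote address missing from the
# allowlist, busiest first.
unknown_peers() {
  awk -v allow="$1" '
    BEGIN { while ((getline ip < allow) > 0) ok[ip] = 1 }
    $1 !~ /^tcp/ || $6 == "LISTEN" { next }  # skip headers, listening sockets
    {
      peer = $5
      sub(/:[^:]*$/, "", peer)  # drop only the trailing :port (IPv6-safe)
      if (!(peer in ok)) n[peer]++
    }
    END { for (p in n) print n[p], p }
  ' | sort -rn
}

# Demo on the constructed data.
allow=$(mktemp)
sample_allowlist > "$allow"
sample_netstat | unknown_peers "$allow"
rm -f "$allow"
```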
To display a summary of the statistics for each protocol on the network, type:
# netstat -s
To display packet transmission information, including dropped and transmitted packets, type:
# netstat --interfaces=eth0
The netstat command is very helpful for learning about your network and what is happening on it. If you are searching for an abusive user or an intruder, the netstat command is the best option to use.