佳音的博客

2009/02/25

netstat 命令指南

Filed under: Uncategorized — 佳音 @ 4:01 下午

http://www.cyberciti.biz/tips/netstat-command-tutorial-examples.html

netstat command and shell pipe feature can be used to dig out more information about particular IP address connection. You can find out total established connections, closing connection, SYN and FIN bits and much more. You can also display summary statistics for each protocol using netstat.

This is useful to find out if your server is under attack or not. You can also list abusive IP address using this method.
# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
Output:

1 CLOSE_WAIT      1 established)      1 Foreign      3 FIN_WAIT1      3 LAST_ACK     13 ESTABLISHED     17 LISTEN    154 FIN_WAIT2    327 TIME_WAIT

Dig out more information about a specific ip address:
# netstat -nat |grep {IP-address} | awk '{print $6}' | sort | uniq -c | sort -n

2 LAST_ACK      2 LISTEN      4 FIN_WAIT1     14 ESTABLISHED     91 TIME_WAIT    130 FIN_WAIT2

Busy server can give out more information:
# netstat -nat |grep 202.54.1.10 | awk '{print $6}' | sort | uniq -c | sort -n
Output:

15 CLOSE_WAIT  37 LAST_ACK  64 FIN_WAIT_1  65 FIN_WAIT_21251 TIME_WAIT3597 SYN_SENT5124 ESTABLISHED

Get List Of All Unique IP Address

To print list of all unique IP address connected to server, enter:
# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq
To print total of all unique IP address, enter:
# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq | wc -l
Output:

449

Find Out If Box is Under DoS Attack or Not

If you think your Linux box is under attack, print out a list of open connections on your box and sorts them by according to IP address, enter:
# netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
Output:

1 10.0.77.52      2 10.1.11.3      4 12.109.42.21      6 12.191.136.3............    13 202.155.209.202     18 208.67.222.222     28 0.0.0.0 

    233 127.0.0.1

You can simply block all abusive IPs using iptables or just null route them.

etc.

转略..

]]>

Powered by 00RZ