Difference between revisions of "Network/Tools"

From LunaSys
Jump to navigation Jump to search
(Created page with "== Nice commands == taken from: - [http://www.cyberciti.biz/tips/linux-investigate-sockets-network-connections.html] - [http://www.cyberciti.biz/tips/netstat-command-tutori...")
 
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
== Scripts ==
 +
 +
=== br0 creation from eth0 ===
 +
 +
<pre>
 +
#!/bin/bash
 +
 +
CFGPATH=/etc/sysconfig/network-scripts
 +
#CFGPATH=/root
 +
REFCFGPATH=/root
 +
 +
# keep the original
 +
if [ ! -f "$REFCFGPATH/ifcfg-eth0.ref" ]; then
 +
  cp $CFGPATH/ifcfg-eth0 $REFCFGPATH/ifcfg-eth0.ref
 +
fi
 +
 +
# build new eth0
 +
grep -E '(DEVICE|HWADDR|ONBOOT)' $REFCFGPATH/ifcfg-eth0.ref > $CFGPATH/ifcfg-eth0
 +
echo "BRIDGE=br0" >> $CFGPATH/ifcfg-eth0
 +
 +
# build br0
 +
grep -v -E '(HWADDR|UUID)' $REFCFGPATH/ifcfg-eth0.ref | sed 's/eth0/br0/g' | sed 's/BOOTPROTO=["]*none["]*/BOOTPROTO=static/g' | sed 's/TYPE=["]*Ethernet["]*/TYPE="Bridge"/g' | sed 's/NM_CONTROLLED=["a-z]*/NM_CONTROLLED="no"/g' > $CFGPATH/ifcfg-br0
 +
</pre>
 +
 
== Nice commands ==
 
== Nice commands ==
  
Line 4: Line 28:
 
  - [http://www.cyberciti.biz/tips/linux-investigate-sockets-network-connections.html]
 
  - [http://www.cyberciti.biz/tips/linux-investigate-sockets-network-connections.html]
 
  - [http://www.cyberciti.biz/tips/netstat-command-tutorial-examples.html]
 
  - [http://www.cyberciti.biz/tips/netstat-command-tutorial-examples.html]
 +
 +
=== iptraf ===
 +
 +
=== nethogs ===
 +
 +
=== netstat ===
  
 
useful to find out if your server is under attack or not. You can also list abusive IP address using this method.
 
useful to find out if your server is under attack or not. You can also list abusive IP address using this method.
Line 20: Line 50:
  
 
  # netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
 
  # netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
 +
 +
=== ss ===
 +
 +
Display Sockets Summary
 +
 +
# ss -s
 +
 +
Display All Open Network Ports
 +
 +
# ss -l
 +
 +
Display All TCP Sockets
 +
 +
# ss -t -a
 +
 +
Display All UDP Sockets
 +
 +
# ss -u -a
 +
 +
Display All Established SMTP Connections
 +
 +
# ss -o state established '( dport = :smtp or sport = :smtp )'
 +
 +
Display All Established HTTP Connections
 +
 +
# ss -o state established '( dport = :http or sport = :http )'
 +
 +
Find All Local Processes Connected To X Server
 +
 +
# ss -x src /tmp/.X11-unix/*
 +
 +
List all the TCP sockets in state -FIN-WAIT-1 for our httpd to network 202.54.1/24 and look at their timers:
 +
 +
# ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 202.54.1/24
 +
 +
How Do I Filter Sockets Using TCP States?
 +
 +
## tcp ipv4 ##
 +
ss -4 state FILTER-NAME-HERE
 +
## tcp ipv6 ##
 +
ss -6 state FILTER-NAME-HERE
 +
 +
How Do I Matches Remote Address And Port Numbers?
 +
 +
ss dst ADDRESS_PATTERN
 +
## Show all ports connected from remote 192.168.1.5##
 +
ss dst 192.168.1.5
 +
## show all ports connected from remote 192.168.1.5:http port##
 +
ss dst 192.168.1.5:http
 +
ss dst 192.168.1.5:smtp
 +
ss dst 192.168.1.5:443

Latest revision as of 14:15, 24 April 2012

Scripts

br0 creation from eth0

#!/bin/bash

CFGPATH=/etc/sysconfig/network-scripts
#CFGPATH=/root
REFCFGPATH=/root

# keep the original
if [ ! -f "$REFCFGPATH/ifcfg-eth0.ref" ]; then
  cp $CFGPATH/ifcfg-eth0 $REFCFGPATH/ifcfg-eth0.ref
fi

# build new eth0
grep -E '(DEVICE|HWADDR|ONBOOT)' $REFCFGPATH/ifcfg-eth0.ref > $CFGPATH/ifcfg-eth0
echo "BRIDGE=br0" >> $CFGPATH/ifcfg-eth0

# build br0
grep -v -E '(HWADDR|UUID)' $REFCFGPATH/ifcfg-eth0.ref | sed 's/eth0/br0/g' | sed 's/BOOTPROTO=["]*none["]*/BOOTPROTO=static/g' | sed 's/TYPE=["]*Ethernet["]*/TYPE="Bridge"/g' | sed 's/NM_CONTROLLED=["a-z]*/NM_CONTROLLED="no"/g' > $CFGPATH/ifcfg-br0

Nice commands

taken from: 

- [1]
- [2]

iptraf

nethogs

netstat

useful to find out if your server is under attack or not. You can also list abusive IP address using this method. 

# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n

Dig out more information about a specific ip address: 

# netstat -nat |grep {IP-address} | awk '{print $6}' | sort | uniq -c | sort -n

To print list of all unique IP address connected to server, enter: 

# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq

If you think your Linux box is under attack, print out a list of open connections on your box and sorts them by according to IP address, enter: 

# netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n

ss

Display Sockets Summary 

# ss -s

Display All Open Network Ports 

# ss -l

Display All TCP Sockets 

# ss -t -a

Display All UDP Sockets 

# ss -u -a

Display All Established SMTP Connections 

# ss -o state established '( dport = :smtp or sport = :smtp )'

Display All Established HTTP Connections 

# ss -o state established '( dport = :http or sport = :http )'

Find All Local Processes Connected To X Server 

# ss -x src /tmp/.X11-unix/*

List all the TCP sockets in state -FIN-WAIT-1 for our httpd to network 202.54.1/24 and look at their timers: 

# ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 202.54.1/24

How Do I Filter Sockets Using TCP States? 

## tcp ipv4 ##
ss -4 state FILTER-NAME-HERE
## tcp ipv6 ##
ss -6 state FILTER-NAME-HERE

How Do I Matches Remote Address And Port Numbers? 

ss dst ADDRESS_PATTERN
## Show all ports connected from remote 192.168.1.5##
ss dst 192.168.1.5
## show all ports connected from remote 192.168.1.5:http port##
ss dst 192.168.1.5:http
ss dst 192.168.1.5:smtp
ss dst 192.168.1.5:443
Retrieved from "http://wiki.lunasys.fr/mediawiki/index.php?title=Network/Tools&oldid=126"