Unhide is a little handy forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hidden technique. This tool works under Linux, Unix-like system, and MS-Windows operating systems.
Explains how to use netstat command to display current connections and find out if your server is under DoS attack or not.
You can use traditional netstat / lsof command to lists open Internet or UNIX domain sockets on FreeBSD. FreeBSD comes with a simple and easy to use command called sockstat.
The -4 option only displays IPv4 sockets.
The -6 option only displays IPv6 sockets.
The -c option only displays connected sockets.
The -l option only displays listening sockets (open port).
For example, display IPv4 related open ports, enter:
# sockstat -4 -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS root sendmail 653 3 tcp4 127.0.0.1:25 *:* root sshd 647 3 tcp4 10.20.110.2:22 *:* root ntpd 616 4 udp4 *:123 *:*
Here the equivalent of netstat:
$ netstat -nat | grep LISTEN
For information read sockstat command man page:
$ man sockstat
From my mailbag the other day I received an interesting suggestion about obtaining information regarding all running process and network connections remotely using inetd / xinetd :
SSH client can be used to execute a command(s) on a remote UNIX box. Same technique can be used to get current network and system information using netstat information:
ssh you@remotebox netstat -a
ssh you@remotebox netstat -tulpn
He suggests that above command can be run via inetd / xinetd so that admin can connect easily and get information using telnet from 100s UNIX boxes. All you have to do is open /etc/inetd.conf under UNIX / Linux:
# vi /etc/inetd.conf
Append following line:
netstat stream tcp nowait root /bin/netstat netstat -a
# /etc/init.d/openbsd-inetd restart
Next, use telnet to connect to the netstat service (port 15) and get network connection information:
$ telnet server-name netstat
$ telnet 192.168.1.5 15
Trying 192.168.1.5... Connected to 192.168.1.5. Escape character is '^]'. Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 *:6881 *:* LISTEN tcp 0 0 *:6081 *:* LISTEN tcp 0 0 *:nfs *:* LISTEN tcp 0 0 localhost:6082 *:* LISTEN tcp 0 0 *:54053 *:* LISTEN tcp 0 0 *:59275 *:* LISTEN tcp 0 0 *:netstat *:* LISTEN tcp 0 0 *:sunrpc *:* LISTEN tcp 0 0 localhost:webcache *:* LISTEN tcp 0 0 *:43218 *:* LISTEN tcp 0 0 *:domain *:* LISTEN tcp 0 0 localhost:ipp *:* LISTEN tcp 0 0 *:telnet *:* LISTEN tcp 0 0 *:3128 *:* LISTEN tcp 0 0 localhost:smtp *:* LISTEN tcp 0 1 vivek-desktop.loc:48925 bas4-kitchener06-:56662 SYN_SENT tcp 0 0 vivek-desktop.loc:54791 customer5673.pool:16273 ESTABLISHED tcp 0 0 vivek-desktop.loc:38398 59.94.1xx.yy:45483 ESTABLISHED tcp 0 0 vivek-desktop.loc:42048 60.21.zz.yyy:23235 ESTABLISHED ........... .... .... unix 3 [ ] STREAM CONNECTED 15973 unix 3 [ ] STREAM CONNECTED 15947 /var/run/dbus/system_bus_socket unix 3 [ ] STREAM CONNECTED 15946 unix 3 [ ] STREAM CONNECTED 15936 /var/run/dbus/system_bus_socket unix 3 [ ] STREAM CONNECTED 15935 unix 2 [ ] DGRAM 15931 unix 3 [ ] STREAM CONNECTED 15916 unix 3 [ ] STREAM CONNECTED 15915 unix 2 [ ] DGRAM 15906 Connection closed by foreign host.
There are few problems with this solution:
a] Unnecessary service running at port # 15
b] Telnet protocol is not secure
c] I strongly recommend using ssh and password-less login for scripts to obtain this kind of information:
ssh user@remote-box netstat -a
ssh user@remote-box df -H
ssh user@remote-box free -m
ssh user@remote-box /path/to/script.pl
My friend wanted to know how to change or convert DHCP network configuration to static configuration. After initial installation, he wanted to change network settings. Further, his system is w/o GUI system aka X Windows. Here is quick way to accomplish the same:
Your main network configuration file is /etc/network/interfaces
Desired new sample settings:
=> Host IP address 192.168.1.100
=> Netmask: 255.255.255.0
=> Network ID: 192.168.1.0
=> Broadcast IP: 192.168.1.255
=> Gateway/Router IP: 192.168.1.254
=> DNS Server: 192.168.1.254
Open network configuration file
$ sudo vi /etc/network/interfacesOR
$ sudo nano /etc/network/interfaces
Find and remove dhcp entry:
iface eth0 inet dhcp
Append new network settings:
iface eth0 inet static
Save and close the file. Restart the network:
$ sudo /etc/init.d/networking restart
Task: Define new DNS servers
Open /etc/resolv.conf file
$ sudo vi /etc/resolv.conf
You need to remove old DNS server assigned by DHCP server:
Save and close the file.
Task: Test DNS server
$ host cyberciti.biz
Network command line cheat sheet
You can also use commands to change settings. Please note that these settings are temporary and not the permanent. Use above method to make network changes permanent or GUI tool as described below.
Task: Display network interface information
Task: Take down network interface eth0 / take a network interface down
$ sudo ifconfig eth0 downOR
$ sudo ifdown eth0
Task: Bring a network interface eth0 up
$ sudo ifconfig eth0 upOR
$ sudo ifup eth0
Task: Change IP address and netmask from command line
Activate network interface eth0 with a new IP (192.168.1.50) / netmask:
$ sudo ifconfig eth0 192.168.1.50 netmask 255.255.255.0 up
Task: Display the routing table
$ /sbin/route OR
$ /sbin/route -n
Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface localnet * 255.255.255.0 U 0 0 0 ra0 172.16.114.0 * 255.255.255.0 U 0 0 0 eth0 172.16.236.0 * 255.255.255.0 U 0 0 0 eth1 default 192.168.1.254 0.0.0.0 UG 0 0 0 ra0
Task: Add a new gateway
$ sudo route add default gw 172.16.236.0
Task: Display current active Internet connections (servers and established connection)
$ netstat -nat
Task: Display open ports
$ sudo netstat -tulpOR
$ sudo netstat -tulpn
Task: Display network interfaces stats (RX/TX etc)
$ netstat -i
Task: Display output for active/established connections only
$ netstat -e
$ netstat -te
$ netstat -tue
- -t : TCP connections
- -u : UDP connections
- -e : Established
Task: Test network connectivity
Send ICMP ECHO_REQUEST to network hosts, routers, servers etc with ping command. This verifies connectivity exists between local host and remote network system:
$ ping router
$ ping 192.168.1.254
$ ping cyberciti.biz
See simple Linux system monitoring with ping command and scripts for more information.
Task: Use GUI (Graphical Configuration) network Tool
If you are new, use GUI configuration tool, type the following command at terminal:
$ network-admin &
Above command is Ubuntu’s GUI for configuring network connections tool.
Final tip – Learn how find out more information about commands
A man page is your best friend when you wanted to learn more about particular command or syntax. For example, read detailed information about ifconfig and netstat command:
$ man ifconfig
$ man netstat
Just get a short help with all command options by appending –help option to each command:
$ netstat --help
Find out what command is used for particular task by searching the short descriptions and manual page names for the keyword:
$ man -k 'delete directory'
$ apropos -s 1 remove
Display short descriptions of a command:
$ whatis rm
$ whatis netstat
Linux offers an excellent collection of utilities, which can be use to finding the files and executables, remember you cannot memorize all the commands and files 😉
Someone might attack on your Linux based system. You can drop attacker IP using IPtables. However, you can use route or ip command to null route unwanted traffic. A null route (also called as blackhole route) is a network route or kernel routing table entry that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called blackhole filtering.
You can nullroute (like some time ISP do prevent your network device from sending any data to a remote system) stopping various attacks coming from a single IP (read as spammers or hackers) using the following syntax on a Linux based system.
BIND is the Berkeley Internet Name Domain, DNS server. It is wildly used on UNIX and Linux like oses. You can use following tools to troubleshoot bind related problems under UNIX or Linux oses.
Task: Port 53 open and listing requests
By default BIND listen DNS queries on port 53. So make sure port 53 is open and listing user requests. by running any one of the following tests. See if you can telnet to port 53 from remote computer:
$ telnet remote-server-ip 53
telnet ns1.nixcraft.org domain
Trying 192.168.0.5... Connected to ns1.nixcraft.org. Escape character is '^]'.
If you cannot connect make sure firewall is not blocking your requests. Next use netstat command to list open and listing port 53 on server itself:
$ netstat -tulpn | grep :53
# netstat -atve
Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State User Inode tcp 0 0 ns1.nixcraft.org:domain *:* LISTEN named 10386 tcp 0 0 rhx.test.com:domain *:* LISTEN named 10384 tcp 0 0 *:ssh *:* LISTEN root 1785 tcp 0 0 rhx.test.com:rndc *:* LISTEN named 10388 tcp 0 0 rhx.test.com:smtp *:* LISTEN root 1873 tcp 0 0 ns1.nixcraft.org:ssh w2k.nixcraft.org:1057 ESTABLISHED root 10501 tcp 0 0 rhx.test.com:32773 rhx.test.com:domain TIME_WAIT root 0 tcp 0 0 ns1.nixcraft.org:32775 ns1.nixcraft.org:domain TIME_WAIT root 0 tcp 0 0 rhx.test.com:32774 rhx.test.com:domain TIME_WAIT root 0
Make sure iptables firewall is not blocking request on server:
# iptables -L -n
# iptables -L -n | less
Make sure named is running:
# /etc/init.d/named status
If not start named:
# chkconfig named on
# service named start
Task: Use log files
You can use log files after starting/restarting bind to see error messages:
# tail â€“f /var/log/message
Nov 17 16:50:25 rhx named: listening on IPv4 interface lo, 127.0.0.1#53 Nov 17 16:50:25 rhx named: listening on IPv4 interface eth0, 192.168.0.5#53 Nov 17 16:50:25 rhx named: command channel listening on 127.0.0.1#953 Nov 17 16:50:25 rhx named: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700 Nov 17 16:50:25 rhx named: nixcraft.org.rev:1: no TTL specified; using SOA MINTTL instead Nov 17 16:50:25 rhx named: zone 0.168.192.in-addr.arpa/IN: loaded serial 12 Nov 17 16:50:25 rhx named: zone localhost/IN: loaded serial 42 Nov 17 16:50:25 rhx named: zone nixcraft.org/IN: loaded serial 12 Nov 17 16:50:25 rhx named: running
Task: Check zone file for errors
You can check zone file syntax and /etc/named.conf file using following utilities. named-checkconf command is named (BIND) configuration file syntax checking tool.
# named-checkconf /etc/named.conf
/etc/named.conf:32: missing ';' before 'zone'
Plesse note that if named-checkconf did not find any errors it will not display in output on screen.
Check zone file syntax for errors. named-checkzone is zone file validity checking tool. named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a zone. This makes named checkzone useful for checking zone files before configuring them into a name server.
# named-checkzone localhost /var/named/localhost.zone
#named-checkzone nixcraft.org /var/named/nixcraft.org.zone
zone nixcraft.org/IN: loaded serial 12 OK
Task: Testing BIND/DNS with utilities
You can use host and dig utilties to test your bind configuration.
- host: host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa.
- dig: dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than dig.
List IP address associated with host names:
# host nixcraft.org
# host www
www.nixcraft.org has address 192.168.0.6
Perform a zone transfer for zone name using -l option:
# host -l nixcraft.org
nixcraft.org SOA ns1.nixcraft.org. admin.nixcraft.org. 12 10800 900 604800 86400 nixcraft.org name server ns1.nixcraft.org. nixcraft.org mail is handled by 10 mail.nixcraft.org. nixcraft.org has address 192.168.0.5 gw.nixcraft.org has address 192.168.0.254 mail.nixcraft.org has address 192.168.0.7 ns1.nixcraft.org has address 192.168.0.5 w2k.nixcraft.org has address 192.168.0.1 www.nixcraft.org has address 192.168.0.6 nixcraft.org SOA ns1.nixcraft.org. admin.nixcraft.org. 12 10800 900 604800 86400
# dig mail.nixcraft.org
# dig 192.168.0.5