On 02/17/2010 11:19 AM, Lisi wrote:
> The IPs of the two active computers are 192.168.0.2 and 192.168.0.3. The
> router is 192.168.0.1.
>
> I then tried the following (from 192.168.0.2):
>
> Tux:/home/lisi# netstat -atn
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 0.0.0.0:59782 0.0.0.0:* LISTEN
> tcp 0 0 127.0.0.1:1004 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
> tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:7741 0.0.0.0:* LISTEN
> tcp 0 0 192.168.0.2:43311 92.122.211.37:1935 ESTABLISHED
> tcp6 0 0 :::22 :::* LISTEN
> tcp6 0 0 ::1:631 :::* LISTEN
> Tux:/home/lisi# ps -ef | grep sshd
> root 2341 1 0 06:38 ? 00:00:00 /usr/sbin/sshd
> root 15602 15392 0 11:08 pts/1 00:00:00 grep sshd
> Tux:/home/lisi#
>
> If I have understood correctly, that is a bit worrying. (The ESTABLISHED
> one.) So have I understood? I hope that I have not. ;-0.
>
> If it _is_ ominous, I can block that IP. But I presumably need to close some
> open ports as well?
>
> Lisi
>
To know if it is ominous or not, the command fuser is your friend :)
You can run fuser to find out what process the connection belongs to; you
might find it is a simple MSN connection, or something else expected.
For example, on my machine, finding out what process is using tcp port 22
(n for the namespace, here tcp; you can use udp and others too; v for
verbose output):
]# fuser -vn tcp 22
USER PID ACCESS COMMAND
22/tcp: root 1888 F.... sshd
Hope that helps.
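A small triage helper, added here as an example and not part of the thread, that takes `netstat -atn` output, keeps only ESTABLISHED connections whose peer is outside loopback and the RFC 1918 LAN ranges, and prints the `fuser -vn tcp <port>` invocation from the reply above for each one. The sample netstat text is constructed to mirror the thread; on a live host you would feed it `$(netstat -atn)` instead.

```shell
#!/bin/sh
# Added example (not from the thread): flag ESTABLISHED TCP connections to
# non-LAN peers and show the fuser command that names the owning process.

# Constructed sample mirroring the thread's netstat -atn output (not a real capture)
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.2:43311 92.122.211.37:1935 ESTABLISHED
tcp 0 0 192.168.0.2:22 192.168.0.3:50123 ESTABLISHED
tcp6 0 0 :::22 :::* LISTEN'

# external_established NETSTAT_TEXT
# Prints "local peer localport" for each ESTABLISHED IPv4 TCP connection whose
# peer is neither loopback nor an RFC 1918 private address (10/8, 172.16/12, 192.168/16).
external_established() {
  printf '%s\n' "$1" | awk '
    $1 == "tcp" && $6 == "ESTABLISHED" {
      split($5, peer, ":"); ip = peer[1]
      if (ip ~ /^127\./ || ip ~ /^10\./ || ip ~ /^192\.168\./ || ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
      m = split($4, loc, ":")
      print $4, $5, loc[m]
    }'
}

# Walk the sample; replace "$SAMPLE" with "$(netstat -atn)" on a live host.
external_established "$SAMPLE" | while read -r local peer lport; do
  echo "$local -> $peer"
  echo "  identify the process with: fuser -vn tcp $lport"
done
```

The LAN-to-LAN ssh session (192.168.0.3) is deliberately skipped; only the 92.122.211.37:1935 peer from the thread is reported.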