On 17/02/10 12:08, Stephen Rowles wrote:
> On 02/17/2010 11:19 AM, Lisi wrote:
>> The IPs of the two active computers are 192.168.0.2 and 192.168.0.3.  The
>> router is 192.168.0.1.
>>
>> I then tried the following (from 192.168.0.2):
>>
>> Tux:/home/lisi# netstat -atn
>> Active Internet connections (servers and established)
>> Proto Recv-Q Send-Q Local Address           Foreign Address         State
>> tcp        0      0 0.0.0.0:59782           0.0.0.0:*               LISTEN
>> tcp        0      0 127.0.0.1:1004          0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
>> tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:7741            0.0.0.0:*               LISTEN
>> tcp        0      0 192.168.0.2:43311       92.122.211.37:1935      ESTABLISHED
>> tcp6       0      0 :::22                   :::*                    LISTEN
>> tcp6       0      0 ::1:631                 :::*                    LISTEN
>> Tux:/home/lisi# ps -ef | grep sshd
>> root      2341     1  0 06:38 ?        00:00:00 /usr/sbin/sshd
>> root     15602 15392  0 11:08 pts/1    00:00:00 grep sshd
>> Tux:/home/lisi#
>>
>> If I have understood correctly, that is a bit worrying.  (The ESTABLISHED
>> one.)  So have I understood?  I hope that I have not. ;-0.
It's not that alarming, assuming your local IP is 192.168.0.2 (that
certainly is not a publicly-accessible address). It most likely just
means that you've established a tcp connection out to 92.122.211.37.
Incidentally, without the 'n' arg, netstat will (attempt to) give you
hostnames, rather than IP addresses, which may be of interest.
>>
>> If it _is_ ominous, I can block that IP.  But I presumably need to close some
>> open ports as well?
>>
>> Lisi
>>    
> 
> To know if it is ominous or not, the command fuser is your friend :)
> 
> You can run fuser to find out what process the connection is to, you 
> might find it is a simple MSN connection, or something else expected.
> 
> For example in my machine, finding out what process is using tcp port 22 
> (n for namespace of tcp, you can use udp and others too, v for verbose 
> output):
> 
> ]# fuser -vn tcp 22
>                       USER        PID ACCESS COMMAND
> 22/tcp:              root       1888 F.... sshd
> 
> Hope that helps.
Alternatively, as root, netstat can tell you this as well.
netstat -atpn is your friend here.
netstat -tulpn will give tcp and udp services (in this case -tlpn would
be fine) plus the process name that is running on that port.
Not always perfect (for some apps here it just says 'python', for example):
...
tcp 0 0 x.x.x.x:38052 x.x.x.:8001  ESTABLISHED 3849/konversation
...
although the fuser trick is also sometimes handy.
lsof (ls open files) can do this too - all established TCP connections:
# lsof -i TCP -s TCP:ESTABLISHED
or for a specific port:
# lsof -i TCP:38052
...
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
konversat 3849 stuart   15u  IPv4 220155      0t0  TCP x.x.x.x:38052->remote.host.name:vcom-tunnel (ESTABLISHED)
...
Regards,
Stuart
-- 
Stuart Sears RHCA etc.
"It's today!" said Piglet.
"My favourite day," said Pooh.
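
An added example, not part of the original messages: a small Python triage of `netstat -atn` text that separates loopback-only listeners from listeners reachable over the network and lists established connections to public addresses, tolerating a State column that a mail client has wrapped onto its own line. The sample input is constructed from the kind of output discussed in the thread, and the function names are this example's own.

```python
import ipaddress

# Constructed sample in `netstat -atn` format (one State value wrapped by a mailer).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.2:43311       92.122.211.37:1935
ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
"""

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6 forms like ':::22' work."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port

def triage(netstat_text):
    """Return (network_listeners, loopback_listeners, public_peers)."""
    rows = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0].startswith("tcp"):
            rows.append(fields)
        elif rows and len(rows[-1]) == 5 and len(fields) == 1:
            rows[-1].append(fields[0])  # re-attach a wrapped State column
    network, loopback, peers = [], [], []
    for fields in rows:
        if len(fields) < 6:
            continue  # incomplete row, nothing to classify
        proto, local, foreign, state = fields[0], fields[3], fields[4], fields[5]
        laddr, lport = split_endpoint(local)
        if state == "LISTEN":
            # 127.0.0.1 / ::1 accept local clients only; 0.0.0.0 / :: accept any interface.
            bucket = loopback if ipaddress.ip_address(laddr).is_loopback else network
            bucket.append((proto, laddr, int(lport)))
        elif state == "ESTABLISHED":
            faddr, _ = split_endpoint(foreign)
            if ipaddress.ip_address(faddr).is_global:  # peer is outside private ranges
                peers.append((local, foreign))
    return network, loopback, peers

if __name__ == "__main__":
    for label, items in zip(("network listeners", "loopback listeners", "public peers"),
                            triage(SAMPLE)):
        print(label, items)
```

Each entry under public peers still needs `netstat -atpn`, `fuser` or `lsof` run as root to name the owning process, as described in the replies.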