Background
netstat is one of the most useful commands when troubleshooting a network, but the syntax can be completely overwhelming. Combine complex syntax with subtle differences between Linux, Linux distributions, and Windows, and all of a sudden you need a handy reference, otherwise you can’t use the tool. The purpose of this article is to list a few different scenarios where you might want to use netstat.
List of Useful Netstat Commands
See all TCP/UDP Connections Sorted
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
The above command counts the TCP and UDP connections to your server per remote IP address and sorts the result by count, so the busiest addresses appear at the bottom. If you are suffering from a Denial of Service (DoS) attack, you will notice that one specific IP address has a lot of connections to your server. For example, you might see that most IP addresses have one or two connections, but one specific IP has 56 connections. In this case, you probably want to see what that IP address is hitting.
A trivial way to determine what this IP is hitting is to use good old top. Press c when in top and look for websites that are busy. Then tail -f the website’s log file. A common problem when running WordPress is that xmlrpc.php is being hit repeatedly.
You can use the following firewalld command, if it’s installed, to block the IP address (replace a.b.c.d):
# firewall-cmd --add-rich-rule='rule family=ipv4 source address=a.b.c.d reject' --permanent
success
# service firewalld restart
Find all HTTPS / Port 443 / Website Connections
Here is another useful command, this one just to find port 443 SSL connections:
netstat -anp |grep ':443' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
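The following is an added example, not part of the original article: a shell function that produces the same per-IP count as the two pipelines above, but splits each address at its last colon, so IPv6 peers are not truncated by cut -d: -f1, and matches the local port exactly instead of grepping for ':443'. The function names and the sample input (documentation address ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `netstat -an` style output on stdin and prints
# "<count> <remote address>", busiest first.
# Usage: netstat -an | count_remote_ips [local_port] [min_count]
count_remote_ips() {
    awk -v port="${1:-}" -v min="${2:-1}" '
        $1 !~ /^(tcp|udp)/ { next }          # skip headers and unix sockets
        {
            # Split at the LAST colon so IPv6 addresses stay whole.
            lport = $4; sub(/^.*:/, "", lport)
            raddr = $5; sub(/:[^:]*$/, "", raddr)
            # Exact local-port match: ignores :4430 and outbound traffic
            # to a remote port 443, both of which grep ":443" would count.
            if (port != "" && lport != port) next
            # Listening and unconnected sockets have no peer.
            if (raddr == "0.0.0.0" || raddr == "::" || raddr == "*") next
            # Fold IPv4-mapped IPv6 (::ffff:a.b.c.d) into the IPv4 address.
            sub(/^::ffff:/, "", raddr)
            count[raddr]++
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample input (documentation address ranges), not real traffic.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:443          203.0.113.7:51514       ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.7:51515       ESTABLISHED
tcp        0      0 192.0.2.10:443          198.51.100.4:40222      TIME_WAIT
tcp        0      0 192.0.2.10:52144        198.51.100.9:443        ESTABLISHED
tcp        0      0 192.0.2.10:4430         198.51.100.9:40000      ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 ::ffff:192.0.2.10:443   ::ffff:203.0.113.7:51600 ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::beef:44100    ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

# Demo: peers connected to local port 443 in the sample input.
sample_netstat | count_remote_ips 443
```

On a live server, feed it real output, for example netstat -an | count_remote_ips 443 20 to list only the addresses holding at least 20 connections to port 443.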
See Also
How to deal with an Apache / NGINX server that’s under attack
Leave us a comment if you have any other useful netstat commands that we should list here.