
#1 2020-09-15 14:49:56

Cyberpunk_Is_Bae
Member
Registered: 2020-03-23
Posts: 18

Trying to Understand Netstat and Best Practices

Hi, thank you for your time.

I have read a lot this morning about what commands people use to transparently understand their systems using commands such as netstat, ss, and so on.  Right now I'm looking at netstat but will happily change to a better solution if you have a preferred tool and would gratefully appreciate the suggestion.

However, if netstat is the right tool, I've narrowed it down to the following:

# netstat -uptn
# netstat -a | grep -E 'ESTABLISHED|LISTEN|CONNECTED'

The first can be watched or given -c, the second is for a heavier system-sweep.

Are these the best practices for using this program and, probably a better question, is my overall approach here best for gaining transparency into my system to discover what is or might be open to the outside world?

Last edited by Cyberpunk_Is_Bae (2020-09-15 14:50:09)

Offline

#2 2020-09-16 01:03:08

solskog
Member
Registered: 2020-09-05
Posts: 128

Re: Trying to Understand Netstat and Best Practices

List network open files for the current user's login session
$ lsof -i
Detailed output without pipe or pattern matching.
$ lsof -i [46][protocol][@hostname|hostaddr][:service|port]

Offline

#3 2020-09-18 18:26:49

Cyberpunk_Is_Bae
Member
Registered: 2020-03-23
Posts: 18

Re: Trying to Understand Netstat and Best Practices

solskog wrote:
List network open files for the current user's login session
$ lsof -i
Detailed output without pipe or pattern matching.
$ lsof -i [46][protocol][@hostname|hostaddr][:service|port]

Thanks.  Is there anything similar to this that I can run continuously?  It takes a while to run and won't see small changes.

Offline

#4 2020-09-18 18:44:51

seth
Member
Registered: 2012-09-03
Posts: 16,263

Re: Trying to Understand Netstat and Best Practices

is or might be open to the outside world

There's no point in checking opened files if you're only interested in opened sockets, let alone for a certain protocol (tcp/udp).
You'd use "netstat" or "ss" for that and apply some filter according to your interests.

That being said: your task description is way too generic to tell what you're probably interested in.
Do you care about (every) active communication w/ the outside (including open connections of your browser etc.) or rather stuff that's actively listening for incoming traffic (an ssh server) - because that's not the same thing.
Or are you actually interested in the traffic itself? => You're looking for wireshark.

On top of that "outside world" might be inhibited by a firewall and/or (pseudo-)DMZ on the local system and/or a (consumer) router.
If you want to know what ports are available from the "outside world" you want to nmap the system from the "outside world".

Offline

#5 2020-09-19 00:29:14

solskog
Member
Registered: 2020-09-05
Posts: 128

Re: Trying to Understand Netstat and Best Practices

lsof does check internet and unix domain sockets.

$ man lsof
An  open file may be a regular file, a directory, a block special file, a character special file, an executing text reference, a library, a stream or a  network  file  (Internet socket, NFS file or UNIX domain socket.)

With this command you may continually watch the output:

$ watch -n 1 lsof -i

I agree with @seth though, network mitigation is a much bigger topic than just relying on a few commands. And lsof is not a replacement for netstat. However, since lsof can also inspect open files, it could be used for application-level inspection of a long-running service like apache:

# lsof -i | Filter out child PID of a service forming an incoming connection.
# lsof -p PID

Last edited by solskog (2020-09-19 01:37:21)

Offline

#6 2020-09-19 06:10:58

seth
Member
Registered: 2012-09-03
Posts: 16,263

Re: Trying to Understand Netstat and Best Practices

It's not that lsof does not check sockets, but that it checks everything else (and the resulting overhead and wide surveillance grid the OP complained about)
If you're only interested in (network) sockets, netstat and ss get you there much more efficiently.

Offline
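
An added example, not part of any post in this thread: a small filter over `ss -H -tuan` output that separates listening sockets from active connections (the distinction raised in #4) and marks each listener as loopback-only or bound to a non-loopback address. The function names and the sample socket table are constructed for illustration; a local bind address only shows what could be reachable, so the firewall and router caveat from #4 still applies.

```shell
#!/bin/sh
# Constructed sample of `ss -H -tuan` output (addresses are documentation ranges).
sample_ss_output() {
cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:68          0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631         0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.53%lo:53          0.0.0.0:*
tcp   ESTAB  0      0         192.0.2.10:51514  198.51.100.7:443
tcp   LISTEN 0      128             [::]:22             [::]:*
tcp   LISTEN 0      128            [::1]:631            [::]:*
EOF
}

# Reads ss output on stdin, keeps only sockets waiting for incoming traffic
# (TCP LISTEN, unconnected UDP) and prints: scope proto address port
classify_listeners() {
    awk '
    $2 == "LISTEN" || $2 == "UNCONN" {
        port = $5; sub(/.*:/, "", port)        # text after the last colon
        addr = $5; sub(/:[^:]*$/, "", addr)    # text before the last colon
        sub(/%.*$/, "", addr)                  # drop interface scope, e.g. %lo
        gsub(/\[|\]/, "", addr)                # drop IPv6 brackets
        scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "exposed"
        print scope, $1, addr, port
    }'
}

# Unique proto/port pairs bound to a non-loopback address.
exposed_ports() {
    classify_listeners | awk '$1 == "exposed" { print $2 "/" $4 }' | sort -u
}

# Offline demonstration on the constructed sample.
# On a live system: ss -H -tuan | classify_listeners
sample_ss_output | classify_listeners
```

For a continuously refreshed view, `watch -n 1 'ss -H -tuln'` is much lighter than repeating `lsof -i`; what is reachable from outside still has to be confirmed by scanning from outside, as noted in #4.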
