version 1, including all changes.
.
Rev |
Author |
# |
Line |
1 |
JimCheetham |
1 |
The [lsof] application provides a great way to see what applications are listening on your network ports, but it isn't always available on older OSs, and [netstat] is ... |
|
|
2 |
|
|
|
3 |
A server may have multiple interfaces, multiple IP addresses on those interfaces, and of course multiple ports open (listening) on them. |
|
|
4 |
|
|
|
5 |
Here's a (long, nasty) one-liner bash command line to report in a nice way what ports you currently have open ... |
|
|
6 |
|
|
|
7 |
<verbatim> |
|
|
8 |
for i in $(netstat -ln|grep "LISTEN "|tr -s " "|cut -d" " -f4|sed -e"s/\([^:]*\):\([^:]*\)/\2=\1/"|sort -n); do PORT=$(echo $i |cut -d= -f1); SN=$(grep "[^[:digit:]]$PORT/tcp" /etc/services|tr -s " "|cut -f 1); IP=$(echo $i|cut -d= -f2); if [ "$IP" == "127.0.0.1" ]; then IPp="L"; elif [ "$IP" == "0.0.0.0" ]; then IPp="*"; else IPp=$IP; fi; if [ "$SN" == "" ]; then SNn=$PORT; else SNn=$SN; fi; echo "$SNn ($PORT) $IPp"; done |
|
|
9 |
</verbatim> |
|
|
10 |
|
|
|
11 |
Sample output :- |
|
|
12 |
<verbatim> |
|
|
13 |
smtp (25) L |
|
|
14 |
domain (53) 10.10.10.11 |
|
|
15 |
www (80) L |
|
|
16 |
www (80) 10.10.10.11 |
|
|
17 |
www (80) 10.10.10.10 |
|
|
18 |
https (443) 10.10.10.11 |
|
|
19 |
ipp (631) L |
|
|
20 |
953 (953) L |
|
|
21 |
mysql (3306) L |
|
|
22 |
www-php4 (4080) L |
|
|
23 |
4369 (4369) * |
|
|
24 |
xmpp-client (5222) * |
|
|
25 |
5223 (5223) * |
|
|
26 |
xmpp-server (5269) * |
|
|
27 |
5280 (5280) * |
|
|
28 |
5356 (5356) * |
|
|
29 |
5357 (5357) L |
|
|
30 |
postgresql (5432) L |
|
|
31 |
6010 (6010) L |
|
|
32 |
11211 (11211) * |
|
|
33 |
52029 (52029) * |
|
|
34 |
54440 (54440) L |
|
|
35 |
</verbatim> |
|
|
36 |
|
|
|
37 |
It uses =netstat= to do the basic report of open ports, then translates the known port numbers found in =/etc/services=, indicates which are listening only to localhost (L), and which are listening on all interfaces (~*). |
|
|
38 |
|
|
|
39 |
It's a one-liner because I have multiple servers, and have a handy run-everywhere script that will let me fire off a command to be run on any subset of my machines. It uses double-quotes because I have to enclose the whole thing in single-quotes to prevent early variable expansion on my local workstation. Wow. |
|
|
40 |
|
|
|
41 |
As a more readable script, it looks like this :- |
|
|
42 |
|
|
|
43 |
<verbatim> |
|
|
44 |
for i in $(netstat -ln|grep "LISTEN "|tr -s " "|cut -d" " -f4|sed -e"s/\([^:]*\):\([^:]*\)/\2=\1/"|sort -n) |
|
|
45 |
do |
|
|
46 |
PORT=$(echo $i |cut -d= -f1) |
|
|
47 |
SN=$(grep "[^[:digit:]]$PORT/tcp" /etc/services|tr -s " "|cut -f 1) |
|
|
48 |
IP=$(echo $i|cut -d= -f2) |
|
|
49 |
|
|
|
50 |
if [ "$IP" == "127.0.0.1" ] |
|
|
51 |
then IPp="L" |
|
|
52 |
elif [ "$IP" == "0.0.0.0" ] |
|
|
53 |
then IPp="*" |
|
|
54 |
else IPp=$IP |
|
|
55 |
fi |
|
|
56 |
|
|
|
57 |
if [ "$SN" == "" ] |
|
|
58 |
then SNn=$PORT |
|
|
59 |
else SNn=$SN |
|
|
60 |
fi |
|
|
61 |
|
|
|
62 |
echo "$SNn ($PORT) $IPp" |
|
|
63 |
done |
|
|
64 |
</verbatim> |
|
|
65 |
|
|
|
66 |
The sub-shell snippets are :- |
|
|
67 |
|
|
|
68 |
* get the port/address data |
|
|
69 |
* run =netstat -ln= |
|
|
70 |
* find lines with "LISTEN " in them (excludes "LISTENING" by having the space at the end of LISTEN) |
|
|
71 |
* replace multiple spaces with single spaces, to make =cut='s job easier |
|
|
72 |
* get the fourth space-delimited field only |
|
|
73 |
* change address:port to port~=address |
|
|
74 |
* literally, any non-colon-characters, a colon, any non-colon-characters. |
|
|
75 |
* =sort= into numerical order |
|
|
76 |
* lookup the port number in =/etc/services= |
|
|
77 |
* use the current port~=address data |
|
|
78 |
* get the first field in the ~= separated list (the port) |
|
|
79 |
* assign that to the variable PORT |
|
|
80 |
* look for any lines that mention PORT/tcp in =/etc/services=. Don't allow any other digits in front of PORT (i.e. if PORT = 80, do not select 8080/tcp) |
|
|
81 |
* replace multiple tabs with a single tab |
|
|
82 |
* select only the first field (in a tab-separated list, the default for =cut=) |