SSH ports and who’s on them

So I have a server that I use as a bounce point. I have servers connecting in to this server on semi-random ports and, being the lazy sysadmin, I needed to see what was connected using the fewest commands possible.

The original method was just running:

$ sudo netstat -lenp | grep sshd

OUTPUT:
tcp        0      0 127.0.0.1:2240              0.0.0.0:*                   LISTEN      502        25318707   20871/sshd          
tcp        0      0 127.0.0.1:2220              0.0.0.0:*                   LISTEN      513        20138250   15377/sshd          
tcp        0      0 127.0.0.1:22220             0.0.0.0:*                   LISTEN      513        20138245   15377/sshd          
tcp        0      0 127.0.0.1:41133             0.0.0.0:*                   LISTEN      517        26217756   3998/sshd           
tcp        0      0 127.0.0.1:3790              0.0.0.0:*                   LISTEN      502        27078659   29871/sshd          
tcp        0      0 127.0.0.1:41135             0.0.0.0:*                   LISTEN      517        26575404   11610/sshd          
tcp        0      0 127.0.0.1:31119             0.0.0.0:*                   LISTEN      517        25208355   2835/sshd           
tcp        0      0 127.0.0.1:20400             0.0.0.0:*                   LISTEN      502        25318702   20871/sshd          
tcp        0      0 127.0.0.1:2260              0.0.0.0:*                   LISTEN      502        25372125   29095/sshd          
tcp        0      0 127.0.0.1:22100             0.0.0.0:*                   LISTEN      501        24173991   18987/sshd          
tcp        0      0 127.0.0.1:30038             0.0.0.0:*                   LISTEN      517        26855748   25323/sshd          
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      0          4845       1635/sshd           
tcp        0      0 127.0.0.1:20600             0.0.0.0:*                   LISTEN      502        25372120   29095/sshd          
tcp        0      0 127.0.0.1:40380             0.0.0.0:*                   LISTEN      517        26855743   25323/sshd          
tcp        0      0 127.0.0.1:2300              0.0.0.0:*                   LISTEN      501        24173996   18987/sshd          
tcp        0      0 127.0.0.1:31133             0.0.0.0:*                   LISTEN      517        26217761   3998/sshd           
tcp        0      0 127.0.0.1:31135             0.0.0.0:*                   LISTEN      517        26575411   11610/sshd          
tcp        0      0 127.0.0.1:41119             0.0.0.0:*                   LISTEN      517        25208350   2835/sshd           
tcp        0      0 ::1:2240                    :::*                        LISTEN      502        25318708   20871/sshd          
tcp        0      0 ::1:2220                    :::*                        LISTEN      513        20138251   15377/sshd          
tcp        0      0 ::1:22220                   :::*                        LISTEN      513        20138246   15377/sshd          
tcp        0      0 ::1:41133                   :::*                        LISTEN      517        26217757   3998/sshd           
tcp        0      0 ::1:3790                    :::*                        LISTEN      502        27078660   29871/sshd          
tcp        0      0 ::1:41135                   :::*                        LISTEN      517        26575405   11610/sshd          
tcp        0      0 ::1:31119                   :::*                        LISTEN      517        25208356   2835/sshd           
tcp        0      0 ::1:20400                   :::*                        LISTEN      502        25318703   20871/sshd          
tcp        0      0 ::1:2260                    :::*                        LISTEN      502        25372126   29095/sshd          
tcp        0      0 ::1:22100                   :::*                        LISTEN      501        24173992   18987/sshd          
tcp        0      0 ::1:30038                   :::*                        LISTEN      517        26855749   25323/sshd          
tcp        0      0 :::22                       :::*                        LISTEN      0          4843       1635/sshd           
tcp        0      0 ::1:20600                   :::*                        LISTEN      502        25372121   29095/sshd          
tcp        0      0 ::1:40380                   :::*                        LISTEN      517        26855744   25323/sshd          
tcp        0      0 ::1:2300                    :::*                        LISTEN      501        24173997   18987/sshd          
tcp        0      0 ::1:31133                   :::*                        LISTEN      517        26217762   3998/sshd           
tcp        0      0 ::1:31135                   :::*                        LISTEN      517        26575412   11610/sshd          
tcp        0      0 ::1:41119                   :::*                        LISTEN      517        25208351   2835/sshd

However, I didn't want to retype my password each time, and I didn't want to look up a name from the UID of each user. The other issue is that this output is messy. I get distracted easily, so I wanted to clean up the display. I wrote the following function to handle this. Put it in your /etc/bashrc file (for everyone to use). On CentOS, netstat won't show you what this displays without root privileges. While there are a few ways to handle this, I chose to give users in a specific group the ability to sudo netstat without a password prompt (I trust the 2 people that have access to this server).

So first:  run visudo and add this:

 %<usergroup>  ALL=(ALL)  NOPASSWD: /bin/netstat

Then add this to /etc/bashrc (or your .bashrc):

function sshwho {
    # -l listening sockets, -p owning PID/program, -e owning user and inode;
    # --numeric-ports/--numeric-hosts keep addresses numeric while the user column stays resolved.
    # grep keeps only the sshd lines; awk prints proto, local address, user and PID/program.
    sudo netstat -lpe --numeric-ports --numeric-hosts | grep ssh | awk '{printf("%-20s%-20s%-20s%-20s\n",$1,$4,$7,$9);}'
}

It's a basic one-liner that runs netstat, keeps only the lines containing 'ssh', then pipes them through awk to print only the columns we want, formatted with printf. New output:

[mgargiullo@server-z ~]$ sshwho
tcp                 127.0.0.1:2240      tom                 20871/sshd          
tcp                 127.0.0.1:2220      server-a            15377/sshd          
tcp                 127.0.0.1:22220     server-a            15377/sshd          
tcp                 127.0.0.1:41133     steve               3998/sshd           
tcp                 127.0.0.1:3790      tom                 29871/sshd          
tcp                 127.0.0.1:41135     steve               11610/sshd          
tcp                 127.0.0.1:31119     steve               2835/sshd           
tcp                 127.0.0.1:20400     tom                 20871/sshd          
tcp                 127.0.0.1:2260      tom                 29095/sshd          
tcp                 127.0.0.1:22100     mgargiullo          18987/sshd          
tcp                 127.0.0.1:30038     steve               25323/sshd          
tcp                 0.0.0.0:22          root                1635/sshd           
tcp                 127.0.0.1:20600     tom                 29095/sshd          
tcp                 127.0.0.1:40380     steve               25323/sshd          
tcp                 127.0.0.1:2300      mgargiullo          18987/sshd          
tcp                 127.0.0.1:31133     steve               3998/sshd           
tcp                 127.0.0.1:31135     steve               11610/sshd          
tcp                 127.0.0.1:41119     steve               2835/sshd

You can modify the function to look for any data you wish.
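One modification a defender on a bounce host wants is to spot an sshd listener that is bound to something other than loopback on a port the daemon itself does not use. The script below is an added example, not the post's function: it parses the same netstat -lenp layout (UID column numeric), resolves UIDs through a constructed lookup table, and marks such listeners EXPOSED. The sample lines, the uid table, the allowed-port list and the function names are all constructed for the example.

```shell
#!/bin/bash
# Added example, not the post's code: parse netstat -lenp style lines, resolve the
# numeric UID column to a name, and flag sshd listeners bound off loopback on a
# port the bounce host does not expect, so a forward exposed on all interfaces stands out.

# Constructed sample in the `netstat -lenp` layout (UID column is numeric).
SAMPLE='tcp        0      0 127.0.0.1:2240              0.0.0.0:*                   LISTEN      502        25318707   20871/sshd
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      0          4845       1635/sshd
tcp        0      0 0.0.0.0:31119               0.0.0.0:*                   LISTEN      517        25208355   2835/sshd
tcp        0      0 ::1:2220                    :::*                        LISTEN      513        20138251   15377/sshd'

# Constructed uid:name table; on a real host build it with:
#   getent passwd | awk -F: '{printf "%s:%s;", $3, $1}'
UIDMAP='0:root;502:tom;513:server-a;517:steve'

# Ports sshd is expected to expose beyond loopback (the daemon itself).
ALLOWED_PORTS='22'

# sshwho_report: reads netstat lines on stdin, prints
#   proto  local-address  user  pid/program  [EXPOSED]
sshwho_report() {
    awk -v uidmap="$UIDMAP" -v allowed="$ALLOWED_PORTS" '
    BEGIN {
        n = split(uidmap, rows, ";")
        for (i = 1; i <= n; i++) { split(rows[i], kv, ":"); name[kv[1]] = kv[2] }
        m = split(allowed, ok, " ")
        for (i = 1; i <= m; i++) okport[ok[i]] = 1
    }
    $9 ~ /sshd/ {
        user = ($7 in name) ? name[$7] : $7      # fall back to the raw UID
        addr = $4; sub(/:[0-9]+$/, "", addr)       # strip the :port suffix
        port = $4; sub(/.*:/, "", port)            # keep only the port
        loopback = (addr == "127.0.0.1" || addr == "::1")
        flag = (loopback || (port in okport)) ? "" : "EXPOSED"
        printf("%-6s%-20s%-12s%-14s%s\n", $1, $4, user, $9, flag)
    }'
}

# count_exposed: number of sshd listeners in the sample flagged EXPOSED.
count_exposed() {
    printf '%s\n' "$SAMPLE" | sshwho_report | grep -c EXPOSED
}

# report_user PORT: resolved user of the sample listener on that local port.
report_user() {
    printf '%s\n' "$SAMPLE" | sshwho_report | awk -v p="$1" '$2 ~ (":" p "$") { print $3 }'
}
```

On a live host, feed `sudo netstat -lenp` into sshwho_report instead of the sample and regenerate UIDMAP from getent.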
