So I have a server that I use as a bounce point. I have servers connecting in to this server on semi-random ports and being the lazy sys admin, I needed to see what was connected using the least number of commands possible.
The original method was just running:
$ sudo netstat -lenp | grep sshd
OUTPUT:
tcp 0 0 127.0.0.1:2240 0.0.0.0:* LISTEN 502 25318707 20871/sshd
tcp 0 0 127.0.0.1:2220 0.0.0.0:* LISTEN 513 20138250 15377/sshd
tcp 0 0 127.0.0.1:22220 0.0.0.0:* LISTEN 513 20138245 15377/sshd
tcp 0 0 127.0.0.1:41133 0.0.0.0:* LISTEN 517 26217756 3998/sshd
tcp 0 0 127.0.0.1:3790 0.0.0.0:* LISTEN 502 27078659 29871/sshd
tcp 0 0 127.0.0.1:41135 0.0.0.0:* LISTEN 517 26575404 11610/sshd
tcp 0 0 127.0.0.1:31119 0.0.0.0:* LISTEN 517 25208355 2835/sshd
tcp 0 0 127.0.0.1:20400 0.0.0.0:* LISTEN 502 25318702 20871/sshd
tcp 0 0 127.0.0.1:2260 0.0.0.0:* LISTEN 502 25372125 29095/sshd
tcp 0 0 127.0.0.1:22100 0.0.0.0:* LISTEN 501 24173991 18987/sshd
tcp 0 0 127.0.0.1:30038 0.0.0.0:* LISTEN 517 26855748 25323/sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 4845 1635/sshd
tcp 0 0 127.0.0.1:20600 0.0.0.0:* LISTEN 502 25372120 29095/sshd
tcp 0 0 127.0.0.1:40380 0.0.0.0:* LISTEN 517 26855743 25323/sshd
tcp 0 0 127.0.0.1:2300 0.0.0.0:* LISTEN 501 24173996 18987/sshd
tcp 0 0 127.0.0.1:31133 0.0.0.0:* LISTEN 517 26217761 3998/sshd
tcp 0 0 127.0.0.1:31135 0.0.0.0:* LISTEN 517 26575411 11610/sshd
tcp 0 0 127.0.0.1:41119 0.0.0.0:* LISTEN 517 25208350 2835/sshd
tcp 0 0 ::1:2240 :::* LISTEN 502 25318708 20871/sshd
tcp 0 0 ::1:2220 :::* LISTEN 513 20138251 15377/sshd
tcp 0 0 ::1:22220 :::* LISTEN 513 20138246 15377/sshd
tcp 0 0 ::1:41133 :::* LISTEN 517 26217757 3998/sshd
tcp 0 0 ::1:3790 :::* LISTEN 502 27078660 29871/sshd
tcp 0 0 ::1:41135 :::* LISTEN 517 26575405 11610/sshd
tcp 0 0 ::1:31119 :::* LISTEN 517 25208356 2835/sshd
tcp 0 0 ::1:20400 :::* LISTEN 502 25318703 20871/sshd
tcp 0 0 ::1:2260 :::* LISTEN 502 25372126 29095/sshd
tcp 0 0 ::1:22100 :::* LISTEN 501 24173992 18987/sshd
tcp 0 0 ::1:30038 :::* LISTEN 517 26855749 25323/sshd
tcp 0 0 :::22 :::* LISTEN 0 4843 1635/sshd
tcp 0 0 ::1:20600 :::* LISTEN 502 25372121 29095/sshd
tcp 0 0 ::1:40380 :::* LISTEN 517 26855744 25323/sshd
tcp 0 0 ::1:2300 :::* LISTEN 501 24173997 18987/sshd
tcp 0 0 ::1:31133 :::* LISTEN 517 26217762 3998/sshd
tcp 0 0 ::1:31135 :::* LISTEN 517 26575412 11610/sshd
tcp 0 0 ::1:41119 :::* LISTEN 517 25208351 2835/sshd
However, not only did I not want to retype my password each time, but I didn’t want to look up a name from the UID of the user. The other issue is that this output is messy. I get distracted easily, so I wanted to clean up the display. I wrote the following function to handle this. Put it in your /etc/bashrc file (for everyone to use). On CentOS, netstat won’t let you see what this displays without su permissions. While there are a few ways to handle this, I chose to allow users in a specific group the ability to sudo netstat without a password (I trust the 2 people that have access to this server).
So first: run visudo and add this:
%<usergroup> ALL=(ALL) NOPASSWD: /bin/netstat
Then add this to /etc/bashrc (or your .bashrc):
function sshwho {
    # Print protocol, local address, user and PID/program for each listening ssh socket
    sudo netstat -lpe --numeric-ports --numeric-hosts | grep ssh | awk '{printf("%-20s%-20s%-20s%-20s\n",$1,$4,$7,$9);}'
}
It’s a basic one liner that runs netstat, only outputs lines containing ‘ssh’, then runs it through awk to print only the pieces we want and make it pretty with printf. New output:
[mgargiullo@server-z ~]$ sshwho
tcp                 127.0.0.1:2240      tom                 20871/sshd
tcp                 127.0.0.1:2220      server-a            15377/sshd
tcp                 127.0.0.1:22220     server-a            15377/sshd
tcp                 127.0.0.1:41133     steve               3998/sshd
tcp                 127.0.0.1:3790      tom                 29871/sshd
tcp                 127.0.0.1:41135     steve               11610/sshd
tcp                 127.0.0.1:31119     steve               2835/sshd
tcp                 127.0.0.1:20400     tom                 20871/sshd
tcp                 127.0.0.1:2260      tom                 29095/sshd
tcp                 127.0.0.1:22100     mgargiullo          18987/sshd
tcp                 127.0.0.1:30038     steve               25323/sshd
tcp                 0.0.0.0:22          root                1635/sshd
tcp                 127.0.0.1:20600     tom                 29095/sshd
tcp                 127.0.0.1:40380     steve               25323/sshd
tcp                 127.0.0.1:2300      mgargiullo          18987/sshd
tcp                 127.0.0.1:31133     steve               3998/sshd
tcp                 127.0.0.1:31135     steve               11610/sshd
tcp                 127.0.0.1:41119     steve               2835/sshd
You can modify the function to look for any data you wish.
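One such modification, as an added example that is not the original post's code: it reads the same netstat output on stdin, matches on the PID/Program column instead of grepping the whole line, skips the sshd service listener, and flags any forwarded port bound to a non-loopback address. The function names, the sample rows and the assumption that sshd itself listens on port 22 are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Reads the output of
#   sudo netstat -lpe --numeric-ports --numeric-hosts
# on stdin and prints: user port scope pid/program, one forward per line.
# Assumption: the sshd service listener is on port 22 (override with SSHD_PORT).

sshfwd_report() {
    awk -v svc="${SSHD_PORT:-22}" '
    # Keep TCP listeners owned by sshd only; matching column 9 instead of
    # grepping the line skips unix sockets such as ssh-agent.
    $1 ~ /^tcp6?$/ && $6 == "LISTEN" && $9 ~ /^[0-9]+\/sshd(:|$)/ {
        n = split($4, part, ":")       # port follows the last colon
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (port == svc) next          # the daemon itself, not a forward
        # A forward bound off loopback is reachable from other hosts.
        scope = (addr == "127.0.0.1" || addr == "::1") ? "loopback" : "EXPOSED"
        key = $7 SUBSEP port SUBSEP scope
        if (!(key in seen)) {          # IPv4 and IPv6 twins print once
            seen[key] = 1
            printf "%s %s %s %s\n", $7, port, scope, $9
        }
    }' | sort -k1,1 -k2,2n
}

# Constructed sample rows (users, inodes and PIDs are made up).
sample_netstat() {
    cat <<'EOF'
tcp  0 0 127.0.0.1:20400 0.0.0.0:* LISTEN alice 1001 1111/sshd
tcp  0 0 127.0.0.1:2240  0.0.0.0:* LISTEN alice 1002 1111/sshd
tcp  0 0 0.0.0.0:22      0.0.0.0:* LISTEN root  1003 900/sshd
tcp  0 0 0.0.0.0:8443    0.0.0.0:* LISTEN bob   1004 2222/sshd
tcp  0 0 ::1:2240        :::*      LISTEN alice 1005 1111/sshd
tcp  0 0 :::22           :::*      LISTEN root  1006 900/sshd
tcp  0 0 127.0.0.1:631   0.0.0.0:* LISTEN root  1007 700/cupsd
unix 2 [ ACC ] STREAM LISTENING 1008 3333/ssh-agent /tmp/ssh-sample/agent.3333
EOF
}

sample_netstat | sshfwd_report
```

On a live host, pipe the real command into it: `sudo netstat -lpe --numeric-ports --numeric-hosts | sshfwd_report`.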