You can use the netstat command to list all of the active and pending TCP/IP connections between your machine and every other machine on the Internet. This command is very important if you suspect that somebody is breaking into your computer or using your computer to break into another one. netstat lets you see which machines your machine is talking to over the network. The command's output includes the host and port number of each end of the connection, as well as the number of bytes in the receive and transmit queues. If a port has a name assigned in the /etc/services file, netstat will print it instead of the port number.
Normally, the netstat command displays UNIX domain sockets in addition to IP sockets. You can restrict the display to IP sockets only by using the -f inet option.
Sample output from the netstat command looks like this:
charon% netstat -f inet
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address         (state)
tcp        0      0  CHARON.MIT.EDU.telnet  GHOTI.LCS.MIT.ED.1300   ESTABLISHED
tcp        0      0  CHARON.MIT.EDU.telnet  amway.ch.apollo..4196   ESTABLISHED
tcp     4096      0  CHARON.MIT.EDU.1313    E40-008-7.MIT.ED.telne  ESTABLISHED
tcp        0      0  CHARON.MIT.EDU.1312    MINT.LCS.MIT.EDU.6001   ESTABLISHED
tcp        0      0  CHARON.MIT.EDU.1309    MINT.LCS.MIT.EDU.6001   ESTABLISHED
tcp        0      0  CHARON.MIT.EDU.telnet  MINT.LCS.MIT.EDU.1218   ESTABLISHED
tcp        0      0  CHARON.MIT.EDU.1308    E40-008-7.MIT.ED.telne  ESTABLISHED
tcp        0      0  CHARON.MIT.EDU.login   RING0.MIT.EDU.1023      ESTABLISHED
tcp        0      0  CHARON.MIT.EDU.1030    *.*                     LISTEN
NOTE: The netstat program only displays abridged hostnames, but you can use the -n flag to display the IP address of the foreign machine.
The first two lines of this output indicate Telnet connections between the machines GHOTI.LCS.MIT.EDU and AMWAY.CH.APOLLO.COM and the machine CHARON.MIT.EDU. Both of these connections originated at the remote machine and represent interactive sessions currently being run on CHARON; you can tell this because the remote ends are on ports greater than 1023 and are connected to CHARON's Telnet port. (Such high-numbered ports may or may not have names in /etc/services.) The third Telnet connection, between CHARON and E40-008-7.MIT.EDU, went the other way: it originated at CHARON, because CHARON's end is on a high-numbered port (1313) and the remote end is the Telnet port. The next two lines are connections to port 6001 (the X Window Server) on MINT.LCS.MIT.EDU. Then there is a Telnet from MINT to CHARON, another from CHARON to E40-008-7.MIT.EDU, and an rlogin from RINGO.MIT.EDU to CHARON. The last line indicates that a user program running on CHARON is listening for connections on port 1030. If you run netstat on your computer, you are likely to see many connections. If you use the X Window System, you may also see "UNIX domain sockets," which are the local network connections from your X clients to the X Window Server.
With the -a option, netstat will also print a list of all of the TCP and UDP sockets on which programs are listening. Using the -a option will provide you with a list of all the ports that programs and users outside your computer can use to enter the system via the network. (Unfortunately, netstat will not give you the name of the program that is listening on the socket.)[20]:
[20] But the lsof command will. See the discussion about lsof in Chapter 25, Denial of Service Attacks and Solutions.
charon% netstat -a -f inet
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address         (state)
Previous netstat printout ...
tcp        0      0  *.telnet               *.*                     LISTEN
tcp        0      0  *.smtp                 *.*                     LISTEN
tcp        0      0  *.finger               *.*                     LISTEN
tcp        0      0  *.printer              *.*                     LISTEN
tcp        0      0  *.time                 *.*                     LISTEN
tcp        0      0  *.daytime              *.*                     LISTEN
tcp        0      0  *.chargen              *.*                     LISTEN
tcp        0      0  *.discard              *.*                     LISTEN
tcp        0      0  *.echo                 *.*                     LISTEN
tcp        0      0  *.exec                 *.*                     LISTEN
tcp        0      0  *.login                *.*                     LISTEN
tcp        0      0  *.shell                *.*                     LISTEN
tcp        0      0  *.ftp                  *.*                     LISTEN
udp        0      0  *.time                 *.*
udp        0      0  *.daytime              *.*
udp        0      0  *.chargen              *.*
udp        0      0  *.discard              *.*
udp        0      0  *.echo                 *.*
udp        0      0  *.ntalk                *.*
udp        0      0  *.talk                 *.*
udp        0      0  *.biff                 *.*
udp        0      0  *.tftp                 *.*
udp        0      0  *.syslog               *.*
charon%
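The two things a reviewer does by hand with these printouts, working out from the port numbers which end opened each established session and pulling out the sockets the outside world can reach, can be scripted. The following is an added example, not code from the book; it parses the BSD-style netstat format shown above on a constructed sample and assumes, beyond what the text states, that numeric ports in the X11 range 6000-6063 count as server ports (the text's port 6001 is an X server).

```python
"""Parse BSD-style `netstat -f inet` output and infer which end opened each TCP
session, using the text's rule: the end on a named or privileged port is the server."""
from typing import List, NamedTuple
# Constructed sample, modelled on the printouts above (not a real capture).
SAMPLE = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  CHARON.MIT.EDU.telnet  GHOTI.LCS.MIT.ED.1300  ESTABLISHED
tcp     4096      0  CHARON.MIT.EDU.1313    E40-008-7.MIT.ED.telne ESTABLISHED
tcp        0      0  CHARON.MIT.EDU.1312    MINT.LCS.MIT.EDU.6001  ESTABLISHED
tcp        0      0  CHARON.MIT.EDU.login   RING0.MIT.EDU.1023     ESTABLISHED
tcp        0      0  CHARON.MIT.EDU.1030    *.*                    LISTEN
udp        0      0  *.tftp                 *.*
"""

class Sock(NamedTuple):
    proto: str
    recv_q: int            # bytes waiting to be read by the local program
    local_port: str
    foreign_host: str
    foreign_port: str
    state: str             # "" for UDP, which prints no state column

def parse_netstat(text: str) -> List[Sock]:
    socks = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "udp"):
            continue                                  # header / banner lines
        _, _, lport = f[3].rpartition(".")            # port follows the LAST dot
        fhost, _, fport = f[4].rpartition(".")        # so "*.*" -> ("*", "*")
        socks.append(Sock(f[0], int(f[1]), lport, fhost, fport,
                          f[5] if len(f) > 5 else ""))
    return socks

def port_rank(port: str) -> int:
    """2 = named service, 1 = privileged number (<=1023) or X11 range 6000-6063
    (assumed, since the page's port 6001 is an X server), 0 = ephemeral or '*'."""
    if not port.isdigit():
        return 0 if port == "*" else 2
    return 1 if int(port) <= 1023 or 6000 <= int(port) <= 6063 else 0

def origin(s: Sock) -> str:
    """'inbound' if the remote end opened the session, 'outbound' if this host did."""
    if s.state != "ESTABLISHED":
        return "n/a"
    l, f = port_rank(s.local_port), port_rank(s.foreign_port)
    return "unknown" if l == f else ("inbound" if l > f else "outbound")

def listening(socks: List[Sock]) -> List[str]:
    # Entry points reachable from the network: LISTEN sockets plus every UDP socket.
    return [f"{s.proto}/{s.local_port}" for s in socks if s.state == "LISTEN" or s.proto == "udp"]
```

A connection where both ends sit on high, unnamed ports is reported as "unknown", which is exactly the case the text warns needs a closer look.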
NOTE: There are weaknesses in the implementation of network services that can be exploited so that one machine can masquerade temporarily as another machine. There is nothing that you can do to prevent this deception, assuming that the attacker gets the code correct and has access to the network. This kind of "spoof" is not easy to carry out, but toolkits are available to make the process easier. Some forms of spoofing may require physical access to your local network, but others may be done remotely. All require exact timing of events to succeed. Such spoofs are often impossible to spot afterwards.