Differences

This shows you the differences between two versions of the page.

--- connetctions_to_port [2015/04/01 18:38] – created luke7858
+++ connetctions_to_port [2024/05/23 07:26] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
+==== Connections to port 80 ====
+This command will show all connections (including IP address) to port 80. You are able to change this port if your web server does not run on this by changing the |grep :80| section in the command below
+\\
+Show static view of connections to port 80:
+\\
+\\
+==== NEW AWESOME COMMAND ====
+<sxh bash>
+ netstat -punt | grep ':80.*ESTAB' | awk '{ print $5}' | cut -d':' -f4 | sort | uniq -c | sort -rn | while read i; do echo -n "$i "; curl -s http://ip-api.com/csv/$(echo "$i" | awk '{ print $2 }') | cut -d',' -f2; sleep 1; done
+</sxh>
+Example output:
+<sxh bash>
+x.x.x.x "United States"
+x.x.x.x Ireland
+x.x.x.x "United Kingdom"
+x.x.x.x "South Africa"
+x.x.x.x China
+x.x.x.x "United Kingdom"
+x.x.x.x "Czech Republic"
+</sxh>
+\\
+\\
+Second Best command:
+<sxh bash>
+netstat -nap | awk '$4~/:80$/{print$5}' | awk -F: '{print$(NF-1)}' | sort | uniq -c | sort -nr | head -20
+</sxh>
+\\
+<sxh bash>
+netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1
+</sxh>
+\\
+\\
+<sxh bash>
+netstat -ant | egrep ":80|:443" | egrep "ESTABLISHED|SYN_RECV" | awk '{ print $5 }' | sed -e 's/\:\:ffff\://g' | awk -F: '{print $1}' | sort | uniq -c | sort -nr |awk '{print $1 " "$2}'
+</sxh>
+\\
+\\
+Show a live view of current connections
 <sxh bash>
 while x=0; do clear;date;echo "";echo "  [Count] | [IP ADDR]";echo "-------------------";netstat -np|grep :80|grep -v LISTEN|awk '{print $5}'|cut -d: -f1|uniq -c; sleep 5;done
+</sxh>
+\\
+===Troubleshooting IP Connections ===
+Once you have this output you may want to toubleshoot the location. Is this a ddos? an dos?
+<sxh bash>
+whois x.x.x.x | grep 'country\|address'
+</sxh>
+<sxh bash>
+whois x.x.x.x | egrep 'role:|address:|abuse-mailbox:'
 </sxh>