Differences

This shows you the differences between two versions of the page.

--- connetctions_to_port [2015/04/19 15:40] – luke7858
+++ connetctions_to_port [2024/05/23 07:26] (current) – external edit 127.0.0.1
@@ Line 3: / Line 3: @@
 \\
 Show static view of connections to port 80:
+\\
+\\
+==== NEW AWESOME COMMAND ====
+<sxh bash>
+ netstat -punt | grep ':80.*ESTAB' | awk '{ print $5}' | cut -d':' -f4 | sort | uniq -c | sort -rn | while read i; do echo -n "$i "; curl -s http://ip-api.com/csv/$(echo "$i" | awk '{ print $2 }') | cut -d',' -f2; sleep 1; done
+</sxh>
+Example output:
+<sxh bash>
+x.x.x.x "United States"
+x.x.x.x Ireland
+x.x.x.x "United Kingdom"
+x.x.x.x "South Africa"
+x.x.x.x China
+x.x.x.x "United Kingdom"
+x.x.x.x "Czech Republic"
+</sxh>
+\\
+\\
+Second Best command:
+<sxh bash>
+netstat -nap | awk '$4~/:80$/{print$5}' | awk -F: '{print$(NF-1)}' | sort | uniq -c | sort -nr | head -20
+</sxh>
+\\
 <sxh bash>
 netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1
 </sxh>
+\\
+\\
+<sxh bash>
+netstat -ant | egrep ":80|:443" | egrep "ESTABLISHED|SYN_RECV" | awk '{ print $5 }' | sed -e 's/\:\:ffff\://g' | awk -F: '{print $1}' | sort | uniq -c | sort -nr |awk '{print $1 " "$2}'
+</sxh>
+\\
+\\
 Show a live view of current connections
 <sxh bash>
 while x=0; do clear;date;echo "";echo "  [Count] | [IP ADDR]";echo "-------------------";netstat -np|grep :80|grep -v LISTEN|awk '{print $5}'|cut -d: -f1|uniq -c; sleep 5;done
+</sxh>
+\\
+===Troubleshooting IP Connections ===
+Once you have this output you may want to toubleshoot the location. Is this a ddos? an dos?
+<sxh bash>
+whois x.x.x.x | grep 'country\|address'
+</sxh>
+<sxh bash>
+whois x.x.x.x | egrep 'role:|address:|abuse-mailbox:'
 </sxh>