Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
This display all active Internet connections to the server and only established connections are
included.
Show only active Internet connections to the server on port 80, this is the http port and so its
useful if you have a web server, and sort the results. Useful in detecting a single flood by allowing
you to recognize many connections coming from one IP.
This command is useful to find out how many active SYNC_REC are occurring on the server. The
number should be pretty low, preferably less than 5. On DoS attack incidents or mail bombs, the
number can jump to pretty high. However, the value always depends on system, so a high value
may be average on another server.
netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'
List all the unique IP addresses of the node that are sending SYN_REC connection status.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Use netstat command to calculate and count the number of connections each IP address makes
to the server.
netstat -anp |grep 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
List count of number of connections the IPs are connected to the server using TCP or UDP
protocol.
netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
Check on ESTABLISHED connections instead of all connections, and displays the connections
count for each IP.
Please note that you have to replace $IPADRESS with the IP numbers that you have found with
netstat.
After firing the above command, KILL all httpd connections to clean your system and than restart
httpd service by
using the following commands: