Using netstat to find largest number of established connections
To find the address with the largest number of established connections, you can use something like the following (column 4 of netstat -an is the local address; use $5 instead if you want the foreign, i.e. remote, address):
netstat -an | grep 'ESTABLISHED' | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -rn | head -n 1
3 192.168.1.2
To see the top 10:
netstat -an | grep 'ESTABLISHED' | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -rn | head -n 10
2 192.168.1.2
To view all of them:
netstat -an | grep 'ESTABLISHED' | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -rn
3 192.168.1.2
You can also view all of them one page at a time, so you can examine each screen in detail:
netstat -an | grep 'ESTABLISHED' | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -rn | more
8 192.168.1.2
You can show the port with:
netstat -an | grep 'ESTABLISHED' | awk '{print $4}' | sort | uniq -c | sort -rn
1 192.168.1.2:58632
1 192.168.1.2:58631
1 192.168.1.2:58629
1 192.168.1.2:58628
1 192.168.1.2:58627
1 192.168.1.2:58613
1 192.168.1.2:55154
1 192.168.1.2:48673
TCP Connections by State
The TCP Connections by State probe reports the total number of TCP connections, as well as the number in each of the following states:
TIME_WAIT — The socket is waiting after close for remote shutdown transmission so it may handle packets still in the network.
CLOSE_WAIT — The remote side has been shut down and is now waiting for the socket to close.
FIN_WAIT — The socket is closed, and the connection is now shutting down.
ESTABLISHED — The socket has a connection established.
SYN_RCVD — The connection request has been received from the network.
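The pipelines above and the per-state totals the probe reports can be reproduced with a few POSIX sh functions. The block below is an added example, not part of the original page: the function names (count_established, top_established, by_state) and the SAMPLE netstat output are constructed for illustration. Unlike the page's cut -d: -f1, it strips only the port after the last colon, so IPv6 and IPv4-mapped addresses such as ::ffff:10.0.0.9:40001 are counted correctly, and it lets you choose between the local address column (4, as on the page) and the foreign address column (5).

```shell
# Added example, not from the original page: small POSIX sh helpers that
# apply the page's netstat pipelines to sample output.
# SAMPLE is constructed to resemble Linux `netstat -an`; the columns are
# Proto Recv-Q Send-Q "Local Address" "Foreign Address" State.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.2:22          10.0.0.5:58632          ESTABLISHED
tcp        0      0 192.168.1.2:22          10.0.0.5:58631          ESTABLISHED
tcp        0      0 192.168.1.2:22          10.0.0.5:58629          ESTABLISHED
tcp        0      0 192.168.1.2:80          10.0.0.7:48673          ESTABLISHED
tcp        0      0 192.168.1.2:80          10.0.0.5:55154          TIME_WAIT
tcp6       0      0 ::ffff:192.168.1.2:443  ::ffff:10.0.0.9:40001   ESTABLISHED
tcp        0      0 192.168.1.3:22          10.0.0.9:40002          ESTABLISHED'

# count_established COL
#   Reads netstat output on stdin and prints "count address", busiest first.
#   COL selects the column to group by: 4 = local address (as in the page's
#   pipelines), 5 = foreign address, i.e. the remote peers.
count_established() {
    awk -v col="$1" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            addr = $col
            sub(/:[^:]*$/, "", addr)     # drop ":port" after the LAST colon
            sub(/^::ffff:/, "", addr)    # fold IPv4-mapped IPv6 into IPv4
            print addr
        }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# top_established COL N : only the N busiest addresses (the page's head -n)
top_established() {
    count_established "$1" | head -n "$2"
}

# by_state : number of TCP sockets in each state, the totals the
# "TCP Connections by State" probe reports
by_state() {
    awk '$1 ~ /^tcp/ { print $6 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Demo on the constructed sample; on a real host feed `netstat -an` instead.
printf '%s\n' "$SAMPLE" | top_established 5 3
printf '%s\n' "$SAMPLE" | by_state
```

The explicit sort before uniq -c matters: uniq only merges adjacent duplicates, so without it the same address can appear several times with partial counts.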
Monitoring Connections to Plesk Control Panel
To find out which of your customers are logged in to the control panel at the moment:
Go to Home > Active Sessions (in the Security group). All sessions, including yours, will be listed with the following details:
Type. The type of control panel user who established the session: administrator, reseller or client, website owner, or mail user (for a mailbox owner).
Login. The login name the user is logged in as.
IP address. The IP address from which the control panel is accessed.
Logon time. The date and time when the user logged in to the control panel.
Idle time. How long the user has been inactive in the control panel while logged in.
To refresh the list of user sessions, click Refresh.
To end a user session, select the respective check box and click Remove, then confirm removal and click OK.
Allowing connections to the SSH service from one IP using APF
You want to deny all IPs from connecting to the shell/SSH service on your server and allow only one or a select few to connect, using the APF firewall. APF can deny ALL SSH connections while allowing only a single IP or a select few to connect to your server.
Log in to your server as the root user.
cd /etc/apf
vi /etc/apf/allow_hosts.rules
Add the following:
tcp:in:d=22:s=IP-ADDRESS
out:d=22:d=IP-ADDRESS
The d=22 part is the destination port, so you can repeat these rules for other services as well to limit connections if you like.
Save the changes.
vi /etc/apf/deny_hosts.rules
Add the following:
tcp:in:d=22:s=0/0
out:d=22:d=0/0
Save the changes.
Restart the APF firewall (apf -r) so the new rules take effect. The allow rules take precedence over the deny rules, which is why the single allowed address still gets through; double-check that IP-ADDRESS is the address you actually connect from before restarting, or you will lock yourself out of SSH.
Using iptables to rate limit incoming connections
There are various well-known ways of blocking SSH dictionary attacks, such as disabling direct root login or moving SSH off the default port 22. Besides these, iptables can be used in a smarter way to achieve the same result. Let's see how.
We make use of the iptables recent module, which adds IP addresses to a list that later rules can test connection attempts against. Let's make this clear with an example. Consider the following two iptables commands.
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
    --update --seconds 60 --hitcount 4 -j DROP
Here the --set parameter in the first command makes sure that the IP address of the host that initiated the connection is added to the "recent" list, where it is tested again by the second rule.
It is in the second rule that the actual magic happens:
--update tests whether the IP address is in the list of recent connections; in our case every new connection on port 22 will be in the list, because we used the --set flag to add it in the preceding rule.
--seconds makes sure that the IP address only matches if its last connection was within the given time frame.
--hitcount works in a similar way, matching only if the number of connection attempts recorded within that time frame is greater than or equal to the number given.
So overall, the effect of the commands above is to DROP a new connection from an IP address that has previously been added to the list, has sent a packet in the past 60 seconds, and has sent more than 4 connection attempts within that window.
You can change the connection limit by modifying the hit count. The addresses currently tracked by the module can be inspected in /proc/net/xt_recent/DEFAULT (/proc/net/ipt_recent/DEFAULT on older kernels), which is useful when checking why a particular client is being dropped.
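To make the window and hit-count semantics concrete, here is an added example (not from the original article): a POSIX sh helper that emits the two rules for any interface, port, window and hit count, plus a small awk model of how the recent module decides, run over constructed connection attempts. The function names (ssh_ratelimit_rules, simulate_recent) and the ATTEMPTS data are constructed for this example. The model assumes the chain order the article's two -I commands produce: the --update/DROP check is evaluated first, so the attempt being checked is only recorded afterwards by the --set rule.

```shell
# Added example, not from the original article.

# ssh_ratelimit_rules IFACE PORT SECONDS HITCOUNT
#   Prints the two rules in evaluation order using -A. Appending them in
#   this order yields the same chain as the article's two -I commands,
#   which insert at the top (so the command typed second is evaluated first).
ssh_ratelimit_rules() {
    printf 'iptables -A INPUT -p tcp --dport %s -i %s -m state --state NEW -m recent --update --seconds %s --hitcount %s -j DROP\n' "$2" "$1" "$3" "$4"
    printf 'iptables -A INPUT -p tcp --dport %s -i %s -m state --state NEW -m recent --set\n' "$2" "$1"
}

# simulate_recent SECONDS HITCOUNT
#   Model (assumption, not the kernel code) of the two rules above.
#   Reads constructed lines "EPOCH_SECONDS SRC_IP", one per NEW connection
#   in time order, and prints "EPOCH_SECONDS SRC_IP DROP|PASS", where PASS
#   means the attempt falls through to the rest of the INPUT chain.
simulate_recent() {
    awk -v win="$1" -v hc="$2" '
    {
        now = $1; ip = $2
        # rule 1 (--update): count stamps already recorded for this address
        # that are still inside the window; the current attempt is not yet
        # recorded because the --set rule comes after this check
        hits = 0
        for (i = 1; i <= n[ip]; i++)
            if (stamp[ip, i] + win >= now) hits++
        verdict = (n[ip] > 0 && hits >= hc) ? "DROP" : "PASS"
        # --update (on a match) or rule 2 (--set, otherwise) records the attempt
        stamp[ip, ++n[ip]] = now
        print now, ip, verdict
    }'
}

# Constructed attempts: five from 10.0.0.5 within 40 seconds, one from
# another host, then 10.0.0.5 again after its window has expired.
ATTEMPTS='1000 10.0.0.5
1010 10.0.0.5
1020 10.0.0.5
1030 10.0.0.5
1040 10.0.0.5
1050 10.0.0.7
1110 10.0.0.5'

ssh_ratelimit_rules eth0 22 60 4
printf '%s\n' "$ATTEMPTS" | simulate_recent 60 4
```

Running the model with the article's values (60 seconds, hit count 4) shows the first four attempts from 10.0.0.5 passing, the fifth being dropped, the unrelated host unaffected, and 10.0.0.5 passing again once its earlier attempts have aged out of the window. The model ignores the module's cap on stored stamps per address (ip_pkt_list_tot), so it is only meant to illustrate the decision, not to replace testing on a real host.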