List all IP addresses connected to your Server
Below is an Unix command to list all the IP addresses connected to your server on port 80.
netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
Output – Total connections by IP, from highest to lowest.
97 114.198.236.100
56 67.166.157.194
44 170.248.43.76
38 141.0.9.20
37 49.248.0.2
37 153.100.131.12
31 223.62.169.73
30 65.248.100.253
29 203.112.82.128
29 182.19.66.187
Note
This command is useful to detect if your server is under attack, and null route those IPs. Read this null route attacker IP story.
This command is useful to detect if your server is under attack, and null route those IPs. Read this null route attacker IP story.
Let break above lengthy command into pieces :
1. netstat -tn 2>/dev/null
Uses netstat
to list all network connections, ins and outs.
- -n – Display numeric only, don’t resolve into name.
- -t – Display only TCP connections.
Output
#Examples - 7 connections
tcp 0 0 64.91.*.*:80 114.198.236.100:12763 TIME_WAIT
tcp 0 0 64.91.*.*:80 175.136.226.244:51950 TIME_WAIT
tcp 0 0 64.91.*.*:80 175.136.226.244:51951 TIME_WAIT
tcp 0 0 64.91.*.*:23 202.127.210.2:14517 TIME_WAIT
tcp 0 0 64.91.*.*:80 149.238.193.121:65268 TIME_WAIT
tcp 0 0 64.91.*.*:80 114.198.236.100:44088 ESTABLISHED
tcp 0 0 64.91.*.*:80 175.136.226.244:51952 TIME_WAIT
2>/dev/null
Redirect all unwanted output to /dev/null, a special place to absorb all output and clear it.
Redirect all unwanted output to /dev/null, a special place to absorb all output and clear it.
2. grep :80
Only display the IP address that connected to server on port 80.
tcp 0 0 64.91.*.*:80 114.198.236.100:12763 TIME_WAIT
tcp 0 0 64.91.*.*:80 175.136.226.244:51950 TIME_WAIT
tcp 0 0 64.91.*.*:80 175.136.226.244:51951 TIME_WAIT
tcp 0 0 64.91.*.*:80 149.238.193.121:65268 TIME_WAIT
tcp 0 0 64.91.*.*:80 114.198.236.100:44088 ESTABLISHED
tcp 0 0 64.91.*.*:80 175.136.226.244:51952 TIME_WAIT
3. awk ‘{print $5}’
Uses awk
to display the 5th field only.
114.198.236.100:12763
175.136.226.244:51950
175.136.226.244:51951
149.238.193.121:65268
114.198.236.100:44088
175.136.226.244:51952
4. cut -d: -f1
Uses cut
to extract the content.
- -d – Character immediately following the -d option is use as delimiter, default is tab.
- -f – Specifies a field list, separated by a delimiter.
114.198.236.100
175.136.226.244
175.136.226.244
149.238.193.121
114.198.236.100
175.136.226.244
5. sort | uniq -c | sort -nr
Sort the list, group it and sort it again in reverse order.
sort
114.198.236.100
114.198.236.100
149.238.193.121
175.136.226.244
175.136.226.244
175.136.226.244
uniq -c
– Group it.
2 114.198.236.100
1 149.238.193.121
3 175.136.226.244
sort -nr
– sort by numeric, and reverse order (highest display first)
3 175.136.226.244
2 114.198.236.100
1 149.238.193.121
Done.
6. head
This is optional, to display the first 10 result.
I just Love your step by step explanation, thank you very much!
Hi, do ther is some way to see who was connected to my server in some time period and save that information in text file?
you saved my day 🙂
I had to change it a little bit for my needs:
netstat -na | grep 8001 | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -nr
awesome
Hi,
You does not require to go for so much deep , you can achieve the same with this . and it works for ipv6 also.
http://www.suyashjain.com/toppings/netstat-tricks-1/
Thanks
Hi,
When i run your command, i get this:
1420
1 66.249.75.226
What od the number 1420 represent
netstat show some IPv4 expressed through IPv6. So rever cut first and move to second last. All valid IPs include the port, so the “grep:”
$ netstat -tn 2>/dev/null | awk ‘{print $5}’ | grep : | rev | cut -d: -f2- | rev | sort | uniq -c | sort -nr
Add next command to drop loopback.
grep -v -e ‘::1’ -e ‘127.0.0.1’
hi. 5 years later lol – bump? i wonder if anyone still browsing this> anyway this info only showing me ipv6 addresses, ubuntu 22.04. thanks for the information and article!
Is there a way to add the hostname for each ip?
Someone from a server is in all my phones and devices. I’ve factory reset my phones. It is still a problem. Please help me