Administer service auditing with netstat

The netstat utility will help you find out what services are running on your system. Here are a few basic netstat commands.


As a Linux administrator, your first line of defense is to know what services are running on your system. It's your responsibility to check whether or not services are authorized, as well as to identify active services that aren't being used.

The netstat utility, which ships with every Linux distribution, can help. This simple little tool tells you which programs are listening on which ports, and it can even tell you whether programs are listening on UNIX domain sockets. To get an overview of everything listening on your system, use this basic invocation:

# netstat -l

Since domain sockets are not remotely accessible, you can omit them from the listing and get more useful information by using the following command:

# netstat -l -p --tcp --udp

Not only does this command display all listening TCP and UDP sockets, but it also displays what program is doing the listening, as well as its process ID number (PID) via the "-p" switch.

However, if you want a list of all active TCP and UDP connections, use the -a switch instead:

# netstat -a -p --tcp --udp

The -a switch shows you every active socket, both those that are listening and those that are connected. This information is useful for determining which programs are listening for connections. It also lets you see which outbound and inbound connections are currently established on the system.
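To turn the listening-socket listing into the authorization check described at the start of this article, the following added example (not part of the original article) compares netstat output against an approved list and reports anything else. The allowlist, the sample output and the function name audit_listeners are constructed for illustration, and the -n switch (numeric addresses and ports) is added to the article's command so that ports can be matched as numbers.

```shell
#!/bin/sh
# Added example: flag listening sockets that are not on an approved list.

# Constructed allowlist (assumption): space-separated proto/port/program.
ALLOWED="tcp/22/sshd tcp/80/httpd udp/68/dhclient"

# Constructed sample of `netstat -l -n -p --tcp --udp` output.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address   State    PID/Program name
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN   812/sshd
tcp        0      0 127.0.0.1:631     0.0.0.0:*         LISTEN   640/cupsd
tcp        0      0 0.0.0.0:5432      0.0.0.0:*         LISTEN   1433/postgres
tcp6       0      0 :::80             :::*              LISTEN   990/httpd
udp        0      0 0.0.0.0:68        0.0.0.0:*                  701/dhclient
udp        0      0 0.0.0.0:5353      0.0.0.0:*                  655/avahi-daemon'

# Reads netstat output on stdin; prints one line per unapproved listener.
audit_listeners() {
    awk -v allowed="$ALLOWED" '
    BEGIN {
        n = split(allowed, item, " ")
        for (i = 1; i <= n; i++) ok[item[i]] = 1
    }
    $1 ~ /^(tcp|udp)6?$/ {
        proto = $1
        sub(/6$/, "", proto)                  # treat tcp6/udp6 as tcp/udp
        k = split($4, part, ":")              # port follows the last colon
        port = part[k]
        addr = substr($4, 1, length($4) - length(port) - 1)
        # UDP rows have no State column, so the program field shifts left.
        prog = ($6 == "LISTEN") ? $7 : $6
        sub(/^[0-9]+\//, "", prog)            # drop the PID, keep the name
        key = proto "/" port "/" prog
        if (!(key in ok)) {
            scope = (addr ~ /^(127\.|::1$)/) ? "loopback" : "network"
            printf "UNAUTHORIZED %s scope=%s\n", key, scope
        }
    }'
}

# Audit the constructed sample; on a live host, pipe netstat in instead.
printf "%s\n" "$SAMPLE" | audit_listeners
```

On a live system, run netstat as root and pipe it into the function; without root, -p shows "-" instead of the program name for sockets owned by other users, and those entries will be reported as unapproved.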

About Vincent Danen

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.
