I have the following problem. I'm using Debian GNU/Linux Stretch and I am trying to use netcat as a simple server. I start it using following command:
$ netcat -l 127.0.0.1 33333
It starts just fine and accepts connections but on a different port than requested:
$ netstat -tulpn | grep netcat
tcp 0 0 0.0.0.0:38782 0.0.0.0:* LISTEN 2851/netcat
This behavior is independent of requested port, user or ufw status. Recently I installed LXC with following packages:
apparmor
bridge-utils
cgmanager
libapparmor-perl
lxc
All have been removed later, but somehow I feel like this behavior may be related to some changes in configuration.
It looks like you are using traditional netcat which requires providing -p argument for the listening port:
netcat -l 127.0.0.1 -p 33333
From nc -h:
-p port local port number
Syntax you use would work with OpenBSD netcat.
Related
I'm studying Iptables on linux, and try to reject all traffic coming to port 80.
I execute iptables -A INPUT --dport 80 -j REJECT on kali-linux.
But how can I testing the result that "all traffic to port 80 is rejected".
And what if allow traffic to port 80 and reject traffic going out through port 80.
I have Nginx on my PC.
There are many ways to check if port 80 is open.
Easiest way is to type telnet myserver.com 80 from a remote computer. It tries to open a port 80 on server. It timeout if unable to open.
Use netstat to show the processes listening on TCP or UDP ports. Scan and grep for port-80.
Something like this:
netstat -an | grep PORTNUMBER | grep -i listen
If you have an output, that means port 80 is open and listening.
External way
nmap example.com -p 80
Internal way
iptables -L -v -n --line-numbers
I am not able to find an answer to a simple thing I will try to achive:
once a tcp connection is established to my linux server, let's say ssh / tcp 22 or x11 / tcp 6000 display -> how do I close this connection without killing the process (sshd / x11 display server).
I saw also some suggestoin to use iptables, but it does not work for me, the connection is still visible in netstat -an.
would be good if someone can point me to the right direction.
what I tried so far
tcpkill: kills the process, not good for me
iptables: does not close the established connection, but prevent further connections.
Thanks in adavnce
DJ
Ok, I found at least one solution (killcx) which is working. Maybe we will be able to find an easier solution.
Also, i saw the comment from "zb" - thanks - which might also work, but I was not able to find a working syntax, since this tool seems to be really useful but complex.
So here is an example how to work with the 1. solution which is working for me:
netstat -anp | grep 22
output: tcp 0 0 192.168.0.82:22 192.168.0.77:33597 VERBUNDEN 25258/0
iptables -A INPUT -j DROP -s 192.168.0.77 (to prevent reconnect)
perl killcx.pl 192.168.0.77:33597 (to kill the tcp connection)
killcx can be found here: http://killcx.sourceforge.net/
it "steals" the connection from the foreign host (192.168.0.77) and close it. So that solution is working fine, but to complex to setup quickly if you are under stress. Here are the required packages:
apt-get install libnetpacket-perl libnet-pcap-perl libnet-rawip-perl
wget http://killcx.sourceforge.net/killcx.txt -O killcx.pl
however, would be good to have an easier solution.
tcpkill wont work, since it will only kill any new connection, it doesnt kill existing ESTABLISHED connections
heres how you remove an Established TCP connection
find the PID of the process and the IP of the client connecting,
lets say you are on serverA and someone is connecting from serverB
root#A> netstat -tulpan | grep ssh | grep serverB
should see something like,
tcp 0 0 <serverA IP>:<port> <serverB>:<port> ESTABLISHED 221955/sshd
use lsof utility to get the File Descriptor of this connection using the parent PID
root#A> lsof -np 221995 | grep serverB IP
should see something like this
sshd 221955 <user> 17u IPv4 2857516568 0t0 TCP <serverA IP>:<port>-><serverB IP>:<port> (ESTABLISHED)
get the File Descriptor number (4th column) = 17u
use GDB to shut down this connection, w/out killing sshd
root#A> gdb -p 211955 --batch -ex 'call shutdown(17u, 2)'
should see something similar,
0x00007f0b138c0b40 in __read_nocancel () from /usr/lib64/libc.so.6
$1 = 0
[Inferior 1 (process 211955) detached]
that TCP connection should now be closed
Is there a way to determine or trace how a port forwarding configuration is set up on a system running Ubuntu 14.04 LTS, on which there is a NodeJS service running and somehow accepting connections via port 80, although the service itself is running on port 8080, given that it's clear that port 80 connections are being handled by Apache (see details below)?
I have attempted to lsof -i :80 on the system, and according to lsof, there's no process running on port 80. Interestingly, though:
ubuntu#ip-***-**-**-***:~$ sudo netstat -anp | grep apache
tcp6 0 0 :::80 :::* LISTEN 10197/apache2
I have dug into the apache configuration, after determining that it is located at /etc/apache2/apache2.conf and have not been able to find any VirtualHost records, ProxyPass, or anything of the sort.
I have also checked iptables -L just in case.
Would httpry or something like it help figure out the port forwarding configuration and what running processes are responsible for the port forwarding?
iptables -L wouldn't answer the question (this lists the iptables filter table); you'd want to look at the nat table by running iptables -t nat -L (or iptables -t nat -S, which produces output in the format of iptables-save which I find much easier to read).
Typically Apache reads more than just /etc/apache2/apache2.conf, also, so there may be additional Apache config files under /etc/apache2 that you should check.
I have two machines (Machine1 & Machine2) on the same subnet. Machine1 has a tool installed that returns some data. for example if I run the following command, it returns some data.
printf "get:info\nend\n" | nc localhost 1234
However if do the same on Machine2, of course changing localhost to machine1, nothing happens. Any Idea what can be the problem?
printf "get:info\nend\n" | nc machine1 1234
After investigating alot I finally managed to find the reason why I was not able to communicate to the other machine on the specific port.
Iptables setting in my machine1 was not allowing machine1 to listen. I turned off of the iptables and everthing worked fine.
But its not a good idea to turn off the iptables. So for the next step I allowed port 1234 for machine1.
sudo iptables -A INPUT -p tcp --dport 1234 -j ACCEPT
You can find more information about iptables on the link below:
https://help.ubuntu.com/community/IptablesHowTo
I have been using wire-shark to analyse the packets of socket programs, Now i want to see the traffic of other hosts traffic, as i found that i need to use monitor mode that is only supported in Linux platform, so i tried but i couldn't capture any packets that is transferred in my network, listing as 0 packets captured.
Scenario:
I'm having a network consisting of 50+ hosts (all are powered by windows Except mine), my IP address is 192.168.1.10, when i initiate a communication between any 192.168.1.xx it showing the captured traffic.
But my requirement is to monitor the traffic of 192.168.1.21 b/w 192.168.1.22 from my host i,e. from 192.168.1.10.
1: is it possible to capture the traffic as i mentioned?
2: If it is possible then is wire-shark is right tool for it (or should i have to use differnt one)?
3: if it is not possible, then why?
Just adapt this a bit with your own filters and ips : (on local host)
ssh -l root <REMOTE HOST> tshark -w - not tcp port 22 | wireshark -k -i -
or using bash :
wireshark -k -i <(ssh -l root <REMOTE HOST> tshark -w - not tcp port 22)
You can use tcpdump instead of tshark if needed :
ssh -l root <REMOTE HOST> tcpdump -U -s0 -w - -i eth0 'port 22' |
wireshark -k -i -
You are connected to a switch which is "switching" traffic. It bases the traffic you see on your mac address. It will NOT send you traffic that is not destined to your mac address. If you want to monitor all the traffic you need to configure your switch to use a "port mirror" and plug your sniffer into that port. There is no software that you can install on your machine that will circumvent the way network switching works.
http://en.wikipedia.org/wiki/Port_mirroring