Develop Reference

Linux: how to know which process (or program) is sending data to a local port?

I launched a program that listens at 127.0.0.1:3000 on a CentOS server. I haven't sent any message to the program but it keeps receiving data. I want to know who is sending data to my program. So I type in the following command:
netstat -an | grep 3000
A snapshot output is:
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3000 127.0.0.1:41960 TIME_WAIT
tcp 0 0 127.0.0.1:3000 127.0.0.1:41956 TIME_WAIT
tcp 0 0 127.0.0.1:3000 127.0.0.1:41964 TIME_WAIT
tcp 1 0 127.0.0.1:41968 127.0.0.1:3000 CLOSE_WAIT
tcp 0 0 127.0.0.1:3000 127.0.0.1:41952 TIME_WAIT
tcp 0 0 127.0.0.1:3000 127.0.0.1:41968 FIN_WAIT2
The output changes every time I type in the command. The port numbers in a pattern like 4xxxx increment frequently.
If I type in lsof -nPi tcp:3000, one of the outputs is
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
node 76230 xxx 18u IPv4 130828 0t0 TCP 127.0.0.1:3000 (LISTEN)
node 76230 xxx 20u IPv4 208468 0t0 TCP 127.0.0.1:3000->127.0.0.1:42072 (ESTABLISHED)
I don't know what these 4xxxx numbers stand for. In my case, how to know who is sending data to 127.0.0.1:3000?

You got a PID 76230 and having that you can get to know the process name by
$ ps -p 76230 -o comm=

Tight VNC server and Gucamole

I have a VM in which I installed the VNC server (TightVNC) using the link : https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-on-ubuntu-18-04
It is installed successfully and I can see the port 5901 running
/etc/tigervnc$ netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5901 0.0.0.0:* LISTEN 16460/Xtigervnc
tcp 0 0 127.0.0.1:5902 0.0.0.0:* LISTEN 16183/Xtigervnc
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp6 0 0 ::1:5901 :::* LISTEN 16460/Xtigervnc
tcp6 0 0 ::1:5902 :::* LISTEN 16183/Xtigervnc
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:631 :::* LISTEN -
udp 0 0 0.0.0.0:36618 0.0.0.0:* -
udp 29184 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 0 0 0.0.0.0:631 0.0.0.0:* -
udp 7680 0 0.0.0.0:5353 0.0.0.0:* -
udp6 0 0 :::37372 :::* -
udp6 20736 0 :::5353 :::*
Now from my local machine, I tried to do the port binding to my local from VM (as per the link https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-on-ubuntu-18-04)
ssh -L 5901:127.0.0.1:5901 -C -N -l test 172.1.1.1
In my local machine, I able to see the port is binded to 5901
/etc/guacamole$ fuser 5901/tcp
5901/tcp: 22049
Now when I try to take the VNC connection using 127.0.0.1:5901, It promopts for VM's password and shows only the blank page.
Could someone help me with this?
Thanks,
Hari

edit your ~/.vnc/xstartup file thus:
#!/bin/sh
startxfce4 &
I had the same problem and this solved it
For reference i got it from here:
https://www.raspberrypi.org/forums/viewtopic.php?t=52557

You can also try killing and restarting your VNC server
kill $(pgrep Xvnc)
vncserver
Are you trying to VNC from the local machine to the local machine? I am assuming just for testing correct?
If you are not getting a rejection, at least it should be talking to the service.

Why "service sshd start" command can not return to command prompt?

I'm install a new CentOS7, its sshd service works fine. Then I download the source code of openssh7.5p1, build it and install it to the default directory "/usr/local/sbin/sshd". I want to use it to replace the system's sshd.
I modify the file "/usr/lib/systemd/system/sshd.service", change following line:
old:
ExecStart=/usr/sbin/sshd $OPTIONS
new:
ExecStart=/usr/local/sbin/sshd $OPTIONS
After that, type command "service sshd start", the command can not return and seems hang up. Looks as follows:
[root#localhost ~]# service sshd start
Redirecting to /bin/systemctl start sshd.service
I press Ctl+C to terminate the command. Then use command "netstat -ntlp" to find that the "sshd" already started, not sure why the "service sshd start" can not return to prompt.
[root#localhost ~]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 2443/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 63144/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1043/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1815/master
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::22 :::* LISTEN 63144/sshd
tcp6 0 0 ::1:631 :::* LISTEN 1043/cupsd
tcp6 0 0 ::1:25 :::* LISTEN 1815/master
I try to start sshd manually, it works fine, the sshd started successfully(no any warning message) and the command return immediately. The command as follows:
[root#localhost ~]# /usr/local/sbin/sshd -f /etc/ssh/sshd_config
Any help is appreciated. Let me know if you want to known more information. Thanks.

How about tinkering With type in your .service ?
have you tried to set it to idle ?
maybe systemd waits to receive a message from sshd and seems to hang..

Understanding the netstat output

tcp 0 0 :::111 :::* LISTEN
Above is the output of netstat -nl | grep 111What is the meaning of :::111 segment?

technet.microsoft.com says that:
Displays active TCP connections, ports on which the computer is
listening, Ethernet statistics, the IP routing table, IPv4 statistics
(for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for
the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used
without parameters, netstat displays active TCP connections.
So you can find which addresses and ports are used and listening. for example you want to run a Tomcat server on port 8080. but it used. so you can run:
netstat -ano | find "8080"
output will be something like:
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 1185
TCP [::]:8080 [::]:0 LISTENING 1185
It says that process number 1185 is using this port. If it is necessary to use this port you can shutdown the app that use this port and run your server on it by this command:
taskkill /F /PID 1185

#echo off
:myline
netstat -nob
echo.
echo.
ping 127.0.0.1 > %temp%\pingio.txt
goto myline
Put this in a batch file and run it as Administrator to monitor network processes.

telnet refused on specific port on AWS instances

I'm tryign to telnet from one linux env (10.205.116.141) to 10.205.117.246 on port 7199 but keep getting a connection refused. I did a chkconfig iptables off on both servers and even make sure iptables if stopped as well.
what else should I be looking at?
[root#ip-10-205-116-141 bin]# telnet 10.205.117.246 7199
Trying 10.205.117.246...
telnet: connect to address 10.205.117.246: Connection refused
trace route seems to be working as well...
[root#ip-10-205-116-141 bin]# traceroute 10.205.117.246 -p 7199
traceroute to 10.205.117.246 (10.205.117.246), 30 hops max, 60 byte packets
1 ip-10-205-117-246.xyz.cxcvs.com (10.205.117.246) 0.416 ms 0.440 ms 0.444 ms
also, I'm on a aws vpc so we don't get public IPs provisioned for use...
checked my security group and it looks like all ports are open as well
EDIT:
here is netstat as well, they look the same on both nodes:
[ec2-user#ip-10-205-116-141 ~]$ netstat -an | grep LISTEN
tcp 0 0 127.0.0.1:46626 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:9160 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:36523 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:9042 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2738 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 10.205.116.141:7000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:4445 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:7199 0.0.0.0:* LISTEN
shouldn't 127.0.0.1:7199 really be 10.205.116.141:7199?
sorry, can't post a sc of the security groups...