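Sharing a Linux command: lsof
First, take a look at this: http://www.2cto.com/os/201108/100604.html
	For lsof, network administrators should know the following usage:
	# Show the users currently connected over SSH and their source IP addresses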
	$ sudo lsof -n | grep sshd | grep TCP | cut -c18-28,70-
	root  TCP *:22 (LISTEN)
	root  TCP *:22 (LISTEN)
	root  TCP 1.2.3.4:22->6.7.8.9:2544 (ESTABLISHED)
	huangwei  TCP 1.2.3.4:22->6.7.8.9:2544 (ESTABLISHED)
	root  TCP 1.2.3.4:22->6.7.8.9:29340 (ESTABLISHED)
	huangwei  TCP 1.2.3.4:22->6.7.8.9:29340 (ESTABLISHED)
	root  TCP 1.2.3.4:22->6.7.8.9:33223 (ESTABLISHED)
	huangwei  TCP 1.2.3.4:22->6.7.8.9:33223 (ESTABLISHED)
	huangwei  TCP [::1]:cisco-sccp (LISTEN)
	huangwei  TCP 127.0.0.1:cisco-sccp (LISTEN)
	huangwei  TCP 1.2.3.4:40183->74.125.227.8:https (ESTABLISHED)
	root  TCP 1.2.3.4:22->6.7.8.9:43698 (ESTABLISHED)
	huangwei  TCP 1.2.3.4:22->6.7.8.9:43698 (ESTABLISHED)
	root  TCP 1.2.3.4:22->6.7.8.9:44943 (ESTABLISHED)
	huangwei  TCP 1.2.3.4:22->6.7.8.9:44943 (ESTABLISHED)
	huangwei  TCP 1.2.3.4:38038->74.125.227.20:www (ESTABLISHED)
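	Who is opening a large number of concurrent connections?
DDoS? A website administrator's nightmare! Can one "simple" command find the script kiddies? Take a look: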
	$ sudo netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
	      8 192.168.0.218
	      7 192.168.0.38
	      6 192.168.0.14
	      6 0.0.0.0
	      2 192.168.0.166
	      2 192.168.0.110
	      2 192.168.0.10
	      1 192.168.232.223
	      1 192.168.0.70
	      1 192.168.0.6
	      1 192.168.0.50
	      1 192.168.0.22
	      1 192.168.0.210
	      1 192.168.0.194
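
The one-liner above cuts at the first colon, so IPv6 peers are truncated, and it counts listening sockets as 0.0.0.0. The following is an added example, not part of the original post, that counts connections per remote address with both cases handled; the function names `count_peers` and `sample_netstat` and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# count_peers [MIN]: read `netstat -an` style rows on stdin and print
# "count address" per remote peer, busiest first. MIN (default 1) hides
# peers with fewer connections. Real use: sudo netstat -an | count_peers 20
count_peers() {
    awk -v min="${1:-1}" '
        # Only TCP/UDP socket rows; column 5 is the foreign address.
        $1 ~ /^(tcp|udp)/ {
            peer = $5
            # Strip only the trailing :port so IPv6 addresses stay whole.
            sub(/:[^:]*$/, "", peer)
            # Listeners and unconnected sockets have a wildcard peer.
            if (peer == "0.0.0.0" || peer == "::" || peer == "*" || peer == "") next
            count[peer]++
        }
        END { for (p in count) if (count[p] >= min + 0) print count[p], p }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample in Linux `netstat -an` layout (not captured from a host).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.5:80          192.168.0.218:51234     ESTABLISHED
tcp        0      0 192.168.0.5:80          192.168.0.218:51235     ESTABLISHED
tcp        0      0 192.168.0.5:80          192.168.0.218:51236     TIME_WAIT
tcp        0      0 192.168.0.5:80          192.168.0.38:40022      ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 2001:db8::5:80          2001:db8::99:51000      ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8::99:51001      ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

# Run against the constructed sample when executed directly.
sample_netstat | count_peers
```
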
	How many ports does the server have open right now? Take a look:
	$ sudo lsof -i
	COMMAND    PID     USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
	mysqld    1190    mysql   10u  IPv4    5022      0t0  TCP localhost:mysql (LISTEN)
	apache2   1347     root    3u  IPv4    5327      0t0  TCP *:www (LISTEN)
	svnserve  1759      svn    3u  IPv4    6612      0t0  TCP ooxx-vpn:svn (LISTEN)
	sshd      2583     root    3r  IPv4 1194924      0t0  TCP 192.168.1.176:8822->192.168.2.223:40876 (ESTABLISHED)
	