Commands for checking service ports, explained
nmap
Examples
- Check which ports are open on a host. Without -p, nmap does not scan ports 1-10000; it scans its default list of the 1000 most common TCP ports, which is why the report says "Not shown: 999 closed ports" plus the single open port
]# nmap 192.168.74.130
Starting Nmap 6.40 ( http://nmap.org ) at 2020-05-06 16:56 CST
Nmap scan report for 192.168.74.130
Host is up (0.000022s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 5.64 seconds
- -vv: verbose output (shows the scan phases, their timing and the raw packet counts)
]# nmap -vv 192.168.74.130
Starting Nmap 6.40 ( http://nmap.org ) at 2020-05-06 16:58 CST
Initiating Parallel DNS resolution of 1 host. at 16:58
Completed Parallel DNS resolution of 1 host. at 16:59, 13.00s elapsed
Initiating SYN Stealth Scan at 16:59
Scanning 192.168.74.130 [1000 ports]
Discovered open port 22/tcp on 192.168.74.130
Completed SYN Stealth Scan at 16:59, 1.58s elapsed (1000 total ports)
Nmap scan report for 192.168.74.130
Host is up (0.000030s latency).
Scanned at 2020-05-06 16:59:06 CST for 2s
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 14.61 seconds
Raw packets sent: 1061 (46.684KB) | Rcvd: 2123 (89.168KB)
- Scan the port range 20000-30000; a port number cannot exceed 65535
]# nmap -p20000-30000 192.168.74.130
...
PORT STATE SERVICE
20022/tcp open unknown
...
- Scan a specific list of ports (the report below is for 22, 25 and 80)
]# nmap -p22,25,80 192.168.74.130
...
PORT STATE SERVICE
22/tcp open ssh
25/tcp closed smtp
80/tcp closed http
...
- Ping-style host discovery with no port scan; roughly what ping ip does, except that nmap also sends TCP probes, so it can find hosts that block ICMP. -sP is the older spelling; current nmap names the same scan -sn
]# nmap -sP ip
- Discover the live hosts in a whole /24 network
]# nmap -sP ip/24
- Trace the route to a target, given as a hostname or an IP. The option is --traceroute (two dashes; nmap also tolerates a single dash in front of long options)
]# nmap --traceroute www.baidu.com
Starting Nmap 6.40 ( http://nmap.org ) at 2020-05-06 17:09 CST
Nmap scan report for www.baidu.com (61.135.169.125)
Host is up (0.023s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.121
Not shown: 997 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
6667/tcp closed irc
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 48.24 ms 192.168.74.2
2 43.83 ms 61.135.169.125
Nmap done: 1 IP address (1 host up) scanned in 18.57 seconds
- Aggressive scan: OS detection, service/version detection, the default NSE script set and traceroute. -A does not change which ports are scanned, so without -p it still covers only the default 1000 ports
]# nmap -A ip
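The reports above are nmap's normal human-readable output. The following shell functions, added here as an example and not part of nmap, pull the confirmed-open ports out of such a report; the sample report is constructed to match the `-p22,25,80` format shown earlier, with one extra open port added. For real automation prefer nmap's grepable (`-oG`) or XML (`-oX`) formats, which are meant for parsing; this shows what to look at in the plain report.

```sh
# Added example written for this page (not part of nmap): parse the normal
# nmap report format. Constructed sample report, in the shape that
# `nmap -p22,25,80,8080 <host>` prints.
SAMPLE_NMAP_REPORT='Starting Nmap 6.40 ( http://nmap.org ) at 2020-05-06 16:56 CST
Nmap scan report for 192.168.74.130
Host is up (0.000022s latency).
PORT     STATE  SERVICE
22/tcp   open   ssh
25/tcp   closed smtp
80/tcp   closed http
8080/tcp open   http-proxy
Nmap done: 1 IP address (1 host up) scanned in 5.64 seconds'

# nmap_target: the scanned host named on the "Nmap scan report for" line.
nmap_target() {
  awk '/^Nmap scan report for / { print $5; exit }'
}

# nmap_open_ports: print "port/proto service" for every port line whose STATE
# column is exactly "open". States such as "open|filtered" (seen with UDP
# scans) are deliberately not matched, because they are not confirmed open.
nmap_open_ports() {
  awk '$1 ~ "^[0-9]+/(tcp|udp)$" && $2 == "open" { print $1, $3 }'
}

# nmap_open_port_count: number of confirmed-open ports in the report on stdin.
nmap_open_port_count() {
  nmap_open_ports | wc -l | tr -d ' '
}

# Usage: feed a saved report (nmap ... > scan.txt) or the sample:
#   printf '%s\n' "$SAMPLE_NMAP_REPORT" | nmap_open_ports
```

Save a real scan with `nmap ... > scan.txt` and pipe the file into `nmap_open_ports`; the header and footer lines are ignored because they never start with a `port/proto` token.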
ss
- ss -tnlp    # listening TCP sockets, numeric ports, with the owning process
- ss -o state fin-wait-1 '( sport = :http or sport = :https )'    # sockets in FIN-WAIT-1 whose local port is 80 or 443, with timer info
- ss src ip[:port]    # match by local address (and optionally port)
- ss dst ip[:port]    # match by peer address (and optionally port)
Usage
ss [options] [filter]
-t: TCP sockets
-u: UDP sockets
-a: all sockets (listening and non-listening)
-l: listening sockets only
-p: show the process that owns each socket (needs root to see other users' processes)
-n: numeric ports instead of service names (as in ss -tnlp above)
-s: print summary statistics (socket counts per type), not a socket list
-o: show timer information
state STATE: keep only sockets in a given TCP state, for example
  ss -o state fin-wait-1 '( sport = :http or sport = :https )'
Valid state names:
established
syn-sent
syn-recv
fin-wait-1
fin-wait-2
time-wait
closed
close-wait
last-ack
listen
closing
all: all of the above states
connected: all states except listen and closed
synchronized: all the connected states except syn-sent
bucket: states that are kept as minisockets, i.e. time-wait and syn-recv
big: the opposite of bucket
Examples
- Show all TCP sockets, with numeric ports
]# ss -atn
- Show TCP connections in the established state
]# ss -t state established
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 0 192.168.74.130:ssh 192.168.74.1:50978
- Match by local address (and optionally port)
]# ss src 192.168.74.130
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 192.168.74.130:ssh 192.168.74.1:50978
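On a busy host the useful question is usually not "which sockets exist" but "how many are in each state", for instance whether SYN-RECV (half-open) connections are piling up on one port. The functions below, added here as an example and not part of iproute2, summarise `ss -tan` output by state and raise an alert above a threshold; the sample output is constructed in the column layout `ss -tan` prints (no Netid column, because only -t was given).

```sh
# Added example for this page (not part of iproute2): summarise `ss -tan` output.
# Constructed sample, laid out like real `ss -tan` output.
SAMPLE_SS_TAN='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    *:22                 *:*
ESTAB      0      0      192.168.74.130:22    192.168.74.1:50978
ESTAB      0      52     192.168.74.130:22    192.168.74.1:50990
SYN-RECV   0      0      192.168.74.130:80    10.0.0.5:41002
SYN-RECV   0      0      192.168.74.130:80    10.0.0.6:41003
SYN-RECV   0      0      192.168.74.130:80    10.0.0.7:41004
TIME-WAIT  0      0      192.168.74.130:80    192.168.74.1:51000'

# ss_state_counts: "STATE count" per state, most frequent first (ties by name).
# NR > 1 skips the header line.
ss_state_counts() {
  awk 'NR > 1 { n[$1]++ } END { for (s in n) print s, n[s] }' | sort -k2,2nr -k1,1
}

# ss_count_state STATE: number of sockets in one state (prints 0 if none).
ss_count_state() {
  awk -v want="$1" 'NR > 1 && $1 == want { c++ } END { print c + 0 }'
}

# ss_synrecv_alert THRESHOLD: if more than THRESHOLD sockets are in SYN-RECV,
# print a line per affected local port and exit 0; otherwise print nothing and
# exit 1. The local port is the last ":"-separated field of column 4, which also
# copes with bracketed IPv6 addresses such as [::1]:80.
ss_synrecv_alert() {
  awk -v max="$1" '
    NR > 1 && $1 == "SYN-RECV" { n = split($4, a, ":"); port[a[n]]++; total++ }
    END {
      if (total + 0 <= max + 0) exit 1
      for (p in port) print "SYN-RECV pile-up on local port " p ": " port[p]
    }'
}

# Usage against the live host:  ss -tan | ss_state_counts
#                               ss -tan | ss_synrecv_alert 200
```

The threshold is a local decision: a few SYN-RECV entries are normal on any public service, while hundreds that never progress to ESTAB usually mean a SYN flood or a client population that cannot complete the handshake.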
netstat
Used much like ss, but slower. netstat builds its socket list by parsing the text files under /proc/net (such as /proc/net/tcp), and with -p it additionally walks every /proc/PID/fd directory to map sockets to processes, which is what makes it expensive on a busy host. ss instead asks the kernel directly over netlink (the sock_diag/tcp_diag interface) and receives the socket table in binary form, so it uses far less CPU and time.
When a server has a very large number of sockets (tens of thousands), both netstat and a plain cat /proc/net/tcp become slow, because the kernel must format every entry as text before user space can read it; ss saves a lot of time here. If the tcp_diag module is not available, ss still works by falling back to /proc/net; it is then somewhat slower, but still faster than netstat.
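To see what netstat (and `cat /proc/net/tcp`) actually has to decode, here is a small decoder for the /proc/net/tcp format, added as an example for this page and not taken from net-tools. Each entry stores the IPv4 address as one 32-bit hex word in host byte order, so on little-endian machines the bytes read backwards, and the state is a hex code. The sample lines are constructed to correspond to the sshd listener and the established SSH session shown in the ss examples above.

```sh
# Added example for this page (not from net-tools or iproute2): decode
# /proc/net/tcp entries into readable "local peer STATE uid=N" lines.
# Constructed sample: sshd listening on *:22 plus one established session
# 192.168.74.130:22 <-> 192.168.74.1:50978 (0xC722), as a little-endian host
# writes them. Columns: sl local rem st txq:rxq tr:when retrnsmt uid timeout inode ...
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 824AA8C0:0016 014AA8C0:C722 01 00000000:00000000 02:00028F9C 00000000     0        0 23456 1 0000000000000000 20 4 30 10 -1'

# proc_tcp_decode: read /proc/net/tcp (or a saved copy) on stdin and print one
# "local:port peer:port STATE uid=N" line per socket. Pure POSIX awk, so it
# works without gawk's strtonum().
proc_tcp_decode() {
  awk '
    # hex2dec: parse a hex string without relying on gawk extensions.
    function hex2dec(h,   i, v) {
      v = 0
      h = toupper(h)
      for (i = 1; i <= length(h); i++)
        v = v * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
      return v
    }
    # hexaddr2ip: "824AA8C0:0016" -> "192.168.74.130:22". The address word is in
    # host byte order, so on little-endian hosts the octets are reversed.
    function hexaddr2ip(a,   parts, h) {
      split(a, parts, ":"); h = parts[1]
      return hex2dec(substr(h, 7, 2)) "." hex2dec(substr(h, 5, 2)) "." \
             hex2dec(substr(h, 3, 2)) "." hex2dec(substr(h, 1, 2)) ":" hex2dec(parts[2])
    }
    BEGIN {
      # Kernel TCP state codes 1..11 (0A = 10 = LISTEN).
      split("ESTABLISHED SYN_SENT SYN_RECV FIN_WAIT1 FIN_WAIT2 TIME_WAIT CLOSE CLOSE_WAIT LAST_ACK LISTEN CLOSING", names, " ")
    }
    NR > 1 { print hexaddr2ip($2), hexaddr2ip($3), names[hex2dec($4)], "uid=" $8 }
  '
}

# proc_tcp_listeners: only the LISTEN entries, as "local:port uid=N".
proc_tcp_listeners() {
  proc_tcp_decode | awk '$3 == "LISTEN" { print $1, $4 }'
}

# Usage on a live host:   proc_tcp_decode < /proc/net/tcp
#                         proc_tcp_listeners < /proc/net/tcp
```

Note that /proc/net/tcp covers IPv4 only; IPv6 sockets live in /proc/net/tcp6 with 128-bit addresses written as four such words, which this decoder does not handle. The inode column is what netstat -p matches against every /proc/PID/fd symlink, which is the walk that makes it slow.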
telnet
- Interactive connection to a remote host
- Quick test of whether a remote port accepts TCP connections
Examples:
- Test port 80 on a remote host
]# telnet 192.168.153.130 80
A listening port answers with "Connected to 192.168.153.130." followed by "Escape character is '^]'."; a closed port returns "Connection refused"; a filtered port just hangs until the connect attempt times out. Press Ctrl+] and then type quit to leave the session.
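telnet is interactive and is often not installed on minimal servers. The functions below, added here as an example and not part of telnet or of this page's original material, perform the same check from a script with exit codes, using bash's /dev/tcp pseudo-device (so bash must be present even if the script itself runs under sh) and coreutils timeout when available, so that a filtered port does not hang the script. The mapping of outcomes to open/closed/filtered follows nmap's vocabulary and is an assumption of this example, not something telnet reports.

```sh
# Added example for this page (not part of telnet): scriptable TCP port check.
# Assumes bash is installed (for /dev/tcp); uses `timeout` if present.

# check_tcp_port HOST PORT [SECONDS]: exit 0 if a TCP connection succeeds,
# 124 if it times out, any other non-zero status on refusal or other errors.
check_tcp_port() {
  host=$1
  port=$2
  secs=${3:-3}
  if command -v timeout >/dev/null 2>&1; then
    timeout "$secs" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null
  else
    bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null
  fi
}

# port_state HOST PORT [SECONDS]: print open, filtered or closed.
#   open     - the handshake completed
#   filtered - no answer before the timeout (dropped by a firewall, or no route)
#   closed   - anything else: RST/refused, unreachable, name resolution failure
# This is coarser than nmap, which distinguishes unreachable from closed.
port_state() {
  if check_tcp_port "$1" "$2" "${3:-3}"; then
    echo open
  else
    case $? in
      124) echo filtered ;;
      *)   echo closed ;;
    esac
  fi
}

# Usage:  port_state 192.168.153.130 80
#         check_tcp_port 192.168.153.130 22 && echo "ssh reachable"
```

Because the check completes a real TCP handshake, it is equivalent to an nmap connect scan of one port and will appear in the target's logs just as a telnet attempt would.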