Please help me understand my netstat output

Hello, I just wanted to verify that the only services that have open ports on my server are the web server and SSH server. So I ran netstat -anp and I don't understand some of the listings; I read the netstat man page but it doesn't really answer my questions. I will list my netstat output interleaved with my comments here, with some IP addresses changed to protect the innocent, and with the unix sockets stuff removed because I don't think it's relevant:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   

This is my SSH server listening on port 22 for all the world to connect to.

tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      -                   

This is my postgres server listening only on the local IP address, not routable, for all the world to connect to. I believe that only my own server can connect internally to it because it is using the localhost IP address; but I wonder why the configuration is such that the port is open to anyone. Does this mean that if someone managed to tunnel over my SSH server that they could connect remotely to my postgres server? Would it make any difference to change my postgres configuration to only listen for connections from localhost?

tcp        0     48 AAA.BBB.CCC.DDD:22      WWW.XXX.YYY.ZZZ:21796     ESTABLISHED -                   

This is my current SSH connection to the server on which I ran netstat (IP addresses redacted).

tcp        0      0 :::80                   :::*                    LISTEN      -                   

This is my Apache web server listening on port 80 for the world to connect to. But I don't understand why it is listed in this form - I don't understand this form of address (three colons and then a port). Why isn't it listed like the SSH server as 0.0.0.0:80 with remote address 0.0.0.0:*? I don't understand this way of listing addresses or why it is different than the SSH case.

tcp        0      0 ::1:5432                :::*                    LISTEN      -                   

This is my postgres server again, I believe; the port number is right. But I don't understand why it's listed again here. For what it's worth, I did try connecting to port 5432 from the outside and got 'connection refused' even though this line makes it look like postgres is listening to the world. I am confused.

udp        0      0 ::1:57034               ::1:57034               ESTABLISHED -      

OK what the heck is this?

4 Replies

Your postgres is listening on localhost only, which means only your server can connect to it. If someone got into your server via SSH then yes, they could connect, but you'd also have bigger problems.

Postgres/apache is listed twice because of IPv6; ::1:5432 is the IPv6 equivalent of 127.0.0.1:5432.

The last one, not sure. Run sudo netstat -lpntu to see what's listening; the pid/program name is only shown when running as root.

@obs:

Your postgres is listening on localhost only, which means only your server can connect to it. If someone got into your server via SSH then yes, they could connect, but you'd also have bigger problems.

Postgres/apache is listed twice because of IPv6; ::1:5432 is the IPv6 equivalent of 127.0.0.1:5432.

The last one, not sure. Run sudo netstat -lpntu to see what's listening; the pid/program name is only shown when running as root.

Thank you for your response. If the ::: address form is for IPv6, why would my apache server only be listed as listening on :::80? Does that mean that it is only listening on IPv6 (impossible as I connect to it via IPv4 all the time)? Or is the IPv4 listing somehow 'folded up' into this IPv6 line?

I ran the netstat -lpntu command you specified but that UDP connection is gone now and isn't listed anymore. I really don't know what that was. Should I be concerned?

Apache should be listening on IPv4 as well; what does sudo netstat -lpntu show (the full output)?

netstat -apn shows all connections, not just listening ones, so the other udp you can ignore; it was only localhost anyway.

@bji:

Thank you for your response. If the ::: address form is for IPv6, why would my apache server only be listed as listening on :::80? Does that mean that it is only listening on IPv6 (impossible as I connect to it via IPv4 all the time)? Or is the IPv4 listing somehow 'folded up' into this IPv6 line?

OK, I can answer my own question here, after having done some reading on IPv6 (very interesting!).

Linux supports IPv4-mapped IPv6 addresses and thus a process on Linux can listen only on an IPv6 port and still communicate with IPv4 hosts. To the server, it is always talking only IPv6; but IPv4 clients are automatically connected to the server via the IPv4 to IPv6 mapping that the Linux TCP stack(s) do.

This is a nice feature of Linux that makes server implementations simpler while at the same time providing support for both IPv4 and IPv6 transparently.

I guess that Apache is now written to take advantage of this feature, whereas postgresql and sshd (at least the old-ish versions I have) are not, which explains the differences in the way they are listed from netstat (postgresql and sshd being listed as IPv4 services, Apache as an IPv6 service).

EDIT

I also figured out what that weird udp connection was … I got another one and it looks like it's postgresql. I have no idea why postgresql sends IPv6 UDP packets to itself but anyway the connection appears to be postgresql related. e.g.

udp        0      0 ::1:57034               ::1:57034               ESTABLISHED 1313/postgres   
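
The check the original poster was doing by eye, as an added example that is not part of the thread: it parses the netstat lines quoted above, splits each local address on its last colon so the `:::80` and `::1:5432` forms parse, and reports which TCP listeners are reachable beyond loopback. The function names and the allow-list of ports 22 and 80 are assumptions; the sample is constructed from the lines in the thread.

```python
import ipaddress

# Constructed sample: the netstat lines quoted in the thread.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      -
tcp        0     48 AAA.BBB.CCC.DDD:22      WWW.XXX.YYY.ZZZ:21796   ESTABLISHED -
tcp        0      0 :::80                   :::*                    LISTEN      -
tcp        0      0 ::1:5432                :::*                    LISTEN      -
udp        0      0 ::1:57034               ::1:57034               ESTABLISHED 1313/postgres
"""

def split_hostport(addr):
    """Split on the LAST colon so IPv6 forms parse: ':::80' -> ('::', 80)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)

def tcp_listeners(text):
    """Yield (port, address, scope) for each TCP socket in LISTEN state."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue  # header, established connections, UDP
        host, port = split_hostport(f[3])
        ip = ipaddress.ip_address(host)
        if ip.is_loopback:            # 127.0.0.1 or ::1
            scope = "loopback"
        elif ip.is_unspecified:       # 0.0.0.0 or :: (wildcard bind)
            scope = "all-interfaces"
        else:
            scope = "one-interface"
        yield port, str(ip), scope

def unexpected_exposure(text, allowed_ports):
    """Ports reachable from other hosts that are not on the allow-list."""
    return sorted({port for port, _, scope in tcp_listeners(text)
                   if scope != "loopback" and port not in allowed_ports})

if __name__ == "__main__":
    for port, ip, scope in tcp_listeners(SAMPLE):
        note = ""
        if ip == "::":
            # netstat does not show IPV6_V6ONLY; a '::' listener may also
            # accept IPv4 clients through IPv4-mapped addresses.
            note = " (may also serve IPv4)"
        print(f"{port:>5}  {ip:<12} {scope}{note}")
    print("unexpected:", unexpected_exposure(SAMPLE, {22, 80}))
```

The foreign-address column of a LISTEN line (`0.0.0.0:*` or `:::*`) is a placeholder for "no peer yet"; the local address is what decides who can reach the port.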
