List all IP addresses connected to your Server

Below is a Unix command that lists all the IP addresses connected to your server on port 80.


netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head

Output – Total connections by IP, from highest to lowest.


     97 114.198.236.100
     56 67.166.157.194
     44 170.248.43.76
     38 141.0.9.20
     37 49.248.0.2
     37 153.100.131.12
     31 223.62.169.73
     30 65.248.100.253
     29 203.112.82.128
     29 182.19.66.187

Note
This command is useful for detecting whether your server is under attack, so that you can null route those IPs. Read this null route attacker IP story.

Let's break the lengthy command above into pieces:

1. netstat -tn 2>/dev/null

Uses netstat to list all network connections, ins and outs.

  1. -n – Display numeric only, don’t resolve into name.
  2. -t – Display only TCP connections.

Output


#Examples - 7 connections
tcp        0      0 64.91.*.*:80            114.198.236.100:12763       TIME_WAIT   
tcp        0      0 64.91.*.*:80            175.136.226.244:51950       TIME_WAIT   
tcp        0      0 64.91.*.*:80            175.136.226.244:51951       TIME_WAIT   
tcp        0      0 64.91.*.*:23            202.127.210.2:14517         TIME_WAIT   
tcp        0      0 64.91.*.*:80            149.238.193.121:65268       TIME_WAIT   
tcp        0      0 64.91.*.*:80            114.198.236.100:44088       ESTABLISHED
tcp        0      0 64.91.*.*:80            175.136.226.244:51952       TIME_WAIT   

2>/dev/null – Redirects error messages (stderr) to /dev/null, a special file that discards everything written to it.

2. grep :80

Display only the IP addresses connected to the server on port 80.


tcp        0      0 64.91.*.*:80            114.198.236.100:12763       TIME_WAIT   
tcp        0      0 64.91.*.*:80            175.136.226.244:51950       TIME_WAIT   
tcp        0      0 64.91.*.*:80            175.136.226.244:51951       TIME_WAIT   
tcp        0      0 64.91.*.*:80            149.238.193.121:65268       TIME_WAIT   
tcp        0      0 64.91.*.*:80            114.198.236.100:44088       ESTABLISHED
tcp        0      0 64.91.*.*:80            175.136.226.244:51952       TIME_WAIT

3. awk '{print $5}'

Uses awk to display the 5th field only.


114.198.236.100:12763  
175.136.226.244:51950
175.136.226.244:51951
149.238.193.121:65268
114.198.236.100:44088
175.136.226.244:51952

4. cut -d: -f1

Uses cut to extract the IP address, dropping the port.

  1. -d – The character immediately following the -d option is used as the delimiter; the default is tab.
  2. -f – Specifies a field list, separated by a delimiter.

114.198.236.100
175.136.226.244
175.136.226.244
149.238.193.121
114.198.236.100
175.136.226.244

5. sort | uniq -c | sort -nr

Sort the list, group it and sort it again in reverse order.

sort


114.198.236.100
114.198.236.100
149.238.193.121
175.136.226.244
175.136.226.244
175.136.226.244

uniq -c – Group it.


2 114.198.236.100
1 149.238.193.121
3 175.136.226.244

sort -nr – Sort numerically, in reverse order (highest displayed first).


3 175.136.226.244
2 114.198.236.100
1 149.238.193.121

Done.

6. head

This is optional; it displays only the first 10 results.
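
The pipeline above has two blind spots when used for triage: grep :80 also matches local port 8080 and any remote port that starts with 80, and cut -d: -f1 truncates IPv6 and IPv4-mapped addresses. The following is an added example, not part of the original article; count_remote_ips is a hypothetical helper name and the sample input is constructed from documentation address ranges. It matches the local port exactly and strips only the trailing port from the remote address.

```shell
#!/bin/sh
# Added example (not from the original article): per-IP connection counts
# for one local port, parsed from `netstat -tn` style text on stdin.

# Constructed sample input; addresses are from documentation ranges.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:12763      TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.7:44088      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51950       ESTABLISHED
tcp        0      0 192.0.2.10:8080         203.0.113.9:40000       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:8012        ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:50111 ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::beef:50222    ESTABLISHED
EOF
}

# count_remote_ips PORT [STATE]   (hypothetical helper name)
count_remote_ips() {
    awk -v port="$1" -v state="${2:-}" '
        $1 !~ /^tcp/ { next }                    # skip headers, non-TCP lines
        {
            lport = $4; remote = $5
            sub(/^.*:/, "", lport)               # local port = text after last colon
            if (lport != port) next              # exact match, so 8080 != 80
            if (state != "" && $6 != state) next # optional TCP state filter
            sub(/:[^:]*$/, "", remote)           # drop remote port, keep IPv6 whole
            sub(/^::ffff:/, "", remote)          # IPv4-mapped IPv6 -> plain IPv4
            count[remote]++
        }
        END { for (ip in count) printf "%d %s\n", count[ip], ip }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Demo on the sample; live use: netstat -tn 2>/dev/null | count_remote_ips 80
sample_netstat | count_remote_ips 80
```

Passing ESTABLISHED as the second argument leaves out TIME_WAIT entries, which linger after a connection closes and inflate the counts for clients that open many short-lived connections.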


About the Author

mkyong
Founder of Mkyong.com, love Java and open source stuff.

Comments

flaxious

I just Love your step by step explanation, thank you very much!

mrmister

Hi, is there some way to see who was connected to my server in some time period and save that information in a text file?

Fedor Petryk

awesome

Mary

Someone from a server is in all my phones and devices. I’ve factory reset my phones. It is still a problem. Please help me


Suyash Jain

Hi,

You do not need to go so deep; you can achieve the same with this, and it works for IPv6 also.

http://www.suyashjain.com/toppings/netstat-tricks-1/

Thanks

mrmagne

Hi,

When I run your command, I get this:

1420
1 66.249.75.226

What does the number 1420 represent?

Nelson Eduardo

netstat shows some IPv4 expressed through IPv6. So reverse, cut first and move to second last. All valid IPs include the port, so the “grep :”

$ netstat -tn 2>/dev/null | awk '{print $5}' | grep : | rev | cut -d: -f2- | rev | sort | uniq -c | sort -nr

Add the next command to drop loopback.
grep -v -e '::1' -e '127.0.0.1'


Mahmoud

you saved my day :)
I had to change it a little bit for my needs:
netstat -na | grep 8001 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr