Viewing users' system access

Slashdot it! Delicious Share on Facebook Tweet! Digg!

Colorful Output

If you want to see something more exciting than the monochrome output of the tools mentioned above, you can use the whowatch [3] tool. The program shows users and their processes output graphically, in color, and, more importantly, updated in real time.

Figure 1 shows the output of a system with 11 users (7 local, 1 connected via SSH, and 3 others) bustling about. In the illustration, the indented processes were started within outdented processes above them.

Figure 1: Process analysis with whowatch.

So you can see that the user test connected over SSH activated a terminal, which runs a Bash shell and is currently working with Midnight Commander (mc ). The whowatch command works with the keyboard and has a menu you can start by pressing F9. The menu offers features such as the possibility to display details of a selected processes and to end the process if necessary.

Active Connections

Even more than local activities, connections to and from the outside world are also interesting. The w and whowatch programs mentioned above already gave you some information about activity over the network. An additional tool to use is ss , which is part of the standard set of tools of any Linux. The name of the program comes from socket statistics and, in terms of functionality, it has similarities with netstat [4], as it inspects the network sockets for, TCP, UDP, DCCP, RAW connections, and connections to Unix domain sockets. In addition to the statistical information, it lists the existing connections.

The ss tool offers a variety of options [5]. By using ss -pl | grep 17500 , you will see which processes opened Port 17500. In Listing 7, you can see that would be Dropbox, the file exchange service. Option -p stands for --processes and displays the process names. The -l option stands for --listening and limits the output to only existing listening connections.

Listing 7

Using ss

$ ss -pl | grep 17500
LISTEN  0       128             *:17500         *:*             users:(("dropbox",4957,27))

You can obtain a list of all of the existing TCP connections by using ss -t (Listing 8). The keyword ESTAB is shown when a connection has been established. The CLOSW-WAIT tag is displayed when the socket is about to close. The other columns show the local and remote IP addresses, and the port or the network protocol. The listing shows very common connections such as IMAP, LDAP, IRC, SSH, HTTP, HTTPS, NFS and AFS via IPv4, and IPv6.

Listing 8

Output of ss -t

01 $ ss -t
02 State                        Recv-Q  Send-Q  Local Address:Port                              Peer Address:Port
03 ESTAB                        0               0               2001:bf0:c000:a::1:123:36483            2001:748:100:40::8:112:imap2
04 CLOSE-WAIT   1               0                       
05 ESTAB                        0               0                         
06 ESTAB                        0               0                            
07 ESTAB                        0               0                       
08 ESTAB                        0               0                       
09 ESTAB                        0               0                       
10 ESTAB                        0               0                       
11 ESTAB                        0               0                         
12 ESTAB                        0               0                       

You can restrict the output even further if you invoke individual options by employing Boolean operations. The following example filters out all of the existing HTTP connections (Listing 9). You can attain this with option -o state established , or conversely by explicitly stating the network protocol http for the source address and destination address.

Listing 9

Using ss Filters

01 $ ss -o state established '( dport = :http or sport = :http )'
02 Recv-Q       Send-Q          Local Address:Port              Peer Address:Port
03 0                    0               
04 0                    0               
05 0                    0               
06 0                    0               

Use sport for source port and dport for the destination port. Again, you must enclose the string in simple quotation marks, so the shell does not evaluate the expression but rather passes it on to ss as is.

You can also filter HTTPS connections that come from outside using the dst (for destination) keyword and specifying the https protocol (Listing 10).

Listing 10

Filtering External Connections

01 $ ss dst :https
02 State                Recv-Q  Send-Q  Local Address:Port              Peer Address:Port
03 ESTAB                0               0       
04 ESTAB                0               0       
05 ESTAB                0               0       
06 ESTAB                0               0       
07 ESTAB                0               0       

Buy this article as PDF

Express-Checkout as PDF

Pages: 5

Price $0.99
(incl. VAT)

Buy Ubuntu User

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Finding dynamic IP addresses

    What are the IP addresses for your router, laptop, and coffee maker? Clever Linux tools come to the rescue to help you get this information.

  • Pyspread – The Spreadsheet with a Python connection

    You can find plenty of spreadsheets offering a multitude of features. The Python-based Pyspread demonstrates that a sophisticated spreadsheet application can also be newcomer-friendly.

  • Ubuntu 2014

    Jono takes a look at development in the year ahead.

  • Installing and testing Nextcloud

    Leading ownCloud developers, including the project founder Frank Karlitschek, became dissatisfied with the direction of the project, so they started Nextcloud, a fork of the code and a new company. The goal is to create a better balance among the company, clients, and users. We take a look at how Nextcloud is faring.

  • GNOME Cleartext Passwords: Bug or Feature?

    The current discussion in the Ubuntu forums is about a possible security hole in GNOME, specifically about GNOME registered users having their passwords appear as cleartext on the keyring. Not a bug, say its defenders, but the security concept behind the GNOME keyring.