• Get application security done the right way! Detect, Protect, Monitor, Accelerate, and more…
  • Configuring, monitoring, and securing networks form an essential part of a Sysadmin’s job. When it comes to managing Linux networks, there are many commands and utilities available.

    At times networked systems fail. You as an administrator are required to diagnose and resolve issues. Monitoring helps in detecting problems and fixing them before things get out of hand. Monitoring for security and performance also forms an essential part of an admin’s activities.

    Here we discuss some commonly used commands to manage Linux networks.

    ip

    The iproute2 package includes the IP command which is used for network and routing configuration. This replaces the traditional ifconfig and route commands.

    ip takes a second argument that specifies the object on which you wish to execute a command and an action like add, delete, or show.

    ip link

    ip link is for configuring, adding, and deleting network interfaces. Use ip link show command to display all network interfaces on the system :

    $ ip link show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
        link/ether 02:35:97:08:6b:2a brd ff:ff:ff:ff:ff:ff
    3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
        link/ether 08:00:27:6f:60:ff brd ff:ff:ff:ff:ff:ff

    You can see the man page for ip link with:

    $ man  ip-link

    ip address

    Use ip address command to display addresses, bind new address or delete old ones. The man page ip address command is named as ip-address.

    For example, the following command shows the IP address assigned to the network interface enp0s8:

    ip address show dev enp0s8
    3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 08:00:27:6f:60:ff brd ff:ff:ff:ff:ff:ff
        inet 10.0.0.51/24 brd 10.0.0.255 scope global enp0s8
    ...
    

    ip route

    Use the IP route to print or display the routing table. The following command displays the contents of the routing table:

    $ ip route show
    default via 10.0.2.2 dev enp0s3 
    10.0.0.0/24 dev enp0s8  proto kernel  scope link  src 10.0.0.51 
    10.0.2.0/24 dev enp0s3  proto kernel  scope link  src 10.0.2.15

    nmap

    While Nmap had been used in many movies,  The Matrix Reloaded (Wikipedia, IMDB, Amazon) turned Nmap into a movie star!.

    Nmap (“Network Mapper”) is a powerful utility used for network discovery, security auditing, and administration. Many system admins use it to determine which of their systems are online, and also for OS detection and service detection. 

    The default Nmap scan shows the ports, their state (open/closed), and protocols. It sends a packet to 1000 most common ports and checks for the response.

    $ nmap 10.0.0.50
    
    Starting Nmap 7.01 ( https://nmap.org ) at 2020-09-07 10:32 UTC
    Nmap scan report for 10.0.0.50
    Host is up (0.00077s latency).
    Not shown: 997 filtered ports
    PORT     STATE  SERVICE
    22/tcp   open   ssh
    80/tcp   open   http
    3306/tcp closed mysql

    To check which hosts on your network are up:

    $ nmap -sn 10.0.0.0/24
    
    Starting Nmap 7.01 ( https://nmap.org ) at 2020-09-07 11:59 UTC
    Nmap scan report for 10.0.0.1
    Host is up (0.00084s latency).
    Nmap scan report for 10.0.0.50
    Host is up (0.0021s latency).
    Nmap scan report for 10.0.0.51
    Host is up (0.00026s latency).
    Nmap done: 256 IP addresses (3 hosts up) scanned in 2.61 seconds

    Use -O flag to identify which operating system a host is running.

    $ sudo  nmap 10.0.0.50 -O
    Starting Nmap 7.01 ( https://nmap.org ) at 2020-09-07 13:44 UTC
    Nmap scan report for 10.0.0.50
    Host is up (0.00053s latency).
    ...
    Running: Linux 3.X
    OS CPE: cpe:/o:linux:linux_kernel:3
    OS details: Linux 3.10 - 3.19
    Network Distance: 1 hop
    OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 21.95 seconds

    A word of caution: Nobody appreciates their systems being scanned over the internet. So before you do so, seek permission.

    You can also use Nmap on Windows, check out this installation guide.

    ping

    Use ping to see if a host is alive. This super simple command helps you check the status of a host or a network segment. Ping command sends an ICMP ECHO_REQUEST packet to the target host and waits to see if it replies.

    However, some hosts block ICMP echo requests with a firewall. Some sites on the internet may also do the same.

    By default, ping runs in an infinite loop. To send a defined number of packets, use -c flag.

    $ ping -c 3 google.com 
    PING google.com (172.217.167.238): 56 data bytes
    64 bytes from 172.217.167.238: icmp_seq=0 ttl=118 time=7.898 ms
    64 bytes from 172.217.167.238: icmp_seq=1 ttl=118 time=7.960 ms
    64 bytes from 172.217.167.238: icmp_seq=2 ttl=118 time=6.247 ms
    
    --- google.com ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 6.247/7.368/7.960/0.793 ms

    With -o flag ping exits successfully after receiving one reply packet.

    $ ping -o google.com
    PING google.com (172.217.167.46): 56 data bytes
    64 bytes from 172.217.167.46: icmp_seq=0 ttl=118 time=7.540 ms
    
    --- google.com ping statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 7.540/7.540/7.540/0.000 ms

    You can use -n flag to avoid reverse DNS lookups. The ICMP sequence number is particularly important. A Break in sequence numbers indicates lost packets.

    A failed ping could be due to

    • network failure
    • host being not alive
    • firewall blocking ICMP ECHO requests

    You can also perform an online ping test to check the connectivity from different parts of the world.

    iPerf

    While ping verifies the availability of a host, iPerf helps analyze and measure network performance between two hosts. With iPerf, you open a connection between two hosts and send some data. iPerf then shows the bandwidth available between the two hosts.

    You can install an iPerf using your distribution package manager. For example on Ubuntu-based distributions you can install like this:

    $ sudo apt install iperf -y

    Once you have installed iPerf on both the machines, start the iPerf server on one of them. The following example starts the iPerf server on a host with IP address 10.0.0.51.

    $ iperf -s
    ------------------------------------------------------------
    Server listening on TCP port 5001
    TCP window size: 85.3 KByte (default)
    ------------------------------------------------------------

    On the second machine start iPerf with the -c flag. This connects with the server and sends some data.

    $ iperf -c 10.0.0.51
    ------------------------------------------------------------
    Client connecting to 10.0.0.51, TCP port 5001
    TCP window size: 85.0 KByte (default)
    ------------------------------------------------------------
    [  3] local 10.0.0.50 port 42177 connected with 10.0.0.51 port 5001
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-10.0 sec  1.13 GBytes   972 Mbits/sec

    iPerf returns with the bandwidth results in a few seconds.

    traceroute

    If ping shows missing packets, you should use traceroute to see what route the packets are taking.  Traceroute shows the sequence of gateways through which the packets travel to reach their destination. For example, traceroute from my machine to google.com shows the following:

    $ traceroute google.com
    traceroute to google.com (172.217.167.46), 64 hops max, 52 byte packets
     1  dlinkrouter.dlink (192.168.0.1)  5.376 ms  2.076 ms  1.932 ms
     2  10.194.0.1 (10.194.0.1)  5.190 ms  5.125 ms  4.989 ms
     3  broadband.actcorp.in (49.207.47.201)  7.165 ms  5.749 ms  5.755 ms
     4  broadband.actcorp.in (49.207.47.225)  5.918 ms *  8.483 ms
    ...
     9  108.170.251.97 (108.170.251.97)  6.359 ms
        del03s16-in-f14.1e100.net (172.217.167.46)  5.448 ms
        108.170.251.97 (108.170.251.97)  6.400 ms

    Line 4 in this output shows a * in the round trip times. This indicates no response was received. This can be due to many reasons – as the traceroute ICMP packets are low-priority, these may be dropped by a router. Or there could be simply congestion.  If you see a * in all the time fields for a given gateway, then possibly the gateway is down.

    Many web-based route tracing tools allow you to do a reverse traceroute, that is, from a website to your host. You can check these at traceroute.org or Geekflare Traceroute.

    tcpdump

    tcpdump is a packet sniffing tool and can be of great help when resolving network issues. It listens to the network traffic and prints packet information based on the criteria you define.

    For example, you can examine all packets sent to or from a particular host, Ubuntu18 in this example:

    $ sudo tcpdump host ubuntu18 -n -c 5
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    14:12:11.509092 IP 10.0.0.4.22 > 183.83.208.234.9633: Flags [P.], seq 2991049004:2991049112, ack 2956233368, win 501, options [nop,nop,TS val 292041322 ecr 405604219], length 108
    14:12:11.509146 IP 10.0.0.4.22 > 183.83.208.234.9633: Flags [P.], seq 108:252, ack 1, win 501, options [nop,nop,TS val 292041322 ecr 405604219], length 144
    14:12:11.509218 IP 10.0.0.4.22 > 183.83.208.234.9633: Flags [P.], seq 252:288, ack 1, win 501, options [nop,nop,TS val 292041322 ecr 405604219], length 36
    14:12:11.509259 IP 10.0.0.4.22 > 183.83.208.234.9633: Flags [P.], seq 288:500, ack 1, win 501, options [nop,nop,TS val 292041322 ecr 405604219], length 212
    14:12:11.509331 IP 10.0.0.4.22 > 183.83.208.234.9633: Flags [P.], seq 500:768, ack 1, win 501, options [nop,nop,TS val 292041322 ecr 405604219], length 268
    5 packets captured
    6 packets received by filter
    0 packets dropped by kernel

    By default, tcpdump resolves IP addresses to hostnames. Use -n flag, if you do not want tcpdump to perform name lookups.

    tcpdump output prints one line for each packet. Use -c flag to limit output, 5 in the example above.

    tcpdump is useful for solving network problems and also identifying potential problems. It is a good idea to run a tcpdump on your network occasionally to verify everything is in order.

    netstat

    Netstat command is used to examine network connections, routing tables, and various network settings and statistics.

    Use -i flag to list the network interfaces on your system.

    Here is an example:

    $ netstat -i
    Kernel Interface table
    Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
    eth0       1500 0      4001      0      0 0          2283      0      0      0 BMRU
    eth1       1500 0     27154      0      0 0        838962      0      0      0 BMRU
    lo        65536 0         0      0      0 0             0      0      0      0 LRU

    Using -r flag will display the routing table. This shows the path configured for sending network packets.

    $ netstat -r
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    default         10.0.2.2        0.0.0.0         UG        0 0          0 eth0
    10.0.0.0        *               255.255.255.0   U         0 0          0 eth1
    10.0.2.0        *               255.255.255.0   U         0 0          0 eth0

    An asterisk in the last two lines indicates that no gateway is required to send packets to any host on these networks. This host is directly connected to the networks 10.0.0.0 and 10.0.2.0.

    In the first line, the destination is the default, which means any packet destined for a network not listed in this table is handled by the router 10.0.2,2.

    netstat command without any options displays a list of open sockets. Use -l flag to show only listening sockets, which by default, are not shown. You can use -a flag to show listening and non-listening sockets. Here is an example:

    $ netstat -a
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    tcp        0      0 *:ssh                   *:*                     LISTEN     
    tcp        0     36 10.0.2.15:ssh           10.0.2.2:51017          ESTABLISHED
    tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
    udp        0      0 *:bootpc                *:*                                
    Active UNIX domain sockets (servers and established)
    Proto RefCnt Flags       Type       State         I-Node   Path
    unix  3      [ ]         DGRAM                    8186     /run/systemd/notify
    ...
    

    More Netstat command example here

    ss

    Linux installations have a lot of services running by default. These should be disabled or preferably removed, as this helps in reducing the attack surface. You can see what services are running with the netstat command. While netstat is still available, most Linux distributions are transitioning to ss command.

    use ss command with -t and -a flags to list all TCP sockets. This displays both listening and non-listening sockets.

    $ ss -t -a
    State       Recv-Q Send-Q            Local Address:Port                Peer Address:Port   
    LISTEN      0      128                           *:sunrpc                         *:*       
    LISTEN      0      128                           *:http                           *:*       
    LISTEN      0      128                           *:ssh                            *:*       
    LISTEN      0      128                           *:60031                          *:*       
    ESTAB       0      0                     10.0.2.15:ssh                     10.0.2.2:51699   
    ESTAB       0      0                     10.0.2.15:ssh                     10.0.2.2:51049   
    LISTEN      0      128                          :::sunrpc                        :::*       
    LISTEN      0      128                          :::http                          :::*       
    LISTEN      0      128                          :::ssh                           :::*       
    LISTEN      0      128                          :::54715                         :::*

    To display only TCP connections with state established:

    ss -a -t -o state established
    Recv-Q Send-Q                 Local Address:Port                     Peer Address:Port   
    0      0                          10.0.2.15:ssh                          10.0.2.2:51699    timer:(keepalive,23min,0)
    0      0                          10.0.2.15:ssh                          10.0.2.2:51049    timer:(keepalive,114min,0)

    ssh

    ssh enables you to connect securely with remote hosts over the internet. Earlier rlogin and telnet were used to connect to and administer remote hosts. However, both suffer from a fundamental flaw, that is, they send all information including login names and passwords in cleartext.

    ssh enables secure communication over the internet with the following two features :

    • It confirms that the remote host is, who it says it is.
    • It encrypts all communication between the hosts.

    To connect to a remote host you need to have an OpenSSH server running on the remote host. You can install it using your distribution package manager. For example on Ubuntu you can install it like this:

    $ sudo apt install openssh-server

    Here is an example showing how you can connect to the remote host 10.0.0.50 using the ssh command:

    [email protected]:~$ ssh 10.0.0.50
    The authenticity of host '10.0.0.50 (10.0.0.50)' can't be established.
    ECDSA key fingerprint is SHA256:s2tNJQa/C1/W0SevGm7Rt3xoBZG1QL5yT3ff/+PMpnY.
    Are you sure you want to continue connecting (yes/no)? yes

    You get a message saying that the authenticity of the host 10.0.0.50 cannot be established, this is because it’s the first time a connection is being made with 10.0.0.50 (server) and the ssh client has never seen this remote host before. Enter yes to continue connecting. Once the connection has been established, you are prompted for a password:

    Warning: Permanently added '10.0.0.50' (ECDSA) to the list of known hosts.
    [email protected]'s password:

    After you enter the correct password, you are logged into the remote host.

    Welcome to Ubuntu 14.04.6 LTS (GNU/Linux 3.13.0-170-generic x86_64)
     * Documentation:  https://help.ubuntu.com/
    ..
    [email protected]:~$ 

    You can exit this remote shell with the exit command.

    Also, you can easily execute a single command on the remote host using ssh. For example, to run df -h on the remote host:

    $ ssh 10.0.0.50 df -h
    [email protected]'s password: 
    Filesystem      Size  Used Avail Use% Mounted on
    udev            241M   12K  241M   1% /dev
    tmpfs            49M  384K   49M   1% /run
    /dev/sda1        40G  1.6G   37G   5% /
    ...
    none            224G  113G  111G  51% /vagrant
    [email protected]:~$

    scp and sftp

    scp (secure copy) is very similar to cp command for copying files, with an addition – you can include remote hostnames in the source or destination pathnames. The hostname and the directory path are separated by a colon. This enables you to copy files securely over the network in an encrypted form. The following command copies a.txt from the local machine to 10.0.0.50 :

    [email protected]:~$ scp a.txt 10.0.0.50:/home/me
    [email protected]'s password: 
    a.txt                                           100%    0     0.0KB/s   00:00

    sftp (secure ftp) is also a file copy program similar to ftp. However, it uses an SSH encrypted tunnel to copy files, instead of sending everything in cleartext. Also, you do not need an FTP server running on the remote host. You only need an ssh server. Here is an example session:

    [email protected]:~$ sftp 10.0.0.50
    [email protected]'s password: 
    Connected to 10.0.0.50.
    sftp> put kali-linux-2020.3-installer-netinst-i386.iso
    Uploading kali-linux-2020.3-installer-netinst-i386.iso to /home/me/kali-linux-2020.3-installer-netinst-i386.iso
    kali-linux-2020.3-installer-netinst-i386.iso    100%  435MB  27.2MB/s   00:16    
    sftp> bye

    Ifconfig

    Mostly we use ifconfig command to check the IP address assigned to the system.

    [[email protected] ~]# ifconfig
    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 209.97.137.171  netmask 255.255.240.0  broadcast 209.97.143.255
            inet6 fe80::c035:b2ff:fe9d:72d5  prefixlen 64  scopeid 0x20<link>
            ether c2:35:b2:9d:72:d5  txqueuelen 1000  (Ethernet)
            RX packets 1333200  bytes 167143230 (159.4 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 979666  bytes 93582595 (89.2 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 16  bytes 1392 (1.3 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 16  bytes 1392 (1.3 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    [[email protected] ~]#

    dig

    dig (Domain Information Groper) is a flexible tool for interrogating DNS name servers.

    It performs DNS lookups and displays the answers that are returned from the name servers.

    [[email protected] ~]# dig geekflare.com
    
    ; <<>> DiG 9.11.13-RedHat-9.11.13-5.el8_2 <<>> geekflare.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12310
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;geekflare.com.			IN	A
    
    ;; ANSWER SECTION:
    geekflare.com.		30	IN	A	104.27.119.115
    geekflare.com.		30	IN	A	104.27.118.115
    
    ;; Query time: 12 msec
    ;; SERVER: 67.207.67.2#53(67.207.67.2)
    ;; WHEN: Wed Sep 16 17:58:45 UTC 2020
    ;; MSG SIZE  rcvd: 74
    
    [[email protected] ~]#

    telnet

    telnet connect destination’s host and port via a telnet protocol if a connection establishes means connectivity between two hosts is working fine.

    [[email protected] ~]# telnet gf.dev 443
    Trying 104.27.153.44...
    Connected to gf.dev.
    Escape character is '^]'.

    nslookup

    nslookup is a program to query domain name servers and resolving IP.

    [[email protected] ~]# nslookup relicflare.com
    Server:		67.207.67.2
    Address:	67.207.67.2#53
    
    Non-authoritative answer:
    Name:	relicflare.com
    Address: 192.64.119.178
    
    [[email protected] ~]#

    Summary

    Networking in Linux is a vast subject, with a large number of commands and utilities. In this article, we have discussed some commonly used commands which hopefully, will help you in managing and securing your network.