Tech Support Notes

lsof

lsof is a command-line utility that lists information about the files opened by processes. In Unix, everything is a file (pipes, sockets, directories, devices, etc.), so lsof can report on any of them.

Simply typing lsof will provide a list of all open files belonging to all active processes:

[callisto] (~) >>> lsof|head
COMMAND     PID      USER   FD      TYPE             DEVICE  SIZE/OFF       NODE NAME
init          1      root  cwd       DIR              202,2      4096          2 /
init          1      root  rtd       DIR              202,2      4096          2 /
init          1      root  txt       REG              202,2    150352     966707 /sbin/init (deleted)
init          1      root  mem       REG              202,2     65928     647197 /lib64/libnss_files-2.12.so
init          1      root  mem       REG              202,2   1926800     647181 /lib64/libc-2.12.so
init          1      root  mem       REG              202,2     93320     647243 /lib64/libgcc_s-4.4.7-20120601.so.1
init          1      root  mem       REG              202,2     47064     647209 /lib64/librt-2.12.so
init          1      root  mem       REG              202,2    145896     647207 /lib64/libpthread-2.12.so
init          1      root  mem       REG              202,2    268232     647294 /lib64/libdbus-1.so.3.4.0

One open file is displayed per line and, unless you specify otherwise, all open files from all processes are displayed. The Command, PID, and User columns represent the name of a process, process identifier (PID), and owner's name, respectively. The Device, SIZE/OFF, Node, and Name columns refer to the file itself, specifying the name of the disk, size of the file, inode (the file's identification on the disk), and actual name of the file. Depending on the flavor of UNIX, the size of the file might also be reported as the current position the application is reading in the file (offset).

Some handy examples:

Find all the processes for a specific user using lsof -u USER:

[callisto] (~) >>> lsof -u ryan|head
COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF    NODE NAME
screen  16567 ryan  cwd    DIR              202,2     4096 3065532 /home/ryan
screen  16567 ryan  rtd    DIR              202,2     4096       2 /
screen  16567 ryan  txt    REG              202,2   389192   52604 /usr/bin/screen
screen  16567 ryan  mem    REG              202,2   156928  647173 /lib64/ld-2.12.so
screen  16567 ryan  mem    REG              202,2     9264   51095 /usr/lib64/libutempter.so.1.1.5
screen  16567 ryan  mem    REG              202,2  1926800  647181 /lib64/libc-2.12.so
screen  16567 ryan  mem    REG              202,2    22536  647185 /lib64/libdl-2.12.so
screen  16567 ryan  mem    REG              202,2   138280  647567 /lib64/libtinfo.so.5.7
screen  16567 ryan  mem    REG              202,2   472064  647187 /lib64/libfreebl3.so

To see all the processes that have a specific file open (in the FD column, a trailing w means open for writing, r for reading, u for both):

[callisto] (~) >>> lsof /var/log/messages
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
rsyslogd  1097 root    1w   REG  202,2   330446 3786258 /var/log/messages
abrt-dump 1549 root    4r   REG  202,2   330446 3786258 /var/log/messages

If you just want to grab the PIDs for a binary or log file you can use the -t option:

[callisto] (~) >>> lsof -t /usr/sbin/sshd
1343
18424
18428
25299
25305

With the PID you can narrow your search even further to see what the process is actually doing using the -p option:

[callisto] (~) >>> lsof -p 25305|head
COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF    NODE NAME
sshd    25305 ryan  cwd    DIR              202,2     4096       2 /
sshd    25305 ryan  rtd    DIR              202,2     4096       2 /
sshd    25305 ryan  txt    REG              202,2   546680   51491 /usr/sbin/sshd
sshd    25305 ryan  DEL    REG                0,4          5012920 /dev/zero
sshd    25305 ryan  mem    REG              202,2     6096  647446 /lib64/security/pam_shells.so
sshd    25305 ryan  mem    REG              202,2    18592  647428 /lib64/security/pam_limits.so
sshd    25305 ryan  mem    REG              202,2    10224  647426 /lib64/security/pam_keyinit.so
sshd    25305 ryan  mem    REG              202,2    10240  647431 /lib64/security/pam_loginuid.so
sshd    25305 ryan  mem    REG              202,2    18664  647443 /lib64/security/pam_selinux.so

List processes using a mount point:

[saturn] (~) >>> lsof /srv|tail
dropbox   873 deluge  mem    REG   8,49      13744  271807 /srv/deluge/.dropbox-dist/fcntl.so
dropbox   873 deluge  mem    REG   8,49      17336  271937 /srv/deluge/.dropbox-dist/cStringIO.so
dropbox   873 deluge  mem    REG   8,49      16740  271890 /srv/deluge/.dropbox-dist/binascii.so
dropbox   873 deluge  mem    REG   8,49      10596  271885 /srv/deluge/.dropbox-dist/_random.so
dropbox   873 deluge  mem    REG   8,49      28936  271950 /srv/deluge/.dropbox-dist/math.so
dropbox   873 deluge  mem    REG   8,49       9116  271886 /srv/deluge/.dropbox-dist/_functools.so
dropbox   873 deluge  mem    REG   8,49      19572  271875 /srv/deluge/.dropbox-dist/zlib.so
dropbox   873 deluge    5u   REG   8,49      12288  262155 /srv/deluge/.dropbox/config.dbx
smbd    17862   root  cwd    DIR   8,49       4096  262146 /srv/deluge/completed
smbd    17862   root    8r   DIR   8,49       4096  262146 /srv/deluge/completed

Show all connections with the `-i` flag. You can employ grep and other sorting methods to narrow your focus:

[callisto] (~) >>> lsof -i|grep sshd
sshd       1343     root    3u  IPv4    9453      0t0  TCP *:65195 (LISTEN)
sshd       1343     root    4u  IPv6    9455      0t0  TCP *:65195 (LISTEN)
sshd      18424     root    3r  IPv4 4992325      0t0  TCP callisto.example.com:65195->isd01.domain.com:37081 (ESTABLISHED)
sshd      18428     ryan    3u  IPv4 4992325      0t0  TCP callisto.example.com:65195->isd01.domain.com:37081 (ESTABLISHED)
sshd      25299     root    3r  IPv4 5012872      0t0  TCP callisto.example.com:65195->hyperion.example.com:34272 (ESTABLISHED)
sshd      25305     ryan    3u  IPv4 5012872      0t0  TCP callisto.example.com:65195->hyperion.example.com:34272 (ESTABLISHED)

Show connections to a specific host using `-i@host`:

[callisto] (~) >>> lsof -i@x.x.x.x
COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
sshd    18424 root    3r  IPv4 4992325      0t0  TCP callisto.example.com:65195->x.x.x.x:37081 (ESTABLISHED)
sshd    18428 ryan    3u  IPv4 4992325      0t0  TCP callisto.example:65195->x.x.x.x:37081 (ESTABLISHED)

Find all TCP and UDP connections:

[callisto] (~) >>> lsof -iUDP|head
COMMAND     PID  USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
controlle  1883  root    6u  IPv4   13924      0t0  UDP *:nimcontroller
named      4801 named  512u  IPv6  445845      0t0  UDP *:domain
named      4801 named  513u  IPv4  445850      0t0  UDP localhost.localdomain:domain
named      4801 named  514u  IPv4  445852      0t0  UDP 10.8.x.x:domain
named      4801 named  515u  IPv4  445854      0t0  UDP callisto.example.com:domain
named      4801 named  516u  IPv4  445856      0t0  UDP 184.x.x.10-static.reverse.example.com:domain
named      4801 named  517u  IPv4  445858      0t0  UDP 184.x.x.11-static.reverse.example.com:domain
named      4801 named  518u  IPv4  445860      0t0  UDP 184.x.x.11-static.reverse.example.com:domain
named      4801 named  519u  IPv4  445862      0t0  UDP 184.x.x.11-static.reverse.example.com:domain


[callisto] (~) >>> lsof -iTCP|head
COMMAND     PID     USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
sshd       1343     root    3u  IPv4    9453      0t0  TCP *:65195 (LISTEN)
sshd       1343     root    4u  IPv6    9455      0t0  TCP *:65195 (LISTEN)
cpsrvd-ss  1730     root    3u  IPv4   13106      0t0  TCP *:infowave (LISTEN)
cpsrvd-ss  1730     root    4u  IPv4   13107      0t0  TCP *:nbx-ser (LISTEN)
cpsrvd-ss  1730     root    5u  IPv4   13108      0t0  TCP *:radsec (LISTEN)
cpsrvd-ss  1730     root    6u  IPv4   13109      0t0  TCP *:nbx-dir (LISTEN)
cpsrvd-ss  1730     root    9u  IPv4   13114      0t0  TCP *:gnunet (LISTEN)
cpsrvd-ss  1730     root   10u  IPv4   13115      0t0  TCP *:eli (LISTEN)
controlle  1883     root    5u  IPv4   13921      0t0  TCP *:nimcontroller (LISTEN)

Find ports that are awaiting connections using -sTCP:LISTEN. You can also do this by grepping for LISTEN:

[callisto] (~) >>>  lsof -i -sTCP:LISTEN|head
COMMAND     PID     USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
sshd       1343     root    3u  IPv4    9453      0t0  TCP *:65195 (LISTEN)
sshd       1343     root    4u  IPv6    9455      0t0  TCP *:65195 (LISTEN)
cpsrvd-ss  1730     root    3u  IPv4   13106      0t0  TCP *:infowave (LISTEN)
cpsrvd-ss  1730     root    4u  IPv4   13107      0t0  TCP *:nbx-ser (LISTEN)
cpsrvd-ss  1730     root    5u  IPv4   13108      0t0  TCP *:radsec (LISTEN)
cpsrvd-ss  1730     root    6u  IPv4   13109      0t0  TCP *:nbx-dir (LISTEN)
cpsrvd-ss  1730     root    9u  IPv4   13114      0t0  TCP *:gnunet (LISTEN)
cpsrvd-ss  1730     root   10u  IPv4   13115      0t0  TCP *:eli (LISTEN)
controlle  1883     root    5u  IPv4   13921      0t0  TCP *:nimcontroller (LISTEN)

[callisto] (~) >>> lsof -i | grep -i LISTEN|head
sshd       1343     root    3u  IPv4    9453      0t0  TCP *:65195 (LISTEN)
sshd       1343     root    4u  IPv6    9455      0t0  TCP *:65195 (LISTEN)
cpsrvd-ss  1730     root    3u  IPv4   13106      0t0  TCP *:infowave (LISTEN)
cpsrvd-ss  1730     root    4u  IPv4   13107      0t0  TCP *:nbx-ser (LISTEN)
cpsrvd-ss  1730     root    5u  IPv4   13108      0t0  TCP *:radsec (LISTEN)
cpsrvd-ss  1730     root    6u  IPv4   13109      0t0  TCP *:nbx-dir (LISTEN)
cpsrvd-ss  1730     root    9u  IPv4   13114      0t0  TCP *:gnunet (LISTEN)
cpsrvd-ss  1730     root   10u  IPv4   13115      0t0  TCP *:eli (LISTEN)
controlle  1883     root    5u  IPv4   13921      0t0  TCP *:nimcontroller (LISTEN)
spooler    1924     root    8u  IPv4   14035      0t0  TCP *:nimspooler (LISTEN)

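Building on the LISTEN examples above, here is an added example (not part of the original notes) that turns the listener list into an audit: it reports every listening TCP socket whose command and port are not on an allowlist, collapsing the duplicate IPv4/IPv6 rows. The function names, the COMMAND:PORT allowlist format and the sample rows are assumptions made for illustration; the -n and -P options make lsof print numeric addresses and ports instead of names such as infowave.

```shell
#!/bin/sh
# Added example: flag TCP listeners that are not on an allowlist.
# Reads lsof output on stdin; $1 is a space-separated allowlist of
# COMMAND:PORT pairs (a format assumed for this example).
# Live use: lsof -nP -iTCP -sTCP:LISTEN | audit_listeners "sshd:65195"
audit_listeners() {
    awk -v allow="$1" '
    BEGIN {
        n = split(allow, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    # The header and non-listening rows do not end in "(LISTEN)".
    $NF == "(LISTEN)" {
        name = $(NF - 1)          # e.g. *:65195 or 127.0.0.1:53
        port = name
        sub(/.*:/, "", port)      # text after the last colon is the port
        addr = substr(name, 1, length(name) - length(port) - 1)
        key = $1 ":" port         # what the allowlist is matched on
        id = $2 ":" name          # same PID + same socket name = one listener
        if (key in ok || id in seen) next
        seen[id] = 1
        printf "%s pid=%s user=%s addr=%s port=%s\n", $1, $2, $3, addr, port
    }'
}

# Constructed sample input in the layout of `lsof -nP -i` output.
# The sshd rows mirror the notes above; the other rows are made up.
sample_lsof() {
cat <<'EOF'
COMMAND     PID     USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
sshd       1343     root    3u  IPv4    9453      0t0  TCP *:65195 (LISTEN)
sshd       1343     root    4u  IPv6    9455      0t0  TCP *:65195 (LISTEN)
named      4801    named   20u  IPv4  445870      0t0  TCP 127.0.0.1:53 (LISTEN)
python3    9001     ryan    3u  IPv4  501122      0t0  TCP *:8000 (LISTEN)
python3    9001     ryan    4u  IPv6  501123      0t0  TCP *:8000 (LISTEN)
sshd      18424     root    3r  IPv4 4992325      0t0  TCP 192.0.2.10:65195->198.51.100.7:37081 (ESTABLISHED)
EOF
}

# Run against the sample: only the python3 listener is reported.
sample_lsof | audit_listeners "sshd:65195 named:53"
```

Matching on the command name alone is weak evidence, because a process can be given any name; follow up on a reported PID with lsof -p to see which binary it is actually running.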