Security: How To Monitor Your Network Connections

One of the most important concepts in computer security is “knowing thy system”. This essentially means that in order to be able to protect something you need to have some idea of what it’s doing and/or how it works.

Your computer’s connections to the outside world is among the most important information you can have about your system. In addition to what connections are currently established, you also want to know what ports your computer is “listening” on, or in other words, what ways other systems are able to interact with your computer.

Below I’ll cover how to see who your Windows or Linux computer is currently talking to, and the ways your computer is willing to talk through open, listening ports.

Ports

There is often some confusion about what network ports are, and what it means for them to be “open”. Think of network ports as spring-loaded windows on a house. So if someone doesn’t actively hold the window open, it’ll shut automatically and remain closed until it’s opened again.

The important thing to remember is that when you see a port open on your system, it’s because something opened it. Remember, if there wasn’t a midget in the window it would just close by itself. The issue then becomes finding out what program opened the port, and whether or not it’s legitimate.

Windows

Windows has a built-in tool called netstat that can show a decent amount of information. If you just have a quick question about a certain port you can use it right from the command line and avoid using a third party application:

netstat -an | find "LISTENING"

TCP    0.0.0.0:135          0.0.0.0:0            LISTENING
TCP    0.0.0.0:445           0.0.0.0:0            LISTENING
TCP    0.0.0.0:1049          0.0.0.0:0            LISTENING
TCP    0.0.0.0:9000          0.0.0.0:0            LISTENING
TCP    0.0.0.0:33333         0.0.0.0:0            LISTENING

netstat -an | find "ESTABLISHED"

TCP    1.2.3.4:4095          66.102.7.99:80          ESTABLISHED
TCP    1.2.3.4:8324          209.73.177.115:25       ESTABLISHED

Tcpview

For those that want more information about their network connections and/or are graphically inclined, there’s a free tool called Tcpview that’s a must for any serious Windows user.

Unsupervised Learning — Security, Tech, and AI in 10 minutes…

Get a weekly breakdown of what's happening in security and tech—and why it matters.

Tcpview allows you to view, in real time, the connections that are open on your system. Not only does it update constantly as connections spawn or die off, but it also shows you what program is responsible for opening a given port on your system. [For those bent on command line kung-fu, you can get similar functionality from netstat -anb]

Linux

Being a Linux/OS X guy myself I would deserve a good pummeling if I didn’t show how to get similar information from a *nix system. The best way to do this is with the lsof command:

lsof -i

COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
dhcpcd  6061 root    4u  IPv4   4510       UDP *:bootpc
sshd    7703 root    3u  IPv6   6499       TCP *:ssh (LISTEN)
sshd    7892 root    3u  IPv6   6757       TCP 10.10.1.5:ssh->
192.168.1.5:49901 (ESTABLISHED)

lsof

lsof -iTCP // only TCPlsof -iUDP // only UDPlsof -i :22 // involving port 22lsof -i :@attacker.com // connections with attacker.comlsof -i :1.2.3.4 // connections to 1.2.3.4lsof -i :mail.com:25 // connections to mail.com on the SMTP portlsof -i | grep LISTEN // see what’s listeninglsof -i | grep ESTABLISHED // see what’s established

Conclusion

Knowing who your system is talking to (and who it’s willing to talk to) is crucial to your overall computer security. Using the short guide above you can now gather this information in both Windows and *nix environments.:

—1 Not true in all cases.

Related posts:

1. Those Bashing Smart Locks Have Forgotten How Easy it is to Pick Regular Ones

2. No, Moving Your SSH Port Isn’t Security by Obscurity

3. The Real Internet of Things: Details and Examples

4. Your Mind’s Software is More Important Than Its Hardware