Posted: Sep 27, 2015 by Bryan Tong
This is great if you are ever in a situation where seeing active SSH connections would benefit. Maybe for security auditing or dealing with intrusions, even firewall testing. I have found this command to be effective at filtering it out.
netstat -aln | grep ":22 " | grep -v STREAM | grep -v 127.0.0.1
You should see some output similar to
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp 0 0 192.168.92.131:22 192.168.232.5:49351 ESTABLISHED tcp6 0 0 :::22 :::* LISTEN
I have doctored the IP addresses here. The left most IP address in this case 192.168.92.131 on port 22 (which is your server), has a connection established with 192.168.232.5 on port 49351.
If you see any IP addresses in the right or left column that should not be there, it is cause for action.
Please check my other blogs for tips on securing Linux servers on the internet.