
I might be under attack, how do I view my open connections?


The command to list open connections to your server and sort them by count varies between Linux distributions; we will cover the main distributions.

The following commands need to be entered at the command prompt.

RedHat/CentOS:

netstat -ntu | awk 'NR>2' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c


OR

netstat -an | grep ESTABLISHED | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | awk '{ printf("%s\t%s\t",$2,$1) ; for (i = 0; i < $1; i++) {printf("*")}; print "" }'


BSD:

netstat -na |awk '{print $5}' |cut -d "." -f1,2,3,4 |sort |uniq -c |sort -n


These are a few steps to take when you feel the server is under attack:

1. Check the load using the commands w and ps aux.
2. Check which service is using the most CPU with the command nice top.
3. Check which IP has the maximum number of connections to Apache on port 80:
netstat -anpl | grep :80 | awk '{print $5}' | cut -d":" -f1 | sort | uniq -c | sort -n
4. Block the IP using a firewall (APF or iptables): apf -d <IP>, or null-route it with ip route add blackhole <IP>

You can also implement security features on your server:
1. Install Apache modules such as mod_dosevasive and mod_security on your server.
2. Configure APF and iptables to reduce the connections from attackers.
3. Basic server securing steps: http://linuxdevcenter.com/pub/a/linux/2006/03/23/secure-your-server.html?page=1