The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,055 other followers

shell – List open SSH tunnels – via: Super User

Posted by jpluimers on 2020/06/29

I put an lsof example and output in Reverse ssh tunnel between two linux boxes to allow RDP traffic over port 3389, but forgot to explain it.

Note that if you are bumping into remote tunneling issues selecting the wrong network interface, then checkout the GatewayPorts setting in the above post first!

Inactive local tunnels on the client: find the first word ssh on lsof output.

$ lsof -i -n | grep -w '^\<ssh\>'
ssh       93548 jeroenp    3u  IPv4 0x298985ab430c8aa9      0t0  TCP 192.168.71.77:50257->80.101.239.92:30022 (ESTABLISHED)
ssh       93548 jeroenp    5u  IPv6 0x298985ab22e02df9      0t0  TCP [::1]:59124 (LISTEN)
ssh       93548 jeroenp    6u  IPv4 0x298985ab272543a1      0t0  TCP 127.0.0.1:59124 (LISTEN)
ssh       93548 jeroenp    7u  IPv6 0x298985ab22e03339      0t0  TCP [::1]:ms-wbt-server (LISTEN)
ssh       93548 jeroenp    8u  IPv4 0x298985ab4306eaa9      0t0  TCP 127.0.0.1:ms-wbt-server (LISTEN)
ssh       93548 jeroenp    9u  IPv6 0x298985ab28049339      0t0  TCP [::1]:5925 (LISTEN)
ssh       93548 jeroenp   10u  IPv4 0x298985ab25cefe89      0t0  TCP 127.0.0.1:5925 (LISTEN)

The above listens two tunnels listening to ports 59124, 3389 (ms-wbt-server) and 5925.

Remote tunnels on the server: find the first word sshd on lsof output. Needs sudo if sshd runs as daemon or to listen active connections:

$ sudo lsof -i -n | grep -w '^\<sshd\>'
sshd       1664     root    3u  IPv4   21299      0t0  TCP *:ssh (LISTEN)
sshd       1664     root    4u  IPv6   21301      0t0  TCP *:ssh (LISTEN)
sshd       5026     root    3u  IPv4  350758      0t0  TCP 192.168.124.32:ssh->192.168.171.24:52417 (ESTABLISHED)
sshd       5029  jeroenp    3u  IPv4  350758      0t0  TCP 192.168.124.32:ssh->192.168.171.24:52417 (ESTABLISHED)
sshd       5120     root    3u  IPv4 6693665      0t0  TCP 192.168.124.32:ssh->80.100.143.119:11585 (ESTABLISHED)
sshd       5123  jeroenp    3u  IPv4 6693665      0t0  TCP 192.168.124.32:ssh->80.100.143.119:11585 (ESTABLISHED)
sshd      13320     root    3u  IPv4 6319692      0t0  TCP 192.168.124.32:ssh->192.168.171.24:56801 (ESTABLISHED)
sshd      13323  jeroenp    3u  IPv4 6319692      0t0  TCP 192.168.124.32:ssh->192.168.171.24:56801 (ESTABLISHED)
sshd      16505     root    3u  IPv4 6374150      0t0  TCP 192.168.124.32:ssh->192.168.171.24:21505 (ESTABLISHED)
sshd      16508  jeroenp    3u  IPv4 6374150      0t0  TCP 192.168.124.32:ssh->192.168.171.24:21505 (ESTABLISHED)

The above does not list any tunnels, just regular connections as there were no local tunnels from the client active, which lists the server side of tunnel -L 59124:192.168.124.32:5900 (which is service rfb):

$ sudo lsof -i -n | grep -w '^\<sshd\>'

sshd       1664     root    3u  IPv4   21299      0t0  TCP *:ssh (LISTEN)
sshd       1664     root    4u  IPv6   21301      0t0  TCP *:ssh (LISTEN)
sshd       5026     root    3u  IPv4  350758      0t0  TCP 192.168.124.32:ssh->192.168.171.24:52417 (ESTABLISHED)
sshd       5029  jeroenp    3u  IPv4  350758      0t0  TCP 192.168.124.32:ssh->192.168.171.24:52417 (ESTABLISHED)
sshd       5120     root    3u  IPv4 6693665      0t0  TCP 192.168.124.32:ssh->80.100.143.119:11585 (ESTABLISHED)
sshd       5123  jeroenp    3u  IPv4 6693665      0t0  TCP 192.168.124.32:ssh->80.100.143.119:11585 (ESTABLISHED)
sshd       5123  jeroenp   13u  IPv4 6698066      0t0  TCP 192.168.124.32:51494->192.168.124.32:rfb (ESTABLISHED)
sshd      13320     root    3u  IPv4 6319692      0t0  TCP 192.168.124.32:ssh->192.168.171.24:56801 (ESTABLISHED)
sshd      13323  jeroenp    3u  IPv4 6319692      0t0  TCP 192.168.124.32:ssh->192.168.171.24:56801 (ESTABLISHED)
sshd      16505     root    3u  IPv4 6374150      0t0  TCP 192.168.124.32:ssh->192.168.171.24:21505 (ESTABLISHED)
sshd      16508  jeroenp    3u  IPv4 6374150      0t0  TCP 192.168.124.32:ssh->192.168.171.24:21505 (ESTABLISHED)

For the client side of active connections you need sudo too:

$ sudo lsof -i -n | grep -w '^\<ssh\>'
Password:
ssh 93548 jeroenp 3u IPv4 0x298985ab430c8aa9 0t0 TCP 192.168.71.77:50257->80.101.239.92:30022 (ESTABLISHED)
ssh 93548 jeroenp 5u IPv6 0x298985ab22e02df9 0t0 TCP [::1]:59124 (LISTEN)
ssh 93548 jeroenp 6u IPv4 0x298985ab272543a1 0t0 TCP 127.0.0.1:59124 (LISTEN)
ssh 93548 jeroenp 7u IPv6 0x298985ab22e03339 0t0 TCP [::1]:ms-wbt-server (LISTEN)
ssh 93548 jeroenp 8u IPv4 0x298985ab4306eaa9 0t0 TCP 127.0.0.1:ms-wbt-server (LISTEN)
ssh 93548 jeroenp 9u IPv6 0x298985ab28049339 0t0 TCP [::1]:5925 (LISTEN)
ssh 93548 jeroenp 10u IPv4 0x298985ab25cefe89 0t0 TCP 127.0.0.1:5925 (LISTEN)
ssh 93548 jeroenp 15u IPv4 0x298985ab2998de89 0t0 TCP 127.0.0.1:59124->127.0.0.1:52580 (ESTABLISHED)

Based on [WayBackshell – List open SSH tunnels – Super User.

–jeroen

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

 
%d bloggers like this: