Answer to 1 & 2:
The warning is from netstat
, not from grep
and its about the PID/Program name
column of the netstat
output:
$ netstat -tapen
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
Using sudo
:
$ sudo netstat -tapen
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
The alert is self explanatory, you have to be root
to view the process IDs and program names owned by other (all) users, otherwise you will only get the PID/names of programs owned by you although you will get the open socket listings for those processes.
The distinction is basically summed up by the following, from man netstat
:
PID/Program name
Slash-separated pair of the process id (PID) and process name of
the process that owns the socket. --program causes this column to
be included. You will also need superuser privileges to see this
information on sockets you don't own. This identification information is
not yet available for IPX sockets.
In you case, the program sshd
is owned by root
, so without using sudo
all the socket info will appear in the output, not the program name and PID. As a result while using grep
on the result of netstat -taepn
you are getting the warning.
On the other hand if you use sudo
, the PID/program name will appear in the netstat -taepn
output and you can use grep
to find the output.
The following will make you more clear (check the last column(PID/Program name)):
$ netstat -tapen
PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 11088 -
$sudo netstat -taepn
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 11088 1002/sshd
If you are running this from a client machine then you can just ignore it as the process in that case will be ssh
(not sshd
) and will be owned by you.
Answer to 3:
There are so many ways. I will add a few:
$ sudo netstat -taepn | grep "ssh" | tr -s ' ' | cut -d' ' -f4 | head -1
192.168.5.3:22
$ sudo netstat -taepn | grep -Po "\b(\d|\.)+:22(?= .*ssh)"
192.168.5.3:22
$ sudo netstat -taepn | sed -nr '/ssh/s/.* ([^:]+:22) .*/\1/p'
192.168.5.3:22
EDIT: Without sudo
:
$ netstat -taepn 2>/dev/null | grep ":22 " | tr -s ' ' | cut -d' ' -f4 | head -1
192.168.5.3:22
$ netstat -taepn 2>/dev/null | grep -Po "\b(\d|\.)+:22\b"
192.168.5.3:22
$ netstat -taepn 2>/dev/null | sed -nr '/:22 /s/.* ([^:]+:22) .*/\1/p'
192.168.5.3:22
EDIT 2:
If you want to get the remote IP address connected to port 22 (ssh
) of the server without using sudo
, your best best would be to read the socket statistics via ss
command and get the desired output from that.
$ ss -ant | grep -Po "(\d|\.)+:22\s+\K[^:]+"
192.168.6.4
$ ss -ant | sed -nr 's/.*([0-9]|\.)+:22 +([^:]+).*/\2/p'
192.168.6.4
$ ss -ant | grep -e "ESTAB" | grep ":22" | tr -s ' ' | cut -d' ' -f5 | cut -d':' -f1
192.168.6.4
We have run the above commands in the server and 192.168.6.4
is the IP address of the remote computer connected to the server via ssh
on port 22.