1. Overview

In this tutorial, we’ll review some scenarios of finding the client’s IP address while connected to an SSH session.

2. Introduction to the Problem

When connecting to a remote machine through an SSH session, there are times when we would like to find the IP of the client without disconnecting the session.

By closing the session, processes running in the background can be interrupted, or we could lose information —like the directory we’re working on or information stored in variables.

In the following scenarios, we’ll see how we can get the client IP address, from a remote session, without closing the session.

3. who and w Commands

The who command is a tool that parses the login database files (/var/run/utmp or /var/log/wtmp by default) and retrieve useful information about who’s logged on:

user1$ who
user1  pts/0 2020-12-25  05:19  (189.137.157.229)
ale    pts/1 2020-12-25  05:20  (189.249.25.155)
...

Here, the client IP address is the last field of the registry.

Additionally, we can specify our user using the parameters am and i:

user1$ who am i
user1  pts/0  2020-12-25 05:19 (189.137.157.229)

The w command also parses the /var/run/utmp file to show who’s currently logged on, and the /proc file to see the processes associated with the user:

user1$ w
05:35:08 up 1450 days, 7:07, 1 user, load average: 0.00, 0.01, 0.05
USER   TTY    FROM             [email protected]  IDLE   JCPU   PCPU   WHAT
user1  pts/0  189.137.157.229  05:19   0.00s  0.03s  0.00s  w
ale    pts/1  189.249.25.155   05:20   0.00s  0.03s  0.00s  -bash
...

In this scenario, the client IP address is in the third column.

4. finger and pinky Commands

The finger and pinky commands display similar information about the users logged on the system:

user1$ finger
Login  Name  Tty   Idle  Login Time    Office             Office Phone
user1        pts/0       Dec 25 06:04  (189.137.157.229)

user1$ pinky
Login  Name  TTY    Idle  When              Where
user1        pts/0        2020-12-25 06:04  189.137.157.229

Using either of the two commands, we can see the client IP address in the last field.

5. last Command

The last command shows a listing of the last logged in users since the file was created by parsing the /var/log/wtmp file by default.

Let’s use this pipe the result of this command to the head command to get only the information of the last users logged on:

user1$ last | head
user1  pts/0  189.137.157.229  Fri Dec 25 06:29   still logged in
ale    pts/1  189.249.25.155   Fri Dec 25 06:19 - 06:20 (00:00)
...

Here, we can see the client IP address in the third field.

6. netstat and ss Commands

netstat and ss are two very useful tools that retrieve information about the processes using sockets.

Let’s use netstat filtered by grep, to get the client IP addresses:

user1$ sudo netstat -tpn | grep "ESTABLISHED.*sshd"
tcp  0  60  10.128.0.2:22  189.137.157.229:18068  ESTABLISHED  29446/sshd: user1 [pr
...

Here, we see the client IP address in the 5th field in the format <client IP address>:<client port>.

Let’s take a closer look at the netstat parameters:

  • -t lists only the sockets using the TCP protocol
  • -p shows the process id and name of the program using the socket
  • -n shows the addresses in a numerical way

The grep pattern allows us to filter only the processes using the sshd daemon with a connection established.

Let’s use ss in a similar way to netstat:

user1$ sudo ss -tp | grep "ESTAB.*sshd"
ESTAB  0  92  10.128.0.2:ssh  189.137.157.229:18068  users:(("sshd",pid=29863,fd=3),("sshd",pid=29861,fd=3))
...

Here, we can see the IP address in the 5th field in the format <client IP address>:<client port>.

Let’s take another look at the parameters used in the ss command:

  • -t displays TCP sockets
  • -p shows processes using socket

We’ve used the grep command to filter in the same way as in the netstat example.

Since netstat is deprecated, we should use the ss tool.

7. lsof Command

Another powerful tool is the lsof command. This command stands for “list open files”.

By using this program, we can get information about files open and the processes that are using them. Since a file can be a socket, we can use that to find out connection information:

user1$ sudo lsof -i TCP -s tcp:established -n | grep ssh
sshd  29448  user1  3u  IPv4  63825743  0t0  TCP  10.128.0.2:22->189.137.157.229:18068 (ESTABLISHED)
...

Here, we can see the client IP address in the 9th field in the format <server IP address>:<server port>-><client IP address>:<client port>.

Now, let’s review the lsof parameters:

  • -i TCP selects the files using the TCP protocol
  • -s tcp:established lists only network files with “tcp” state “established”
  • -n prevents lsof from translating network numbers to hostnames. By this, we can see the numeric IP address

8. Conclusion

In this tutorial, we’ve reviewed some strategies to get the client’s IP address while we’re in an SSH session.

We’ve used the who, w, finger, pinky, last, netstat, ss, and the lsof commands.

guest
0 Comments
Inline Feedbacks
View all comments