In this tutorial, we’ll review some scenarios of finding the client’s IP address while connected to an SSH session.
2. Introduction to the Problem
When connecting to a remote machine through an SSH session, there are times when we would like to find the IP of the client without disconnecting the session.
By closing the session, processes running in the background can be interrupted, or we could lose state, like the directory we're working in or values stored in shell variables.
In the following scenarios, we’ll see how we can get the client IP address, from a remote session, without closing the session.
3. who and w Commands
The who command is a tool that parses the login database files (/var/run/utmp or /var/log/wtmp by default) and retrieves useful information about who's logged on:
user1$ who
user1    pts/0    2020-12-25 05:19 (22.214.171.124)
ale      pts/1    2020-12-25 05:20 (126.96.36.199)
...
Here, the client IP address is the last field of each record.
Additionally, we can specify our user using the parameters am and i:
user1$ who am i
user1    pts/0    2020-12-25 05:19 (188.8.131.52)
The w command also parses the /var/run/utmp file to show who's currently logged on, and reads the /proc filesystem to see the processes associated with each user:
user1$ w
 05:35:08 up 1450 days,  7:07,  1 user,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
user1    pts/0    184.108.40.206   05:19    0.00s  0.03s  0.00s w
ale      pts/1    220.127.116.11   05:20    0.00s  0.03s  0.00s -bash
...
In this case, the client IP address is in the third column (FROM).
4. finger and pinky Commands
Let's run finger and pinky, which both show the users currently logged on:
user1$ finger
Login     Name       Tty      Idle  Login Time   Office     Office Phone
user1                pts/0          Dec 25 06:04 (18.104.22.168)

user1$ pinky
Login    Name        TTY      Idle   When             Where
user1                pts/0           2020-12-25 06:04 22.214.171.124
Using either of the two commands, we can see the client IP address in the last field.
5. last Command
The last command lists the users who have logged in since the login history file was created, parsing /var/log/wtmp by default.
Let's pipe the result of this command to the head command to get only the most recent logins:
user1$ last | head
user1    pts/0        126.96.36.199    Fri Dec 25 06:29   still logged in
ale      pts/1        188.8.131.52     Fri Dec 25 06:19 - 06:20  (00:00)
...
Here, we can see the client IP address in the third field.
6. netstat and ss Commands
Let’s use netstat filtered by grep, to get the client IP addresses:
user1$ sudo netstat -tpn | grep "ESTABLISHED.*sshd"
tcp        0     60 10.128.0.2:22           184.108.40.206:18068    ESTABLISHED 29446/sshd: user1 [pr
...
Here, we see the client IP address in the 5th field in the format <client IP address>:<client port>.
Let’s take a closer look at the netstat parameters:
- -t lists only the sockets using the TCP protocol
- -p shows the process id and name of the program using the socket
- -n shows the addresses in a numerical way
The grep pattern allows us to filter only the processes using the sshd daemon with a connection established.
Let’s use ss in a similar way to netstat:
user1$ sudo ss -tp | grep "ESTAB.*sshd"
ESTAB      0      92     10.128.0.2:ssh        220.127.116.11:18068    users:(("sshd",pid=29863,fd=3),("sshd",pid=29861,fd=3))
...
Here, we can see the IP address in the 5th field in the format <client IP address>:<client port>.
Let’s take another look at the parameters used in the ss command:
- -t displays TCP sockets
- -p shows the processes using each socket
We’ve used the grep command to filter in the same way as in the netstat example.
Since netstat is deprecated, we should use the ss tool.
7. lsof Command
Another powerful tool is the lsof command. This command stands for “list open files”.
By using this program, we can get information about open files and the processes that are using them. Since a socket is also a file, we can use lsof to find out connection information:
user1$ sudo lsof -i TCP -s tcp:established -n | grep ssh
sshd    29448 user1    3u  IPv4 63825743      0t0  TCP 10.128.0.2:22->18.104.22.168:18068 (ESTABLISHED)
...
Here, we can see the client IP address in the 9th field in the format <server IP address>:<server port>-><client IP address>:<client port>.
Now, let’s review the lsof parameters:
- -i TCP selects the files using the TCP protocol
- -s tcp:established lists only network files with “tcp” state “established”
- -n prevents lsof from translating network numbers to hostnames, so we see the numeric IP address
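The field positions described in the who, w, last, netstat/ss, and lsof sections above can be turned into small shell helpers, for example to record where a session came from in a script rather than reading it by eye. This is an added example, not code from the tutorial; the sample lines are constructed from the outputs shown above, and the ss helper also handles the bracketed IPv6 form ([addr]:port) that the tutorial's IPv4 output does not show.

```shell
#!/bin/sh
# Added example: extract the client address from the outputs discussed above.
# Field positions follow the tutorial; sample lines below are constructed.

# Strip a trailing ":port" (or ":service") and any IPv6 brackets from "addr:port".
strip_port() {
    addr=${1%:*}            # drop everything after the last colon
    addr=${addr#"["}        # drop a leading IPv6 bracket, if present
    printf '%s\n' "${addr%"]"}"
}

# who / finger: the client address is the last field, in parentheses.
ip_from_who() {
    printf '%s\n' "$1" | awk '{ gsub(/[()]/, "", $NF); print $NF }'
}

# w and last: the client address is the third field.
ip_from_w() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# netstat -tpn and ss -tp: the peer is the fifth field, as addr:port.
ip_from_ss() {
    strip_port "$(printf '%s\n' "$1" | awk '{ print $5 }')"
}

# lsof: the ninth field is server:port->client:port.
ip_from_lsof() {
    strip_port "$(printf '%s\n' "$1" | awk '{ split($9, a, "->"); print a[2] }')"
}

# Constructed sample lines mirroring the tutorial's output.
WHO_LINE='user1 pts/0 2020-12-25 05:19 (22.214.171.124)'
W_LINE='user1 pts/0 184.108.40.206 05:19 0.00s 0.03s 0.00s w'
SS_LINE='ESTAB 0 92 10.128.0.2:ssh 220.127.116.11:18068 users:(("sshd",pid=29863,fd=3))'
SS6_LINE='ESTAB 0 0 [::1]:ssh [2001:db8::10]:40222 users:(("sshd",pid=1,fd=3))'
LSOF_LINE='sshd 29448 user1 3u IPv4 63825743 0t0 TCP 10.128.0.2:22->18.104.22.168:18068 (ESTABLISHED)'

# Usage: feed the matching command's output line to the matching helper.
ip_from_who  "$WHO_LINE"     # 22.214.171.124
ip_from_ss   "$SS6_LINE"     # 2001:db8::10
```

On a live system, replace the constructed lines with the real output, e.g. `ip_from_who "$(who am i)"`.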
In this tutorial, we’ve reviewed some strategies to get the client’s IP address while we’re in an SSH session.
We’ve used the who, w, finger, pinky, last, netstat, ss, and the lsof commands.