DEV Community

Faruk
Faruk

Posted on • Originally published at Medium

How I Use netstat and ss to Catch Suspicious Connections on Linux | by Faruk Ahmed | Jul, 2025

Member-only story

How I Use netstat and ss to Catch Suspicious Connections on Linux

--

Share

Intro: Sometimes the biggest threats to your Linux server arenโ€™t in the logs โ€” theyโ€™re quietly hiding in plain sight, listening on open ports or making outbound connections you didnโ€™t authorize. This post explains how I use netstat and ss to find those sneaky processes and shut them down before they become a real problem.

๐Ÿ” 1. The Threat: Undetected Network Activity

Most malware and unauthorized scripts โ€œcall homeโ€ or open ports to accept commands. If youโ€™re not checking for this regularly, youโ€™re trusting every connection your server makes.

โš™๏ธ 2. Install net-tools and Use netstat

On older systems or for familiarity:

# Debian/Ubuntu:sudo apt install net-tools
Enter fullscreen mode Exit fullscreen mode
# Red Hat/CentOS:sudo yum install net-tools
Enter fullscreen mode Exit fullscreen mode

Check all listening ports:

sudo netstat -tulnp
Enter fullscreen mode Exit fullscreen mode

This lists:

  • Protocol (tcp, udp)
  • Local address/port
  • PID/Program name

๐Ÿš€ 3. Use ss for Faster and Modern Analysis


๐Ÿ‘‰ Read Full Blog on Medium Here

Top comments (0)