How to find the IP of the source of an SSH reverse tunnel?

Question

Using lsof -i I can see there is a reverse ssh tunnel set up on my server:

sshd       1321   remote    8u  IPv4 219299       TCP localhost.localdomain:mvs-capacity (LISTEN)

How can I find out the IP address of the machine that created this tunnel?

Thanks

score 3 · Answer 1 · answered Sep 07 '10 at 22:25

3

lsof -nPp 1321

answered Sep 07 '10 at 22:25

al.

score 1 · Answer 2 · answered Sep 07 '10 at 21:51

1

Run lsof -i | grep 1321 to see the other connections the pid has, one of which should be the ip of the machine that created the tunnel.

answered Sep 07 '10 at 21:51

Mark Wagner

score 1 · Answer 3 · answered Sep 07 '10 at 22:20

1

or you can use netstat -a

answered Sep 07 '10 at 22:20

Zak

score 0 · Answer 4 · answered Sep 07 '10 at 22:23

0

Try netstat -ntp | grep 1321 (replace 1321 with the pid of the process in question.). This will allow you to see the network connections.

answered Sep 07 '10 at 22:23

knx

score 0 · Answer 5 · answered Jan 17 '18 at 07:10

0

To get only the ip address you can do this.

netstat -ntp | grep "27750" | awk '{print $5}' | awk -F ':' '{print $1}'

If you know that you only have one tunnel you can use this without knowledge of the pid.

netstat -ntp | grep "sshd: root" | awk '{print $5}' | awk -F ':' '{print $1}'

answered Jan 17 '18 at 07:10

Mikael Svensson

Remember that `netstat` is deprecated and may not be installed on modern Linux systems. – Michael Hampton Jan 17 '18 at 09:30

5 Answers5