Active Connection Defense#
Techniques for monitoring and terminating suspicious connections during competition.
View Active Connections#
netstat Command#
Basic usage (too much output):
netstat
Useful filtered version:
netstat -tu # TCP and UDP connections only
netstat -tun # + numeric ports (shows 22 instead of "ssh")
netstat -tuna # + show listening ports too
sudo netstat -tunap # + show process IDs (requires sudo)
Remember: netstat -tunap (tuna + p)
| Flag | Meaning |
|---|---|
| -t | TCP connections |
| -u | UDP connections |
| -n | Show port numbers (not names) |
| -a | Show all (including listening) |
| -p | Show process IDs (requires sudo) |
Example output:
Proto Local Address Foreign Address State PID/Program
tcp 192.168.8.2:22 192.168.8.100:51736 ESTABLISHED 26546/sshd: jenny
tcp 192.168.8.2:22 192.168.8.100:51732 ESTABLISHED 26540/sshd: bob
Filter with grep#
sudo netstat -tunap | grep ESTABLISHED
sudo netstat -tunap | grep ssh
ss Command (alternative to netstat)#
Some systems don't have netstat - use ss instead:
ss
ss -t # TCP only
ss | grep ESTABLISHED
View Logged-In Users#
w Command#
w
Shows:
- Username
- TTY (terminal)
- From (IP address for remote, :0 for local GUI)
- Login time
- What they're running
Example output:
USER TTY FROM LOGIN@ WHAT
sandbox :0 :0 09:00 /usr/bin/gnome-shell <- Local GUI
bob pts/1 192.168.8.100 10:15 -bash <- Remote SSH
jenny pts/2 192.168.8.100 10:16 -bash <- Remote SSH
Note: :0 means local GUI session (probably your teammate), IP address means remote connection (possibly attacker).
Kill Connections#
Kill by Process ID#
- Find the PID with sudo netstat -tunap
- Kill it: sudo kill <PID>
Example:
sudo netstat -tunap | grep ESTABLISHED
# See jenny's connection has PID 26546
sudo kill 26546
Kill by Username#
Log out all sessions for a specific user:
sudo pkill -kill -u jenny
sudo pkill -kill -u bob
⚠️ WARNING: Don't kill yourself!
sudo pkill -kill -u sandbox # This kills YOUR session too!
If attacker is using the same account as you, kill by PID instead.
Monitor Processes#
top Command#
top # Live view of running processes
htop # Fancier version (may need to install)
Press q to quit.
ps Command#
ps aux # Show all processes with details
ps aux | grep python # Find Python scripts
ps aux | grep bash # Find bash scripts
Look for suspicious scripts running in background (attackers may leave these).
Send Messages to Users#
Broadcast to All Users#
wall "Server shutting down in 5 minutes. Please save your work."
All logged-in users see the message in their terminal.
Message Specific User#
w # Find their TTY (e.g., pts/2)
sudo write bob pts/2 # Opens interactive message
# Type your message, Ctrl+C to end
Competition Strategy#
Active Defense Workflow#
- Monitor continuously:
  sudo netstat -tunap | grep ESTABLISHED
  w
- Identify suspicious connections:
  - Unknown usernames
  - Connections from unexpected IPs
  - Multiple sessions from same IP
- Kill suspicious connections:
  sudo kill <PID> # By process ID
  sudo pkill -kill -u <user> # By username
- Meanwhile, teammate secures server:
  - Change passwords
  - Lock down user accounts
  - Enable firewall
  - Remove unnecessary services
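As an added example (not part of the original notes), a small POSIX shell script that automates the "identify suspicious connections" step of the workflow: it parses sudo netstat -tunap output, flags ESTABLISHED sessions whose remote IP is not on an allowlist of expected hosts, and counts sessions per remote IP. The allowlist IP and the sample netstat output are constructed for the demo; on a live box you would pipe the real command in and hand the flagged PIDs to sudo kill after checking them.

```shell
#!/bin/sh
# Parse `sudo netstat -tunap` output (stdin) and print ESTABLISHED sessions whose
# remote IP is not in the allowlist given as one space-separated argument.
flag_unexpected() {
    awk -v allowed=" $1 " '
        $6 == "ESTABLISHED" {
            ip = $5; sub(/:[^:]*$/, "", ip)           # drop the :port suffix
            if (index(allowed, " " ip " ") > 0) next   # expected host, skip it
            pid = $7; sub(/\/.*/, "", pid)             # "26546/sshd:" -> "26546"
            prog = ""
            for (i = 7; i <= NF; i++) prog = prog (i > 7 ? " " : "") $i
            sub(/^[0-9]+\//, "", prog)                 # "26546/sshd: jenny" -> "sshd: jenny"
            print pid, ip, prog
        }'
}

# Count ESTABLISHED sessions per remote IP; several from one IP is a red flag.
sessions_per_ip() {
    awk '$6 == "ESTABLISHED" { ip = $5; sub(/:[^:]*$/, "", ip); n[ip]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Constructed sample in the real `netstat -tunap` column layout (not captured
# from a live host). The LISTEN and UDP rows show that lines whose State column
# is different or empty are ignored.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.8.2:22          192.168.8.100:51736     ESTABLISHED 26546/sshd: jenny
tcp        0      0 192.168.8.2:22          192.168.8.100:51732     ESTABLISHED 26540/sshd: bob
tcp        0      0 192.168.8.2:22          10.0.0.45:40122         ESTABLISHED 26601/sshd: bob
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      900/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           812/dhclient'

# Demo: 192.168.8.100 is the assumed teammate host, so only the session from
# 10.0.0.45 is flagged; the per-IP count shows 2 for 192.168.8.100 and 1 for 10.0.0.45.
# Live use: sudo netstat -tunap | flag_unexpected "192.168.8.100"
printf '%s\n' "$SAMPLE" | flag_unexpected "192.168.8.100"
printf '%s\n' "$SAMPLE" | sessions_per_ip
```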
Watch Out For#
- Background scripts: Attackers may leave Python/bash scripts running
  ps aux | grep python
  ps aux | grep bash
- Cron jobs: Check crontab -l and /etc/cron.*
- Friendly fire: Don't kill your own sessions or teammates!
Quick Reference#
| Task | Command |
|---|---|
| View connections | sudo netstat -tunap |
| View logged-in users | w |
| Kill by PID | sudo kill <PID> |
| Kill by username | sudo pkill -kill -u <user> |
| View processes | ps aux or top |
| Broadcast message | wall "message" |
| Message specific user | sudo write <user> <tty> |