命令简介
lsof 命令用于显示 Linux 系统当前已打开的所有文件列表。查看进程或系统打开的文件会给调试带来极大的帮助。下面简单地介绍 lsof 常使用的功能。
lsof (list open files)命令用于查看你进程打开的文件,打开文件的进程,进程打开的端口(TCP、UDP),还可以用于找回/恢复被删除的文件。lsof 命令需要访问核心内存和各种文件,所以需要具备 root 超级管理员权限的用户才能执行此命令。
语法格式
lsof [Options]
选项说明
-a #显示打开文件的进程 -c<进程名> #显示指定进程所打开的文件 -g #显示GID号进程详情 -d<文件号> #显示占用该文件号的进程 +d<目录> #显示目录下被打开的文件 +D<目录> #递归列出目录下被打开的文件 -n<目录> #显示使用NFS的文件 -l #在输出显示用户ID而不是用户名 -i<条件> #输出符合条件的进程 -p<进程号> #输出指定进程号所打开的文件 -u #显示指定UID号进程详情 -h #显示帮助信息 -t #仅获取进程ID -U #获取UNIX套接口地址 -F #格式化输出结果 -v #显示版本信息
应用举例
显示所有连接
[root@CentOS7-1 ~]# lsof -i COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME chronyd 629 chrony 5u IPv4 16952 0t0 UDP localhost:323 chronyd 629 chrony 6u IPv6 16953 0t0 UDP localhost:323 sshd 866 root 3u IPv4 19638 0t0 TCP *:ssh (LISTEN) sshd 866 root 4u IPv6 19647 0t0 TCP *:ssh (LISTEN) master 976 root 13u IPv4 20415 0t0 TCP localhost:smtp (LISTEN) master 976 root 14u IPv6 20416 0t0 TCP localhost:smtp (LISTEN) netdata 18325 netdata 4u IPv4 114083 0t0 TCP *:dnp-sec (LISTEN) netdata 18325 netdata 5u IPv6 114084 0t0 TCP *:dnp-sec (LISTEN) netdata 18325 netdata 36u IPv6 114297 0t0 UDP localhost:8125 netdata 18325 netdata 37u IPv4 114298 0t0 UDP localhost:8125 netdata 18325 netdata 38u IPv6 114302 0t0 TCP localhost:8125 (LISTEN) netdata 18325 netdata 39u IPv4 114303 0t0 TCP localhost:8125 (LISTEN) sshd 18968 root 3u IPv4 118704 0t0 TCP CentOS7-1:ssh->192.168.1.93:62148 (ESTABLISHED)
只显示IPV6的连接信息
[root@CentOS7-1 ~]# lsof -i 6 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME chronyd 629 chrony 6u IPv6 16953 0t0 UDP localhost:323 sshd 866 root 4u IPv6 19647 0t0 TCP *:ssh (LISTEN) master 976 root 14u IPv6 20416 0t0 TCP localhost:smtp (LISTEN) netdata 18325 netdata 5u IPv6 114084 0t0 TCP *:dnp-sec (LISTEN) netdata 18325 netdata 36u IPv6 114297 0t0 UDP localhost:8125 netdata 18325 netdata 38u IPv6 114302 0t0 TCP localhost:8125 (LISTEN)
只显示IPV4的连接信息
[root@CentOS7-1 ~]# lsof -i 4 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME chronyd 629 chrony 5u IPv4 16952 0t0 UDP localhost:323 sshd 866 root 3u IPv4 19638 0t0 TCP *:ssh (LISTEN) master 976 root 13u IPv4 20415 0t0 TCP localhost:smtp (LISTEN) netdata 18325 netdata 4u IPv4 114083 0t0 TCP *:dnp-sec (LISTEN) netdata 18325 netdata 37u IPv4 114298 0t0 UDP localhost:8125 netdata 18325 netdata 39u IPv4 114303 0t0 TCP localhost:8125 (LISTEN) sshd 18968 root 3u IPv4 118704 0t0 TCP CentOS7-1:ssh->192.168.1.93:62148 (ESTABLISHED)
仅显示TCP连接
[root@CentOS7-1 ~]# lsof -i tcp COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME sshd 866 root 3u IPv4 19638 0t0 TCP *:ssh (LISTEN) sshd 866 root 4u IPv6 19647 0t0 TCP *:ssh (LISTEN) master 976 root 13u IPv4 20415 0t0 TCP localhost:smtp (LISTEN) master 976 root 14u IPv6 20416 0t0 TCP localhost:smtp (LISTEN) netdata 18325 netdata 4u IPv4 114083 0t0 TCP *:dnp-sec (LISTEN) netdata 18325 netdata 5u IPv6 114084 0t0 TCP *:dnp-sec (LISTEN) netdata 18325 netdata 38u IPv6 114302 0t0 TCP localhost:8125 (LISTEN) netdata 18325 netdata 39u IPv4 114303 0t0 TCP localhost:8125 (LISTEN) sshd 18968 root 3u IPv4 118704 0t0 TCP CentOS7-1:ssh->192.168.1.93:62148 (ESTABLISHED)
仅显示UDP连接
[root@CentOS7-1 ~]# lsof -i udp COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME chronyd 629 chrony 5u IPv4 16952 0t0 UDP localhost:323 chronyd 629 chrony 6u IPv6 16953 0t0 UDP localhost:323 netdata 18325 netdata 36u IPv6 114297 0t0 UDP localhost:8125 netdata 18325 netdata 37u IPv4 114298 0t0 UDP localhost:8125
显示指定端口的连接信息
[root@CentOS7-1 ~]# lsof -i :22 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME sshd 866 root 3u IPv4 19638 0t0 TCP *:ssh (LISTEN) sshd 866 root 4u IPv6 19647 0t0 TCP *:ssh (LISTEN) sshd 18968 root 3u IPv4 118704 0t0 TCP CentOS7-1:ssh->192.168.1.93:62148 (ESTABLISHED) [root@CentOS7-1 ~]# lsof -i :80 [root@CentOS7-1 ~]# lsof -i :62148 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME sshd 18968 root 3u IPv4 118704 0t0 TCP CentOS7-1:ssh->192.168.1.93:62148 (ESTABLISHED)
列由某个用户打开的进程或文件
[root@CentOS7-1 ~]# lsof -u root | head -5 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root cwd DIR 253,0 262 64 / systemd 1 root rtd DIR 253,0 262 64 / systemd 1 root txt REG 253,0 1628608 16959493 /usr/lib/systemd/systemd systemd 1 root mem REG 253,0 20064 1679454 /usr/lib64/libuuid.so.1.3.0 #列出除了root以外用户打开的文件 [root@CentOS7-1 ~]# lsof -u ^root | head COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME polkitd 618 polkitd cwd DIR 253,0 262 64 / polkitd 618 polkitd rtd DIR 253,0 262 64 / polkitd 618 polkitd txt REG 253,0 120432 17108633 /usr/lib/polkit-1/polkitd polkitd 618 polkitd mem REG 253,0 61560 18290 /usr/lib64/libnss_files-2.17.so polkitd 618 polkitd mem REG 253,0 68192 40949 /usr/lib64/libbz2.so.1.0.6 polkitd 618 polkitd mem REG 253,0 99952 324334 /usr/lib64/libelf-0.176.so polkitd 618 polkitd mem REG 253,0 19896 46144 /usr/lib64/libattr.so.1.1.0 polkitd 618 polkitd mem REG 253,0 20064 1679454 /usr/lib64/libuuid.so.1.3.0 polkitd 618 polkitd mem REG 253,0 265576 20649 /usr/lib64/libblkid.so.1.1.0
显示指定的连接信息
#显示指定到指定主机的连接 [root@CentOS7-1 ~]# lsof -i@192.168.1.100 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME sshd 18968 root 3u IPv4 118704 0t0 TCP CentOS7-1:ssh->192.168.1.93:62148 (ESTABLISHED) #显示指定到指定主机端口的连接 [root@CentOS7-1 ~]# lsof -i@192.168.1.100:22 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME sshd 18968 root 3u IPv4 118704 0t0 TCP CentOS7-1:ssh->192.168.1.93:62148 (ESTABLISHED)
显示某些状态的端口信息
#找出处于监听状态的端口 [root@CentOS7-1 ~]# lsof -i -sTCP:LISTEN COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME sshd 866 root 3u IPv4 19638 0t0 TCP *:ssh (LISTEN) sshd 866 root 4u IPv6 19647 0t0 TCP *:ssh (LISTEN) master 976 root 13u IPv4 20415 0t0 TCP localhost:smtp (LISTEN) master 976 root 14u IPv6 20416 0t0 TCP localhost:smtp (LISTEN) netdata 18325 netdata 4u IPv4 114083 0t0 TCP *:dnp-sec (LISTEN) netdata 18325 netdata 5u IPv6 114084 0t0 TCP *:dnp-sec (LISTEN) netdata 18325 netdata 38u IPv6 114302 0t0 TCP localhost:8125 (LISTEN) netdata 18325 netdata 39u IPv4 114303 0t0 TCP localhost:8125 (LISTEN) ##找出处于已连接状态的端口 [root@CentOS7-1 ~]# lsof -i -sTCP:ESTABLISHED COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME sshd 18968 root 3u IPv4 118704 0t0 TCP CentOS7-1:ssh->192.168.1.93:62148 (ESTABLISHED)
终止用户行为
[root@CentOS7-1 ~]# lsof -u mingongge COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME bash 20369 mingongge cwd DIR 253,0 82 462615 /home/mingongge bash 20369 mingongge rtd DIR 253,0 262 64 / bash 20369 mingongge txt REG 253,0 964536 50333070 /usr/bin/bash bash 20369 mingongge mem REG 253,0 106172832 50333042 /usr/lib/locale/locale-archive bash 20369 mingongge mem REG 253,0 61560 18290 /usr/lib64/libnss_files-2.17.so bash 20369 mingongge mem REG 253,0 2156240 18266 /usr/lib64/libc-2.17.so bash 20369 mingongge mem REG 253,0 19248 18273 /usr/lib64/libdl-2.17.so bash 20369 mingongge mem REG 253,0 174576 20696 /usr/lib64/libtinfo.so.5.9 bash 20369 mingongge mem REG 253,0 163312 1679434 /usr/lib64/ld-2.17.so bash 20369 mingongge mem REG 253,0 26970 16806930 /usr/lib64/gconv/gconv-modules.cache bash 20369 mingongge 0u CHR 136,1 0t0 4 /dev/pts/1 bash 20369 mingongge 1u CHR 136,1 0t0 4 /dev/pts/1 bash 20369 mingongge 2u CHR 136,1 0t0 4 /dev/pts/1 bash 20369 mingongge 255u CHR 136,1 0t0 4 /dev/pts/1 vim 20391 mingongge cwd DIR 253,0 82 462615 /home/mingongge vim 20391 mingongge rtd DIR 253,0 262 64 / vim 20391 mingongge txt REG 253,0 2337192 51061591 /usr/bin/vim vim 20391 mingongge mem REG 253,0 61560 18290 /usr/lib64/libnss_files-2.17.so vim 20391 mingongge mem REG 253,0 106172832 50333042 /usr/lib/locale/locale-archive vim 20391 mingongge mem REG 253,0 11392 8814 /usr/lib64/libfreebl3.so vim 20391 mingongge mem REG 253,0 14424 1679441 /usr/lib64/libutil-2.17.so vim 20391 mingongge mem REG 253,0 40600 18271 /usr/lib64/libcrypt-2.17.so vim 20391 mingongge mem REG 253,0 115816 18278 /usr/lib64/libnsl-2.17.so vim 20391 mingongge mem REG 253,0 109976 18302 /usr/lib64/libresolv-2.17.so vim 20391 mingongge mem REG 253,0 19896 46144 /usr/lib64/libattr.so.1.1.0 vim 20391 mingongge mem REG 253,0 402384 20698 /usr/lib64/libpcre.so.1.2.0 vim 20391 mingongge mem REG 253,0 2156240 18266 /usr/lib64/libc-2.17.so vim 20391 mingongge mem REG 253,0 142144 18300 /usr/lib64/libpthread-2.17.so vim 20391 mingongge mem REG 253,0 1647328 282389 /usr/lib64/perl5/CORE/libperl.so vim 20391 mingongge mem REG 253,0 19248 18273 /usr/lib64/libdl-2.17.so vim 20391 mingongge mem REG 253,0 27752 669 /usr/lib64/libgpm.so.2.1.0 vim 20391 mingongge mem REG 253,0 37064 18281 /usr/lib64/libacl.so.1.1.0 vim 20391 mingongge mem REG 253,0 174576 20696 /usr/lib64/libtinfo.so.5.9 vim 20391 mingongge mem REG 253,0 155744 1679449 /usr/lib64/libselinux.so.1 vim 20391 mingongge mem REG 253,0 1136944 18275 /usr/lib64/libm-2.17.so vim 20391 mingongge mem REG 253,0 163312 1679434 /usr/lib64/ld-2.17.so vim 20391 mingongge 0u CHR 136,1 0t0 4 /dev/pts/1 vim 20391 mingongge 1u CHR 136,1 0t0 4 /dev/pts/1 vim 20391 mingongge 2u CHR 136,1 0t0 4 /dev/pts/1 vim 20391 mingongge 3u REG 253,0 12288 462619 /home/mingongge/.test.sh.swp 然后我们使用下面的命令来终止这个用户的这些操作行为 [root@CentOS7-1 ~]# kill -9 `lsof -t -u mingongge` [root@CentOS7-1 ~]# lsof -u mingongge #你会发现这个用户的所有操作都被终止了
这个命令组合,在日常使用环境下还可以用于检查服务器被攻击的行为,如果有行为异常的用户登录操作,可以使用管理员暂时将此用户的一切操作全部干掉,然后再找出解决方法。
本文章为转载内容,我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题,欢迎原作者联系我们进行内容更正或删除文章。
