[lug] Tracking Connections

Scott A. Herod herod at interact-tv.com
Thu Aug 23 16:09:45 MDT 2001


You could watch the data being written into /var/log/messages (or
better yet redirect ipchains messages), parse them and make the check.
Pretty easy perl script really.

Scott

"Harris, James" wrote:
> 
> Is there any way you could get trippy and write an ipchain that snags every
> incoming ftp hit and does a traceroute and port scan back onto it? (But
> still passes the packet through to your ftp service.)  That way you could
> get them while they're online and might be able to get some more info.
> 
> I seem to remember that ipchains can conceptually bump a connection off to a
> pipe/trigger a script.  I may be completely whacked in thinking this, but
> it's an idea...  I'm sure there are a billion reasons not to do this even if
> it is possible (performance hits, etc...) but I figured I'd throw it out
> anyway.
> 
> Anyone want to chime in on my insanity (oh, well, that's probably a BAD
> thing to ask...)
> 
> Jim
> 
> -----Original Message-----
> From: Kyle Moore [mailto:kmoore at trustamerica.com]
> Sent: Friday, August 17, 2001 08:32
> To: lug at lug.boulder.co.us
> Subject: [lug] Tracking Connections
> 
> I have someone who keeps trying anonymous ftp on a couple of our servers.
> Syslog gives me the IP they are coming from but what I want to find out is
> how they come through our network. I don't have access to any of the
> routers' logs. My main concern here is someone is getting into our network
> that shouldn't...so I want to verify.
> 
> NOTE: I know how horrible ftp is so I don't need any sermons on the wonders
> of ssh/scp.
> 
> --
> Kyle
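
A sketch of the log-parsing approach suggested in the reply above, as an added example that is not part of the original thread and is written in Python rather than the Perl mentioned there. It assumes an ipchains rule with logging (`-l`) already matches traffic to port 21, and that the kernel writes the "Packet log:" line layout documented in the IPCHAINS-HOWTO; the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# ipchains "-l" line layout (per the IPCHAINS-HOWTO):
# Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=.. (#rule)
PACKET_LOG = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
)

TCP = 6        # IP protocol number for TCP
FTP_PORT = 21  # FTP control channel

# Constructed sample lines using documentation address ranges, not real log data.
SAMPLE_LOG = """\
Aug 17 08:01:12 ftp1 kernel: Packet log: input ACCEPT eth1 PROTO=6 203.0.113.45:3311 192.0.2.10:21 L=60 S=0x00 I=4821 F=0x4000 T=52 SYN (#3)
Aug 17 08:01:40 ftp1 kernel: Packet log: input ACCEPT eth1 PROTO=6 203.0.113.45:3312 192.0.2.10:21 L=60 S=0x00 I=4830 F=0x4000 T=52 SYN (#3)
Aug 17 08:02:03 ftp1 kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.7:1044 192.0.2.10:21 L=60 S=0x00 I=911 F=0x4000 T=60 SYN (#3)
Aug 17 08:02:10 ftp1 kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.7:53 192.0.2.10:1025 L=34 S=0x00 I=22 F=0x0000 T=254 (#5)
Aug 17 08:02:11 ftp1 ftpd[812]: ANONYMOUS FTP LOGIN REFUSED FROM 203.0.113.45
"""


def ftp_hits(lines, port=FTP_PORT):
    """Yield (src, iface, target) for each logged TCP packet sent to `port`."""
    for line in lines:
        m = PACKET_LOG.search(line)
        if m and int(m["proto"]) == TCP and int(m["dport"]) == port:
            yield m["src"], m["iface"], m["target"]


def summarize(lines, port=FTP_PORT):
    """Count hits per (source address, interface the packet arrived on)."""
    return Counter((src, iface) for src, iface, _ in ftp_hits(lines, port))


if __name__ == "__main__":
    # For live use, read /var/log/messages (or wherever kernel messages are sent).
    for (src, iface), n in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{src:15} via {iface:5} {n} FTP packet(s)")
```

The interface column is the part syslog's ftpd entries do not carry: it shows which side of the host each source arrived on.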


