[lug] Tracking Connections
Scott A. Herod
herod at interact-tv.com
Thu Aug 23 16:09:45 MDT 2001
You could watch the data being written into /var/log/messages (or better
yet redirect ipchains messages), parse them and make the check. Pretty
easy perl script really.
Scott
"Harris, James" wrote:
>
> Is there any way you could get trippy and write an ipchain that snags every
> incoming ftp hit and does a traceroute and port scan back onto it? (But
> still passes the packet through to your ftp service.) That way you could
> get them while they're online and might be able to get some more info.
>
> I seem to remember that ipchains can conceptually bump a connection off to a
> pipe/trigger a script. I may be completely whacked in thinking this, but
> it's an idea... I'm sure there are a billion reasons not to do this even if
> it is possible (performance hits, etc...) but I figured I'd throw it out
> anyway.
>
> Anyone want to chime in on my insanity (oh, well, that's probably a BAD
> thing to ask...)
>
> Jim
>
> -----Original Message-----
> From: Kyle Moore [mailto:kmoore at trustamerica.com]
> Sent: Friday, August 17, 2001 08:32
> To: lug at lug.boulder.co.us
> Subject: [lug] Tracking Connections
>
> I have someone who keeps trying anonymous ftp on a couple of our servers.
> Syslog gives me the IP they are coming from but what I want to find out is
> how they come through our network. I don't have access to any of the
> routers' logs. My main concern here is someone is getting into our network
> that shouldn't...so I want to verify.
>
> NOTE: I know how horrible ftp is so I don't need any sermons on the wonders
> of ssh/scp.
>
> --
> Kyle
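
Added example, not part of the original thread: a sketch of the log-parsing approach Scott describes, written in Python rather than Perl, that tallies logged FTP connection attempts per source address. The ipchains "-l" record layout in the regex and the sample lines are assumptions constructed for illustration; adjust the pattern to what your kernel actually writes.

```python
import re
from collections import defaultdict

# Assumed ipchains "-l" record layout, after the syslog prefix:
# Packet log: CHAIN ACTION IFACE PROTO=n SRC:PORT DST:PORT L= S= I= F= T=ttl [SYN] (#rule)
PACKET_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+kernel:\s+Packet log:\s+"
    r"\S+\s+\S+\s+\S+\s+PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):\d+\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r".*?\bT=(?P<ttl>\d+)(?P<syn>\s+SYN)?\s+\(#\d+\)"
)

# Constructed sample lines (documentation address ranges), not real log data.
SAMPLE_LOG = """\
Aug 17 08:31:02 ftp1 kernel: Packet log: input ACCEPT eth0 PROTO=6 203.0.113.7:1042 192.0.2.10:21 L=60 S=0x00 I=4711 F=0x4000 T=52 SYN (#1)
Aug 17 08:31:02 ftp1 kernel: Packet log: input ACCEPT eth0 PROTO=6 203.0.113.7:1042 192.0.2.10:21 L=52 S=0x00 I=4712 F=0x4000 T=52 (#1)
Aug 17 08:31:40 ftp1 sshd[812]: Server listening on 0.0.0.0 port 22.
Aug 17 08:32:15 ftp1 kernel: Packet log: input ACCEPT eth0 PROTO=17 198.51.100.23:1030 192.0.2.10:53 L=61 S=0x00 I=901 F=0x0000 T=60 (#2)
Aug 17 08:40:09 ftp2 kernel: Packet log: input ACCEPT eth0 PROTO=6 203.0.113.7:1050 192.0.2.11:21 L=60 S=0x00 I=4800 F=0x4000 T=51 SYN (#1)
Aug 17 09:02:33 ftp1 kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.23:2200 192.0.2.10:21 L=60 S=0x00 I=77 F=0x4000 T=112 SYN (#1)
Aug 17 09:05:00 ftp1 kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.23:2201 192.0.2.10:80 L=60 S=0x00 I=78 F=0x4000 T=112 SYN (#1)
"""

def ftp_attempts(lines, ftp_port=21):
    """Group logged TCP SYNs to the FTP port by source address."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                "ttls": set(), "targets": set()})
    for line in lines:
        m = PACKET_RE.match(line)
        if not m:
            continue  # not an ipchains packet record
        # Only new TCP connections (protocol 6, SYN flag) aimed at FTP count.
        if m["proto"] != "6" or int(m["dport"]) != ftp_port or not m["syn"]:
            continue
        h = hits[m["src"]]
        h["count"] += 1
        h["first"] = h["first"] or m["ts"]
        h["last"] = m["ts"]
        h["ttls"].add(int(m["ttl"]))  # arrival TTL: rough hint at hop count
        h["targets"].add(m["dst"])
    return dict(hits)

if __name__ == "__main__":
    for src, h in sorted(ftp_attempts(SAMPLE_LOG.splitlines()).items()):
        print(f"{src}: {h['count']} FTP attempt(s), {h['first']} .. {h['last']}, "
              f"targets={sorted(h['targets'])}, TTLs={sorted(h['ttls'])}")
```

To run it against a live log, pass an open file such as /var/log/messages to ftp_attempts() instead of the sample lines.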