I have a server with port 25 closed. I was to be able
to run a script every time someone tries to connect to
port 25, but from the outside the port remains closed.
I need the script that I'm going to run get the IP
address that tried to connect.
I know it's off topic but it's part of an experiment
to stop spam.
Thanks in advance.
____________________________________________________________________________________
Luggage? GPS? Comic books?
Check out fitting gifts for grads at Yahoo! Search
http://search.yahoo.com/search?fr=oni_on_mail&p=graduation+gifts&cs=bz
On Jun 19 2007 09:48, Marc Perkel wrote:
>
>I have a server with port 25 closed. I was to be able
>to run a script every time someone tries to connect to
>port 25, but from the outside the port remains closed.
>I need the script that I'm going to run get the IP
>address that tried to connect.
>
>I know it's off topic but it's part of an experiment
>to stop spam.
tcpdump -lni any port 25
iptables -p tcp --dport 25 -j NFQUEUE
...
Jan
--
--- Jan Engelhardt <[email protected]> wrote:
>
> On Jun 19 2007 09:48, Marc Perkel wrote:
> >
> >I have a server with port 25 closed. I was to be
> able
> >to run a script every time someone tries to connect
> to
> >port 25, but from the outside the port remains
> closed.
> >I need the script that I'm going to run get the IP
> >address that tried to connect.
> >
> >I know it's off topic but it's part of an
> experiment
> >to stop spam.
>
> tcpdump -lni any port 25
> iptables -p tcp --dport 25 -j NFQUEUE
> ...
>
Thanks Jan, but I'm not sure it answers my question. I
want to run a script every time a connection attempt
is made in real time with the IP address as a
parameter to the script. How would I do that? Suppose
my script is:
iplog <ipaddress>
____________________________________________________________________________________
Take the Internet to Go: Yahoo!Go puts the Internet in your pocket: mail, news, photos & more.
http://mobile.yahoo.com/go?refer=1GNXIC
On Jun 19 2007 10:14, Marc Perkel wrote:
>>
>> tcpdump -lni any port 25
>> iptables -p tcp --dport 25 -j NFQUEUE
>> ...
>>
>
>Thanks Jan, but I'm not sure it answers my question.
There's more than one way to do it.
One is...
tcpdump -lni eth0 tcp [extra operands to match SYN packets] |
myprogram
a longer one is to write your own netfilter userspace program
that receives the TCP SYNs (by means of -j NFQUEUE) and does
take action.
Another one is to use -j LOG and let your program parse
down /var/log/firewall. Like
iptables -A INPUT -p tcp --dport 25 --syn -j LOG --log-prefix "[evil]"
tail -f /var/log/firewall | grep '^\[evil\]' | myscript
myscript:
#!/usr/bin/perl
while (defined(my $line = <>)) {
my($ip) = ($line =~ /SRC=(\S+)/);
# Do something
}
>I want to run a script every time a connection attempt is made in real time
The scripts runs constantly, preferably.
>with the IP address as a parameter to the script. How would I do that? Suppose
>my script is:
>
>iplog <ipaddress>
>
>
>
>
>
>____________________________________________________________________________________
>Take the Internet to Go: Yahoo!Go puts the Internet in your pocket: mail, news, photos & more.
>http://mobile.yahoo.com/go?refer=1GNXIC
>
Jan
--
--- Jan Engelhardt <[email protected]> wrote:
>
> On Jun 19 2007 10:14, Marc Perkel wrote:
> >>
> >> tcpdump -lni any port 25
> >> iptables -p tcp --dport 25 -j NFQUEUE
> >> ...
> >>
> >
> >Thanks Jan, but I'm not sure it answers my
> question.
>
> There's more than one way to do it.
>
> One is...
> tcpdump -lni eth0 tcp [extra operands to match SYN
> packets] |
> myprogram
>
> a longer one is to write your own netfilter
> userspace program
> that receives the TCP SYNs (by means of -j NFQUEUE)
> and does
> take action.
>
> Another one is to use -j LOG and let your program
> parse
> down /var/log/firewall. Like
>
> iptables -A INPUT -p tcp --dport 25 --syn -j LOG
> --log-prefix "[evil]"
> tail -f /var/log/firewall | grep '^\[evil\]' |
> myscript
>
> myscript:
> #!/usr/bin/perl
>
> while (defined(my $line = <>)) {
> my($ip) = ($line =~ /SRC=(\S+)/);
> # Do something
> }
>
> >I want to run a script every time a connection
> attempt is made in real time
>
> The scripts runs constantly, preferably.
>
> >with the IP address as a parameter to the script.
> How would I do that? Suppose
> >my script is:
> >
> >iplog <ipaddress>
> >
> >
> >
> >
> >
>
>____________________________________________________________________________________
> >Take the Internet to Go: Yahoo!Go puts the Internet
> in your pocket: mail, news, photos & more.
> >http://mobile.yahoo.com/go?refer=1GNXIC
> >
Thanks Jan,
I think what you sent me is workable. I noticed it
goes to the file /var/log/messages. Is there a way to
make it go to a specific file? Thanks a lot for your
help. I've been experimenting with some new and very
interesting ways to catch spam and this could be yet
another breakthrough.
____________________________________________________________________________________
Shape Yahoo! in your own image. Join our Network Research Panel today! http://surveylink.yahoo.com/gmrs/yahoo_panel_invite.asp?a=7
On Jun 19 2007 12:36, Marc Perkel wrote:
>
>Thanks Jan,
>
>I think what you sent me is workable. I noticed it
>goes to the file /var/log/messages. Is there a way to
>make it go to a specific file?
Configure your syslog daemon accordingly.
> Thanks a lot for your
>help. I've been experimenting with some new and very
>interesting ways to catch spam and this could be yet
>another breakthrough.
Jan
--
Marc Perkel wrote:
> I have a server with port 25 closed. I was to be able
> to run a script every time someone tries to connect to
> port 25, but from the outside the port remains closed.
> I need the script that I'm going to run get the IP
> address that tried to connect.
>
> I know it's off topic but it's part of an experiment
> to stop spam.
Put a rule in iptables to jump to a user table to do a log and drop. You
are doing it the wrong way, you want to set syslog to write the log
message to a FIFO and have a permanent running program reading it (I do
just this for other things).
Alternatively you can use redirect to send it to a program of your
choosing, which can run a script if you really want to. Beware that rate
limiting is desirable if you are going to start a process for ANY type
of attack packets.
--
Bill Davidsen <[email protected]>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot