public inbox for linux-kernel@vger.kernel.org
* How would I do this? (expert tricks) OT
@ 2007-06-19 16:48 Marc Perkel
  2007-06-19 16:54 ` Jan Engelhardt
  2007-06-27 20:02 ` Bill Davidsen
  0 siblings, 2 replies; 7+ messages in thread
From: Marc Perkel @ 2007-06-19 16:48 UTC (permalink / raw)
  To: linux-kernel

I have a server with port 25 closed. I want to be able
to run a script every time someone tries to connect to
port 25, but from the outside the port remains closed.
I need the script that I'm going to run to get the IP
address that tried to connect.

I know it's off topic but it's part of an experiment
to stop spam. 

Thanks in advance.


* Re: How would I do this? (expert tricks) OT
  2007-06-19 16:48 How would I do this? (expert tricks) OT Marc Perkel
@ 2007-06-19 16:54 ` Jan Engelhardt
  2007-06-19 17:14   ` Marc Perkel
  2007-06-27 20:02 ` Bill Davidsen
  1 sibling, 1 reply; 7+ messages in thread
From: Jan Engelhardt @ 2007-06-19 16:54 UTC (permalink / raw)
  To: Marc Perkel; +Cc: linux-kernel


On Jun 19 2007 09:48, Marc Perkel wrote:
>
>I have a server with port 25 closed. I want to be able
>to run a script every time someone tries to connect to
>port 25, but from the outside the port remains closed.
>I need the script that I'm going to run to get the IP
>address that tried to connect.
>
>I know it's off topic but it's part of an experiment
>to stop spam. 

tcpdump -lni any port 25
iptables -p tcp --dport 25 -j NFQUEUE
...



	Jan
-- 


* Re: How would I do this? (expert tricks) OT
  2007-06-19 16:54 ` Jan Engelhardt
@ 2007-06-19 17:14   ` Marc Perkel
  2007-06-19 17:28     ` Jan Engelhardt
  0 siblings, 1 reply; 7+ messages in thread
From: Marc Perkel @ 2007-06-19 17:14 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: linux-kernel


--- Jan Engelhardt <jengelh@computergmbh.de> wrote:

> 
> On Jun 19 2007 09:48, Marc Perkel wrote:
> >
> >I have a server with port 25 closed. I want to be able
> >to run a script every time someone tries to connect to
> >port 25, but from the outside the port remains closed.
> >I need the script that I'm going to run to get the IP
> >address that tried to connect.
> >
> >I know it's off topic but it's part of an experiment
> >to stop spam. 
> 
> tcpdump -lni any port 25
> iptables -p tcp --dport 25 -j NFQUEUE
> ...
> 

Thanks Jan, but I'm not sure it answers my question. I
want to run a script every time a connection attempt
is made in real time with the IP address as a
parameter to the script. How would I do that? Suppose
my script is:

iplog <ipaddress>



* Re: How would I do this? (expert tricks) OT
  2007-06-19 17:14   ` Marc Perkel
@ 2007-06-19 17:28     ` Jan Engelhardt
  2007-06-19 19:36       ` Marc Perkel
  0 siblings, 1 reply; 7+ messages in thread
From: Jan Engelhardt @ 2007-06-19 17:28 UTC (permalink / raw)
  To: Marc Perkel; +Cc: linux-kernel


On Jun 19 2007 10:14, Marc Perkel wrote:
>> 
>> tcpdump -lni any port 25
>> iptables -p tcp --dport 25 -j NFQUEUE
>> ...
>> 
>
>Thanks Jan, but I'm not sure it answers my question.

There's more than one way to do it.

One is...
	tcpdump -lni eth0 'tcp dst port 25 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' |
	myprogram

A longer one is to write your own netfilter userspace program
that receives the TCP SYNs (by means of -j NFQUEUE) and takes
action.

Another one is to use -j LOG and let your program parse
down /var/log/firewall. Like

	iptables -A INPUT -p tcp --dport 25 --syn -j LOG --log-prefix "[evil]"
	tail -f /var/log/firewall | grep --line-buffered '\[evil\]' | myscript

myscript:
#!/usr/bin/perl
use strict;
use warnings;

# Each line is a kernel LOG record; pull the source address out of SRC=
while (defined(my $line = <>)) {
	my($ip) = ($line =~ /SRC=(\S+)/);
	next unless defined $ip;
	# Do something, e.g. hand the address to the iplog script
	system("iplog", $ip);
}

>I want to run a script every time a connection attempt is made in real time

The script runs constantly, preferably.

>with the IP address as a parameter to the script. How would I do that? Suppose
>my script is:
>
>iplog <ipaddress>
>

	Jan
-- 


* Re: How would I do this? (expert tricks) OT
  2007-06-19 17:28     ` Jan Engelhardt
@ 2007-06-19 19:36       ` Marc Perkel
  2007-06-19 19:37         ` Jan Engelhardt
  0 siblings, 1 reply; 7+ messages in thread
From: Marc Perkel @ 2007-06-19 19:36 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: linux-kernel


--- Jan Engelhardt <jengelh@computergmbh.de> wrote:

> 
> On Jun 19 2007 10:14, Marc Perkel wrote:
> >> 
> >> tcpdump -lni any port 25
> >> iptables -p tcp --dport 25 -j NFQUEUE
> >> ...
> >> 
> >
> >Thanks Jan, but I'm not sure it answers my question.
> 
> There's more than one way to do it.
> 
> One is...
> 	tcpdump -lni eth0 'tcp dst port 25 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' |
> 	myprogram
> 
> A longer one is to write your own netfilter userspace program
> that receives the TCP SYNs (by means of -j NFQUEUE) and takes
> action.
> 
> Another one is to use -j LOG and let your program parse
> down /var/log/firewall. Like
> 
> 	iptables -A INPUT -p tcp --dport 25 --syn -j LOG --log-prefix "[evil]"
> 	tail -f /var/log/firewall | grep --line-buffered '\[evil\]' | myscript
> 
> myscript:
> #!/usr/bin/perl
> use strict;
> use warnings;
> 
> # Each line is a kernel LOG record; pull the source address out of SRC=
> while (defined(my $line = <>)) {
> 	my($ip) = ($line =~ /SRC=(\S+)/);
> 	next unless defined $ip;
> 	# Do something, e.g. hand the address to the iplog script
> 	system("iplog", $ip);
> }
> 
> >I want to run a script every time a connection attempt is made in real time
> 
> The script runs constantly, preferably.
> 
> >with the IP address as a parameter to the script. How would I do that? Suppose
> >my script is:
> >
> >iplog <ipaddress>

Thanks Jan,

I think what you sent me is workable. I noticed it
goes to the file /var/log/messages. Is there a way to
make it go to a specific file? Thanks a lot for your
help. I've been experimenting with some new and very
interesting ways to catch spam and this could be yet
another breakthrough.



* Re: How would I do this? (expert tricks) OT
  2007-06-19 19:36       ` Marc Perkel
@ 2007-06-19 19:37         ` Jan Engelhardt
  0 siblings, 0 replies; 7+ messages in thread
From: Jan Engelhardt @ 2007-06-19 19:37 UTC (permalink / raw)
  To: Marc Perkel; +Cc: linux-kernel


On Jun 19 2007 12:36, Marc Perkel wrote:
>
>Thanks Jan,
>
>I think what you sent me is workable. I noticed it
>goes to the file /var/log/messages. Is there a way to
>make it go to a specific file?

Configure your syslog daemon accordingly.


> Thanks a lot for your
>help. I've been experimenting with some new and very
>interesting ways to catch spam and this could be yet
>another breakthrough.



	Jan
-- 


* Re: How would I do this? (expert tricks) OT
  2007-06-19 16:48 How would I do this? (expert tricks) OT Marc Perkel
  2007-06-19 16:54 ` Jan Engelhardt
@ 2007-06-27 20:02 ` Bill Davidsen
  1 sibling, 0 replies; 7+ messages in thread
From: Bill Davidsen @ 2007-06-27 20:02 UTC (permalink / raw)
  To: Marc Perkel; +Cc: linux-kernel

Marc Perkel wrote:
> I have a server with port 25 closed. I want to be able
> to run a script every time someone tries to connect to
> port 25, but from the outside the port remains closed.
> I need the script that I'm going to run to get the IP
> address that tried to connect.
> 
> I know it's off topic but it's part of an experiment
> to stop spam. 

Put a rule in iptables to jump to a user table to do a log and drop. You 
are doing it the wrong way, you want to set syslog to write the log 
message to a FIFO and have a permanent running program reading it (I do 
just this for other things).

Alternatively you can use redirect to send it to a program of your 
choosing, which can run a script if you really want to. Beware that rate 
limiting is desirable if you are going to start a process for ANY type 
of attack packets.

-- 
Bill Davidsen <davidsen@tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
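The log-parsing loop from Jan's reply combined with Bill's rate-limiting caveat, as one added POSIX sh example (my code, not from any poster in this thread). It assumes the "[evil]" --log-prefix from Jan's iptables rule, treats `iplog` as the OP's hypothetical handler, and feeds itself constructed kernel LOG lines.

```shell
#!/bin/sh
# Added example, not from the thread. Reads iptables LOG lines (as produced
# by the "[evil]" --log-prefix rule) on stdin, extracts SRC=, and emits each
# source address at most once per window, capped per window, so a flood of
# SYNs cannot fork one handler process per packet.
LOG_PREFIX='[evil]'
WINDOW=60            # seconds before the seen-list is cleared
MAX_PER_WINDOW=100   # hard cap on handler launches per window

# Print the SRC= address of one LOG line; fail if the line is not ours.
src_of_line() {
    case "$1" in
        *"$LOG_PREFIX"*" SRC="*) ;;
        *) return 1 ;;
    esac
    rest=${1##* SRC=}
    printf '%s\n' "${rest%% *}"
}

# Filter stdin down to new source addresses, one per line.
unique_sources() {
    seen=$(mktemp) || return 1
    count=0
    start=$(date +%s)
    while IFS= read -r line; do
        ip=$(src_of_line "$line") || continue
        now=$(date +%s)
        if [ $((now - start)) -ge "$WINDOW" ]; then
            : > "$seen"; count=0; start=$now      # new window: forget everything
        fi
        grep -qxF "$ip" "$seen" && continue       # already handled this window
        printf '%s\n' "$ip" >> "$seen"
        count=$((count + 1))
        [ "$count" -le "$MAX_PER_WINDOW" ] && printf '%s\n' "$ip"
    done
    rm -f "$seen"
}

# Constructed sample: two SYNs from one host, one from another, one unrelated line.
SAMPLE='Jun 19 10:14:01 mx kernel: [evil]IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=25 SYN URGP=0
Jun 19 10:14:02 mx kernel: [evil]IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51235 DPT=25 SYN URGP=0
Jun 19 10:14:03 mx kernel: [evil]IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=25 SYN URGP=0
Jun 19 10:14:04 mx sshd[123]: Accepted publickey for alice from 192.0.2.99 port 2222'

# Live use: tail -f /var/log/firewall | unique_sources | while read -r ip; do iplog "$ip"; done
# (iplog is the hypothetical handler from the thread.) Offline demo on the sample:
printf '%s\n' "$SAMPLE" | unique_sources
```

Pointing syslog at a FIFO instead of a file, as Bill suggests, only changes the left side of the pipe; the filter stays the same.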
