I've packaged a couple of scripts that tie into PortSentry which page me
(and send email) every time one tries to connect to a port protected by
PortSentry.

One sends out a page based on the command line by using an email gateway
(you'll have to figure out your own).

The other does the work; it sends out the page, as well as formulating a
big email with all the details possible about the source IP.

This current script will, if the binaries are available, do the
following (all against the source IP address):

* whois (administrative contacts and IP block owner)
* dig (name lookup and name servers)
* traceroute (how long?  what routers between here and there?)
* tcptraceroute (same as traceroute, but uses TCP not ICMP - pierces
some firewalls)
* ping (how long does it take to get there?)
* nmap (what ports do they have open?  What are they running?)

The last four also help to identify that this is a REAL host active on
the network.

The nmap option is in the script but not run by default: some sites
could classify an nmap probe as hostile behavior (and perhaps illegal
behavior).  The nmap line is commented out.

The package is at
http://leaf.sourceforge.net/pub/oxygen/packages/alert.lrp

Enjoy!
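The alert script the post describes, as an added example in POSIX sh that is not the alert.lrp package's own code: it checks the source address PortSentry hands it, runs whichever of whois, dig, ping, traceroute and tcptraceroute are installed, pages a short line and mails the full report. It assumes PortSentry calls it through its KILL_RUN_CMD option with $TARGET$ and $PORT$ substituted (the script name alert.sh, ALERT_TO, PAGER_TO and the use of mail(1) are assumptions).

```shell
#!/bin/sh
# Added example, not the alert.lrp package: a PortSentry KILL_RUN_CMD hook
# invoked as "alert.sh $TARGET$ $PORT$". ALERT_TO, PAGER_TO (an email-to-pager
# gateway address you supply) and the use of mail(1) are assumptions.
ALERT_TO=${ALERT_TO:-root}
PAGER_TO=${PAGER_TO:-pager@example.invalid}
# The address comes from an attacker's packet: accept only a plain dotted
# quad before it goes anywhere near a command line.
valid_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Run a tool only if it is installed; otherwise note that it was skipped.
run_if_present() {
  tool=$1; shift
  if command -v "$tool" >/dev/null 2>&1; then
    printf '\n=== %s %s ===\n' "$tool" "$*"
    "$tool" "$@" 2>&1
  else
    printf '\n=== %s: not installed, skipped ===\n' "$tool"
  fi
}

# The lookups the post lists, except nmap, which stays commented out as in
# the original package.
build_report() {
  printf 'PortSentry alert on %s: %s tried port %s at %s\n' \
    "$(uname -n)" "$1" "$2" "$(date)"
  run_if_present whois "$1"
  run_if_present dig -x "$1"
  run_if_present ping -c 3 "$1"
  run_if_present traceroute "$1"
  run_if_present tcptraceroute "$1"
  # run_if_present nmap "$1"
}

main() {
  valid_ipv4 "$1" || { echo "alert.sh: malformed address: $1" >&2; exit 1; }
  printf 'PortSentry: %s -> port %s\n' "$1" "$2" | mail -s 'PortSentry alert' "$PAGER_TO"
  build_report "$1" "$2" | mail -s "PortSentry alert from $1" "$ALERT_TO"
}
if [ $# -ge 2 ]; then main "$@"; fi
```

Because the report body contains whatever whois and dig return, it should be read as untrusted text, not executed or pasted into another shell.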

_______________________________________________
Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user