Re: How would I do this? (expert tricks) OT

2007-06-27 Thread Bill Davidsen

Marc Perkel wrote:

I have a server with port 25 closed. I want to be able
to run a script every time someone tries to connect to
port 25, but from the outside the port remains closed.
I need the script that I'm going to run to get the IP
address that tried to connect.

I know it's off topic but it's part of an experiment
to stop spam. 


Put a rule in iptables to jump to a user table to do a log and drop. You 
are doing it the wrong way; you want to set syslog to write the log 
message to a FIFO and have a permanently running program reading it (I do 
just this for other things).


Alternatively you can use redirect to send it to a program of your 
choosing, which can run a script if you really want to. Beware that rate 
limiting is desirable if you are going to start a process for ANY type 
of attack packets.


--
Bill Davidsen <[EMAIL PROTECTED]>
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


Re: How would I do this? (expert tricks) OT

2007-06-19 Thread Marc Perkel

--- Jan Engelhardt <[EMAIL PROTECTED]> wrote:

> 
> On Jun 19 2007 10:14, Marc Perkel wrote:
> >> 
> >> tcpdump -lni any port 25
> >> iptables -p tcp --dport 25 -j NFQUEUE
> >> ...
> >> 
> >
> >Thanks Jan, but I'm not sure it answers my question.
> 
> There's more than one way to do it.
> 
> One is...
>   tcpdump -lni eth0 tcp [extra operands to match SYN packets] |
>   myprogram
> 
> a longer one is to write your own netfilter userspace program
> that receives the TCP SYNs (by means of -j NFQUEUE) and does
> take action.
> 
> Another one is to use -j LOG and let your program parse
> down /var/log/firewall. Like
> 
>   iptables -A INPUT -p tcp --dport 25 --syn -j LOG --log-prefix "[evil]"
>   tail -f /var/log/firewall | grep '^\[evil\]' | myscript
> 
> myscript:
> #!/usr/bin/perl
> 
> while (defined(my $line = <>)) {
>   my($ip) = ($line =~ /SRC=(\S+)/);
>   # Do something
> }
> 
> >I want to run a script every time a connection attempt is made in real time
> 
> The script runs constantly, preferably.
> 
> >with the IP address as a parameter to the script. How would I do that? Suppose
> >my script is:
> >
> >iplog <ipaddress>

Thanks Jan,

I think what you sent me is workable. I noticed it
goes to the file /var/log/messages. Is there a way to
make it go to a specific file? Thanks a lot for your
help. I've been experimenting with some new and very
interesting ways to catch spam and this could be yet
another breakthrough.






  



Re: How would I do this? (expert tricks) OT

2007-06-19 Thread Jan Engelhardt

On Jun 19 2007 12:36, Marc Perkel wrote:
>
>Thanks Jan,
>
>I think what you sent me is workable. I noticed it
>goes to the file /var/log/messages. Is there a way to
>make it go to a specific file?

Configure your syslog daemon accordingly.


> Thanks a lot for your
>help. I've been experimenting with some new and very
>interesting ways to catch spam and this could be yet
>another breakthrough.



Jan
-- 


Re: How would I do this? (expert tricks) OT

2007-06-19 Thread Jan Engelhardt

On Jun 19 2007 10:14, Marc Perkel wrote:
>> 
>> tcpdump -lni any port 25
>> iptables -p tcp --dport 25 -j NFQUEUE
>> ...
>> 
>
>Thanks Jan, but I'm not sure it answers my question.

There's more than one way to do it.

One is...
  tcpdump -lni eth0 tcp [extra operands to match SYN packets] |
  myprogram

a longer one is to write your own netfilter userspace program
that receives the TCP SYNs (by means of -j NFQUEUE) and does
take action.

Another one is to use -j LOG and let your program parse
down /var/log/firewall. Like

  iptables -A INPUT -p tcp --dport 25 --syn -j LOG --log-prefix "[evil]"
  tail -f /var/log/firewall | grep '^\[evil\]' | myscript

myscript:
#!/usr/bin/perl
use strict;
use warnings;

# Read the LOG lines fed in by tail -f | grep and pull out the source address
while (defined(my $line = <>)) {
  my($ip) = ($line =~ /SRC=(\S+)/);
  next unless defined $ip;   # not a netfilter LOG line, nothing to act on
  # Do something
}

>I want to run a script every time a connection attempt is made in real time

The script runs constantly, preferably.

>with the IP address as a parameter to the script. How would I do that? Suppose
>my script is:
>
>iplog <ipaddress>

Jan
-- 
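Jan's -j LOG / tail -f / SRC= approach above, combined with Bill Davidsen's advice (his reply at the top of the page) to keep one long-running reader and rate-limit before spawning anything, as an added Python example that is not code from the thread: it parses constructed sample LOG lines, keeps only the port-25 entries, and returns each source IP at most once per window. The "[evil]" prefix and the iplog name come from the thread; the sample lines, the PerSourceLimiter class and the function names are assumptions.

```python
import re

# Constructed sample lines in the shape the netfilter LOG target emits through syslog
# (RFC 5737 documentation addresses; fields trimmed to those the parser needs).
SAMPLE_LINES = [
    "Jun 19 10:14:01 mx kernel: [evil]IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=43210 DPT=25 SYN",
    "Jun 19 10:14:01 mx kernel: [evil]IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=43211 DPT=25 SYN",
    "Jun 19 10:14:02 mx kernel: [evil]IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=25 SYN",
    "Jun 19 10:14:02 mx kernel: [evil]IN=eth0 OUT= SRC=203.0.113.8 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=80 SYN",
    "Jun 19 10:14:02 mx sshd[1234]: Accepted publickey for alice from 192.0.2.99 port 50000",
]

# syslog prepends a timestamp and hostname, so look for the prefix anywhere in the line.
LOG_RE = re.compile(r"\[evil\].*?\bSRC=(?P<src>\S+).*?\bDPT=(?P<dpt>\d+)")


def parse_log_line(line):
    """Return (src_ip, dst_port) for a prefixed LOG line, or None for any other line."""
    m = LOG_RE.search(line)
    return (m.group("src"), int(m.group("dpt"))) if m else None


class PerSourceLimiter:
    """Permit one action per source IP per `window` seconds, so a burst of SYNs
    from one host does not turn into one spawned process per packet (assumed helper)."""

    def __init__(self, window=60.0):
        self.window = window
        self.last_action = {}  # src_ip -> time of the last action taken for it

    def allow(self, src, now):
        last = self.last_action.get(src)
        if last is not None and now - last < self.window:
            return False
        self.last_action[src] = now
        return True


def process_lines(lines, limiter, now, port=25):
    """Return the source IPs that warrant an action (the argument for iplog <ip>)."""
    actions = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is not None and parsed[1] == port and limiter.allow(parsed[0], now):
            actions.append(parsed[0])
    return actions


if __name__ == "__main__":
    # A real reader would iterate over the FIFO syslog writes to instead of the sample list.
    print(process_lines(SAMPLE_LINES, PerSourceLimiter(), now=0.0))  # ['192.0.2.10', '203.0.113.7']
```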


Re: How would I do this? (expert tricks) OT

2007-06-19 Thread Marc Perkel

--- Jan Engelhardt <[EMAIL PROTECTED]> wrote:

> 
> On Jun 19 2007 09:48, Marc Perkel wrote:
> >
> >I have a server with port 25 closed. I want to be able
> >to run a script every time someone tries to connect to
> >port 25, but from the outside the port remains closed.
> >I need the script that I'm going to run to get the IP
> >address that tried to connect.
> >
> >I know it's off topic but it's part of an experiment
> >to stop spam. 
> 
> tcpdump -lni any port 25
> iptables -p tcp --dport 25 -j NFQUEUE
> ...
> 

Thanks Jan, but I'm not sure it answers my question. I
want to run a script every time a connection attempt
is made in real time with the IP address as a
parameter to the script. How would I do that? Suppose
my script is:

iplog <ipaddress>




   



Re: How would I do this? (expert tricks) OT

2007-06-19 Thread Jan Engelhardt

On Jun 19 2007 09:48, Marc Perkel wrote:
>
>I have a server with port 25 closed. I want to be able
>to run a script every time someone tries to connect to
>port 25, but from the outside the port remains closed.
>I need the script that I'm going to run to get the IP
>address that tried to connect.
>
>I know it's off topic but it's part of an experiment
>to stop spam. 

tcpdump -lni any port 25
iptables -p tcp --dport 25 -j NFQUEUE
...



Jan
-- 


How would I do this? (expert tricks) OT

2007-06-19 Thread Marc Perkel
I have a server with port 25 closed. I want to be able
to run a script every time someone tries to connect to
port 25, but from the outside the port remains closed.
I need the script that I'm going to run to get the IP
address that tried to connect.

I know it's off topic but it's part of an experiment
to stop spam. 

Thanks in advance.



  


