Can I log the UID that starts a connection?

The server has many fw2net connections like this:

Feb 26 14:55:12 zeta kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=MY.IP.XX.XX DST=83.222.23.247 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=10110 DF PROTO=TCP SPT=80 DPT=13585 WINDOW=8911 RES=0x00 ACK URGP=0

and I wish to locate who tries to open it.

Regards,
Rodolfo Pilas

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Rodolfo Pilas wrote:
> Can I log the UID that starts a connection?
>
> The server has many fw2net connections like this:
>
> Feb 26 14:55:12 zeta kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0
> SRC=MY.IP.XX.XX DST=83.222.23.247 LEN=1500 TOS=0x00 PREC=0x00 TTL=64
> ID=10110 DF PROTO=TCP SPT=80 DPT=13585 WINDOW=8911 RES=0x00 ACK URGP=0
>
> and I wish to locate who tries to open it.

Netfilter (and hence Shorewall) has no means for logging the UID.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Rodolfo Pilas wrote:
> Can I log the UID that starts a connection?
>
> The server has many fw2net connections like this:
>
> Feb 26 14:55:12 zeta kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0
> SRC=MY.IP.XX.XX DST=83.222.23.247 LEN=1500 TOS=0x00 PREC=0x00 TTL=64
> ID=10110 DF PROTO=TCP SPT=80 DPT=13585 WINDOW=8911 RES=0x00 ACK
> URGP=0
>
> and I wish to locate who tries to open it.

The source port is 80 - so only a privileged user can open it. I'd look for an installation of Apache you'd forgotten about.

Also, try "netstat -anp", and possibly grep its output for 80. This should show you what PID and program name has the port open.
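The two checks Simon describes (read the source port out of the Shorewall log line, then look the port up in "netstat -anp") can be scripted. The following is an added example written for this thread, not code from the list or from the Shorewall project. It parses a netfilter-style log line into fields and TCP flags, classifies it as a defender would (locally originated on OUT=eth0, privileged source port, ACK without SYN meaning a mid-stream packet rather than a new connection), and then matches the port against listener lines. The log line and the netstat output below are constructed samples modelled on the thread; the address 192.0.2.10 and the "1234/apache2" process entry are assumptions.

```python
import re

# Constructed sample, modelled on the line quoted in the thread (the
# masked MY.IP.XX.XX is replaced with a documentation address).
SAMPLE_LOG = (
    "Feb 26 14:55:12 zeta kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 "
    "SRC=192.0.2.10 DST=83.222.23.247 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=10110 DF PROTO=TCP SPT=80 DPT=13585 WINDOW=8911 RES=0x00 ACK URGP=0"
)

# Constructed "netstat -anp" output; the PID/program values are assumptions.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/apache2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1234/apache2
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):")


def parse_shorewall_log(line):
    """Split a Shorewall/netfilter log line into a dict of KEY=VALUE fields,
    plus 'chain', 'disposition', a 'flags' set and a 'DF' marker."""
    m = PREFIX_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall log line")
    rec = {"chain": m.group("chain"), "disposition": m.group("disp"),
           "flags": set(), "DF": False}
    for tok in line[m.end():].split():
        if "=" in tok:                      # KEY=VALUE (value may be empty, e.g. IN=)
            key, _, value = tok.partition("=")
            rec[key] = value
        elif tok in TCP_FLAGS:              # bare TCP flag words
            rec["flags"].add(tok)
        elif tok == "DF":                   # don't-fragment marker
            rec["DF"] = True
    return rec


def classify(rec):
    """Derive the facts a defender wants from one parsed record."""
    flags = rec["flags"]
    spt = int(rec.get("SPT", 0))
    return {
        # IN empty and OUT set: the packet was generated by the firewall itself.
        "locally_originated": rec.get("IN", "") == "" and rec.get("OUT", "") != "",
        # Ports below 1024 can only be bound by root (or CAP_NET_BIND_SERVICE).
        "privileged_source_port": 0 < spt < 1024,
        # SYN without ACK opens a connection; ACK without SYN is mid-stream,
        # typically a reply from a local listener to an existing peer.
        "new_connection": "SYN" in flags and "ACK" not in flags,
        "source_port": spt,
    }


def find_listener(netstat_output, port):
    """Return the PID/Program name entry listening on `port`, or None.
    Mirrors "netstat -anp | grep :<port>" but only accepts LISTEN sockets."""
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[0].startswith("tcp") or parts[5] != "LISTEN":
            continue
        local_port = int(parts[3].rsplit(":", 1)[1])
        if local_port == port:
            return parts[6]
    return None


if __name__ == "__main__":
    rec = parse_shorewall_log(SAMPLE_LOG)
    verdict = classify(rec)
    print(rec["chain"], rec["disposition"], verdict)
    if verdict["locally_originated"] and verdict["privileged_source_port"]:
        print("local listener on port %d:" % verdict["source_port"],
              find_listener(SAMPLE_NETSTAT, verdict["source_port"]))
```

Run against the thread's own line, the classification says: the packet left on eth0 from the firewall itself, the source port is privileged, and the flags (ACK, no SYN) show it is not a connection being opened but a reply from something already holding port 80, which is exactly why the listener lookup is the next step.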
Simon Hobson wrote:
> Rodolfo Pilas wrote:
>
>> Can I log the UID that starts a connection?
>>
>> The server has many fw2net connections like this:
>>
>> Feb 26 14:55:12 zeta kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0
>> SRC=MY.IP.XX.XX DST=83.222.23.247 LEN=1500 TOS=0x00 PREC=0x00 TTL=64
>> ID=10110 DF PROTO=TCP SPT=80 DPT=13585 WINDOW=8911 RES=0x00 ACK
>> URGP=0
>>
>> and I wish to locate who tries to open it.
>
>
> The source port is 80 - so only a privileged user can open it. I'd
> look for an installation of Apache you'd forgotten about.
>
> Also, try "netstat -anp", and possibly grep its output for 80. This
> should show you what PID and program name has the port open.

Rodolfo, if you haven't got a very high traffic firewall, you'd probably be better running wireshark (or ethereal if you're running an older version). Something like this would do the trick:

wireshark -i eth0 -f 'tcp port 80'

Then at least you would be able to see what the traffic is, which should give you some clues to start with.

Paul