Hi All, I was wondering if anyone knew of a way to notify or log when a specific remote port is openened? I have an old LDAP server that I am looking to get rid of, but there is still a few queries reaching it. The sytem authentication is setup correctly (as is Postfix), so I am thinking there must be some script or program that is setup to query the older LDAP server. I tried using lsof -i|grep 389, but I am not quick enough to get results before the socket is closed. Is there any program or script I could write to detect when this socket gets opened, and what PID and/or program owns it? Thanks, Eric Falbe
You could setup an iptables rule on the OUTPUT chain to log attempted accesses, then watch the log file, like outlined here: http://stackoverflow.com/questions/11584824/run-a-system-command-when-an-iptables-rule-is-matched You could use "lsof -n ..." to find the command trying to open the port. Another option might be to setup tcpdump to capture all packets (including payload data) going to that server/port, then review that and see if you find any clues about the program making the requests. ? Brian Mathis @orev On Fri, May 30, 2014 at 11:14 AM, Eric Falbe <ericf706 at gmail.com> wrote:> Hi All, > > I was wondering if anyone knew of a way to notify or log when a specific > remote port is openened? I have an old LDAP server that I am looking to > get rid of, but there is still a few queries reaching it. > > The sytem authentication is setup correctly (as is Postfix), so I am > thinking there must be some script or program that is setup to query the > older LDAP server. > > I tried using lsof -i|grep 389, but I am not quick enough to get results > before the socket is closed. Is there any program or script I could write > to detect when this socket gets opened, and what PID and/or program owns it? > > Thanks, > Eric Falbe > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos >
On 05/30/2014 11:14 AM, Eric Falbe wrote:> Hi All, > > I was wondering if anyone knew of a way to notify or log when a specific remote port is openened? I have an old LDAP server that I am looking to get rid of, but there is still a few queries reaching it. > > The sytem authentication is setup correctly (as is Postfix), so I am thinking there must be some script or program that is setup to query the older LDAP server. > > I tried using lsof -i|grep 389, but I am not quick enough to get results before the socket is closed. Is there any program or script I could write to detect when this socket gets opened, and what PID and/or program owns it? >it's a fairly interesting problem (at least to me); I'm not wizard enough to be able to redirect the connection, but you could write a perl script that sits on the port and logs the remote IP connecting, although that would break the service while you're figuring out who's still connecting. the other thing I'd consider (although my quick little experiment didn't quite work) is turning on/adding to iptables for some logging. you could also potentially do something with tcp wrappers if the daemon has the libraries, or maybe some xinetd magic.
On Fri, May 30, 2014 at 10:14 AM, Eric Falbe <ericf706 at gmail.com> wrote:> Hi All, > > I was wondering if anyone knew of a way to notify or log when a specific remote port is openened? I have an old LDAP server that I am looking to get rid of, but there is still a few queries reaching it. > > The sytem authentication is setup correctly (as is Postfix), so I am thinking there must be some script or program that is setup to query the older LDAP server. > > I tried using lsof -i|grep 389, but I am not quick enough to get results before the socket is closed. Is there any program or script I could write to detect when this socket gets opened, and what PID and/or program owns it? >I'd run tcpdump or wireshark with a 'port 389' filter on the old ldap server to capture the source IPs of the queries if you don't know the host(s) doing it. And if you know the host(s) but not the program(s) configured to do it, you might try a 'grep -R 'pattern' /etc where the pattern is the name or ip of the ldap server. -- Les Mikesell lesmikesell at gmail.com