Hi folks, I just want to ask if you know about IP monitoring. For example, someone connects to the monitoring port on the server, and then the monitoring daemon captures the IP of the remote server that tried to connect. I'd be glad if you could help me or just give me the URL of the monitoring tools.

rgds
me
Usually if you add a LOG flag to the port in /shorewall/rules that you want to monitor, Shorewall will write to /var/log/messages a line telling you all about that connection attempt.

For example, to log every connection attempt to port 666 on your server, you would put:

    #TARGET      SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
    #                                    PORT    PORT(S) LIMIT   GROUP
    ACCEPT:info  net     fw      tcp     666
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

As you can see, all you do is just put a :info part after the ACCEPT part.

To view the log (which also contains all sorts of other messages from Linux, I should warn you), you normally type 'less /var/log/messages', without the quotes. This will bring you to a big long scrollable log list, which you will probably only want to look at the end of :-)

Use Shift-G to jump to the end of the file, then just scroll up looking for things like:

    Jan 29 04:06:12 blade038 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:0a:e6:a6:84:9b:00:d0:97:cc:90:00:08:00 SRC=213.16.150.19 DST=84.23.16.233 LEN=66 TOS=0x00 PREC=0x00 TTL=56 ID=28153 PROTO=UDP SPT=1024 DPT=53 LEN=46

To translate, the IN part is the interface the connection came in on, the SRC is the IP address of the person who tried to connect, and the DST is your IP address. The PROTO is the protocol (tcp, udp or 'ping' (icmp is the technical term)), and DPT is the port they tried to connect on. In the example rule above, this would be '666'.

Hope this helps, and welcome to the list. :-)

Jan Mulders

On 01/02/06, Amir Haris Ahmad <shorewall.net@gmail.com> wrote:
> Hi folks, I just want to ask, if you guys know about ip monitoring? [...]
Thanks, it helps. But can I put the log in a specific location? Because /var/log/messages contains many lines. And is there any software that can help with a good presentation?

On 2/1/06, Jan Mulders <lastchancehotel@gmail.com> wrote:
> Usually if you add a LOG flag to the port in /shorewall/rules that you want to monitor, Shorewall will write to /var/log/messages a line telling you all about that connection attempt. [...]
On Wednesday 01 February 2006 16:02, Amir Haris Ahmad wrote:
> Thanks, it helps. But can I put the log in a specific location? Because /var/log/messages contains many lines. And is there any software that can help with a good presentation?

Be creative... Use grep and pipe the output to another file. :)

--
Kind regards
8)
Rene Schmidt
http://log.reneschmidt.de
If you install a package called 'syslog-ng', then you can specify where you want to put it. Alternatively, you can do as Rene suggested and use grep to find all the Shorewall entries and chuck them in another file. I have very limited experience of grep so you'll have to do a little googling.

Jan

On 01/02/06, Rene Schmidt <rene@reneschmidt.de> wrote:
> Be creative... Use grep and pipe the output to another file. :)
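As an added example (not code from the thread, and not part of Shorewall itself), the shell script below does what Rene and Jan suggest in one pass: it greps the Shorewall entries out of a /var/log/messages-style file into their own file, then decodes the IN=, SRC=, DST=, PROTO= and DPT= fields that Jan explained in his first reply and counts which source addresses hit the monitored port. The log lines it runs on are constructed to match the format shown in Jan's post (documentation IP ranges, invented timestamps and MAC); the function names, the temp-file layout and the per-source summary are this example's own choices, not anything the list recommends.

```shell
#!/bin/sh
# Added example for this thread: carve Shorewall log entries out of a
# syslog-style file and summarise them by the fields Jan described.
# Assumes the lines carry Shorewall's "Shorewall:<chain>:<disposition>:"
# prefix, as in Jan's sample. The log below is constructed, not a capture.

# Write a constructed /var/log/messages-style file for the demo.
make_sample_log() {   # $1 = path to write
    cat > "$1" <<'EOF'
Jan 29 04:06:10 blade038 sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
Jan 29 04:06:12 blade038 kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= MAC=00:0a:e6:a6:84:9b:00:d0:97:cc:90:00:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=666 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 29 04:06:13 blade038 kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= MAC=00:0a:e6:a6:84:9b:00:d0:97:cc:90:00:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=666 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 29 04:06:14 blade038 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:0a:e6:a6:84:9b:00:d0:97:cc:90:00:08:00 SRC=192.0.2.99 DST=198.51.100.2 LEN=66 TOS=0x00 PREC=0x00 TTL=56 ID=28153 PROTO=UDP SPT=1024 DPT=53 LEN=46
Jan 29 04:06:15 blade038 cron[999]: (root) CMD (run-parts /etc/cron.hourly)
Jan 29 04:06:16 blade038 kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= MAC=00:0a:e6:a6:84:9b:00:d0:97:cc:90:00:08:00 SRC=198.18.0.4 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=33000 DPT=666 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# Step 1: Rene's grep, into a separate file. Matching on the "Shorewall:"
# tag rather than on "kernel:" keeps unrelated kernel messages out.
extract_shorewall() {   # $1 = messages file, $2 = output file
    grep 'Shorewall:' "$1" > "$2"
}

# Step 2: decode the fields. awk scans every key=value token instead of
# relying on column positions, so a kernel timestamp before the prefix or
# a missing MAC= does not shift anything. Unknown fields print as "-".
# Output, one line per entry: <disposition> <iface> <proto> <src> -> <dst>:<dport>
decode_shorewall() {    # $1 = file of Shorewall lines
    awk '{
        disp = "-"; iface = "-"; src = "-"; dst = "-"; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Shorewall:/) {        # Shorewall:net2fw:DROP:IN=eth0
                split($i, tag, ":")
                disp = tag[3]
                if (tag[4] ~ /^IN=/) iface = substr(tag[4], 4)
            }
            else if ($i ~ /^IN=/)    iface = substr($i, 4)
            else if ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^DST=/)   dst   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        print disp, iface, proto, src, "->", dst ":" dpt
    }' "$1"
}

# Step 3: who connected to the monitored port, and how often.
# Output: "<count> <src>" lines, most frequent first.
count_sources_for_port() {  # $1 = file of Shorewall lines, $2 = port
    decode_shorewall "$1" | awk -v port="$2" '
        { n = split($6, d, ":"); if (d[n] == port) seen[$4]++ }
        END { for (s in seen) print seen[s], s }' | sort -rn
}

# Demo on the constructed sample; uses a temp dir and cleans up after itself.
demo_dir=$(mktemp -d)
make_sample_log "$demo_dir/messages"
extract_shorewall "$demo_dir/messages" "$demo_dir/shorewall.log"
echo "--- decoded Shorewall entries ---"
decode_shorewall "$demo_dir/shorewall.log"
echo "--- sources that hit port 666 ---"
count_sources_for_port "$demo_dir/shorewall.log" 666
rm -rf "$demo_dir"
```

On a real box, point extract_shorewall at /var/log/messages and the port at whatever you logged with :info. Two practical caveats: grep after the fact only sees what syslog kept, so if you want the entries written to their own file in the first place, a syslog-ng filter on the "Shorewall:" prefix does at write time what the grep does afterwards; and logging every accepted connection on a busy port will fill the log quickly, which is what the RATE LIMIT column in the rules header Jan showed is for.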