Marc Perkel wrote:
I don't care what it's written in but I'm thinking that xinetd might be
easiest. What I want is something to record the IP address of any host
connection to port 25.
You don't really need to accept the connection. Just logging
connection attempts should be enough.
As an example, something like this (watch for wrapping):
tcpdump -lnpqt -i vr0 'tcp[13] & 2 != 0 and dst port 25 and dst host 195.67.112.220'
Should output lines like:
213.163.128.161.48278 > 195.67.112.220.25: tcp 0 (DF)
213.163.128.161.48279 > 195.67.112.220.25: tcp 0 (DF)
190.84.222.78.2106 > 195.67.112.220.25: tcp 0 (DF)
for each connection attempt to port 25 on 195.67.112.220.
If port 25 is firewalled using pf, vr0 should probably be
replaced with "pflog0". A similar setup should be doable with other
firewalls that create a log interface for tcpdump.
Then you can filter that output to remove everything but the IP
address.
For example
tcpdump -lnpqt -i vr0 'tcp[13] & 2 != 0 and dst port 25 and dst host 195.67.112.220' | sed -e 's/\.[0-9]* .*$//'
should output just the IP numbers.
So maybe something like this should work:
tcpdump -lnpqt -i <interface> 'tcp[13] & 2 != 0 and dst port 25 and dst host <host>' | sed -e 's/\.[0-9]* .*$//' | nc -u 2 <host> <port>
It could be running in a detached session. (And yes, the '-u' is
on purpose, I think UDP is good for this kind of thing.)
Please note that the above is untested and that I'm not used to
working with sed or netcat.
Regards
/Jonas
--
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
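The filtering step from the message above, worked as an added example (not from the thread): it runs Jonas's sed expression over constructed tcpdump -lnpqt output lines and counts SYNs per source address, so it works without tcpdump or a live interface. The function names and the sample lines are assumptions for the example.

```shell
# Added example, not from the original thread. Input lines have the shape
#   213.163.128.161.48278 > 195.67.112.220.25: tcp 0 (DF)
# Constructed sample data standing in for live tcpdump output.
SAMPLE_LINES='213.163.128.161.48278 > 195.67.112.220.25: tcp 0 (DF)
213.163.128.161.48279 > 195.67.112.220.25: tcp 0 (DF)
190.84.222.78.2106 > 195.67.112.220.25: tcp 0 (DF)'

# Strip the source port and everything after it, leaving only the source IP.
# This is the sed expression from the message: the first ".<digits><space>"
# occurs right after the IP, so the match starts at the port suffix.
extract_ips() {
    sed -e 's/\.[0-9]* .*$//'
}

# Count SYNs per source IP; output "count ip", most active first.
# Caveat for anyone acting on this list: a bare SYN needs no completed
# handshake, so the source address is whatever the sender put in the
# packet and may not belong to the host that really sent it.
count_attempts() {
    extract_ips | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Run the pipeline over the constructed sample.
sample_counts() {
    printf '%s\n' "$SAMPLE_LINES" | count_attempts
}
```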