Jonas - thanks for your code. I ran it on one of my name servers that is the name server for several hundred domains. Unfortunately in the last hour only 3 IP addresses have hit trying to talk to port 25. So this isn't turning out to be the wellspring of blacklist data I had hoped it would be.

Jonas Eckerman wrote:
Marc Perkel wrote:

I don't care what it's written in but I'm thinking that xinetd might be easiest. What I want is something to record the IP address of any host connection to port 25.

You don't really need to accept the connection. Just logging connection attempts should be enough.

As an example, something like this (watch for wrapping):

tcpdump -lnpqt -i vr0 'tcp[13] & 2 != 0 and dst port 25 and dst host 195.67.112.220'

Should output lines like:

213.163.128.161.48278 > 195.67.112.220.25: tcp 0 (DF)
213.163.128.161.48279 > 195.67.112.220.25: tcp 0 (DF)
190.84.222.78.2106 > 195.67.112.220.25: tcp 0 (DF)

for each connection attempt to port 25 on 195.67.112.220.

If port 25 is firewalled using pf, vr0 should probably be replaced with "pflog0". Similar setup should be doable with other firewalls that create a log interface for tcpdump.

Then you can filter that output to remove everything but the IP address.

For example

tcpdump -lnpqt -i vr0 'tcp[13] & 2 != 0 and dst port 25 and dst host 195.67.112.220' | sed -e 's/\.[0-9]* .*$//'

should output just the IP numbers.

So maybe something like this should work:

tcpdump -lnpqt -i <interface> 'tcp[13] & 2 != 0 and dst port 25 and dst host <host>' | sed -e 's/\.[0-9]* .*$//' | nc -u 2 <host> <port>

It could be running in a detached session. (And yes, the '-u' is on purpose, I think UDP is good for this kind of thing.)

Please note that the above is untested and that I'm not used to working with sed or netcat.

Regards
/Jonas
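As an added example (not Jonas's or Marc's code), here is a small Python parser that does what the sed expression above does, extracting the source address from each `tcpdump -lnpqt` line, but also validates the address and tallies attempts per host so the result is one entry per sender rather than one per SYN. It assumes the line format quoted in the thread; the sample lines are constructed from those.

```python
import ipaddress
import re
from collections import Counter

# Shape of a "tcpdump -lnpqt" line as quoted in the thread:
# "213.163.128.161.48278 > 195.67.112.220.25: tcp 0 (DF)"
LINE_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): tcp"
)


def source_ip(line):
    """Return the source IPv4 address of one tcpdump line, or None if the
    line does not look like a SYN-to-port-25 record.  Equivalent to the
    thread's sed 's/\\.[0-9]* .*$//', but refuses malformed addresses."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group("src")))
    except ipaddress.AddressValueError:
        return None


def tally_sources(lines):
    """Count connection attempts per source IP.  A blocklist feed wants
    one record per host, so aggregating here avoids duplicate entries."""
    counts = Counter()
    for line in lines:
        ip = source_ip(line)
        if ip is not None:
            counts[ip] += 1
    return counts


# Constructed sample input modelled on the lines quoted in the thread,
# plus one junk line to show that non-matching output is ignored.
SAMPLE = """\
213.163.128.161.48278 > 195.67.112.220.25: tcp 0 (DF)
213.163.128.161.48279 > 195.67.112.220.25: tcp 0 (DF)
190.84.222.78.2106 > 195.67.112.220.25: tcp 0 (DF)
listening on vr0, link-type EN10MB (Ethernet)
""".splitlines()

if __name__ == "__main__":
    for ip, n in tally_sources(SAMPLE).most_common():
        print(f"{ip} {n}")
```

Feed it the tcpdump output on stdin (for example `tcpdump -lnpqt ... | python3 tally.py`) after replacing `SAMPLE` with `sys.stdin`.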
