[nflug] need idea

Roelant Ossewaarde rao3 at buffalo.edu
Mon Feb 20 11:54:05 EST 2006



Cyber Source wrote:
> Roelant Ossewaarde wrote:
> 
>> I had the same problem. I now have one machine that has scp enabled. I 
>> have my client scp to that machine, but with a wrong username/password 
>> (in my case: hifrombuffalo). Since the username doesn't exist, the IP 
>> shows up in my ftp and auth-log, together with the username that tried 
>> to log on.
>>
>> I do that every two hours (which is my rotation time for 
>> auth/ftp-logs), so if I ever need to check the IP-number, I just grep 
>> hifrombuffalo in auth.log. Voila!
>>
>>
>>
>> Nate Byrnes wrote:
>>
>>> How about matching the message id in your mail logs to see what the 
>>> hostname or IP of the sender was. If using sendmail grep 
>>> /var/log/maillog (or your configured location) for the message id 
>>> from the email header. The last entry in the brackets should be the 
>>> system which passed the email to your mailserver. Hope this helps.
>>>
>>> Cyber Source wrote:
>>>
>>>> Darin Perusich wrote:
>>>>
>>>>> why not just have the cron job that runs email you the info from 
>>>>> ifconfig? assuming that your clients are using unix routes then 
>>>>> "ifconfig -a |mail peter at thecybersource.com" should send you that 
>>>>> info you're looking for.
>>>>>
>>>>> Cyber Source wrote:
>>>>>
>>>>>> Hello All,
>>>>>> I need an idea where I can find the originating IP of an email. I 
>>>>>> monitor a lot of my clients' servers, etc. and I have the cron jobs 
>>>>>> and such email me, which I have filters for and then sort them by 
>>>>>> who they are so things are organized. I also like to be able to 
>>>>>> help my clients out from time to time and ssh in to do things and 
>>>>>> I would like to not have to tell them to do a /sbin/ifconfig or if 
>>>>>> they are behind a router, to go to my web site and then I have a 
>>>>>> look at /var/log/httpd/access.
>>>>>> For most of my clients, if I look at the message headers of the 
>>>>>> cron emails, I can see the IP and then use that to log in, mostly 
>>>>>> cable dhcp clients. However, I am finding more and more dsl dhcp 
>>>>>> clients to be a problem because not only do they change a lot (and 
>>>>>> normally not a problem because each day has a new email) but when 
>>>>>> I look at the dsl clients' message headers I see something like this
>>>>>>
>>>>>> Return-Path: <root at thecybersource.com>
>>>>>> Received: from localhost.localdomain 
>>>>>> (pool-71-251-164-250.bflony.east.verizon.net [71.251.164.250])
>>>>>> by thecybersource.com (8.13.1/8.13.1) with ESMTP id k1K9AHeL024738
>>>>>>
>>>>>> If this were cable, the ip would be 71.251.164.250 but this does 
>>>>>> not seem to work with dsl, it is not reporting the actual ip that 
>>>>>> the client used when the box sent the email.
>>>>>>
>>>>>> So, I am looking for a way to have a cron run or something on the 
>>>>>> box that can send me a daily email showing the public ip they are 
>>>>>> using. I initially thought of doing a cron that could do a 
>>>>>> traceroute but that doesn't work either. I don't know if 
>>>>>> something has changed on routers today to block such a process but 
>>>>>> when I use traceroute today, a lot of it just times out with 
>>>>>> multiple ***.
>>>>>> Anyway, ideas anyone?
>>>>>> _______________________________________________
>>>>>> nflug mailing list
>>>>>> nflug at nflug.org
>>>>>> http://www.nflug.org/mailman/listinfo/nflug
>>>>>
>>>>>
>>>>>
>>>> That doesn't help when they are behind routers, it only shows the 
>>>> internal stuff, I need to know the public IP.
>>
> Perfect, that's it. But you could also set it up so the person actually 
> has a key on the host so when they do ssh in or scp it still shows in 
> the Logwatch file, as it shows all failed/passed ssh attempts and that 
> gets emailed to me every day already, Thanks!

Yes, but I don't want to give access to my machine. An access attempt is 
good enough for me. And now I can use names *I* find easy to use (such 
as 'hifrombuffalo').
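
The "grep hifrombuffalo in auth.log" step described above, as an added example that is not part of the original message: it returns the most recent source address logged for one marker username, matching the name exactly instead of as a substring. It assumes OpenSSH-style `Invalid user NAME from IP` and `Failed password for invalid user NAME from IP port N ssh2` lines; the function names, log lines and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example. The username in these lines is chosen by the remote side,
# so it is compared exactly and the address is taken from the end of the
# line, which is the part sshd itself wrote.

# Constructed sample of auth.log content (documentation address ranges).
sample_log() {
cat <<'EOF'
Feb 20 07:54:01 gate sshd[2101]: Invalid user hifrombuffalo from 198.51.100.7
Feb 20 07:54:03 gate sshd[2101]: Failed password for invalid user hifrombuffalo from 198.51.100.7 port 40112 ssh2
Feb 20 08:10:44 gate sshd[2140]: Invalid user hifrombuffalo2 from 203.0.113.9
Feb 20 08:31:09 gate sshd[2155]: Invalid user hifrombuffalo from 192.0.2.66 from 203.0.113.50
Feb 20 09:54:02 gate sshd[2203]: Invalid user hifrombuffalo from ::ffff:198.51.100.23
Feb 20 09:55:10 gate sshd[2210]: Failed password for root from 203.0.113.9 port 5022 ssh2
EOF
}

# last_marker_ip MARKER [LOGFILE]  (reads stdin when LOGFILE is omitted)
# Prints the newest address seen for MARKER; exits 1 if there is none.
last_marker_ip() {
    awk -v marker="$1" '
    {
        cut = index($0, "]: ")                 # end of the syslog tag
        if (cut == 0 || substr($0, 1, cut - 1) !~ / sshd\[[0-9]+$/) next
        msg = substr($0, cut + 3)
        sub(/^Failed password for /, "", msg)
        if (!sub(/^(Invalid|invalid|Illegal|illegal) user /, "", msg)) next
        sub(/ ssh2$/, "", msg)
        sub(/ port [0-9]+$/, "", msg)
        if (!match(msg, / from [^ ]+$/)) next  # last " from ADDR" on the line
        name = substr(msg, 1, RSTART - 1)      # everything before it is the name
        ip = substr(msg, RSTART + 6)
        if (name != marker) next               # rejects hifrombuffalo2 and padded names
        sub(/^::ffff:/, "", ip)                # IPv4-mapped form on dual-stack hosts
        last = ip
    }
    END { if (last == "") exit 1; print last }
    ' "${2:--}"
}

sample_log | last_marker_ip hifrombuffalo
```

Anyone who learns the marker name can produce the same log entry from their own address, so the result is a hint about where the client is, not proof of who connected.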
