[nflug] need idea
Cyber Source
peter at thecybersource.com
Mon Feb 20 11:40:09 EST 2006
Roelant Ossewaarde wrote:
> I had the same problem. I now have one machine that has scp enabled. I
> have my client scp to that machine, but with a wrong username/password
> (in my case: hifrombuffalo). Since the username doesn't exist, the IP
> shows up in my ftp and auth-log, together with the username that tried
> to log on.
>
> I do that every two hours (which is my rotation time for
> auth/ftp-logs), so if I ever need to check the IP-number, I just grep
> hifrombuffalo in auth.log. Voila!
>
>
>
> Nate Byrnes wrote:
>> How about matching the message id in your mail logs to see what the
>> hostname or IP of the sender was. If using sendmail grep
>> /var/log/maillog (or your configured location) for the message id
>> from the email header. The last entry in the brackets should be the
>> system which passed the email to your mailserver. Hope this helps.
>>
>> Cyber Source wrote:
>>
>>> Darin Perusich wrote:
>>>
>>>> why not just have the cron job that runs email you the info from
>>>> ifconfig? assuming that your clients are using unix routes then
>>>> "ifconfig -a |mail peter at thecybersource.com" should send you that
>>>> info you're looking for.
>>>>
>>>> Cyber Source wrote:
>>>>
>>>>> Hello All,
>>>>> I need an idea where I can find the originating IP of an email. I
>>>>> monitor a lot of my clients' servers, etc. and I have the cron jobs
>>>>> and such email me, which I have filters for and then sort them by
>>>>> who they are so things are organized. I also like to be able to
>>>>> help my clients out from time to time and ssh in to do things and
>>>>> I would like to not have to tell them to do a /sbin/ifconfig or if
>>>>> they are behind a router, to go to my web site and then I have a
>>>>> look at /var/log/httpd/access.
>>>>> For most of my clients, if I look at the message headers of the
>>>>> cron emails, I can see the IP and then use that to log in, mostly
>>>>> cable dhcp clients. However, I am finding more and more dsl dhcp
>>>>> clients to be a problem because not only do they change a lot (and
>>>>> normally not a problem because each day has a new email) but when
>>>>> I look at the dsl clients' message headers I see something like this
>>>>>
>>>>> Return-Path: <root at thecybersource.com>
>>>>> Received: from localhost.localdomain
>>>>> (pool-71-251-164-250.bflony.east.verizon.net [71.251.164.250])
>>>>> by thecybersource.com (8.13.1/8.13.1) with ESMTP id k1K9AHeL024738
>>>>>
>>>>> If this were cable, the ip would be 71.251.164.250 but this does
>>>>> not seem to work with dsl, it is not reporting the actual ip that
>>>>> the client used when the box sent the email.
>>>>>
>>>>> So, I am looking for a way to have a cron run or something on the
>>>>> box that can send me a daily email showing the public ip they are
>>>>> using. I initially thought of doing a cron that could do a
>>>>> traceroute but that doesn't work either. I don't know if
>>>>> something has changed on routers today to block such a process but
>>>>> when I use traceroute today, a lot of it just times out with
>>>>> multiple ***.
>>>>> Anyway, ideas anyone?
>>>>> _______________________________________________
>>>>> nflug mailing list
>>>>> nflug at nflug.org
>>>>> http://www.nflug.org/mailman/listinfo/nflug
>>>>
>>>>
>>> That doesn't help when they are behind routers, it only shows the
>>> internal stuff, I need to know the public IP.
>
Perfect, that's it. But you could also set it up so the person actually
has a key on the host so when they do ssh in or scp it still shows in
the Logwatch file, as it shows all failed/passed ssh attempts and that
gets emailed to me every day already. Thanks!
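
Added example, not part of the original thread: the auth.log lookup Roelant describes, written as a shell function that matches the marker user name exactly and reports each change of source IP instead of relying on a plain grep. The sshd line layout, the host name `mon` and all sample lines are constructed assumptions; only the marker name and 71.251.164.250 come from the messages above.

```shell
#!/bin/sh
# Added example, not from the thread. Log lines below are constructed in
# sshd's usual syslog layout; host name "mon" and the 192.0.2.x, 198.51.100.x
# and 203.0.113.x addresses are placeholders.
sample_log() {
cat <<'EOF'
Feb 20 08:00:01 mon sshd[2101]: Invalid user hifrombuffalo from 192.0.2.17
Feb 20 08:00:03 mon sshd[2101]: Failed password for invalid user hifrombuffalo from 192.0.2.17 port 40112 ssh2
Feb 20 09:14:40 mon sshd[2188]: Invalid user admin from 203.0.113.9
Feb 20 10:00:02 mon sshd[2250]: Invalid user hifrombuffalo from 71.251.164.250
Feb 20 10:00:04 mon sshd[2250]: Failed password for invalid user hifrombuffalo from 71.251.164.250 port 51877 ssh2
Feb 20 10:05:00 mon sshd[2260]: Invalid user hifrombuffalo2 from 198.51.100.5
EOF
}

# beacon_events MARKER < auth.log
# Prints "Mon DD HH:MM:SS IP" each time the marker user's source IP changes.
# The user name must match exactly, so "hifrombuffalo2" is not counted the
# way a plain substring grep would count it.
beacon_events() {
    awk -v user="$1" '
        $5 ~ /^sshd\[/ {
            for (i = 6; i + 3 <= NF; i++)
                if ($i == "user" && $(i+1) == user && $(i+2) == "from" &&
                    $(i+3) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    if ($(i+3) != last) print $1, $2, $3, $(i+3)
                    last = $(i+3)
                    break
                }
        }'
}

# latest_beacon_ip MARKER < auth.log
# Prints the most recent IP seen for the marker user; exit status 1 if none.
# The user name is whatever the connecting side typed, so the answer is a
# hint about where the client is, not proof of who connected.
latest_beacon_ip() {
    beacon_events "$1" | awk '{ ip = $4 } END { if (ip == "") exit 1; print ip }'
}

sample_log | beacon_events hifrombuffalo
```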