[nflug] need idea
Roelant Ossewaarde
rao3 at buffalo.edu
Mon Feb 20 11:54:05 EST 2006
Cyber Source wrote:
> Roelant Ossewaarde wrote:
>
>> I had the same problem. I now have one machine that has scp enabled. I
>> have my client scp to that machine, but with a wrong username/password
>> (in my case: hifrombuffalo). Since the username doesn't exist, the IP
>> shows up in my ftp and auth-log, together with the username that tried
>> to log on.
>>
>> I do that every two hours (which is my rotation time for
>> auth/ftp-logs), so if I ever need to check the IP-number, I just grep
>> hifrombuffalo in auth.log. Voila!
>>
>>
>>
>> Nate Byrnes wrote:
>>
>>> How about matching the message id in your mail logs to see what the
>>> hostname or IP of the sender was. If using sendmail grep
>>> /var/log/maillog (or your configured location) for the message id
>>> from the email header. The last entry in the brackets should be the
>>> system which passed the email to your mailserver. Hope this helps.
>>>
>>> Cyber Source wrote:
>>>
>>>> Darin Perusich wrote:
>>>>
>>>>> why not just have the cron job that runs email you the info from
>>>>> ifconfig? assuming that your clients are using unix routes then
>>>>> "ifconfig -a |mail peter at thecybersource.com" should send you that
>>>>> info your looking for.
>>>>>
>>>>> Cyber Source wrote:
>>>>>
>>>>>> Hello All,
>>>>>> I need an idea where I can find the originating IP of an email. I
>>>>>> monitor alot of my clients servers, etc. and I have the cron jobs
>>>>>> and such email me, which I have filters for and then sort them by
>>>>>> who they are so things are organized. I also like to be able to
>>>>>> help my clients out from time to time and ssh in to do things and
>>>>>> I would like to not have to tell them to do a /sbin/ifconfig or if
>>>>>> they are behind a router, to go to my web site and then I have a
>>>>>> look at /var/log/httpd/access.
>>>>>> For most of my clients, if I look at the message headers of the
>>>>>> cron emails, I can see the IP and then use that to log in, mostly
>>>>>> cable dhcp clients. However, I am finding more and more dsl dhcp
>>>>>> clients to be a problem because not only do they change alot (and
>>>>>> normally not a problem because each day has a new email) but when
>>>>>> I look at the dsl clients message headers I see something like this
>>>>>>
>>>>>> Return-Path: <root at thecybersource.com>
>>>>>> Received: from localhost.localdomain
>>>>>> (pool-71-251-164-250.bflony.east.verizon.net [71.251.164.250])
>>>>>> by thecybersource.com (8.13.1/8.13.1) with ESMTP id k1K9AHeL024738
>>>>>>
>>>>>> If this were cable, the ip would be 71.251.164.250 but this does
>>>>>> not seem to work with dsl, it is not reporting the actual ip that
>>>>>> the client used when the box sent the email.
>>>>>>
>>>>>> So, I am looking for a way to have a cron run or something on the
>>>>>> box that can send me a daily email showing the public ip they are
>>>>>> using. I initially thought of doing a cron that could do a
>>>>>> traceroute but I that doesnt work either. I don't know if
>>>>>> something has changed on routers today to block such a process but
>>>>>> when I use traceroute today, alot of it just times out with
>>>>>> multiple ***.
>>>>>> Anyway, ideas anyone?
>>>>>> _______________________________________________
>>>>>> nflug mailing list
>>>>>> nflug at nflug.org
>>>>>> http://www.nflug.org/mailman/listinfo/nflug
>>>>>
>>>>>
>>>>>
>>>> That doesnt help when they are behind routers, it only shows the
>>>> internal stuff, I need to know the public IP.
>>>> _______________________________________________
>>>> nflug mailing list
>>>> nflug at nflug.org
>>>> http://www.nflug.org/mailman/listinfo/nflug
>>>>
>>>> !DSPAM:43f9d66b47272099511928!
>>>>
>>> _______________________________________________
>>> nflug mailing list
>>> nflug at nflug.org
>>> http://www.nflug.org/mailman/listinfo/nflug
>>>
>> _______________________________________________
>> nflug mailing list
>> nflug at nflug.org
>> http://www.nflug.org/mailman/listinfo/nflug
>>
> Perfect, that's it. But you could also set it up so the person actually
> has a key on the host so when they do ssh in or scp it still shows in
> the Logwatch file, as it shows all failed/passed ssh attempts and that
> gets emailed to me everyday already, Thanks!
Yes, but I don't want to give access to my machine. An access attempt is
good enough for me. And now I can use names *I* find easy to use (such
as 'hifrombuffalo').
_______________________________________________
nflug mailing list
nflug at nflug.org
http://www.nflug.org/mailman/listinfo/nflug
More information about the nflug
mailing list