[nflug] need idea
Cyber Source
peter at thecybersource.com
Mon Feb 20 12:13:31 EST 2006
Roelant Ossewaarde wrote:
>
>
> Cyber Source wrote:
>> Roelant Ossewaarde wrote:
>>
>>> I had the same problem. I now have one machine that has scp enabled.
>>> I have my client scp to that machine, but with a wrong
>>> username/password (in my case: hifrombuffalo). Since the username
>>> doesn't exist, the IP shows up in my ftp and auth-log, together with
>>> the username that tried to log on.
>>>
>>> I do that every two hours (which is my rotation time for
>>> auth/ftp-logs), so if I ever need to check the IP-number, I just
>>> grep hifrombuffalo in auth.log. Voila!
>>>
>>>
>>>
>>> Nate Byrnes wrote:
>>>
>>>> How about matching the message id in your mail logs to see what the
>>>> hostname or IP of the sender was. If using sendmail grep
>>>> /var/log/maillog (or your configured location) for the message id
>>>> from the email header. The last entry in the brackets should be the
>>>> system which passed the email to your mailserver. Hope this helps.
>>>>
>>>> Cyber Source wrote:
>>>>
>>>>> Darin Perusich wrote:
>>>>>
>>>>>> why not just have the cron job that runs email you the info from
>>>>>> ifconfig? assuming that your clients are using unix routes then
>>>>>> "ifconfig -a |mail peter at thecybersource.com" should send you that
>>>>>> info you're looking for.
>>>>>>
>>>>>> Cyber Source wrote:
>>>>>>
>>>>>>> Hello All,
>>>>>>> I need an idea where I can find the originating IP of an email.
>>>>>>> I monitor a lot of my clients' servers, etc. and I have the cron
>>>>>>> jobs and such email me, which I have filters for and then sort
>>>>>>> them by who they are so things are organized. I also like to be
>>>>>>> able to help my clients out from time to time and ssh in to do
>>>>>>> things and I would like to not have to tell them to do a
>>>>>>> /sbin/ifconfig or if they are behind a router, to go to my web
>>>>>>> site and then I have a look at /var/log/httpd/access.
>>>>>>> For most of my clients, if I look at the message headers of the
>>>>>>> cron emails, I can see the IP and then use that to log in,
>>>>>>> mostly cable dhcp clients. However, I am finding more and more
>>>>>>> dsl dhcp clients to be a problem because not only do they change
>>>>>>> a lot (and normally not a problem because each day has a new
>>>>>>> email) but when I look at the dsl clients' message headers I see
>>>>>>> something like this
>>>>>>>
>>>>>>> Return-Path: <root at thecybersource.com>
>>>>>>> Received: from localhost.localdomain
>>>>>>> (pool-71-251-164-250.bflony.east.verizon.net [71.251.164.250])
>>>>>>> by thecybersource.com (8.13.1/8.13.1) with ESMTP id k1K9AHeL024738
>>>>>>>
>>>>>>> If this were cable, the ip would be 71.251.164.250 but this does
>>>>>>> not seem to work with dsl, it is not reporting the actual ip
>>>>>>> that the client used when the box sent the email.
>>>>>>>
>>>>>>> So, I am looking for a way to have a cron run or something on
>>>>>>> the box that can send me a daily email showing the public ip
>>>>>>> they are using. I initially thought of doing a cron that could
>>>>>>> do a traceroute but that doesn't work either. I don't know if
>>>>>>> something has changed on routers today to block such a process
>>>>>>> but when I use traceroute today, a lot of it just times out with
>>>>>>> multiple ***.
>>>>>>> Anyway, ideas anyone?
>>>>>>> _______________________________________________
>>>>>>> nflug mailing list
>>>>>>> nflug at nflug.org
>>>>>>> http://www.nflug.org/mailman/listinfo/nflug
>>>>>>
>>>>>>
>>>>>>
>>>>> That doesn't help when they are behind routers, it only shows the
>>>>> internal stuff, I need to know the public IP.
>>>
>> Perfect, that's it. But you could also set it up so the person
>> actually has a key on the host so when they do ssh in or scp it still
>> shows in the Logwatch file, as it shows all failed/passed ssh
>> attempts and that gets emailed to me every day already, Thanks!
>
> Yes, but I don't want to give access to my machine. An access attempt
> is good enough for me. And now I can use names *I* find easy to use
> (such as 'hifrombuffalo').
>
>
For us, we will be implementing a daemon that will monitor failed
attempts and add the ip to the hosts.deny file, so we don't want to
block them out too. Thanks for the idea.
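
The check-in trick and the hosts.deny concern discussed in this thread, as an added example that is not part of any poster's message: it pulls the latest address for the marker user name out of sshd failure lines and lists block candidates without counting check-ins. The log lines are constructed, the function names are hypothetical, and the sshd "Failed password" line format and IPv4-only addresses are assumptions.

```shell
#!/bin/sh
# Constructed sshd auth.log lines (documentation addresses, not from the thread).
sample_log() {
cat <<'EOF'
Feb 20 08:00:03 mon sshd[2101]: Failed password for invalid user hifrombuffalo from 203.0.113.7 port 40122 ssh2
Feb 20 09:14:40 mon sshd[2188]: Failed password for root from 198.51.100.23 port 51514 ssh2
Feb 20 09:14:43 mon sshd[2188]: Failed password for root from 198.51.100.23 port 51514 ssh2
Feb 20 09:14:47 mon sshd[2190]: Failed password for invalid user admin from 198.51.100.23 port 51520 ssh2
Feb 20 09:30:11 mon sshd[2240]: Accepted password for backup from 192.0.2.10 port 50022 ssh2
Feb 20 10:00:02 mon sshd[2302]: Failed password for invalid user hifrombuffalo from 203.0.113.42 port 40311 ssh2
Feb 20 10:00:09 mon sshd[2302]: Failed password for invalid user hifrombuffalo from 203.0.113.42 port 40311 ssh2
Feb 20 10:00:12 mon sshd[2302]: Failed password for invalid user hifrombuffalo from 203.0.113.42 port 40311 ssh2
EOF
}

# Emit "IP USER" for each failed sshd password attempt read from stdin.
# The user name is client-supplied text, so the address is taken from the
# fixed tail of the line ("from IP port N ssh2") and printed first.
failed_attempts() {
  sed -n 's/^.* sshd\[[0-9]*\]: Failed password for \(.*\) from \([0-9.]*\) port [0-9]* ssh2$/\2 \1/p' |
    sed 's/^\([0-9.]*\) invalid user /\1 /'
}

# Most recent address that tried the check-in (marker) user name.
# usage: last_checkin_ip MARKER < auth.log
last_checkin_ip() {
  failed_attempts |
    awk -v m="$1" 'NF == 2 && $2 == m { ip = $1 } END { if (ip != "") print ip }'
}

# Addresses with at least THRESHOLD failures, not counting check-in attempts,
# so a hosts.deny daemon does not lock out the clients that are reporting in.
# usage: deny_candidates THRESHOLD MARKER < auth.log
deny_candidates() {
  failed_attempts |
    awk -v n="$1" -v m="$2" '
      !(NF == 2 && $2 == m) { c[$1]++ }
      END { for (ip in c) if (c[ip] >= n) print ip }' |
    sort
}

echo "current client address: $(sample_log | last_checkin_ip hifrombuffalo)"
echo "block candidates: $(sample_log | deny_candidates 3 hifrombuffalo)"
```

Only attempts under the marker name are left out of the count; other failures from the same address still count toward the threshold.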