[nflug] need idea
Cyber Source
peter at thecybersource.com
Mon Feb 20 12:22:53 EST 2006
Mark Musone wrote:
> Why not just have them go to a URL on your web site?
>
> From there you'll know their IP address, and they can even do more stuff
> (open up a service ticket, or it can even automatically add their IP address
> into your email/firewall/whatever settings).
>
> Or if you already have access to their machines, set up a cron job that runs
> wget to a specific URL on your site. Again, I'd go the web/URL way. I
> wouldn't screw around with dealing with and parsing email and tracking down
> mail relays and the such. Too fugly..
>
> ..Just my $.02
>
> -Mark
>
>
> -----Original Message-----
> From: nflug-bounces at nflug.org [mailto:nflug-bounces at nflug.org] On Behalf Of
> Cyber Source
> Sent: Monday, February 20, 2006 12:14 PM
> To: nflug at nflug.org
> Subject: Re: [nflug] need idea
>
> Roelant Ossewaarde wrote:
>
>> Cyber Source wrote:
>>
>>> Roelant Ossewaarde wrote:
>>>
>>>
>>>> I had the same problem. I now have one machine that has scp enabled.
>>>> I have my client scp to that machine, but with a wrong
>>>> username/password (in my case: hifrombuffalo). Since the username
>>>> doesn't exist, the IP shows up in my ftp and auth-log, together with
>>>> the username that tried to log on.
>>>>
>>>> I do that every two hours (which is my rotation time for
>>>> auth/ftp-logs), so if I ever need to check the IP-number, I just
>>>> grep hifrombuffalo in auth.log. Voila!
>>>>
>>>>
>>>>
>>>> Nate Byrnes wrote:
>>>>
>>>>
>>>>> How about matching the message ID in your mail logs to see what the
>>>>> hostname or IP of the sender was? If using sendmail, grep
>>>>> /var/log/maillog (or your configured location) for the message ID
>>>>> from the email header. The last entry in the brackets should be the
>>>>> system which passed the email to your mailserver. Hope this helps.
>>>>>
>>>>> Cyber Source wrote:
>>>>>
>>>>>
>>>>>> Darin Perusich wrote:
>>>>>>
>>>>>>
>>>>>>> Why not just have the cron job that runs email you the info from
>>>>>>> ifconfig? Assuming that your clients are using unix routes then
>>>>>>> "ifconfig -a |mail peter at thecybersource.com" should send you that
>>>>>>> info you're looking for.
>>>>>>>
>>>>>>> Cyber Source wrote:
>>>>>>>
>>>>>>>
>>>>>>>> Hello All,
>>>>>>>> I need an idea where I can find the originating IP of an email.
>>>>>>>> I monitor a lot of my clients' servers, etc. and I have the cron
>>>>>>>> jobs and such email me, which I have filters for and then sort
>>>>>>>> them by who they are so things are organized. I also like to be
>>>>>>>> able to help my clients out from time to time and ssh in to do
>>>>>>>> things and I would like to not have to tell them to do a
>>>>>>>> /sbin/ifconfig or if they are behind a router, to go to my web
>>>>>>>> site and then I have a look at /var/log/httpd/access.
>>>>>>>> For most of my clients, if I look at the message headers of the
>>>>>>>> cron emails, I can see the IP and then use that to log in,
>>>>>>>> mostly cable DHCP clients. However, I am finding more and more
>>>>>>>> DSL DHCP clients to be a problem because not only do they change
>>>>>>>> a lot (and normally not a problem because each day has a new
>>>>>>>> email) but when I look at the DSL clients' message headers I see
>>>>>>>> something like this:
>>>>>>>>
>>>>>>>> Return-Path: <root at thecybersource.com>
>>>>>>>> Received: from localhost.localdomain
>>>>>>>> (pool-71-251-164-250.bflony.east.verizon.net [71.251.164.250])
>>>>>>>> by thecybersource.com (8.13.1/8.13.1) with ESMTP id k1K9AHeL024738
>>>>>>>>
>>>>>>>> If this were cable, the IP would be 71.251.164.250 but this does
>>>>>>>> not seem to work with DSL; it is not reporting the actual IP
>>>>>>>> that the client used when the box sent the email.
>>>>>>>>
>>>>>>>> So, I am looking for a way to have a cron run or something on
>>>>>>>> the box that can send me a daily email showing the public IP
>>>>>>>> they are using. I initially thought of doing a cron that could
>>>>>>>> do a traceroute but that doesn't work either. I don't know if
>>>>>>>> something has changed on routers today to block such a process
>>>>>>>> but when I use traceroute today, a lot of it just times out with
>>>>>>>> multiple ***.
>>>>>>>> Anyway, ideas anyone?
>>>>>>>> _______________________________________________
>>>>>>>> nflug mailing list
>>>>>>>> nflug at nflug.org
>>>>>>>> http://www.nflug.org/mailman/listinfo/nflug
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> That doesn't help when they are behind routers; it only shows the
>>>>>> internal stuff, I need to know the public IP.
>>>>
>>> Perfect, that's it. But you could also set it up so the person
>>> actually has a key on the host so when they do ssh in or scp it still
>>> shows in the Logwatch file, as it shows all failed/passed ssh
>>> attempts and that gets emailed to me every day already. Thanks!
>>>
>> Yes, but I don't want to give access to my machine. An access attempt
>> is good enough for me. And now I can use names *I* find easy to use
>> (such as 'hifrombuffalo').
>>
>>
> For us, we will be implementing a daemon that will monitor failed
> attempts and add the ip to the hosts.deny file, so we don't want to
> block them out too. Thanks for the idea.
>
That's a good idea too but I prefer the ssh way, I look at the logs
daily anyway, no parsing. I do the web server thing (as mentioned
initially) but that can be a pain too with as busy a web server as we have.
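
Added example, not part of the original thread: the check-in lookup from the quoted replies (grep the marker username in auth.log), together with the failed-login count a hosts.deny daemon would need so that check-ins are not counted against the client. The function names, the host name gw and the sample log lines are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Log lines are constructed and use
# documentation-range addresses; the layout is OpenSSH's usual syslog output.
sample_auth_log() {
cat <<'EOF'
Feb 20 08:00:01 gw sshd[4101]: Invalid user hifrombuffalo from 203.0.113.17
Feb 20 08:00:03 gw sshd[4101]: Failed password for invalid user hifrombuffalo from 203.0.113.17 port 40112 ssh2
Feb 20 09:14:44 gw sshd[4188]: Failed password for invalid user admin from 198.51.100.9 port 51515 ssh2
Feb 20 09:14:50 gw sshd[4190]: Failed password for root from 198.51.100.9 port 51520 ssh2
Feb 20 10:00:02 gw sshd[4302]: Invalid user hifrombuffalo from 203.0.113.88
Feb 20 10:00:05 gw sshd[4311]: Invalid user hifrombuffalo2 from 192.0.2.50
EOF
}

# Latest source IP that tried to log in as exactly the marker user ($1).
# The last "from" on the line is used, because a username may itself
# contain the word "from" and would otherwise shift the fields.
last_checkin_ip() {
    awk -v marker="$1" '
        /sshd\[/ && (/Invalid user/ || /Failed password/) {
            for (i = NF - 1; i > 1; i--) if ($i == "from") break
            if (i > 1 && $(i-1) == marker) ip = $(i+1)
        }
        END { if (ip != "") print ip }'
}

# IPs with at least $2 failed passwords, not counting check-ins as $1.
# Only the marker lines are skipped; the client IP is not exempted, so
# other failed logins from the same address still count toward the limit.
deny_candidates() {
    awk -v marker="$1" -v limit="$2" '
        /sshd\[/ && /Failed password/ {
            for (i = NF - 1; i > 1; i--) if ($i == "from") break
            if (i > 1 && $(i-1) != marker) fails[$(i+1)]++
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip }' | sort
}

sample_auth_log | last_checkin_ip hifrombuffalo
sample_auth_log | deny_candidates hifrombuffalo 2
```

On a real host, feed the functions the live log instead of the sample, for example `last_checkin_ip hifrombuffalo < /var/log/auth.log`.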