Hi All,
I was wondering if anyone knew of a way to notify or log when a specific remote port is opened? I have an old LDAP server that I am looking to get rid of, but there are still a few queries reaching it.
The system authentication is set up correctly (as is Postfix), so I am thinking there must be some script or program that is set up to query the older LDAP server.
I tried using lsof -i|grep 389, but I am not quick enough to get results before the socket is closed. Is there any program or script I could write to detect when this socket gets opened, and what PID and/or program owns it?
Thanks, Eric Falbe
You could setup an iptables rule on the OUTPUT chain to log attempted accesses, then watch the log file, like outlined here:
http://stackoverflow.com/questions/11584824/run-a-system-command-when-an-ipt...
You could use "lsof -n ..." to find the command trying to open the port.
Another option might be to setup tcpdump to capture all packets (including payload data) going to that server/port, then review that and see if you find any clues about the program making the requests.
❧ Brian Mathis @orev
On Fri, May 30, 2014 at 11:14 AM, Eric Falbe ericf706@gmail.com wrote:
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Hi Brian,
You can enable iptables to track the network behavior.
Best regards,
------------ Banyan Email: banyan@rootong.com Web: www.rootong.com
On 5/30/2014 11:35 PM, Brian Mathis wrote:
On 05/30/2014 11:14 AM, Eric Falbe wrote:
It's a fairly interesting problem (at least to me); I'm not wizard enough to be able to redirect the connection, but you could write a perl script that sits on the port and logs the remote IP connecting, although that would break the service while you're figuring out who's still connecting. The other thing I'd consider (although my quick little experiment didn't quite work) is turning on/adding to iptables for some logging.
You could also potentially do something with tcp wrappers if the daemon has the libraries, or maybe some xinetd magic.
On Fri, May 30, 2014 at 10:14 AM, Eric Falbe ericf706@gmail.com wrote:
I'd run tcpdump or wireshark with a 'port 389' filter on the old ldap server to capture the source IPs of the queries if you don't know the host(s) doing it. And if you know the host(s) but not the program(s) configured to do it, you might try a `grep -R 'pattern' /etc` where the pattern is the name or ip of the ldap server.
On 05/30, Les Mikesell wrote:
That's what I am currently doing (grep -R "old_server") and letting it chug along. I tried the iptables rule, but I still could not find the connection in lsof output, so the connection must close before the log processing takes place.
Thanks for the suggestions. Eric Falbe
Em 30-05-2014 13:12, Eric Falbe escreveu:
I'm not sure how critical this server is, but you may LOG and DROP it (at least the first SYN attempt), so TCP will keep retrying to connect. It should last longer then.
One other option is a systemtap script, but that's more intrusive.
Marcelo
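One way to combine Marcelo's LOG-and-DROP idea with Brian's "find the command owning the port" step, as an added example that is not from anyone in this thread: with rules such as `iptables -A OUTPUT -p tcp --dport 389 --syn -j LOG --log-prefix "OLDLDAP: "` followed by a matching `-j DROP`, the client socket sits in SYN_SENT while TCP retries, so the SPT= value in the kernel log line can be matched against /proc/net/tcp and the socket inode traced back to a PID through /proc/<pid>/fd. The log prefix, the log line and the /proc/net/tcp row below are constructed for the example, and demo() builds a fake /proc tree so it runs without root or an LDAP client.

```python
import glob
import os
import re
import tempfile

# netfilter LOG lines carry KEY=VALUE fields; SPT is the client-side source port we key on.
_KV = re.compile(r"\b(SRC|DST|SPT|DPT)=(\S+)")
# Constructed sample input: a kernel LOG line and a /proc/net/tcp row for that socket
# (ports in /proc/net/tcp are hex: 0xB26E = 45678, 0x0185 = 389; the inode is column 10).
SAMPLE_LOG = ("May 30 11:14:02 host kernel: OLDLDAP: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.50 "
              "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=45678 DPT=389 SYN URGP=0")
SAMPLE_TCP = ("  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
              "   0: 0A0200C0:B26E 320200C0:0185 02 00000000:00000000 00:00000000 00000000     0        0 123456 1 0 100 0 0 10 -1\n")

def parse_log_line(line):
    """Return {'SRC','DST','SPT','DPT'} with ports as ints, or None if any field is missing."""
    fields = dict(_KV.findall(line))
    if not {"SRC", "DST", "SPT", "DPT"} <= set(fields):
        return None
    fields["SPT"], fields["DPT"] = int(fields["SPT"]), int(fields["DPT"])
    return fields

def socket_inode(proc_net_tcp, local_port):
    """Return the inode of the TCP socket whose local port matches, else None (header row skipped)."""
    for cols in (row.split() for row in proc_net_tcp.splitlines()[1:]):
        if len(cols) >= 10 and int(cols[1].rsplit(":", 1)[1], 16) == local_port:
            return int(cols[9])
    return None

def pid_for_inode(inode, proc="/proc"):
    """Scan <proc>/<pid>/fd/* for a link to socket:[inode]; root is needed to read other users' fds."""
    for fd in glob.glob(os.path.join(proc, "[0-9]*", "fd", "*")):
        try:
            if os.readlink(fd) == "socket:[%d]" % inode:
                return int(fd.split(os.sep)[-3])
        except OSError:  # process or fd vanished between listing and readlink
            continue
    return None

def find_pid(log_line, proc_net_tcp, proc="/proc"):
    """Log line -> source port -> socket inode -> PID; None if any step fails."""
    fields = parse_log_line(log_line)
    inode = socket_inode(proc_net_tcp, fields["SPT"]) if fields else None
    return pid_for_inode(inode, proc) if inode is not None else None

def demo():
    """Run the lookup against a fake /proc tree in which PID 4321 holds the sample socket open."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "4321", "fd"))
    os.symlink("socket:[123456]", os.path.join(root, "4321", "fd", "3"))
    return find_pid(SAMPLE_LOG, SAMPLE_TCP, proc=root)
```

On a real host you would feed lines from `dmesg -w` or the syslog file into find_pid with open("/proc/net/tcp").read() as the second argument; the DROP rule is what keeps the socket alive long enough for the lookup that lsof alone was too slow for.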