- How to log the ip addresses trying to connect to a port?
- 3 Answers 3
- Logging outgoing connections as they happen
- 4 Answers 4
- You must log in to answer this question.
- Linked
- Related
- Hot Network Questions
- Subscribe to RSS
- Logging incoming connections (TCP, Linux)
- Recent Posts
- Linux: Looking for a network log for server connections
- Where are network manager logs? (16.04)
- 2 Answers 2
How to log the ip addresses trying to connect to a port?
Is it possible to log all IP addresses that trying to connect or connected to port «5901» in Linux Debian? How can i do that?
I didn’t downvote it, but one of the reasons for a downvote on SF is that the question «does not show any research effort» and I’m sorry, but yours doesn’t.
3 Answers 3
You could do it using iptables
iptables -I INPUT -p tcp -m tcp --dport 5901 -m state --state NEW -j LOG --log-level 1 --log-prefix "New Connection "
This will log new tcp connections on port 5901 to /var/log/syslog and /var/log/kernel.log like this
Dec 12 07:52:48 u-10-04 kernel: [591690.935432] New Connection IN=eth0 OUT= MAC=00:0c:29:2e:78:f1:00:0c:29:eb:43:22:08:00 SRC=192.168.254.181 DST=192.168.254.196 LEN=60 TOS=0x10 PREC=0x00 TTL=64 DF PROTO=TCP SPT=36972 DPT=5901 WINDOW=14600 RES=0x00 SYN URGP=0
if it’s short term — this should do:
tcpdump -n -i eth0 -w file.cap "port 5901"
alternatively you can use the log target of iptables:
iptables -A INPUT -p tcp --dport 5901 -j LOG --log-prefix '** guests **'--log-level 4
this might flood your logs
you can use netstat with options -v,-n,-t, -a
e.g. netstat -anp | :8080 | grep ESTABLISHED | wc -l OR
root@user:/home# netstat -vatn Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 192.168.1.174:8080 192.168.1.126:53021 ESTABLISHED tcp 0 0 192.168.1.174:8080 192.168.1.126:32950 ESTABLISHED tcp 0 0 192.168.1.174:8080 192.168.1.126:39634 ESTABLISHED tcp 0 0 192.168.1.174:8080 192.168.1.126:59300 ESTABLISHED tcp 0 0 192.168.1.174:8080 192.168.1.188:49551 ESTABLISHED tcp 0 0 192.168.1.174:9090 192.168.1.126:37865 ESTABLISHED tcp 0 0 192.168.1.174:9090 192.168.1.188:51411 ESTABLISHED tcp 0 0 192.168.1.174:8080 192.168.1.126:50824 ESTABLISHED
Logging outgoing connections as they happen
Is there a way to log to file all the outgoing connections that a process creates? I am aware of netstat but that seems to be more of a snapshot of a point in time rather than something that runs and logs information over a period. I only need the IP or hostname, port and the process making the connection.
Well, you could do something like watch -n 2 netstat in the meantime, but that’s not a proper solution, is it.
4 Answers 4
On Linux, you can set up the audit subsystem to log every attempt to establish a network connection. For information about the audit subsystem, read the auditctl man page or this tutorial or other examples on this site. Install your distribution’s auditd package if necessary, then
auditctl -A exit,always -S connect
The logs are in /var/log/audit/audit.log on all the distributions that I know of. You can also search them with ausearch .
I needed to identify which process was making an outgoing connection. This did it instantly. To avoid flooding the logs, remove the rule afterward: auditctl -d exit,always -S connect
This seems to log a huge amount of data, though having tried a curl — the ip address was NOT logged in the /var/log/audit/audit.log file.
If you’re able to install a custom kernel, you should have a look at SystemTap. There are plenty of examples how to trace network activity.
On Linux, you can use ip_conntrack to accomplish this. It’s a connection tracking module, used normally to monitor connections for oddly behaving protocols (like FTP) to be managed by a firewall/NAT box.
modprobe ip_conntrack cat /proc/net/ip_conntrack
You can grep the pseudo-file to see established connections, and further grep the source IP to see when it originates from your box.
I would look into using tcpdump on the outbound interface looking at the outbound SYN requests.
If you feel really adventurous you could make utilities like: strace or truss report all connect system calls while tracing the execution of the program but this is a bit more dangerous and has drawbacks when dealing with multithreaded processes.
You must log in to answer this question.
Linked
Related
Hot Network Questions
Subscribe to RSS
To subscribe to this RSS feed, copy and paste this URL into your RSS reader.
Site design / logo © 2023 Stack Exchange Inc; user contributions licensed under CC BY-SA . rev 2023.7.14.43533
Linux is a registered trademark of Linus Torvalds. UNIX is a registered trademark of The Open Group.
This site is not affiliated with Linus Torvalds or The Open Group in any way.
By clicking “Accept all cookies”, you agree Stack Exchange can store cookies on your device and disclose information in accordance with our Cookie Policy.
Logging incoming connections (TCP, Linux)
On a server that I am running MRTG showed me some spikes in incoming connections. It seems that about 800 incoming tcp connections were made within a few minutes. Nagios reported that there were so many connections that no further connections could be created. To examine the problem I wanted to log all incoming TCP … Continue reading “Logging incoming connections (TCP, Linux)”
On a server that I am running MRTG showed me some spikes in incoming connections. It seems that about 800 incoming tcp connections were made within a few minutes. Nagios reported that there were so many connections that no further connections could be created. To examine the problem I wanted to log all incoming TCP connections. This can be done with a single command:
iptables -I INPUT -p tcp --syn -j LOG --log-prefix='[tcpconnections] '
It temporarily adds a rule to the firewall’s INPUT chain to write all incoming TCP packets that have the SYN flag set, i.e. that try to initiate a connection, into the system’s log with the prefix “[tcpconnections] “. Afterward you can see the connections e.g. in /var/log/syslog.
However now the syslog is quickly filled with entries if your server has a lot of TCP traffic. To separate these entries and write them into a different log, add a file “tcpconnections.conf” to “/etc/rsyslog.d“:
:msg,contains,"[tcpconnections] " /var/log/tcpconnections.log & ~
The first line copies the matching entries into the file /var/log/tcpconnections.log. The second line discards the same entries so that they are not additionally copied into the main syslog. The ampersand means that another action should be applied to the filter in the previous line. A good overview of these parameters can be found in the RedHat documentation here:
To activate the changes, restart rsyslog:
Now all connections are logged to tcpconnections.log but the file can get large. So it should be rotated. To do this create a file “tcpconnections” in /etc/logrotate.d and write this into it:
It will create a new log each day and keep the last 12 logs.
Recent Posts
Linux: Looking for a network log for server connections
The only sure way to get a single centralized log of all TCP connections would be to add LOG rules to your iptables software firewall configuration that would log any packet with a SYN and ACK bits set, i.e. the second packet of any TCP connection. These would appear as kernel log messages in /var/log/messages by default.
Essentially you would want to add iptables rules like this:
iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -j LOG --log-prefix "Inbound connection established: " iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -j LOG --log-prefix "Outbound connection established: "
(You may want to place these rules in your existing ruleset so that they won’t apply to the loopback interface, as that might generate two entries for each local connection between application processes within the host.)
And yes, the rule in OUTPUT chain records inbound connections and vice versa, because this will only log connections that are actually being responded to: recording just the SYN packets would also record connection attempts that will be rejected. Because of port scans executed by malware-ridden systems on the internet, that would often give you a lot of useless log entries: you would have to cross-check with other logs, only to find out that either you don’t have such a service running at all, or that the connection was rejected by another iptables rule or by the service in question.
For UDP protocols it’s trickier, because UDP is connectionless and basically just a platform on which an application-specific protocol can be built. So there is no easy way to detect «the first packet of a connection» or anything like that, because all that will be entirely application-specific.
Where are network manager logs? (16.04)
I have new Ubuntu and I want to debug some errors in network settings. I cannot find log for NetworkManager. /var/log/syslog and /var/log/daemon.log — what people recommend on this stack exchange in other questions — are both empty. Python script from this page — https://wiki.ubuntu.com/DebuggingNetworkManager — doesn’t exist anymore. sudo service network-manager status displays a few lines of the log, but not all.
2 Answers 2
journalctl -u NetworkManager.service
-u , —unit=UNIT|PATTERN Show messages for the specified systemd unit UNIT (such as a service unit), or for any of the units matched by PATTERN. [. ]
Yes. Since the question is on askubuntu, it talks about systemd, because all ubuntu installations are with systemd (except for ancient ones).
What are You saying exactly? That Ubuntu 14.04 is not Ubuntu? Or users of those «ancient» versions, as You say, are not accepted in this StackExchange network site? You did ask the question without specifying Your Ubuntu version, so.
You can also try this one. You’ll see some Network Manager state changes with this one.
sudo journalctl -fu NetworkManager
Mar 15 09:06:37 macbookair NetworkManager[1098]: [xxx] keyfile: add connection in-memory (xxx,"tun0") Mar 15 09:06:37 macbookair NetworkManager[1098]: [xxx] device (tun0): state change: unavailable -> disconnected (reason 'connection-assumed', sys-iface-state: 'external') Mar 15 09:06:37 macbookair NetworkManager[1098]: [xxx] device (tun0): Activation: starting connection 'tun0' (xxx)
-f , —follow Show only the most recent journal entries, and continuously print new entries as they are appended to the journal.