9

Besides using iptables to log incoming connections..

Is there a way to log established inbound connections to a service that you don't have the source to (suppose the service doesn't log stuff like this on its own)? What I'm wanting to do is gather some information based on who's connecting to be able to tell things like what times of the day the service is being used the most, where in the world the main user base is, etc.

I am aware I can use netstat and just hook it up to a cron script, but that might not be accurate, since the script could only run as frequently as a minute.

Here is what I am thinking right now:

  • Write a program that constantly polls netstat, looking for established connections that didn't appear in the previous poll. This idea seems like such a waste of CPU time though, since there may not be a new connection..
  • Write a wrapper program that accepts inbound connections on whatever port the service runs on, but then I wouldn't know how to pass that connection along to the real service.

Edit: Just occurred to me that this question might be better for stackoverflow, though I am not certain. Sorry if this is the wrong place.

Zac
  • 93
  • 4
  • Why are you excluding the use of iptables ? Which port is our application listening on? – user9517 Oct 06 '12 at 07:31
  • Mainly because I'd like to have more control over the logging. Ideally I'd just like to be able to handle the logging how I want whenever a new connection is detected. Any port. There isn't a sole specific application I would use this for, which is why I'm not asking how to log anything in depth like a username or something such as that. – Zac Oct 06 '12 at 08:16
  • You could use iptables only to log new incoming connections, to any port. I do that, on a couple of boxes. So I repeat Iain's excellent question: why are you excluding the use of iptables? – MadHatter Oct 06 '12 at 08:45
  • Are you able to place a proxy before the application? It only needs to be a very simple one that receives the requests, logs them and passes them on. You could port forward the incoming signal to the proxy, which then relays to the application on the original port. – John Gardeniers Oct 06 '12 at 09:00
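The proxy sketched in the last comment, as an added example that is not code from the question or from any of the commenters: a small Python TCP relay that listens where the clients connect, records the time and source of every new connection itself, and hands the byte stream to the real service unchanged. The class and function names are my own, and the "real service" is stood in for by a constructed echo server so the script runs offline.

```python
"""A logging TCP relay: one way to realize the 'wrapper program' idea in the
question. The relay accepts the client, logs the new connection, then copies
bytes in both directions between the client and the real service."""
import datetime
import logging
import socket
import threading

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")


def pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst so
    the other side sees the EOF too and both directions can finish cleanly."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LoggingRelay:
    """Accept on listen_addr, record (time, client ip, client port), relay to target_addr."""

    def __init__(self, listen_addr, target_addr):
        self.target_addr = target_addr
        self.records = []  # (UTC timestamp, client ip, client port): the data the question wants
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(listen_addr)
        self.sock.listen(128)
        self.port = self.sock.getsockname()[1]  # the kernel-chosen port when bound to 0

    def start(self):
        threading.Thread(target=self._serve, daemon=True).start()
        return self

    def _serve(self):
        while True:
            try:
                client, peer = self.sock.accept()
            except OSError:  # listening socket was closed
                return
            now = datetime.datetime.now(datetime.timezone.utc)
            self.records.append((now, peer[0], peer[1]))
            logging.info("new connection from %s:%d -> %s:%d",
                         peer[0], peer[1], self.target_addr[0], self.target_addr[1])
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        try:
            upstream = socket.create_connection(self.target_addr)
        except OSError as exc:
            logging.warning("real service unreachable: %s", exc)
            client.close()
            return
        back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
        back.start()            # service -> client in a helper thread
        pump(client, upstream)  # client -> service in this thread
        back.join()             # wait for the service side to drain
        client.close()
        upstream.close()

    def close(self):
        self.sock.close()


def start_echo_service():
    """Stand-in for the real service (constructed for this demo): echoes bytes back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        pump(conn, conn)
        conn.close()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def demo():
    """Send one client through relay -> echo service; return the echoed bytes and the relay's records."""
    service = start_echo_service()
    relay = LoggingRelay(("127.0.0.1", 0), service.getsockname()).start()
    with socket.create_connection(("127.0.0.1", relay.port)) as cli:
        cli.sendall(b"hello through the relay")
        cli.shutdown(socket.SHUT_WR)
        got = b""
        while chunk := cli.recv(4096):
            got += chunk
    relay.close()
    service.close()
    return got, list(relay.records)


if __name__ == "__main__":
    echoed, records = demo()
    print(echoed, records)
```

In practice the relay would be bound to the port the clients use and the real service moved to another port (or, as the comment says, the original port forwarded to the relay). Note that the real service then sees every connection as coming from the relay, so the relay's own log is the only place the true client address appears; that is exactly why it has to record it.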

3 Answers

4

You can log new connections with iptables thus

iptables -I INPUT -m state --state NEW -j LOG --log-level 1 --log-prefix "New Connection "

This will add a message like this for a new ssh connection

Oct 6 10:58:23 centos kernel: New Connection IN=eth0 OUT= MAC=00:0c:29:5b:a5:ea:00:0c:29:2d:94:a0:08:00 SRC=192.168.1.72 DST=192.168.254.187 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=15498 DF PROTO=TCP SPT=59221 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0

or like this for a new http connection

Oct 6 11:03:56 centos kernel: New Connection IN=eth0 OUT= MAC=00:0c:29:5b:a5:ea:00:0c:29:d2:2c:38:08:00 SRC=192.168.254.188 DST=192.168.254.187 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=10345 DF PROTO=TCP SPT=52488 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0

and so on for each new connection to your system. They will be logged to wherever your syslog is configured to send kern.warning messages.

user9517
  • 115,471
  • 20
  • 215
  • 297
  • After doing more looking around, this way seems to be my best bet. I'll just combine this with rsyslog to log to a separate file. Thank you very much for your informative answer Iain! – Zac Oct 10 '12 at 05:40
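To get from those kernel log lines to the statistics the question asks for (busiest hours, most frequent sources, which ports are hit), here is an added Python example that is not part of the answer above: it parses the `New Connection ` LOG lines out of syslog text and aggregates them. The sample input is the two lines shown in the answer plus a constructed third line from the same source and an unrelated sshd line that must be skipped; the function names and the assumed year (syslog timestamps carry none) are mine.

```python
"""Parse iptables LOG lines (the 'New Connection ' prefix used above) out of
syslog text and count new inbound connections per hour, source and port."""
import re
from collections import Counter
from datetime import datetime

# Sample input: the two lines from the answer, one constructed line from the
# same source host, and a constructed non-kernel line that must be ignored.
SAMPLE_LOG = """\
Oct 6 10:58:23 centos kernel: New Connection IN=eth0 OUT= MAC=00:0c:29:5b:a5:ea:00:0c:29:2d:94:a0:08:00 SRC=192.168.1.72 DST=192.168.254.187 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=15498 DF PROTO=TCP SPT=59221 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 6 11:03:56 centos kernel: New Connection IN=eth0 OUT= MAC=00:0c:29:5b:a5:ea:00:0c:29:d2:2c:38:08:00 SRC=192.168.254.188 DST=192.168.254.187 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=10345 DF PROTO=TCP SPT=52488 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 6 11:41:09 centos kernel: New Connection IN=eth0 OUT= MAC=00:0c:29:5b:a5:ea:00:0c:29:2d:94:a0:08:00 SRC=192.168.1.72 DST=192.168.254.187 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=15522 DF PROTO=TCP SPT=59230 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 6 11:41:10 centos sshd[1234]: Accepted publickey for zac from 192.168.1.72 port 59221 ssh2
"""

LOG_PREFIX = "New Connection "
ASSUMED_YEAR = 2012  # assumption: syslog lines have no year; taken from the post dates

# "Oct 6 10:58:23 centos kernel: <msg>"; the optional "[12345.678]" is the
# printk timestamp that some distributions include after "kernel:".
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+kernel:\s*(?:\[\s*[\d.]+\]\s*)?(?P<msg>.*)$"
)


def parse_line(line, year=ASSUMED_YEAR):
    """Return a dict for one iptables LOG line, or None for any other line."""
    m = SYSLOG_RE.match(line.strip())
    if not m or not m.group("msg").startswith(LOG_PREFIX):
        return None
    fields, flags = {}, set()
    for tok in m.group("msg")[len(LOG_PREFIX):].split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val  # "OUT=" yields an empty string, which is fine
        else:
            flags.add(tok)     # bare tokens such as DF or SYN
    when = datetime.strptime(
        f"{m.group('mon')} {m.group('day')} {m.group('time')} {year}",
        "%b %d %H:%M:%S %Y")
    return {
        "time": when,
        "host": m.group("host"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "sport": int(fields["SPT"]) if "SPT" in fields else None,
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        "flags": flags,
    }


def parse_log(text, year=ASSUMED_YEAR):
    """Parse every matching line of syslog text and skip the rest."""
    recs = (parse_line(line, year) for line in text.splitlines())
    return [r for r in recs if r is not None]


def summarize(records):
    """Count new connections per hour of day, per source address and per destination port."""
    return {
        "by_hour": Counter(r["time"].hour for r in records),
        "by_src": Counter(r["src"] for r in records),
        "by_dport": Counter(r["dport"] for r in records),
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for name, counter in summarize(parse_log(text)).items():
        print(name)
        for key, n in sorted(counter.items(), key=lambda kv: (-kv[1], str(kv[0]))):
            print(f"  {key}: {n}")
```

Run it against the file that rsyslog writes the `New Connection ` lines to, or with no argument to use the embedded sample. The "where in the world" part of the question needs the `by_src` addresses looked up in a GeoIP database, which this example deliberately leaves out.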
0

You can use auditd and at the end of the day calculate some statistics based on those log lines. Or you could also go to an SNMP solution, but probably you would have to write your own MIB.

Nikolaidis Fotis
  • 2,032
  • 11
  • 13
0

How about tcpdump or Wireshark?

Guntis
  • 683
  • 1
  • 10
  • 22
  • Please expand your answer a little more. Perhaps suggesting to the user how tcpdump and wireshark would benefit troubleshooting efforts. – Magellan Oct 11 '12 at 23:29
  • [tcpdump manual](http://www.tcpdump.org/tcpdump_man.html): with that you could log full packets. You can also capture packets with tcpdump and then analyze them in Wireshark: `tcpdump -i -s 65535 -w `. In addition, you will have to terminate the capture with ^C when you believe you have captured enough packets. – Guntis Oct 16 '12 at 11:32