How to log the ip addresses trying to connect to a port?

Question

Is it possible to log all IP addresses that trying to connect or connected to port "5901" in Linux Debian?

How can i do that?

Answer 1

You could do it using iptables

iptables -I INPUT -p tcp -m tcp --dport 5901 -m state --state NEW  -j LOG --log-level 1 --log-prefix "New Connection "

This will log new tcp connections on port 5901 to /var/log/syslog and /var/log/kernel.log like this

Dec 12 07:52:48 u-10-04 kernel: [591690.935432] New Connection IN=eth0 OUT= MAC=00:0c:29:2e:78:f1:00:0c:29:eb:43:22:08:00 SRC=192.168.254.181 DST=192.168.254.196 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=40815 DF PROTO=TCP SPT=36972 DPT=5901 WINDOW=14600 RES=0x00 SYN URGP=0

Answer 2

if it's short term - this should do:

tcpdump -n -i eth0 -w file.cap "port 5901"

alternatively you can use the log target of iptables:

iptables -A INPUT -p tcp --dport 5901 -j LOG --log-prefix '** guests **'--log-level 4

this might flood your logs

Answer 3

you can use netstat with options -v,-n,-t, -a

e.g. netstat -anp | :8080 | grep ESTABLISHED | wc -l OR

root@user:/home# netstat -vatn

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.174:8080      192.168.1.126:53021     ESTABLISHED
tcp        0      0 192.168.1.174:8080      192.168.1.126:32950     ESTABLISHED
tcp        0      0 192.168.1.174:8080      192.168.1.126:39634     ESTABLISHED
tcp        0      0 192.168.1.174:8080      192.168.1.126:59300     ESTABLISHED
tcp        0      0 192.168.1.174:8080      192.168.1.188:49551     ESTABLISHED
tcp        0      0 192.168.1.174:9090      192.168.1.126:37865     ESTABLISHED
tcp        0      0 192.168.1.174:9090      192.168.1.188:51411     ESTABLISHED
tcp        0      0 192.168.1.174:8080      192.168.1.126:50824     ESTABLISHED