Track an event when connecting to a port in Linux?
Please tell me how it is possible to execute something on the event of a connection to the server.
For example, there is port 21 (this is an example, there is no need to advise me to do something with FTP): how do I systemically get the client's IP when it connects, check it in the spam database and block it if necessary
(this is also an example, the action executed can be anything)?
Can you tell me at least superficially the scheme for implementing this?
Maybe there are already ready-made solutions and programs for Linux?
There is a standard package, fail2ban.
It parses the application logs (in this case, FTP) and, in accordance with the jail settings, automatically blocks the IP address when it is suspiciously active.
1. Refine the program :)
2. Parse the logs into which the program displays connection data
There is no general technique here and cannot be. A client connection to a port is a standard event for the server and is handled however they like. And the format of the logs is generally arbitrary. See fail2ban - it's already been suggested.
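# Log each new TCP connection attempt to port 21 (FTP's control port is TCP, not UDP)
sudo iptables -I INPUT -p tcp --syn --dport 21 -d a.b.c.d -j LOG --log-prefix="TRIGGER_ME_NOW"
# Run the script for every logged line; the log file path depends on the syslog configuration
tail -f /var/log/firewall.log | awk '/TRIGGER_ME_NOW/ {system("/usr/local/bin/script.sh")}'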
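The log-and-trigger approach in the answer above, carried one step further as an added example (not code from the thread): it pulls the SRC= address out of a netfilter LOG line carrying the same prefix, validates it before it reaches any command, checks it against a local blocklist and by default only reports what it would block. The blocklist path, the function names and the sample log line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; names below are hypothetical, not from the original thread.
PREFIX="TRIGGER_ME_NOW"                       # same prefix as the iptables LOG rule
BLOCKLIST="${BLOCKLIST:-/etc/blocklist.txt}"  # assumed file: one IPv4 address per line

# Print the SRC= address of a LOG line that carries our prefix.
# Fails unless the value looks like a dotted quad, so nothing else
# from the log line is ever passed on to iptables.
extract_src() {
    case "$1" in *"$PREFIX"*) ;; *) return 1 ;; esac
    ip=$(printf '%s\n' "$1" | sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p')
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "$ip"
}

# Exact, whole-line match against the blocklist (no regex interpretation).
is_listed() { grep -Fxq -- "$1" "$BLOCKLIST" 2>/dev/null; }

# Decide what to do with one log line and print the decision.
# DRY_RUN=1 (the default) only reports; DRY_RUN=0 inserts a DROP rule once.
handle_line() {
    ip=$(extract_src "$1") || { echo "skip"; return 0; }
    if is_listed "$ip"; then
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would-block $ip"
        else
            iptables -C INPUT -s "$ip" -j DROP 2>/dev/null ||
                iptables -I INPUT -s "$ip" -j DROP
            echo "blocked $ip"
        fi
    else
        echo "allow $ip"
    fi
}

# Constructed sample of a kernel LOG line (documentation address ranges).
SAMPLE='Jan  1 00:00:00 host kernel: TRIGGER_ME_NOWIN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51514 DPT=21 SYN'

# Live use (log path depends on the syslog configuration):
#   tail -F /var/log/firewall.log | while IFS= read -r l; do handle_line "$l"; done
```
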
Shouldn't the FTP server do this, not Linux? FileZilla, for instance, has an excellent IP Filter.