Tracking Open Ports

Home » CentOS » Tracking Open Ports
CentOS 6 Comments

Hi All,

I was wondering if anyone knew of a way to notify or log when a specific remote port is openened? I have an old LDAP server that I am looking to get rid of, but there is still a few queries reaching it.

The sytem authentication is setup correctly (as is Postfix), so I am thinking there must be some script or program that is setup to query the older LDAP server.

I tried using lsof -i|grep 389, but I am not quick enough to get results before the socket is closed. Is there any program or script I could write to detect when this socket gets opened, and what PID and/or program owns it?

Thanks, Eric Falbe

6 thoughts on - Tracking Open Ports

  • You could setup an iptables rule on the OUTPUT chain to log attempted accesses, then watch the log file, like outlined here:

    http://stackoverflow.com/questions/11584824/run-a-system-command-when-an-iptables-rule-is-matched

    You could use “lsof -n …” to find the command trying to open the port.

    Another option might be to setup tcpdump to capture all packets (including payload data) going to that server/port, then review that and see if you find any clues about the program making the requests.

    ❧ Brian Mathis
    @orev

    CentOS mailing list CentOS@CentOS.org http://lists.CentOS.org/mailman/listinfo/CentOS

  • it’s a fairly interesting problem (at least to me); I’m not wizard enough to be able to redirect the connection, but you could write a perl script that sits on the port and logs the remote IP connecting, although that would break the service while you’re figuring out who’s still connecting. the other thing I’d consider (although my quick little experiment didn’t quite work)
    is turning on/adding to iptables for some logging.

    you could also potentially do something with tcp wrappers if the daemon has the libraries, or maybe some xinetd magic.

  • I’d run tcpdump or wireshark with a ‘port 389’ filter on the old ldap server to capture the source IPs of the queries if you don’t know the host(s) doing it. And if you know the host(s) but not the program(s)
    configured to do it, you might try a ‘grep -R ‘pattern’ /etc where the pattern is the name or ip of the ldap server.

  • That’s what I am currently doing, (grep -R “old_server”) and letting it chug along. I tried the iptables rule, but I still could not find the connection is lsof output, so the connection must close before the log proccessing takes place.

    Thanks for the suggestions. Eric Falbe

  • Em 30-05-2014 13:12, Eric Falbe escreveu:

    I’m not sure how critical this server is but you may LOG and DROP it (at least the first SYN attempt), so TCP will keep retrying to connect. It should last longer then..

    One other option is a systemtap script, but that’s more intrusive.

    Marcelo