How to get a list of all the IP Adresses accessing your server...

socceroos · 04-19-2006, 12:30 AM

Hello All,

I was asked by my boss to create him a web-page that would give him a list of all the IP Addresses currently connected to our FreeBSD server and possibly give him the option of killing certain connections.

I know that you can view current connections through 'netstat -a' but is there a solution to the problem mentioned above? If so, could you show me where to start?

I have been Googling for a while now but have not come accross any solutions.

Your help is greatly appreciated.

Socceroos

jschiwal · 04-19-2006, 12:44 AM

What kind of server are you talking about. If it is a web server, I think you could extract the ip addresses from the logs.

Poetics · 04-19-2006, 12:47 AM

The dangerous thing about having a "kill" button is that you need root (or similar) permissions to do such a thing ... I have no doubt your boss wants to have a single button he can click to kill a connection; that's some pretty insecure scriptwork, though it is possible through some 'exec' commands (depending on your programming language of choice, PHP most likely)

paragn · 04-19-2006, 12:51 AM

hi,
Does netstat -at will answer to your question?

socceroos · 04-19-2006, 01:18 AM

I agree, having the 'kill' button leaves a huge hole in security.

Forget having a 'kill' button for the moment: is it possible to use php or perl to get a list of the CURRENTLY active IP Addresses on the Server (using Apache 2.2).

While I COULD use some sophisticated perl to parse the log files and glean IP Addresses - this still wouldn't tell me who was still ACTIVELY connected (ESTABLISHED).

socceroos · 04-20-2006, 12:11 AM

So, noone knows of any solutions to this problem?

I need to be able to display a list of currently connected IP Addresses IN A WEB PAGE - prefferably written in PHP or PERL.

gilead · 04-20-2006, 03:58 AM

Have you had a look at http://www.phildev.net/iptstate/? You can display all of the iptables connection states - it's not too hard to take that output and format it for a web page. I haven't checked to see if it runs under BSD though (do you use iptables?)...

socceroos · 04-20-2006, 06:51 PM

Gilead:

I have looked at the program your reccommended and, although it looks good, it doesn't actually compile on FreeBSD 5.4.

iptstate.cc: In function `int main(int, char**)':
iptstate.cc:385: error: `AF_INET' undeclared (first use this function)

I've had a look at the source code and tried hashing out the AF_NET variable - which makes it compile correctly - but it doesn't work (AF_NET must be an essential part of the program).

Thanks for your help

ataraxia · 04-20-2006, 07:12 PM

Can't you have your Perl or PHP script shell out, run netstat -a, and parse it in your script? This is quick and dirty, but it should work:

Code:

#!/usr/bin/env perl

print "<html><head><title>Current connections</title></head>\n";
print "<body><h1>Current connections</h1></pre>\n";

@Conns = `netstat -a`;

for $conn (@Conns) {
  print "$conn\n";
}

print "</pre></body></html>\n";

(And yes, since iptstate depends on iptables, it only works on Linux.)

ZST · 04-20-2006, 10:26 PM

suexec-apache might be what your looking for, google for that.

If that does not help solve your problem, you can look for patterns in the IP's that access your site, and have a cron job add the ip's to the drop list in pf filter for bsd, and have another cron job remove them when they meet a certain requirement.

I set this up on a bank website for brute force attacks. Its not really hard, it may or may not work for you. Let me know.

socceroos · 04-21-2006, 12:54 AM

This is what I've got so far...

Any improvements? (Much appreciated)

Thankyou!

Code:

#!/usr/bin/env perl

print "Content-type: text/html\n\n";
print "<html><head><title>Current connections</title>\n<link rel='stylesheet' type='text/css' href='../htdocs/main/style.css' />
</head>\n";
print "<font class='title'>Active Internet Connections</font>";
print "<table>";
print "<tr>";
print "<td>Protocol</td><td>Recv-Q</td><td>Send-Q</td><td>Local Address</td><td>Remote Address</td><td>(state)</td>\n";
print "</tr>\n";


@Conns = `netstat -aW | tr -s " "`;
$i=0;


open(infile,">conn.tmp");
print infile @Conns;
close(infile);


open(outfile,"<conn.tmp");
@current=<outfile>;
 foreach $line (@current) {
  ($proto,$recv,$send,$ladd,$radd,$state)=split(/ /,$line);
   if ($i <= 1)
    {
    }
   else
    {
     print "<tr>\n";
     print "<td>$proto</td>\n";
     print "<td>$recv</td>\n";
     print "<td>$send</td>\n";
     print "<td>$ladd</td>\n";
     print "<td>$radd</td>\n";
     print "<td>$state</td>\n";
     print "</tr>\n";
    }
     $i++;
 }
close(outfile);


print "</table>";
print "</body></html>\n";

ataraxia · 04-21-2006, 08:36 PM

Only a couple of comments:

What's with the tempfile?
Suggest using "th" tags rather than "td" for the table headers. Blind folks with screenreaders appreciate it, anyway.

socceroos · 04-23-2006, 05:44 PM

Yeah, I realise I don't need the tempfile. :S

But since only me and my fellow SysOps are going to be viewing this page I'm not sure I'll need to change the td tags, except to encourage good habbit.

ataraxia · 04-23-2006, 06:13 PM

"th" tags also have the effect of bolding the text for you, which (at least to me) makes it easier to read.