Discussion: tracing users ip address

tracing users ip address

From
"Johnson, Shaunn"
Date:

Running PostgreSQL 7.2.1 on RedHat Linux 7.2 kernel 2.4.7-10

I'm looking at my logs / messages and I'm trying to figure out
how to trace some users.  For example, I am trying to make
the server a bit more secure and in some of the logs I see
someone called 'Admin' trying to access the database  (and
failing ... but for how long?)

I don't know who this is, but, I'd like to know.  Is there a way
I can track down the IP address of users trying to access
the database?  I would imagine the debug that is running - currently
I'm running debug level 2 ... seems that any  higher would
slow my server down.

I don't seem to be able to see them ('Admin') using things like 'last', 'w' or
anything like that.

Suggestions?  Thank you.

-X

Re: tracing users ip address

From
Medi Montaseri
Date:

Enable the following in your $PGDATA/postgresql.conf

log_connections = true
log_timestamp = true
log_pid = true

And run your postmaster at debug level 2.....

When you find out enough... turn the debug back to zero or just keep
it at 2



Johnson, Shaunn wrote:

> Running PostgreSQL 7.2.1 on RedHat Linux 7.2 kernel 2.4.7-10
>
> I'm looking at my logs / messages and I'm trying to figure out
> how to trace some users.  For example, I am trying to make
> the server a bit more secure and in some of the logs I see
> someone called 'Admin' trying to access the database  (and
> failing ... but for how long?)
>
> I don't know who this is, but, I'd like to know.  Is there a way
> I can track down the IP address of users trying to access
> the database?  I would imagine the debug that is running - currently
> I'm running debug level 2 ... seems that any  higher would
> slow my server down.
>
> I don't seem to be able to see them ('Admin') using things like
> 'last', 'w' or
> anything like that.
>
> Suggestions?  Thank you.
>
> -X
>




Re: tracing users ip address

From
"Ken Godee"
Date:

Couldn't you just run something like ethereal and "filter/capture to
log" all requests to the port? More than likely it's all in clear text.

> Running PostgreSQL 7.2.1 on RedHat Linux 7.2 kernel 2.4.7-10
>
> I'm looking at my logs / messages and I'm trying to figure out
> how to trace some users.  For example, I am trying to make
> the server a bit more secure and in some of the logs I see
> someone called 'Admin' trying to access the database  (and
> failing ... but for how long?)
>
> I don't know who this is, but, I'd like to know.  Is there a way
> I can track down the IP address of users trying to access
> the database?  I would imagine the debug that is running - currently
> I'm running debug level 2 ... seems that any  higher would
> slow my server down.
>
> I don't seem to be able to see them ('Admin') using things like 'last', 'w'
> or
> anything like that.
>
> Suggestions?  Thank you.
>
> -X
>



Re: tracing users ip address

From
Kevin Brown
Date:

Johnson, Shaunn wrote:
> I don't know who this is, but, I'd like to know.  Is there a way
> I can track down the IP address of users trying to access
> the database?  I would imagine the debug that is running - currently
> I'm running debug level 2 ... seems that any  higher would
> slow my server down.

PostgreSQL listens on port 5432 by default.  So at the time the perp
is connected, you can do:

    netstat -an | grep ':5432.*ESTABLISHED'

and get a list of every IP address connected to your server at the
time.


This works for netstat under Linux, at the very least.  I expect the
output format under other flavors of Unix is close enough for the
above to work, but you may have to adjust it if your netstat output is
too different.

This won't tell you which one is the 'Admin' connection, but it may
help you to track down the perp anyway...


--
Kevin Brown                          kevin@sysexperts.com
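
The netstat check from the last reply, as an added example that is not part of the original thread: it groups established connections by remote IP and matches 5432 only in the local-address column, so outbound connections from this host to some other server's port 5432 (which the plain grep would also match) are not counted. The function names `pg_peers` and `sample_netstat` are hypothetical, and the sample netstat output is constructed using documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the thread). Counts established client connections
# to a local PostgreSQL port, grouped by remote IP.

# Constructed sample of Linux `netstat -an` output (documentation addresses).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:5432         198.51.100.7:40112      ESTABLISHED
tcp        0      0 192.0.2.10:5432         198.51.100.7:40113      ESTABLISHED
tcp        0      0 192.0.2.10:5432         203.0.113.25:51844      ESTABLISHED
tcp        0      0 192.0.2.10:5432         203.0.113.25:51850      TIME_WAIT
tcp        0      0 192.0.2.10:38220        203.0.113.99:5432       ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.7:40200      ESTABLISHED
tcp6       0      0 2001:db8::10:5432       2001:db8::beef:49152    ESTABLISHED
EOF
}

# pg_peers [port]: read `netstat -an` output on stdin, print "count ip" lines,
# busiest remote address first.
pg_peers() {
    awk -v port="${1:-5432}" '
        # Split "addr:port" at the LAST colon so IPv6 addresses survive.
        function host(a) { sub(/:[^:]*$/, "", a); return a }
        function prt(a)  { sub(/^.*:/, "", a);    return a }
        # $4 = local address, $5 = foreign address, $6 = state
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && prt($4) == port {
            n[host($5)]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Live use on the database host:  netstat -an | pg_peers 5432
```

Like the one-liner it is based on, this only sees connections that are open at the moment it runs; a failed login that has already disconnected will not appear.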