Written by Zoran on 11-November-2002.
Once you've set up your firewall you may start getting log entries from hosts trying to do things they shouldn't. IPchains/IPtables does a nice job of logging a lot of valuable information about each connection, one item being the offender's IP address. While most scans aren't worth bothering about, there are some you might want to know more about.
The number of stubborn and amazingly motivated hosts that "like" to tickle my firewall made me write the "getip" script, which uses "fwhois" to query a whois database. It's an ASCII menu facilitating the search for information about any host's IP, the service name it's trying to connect to, the protocol used, the host's abuse mail address, the number of occurrences of the host's IP in your logs, etc...
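As an added illustration of the kind of work the menu does (this is not the getip script itself, which is only available via the download link), the following POSIX shell functions pull the SRC, PROTO and DPT fields out of iptables LOG lines, count how often each source address appears, and list which ports it probed. The log lines are constructed samples using RFC 5737 documentation addresses; the service-name lookup relies on getent and /etc/services and falls back to the bare port number when neither is available; the whois helper is defined but not called, since it needs network access.

```shell
#!/bin/sh
# Added example: summarise iptables LOG entries by source address.
# Constructed sample log file (RFC 5737 addresses), removed again on exit.
SAMPLE_LOG="${TMPDIR:-/tmp}/getip-sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Nov 11 03:14:15 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=40 TTL=52 ID=0 PROTO=TCP SPT=4021 DPT=22 SYN
Nov 11 03:14:16 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=40 TTL=52 ID=0 PROTO=TCP SPT=4022 DPT=23 SYN
Nov 11 03:14:17 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 LEN=44 TTL=110 ID=7 PROTO=UDP SPT=1029 DPT=137
Nov 11 03:15:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=40 TTL=52 ID=0 PROTO=TCP SPT=4023 DPT=22 SYN
EOF

# Print "count ip" pairs, busiest source first.
count_sources() {
    sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Number of log entries from one source address.  The trailing space after the
# address keeps 203.0.113.7 from also matching 203.0.113.70; "|| true" keeps a
# zero count from being reported as an error by grep's exit status.
ip_hits() {
    grep -c "SRC=$2 " "$1" || true
}

# Unique "PROTO DPT" pairs seen from one source, i.e. which services it probed.
ip_targets() {
    grep "SRC=$2 " "$1" | sed -n 's/.*PROTO=\([A-Z]*\).*DPT=\([0-9]*\).*/\1 \2/p' | sort -u
}

# Service name for a port and protocol via getent (reads /etc/services).
# Falls back to the port number when getent or the entry is missing.
service_name() {
    proto_lc=$(echo "$2" | tr 'A-Z' 'a-z')
    name=$(getent services "$1/$proto_lc" 2>/dev/null | awk '{print $1}')
    echo "${name:-$1}"
}

# Ask a whois server about an address.  fwhois is what the original text uses;
# plain whois is the usual fallback.  Needs network access, so it is not run here.
lookup_whois() {
    if command -v fwhois >/dev/null 2>&1; then fwhois "$1"; else whois "$1"; fi
}

# Human-readable summary: one block per source, listing the ports it touched.
report() {
    count_sources "$1" | while read -r n ip; do
        echo "$ip: $n entries"
        ip_targets "$1" "$ip" | while read -r proto port; do
            echo "  $proto/$port ($(service_name "$port" "$proto"))"
        done
    done
}

report "$SAMPLE_LOG"
```

Run it against your real log by replacing SAMPLE_LOG with the file your syslog writes kernel messages to; the exact-match "SRC=addr " pattern is the detail most quick grep one-liners get wrong when counting a single address.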
Put the script in a dir where you keep your other scripts. I keep mine in /usr/local. This location isn't mandatory; just make sure it's somewhere on your path. To see what your path looks like, type this in xterm or kterm:
The result might look like this:
The dirs are separated by a colon. This means that executable files in any of these dirs will be found by the shell.
Keeping it in /usr/local makes it simpler to manage. The permissions on this dir can be set so that normal users can access it. /usr and /bin are system dirs and shouldn't have their permissions changed.
Once you've found the location, typing "getip" (or whatever name you give the script) will launch the menu.
Open the script in your editor (vi, pico, etc...) and add or remove options; each line is documented. Don't forget to set the permissions: chown [user]:[user] getip and chmod 770 getip.
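The install steps above (check that the dir is on your path, copy the script in, chown and chmod it) as one runnable POSIX shell example; this is added here and is not part of the original page. It works on a stand-in file written to a temporary directory rather than the real getip script, and the owner defaults to the current user's numeric uid and gid so that chown succeeds without root.

```shell
#!/bin/sh
# Added example: verify a dir is on PATH, then install a script with mode 770.

# Return 0 if $1 is one of the colon-separated entries of $2 (defaults to $PATH).
# Entries are compared whole, so /usr/local does not match /usr/local/bin.
dir_in_path() {
    wanted=$1
    list=${2:-$PATH}
    saved_ifs=$IFS
    IFS=:
    for entry in $list; do
        if [ "$entry" = "$wanted" ]; then
            IFS=$saved_ifs
            return 0
        fi
    done
    IFS=$saved_ifs
    return 1
}

# Copy $1 to $2/getip, give it to $3 (user:group, default: current uid:gid)
# and restrict it to owner and group, as the text's chown/chmod lines do.
install_script() {
    src=$1
    dest_dir=$2
    owner=${3:-$(id -u):$(id -g)}
    cp "$src" "$dest_dir/getip"
    chown "$owner" "$dest_dir/getip"
    chmod 770 "$dest_dir/getip"
}

# Octal permission bits of a file; GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Demonstration in a scratch dir that is removed on exit.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
# Stand-in for the downloaded script; the real getip is not reproduced here.
printf '#!/bin/sh\necho "getip menu placeholder"\n' > "$DEMO_DIR/getip.src"
install_script "$DEMO_DIR/getip.src" "$DEMO_DIR"
echo "installed $DEMO_DIR/getip with mode $(file_mode "$DEMO_DIR/getip")"

if dir_in_path /usr/local; then
    echo "/usr/local is on your PATH; 'getip' will be found from there"
else
    echo "/usr/local is not on your PATH; add it or pick a dir that is"
fi
```

Mode 770 means other users cannot even read the script, which is sensible for something that shells out to whois with addresses taken straight from your logs.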
The script doesn't manipulate system files and doesn't install anything before or after being used. To get rid of the script you just delete it.
Read WARNING on http://www.linux-sxs.org/stepbystep.htm before you start implementing tips found on this and other pages.
Shift + click here to download the gzipped script.