[stunnel-users] Fw: Reverse DNS lookup in stunnel log possible?
Michael D. Setzer II
mikes at kuentos.guam.net
Fri Jul 26 23:17:38 CEST 2013
On 26 Jul 2013 at 11:16, mkanet at yahoo.com wrote:
Date sent: Fri, 26 Jul 2013 11:16:22 -0700 (PDT)
From: "mkanet at yahoo.com" <mkanet at yahoo.com>
To: "stunnel-users at stunnel.org" <stunnel-users at stunnel.org>
Subject: [stunnel-users] Fw: Reverse DNS lookup in stunnel log possible?
Send reply to: "mkanet at yahoo.com" <mkanet at yahoo.com>
> I haven't posted on this mail list in a while. Is there anyone still
> out there? I hope I'm sending to the correct mail-list. Is there a
> better place I can ask my question below?
>
> I'm pretty sure I can't be the first person who wanted to see reverse
> DNS name lookup in the stunnel log. I tried looking in the settings
> and documentation; but, didn't see anything related to this.
>
> ----- Forwarded Message -----
>
> I currently have stunnel strip SSL from incoming https connections;
> which then passes the connections to a proxy before ultimately
> reaching my web server. So, the only easy way to see where incoming
> connections are coming from are in the stunnel log.
>
> Below, is a small example of what my stunnel log looks like (no, those
> aren't the real IPs :) ). The information below would be much
> more useful to me if it included the DNS names in addition to their
> numeric IP.
>
> I currently have the latest Windows version of stunnel installed. It
> would be great to know how to get it to resolve DNS names as well in
> the log file; preferably without impeding general stunnel
> performance. I tried several debug levels; but none of them did reverse
> DNS lookup. Hopefully someone knows how to do this on a Windows
> stunnel setup.
>
> 2013.07.23 10:16:00 LOG5[10152:15136]: Service [stunnel-sslh] connected remote server from 24.12.152.129:58773
> 2013.07.23 10:16:00 LOG3[10152:15136]: SSL_read: Connection reset by peer (WSAECONNRESET) (10054)
> 2013.07.23 10:16:00 LOG5[10152:15136]: Connection reset: 272 byte(s) sent to SSL, 96 byte(s) sent to socket
> 2013.07.23 10:17:53 LOG5[10152:4000]: Service [stunnel-sslh] accepted connection from 71.194.51.232:5535
> 2013.07.23 10:17:53 LOG5[10152:4000]: connect_blocking: connected 24.12.152.129:7777
> 2013.07.23 10:17:53 LOG5[10152:4000]: Service [stunnel-sslh] connected remote server from 24.12.152.129:58799
> 2013.07.23 10:17:53 LOG5[10152:13212]: Service [stunnel-sslh] accepted connection from 71.194.51.232:5508
> 2013.07.23 10:17:53 LOG5[10152:3348]: Service [stunnel-sslh] accepted connection from 71.194.51.232:5509
> 2013.07.23 10:17:53 LOG5[10152:2884]: Service [stunnel-sslh] accepted connection from 71.194.51.232:5519
>
>
Don't know on windows, but did a little test with a script to get the
hostnames. First did a test using your records, and then used my
current stunnel.log
script stlog.chk
==================
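# Collect the unique IPv4 addresses that appear in the stunnel log
grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' /var/log/stunnel.log | sort -u >stout
# Start with an empty result file
: >stout2
# Write one "address hostname" line per address
while read -r a; do
  printf '%s ' "$a" >>stout2
  host "$a" | awk '{print $5}' >>stout2
done <stout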
The results of stout2 are
127.0.0.1 localhost.
173.194.74.108 qe-in-f108.1e100.net.
173.194.74.109 qe-in-f109.1e100.net.
192.168.128.201 3(NXDOMAIN)
74.125.25.108 pa-in-f108.1e100.net.
74.125.25.109 pa-in-f109.1e100.net.
Probably would want to add some code to filter out private
addresses.
Final step would be to scan original log and add the name on
each of the lines with an ip.
+----------------------------------------------------------+
Michael D. Setzer II - Computer Science Instructor
Guam Community College Computer Center
mailto:mikes at kuentos.guam.net
mailto:msetzerii at gmail.com
http://www.guam.net/home/mikes
Guam - Where America's Day Begins
G4L Disk Imaging Project maintainer
http://sourceforge.net/projects/g4l/
+----------------------------------------------------------+
http://setiathome.berkeley.edu (Original)
Number of Seti Units Returned: 19,471
Processing time: 32 years, 290 days, 12 hours, 58 minutes
(Total Hours: 287,489)
BOINC at HOME CREDITS
SETI 15540600.945971 | EINSTEIN 12495097.479852
ROSETTA 8051875.704643 | ABC 16197684.012277
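
Added example, not part of the original post: a Python sketch of the two remaining steps the reply mentions, skipping private addresses and writing the name onto each log line that contains an IP. It goes one step beyond the post by forward-confirming each PTR name and rejecting names with non-hostname characters, since reverse DNS data is controlled by whoever owns the address block. The function names, the bracketed label format and the example.net/example.org names are assumptions made for illustration.

```python
import ipaddress
import re
import socket
from functools import lru_cache

# IPv4 address with optional :port, as in "from 71.194.51.232:5535"
IP_RE = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(:\d+)?(?!\d|\.\d)")
# PTR data is remote-controlled: accept hostname characters only
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,253}")

def system_lookup(ip):
    """Return (PTR name, set of IPv4 addresses that name resolves to)."""
    name = socket.gethostbyaddr(ip)[0]
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        infos = []                    # PTR exists but the name has no A record
    return name, {info[4][0] for info in infos}

def make_annotator(lookup=system_lookup):
    @lru_cache(maxsize=4096)          # one lookup per distinct address
    def label(ip):
        try:
            if not ipaddress.ip_address(ip).is_global:
                return ""             # private, loopback, link-local: skip
        except ValueError:
            return ""                 # e.g. 999.1.1.1 is not an address
        try:
            name, forward = lookup(ip)
        except OSError:
            return " [no-ptr]"
        name = name.rstrip(".")
        if not SAFE_NAME.fullmatch(name):
            return " [ptr-rejected]"
        # Forward-confirm: the name must resolve back to the logged address
        return f" [{name}]" if ip in forward else f" [{name} unverified]"

    def annotate(line):
        return IP_RE.sub(lambda m: m.group(0) + label(m.group(1)), line)
    return annotate

if __name__ == "__main__":
    # Constructed PTR data so the demo runs offline; the names are made up
    table = {"24.12.152.129": ("proxy.example.net.", {"24.12.152.129"}),
             "71.194.51.232": ("cust.example.org.", {"198.51.100.9"})}
    annotate = make_annotator(lambda ip: table[ip])
    for line in ("LOG5[1:2]: accepted connection from 71.194.51.232:5535",
                 "LOG5[1:2]: connect_blocking: connected 24.12.152.129:7777"):
        print(annotate(line))
```

Running this as a post-processing pass over a copy of the log, rather than inside stunnel, keeps slow or failing DNS lookups out of the connection path.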