When securing a Linux system, monitoring incoming connections to specific ports is crucial. For VNC services (typically using port 5901) or other sensitive ports, logging connection attempts provides valuable security insights.
The most effective method is leveraging iptables with logging rules. Here's how to implement it:
# First, create a custom logging chain
sudo iptables -N PORT5901_LOG
# Then add rules to log connections
sudo iptables -A INPUT -p tcp --dport 5901 -j PORT5901_LOG
sudo iptables -A PORT5901_LOG -j LOG --log-prefix "PORT5901-ACCESS: " --log-level 4
# Note: this chain drops the traffic after logging it, so the port is closed to
# everyone; use -j ACCEPT (or a preceding rule for trusted sources) if a
# service on 5901 must stay reachable
sudo iptables -A PORT5901_LOG -j DROP
# Make the rules persistent
sudo apt-get install iptables-persistent
sudo netfilter-persistent save
To store these logs separately for easier analysis:
# Create a custom log file configuration
echo ':msg, contains, "PORT5901-ACCESS" /var/log/port5901.log' | sudo tee /etc/rsyslog.d/port5901.conf
# Restart rsyslog
sudo systemctl restart rsyslog
For temporary monitoring or debugging, tcpdump works well:
sudo tcpdump -i eth0 -nn -l 'tcp port 5901' | tee port5901_connections.log
Extract IP addresses from logs using these commands:
# From iptables logs
grep -oP 'SRC=\K[0-9.]+' /var/log/port5901.log | sort | uniq
# From tcpdump output
awk '{print $3}' port5901_connections.log | cut -d. -f1-4 | sort | uniq
Create a Python script to monitor and alert on suspicious activity:
#!/usr/bin/env python3
import subprocess
from collections import defaultdict

def monitor_port():
    ip_count = defaultdict(int)
    threshold = 5  # Alert after 5 attempts
    # -l line-buffers tcpdump's output so each packet arrives as its own line
    process = subprocess.Popen(['tcpdump', '-i', 'eth0', '-nn', '-l', 'tcp port 5901'],
                               stdout=subprocess.PIPE,
                               universal_newlines=True)
    for line in process.stdout:
        fields = line.split()
        # Expected form: "<time> IP <src>.<sport> > <dst>.<dport>: Flags ..."
        if len(fields) < 5 or fields[1] != 'IP':
            continue
        # Only count packets addressed to 5901; the capture filter also matches
        # the service's own replies, whose source is the server itself
        if not fields[4].endswith('.5901:'):
            continue
        ip_str = '.'.join(fields[2].split('.')[0:4])
        ip_count[ip_str] += 1
        if ip_count[ip_str] >= threshold:
            print(f"ALERT: Suspicious activity from {ip_str} ({ip_count[ip_str]} attempts)")

if __name__ == "__main__":
    monitor_port()
Remember that exposed ports should always be protected with:
- Firewall rules limiting access to trusted IPs
- Fail2ban integration to block repeated attempts
- Regular log rotation to prevent disk space issues
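The IP-extraction commands above depend on field positions, which shift between tcpdump versions (the `-i any` form prints interface and direction columns first) and also pick up the server's own replies. The following is an added example, not code from the original answer: it parses constructed iptables LOG lines and tcpdump lines by structure instead, keeps only packets addressed to the watched port, and applies the same per-source threshold idea as the monitoring script. Sample log lines, the `vnchost` name and the addresses are all constructed.

```python
#!/usr/bin/env python3
"""Pull source addresses out of iptables LOG lines and tcpdump output.

Added example, not code from the original answer. Both extractions above
rely on field positions; this version matches the key=value / "src > dst"
structure instead, and only counts packets addressed to the watched port,
so the service's own replies are not mistaken for attempts.
"""
import re
from collections import Counter

WATCHED_PORT = 5901

# Constructed sample kernel-log lines, in the format the LOG target writes
# with the "PORT5901-ACCESS: " prefix used above.
IPTABLES_LINES = """\
Jan 10 12:00:01 vnchost kernel: [1234.5] PORT5901-ACCESS: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=5901 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:03 vnchost kernel: [1236.9] PORT5901-ACCESS: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51235 DPT=5901 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:05 vnchost kernel: [1238.0] PORT5901-ACCESS: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40000 DPT=5901 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# Constructed sample tcpdump -nn output: a client SYN, the server's SYN-ACK
# reply, a retransmitted client SYN, and a line in the "interface direction"
# form that newer tcpdump releases print for -i any.
TCPDUMP_LINES = """\
12:00:01.000123 IP 203.0.113.7.51234 > 192.0.2.10.5901: Flags [S], seq 1, win 64240, length 0
12:00:01.000456 IP 192.0.2.10.5901 > 203.0.113.7.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:02.000789 IP 203.0.113.7.51234 > 192.0.2.10.5901: Flags [S], seq 1, win 64240, length 0
eth0  In  IP 198.51.100.4.40000 > 192.0.2.10.5901: Flags [S], seq 3, win 64240, length 0
"""

IPT_RE = re.compile(r'SRC=(?P<src>[0-9a-fA-F.:]+) DST=\S+ .*?PROTO=(?P<proto>\w+) '
                    r'SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)')
TCPDUMP_RE = re.compile(r'\bIP6? (?P<src>\S+?)\.(?P<spt>\d+) > (?P<dst>\S+?)\.(?P<dpt>\d+):')


def parse_iptables(lines):
    """Yield (source address, destination port) for each LOG line that parses."""
    for line in lines:
        m = IPT_RE.search(line)
        if m:
            yield m.group('src'), int(m.group('dpt'))


def parse_tcpdump(lines):
    """Yield (source address, destination port) for each tcpdump line; the
    search locates the 'IP' token, so extra leading columns do not matter."""
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if m:
            yield m.group('src'), int(m.group('dpt'))


def inbound_sources(records, port=WATCHED_PORT):
    """Sorted unique addresses that sent packets to `port` (the sort|uniq step)."""
    return sorted({src for src, dpt in records if dpt == port})


def count_attempts(records, port=WATCHED_PORT, threshold=5):
    """Addresses that reached `threshold` packets to `port`, with their counts."""
    counts = Counter(src for src, dpt in records if dpt == port)
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("iptables sources:", inbound_sources(parse_iptables(IPTABLES_LINES.splitlines())))
    print("tcpdump sources:", inbound_sources(parse_tcpdump(TCPDUMP_LINES.splitlines())))
    print("repeat offenders:", count_attempts(parse_tcpdump(TCPDUMP_LINES.splitlines()), threshold=2))
```

Feeding `/var/log/port5901.log` or the tcpdump capture file through `parse_iptables` / `parse_tcpdump` in place of the constructed strings gives the same per-source counts the shell pipelines produce, minus the server's replies.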
Monitoring incoming connections to specific ports is a common security practice. If you're running a VNC server (default port 5901) or any service on this port, logging connection attempts helps detect unauthorized access. Here's how to implement this on Debian-based systems.
The most efficient method is using iptables to log connection attempts before they reach your service:
# --syn logs only new connection attempts; without it every packet of an
# established VNC session is logged, which floods syslog and would trip the
# Fail2ban jail below for legitimate users
sudo iptables -A INPUT -p tcp --dport 5901 --syn -j LOG --log-prefix "VNC_CONNECTION: "
sudo iptables -A INPUT -p tcp --dport 5901 -j ACCEPT
This will log all connection attempts to /var/log/kern.log or /var/log/syslog with your specified prefix.
To survive reboots, install iptables-persistent:
sudo apt-get install iptables-persistent
sudo netfilter-persistent save
For temporary monitoring without modifying firewall rules:
sudo tcpdump -i any -nn -l 'tcp port 5901' | tee port_5901_connections.log
This captures all traffic to port 5901 and saves it to a file while displaying output in real-time.
Extract IP addresses from syslog entries:
# Match the SRC= field by name rather than by position, which varies with the MAC= field
grep "VNC_CONNECTION" /var/log/syslog | grep -oP 'SRC=\K[0-9.]+' | sort | uniq
Or from tcpdump output:
# Print the field after the "IP" token; with -i any, newer tcpdump prefixes interface and direction columns, so the address is not always field 3
awk '{for (i = 1; i < NF; i++) if ($i == "IP") print $(i+1)}' port_5901_connections.log | cut -d. -f1-4 | sort | uniq
Automatically block suspicious IPs by creating a Fail2ban filter:
# Jail definition, in /etc/fail2ban/jail.local
[vnc-connect]
enabled = true
filter = vnc-connect
logpath = /var/log/syslog
maxretry = 3
findtime = 600
bantime = 3600
Create /etc/fail2ban/filter.d/vnc-connect.conf:
[Definition]
# <HOST> marks the address to ban; Fail2ban refuses to load a failregex without it
failregex = ^.*VNC_CONNECTION: .* SRC=<HOST> 
ignoreregex =
Combining iptables logging with automated tools like Fail2ban creates a robust monitoring solution for port 5901. Regular log review helps identify potential security threats early.
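Before enabling the jail, it helps to see what maxretry, findtime and bantime actually do to a stretch of log. The script below is an added example, not Fail2ban's own code: it converts a failregex written with the <HOST> tag into a Python pattern and replays the jail settings from the section above over constructed syslog lines, reporting which addresses would be banned and when. The `vnchost` name, the addresses, the timestamps and the assumed log year are all constructed; the real daemon additionally strips timestamps and accepts hostnames and IPv6 in <HOST>, which this dry run does not model.

```python
#!/usr/bin/env python3
"""Dry-run the vnc-connect jail against sample syslog lines.

Added example, not Fail2ban's own code. It turns a failregex written with
the <HOST> tag into a Python pattern and applies the maxretry/findtime/
bantime values from the jail section above to constructed log lines, so
you can see which addresses the jail would ban, and when, before enabling
it. Only literal IP addresses are handled in <HOST>.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILREGEX = r'^.*VNC_CONNECTION: .* SRC=<HOST> '
MAXRETRY, FINDTIME, BANTIME = 3, 600, 3600   # values from the jail section above
LOG_YEAR = 2024                              # syslog lines carry no year (assumed)


def kernel_line(stamp, src):
    """Build a constructed syslog line in the shape the LOG target produces."""
    return (f"{stamp} vnchost kernel: [100.0] VNC_CONNECTION: IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=192.0.2.10 "
            f"LEN=60 PROTO=TCP SPT=51234 DPT=5901 SYN URGP=0")


# Constructed sample: 203.0.113.7 connects four times in two minutes,
# 198.51.100.4 twice, and 192.0.2.50 three times spread over 21 minutes.
SAMPLE_LOG = [kernel_line(s, ip) for s, ip in [
    ("Jan 10 12:00:01", "203.0.113.7"),
    ("Jan 10 12:00:20", "198.51.100.4"),
    ("Jan 10 12:00:45", "203.0.113.7"),
    ("Jan 10 12:01:30", "203.0.113.7"),   # third hit within findtime -> ban
    ("Jan 10 12:02:00", "203.0.113.7"),   # already banned, ignored
    ("Jan 10 12:05:00", "192.0.2.50"),
    ("Jan 10 12:10:00", "198.51.100.4"),  # second hit only, no ban
    ("Jan 10 12:14:00", "192.0.2.50"),
    ("Jan 10 12:26:00", "192.0.2.50"),    # earlier hits have aged out of findtime
]]


def compile_failregex(failregex):
    """Replace <HOST> with a capture group, as Fail2ban does; a failregex
    without a host tag is rejected, mirroring the daemon's refusal to load it."""
    if '<HOST>' not in failregex:
        raise ValueError("failregex has no <HOST> tag; nothing could be banned from it")
    return re.compile(failregex.replace('<HOST>', r'(?P<host>[0-9a-fA-F.:]+)'))


def parse_stamp(line, year=LOG_YEAR):
    """Parse the leading 'Mon DD HH:MM:SS' syslog timestamp."""
    return datetime.strptime(line[:15], '%b %d %H:%M:%S').replace(year=year)


def evaluate_jail(lines, failregex=FAILREGEX, maxretry=MAXRETRY,
                  findtime=FINDTIME, bantime=BANTIME):
    """Return {host: ban start time} for hosts that reach maxretry matching
    lines within findtime seconds; lines during an active ban are ignored."""
    regex = compile_failregex(failregex)
    hits = defaultdict(list)
    banned_until = {}
    bans = {}
    for line in lines:
        m = regex.search(line)
        if not m:
            continue
        host, when = m.group('host'), parse_stamp(line)
        if host in banned_until and when < banned_until[host]:
            continue
        # keep only hits inside the findtime window, then add this one
        hits[host] = [t for t in hits[host] if when - t <= timedelta(seconds=findtime)]
        hits[host].append(when)
        if len(hits[host]) >= maxretry:
            bans[host] = when
            banned_until[host] = when + timedelta(seconds=bantime)
            hits[host] = []
    return bans


if __name__ == "__main__":
    for host, when in evaluate_jail(SAMPLE_LOG).items():
        print(f"would ban {host} at {when:%H:%M:%S} for {BANTIME}s")
```

Lowering maxretry to 2 in the same replay bans all three addresses, which is a quick way to check whether a proposed setting would catch real users who reconnect a few times in ten minutes; the official `fail2ban-regex` tool performs the same kind of dry run against a real log file with the real <HOST> semantics.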