LinuxQuestions.org
Old 04-01-2008, 03:35 PM   #1
bskrakes
Member
 
Registered: Sep 2006
Location: Canada, Alberta
Distribution: RHEL 4 and up, CentOS 5.x, Fedora Core 5 and up, Ubuntu 8 and up
Posts: 251

Rep: Reputation: 32
Network traffic -- monitor my incoming and outgoing ports


Hi there!

So I have been thinking about monitoring my network traffic on my server, but I don't really have the greatest idea where I should start. Having said that, I have played with "Wireshark" for Windows and I know that there is a version available for Linux. So can someone point me in the right direction of a good "How To" or an example of something that you have done for monitoring traffic (in/out) on your own server? I need to be able to LOG the traffic and monitor it as it's happening.

The reason I want to monitor and more importantly LOG the traffic coming in/out of my server is because I want to track authorized access and un-authorized access (that is if there is any)!!!!

I know the first thing an administrator should do (or at least in my mind) is disable root access. I've done that and now I want to try a few more things to protect myself. I have a firewall on my router so I am not too worried about that (unless I should be???). I also have Watchdog which runs weekly and e-mails me a report - not too sure if it's any good.

This thread could go under "Linux Security" but my question is for networking as I want to log and monitor inbound and outbound connections on my server (the other security stuff was just a side note).

Any and all help would be great, thanks!
 
Old 04-01-2008, 03:39 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Well, firstly, Wireshark is a Unix package first, a Windows package second ;-) That said though, Wireshark is totally not what you want at all; Wireshark is for exceptions, not the norm. For that I'd probably suggest ntop, but you're pretty vague on what "LOG" really means to you here. You can easily log traffic within iptables using the LOG target, or send it into userspace using the ULOG target. Generally, unauthorized access shouldn't need to be monitored, as it should just be impossible in the first place due to good firewall rules.
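The iptables LOG target mentioned above writes one kernel log line per matched packet, carrying SRC=, DST=, PROTO=, SPT= and DPT= fields. As an added example (not from this thread, and not a tool any of the posters named) of what that kind of logging then gives you, the POSIX shell script below summarises such lines into counts per source, protocol and destination port, and lists sources that exceed a threshold. The log prefix "IPT-DROP: " and the sample log lines are constructed for the example; in real use, feed it whatever file your syslog writes kernel messages to.

```shell
#!/bin/sh
# Added example (not from the thread): turn iptables LOG lines into a summary.
# Assumptions: the LOG rules use the prefix "IPT-DROP: "; the sample lines below
# are constructed, in the format the kernel writes for "-j LOG".
SAMPLE_LOG=$(cat <<'EOF'
Apr  1 15:35:01 mail kernel: IPT-DROP: IN=eth0 OUT= MAC=00:16:3e:01:02:03:00:50:56:aa:bb:cc:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  1 15:35:02 mail kernel: IPT-DROP: IN=eth0 OUT= MAC=00:16:3e:01:02:03:00:50:56:aa:bb:cc:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54322 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  1 15:35:03 mail kernel: IPT-DROP: IN=eth0 OUT= MAC=00:16:3e:01:02:03:00:50:56:aa:bb:cc:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40000 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  1 15:35:04 mail kernel: IPT-DROP: IN=eth0 OUT= MAC=00:16:3e:01:02:03:00:50:56:aa:bb:cc:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=UDP SPT=5060 DPT=5060 LEN=28
Apr  1 15:35:05 mail sshd[1234]: Accepted publickey for admin from 203.0.113.20 port 51000 ssh2
EOF
)

# summarise_drops PREFIX   (log lines on stdin)
# Prints "count src proto dport", most frequent first. Lines without the
# prefix (for example sshd's own messages) are ignored.
summarise_drops() {
    grep -F "$1" | awk '{
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue               # bare flags such as "DF" or "SYN"
            if (kv[1] == "SRC") { src = kv[2] }
            else if (kv[1] == "PROTO") { proto = kv[2] }
            else if (kv[1] == "DPT") { dpt = kv[2] }
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# noisy_sources PREFIX THRESHOLD   (log lines on stdin)
# Prints each SRC address with at least THRESHOLD dropped packets: candidates
# for a temporary block (an ipset, or "iptables -I INPUT -s ADDR -j DROP").
noisy_sources() {
    grep -F "$1" | awk -v t="$2" '{
        for (i = 1; i <= NF; i++)
            if (substr($i, 1, 4) == "SRC=") c[substr($i, 5)]++
    }
    END { for (s in c) if (c[s] >= t) print s }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | summarise_drops "IPT-DROP: "
printf '%s\n' "$SAMPLE_LOG" | noisy_sources "IPT-DROP: " 3
```

Both functions aggregate at end of input, so they suit a cron job or a daily report rather than live viewing; to watch "as it's happening", tail -F the same log file and grep for the prefix. Note that the LOG target records packets, not logins: a successful SSH session shows up in sshd's own log (the last sample line), not in the firewall log.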
 
Old 04-01-2008, 06:11 PM   #3
bskrakes
Member
 
Registered: Sep 2006
Location: Canada, Alberta
Distribution: RHEL 4 and up, CentOS 5.x, Fedora Core 5 and up, Ubuntu 8 and up
Posts: 251

Original Poster
Rep: Reputation: 32
Fair enough, but this world is not perfect and there is no way you can guarantee that someone will not be able to access your system!!! However, if you want to believe that there isn't someone out there who can break your security then that's fine.

As for logging the access, I simply want to know when someone successfully accesses the system. I know that there is built-in logging in Linux but I need to make it more specific - like you said, I can log with iptables, but is that really logging what I need?

I will take a look at ntop, thank you!
 
Old 04-01-2008, 07:39 PM   #4
beadyallen
Member
 
Registered: Mar 2008
Location: UK
Distribution: Fedora, Gentoo
Posts: 209

Rep: Reputation: 36
Have a look at the logging features in iptables. No sense in installing anything else if that's enough for you. Wireshark use in Linux is just like in Windows, but it's overkill if you just want to check IP addresses that are trying to log in. And also, most of your server daemons will (should) be creating their own activity logs.

edit: For some reason I didn't notice the other replies, and only saw your first question, so I've repeated what's been said.

When you say you need it more specific, in what way? For example, sshd can log verbosely, giving you all the info you want.

Last edited by beadyallen; 04-01-2008 at 07:42 PM.
 
Old 04-01-2008, 09:51 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by bskrakes
I want to track authorized access and un-authorized access
To define unauthorised access I think you first need to define what you allow. This depends on what services you run, who should be able to access those and what your network policy is.

For a simplified example take for instance a mailserver serving one domain. Its only purpose is to store and shove e-mail back and forth and for that it only needs to accept traffic related to DNS, SMTP, IMAP, POP3, their related secure versions and only for that domain. (It'll probably allow an admin to SSH in.) Since it shouldn't provide any other services to the world, this means the tcp_wrappers and firewall policy can be quite simple, denying all other traffic, which defines what's not allowed. If you configure the MTA to only accept e-mail from certain domains, only relay for certain domains, require users to use POP-before-SMTP for sending e-mail and require users to use IMAPS for reading, then any other type of login becomes unauthorised. With SSH, if you deny root account access and require public key auth instead of passwords and restrict access to only ranges the admins can come in from, you've restricted access. On top of that you can use an IDS to monitor allowed traffic for people trying to exploit services. Since you deny all other traffic it cuts down on the amount of monitoring you need and the amount of logging to process, which in turn is better for overall performance. Top down:
- restrictions in the MTA give you logged auth violations you can act on (Logwatch, Sma),
- restrictions in the sshd give you logged auth violations you can act on (see http://www.linuxquestions.org/questi...tempts-340366/),
- sniffing packet contents (Snort, Prelude) gives you information on usage violations like exploits (Guardian, etc.),
- a default DENY policy (and only opening up for necessary ports) and -j LOG target rules in iptables give you access violations (but only relevant wrt address and port) you can act on automagically (for example the iptables recent module, fwlogwatch),
- filling in /etc/hosts.allow with allowed services and domains doesn't provide extra logging by default but can be a basis.

Mind you, this is only a simplified example, but it should show that monitoring is a combination of policy (think), configuration (act) and auditing (react). Tools are just things to help you accomplish your goal.
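The mail-server policy described in the post above, as an added example that is not part of the thread (and also covering the verbose sshd logging beadyallen mentioned): a POSIX shell script that prints a default-DENY iptables ruleset in iptables-restore format, with SSH limited to the admin range and throttled with the recent module, everything refused logged (rate-limited) before being dropped, plus the sshd_config lines that deny root, require keys and turn on verbose logging. The admin range 203.0.113.0/24, the log prefix "IPT-DROP: " and the port list are assumptions for the example, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): the default-DENY policy and SSH
# restrictions described above, as generated configuration. Assumed values:
# the admin range passed as $1 (203.0.113.0/24 in the usage line) and the
# log prefix "IPT-DROP: ".

# mailserver_ruleset ADMIN_NET
# iptables-restore ruleset for a single-domain mail server: accept only mail
# protocols from anywhere, SSH only from ADMIN_NET, log and drop the rest.
# DNS needs no INPUT rule: the server is a DNS client, and replies to its own
# queries come back through the ESTABLISHED,RELATED rule.
mailserver_ruleset() {
    admin_net="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j LOGDROP
-A INPUT -p tcp -m multiport --dports 25,465,587,110,995,143,993 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -s $admin_net -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport 22 -s $admin_net -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 5 -j LOGDROP
-A INPUT -p tcp --dport 22 -s $admin_net -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "IPT-DROP: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}
# The three SSH rules: the 5th new connection from one admin address within
# 60 s is logged and dropped, so a stolen admin workstation cannot hammer sshd.
# The LOG rule is rate-limited so that a flood cannot fill the log; the DROP
# behind it still applies to every packet.

# sshd_hardening
# sshd_config lines: no root login, keys only, VERBOSE logging (which records
# the fingerprint of the accepted key, so "who logged in" is answerable from
# the log). Append to sshd_config and check with "sshd -t" before restarting.
sshd_hardening() {
    cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LogLevel VERBOSE
EOF
}

# Usage (as root, from a console session you will not lose if the SSH rule
# is wrong): review, parse-check, apply.
#   mailserver_ruleset 203.0.113.0/24 | iptables-restore --test
#   mailserver_ruleset 203.0.113.0/24 | iptables-restore
#   sshd_hardening >> /etc/ssh/sshd_config && sshd -t
mailserver_ruleset 203.0.113.0/24
```

Outbound traffic is accepted and not logged here; to log outgoing connections as well, give OUTPUT a DROP policy and add rules for what the server itself initiates (DNS queries, SMTP to other MTAs). /etc/hosts.allow is left out on purpose: with the firewall already restricting the source range it adds no logging on its own, though it can be layered on top for daemons built with tcp_wrappers support.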
 
Old 04-02-2008, 08:44 AM   #6
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,371

Rep: Reputation: 2750
Quote:
I need to be able to LOG the traffic and monitor it as its happening.
Perhaps iptraf will do what you want.
 