Network traffic -- monitor my incoming and outgoing ports
Distribution: RHEL 4 and up, CentOS 5.x, Fedora Core 5 and up, Ubuntu 8 and up
Hi there!
So I have been thinking about monitoring my network traffic on my server but I don't really have the greatest idea where I should start. Having said that, I have played with "Wireshark" for Windows and I know that there is a version available for Linux. So can someone point me in the right direction of a good "How To" or an example of something that you have done for monitoring traffic (in/out) on your own server? I need to be able to LOG the traffic and monitor it as it's happening.
The reason I want to monitor and, more importantly, LOG the traffic coming in/out of my server is because I want to track authorized access and un-authorized access (that is, if there is any)!!!!
I know the first thing an administrator should do (or at least in my mind) is disable root access. I've done that and now I want to try a few more things to protect myself. I have a firewall on my router so I am not too worried about that (unless I should be???). I also have Watchdog which runs weekly and e-mails me a report - not too sure if it's any good.
This thread could go under "Linux Security" but my question is for networking as I want to log and monitor inbound and outbound connections on my server (the other security stuff was just a side note).
Well, firstly, Wireshark is a Unix package first, a Windows package second ;-) That said, though, Wireshark is totally not what you want at all; Wireshark is for exceptions, not the norm. For that I'd probably suggest ntop, but you're pretty vague on what "LOG" really means to you here. You can easily log traffic within iptables using the LOG target, or send it into userspace using the ULOG target. Generally unauthorized access shouldn't need to be monitored, as it should just be impossible in the first place due to good firewall rules.
Original Poster
Fair enough, but this world is not perfect and there is no way you can guarantee that someone will not be able to access your system!!! However, if you want to believe that there isn't someone out there who can break your security, then that's fine.
As for logging the access, I simply want to know when someone successfully accesses the system. I know that there is built-in logging in Linux but I need to make it more specific. Like you said, I can log with iptables, but is that really logging what I need?
Have a look at the logging features in iptables. No sense in installing anything else if that's enough for you. Wireshark use in Linux is just like in Windows, but it's overkill if you want to just check IP addresses that are trying to log in. And also, most of your server daemons will (should) be creating their own activity logs.
edit: For some reason I didn't notice the other replies, and only saw your first question, so I've repeated what's been said.
When you say you need it more specific, in what way? For example, sshd can log verbosely, giving you all the info you want.
Last edited by beadyallen; 04-01-2008 at 07:42 PM.
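As an added example (not from any poster in this thread): with sshd set to "LogLevel VERBOSE" in sshd_config, its log lines carry the auth method, user name, source address and key fingerprint, which is enough to answer "who got in, and who is hammering the door" straight from the log. The script below summarises such lines; the log lines, host name, user names and addresses are constructed placeholders, and the "key-only" policy it checks against is an assumption for the example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise sshd log lines the way a
# defender reviewing "who got in, who failed" would, assuming sshd runs with
#   LogLevel VERBOSE
# in sshd_config so that accepted logins carry the auth method and key.
# The log lines, host name, user names and addresses are constructed placeholders.

SAMPLE_AUTH_LOG='Apr  1 19:40:01 host sshd[2101]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Apr  1 19:40:17 host sshd[2107]: Failed password for root from 203.0.113.7 port 40112 ssh2
Apr  1 19:40:19 host sshd[2107]: Failed password for root from 203.0.113.7 port 40112 ssh2
Apr  1 19:40:25 host sshd[2111]: Invalid user admin from 203.0.113.7 port 40118
Apr  1 19:40:26 host sshd[2111]: Failed password for invalid user admin from 203.0.113.7 port 40118 ssh2
Apr  1 19:41:02 host sshd[2120]: Failed password for bob from 198.51.100.4 port 33000 ssh2
Apr  1 19:41:30 host sshd[2125]: Accepted password for bob from 198.51.100.4 port 33004 ssh2'

# Failed password attempts per source address, most active first.
# Usage: failed_per_source "$log_text"
failed_per_source() {
    printf '%s\n' "$1" |
        awk '/sshd\[[0-9]+\]: Failed password/ {
                 for (i = 1; i <= NF; i++) if ($i == "from") { src[$(i + 1)]++; break }
             }
             END { for (s in src) print src[s], s }' |
        sort -rn
}

# Successful logins as "method user source", one per line.
accepted_logins() {
    printf '%s\n' "$1" |
        awk '/sshd\[[0-9]+\]: Accepted / {
                 for (i = 1; i <= NF; i++)
                     if ($i == "Accepted") { print $(i + 1), $(i + 3), $(i + 5); break }
             }'
}

# Successful logins that did NOT use a public key: if the policy is
# "PasswordAuthentication no", every line printed here is a policy violation
# worth investigating (assumed policy for this example).
non_key_logins() {
    accepted_logins "$1" | awk '$1 != "publickey"'
}

echo "== failed attempts per source =="
failed_per_source "$SAMPLE_AUTH_LOG"
echo "== accepted logins =="
accepted_logins "$SAMPLE_AUTH_LOG"
echo "== accepted without public key =="
non_key_logins "$SAMPLE_AUTH_LOG"
```

Point it at the real file (/var/log/auth.log or /var/log/secure, depending on the distribution) by passing "$(cat /var/log/auth.log)" instead of the sample; the "accepted without public key" list is the one that should stay empty once password logins are disabled.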
I want to track authorized access and un-authorized access
To define unauthorised access I think you first need to define what you allow. This depends on what services you run, who should be able to access those and what your network policy is.
For a simplified example take for instance a mailserver serving one domain. Its only purpose is to store and shove e-mail back and forth and for that it only needs to accept traffic related to DNS, SMTP, IMAP, POP3, their related secure versions and only for that domain. (It'll probably allow an admin to SSH in.) Since it shouldn't provide any other services to the world, this means the tcp_wrappers and firewall policy can be quite simple, denying all other traffic, which defines what's not allowed. If you configure the MTA to only accept e-mail from certain domains, only relay for certain domains, require users to use POP-before-SMTP for sending e-mail and require users to use IMAPS for reading, then any other type of login becomes unauthorised. With SSH, if you deny root account access, require public key auth instead of passwords and restrict access to only ranges the admins can come in from, you've restricted access. On top of that you can use an IDS to monitor allowed traffic for people trying to exploit services. Since you deny all other traffic it cuts down on the amount of monitoring you need and the amount of logging to process, which in turn is better for overall performance. Top down:
- restrictions in the MTA give you logged auth violations you can act on (Logwatch, Sma),
- restrictions in the sshd give you logged auth violations you can act on (see http://www.linuxquestions.org/questi...tempts-340366/),
- sniffing packet contents (Snort, Prelude) gives you information on usage violations like exploits (Guardian etc, etc),
- a default DENY policy (and only opening up the necessary ports) and -j LOG target rules in iptables give you access violations (but only relevant wrt address and port) you can act on automagically (for example the iptables recent module, fwlogwatch),
- filling in /etc/hosts.allow with allowed services and domains doesn't provide extra logging by default but can be a basis.
Mind you, this is only a simplified example, but it should show that monitoring is a combination of policy (think), configuration (act) and auditing (react). Tools are just things to help you accomplish your goal.
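As an added example (not from any poster in this thread), here is what the "default DENY plus -j LOG" item above looks like for the simplified mailserver, together with the LOG target acraig mentioned, and a summariser for the kernel log lines that rule produces. The admin range, interface, addresses and log lines are constructed placeholders; the rule set is printed for review rather than applied, since iptables needs root and is not run here. One caveat for anyone following the ULOG suggestion on a current kernel: ULOG was removed from the kernel, and NFLOG (-j NFLOG, read with ulogd) is its replacement.

```shell
#!/bin/sh
# Added example (not from the thread): a default-DENY rule set for the
# simplified mailserver above, with a rate-limited "-j LOG" rule in front of
# the final DROP, plus a summariser for the kernel log lines that rule emits.
# The admin range, interface, addresses and log lines are constructed
# placeholders; the rule set is printed for review, not applied.

ADMIN_NET="192.0.2.0/24"   # assumed range the admins SSH in from
LOG_PREFIX="IPT-DENY: "    # shows up verbatim in the kernel log

# Print the iptables commands (pipe to "sh" as root to apply them).
print_ruleset() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# replies to our own connections (DNS lookups etc.) come back as ESTABLISHED
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the only services this host offers: SMTP, POP3, IMAP and their TLS versions
iptables -A INPUT -p tcp -m multiport --dports 25,110,143,465,993,995 -j ACCEPT
# admin SSH only from the admin range
iptables -A INPUT -p tcp -s $ADMIN_NET --dport 22 -j ACCEPT
# everything else: log it (rate-limited so a port scan cannot fill the disk), then drop it
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "$LOG_PREFIX" --log-level 4
iptables -A INPUT -j DROP
EOF
}

# Constructed kernel log lines of the kind the LOG rule above writes; the last
# line is an unrelated sshd entry to show that non-firewall lines are ignored.
SAMPLE_KERN_LOG='Apr  1 19:45:10 host kernel: IPT-DENY: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40510 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  1 19:45:11 host kernel: IPT-DENY: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40511 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  1 19:45:12 host kernel: IPT-DENY: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40512 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  1 19:46:30 host kernel: IPT-DENY: IN=eth0 OUT= SRC=198.51.100.99 DST=198.51.100.20 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=20
Apr  1 19:47:00 host sshd[2130]: Accepted publickey for alice from 192.0.2.10 port 51030 ssh2'

# Denied packets per source address, most active first.
# Usage: denied_per_source "$log_text"
denied_per_source() {
    printf '%s\n' "$1" |
        awk -v p="$LOG_PREFIX" 'index($0, "kernel: " p) {
                 for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) { count[substr($i, 5)]++; break }
             }
             END { for (s in count) print count[s], s }' |
        sort -rn
}

# Distinct PROTO/DPT pairs one source was denied on, in order of first sight.
# Usage: denied_ports_for "$log_text" <source address>
denied_ports_for() {
    printf '%s\n' "$1" |
        awk -v p="$LOG_PREFIX" -v want="$2" 'index($0, "kernel: " p) {
                 src = ""; proto = ""; dpt = ""
                 for (i = 1; i <= NF; i++) {
                     if ($i ~ /^SRC=/)   src = substr($i, 5)
                     if ($i ~ /^PROTO=/) proto = substr($i, 7)
                     if ($i ~ /^DPT=/)   dpt = substr($i, 5)
                 }
                 key = proto "/" dpt
                 if (src == want && !(key in seen)) { seen[key] = 1; print key }
             }'
}

echo "== rule set =="
print_ruleset
echo "== denied packets per source =="
denied_per_source "$SAMPLE_KERN_LOG"
echo "== ports 203.0.113.7 was denied on =="
denied_ports_for "$SAMPLE_KERN_LOG" 203.0.113.7
```

Two design points: the LOG rule sits directly in front of the final DROP, so it only ever records what the policy already refuses, which is exactly the "access violations wrt address and port" unSpawn describes, and the limit match keeps a scan from turning that logging into a disk-filling problem of its own. In the sample log, one source is denied on three different ports within seconds, which is the pattern a summariser like this exists to surface; the real lines land wherever the syslog daemon sends kernel messages (/var/log/messages or /var/log/kern.log).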