LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 11-28-2012, 08:03 AM   #1
artaxerxe
LQ Newbie
 
Registered: Dec 2011
Posts: 13

Rep: Reputation: Disabled
Captive portal: how to log authenticated user data?


Hello everyone!

Can anybody give me some hints on how to implement a lawful interception system on my Linux (CentOS) server? I have installed on it CoovaChilli access portal that makes user authentication before providing network access. I would be glad to know what options I would have. I know I can use iptables logging capabilities for that, but I would like to be able to log some other data related to authenticated user. Also I would like to see what options would I have for implementing a CALEA/ETSI standards.
 
Old 11-28-2012, 08:38 AM   #2
steelneck
Member
 
Registered: Nov 2005
Distribution: Slackware, Arch
Posts: 43

Rep: Reputation: 8
You want advice on how to attack the integrity of your users communication?

I bet a user who want advice on how to protect them self from that get a lot more advice.
 
Old 11-28-2012, 09:21 AM   #3
colucix
Moderator
 
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,373

Rep: Reputation: 1911Reputation: 1911Reputation: 1911Reputation: 1911Reputation: 1911Reputation: 1911Reputation: 1911Reputation: 1911Reputation: 1911Reputation: 1911Reputation: 1911
Moved: This thread is more suitable in Linux - Security and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 11-28-2012, 10:44 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,543
Blog Entries: 51

Rep: Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604
Quote:
Originally Posted by artaxerxe View Post
(..) I would like to see what options would I have for implementing a CALEA/ETSI standards.
Does what you provide fall under the CALEA definition of "telecom carrier"? In other words: do you have a clear legal obligation to be in compliance with the Act?


Quote:
Originally Posted by artaxerxe View Post
Can anybody give me some hints on how to implement a lawful interception system on my Linux (CentOS) server?
If you answered the above questions with "yes" (and I do hope you'll be verbose about it) then please list the formal requirements you know and your idea on how to implement them.


Quote:
Originally Posted by artaxerxe View Post
(..) I would like to be able to log some other data related to authenticated user.
Unless you show you have a thorough understanding of CALEA requirements I would advise you to stay away from asking such questions, and if you must ask then be exact about what it is you (think you) must record and elaborate the reasons why.
 
1 members found this post helpful.
Old 11-29-2012, 12:21 AM   #5
artaxerxe
LQ Newbie
 
Registered: Dec 2011
Posts: 13

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by steelneck View Post
You want advice on how to attack the integrity of your users communication?

I bet a user who want advice on how to protect them self from that get a lot more advice.
To be clear: I need to implement a lawful interception module for my system. I think if I would need to hack the communication of my users, I would need to write from scratch a module, and document on some other things that are worthless to write here. All what I want to tell you is that I need to write a lawful interception module for my server, and being a newbie to this, I just need some thoughts. Hope to be clear. Thanks!
 
Old 11-29-2012, 01:51 AM   #6
artaxerxe
LQ Newbie
 
Registered: Dec 2011
Posts: 13

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn View Post
Does what you provide fall under the CALEA definition of "telecom carrier"? In other words: do you have a clear legal obligation to be in compliance with the Act?
No. I only need to implement a simple LI module on my server that can be placed (the server) in a hotel or in a public place where different clients can have Internet access through a captive portal. I introduced CALEA and ETSI standard names because I read from wikipedia about them to be the common standards for LI in USA and Europe. If I would need to implement that standards I would need to do much more research and for now, my system does not need that. I think we can drop out the CALEA and ETSI terms. I beg your pardon for being misunderstood.

Quote:
Originally Posted by unSpawn View Post
If you answered the above questions with "yes" (and I do hope you'll be verbose about it) then please list the formal requirements you know and your idea on how to implement them.
My answer is definitely NO. All what I need to do is to have logged the IPs that a user accessed (maybe the url if possible), the user IP, related ports, protocols, access time and also I would need to log the username that this client used for authentication to captive portal - that data would need to be taken out from a database. For that I know iptables is a good tool, but I would be also curious (as not being a very experienced Linux user) if there are other tools that can be used for that. And also I'm not clear yet how to put the username related to request (as specified, that username being taken out from a database) in logs with iptables. I think that's all what I would need to implement for my LI module.

Thanks.
 
Old 11-29-2012, 06:47 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,543
Blog Entries: 51

Rep: Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604
Quote:
Originally Posted by artaxerxe View Post
No. I only need to implement a simple LI module on my server that can be placed (the server) in a hotel or in a public place where different clients can have Internet access through a captive portal. I introduced CALEA and ETSI standard names because I read from wikipedia about them to be the common standards for LI in USA and Europe. If I would need to implement that standards I would need to do much more research and for now, my system does not need that. I think we can drop out the CALEA and ETSI terms. I beg your pardon for being misunderstood.
Thanks for explaining your approach verbosely. While it would have been better had you not created the wrong impression in the first place, it is not too late to stop it (I already modified the thread title) by dropping your acronym usage altogether, especially usage of "LI". The latter implies you being subject to regulatory compliance and it remains unclear if you have any idea of what you're getting into. Some cause for concern should be voiced about you saying
Quote:
Originally Posted by artaxerxe View Post
I would need to do much more research and for now, my system does not need that.
because that decision does not seem to be based on a thorough understanding of any applicable Data Protection Act or Privacy Law and its implications. It rather seems to convey your eagerness to dodge comprehending any and dispose of any compliance in favor of chasing practicalities. Do tread carefully.


Quote:
Originally Posted by artaxerxe View Post
My answer is definitely NO. All what I need to do is to have logged the IPs that a user accessed (maybe the url if possible), the user IP, related ports, protocols, access time and also I would need to log the username that this client used for authentication to captive portal - that data would need to be taken out from a database. For that I know iptables is a good tool, but I would be also curious (as not being a very experienced Linux user) if there are other tools that can be used for that. And also I'm not clear yet how to put the username related to request (as specified, that username being taken out from a database) in logs with iptables. I think that's all what I would need to implement for my LI module.
Netfilter logging will (have to) do because the alternative, Deep Packet Inspection, would be way disproportional. As for mixing in user names I would first look at what the Captive Portal software you currently use offers in terms of API hooks or tools.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
remove log and consumed quota from a authenticated user in squid Jack1987 Linux - Server 0 12-16-2011 08:08 AM
Setting up a Captive portal VeeDubbs Linux - Networking 3 05-31-2009 11:55 AM
Captive Portal for IPCop waelaltaqi Linux - Networking 0 03-05-2007 10:54 AM
captive portal and iptables dutch1918 Linux - Wireless Networking 0 12-16-2005 09:21 AM


All times are GMT -5. The time now is 01:52 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration