Linux - Security
Just wondering, when you detect a sudden big spike in traffic, are there ways to find out, whether in real time or afterwards, what the culprit might be? Not sure what to type in ssh. Checked the logs, including mail, but don't see anything suspicious.
In real time, immediately fire up tcpdump and capture packets to get an idea of the type of traffic and destination. For a more friendly interface, try using ethereal. Using the top command can often provide you with some insight in determining which process is creating loads of traffic. Trying to identify it in hindsight is a little more difficult. Probably the best way is to use iptables to log abnormal or excessive outbound traffic. You can then use something like logwatch or syslog-ng to pull out the iptables messages and send you a summary alert.
Last edited by Capt_Caveman; 03-19-2005 at 10:29 AM.
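A worked version of the "log it with iptables, summarise it afterwards" approach from the post above, added here as an example; it is not code from the original thread. It assumes an OUTPUT rule with the log prefix OUTBOUND: (shown as a comment, not executed), and it parses constructed sample kernel-log lines in the format the iptables LOG target emits, counting new outbound connections per destination, port and protocol. Logwatch or a syslog-ng filter would feed it the same lines from /var/log/messages.

```sh
#!/bin/sh
# Added example, not from the original thread. Summarises iptables LOG
# messages for outbound connections so a spike can be attributed afterwards.

# Rule that produces the lines parsed below (assumptions: prefix "OUTBOUND: ",
# only NEW connections, rate-limited so a flood cannot fill the log).
# Shown for reference, not run by this script:
#   iptables -I OUTPUT -m state --state NEW -m limit --limit 30/min \
#            -j LOG --log-prefix "OUTBOUND: "

# Constructed sample of what the kernel log would contain. The last line is
# an unrelated kernel message and must be ignored by the parser.
sample_log() {
    cat <<'EOF'
Mar 19 10:01:02 host kernel: OUTBOUND: IN= OUT=eth0 SRC=192.168.1.10 DST=192.0.2.5 LEN=60 DF PROTO=TCP SPT=40001 DPT=6667 SYN
Mar 19 10:01:03 host kernel: OUTBOUND: IN= OUT=eth0 SRC=192.168.1.10 DST=192.0.2.20 LEN=60 DF PROTO=TCP SPT=40002 DPT=80 SYN
Mar 19 10:01:03 host kernel: OUTBOUND: IN= OUT=eth0 SRC=192.168.1.10 DST=192.0.2.5 LEN=60 DF PROTO=TCP SPT=40003 DPT=6667 SYN
Mar 19 10:01:04 host kernel: OUTBOUND: IN= OUT=eth0 SRC=192.168.1.10 DST=192.0.2.53 LEN=58 PROTO=UDP SPT=33001 DPT=53 LEN=38
Mar 19 10:01:05 host kernel: OUTBOUND: IN= OUT=eth0 SRC=192.168.1.10 DST=192.0.2.5 LEN=60 DF PROTO=TCP SPT=40004 DPT=6667 SYN
Mar 19 10:01:06 host kernel: OUTBOUND: IN= OUT=eth0 SRC=192.168.1.10 DST=192.0.2.9 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Mar 19 10:01:07 host kernel: OUTBOUND: IN= OUT=eth0 SRC=192.168.1.10 DST=192.0.2.5 LEN=60 DF PROTO=TCP SPT=40005 DPT=6667 SYN
Mar 19 10:01:09 host kernel: eth0: link is up
EOF
}

# Read log lines on stdin; print "count DST:DPT/PROTO", most frequent first.
# Fields are KEY=VALUE tokens, so each is split on "=" and the three keys of
# interest are picked out. ICMP has no DPT, so the port shows as "-".
summarize_outbound() {
    awk '
        /OUTBOUND:/ {
            dst = ""; dpt = "-"; proto = "?"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "DST")   dst = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
            }
            if (dst != "") count[dst ":" dpt "/" proto]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# The single busiest destination, i.e. the first thing to look at.
top_talker() {
    summarize_outbound | head -n 1 | awk '{ print $2 }'
}

# Number of distinct destinations seen.
distinct_destinations() {
    summarize_outbound | awk 'END { print NR }'
}
```

Run it against the real log with `summarize_outbound < /var/log/messages` (or `grep OUTBOUND: /var/log/messages | summarize_outbound`); the sample shows one host on port 6667 accounting for most of the new connections, which is exactly the kind of thing a summary alert should surface.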
Thanks. It seems it's a little more complicated than I expected. I tried running top, though I didn't see anything. Will running netstat using something like:
netstat -an | grep ':80' | awk '{print $5}' | sort | more
help if I change the port to ones often used by outbound traffic? If so, what ports should I be monitoring?
Netstat isn't really going to provide you with much information on the relative amounts of traffic. So you couldn't really distinguish between 1 packet and 1 million packets. Top is only going to be informative if the process sending packets is CPU intensive. Something sending a few packets per second likely would not show up, but something like a udp flooder which is sending out as many packets as possible likely would.
If you really want to do real-time monitoring, use ethereal. It can show you amounts of packets captured, perform tcp stream re-assembly, and decode packet payloads. It's a great tool. If you want to do long-term traffic monitoring, you might want to look at an intrusion detection system (IDS) that has a traffic anomaly detection feature. SPADE and even Nagios might be useful.
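Since netstat lists connections rather than volumes, the quantity that actually reveals a spike is the per-interface byte counter in /proc/net/dev sampled over time, which is what a traffic anomaly check boils down to. The following is an added example, not code from the original post: it takes two constructed /proc/net/dev snapshots ten seconds apart, computes the transmit rate of eth0, and flags it when it exceeds a chosen multiple of a baseline. The interface name, the baseline of 200000 bytes/s and the factor of 10 are assumptions you would tune per host; watch_iface does the same against the live file.

```sh
#!/bin/sh
# Added example, not from the original thread. Measures interface throughput
# from /proc/net/dev so a traffic spike shows up as a number, not a guess.

# Constructed snapshots in the real /proc/net/dev layout. Some kernels print
# "eth0:12345" with no space after the colon, which tx_bytes handles.
snapshot_before() {
    cat <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     789    0    0    0     0          0         0   123456     789    0    0    0     0       0          0
  eth0:98765432  123456    0    0    0     0          0         0 12345678   98765    0    0    0     0       0          0
EOF
}

snapshot_after() {
    cat <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     789    0    0    0     0          0         0   123456     789    0    0    0     0       0          0
  eth0:98865432  124456    0    0    0     0          0         0 62345678  198765    0    0    0     0       0          0
EOF
}

# Transmit byte counter for interface $1, read from a /proc/net/dev text on
# stdin. After the colon is turned into a space, field 10 is "Transmit bytes".
tx_bytes() {
    sed 's/:/ /' | awk -v iface="$1" '$1 == iface { print $10 }'
}

# Bytes per second between two counter readings $1 (before) and $2 (after)
# taken $3 seconds apart. Integer arithmetic is enough at this granularity.
rate_bps() {
    echo $(( ($2 - $1) / $3 ))
}

# Exit 0 (true) when rate $1 exceeds baseline $2 multiplied by factor $3.
is_spike() {
    [ "$1" -gt $(( $2 * $3 )) ]
}

# Live use on Linux: sample the real counter twice, $2 seconds apart, and
# print the transmit rate of interface $1. Not called by the functions above.
watch_iface() {
    before=$(tx_bytes "$1" < /proc/net/dev)
    sleep "$2"
    after=$(tx_bytes "$1" < /proc/net/dev)
    rate_bps "$before" "$after" "$2"
}
```

Something like `r=$(watch_iface eth0 10); is_spike "$r" 200000 10 && echo "spike: $r B/s"` in a cron job or a loop gives the "relative amounts" that netstat cannot; once it fires, that is the moment to start tcpdump and check which process owns the busiest connections.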