[SOLVED] monitoring internet access (IP logs) of computer on my LAN
I need to monitor everything that is being done, especially internet-wise on a computer on my LAN. I'm not exactly sure what the best solution is.
I mean I specifically want to know what sites are surfed, or at least what IPs are accessed by the computer on my LAN, and actually it would be fine if it just monitored all traffic from my LAN to the internet, that would also work. A keylogger would also work, but maybe as a last resort, because I've tried them before and they all seem to suck, and again it is internet traffic that is the important part.
So far I've tried packet sniffers like ethereal, but these would require that I install it on said computer, so the question is this: how would I make sure the user does not simply modify the logs or kill the program? Also, it would be nice if the program e-mailed the logs to me once in a while, so I don't have to go get them myself. Again, I have root access to this machine, it is my computer, but the user also has root access. Maybe I should just restrict root access to the user, but this causes other problems; then I'd need to set up sudo properly or something, and where would I keep the log so it is safe, and make sure the program runs and cannot be killed, etc.
I've heard that ethereal can actually sniff packets for all computers on a switched network, but I'm not sure if this applies to my network.
The easiest solution would probably be the best one here, so nothing too complicated please.
I've also checked my router, and it has a log function, but it only logs system errors for itself, not IPs, so it's useless I guess.
Quote:
Originally Posted by H_TeXMeX_H
I need to monitor everything...Maybe I should just restrict root access to the user, but this causes other problems, then I'd need to set up sudo properly or something
*Everything* is asking a lot. You can't effectively monitor logs for every action a user takes. If the user has root access, you can't be sure of anything. If you restrict access and set him/her up in sudoers, then you can regulate the kinds of things they can do and the security logs will show what those things are. Set the sticky bit on .bash_history, too.
Quote:
Originally Posted by H_TeXMeX_H
I've heard that ethereal can actually sniff packets for all computers on a switched network, but I'm not sure if this applies to my network.
All traffic can be monitored by tcpdump or ethereal. Ask yourself, "How many hours a day do I want to review logs?"
One more thing, if they have physical access to a machine, they "own it". Boot from CD, boot from USB, etc. Is this business or personal? If business, you can build a case for violation of terms of use/policy.
If you have a gateway machine different to the wkstn in question, you could add SQUID, no restrictions (initially), just logging.
Don't give the user a login to that system.
Solution 1:
A hardware gateway. Some free OSes exist for that, like ipcop, smoothwall, astaro (free for small networks), pfsense (my own choice), endian and engarde. The "netstat" command can list every connection with the website URL. PFsense also has a display mode, if you connect a screen to it, displaying every active connection (source and destination IP).
Solution 2:
A hub with a computer connected to it and a packet sniffer. You will see all packets passing through the hub, no matter where they come from or where they go; you will just see everything.
Solution 3:
Using a bash/DOS script on the client, collecting information and sending it; it is quite a trivial script to write.
So if you had a list of hostnames or IP addresses visited over http/s by a single client on your LAN, that would solve your problem?
Yes, I think that would solve it.
Quote:
Originally Posted by wfh
One more thing, if they have physical access to a machine, they "own it". Boot from CD, boot from USB, etc. Is this business or personal? If business, you can build a case for violation of terms of use/policy.
Both I and them have physical access to the machine, and it is for personal use, not business. In fact, I bought the machine, so it's technically mine in any case.
Quote:
Originally Posted by wfh
All traffic can be monitored by tcpdump or ethereal. Ask yourself, "How many hours a day do I want to review logs?"
You know that's a very good point, I guess I'll need to write a script to parse the log for info I might need. It's true that I'm not going to read thousands of lines of IP logs. Yet another problem to solve.
Quote:
Originally Posted by Elv13
Solution 1:
A hardware gateway. Some free OSes exist for that, like ipcop, smoothwall, astaro (free for small networks), pfsense (my own choice), endian and engarde. The "netstat" command can list every connection with the website URL. PFsense also has a display mode, if you connect a screen to it, displaying every active connection (source and destination IP).
Solution 2:
A hub with a computer connected to it and a packet sniffer. You will see all packets passing through the hub, no matter where they come from or where they go; you will just see everything.
Solution 3:
Using a bash/DOS script on the client, collecting information and sending it; it is quite a trivial script to write.
All very useful info, thank you. I didn't know netstat listed that. I might just use solution #3. Any recommendation on the best program to use for such a script... netstat? Or is there a better solution? I'm quite competent at scripting, so I can probably handle that, but I still need a good program that collects the data I need.
Last edited by H_TeXMeX_H; 10-15-2009 at 01:57 PM.
Quote:
Originally Posted by chrism01
If you have a gateway machine different to the wkstn in question, you could add SQUID, no restrictions (initially), just logging.
Don't give the user a login to that system.
I think chrism01's suggestion could potentially be the most elegant solution. A proxy would give you much more control over traffic, and your logging would be much simpler.
I used to work in an R&D lab where they tried, in vain, to clamp down on all sorts of traffic. Of course, that just led to tunneling and remote login to other hosts to get around the restrictions. In the end, management reached a place where they accepted that they were herding cats and we honored a gentleman's agreement not to abuse access.
Is that a possibility? Is this a loose cannon about to fall through your deck?
@H_TeXMeX_H: yes, use netstat if you want to go that way. Other tools exist, but netstat is installed by default and will do the job just fine
Code:
netstat --inet -avW --program
is probably the command you are looking for. But be warned: as with all other solutions, the connection time may be quite short, and if the script does not run during this tiny timeframe it will miss the connection, so every solution except squid will miss many websites.
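As an added example (not code from the thread or from any of the posters), here is a bash script that takes Elv13's `netstat --inet -avW --program` suggestion and turns it into the sampling-and-parsing script H_TeXMeX_H said he would need to write. The parser is a separate function so it can be checked against a constructed netstat listing (the addresses below are RFC 5737 documentation addresses, not real traffic); the log file path, the sampling interval and the process names are assumptions. As the post says, sampling only sees connections that are open at the moment netstat runs, so short-lived connections are missed; the interval is the knob that trades coverage against log size.

```bash
#!/bin/bash
# Added example: periodically sample the connection table with netstat and
# keep only the remote endpoints, so the resulting log is short enough to
# review. Assumes IPv4 (--inet) and GNU netstat output as shown by the
# constructed sample below; not the thread's own code.

# Parse `netstat --inet -avW --program` output on stdin and print one line per
# outbound socket: "proto remote_ip remote_port state program".
# Listening sockets (foreign address 0.0.0.0:*) and loopback peers are dropped.
extract_remote() {
    awk '
        /^Active Internet/ || /^Proto/ { next }          # banner and header
        $5 == "0.0.0.0:*" || $5 ~ /^127\./ { next }       # listeners, loopback
        {
            n = split($5, parts, ":")                     # "ip:port" (IPv4)
            port = parts[n]
            ip = substr($5, 1, length($5) - length(port) - 1)
            if (NF >= 7) {                                # TCP: state column present
                state = $6; prog = $7
                for (i = 8; i <= NF; i++) prog = prog " " $i   # program names with spaces
            } else {                                      # UDP: no state column
                state = "-"; prog = $6
            }
            print $1, ip, port, state, prog
        }' | sort -u
}

# Take one sample of the live system and append it, timestamped, to a log file.
sample_once() {
    local logfile="$1"
    netstat --inet -avW --program 2>/dev/null | extract_remote |
        while read -r line; do
            printf '%s %s\n' "$(date +%FT%T)" "$line"
        done >> "$logfile"
}

# Sample every INTERVAL seconds (assumed defaults: /var/log/lan-sample.log, 30 s).
run_sampler() {
    local logfile="${1:-/var/log/lan-sample.log}" interval="${2:-30}"
    while :; do
        sample_once "$logfile"
        sleep "$interval"
    done
}

# Review aid: how often each remote IP appeared across all samples.
summarize_log() {
    awk '{ print $3 }' "$1" | sort | uniq -c | sort -rn
}

# Constructed netstat listing used to check the parser offline.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.168.1.10:44312      203.0.113.10:443        ESTABLISHED 2345/firefox
tcp        0      0 192.168.1.10:44320      198.51.100.7:80         TIME_WAIT   -
tcp        0      0 127.0.0.1:6010          127.0.0.1:38122         ESTABLISHED 2201/sshd
udp        0      0 192.168.1.10:51234      203.0.113.53:53         ESTABLISHED 702/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           701/dhclient'

# Run the parser over the constructed sample (for demonstration; no netstat needed).
parse_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | extract_remote
}

if [ "${1:-}" = "--demo" ]; then
    parse_sample
fi
```

Run it as `bash sampler.sh --demo` to see the three remote endpoints the parser keeps from the sample, or call `run_sampler /path/to/log 15` from a shell started by root to log the real system every 15 seconds; `summarize_log /path/to/log` then gives the per-IP counts that are worth reading instead of thousands of raw lines. Newer distributions ship `ss` from iproute2 in place of netstat; its column layout differs, so the awk field numbers above apply to netstat only.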
Quote:
I think chrism01's suggestion could potentially be the most elegant solution. A proxy would give you much more control over traffic, and your logging would be much simpler.
I used to work in an R&D lab where they tried, in vain, to clamp down on all sorts of traffic. Of course, that just led to tunneling and remote login to other hosts to get around the restrictions. In the end, management reached a place where they accepted that they were herding cats and we honored a gentleman's agreement not to abuse access.
Is that a possibility? Is this a loose cannon about to fall through your deck?
Hmm, so this would mean that I would need to set up squid on one of my computers and keep it running for all the time I need it to be monitoring, right? I'm not sure I can do that, the power goes out here a lot.
Maybe I'll try the script solution at certain intervals. Maybe I don't need all the internet traffic, I just want to sample it here and there, that might be good enough.
Quote:
Originally Posted by chrism01
If you have a gateway machine different to the wkstn in question, you could add SQUID, no restrictions (initially), just logging.
I like the squid solution, but I have to point out that it might not do what you need, in a couple of respects:
depending on your network arch, a 'clever' user may be able to divert packets around the squid box, if they want to
squid will tell you which sites (and even which pages on which sites) have been accessed from your network. That doesn't, at least by default, tell you which machine, or more particularly which user, has been doing the accessing
If those aren't problems to you (and you haven't really explained the background...I can see there might be reasons that you don't want to do that), go with squid!
Otherwise, I think my next idea would be to look at wireshark and its ability to filter packets. All of what wireshark does is primarily by ip addresses rather than by URL, so you'd have to manually convert suspect URLs to suspect IPs, but if the number of suspect URLs is small, this shouldn't be a problem...until the association between URLs and IPs is changed (so, if this is a long term problem, you might have to keep re-mapping that association).
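To go with the squid suggestion, here is an added example (not from the thread or from the Squid project) of the log-review script that chrism01's "just logging" setup would need. Squid's native access.log format puts the requesting client's address in the third field and the URL in the seventh, with HTTPS tunnels logged as `CONNECT host:443`; the script summarizes, per client address, which hostnames were requested and how often, which answers both "which sites" and "which machine" from one file. The log lines below are constructed for the demonstration (example.org and RFC 5737 addresses), and the log path is an assumption.

```bash
#!/bin/bash
# Added example: summarize a Squid native-format access.log by client address
# and requested hostname. Assumes the default native log format
# (time elapsed client result/status bytes method URL ident hierarchy type);
# not the thread's own code.

# Read access.log lines on stdin; print "client host count", sorted.
squid_sites_by_client() {
    awk '{
        url = $7
        sub(/^[a-z]+:\/\//, "", url)      # drop scheme (http://, ftp://)
        sub(/\/.*$/, "", url)             # drop path
        sub(/:[0-9]+$/, "", url)          # drop port (CONNECT host:443)
        count[$3 " " url]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Same summary, restricted to one client address (the workstation being watched).
hosts_for_client() {
    local client="$1"
    squid_sites_by_client | awk -v c="$client" '$1 == c { print $2, $3 }'
}

# Constructed access.log lines for an offline check.
SAMPLE_ACCESS_LOG='1255622400.123    245 192.168.1.10 TCP_MISS/200 5432 GET http://example.org/index.html - HIER_DIRECT/203.0.113.5 text/html
1255622401.456     12 192.168.1.10 TCP_HIT/200 1200 GET http://example.org/logo.png - NONE/- image/png
1255622402.789   1800 192.168.1.10 TCP_TUNNEL/200 94000 CONNECT mail.example.net:443 - HIER_DIRECT/203.0.113.9 -
1255622403.001    300 192.168.1.20 TCP_MISS/200 800 GET http://example.com/ - HIER_DIRECT/203.0.113.7 text/html'

# Summary over the constructed sample.
summarize_sample() {
    printf '%s\n' "$SAMPLE_ACCESS_LOG" | squid_sites_by_client
}

# Hostnames contacted by one client in the constructed sample.
sample_hosts_for() {
    printf '%s\n' "$SAMPLE_ACCESS_LOG" | hosts_for_client "$1"
}

if [ "${1:-}" = "--demo" ]; then
    summarize_sample
fi
```

On a live proxy, `squid_sites_by_client < /var/log/squid/access.log` (path assumed; distributions differ) gives the whole LAN's picture, and `hosts_for_client 192.168.1.10 < /var/log/squid/access.log` narrows it to one workstation. Because the summary keys on hostname rather than IP, it is not affected by the URL-to-IP remapping problem salasi raises for the wireshark approach.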
Well, for the background, let's just say this user is not to be trusted, and I have been given the task of monitoring the connection and making sure certain sites are not accessed. I know I could probably use programs to block these services and sites, but I know that there exist easy ways to bypass this (proxy). Besides, I don't actually have a list of sites to be banned.