LinuxQuestions.org

Linux - Networking: Monitor Hardware Firewall from F21 WS (https://www.linuxquestions.org/questions/linux-networking-3/monitor-hardware-firewall-from-f21-ws-4175531593/)

JustAnotherHuman 01-20-2015 04:58 AM

Monitor Hardware Firewall from F21 WS
 
I'm a Linux newbie. I have Fedora 21 Workstation installed. What I want to do is monitor my Hardware Router/Firewall via syslog SNMP in realtime. With MS Windows I used a program called WallWatcher. It monitored in real time and auto generated a log every day for all my hardware router/firewall activity. This way I can watch who's trying to access my system and when they're doing it, both as they do so, and reference past occurrences.

So far I have installed SNMP Daemon with "sudo yum install net-snmp". But I have no idea what comes next, except that it requires configuring. I have no idea if it has a GUI interface or not, which is what I want.

Has anyone done this before? Or does anyone have another solution for monitoring their network traffic.

Actually I'd also like a local software firewall to monitor outgoing 'attempts,' giving me the option of stopping them if I so choose. With MS Windows I started with ZoneAlarm, thanks to Steve Gibson's (GRC.com) recommendation. Then I switched to Comodo. I firmly agree that monitoring outgoing 'attempts' can be a valuable tool, letting one know they have been compromised, so as to stop someone that's done so.

Any Ideas?

TIA

nini09 01-20-2015 02:39 PM

Can you retrieve information through SNMP on Windows?

Habitual 01-20-2015 02:58 PM

Does the firewall have snmp[d] installed?

JustAnotherHuman 01-21-2015 10:55 AM

Quote:

Originally Posted by nini09 (Post 5304132)
Can you retrieve information through SNMP on Windows?

Yep, here's a link to the software I was using with Windows XP Pro x86, if you care to check it out. It trapped either SNMP or Syslog, I'm not really sure, I assumed it was SNMP. It did this via the router's broadcasting IP, of course. I was hoping that something like it existed for Linux because I feel pretty bare at the moment, security wise. One of the major problems with Linux as I see it, i.e. no sense of knowing one's secure, unless they're a Linux pro. And as I said I'm a newbie. Do you know of such software for Linux?

TIA

JustAnotherHuman 01-21-2015 11:04 AM

Quote:

Originally Posted by Habitual (Post 5304146)
Does the firewall have snmp[d] installed?

Yep, see the above post to "nini09". You can follow the link as well, if you have any questions as to the software I was using with Windows XP Pro x86. The site is no longer active though, no more upgrades, he's moved on.

Any ideas for a solution?

TIA

P.S. That's weird, this message showed up while nini09's did not, supposedly it's awaiting approval, so here's the link again:

TB0ne 01-21-2015 12:24 PM

Quote:

Originally Posted by JustAnotherHuman (Post 5303859)
I'm a Linux newbie. I have Fedora 21 Workstation installed. What I want to do is monitor my Hardware Router/Firewall via syslog SNMP in realtime. With MS Windows I used a program called WallWatcher. It monitored in real time and auto generated a log every day for all my hardware router/firewall activity. This way I can watch who's trying to access my system and when they're doing it, both as they do so, and reference past occurrences.

So far I have installed SNMP Daemon with "sudo yum install net-snmp". But I have no idea what comes next, except that it requires configuring. I have no idea if it has a GUI interface or not, which is what I want.

You installed the SNMP daemon on your system, which could be used to monitor it, once it's configured.
Quote:

Has anyone done this before? Or does anyone have another solution for monitoring their network traffic.

Actually I'd also like a local software firewall to monitor outgoing 'attempts,' giving me the option of stopping them if I so choose. With MS Windows I started with ZoneAlarm, thanks to Steve Gibson's (GRC.com) recommendation. Then I switched to Comodo. I firmly agree that monitoring outgoing 'attempts' can be a valuable tool, letting one know they have been compromised, so as to stop someone that's done so.
Look into either Zabbix or Nagios. They are the 'standard' methods of Linux monitoring, and both support SNMP. You can easily configure things for custom events. That said, the 'real time' part may be difficult...not sure you can get that fine-grained, although you probably could get things to go every 60 seconds or so, if that's enough.

And while it may seem a daunting task for someone new in Linux, you actually have lots of options. You could have the logs from your firewall/router sent to the Linux system, and use syslog-ng to separate the firewall logs into their own file, and have a script examine that file. Logwatch can also be used for such things, and you can have it run near-constantly, and email you if things go awry. And that's just one thing you could do...there are others, like using a script to poke the logs in-situ on the firewall and examine them. You can also use Snort (different approach), to monitor things even further. Although that's not really going to parse the logs, it might give you further depth to your monitoring.

You can find sample scripts easily, and we'll be more than happy to give you a hand with them. There's a bash scripting tutorial in my posting signature, and the documentation on configuring syslog-ng is easy to find/follow as well.
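The "have a script examine that file" step from the post above, as an added example that is not part of the original thread. It assumes the router's syslog lines have already been split out to their own file and that they carry netfilter-style DROP fields (IN=, SRC=, DST=, PROTO=, DPT=), which is what many consumer routers running Linux emit; the regex has to be adjusted for a device that logs differently. The sample lines are constructed, and the alert threshold of three attempts per source is an arbitrary choice for illustration.

```python
"""Examine a firewall log file for inbound connection attempts.

Added example, not code from the original thread. Assumes netfilter-style
DROP lines (IN=, SRC=, DST=, PROTO=, DPT=) in the router's log file.
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample of what a router's separated log file might contain.
SAMPLE_LOG = """\
Jan 23 01:14:01 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51514 DPT=22
Jan 23 01:14:03 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51515 DPT=22
Jan 23 01:14:09 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51516 DPT=23
Jan 23 01:15:40 router kernel: DROP IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.2 PROTO=UDP SPT=5060 DPT=5060
Jan 23 01:16:12 router dnsmasq[512]: DHCPACK(br0) 192.168.1.50 aa:bb:cc:dd:ee:ff laptop
Jan 23 01:17:00 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51517 DPT=3389
"""

# Matches the DROP lines only; anything else (DHCP, DNS, ...) is ignored.
DROP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: DROP IN=(?P<iface>\S*).*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)


def parse_drops(text):
    """Yield one dict per DROP line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = DROP_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dpt"] = int(rec["dpt"])
            yield rec


def summarize(text, threshold=3):
    """Count dropped attempts per source address and the ports each one probed.

    Returns (attempts_per_source, ports_per_source, sources_at_or_above_threshold).
    A single source hitting several ports in a short window is the pattern
    worth looking at; one stray packet usually is not.
    """
    per_src = Counter()
    ports = defaultdict(set)
    for rec in parse_drops(text):
        per_src[rec["src"]] += 1
        ports[rec["src"]].add(rec["dpt"])
    noisy = {src: n for src, n in per_src.items() if n >= threshold}
    return per_src, {s: sorted(p) for s, p in ports.items()}, noisy


if __name__ == "__main__":
    # Usage: python3 examine_router_log.py /var/log/router.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    per_src, ports, noisy = summarize(text)
    for src, n in per_src.most_common():
        print(f"{src:16} {n:4} dropped attempts  ports {ports[src]}")
    for src in noisy:
        print(f"ALERT: {src} hit {per_src[src]} times (ports {ports[src]})")
```

Run it from cron against the separated log file, or pipe `tail -f` output through it line by line, to get the "email me if things go awry" behaviour without Logwatch; the parse step is deliberately kept apart from the summary so that the same parser can feed a database later, as nini09 suggests below.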

nini09 01-21-2015 02:52 PM

I assume your SNMP access is OK.
For monitoring network traffic, there are two ways to monitor: active and passive.
Your way is like active, retrieving information periodically through SNMP.
The other way is passive, through syslog. All information goes to a database first and is retrieved later.

JustAnotherHuman 01-22-2015 11:02 PM

Quote:

Originally Posted by TB0ne (Post 5304644)
You installed the SNMP daemon on your system, which could be used to monitor it, once it's configured.

Look into either Zabbix or Nagios. They are the 'standard' methods of Linux monitoring, and both support SNMP. You can easily configure things for custom events. That said, the 'real time' part may be difficult...not sure you can get that fine-grained, although you probably could get things to go every 60 seconds or so, if that's enough.

And while it may seem a daunting task for someone new in Linux, you actually have lots of options. You could have the logs from your firewall/router sent to the Linux system, and use syslog-ng to separate the firewall logs into their own file, and have a script examine that file. Logwatch can also be used for such things, and you can have it run near-constantly, and email you if things go awry. And that's just one thing you could do...there are others, like using a script to poke the logs in-situ on the firewall and examine them. You can also use Snort (different approach), to monitor things even further. Although that's not really going to parse the logs, it might give you further depth to your monitoring.

You can find sample scripts easily, and we'll be more than happy to give you a hand with them. There's a bash scripting tutorial in my posting signature, and the documentation on configuring syslog-ng is easy to find/follow as well.

I want to thank you for your time and help. It seems pretty dead around here, and I was beginning to worry that everyone finally sold out to MS. ;)

I was thinking about trying syslog-ng and went to their site. I was going to download but then realized that I can only get the source code. I'm having a problem with compiling source code into object code. I've already tried to do so using Realtek's source code drivers for my sound chip. There seems to be some software missing as far as I can tell. I assumed the Fedora 21 distribution would have everything I needed in that area, because compiling source seems to be somewhat the norm in Linux, or at least I've been led to that conclusion.

I have a funny feeling I'm going to require quite a bit of help switching from Windows to Linux. :D

Is there any tutorial resource for compiling object code that lists what one requires to do so, and where to get it? Of course I can keep asking for your help, but I have a feeling you'll get tired after a bit.

Again thanks much for your time, the one thing we'll always want more of in the end. ;)



JustAnotherHuman

JustAnotherHuman 01-22-2015 11:07 PM

Quote:

Originally Posted by nini09 (Post 5304697)
I assume your SNMP access is OK.
For monitoring network traffic, there are two ways to monitor: active and passive.
Your way is like active, retrieving information periodically through SNMP.
The other way is passive, through syslog. All information goes to a database first and is retrieved later.

Yeah, I'm thinking Syslog right about now, passive is all I need. I just want to view a window, from time to time, that hopefully updates in real time, and creates a running log of the days events, complete. I hope that's not too tall an order. ;)

Thanks for your time, I really do appreciate it.



JustAnotherHuman

unSpawn 01-23-2015 01:14 AM

No idea why nobody emphasized this but 0) SNMPd, the SNMP daemon, is only necessary if you want to expose SNMP counters to other systems and 1) Fedora is a binary package system. This means you use 'yum' or a desktop tool like 'apper' to install packages and dependencies. Only when Fedora or EPEL don't provide packages would you look for building packages from a source tarball yourself. As for your router: configure it to send its syslog to your machine (must be on always obviously) and configure Rsyslog to accept the log entries and stash them in a separate log. Then run Logwatch regularly to generate reports you send to an email address or save to file. As for SNMP: install 'snmpwalk' then see if you can access the router OIDs you want. Your choice would be to fetch them regularly via a cron job using (as mentioned earlier) tools like Nagios, Icinga or Zabbix, or use a command line tool like collectd, collectl's daemon, and store data in a database or scrape logs. Really not that hard once you've got the concepts, know what you're looking for and where to look.
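What "configure it to send its syslog to your machine and accept the log entries in a separate log" amounts to on the wire, as an added example that is not part of the original thread and is not Rsyslog (which is the right tool for the job on Fedora; this is the same idea stripped to its parts so the concepts are visible). It assumes the router sends BSD syslog (RFC 3164) over UDP, that the router's address is 192.168.1.1, that the listener runs on port 1514 so it does not need root (point the router at 1514, or let Rsyslog own 514), and that entries go to ./router.log. The sample datagram is constructed. Two checks a practitioner wants are built in: UDP syslog is unauthenticated, so datagrams from any address other than the router are discarded, and newlines or control characters inside a message are escaped so that a crafted message (a hostname in a DHCP lease, say) cannot forge extra lines in the file.

```python
"""Minimal UDP syslog receiver that keeps a router's entries in their own file.

Added example, not code from the original thread and not Rsyslog. Assumes
RFC 3164 syslog over UDP from ROUTER_IP (assumed 192.168.1.1) to port 1514.
"""
import re
import socket
import sys
import time

ROUTER_IP = "192.168.1.1"      # assumed; datagrams from any other source are dropped
LISTEN = ("0.0.0.0", 1514)     # 514 needs root; assumed the router is pointed at 1514
LOGFILE = "router.log"         # assumed output file

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOST MSG  (RFC 3164). Timestamp+host are optional as a pair;
# without them the whole remainder is the message.
SYSLOG_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>(?:(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) )?(?P<msg>.*)$",
    re.S,
)

# Constructed sample of what a Linux-based router might send for a dropped packet.
SAMPLE_DATAGRAM = (b"<4>Jan 23 01:14:01 router kernel: DROP IN=eth0 OUT= "
                   b"SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51514 DPT=22")


def parse_syslog(datagram):
    """Return a dict for one RFC 3164 datagram, or None if it is not syslog."""
    m = SYSLOG_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # facility 0-23 and severity 0-7 only
        return None
    msg = m.group("msg").decode("utf-8", "replace")
    # Escape newlines/control characters so one datagram cannot forge extra log lines.
    msg = "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in msg)
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "timestamp": (m.group("ts") or b"").decode("ascii", "replace") or None,
        "host": (m.group("host") or b"").decode("ascii", "replace") or None,
        "msg": msg,
    }


def format_entry(rec, received_at):
    """One line per datagram. The receiver's own clock is recorded as well,
    because the router's timestamp may be missing or wrong."""
    ts = rec["timestamp"] or "-"
    host = rec["host"] or ROUTER_IP
    return f"{received_at} {ts} {host} {rec['facility']}.{rec['severity']} {rec['msg']}"


def serve():
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(LISTEN)
    with open(LOGFILE, "a") as out:
        while True:
            data, (addr, _port) = sock.recvfrom(65535)
            if addr != ROUTER_IP:      # unauthenticated transport: ignore other senders
                continue
            rec = parse_syslog(data)
            if rec is None:
                continue
            line = format_entry(rec, time.strftime("%Y-%m-%dT%H:%M:%S"))
            print(line)                # the "window that updates in real time"
            sys.stdout.flush()
            out.write(line + "\n")     # the log kept for later analysis
            out.flush()


if __name__ == "__main__":
    serve()
```

The source-address check is only as good as the network behind it (a host on the LAN can spoof the router's address in a UDP datagram), which is one reason the real answer is Rsyslog with a ruleset keyed on the router's address plus a host firewall that admits port 514 only from the LAN; the file this writes is what Logwatch or the parsing script above would then read.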

JustAnotherHuman 01-23-2015 03:56 PM

Quote:

Originally Posted by unSpawn (Post 5305409)
No idea why nobody emphasized this but 0) SNMPd, the SNMP daemon, is only necessary if you want to expose SNMP counters to other systems and 1) Fedora is a binary package system. This means you use 'yum' or a desktop tool like 'apper' to install packages and dependencies. Only when Fedora or EPEL don't provide packages would you look for building packages from a source tarball yourself. As for your router: configure it to send its syslog to your machine (must be on always obviously) and configure Rsyslog to accept the log entries and stash them in a separate log. Then run Logwatch regularly to generate reports you send to an email address or save to file. As for SNMP: install 'snmpwalk' then see if you can access the router OIDs you want. Your choice would be to fetch them regularly via a cron job using (as mentioned earlier) tools like Nagios, Icinga or Zabbix, or use a command line tool like collectd, collectl's daemon, and store data in a database or scrape logs. Really not that hard once you've got the concepts, know what you're looking for and where to look.

Yeah, I had a feeling that I could get most of what I needed from the repositories, but I had no idea how to browse the packages. But now I've installed the Yum Extender, and was able to browse "all" the packages. I saw Zabbix, Rsyslog and syslog-ng. So now I need to know which solution, of the ones available, will suit my wants the most. What do you guys think?

I prefer the solution that lets me know as close to real time as possible, would prefer a separate window process so as to monitor whenever I feel the need, and of course logs kept for later analysis. You guys are the pros, which way should I go? ;)

Also how about that rule based firewall that watches both in/out bound connection attempts, where I can set either allow, deny or ask, per process. Does any such animal like that exist?

Thanks guys!




JustAnotherHuman

unSpawn 01-24-2015 04:28 AM

Quote:

Originally Posted by JustAnotherHuman (Post 5305735)
Yeah, I had a feeling that I could get most of what I needed from the repositories, but I had no idea how to browse the packages.

In that case it's good to know that Fedora, just like its parent company's OSes, comes with extensive documentation. Familiarizing yourself with the basic installation, user and security documentation will help introduce the concepts, get you accustomed to basic tasks and therefore make you more efficient and productive using Linux. One of the indications this is necessary is new Linux users talking about antivirus, firewalls and specific applications as if they were still running (with a) Windows (mindset). Also it's good to know LQ has a pretty good search function (although you have to kind of know what you're looking for). Also realize that not all advice is good advice: ensuring you understand what you're doing, or knowing where to find specific documentation to check things, is crucial, but that goes for about anything, right?..


Quote:

Originally Posted by JustAnotherHuman (Post 5305735)
So now I need to know which solution, of the ones available, will suit my wants the most. What do you guys think? I prefer the solution that lets me know as close to real time as possible, would prefer a separate window process so as to monitor whenever I feel the need, and of course logs kept for later analysis. Also how about that rule based firewall that watches both in/out bound connection attempts, where I can set either allow, deny or ask, per process. Does any such animal like that exist?

Before answering that we have to look back and correct this first:
Quote:

Originally Posted by JustAnotherHuman
Actually I'd also like a local software firewall to monitor outgoing 'attempts,' giving me the option of stopping them if I so choose. With MS Windows I started with ZoneAlarm, (..) Then I switched to Comodo. I firmly agree that monitoring outgoing 'attempts' can be a valuable tool, letting one know they have been compromised, so as to stop someone that's done so.

...because the latter is not true without some thought and effort from you. Most of this is explained in your distribution's user documentation security section so I'll be terse:
- Threats should be avoided and breaches of security should be prevented.
- After-the-fact reporting does not equal taking proactive measures.
- Linux is not Windows: know what threats affect Linux.

More generally speaking:
- Know what you're doing, use common sense and read up on securing your machine,
- Install only software you need and only packages from known good sources and update when updates are released,
- Don't open ports in your firewall and don't forward ports in your stateful NAT router unless you know you need it,
- Make regular backups and regularly check your machine for problems.

...or as I'd like to say: Linux may be free to use but using it should not be free of responsibilities.


That said, Tuxguardian, Leopardflower, Fireflier and Pgrd (all on Sourceforge.net BTW) were some examples of "ZoneAlarm-for-Linux"-like applications. None of them are maintained anymore, indicating the idea that with Linux things are done differently. It may be hard to understand now but once you've read the documentation and if you understand and adhere to the points I mentioned above you'll find there simply is no need to monitor and block outgoing processes. So I strongly suggest you get acquainted and read the basic user documentation, if unsure examine your system to verify its integrity and then ask detailed questions. You'll be saving yourself a lot of worrying for nothing, time and effort.

JustAnotherHuman 01-25-2015 12:37 PM

Quote:

Originally Posted by unSpawn (Post 5305936)
In that case it's good to know that Fedora, just like its parent company's OSes, comes with extensive documentation. Familiarizing yourself with the basic installation, user and security documentation will help introduce the concepts, get you accustomed to basic tasks and therefore make you more efficient and productive using Linux. One of the indications this is necessary is new Linux users talking about antivirus, firewalls and specific applications as if they were still running (with a) Windows (mindset). Also it's good to know LQ has a pretty good search function (although you have to kind of know what you're looking for). Also realize that not all advice is good advice: ensuring you understand what you're doing, or knowing where to find specific documentation to check things, is crucial, but that goes for about anything, right?..



Before answering that we have to look back and correct this first:
...because the latter is not true without some thought and effort from you. Most of this is explained in your distribution's user documentation security section so I'll be terse:
- Threats should be avoided and breaches of security should be prevented.
- After-the-fact reporting does not equal taking proactive measures.
- Linux is not Windows: know what threats affect Linux.

More generally speaking:
- Know what you're doing, use common sense and read up on securing your machine,
- Install only software you need and only packages from known good sources and update when updates are released,
- Don't open ports in your firewall and don't forward ports in your stateful NAT router unless you know you need it,
- Make regular backups and regularly check your machine for problems.

...or as I'd like to say: Linux may be free to use but using it should not be free of responsibilities.


That said, Tuxguardian, Leopardflower, Fireflier and Pgrd (all on Sourceforge.net BTW) were some examples of "ZoneAlarm-for-Linux"-like applications. None of them are maintained anymore, indicating the idea that with Linux things are done differently. It may be hard to understand now but once you've read the documentation and if you understand and adhere to the points I mentioned above you'll find there simply is no need to monitor and block outgoing processes. So I strongly suggest you get acquainted and read the basic user documentation, if unsure examine your system to verify its integrity and then ask detailed questions. You'll be saving yourself a lot of worrying for nothing, time and effort.

Thanks for your help my friend, it was greatly appreciated. I shall check out those programs you've mentioned.

JustAnotherHuman
