Captive portal: how to log authenticated user data?
Hello everyone!
Can anybody give me some hints on how to implement a lawful interception system on my Linux (CentOS) server? I have installed the CoovaChilli access portal on it, which performs user authentication before providing network access. I would be glad to know what options I would have. I know I can use iptables logging capabilities for that, but I would like to be able to log some other data related to the authenticated user. Also I would like to see what options I would have for implementing the CALEA/ETSI standards.
Quote:
Originally Posted by artaxerxe
(..) I would like to see what options I would have for implementing the CALEA/ETSI standards.
Does what you provide fall under the CALEA definition of "telecom carrier"? In other words: do you have a clear legal obligation to be in compliance with the Act?
Quote:
Originally Posted by artaxerxe
Can anybody give me some hints on how to implement a lawful interception system on my Linux (CentOS) server?
If you answered the above questions with "yes" (and I do hope you'll be verbose about it) then please list the formal requirements you know and your idea on how to implement them.
Quote:
Originally Posted by artaxerxe
(..) I would like to be able to log some other data related to authenticated user.
Unless you show you have a thorough understanding of CALEA requirements I would advise you to stay away from asking such questions, and if you must ask then be exact about what it is you (think you) must record and elaborate the reasons why.
You want advice on how to attack the integrity of your users' communication?
I bet a user who wants advice on how to protect themselves from that gets a lot more advice.
To be clear: I need to implement a lawful interception module for my system. I think if I would need to hack the communication of my users, I would need to write from scratch a module, and document on some other things that are worthless to write here. All what I want to tell you is that I need to write a lawful interception module for my server, and being a newbie to this, I just need some thoughts. Hope to be clear. Thanks!
Quote:
Originally Posted by unSpawn
Does what you provide fall under the CALEA definition of "telecom carrier"? In other words: do you have a clear legal obligation to be in compliance with the Act?
No. I only need to implement a simple LI module on my server that can be placed (the server) in a hotel or in a public place where different clients can have Internet access through a captive portal. I introduced CALEA and ETSI standard names because I read from wikipedia about them to be the common standards for LI in USA and Europe. If I would need to implement that standards I would need to do much more research and for now, my system does not need that. I think we can drop out the CALEA and ETSI terms. I beg your pardon for being misunderstood.
Quote:
Originally Posted by unSpawn
If you answered the above questions with "yes" (and I do hope you'll be verbose about it) then please list the formal requirements you know and your idea on how to implement them.
My answer is definitely NO. All what I need to do is to have logged the IPs that a user accessed (maybe the url if possible), the user IP, related ports, protocols, access time and also I would need to log the username that this client used for authentication to captive portal - that data would need to be taken out from a database. For that I know iptables is a good tool, but I would be also curious (as not being a very experienced Linux user) if there are other tools that can be used for that. And also I'm not clear yet how to put the username related to request (as specified, that username being taken out from a database) in logs with iptables. I think that's all what I would need to implement for my LI module.
Quote:
Originally Posted by artaxerxe
No. I only need to implement a simple LI module on my server that can be placed (the server) in a hotel or in a public place where different clients can have Internet access through a captive portal. I introduced CALEA and ETSI standard names because I read from wikipedia about them to be the common standards for LI in USA and Europe. If I would need to implement that standards I would need to do much more research and for now, my system does not need that. I think we can drop out the CALEA and ETSI terms. I beg your pardon for being misunderstood.
Thanks for explaining your approach verbosely. While it would have been better had you not created the wrong impression in the first place, it is not too late to stop it (I already modified the thread title) by dropping your acronym usage altogether, especially usage of "LI". The latter implies you being subject to regulatory compliance and it remains unclear if you have any idea of what you're getting into. Some cause for concern should be voiced about you saying
Quote:
Originally Posted by artaxerxe
I would need to do much more research and for now, my system does not need that.
because that decision does not seem to be based on a thorough understanding of any applicable Data Protection Act or Privacy Law and its implications. It rather seems to convey your eagerness to dodge comprehending any and dispose of any compliance in favor of chasing practicalities. Do tread carefully.
Quote:
Originally Posted by artaxerxe
My answer is definitely NO. All what I need to do is to have logged the IPs that a user accessed (maybe the url if possible), the user IP, related ports, protocols, access time and also I would need to log the username that this client used for authentication to captive portal - that data would need to be taken out from a database. For that I know iptables is a good tool, but I would be also curious (as not being a very experienced Linux user) if there are other tools that can be used for that. And also I'm not clear yet how to put the username related to request (as specified, that username being taken out from a database) in logs with iptables. I think that's all what I would need to implement for my LI module.
Netfilter logging will (have to) do because the alternative, Deep Packet Inspection, would be way disproportional. As for mixing in user names I would first look at what the Captive Portal software you currently use offers in terms of API hooks or tools.
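Added example, not part of the original thread: one way to attach a portal username to netfilter LOG entries after the fact is to join each logged packet against the portal's session records by client IP and time. The session layout, the "PORTAL: " log prefix, the RFC 3339 syslog timestamps and all sample values below are constructed assumptions, not CoovaChilli's own schema or output.

```python
import re
from datetime import datetime

# Constructed portal sessions (username, client IP, start, stop); stop=None means
# still online. The layout is hypothetical, not CoovaChilli's schema.
SESSIONS = [
    ("alice", "10.1.0.23", "2024-05-01T09:00:00+00:00", "2024-05-01T09:30:00+00:00"),
    ("bob", "10.1.0.23", "2024-05-01T10:00:00+00:00", None),  # same IP, later lease
]

# Constructed syslog lines; the "PORTAL: " prefix stands for a --log-prefix value.
LOG_LINES = [
    "2024-05-01T09:05:12+00:00 gw kernel: PORTAL: IN=tun0 OUT=eth0 SRC=10.1.0.23 DST=192.0.2.10 PROTO=TCP SPT=51514 DPT=443",
    "2024-05-01T09:45:00+00:00 gw kernel: PORTAL: IN=tun0 OUT=eth0 SRC=10.1.0.23 DST=198.51.100.7 PROTO=TCP SPT=51620 DPT=80",
    "2024-05-01T10:01:00+00:00 gw CRON[77]: session opened for user root",
    "2024-05-01T10:02:30+00:00 gw kernel: PORTAL: IN=tun0 OUT=eth0 SRC=10.1.0.23 DST=203.0.113.5 PROTO=UDP SPT=40000 DPT=53",
]

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")

def parse_line(line):
    """Return the connection fields of one netfilter LOG line, or None."""
    stamp, _, rest = line.partition(" ")
    fields = dict(FIELD.findall(rest))
    if "SRC" not in fields or "DST" not in fields:
        return None  # not a netfilter LOG entry
    return {"time": datetime.fromisoformat(stamp), "src": fields["SRC"],
            "dst": fields["DST"], "proto": fields.get("PROTO"),
            "spt": fields.get("SPT"), "dpt": fields.get("DPT")}

def find_user(sessions, ip, when):
    """Match on IP *and* time window, because addresses are reused across leases."""
    for user, sess_ip, start, stop in sessions:
        if sess_ip != ip or when < datetime.fromisoformat(start):
            continue
        if stop is None or when < datetime.fromisoformat(stop):
            return user
    return None  # no session covered this packet

def correlate(lines, sessions):
    """Parse every LOG line and add the username whose session covers it."""
    rows = []
    for line in lines:
        row = parse_line(line)
        if row is not None:
            row["user"] = find_user(sessions, row["src"], row["time"])
            rows.append(row)
    return rows

if __name__ == "__main__":
    for r in correlate(LOG_LINES, SESSIONS):
        print(r["time"].isoformat(), r["user"], r["src"], r["dst"], r["proto"], r["dpt"])
```

A row whose user is None is traffic logged while no session covered that address; it is kept in the output rather than attributed to the previous or next holder of the IP.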