I'm just getting the hang of things with my Linux VM server and I'd like to find a monitoring tool that will let me view packets, connection attempts from outside, attacks, things of that nature. I realize this is a broad topic that could lead to many other questions but all I'm really looking for are suggestions for open source software that can accomplish the type of things I've mentioned above.
Wireshark is what you're after. Tcpdump is alright too, but Wireshark has a nice GUI. I use it for monitoring network traffic and if one of the servers is having the blues.
Wireshark is what you're after. Tcpdump is alright too, but Wireshark has a nice GUI.
Given servers usually are headless, risk should be minimized and resources should be spent wisely, IMHO it should be the other way around: use tcpdump (or Wireshark's command line equivalent rawshark) for just capturing packets on the server, and Wireshark, or any other network traffic analysis tool, on the analysis workstation.
Quote:
Originally Posted by gr0undzer0
I'd like to find a monitoring tool that will let me view packets, connection attempts from outside, attacks
First I'd like to add that proper hardening, in your case of the host and virtualization guest, should be aimed at reducing exposure and therefore risks. That should make regular auditing more efficient, with less effort and time needed for monitoring. If you're only after logging network connections then you can use firewall rules with "-j LOG" filters; capturing packets I commented on above; and active traffic classification, possibly combined with packet capture, you can do with an IDS like Snort, Prelude or Suricata. I can't emphasize enough that proper hardening, preferably prior to exposing the server, is key.
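As an added illustration of the "-j LOG" approach mentioned above (example code, not from any poster in this thread), here is a small parser that reads the kernel log lines the netfilter LOG target writes and summarizes inbound connection attempts per source and port, flagging sources that touched several distinct ports. It assumes a rule such as `iptables -A INPUT -p tcp --syn -m limit --limit 5/min -j LOG --log-prefix "IPT-IN: "`; the log lines, host names and addresses below are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format the netfilter LOG target writes to the
# kernel log (seen in /var/log/kern.log or `journalctl -k`). Assumed rule:
#   iptables -A INPUT -p tcp --syn -m limit --limit 5/min -j LOG --log-prefix "IPT-IN: "
SAMPLE_LOG = """\
Jan 12 03:14:15 vmhost kernel: IPT-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 12 03:14:16 vmhost kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 12 03:14:16 vmhost kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 12 03:14:17 vmhost kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51237 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 12 03:20:01 vmhost kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 03:20:05 vmhost kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 03:21:00 vmhost kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40002 DPT=53 LEN=32
Jan 12 03:21:30 vmhost sshd[1234]: Accepted publickey for admin from 198.51.100.7 port 40003 ssh2
"""

# KEY=VALUE tokens; VALUE may be empty (e.g. "OUT=" on an inbound packet).
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line, prefix="IPT-IN: "):
    """Return the netfilter LOG fields of one kernel log line as a dict,
    or None if the line was not written by the LOG rule (prefix absent)."""
    if prefix not in line:
        return None
    fields = dict(FIELD_RE.findall(line.split(prefix, 1)[1]))
    # Bare flag tokens (SYN, DF, ACK ...) carry no '=' and are not matched above.
    fields["SYN"] = " SYN " in line or line.endswith(" SYN")
    return fields

def summarize(log_text):
    """Count logged attempts per (source address, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f:
            counts[(f["SRC"], f["PROTO"], int(f["DPT"]))] += 1
    return counts

def suspicious_sources(log_text, min_ports=3):
    """Sources that hit at least `min_ports` distinct TCP ports, the footprint a
    port sweep leaves in LOG output. The threshold is a constructed example value."""
    ports = defaultdict(set)
    for (src, proto, dpt) in summarize(log_text):
        if proto == "TCP":
            ports[src].add(dpt)
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)
```

Because the rule uses `-m limit`, the counts are a lower bound on what actually arrived; a rate-limited LOG rule tells you who is knocking, not the full packet stream, which is what the tcpdump capture is for.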
Thank you for taking the time to respond. Your answers were both really helpful. I'll start having fun with these tools when I get home from work today. My Xen VM server is at home not at work unfortunately. Ah well you have to start somewhere.