LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 10-14-2009, 02:45 PM   #1
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292
monitoring internet access (IP logs) of computer on my LAN


I need to monitor everything that is being done, especially internet-wise on a computer on my LAN. I'm not exactly sure what the best solution is.

I mean I specifically want to know what sites are surfed, or at least what IPs are accessed by the computer on my LAN, and actually it would be fine if it just monitored all traffic from my LAN to the internet, that would also work. A keylogger would also work, but maybe as a last resort, because I've tried them before and they all seem to suck, and again it is internet traffic that is the important part.

So far I've tried packet sniffers like ethereal, but these would require that I install it on said computer, the question is this: How would I make sure the user does not simply modify the logs or kill the program. Also, it would be nice if the program e-mail the logs to me once in a while, so I don't have to go get them myself. Again, I have root access to this machine, it is my computer, but the user also has root access. Maybe I should just restrict root access to the user, but this causes other problems, then I'd need to setup sudo properly or something, and where would I keep the log so it is safe, and make sure the program runs and cannot be killed, etc.

I've heard that ethereal can actually sniff packets for all computers on a switched network, but I'm not sure if this appiles to my network.

The easiest solution would probably be the best one here, so nothing too complicated please.

I've also checked my router, and it has a log function, but it only logs system errors for itself, not IPs, so it's useless I guess.
 
Old 10-14-2009, 03:39 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
So if you had a list of hostnames or IP addresses visited over http/s by a single client on your LAN, that would solve your problem?
 
Old 10-14-2009, 03:45 PM   #3
wfh
Member
 
Registered: Sep 2009
Location: Northern California
Distribution: Ubuntu Debian CentOS RHEL Suse
Posts: 164

Rep: Reputation: 44
Quote:
Originally Posted by H_TeXMeX_H View Post
I need to monitor everything...Maybe I should just restrict root access to the user, but this causes other problems, then I'd need to setup sudo properly or something
*Everything* is asking a lot. You can't effectively monitor logs for every action a user takes. If the user has root access, you can't be sure of anything. If you restrict access and set him/her up in sudoers, then you can regulate the kinds of things they can do and the security logs will show what those things are. Set the sticky bit on .bash_history, too.

Quote:
Originally Posted by H_TeXMeX_H View Post
I've heard that ethereal can actually sniff packets for all computers on a switched network, but I'm not sure if this appiles to my network.
All traffic can be monitored by tcpdump or ethereal. Ask yourself, "How many hours a day do I want to review logs?"
 
Old 10-14-2009, 03:54 PM   #4
wfh
Member
 
Registered: Sep 2009
Location: Northern California
Distribution: Ubuntu Debian CentOS RHEL Suse
Posts: 164

Rep: Reputation: 44
One more thing, if they have physical access to a machine, they "own it". Boot from CD, boot from USB, etc. Is this business or personal? If business, you can build a case for violation of terms of use/policy.
 
Old 10-14-2009, 07:40 PM   #5
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 7.7 (?), Centos 8.1
Posts: 17,873

Rep: Reputation: 2600Reputation: 2600Reputation: 2600Reputation: 2600Reputation: 2600Reputation: 2600Reputation: 2600Reputation: 2600Reputation: 2600Reputation: 2600Reputation: 2600
If you have a gateway machine different to the wkstn in question, you could add SQUID, no restrictions (initially), just logging.
Don't give the user a login to that system.
 
Old 10-14-2009, 07:47 PM   #6
Elv13
Member
 
Registered: Apr 2006
Location: Montreal,Quebec
Distribution: Gentoo
Posts: 825

Rep: Reputation: 129Reputation: 129
Solution 1:
An hardware gateway. Some free OS exist for that like ipcop, smoothwall, astaro (free for small network), pfsense (my own choice), endian and engarde. The "netstat" command can list every connection with the website url. PFsense also have a display mode if you connect a screen on it displaying every active connection (source and destination IP)

Solution 2:
A hub with a computer connected to it and a packet sniffer. You will see all packets passing in the hub nomather where they come from or where they go, you will just see everything.

Solution 3:
Using a bash/dos script on client collecting information and sending them, it is quite a trivial script to do.
 
Old 10-15-2009, 01:56 PM   #7
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928

Original Poster
Blog Entries: 2

Rep: Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292
Thanks for the responses so far.

Quote:
Originally Posted by anomie View Post
So if you had a list of hostnames or IP addresses visited over http/s by a single client on your LAN, that would solve your problem?
Yes, I think that would solve it.

Quote:
Originally Posted by wfh View Post
One more thing, if they have physical access to a machine, they "own it". Boot from CD, boot from USB, etc. Is this business or personal? If business, you can build a case for violation of terms of use/policy.
Both I and them have physical access to the machine, and it is for personal use, not business. In fact, I bought the machine, so it's technically mine in any case.

Quote:
Originally Posted by wfh View Post
All traffic can be monitored by tcpdump or ethereal. Ask yourself, "How many hours a day do I want to review logs?"
You know that's a very good point, I guess I'll need to write a script to parse the log for info I might need. It's true that I'm not going to read thousands of lines of IP logs. Yet another problem to solve.

Quote:
Originally Posted by Elv13 View Post
Solution 1:
An hardware gateway. Some free OS exist for that like ipcop, smoothwall, astaro (free for small network), pfsense (my own choice), endian and engarde. The "netstat" command can list every connection with the website url. PFsense also have a display mode if you connect a screen on it displaying every active connection (source and destination IP)

Solution 2:
A hub with a computer connected to it and a packet sniffer. You will see all packets passing in the hub nomather where they come from or where they go, you will just see everything.

Solution 3:
Using a bash/dos script on client collecting information and sending them, it is quite a trivial script to do.
All very useful info, thank you. I didn't know netstat listed that. I might just use solution #3. Any recommendation on the best program to use for such a script ... netstat ? or is there a better solution. I'm quite competent at scripting so I can probably handle that, but I still need a good program that collects the data I need.

Last edited by H_TeXMeX_H; 10-15-2009 at 01:57 PM.
 
Old 10-15-2009, 08:27 PM   #8
wfh
Member
 
Registered: Sep 2009
Location: Northern California
Distribution: Ubuntu Debian CentOS RHEL Suse
Posts: 164

Rep: Reputation: 44
Quote:
Originally Posted by chrism01 View Post
If you have a gateway machine different to the wkstn in question, you could add SQUID, no restrictions (initially), just logging.
Don't give the user a login to that system.
I think chrism01's suggestion could potentially be the most elegant solution. A proxy would give you much more control over traffic, and your logging would be much simpler.

I used to work in an R&D lab where they tried, in vain, to clamp down on all sorts of traffic. Of course, that just led to tunneling and remote login to other hosts to get around the restrictions. In the end, management reached a place where they accepted that they were herding cats and we honored a gentleman's agreement not to abuse access.

Is that a possibility? Is this a loose cannon about to fall through your deck?
 
Old 10-16-2009, 12:53 AM   #9
Elv13
Member
 
Registered: Apr 2006
Location: Montreal,Quebec
Distribution: Gentoo
Posts: 825

Rep: Reputation: 129Reputation: 129
@H_TeXMeX_H: yes, use netstat if you want to go that way. Other tools exist, but netstat is installed by default and will do the job just fine

Code:
netstat --inet -avW --program
is probably the command you are looking for. But warning, as all other solution, the connection time may be quite small, if the script does not run during this tiny timeframe, as every solution except squid will miss many websites.
 
Old 10-16-2009, 04:12 AM   #10
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928

Original Poster
Blog Entries: 2

Rep: Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292
Quote:
Originally Posted by wfh View Post
I think chrism01's suggestion could potentially be the most elegant solution. A proxy would give you much more control over traffic, and your logging would be much simpler.

I used to work in an R&D lab where they tried, in vain, to clamp down on all sorts of traffic. Of course, that just led to tunneling and remote login to other hosts to get around the restrictions. In the end, management reached a place where they accepted that they were herding cats and we honored a gentleman's agreement not to abuse access.

Is that a possibility? Is this a loose cannon about to fall through your deck?
Hmm, so this would mean that I would need to setup squid on one of my computers and keep it running for all time I need it to be monitoring, right ? I'm not sure I can do that, the power goes out here a lot.

Maybe I'll try the script solution at certain intervals. Maybe I don't need all the internet traffic, I just want to sample it here and there, that might be good enough.
 
Old 10-16-2009, 05:39 AM   #11
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897Reputation: 897Reputation: 897Reputation: 897Reputation: 897Reputation: 897Reputation: 897
Quote:
Originally Posted by chrism01 View Post
If you have a gateway machine different to the wkstn in question, you could add SQUID, no restrictions (initially), just logging.
I like the squid solution, but I have to point out that it might not do what you need, in a couple of respects:
  • depending on your network arch, a 'clever' user may be able to divert packets around the squid box, if they want to
  • squid will tell you which sites (and even which pages on which sites) have been accessed from your network. That doesn't, at least by default, tell you which machine, or more particularly which user, has been doing the accessing
If those aren't problems to you (and you haven't really explained the background...I can see there might be reasons that you don't want to do that), go with squid!

Otherwise, I think my next idea would be to look at wireshark and its ability to filter packets. All of what wireshark does is primarily by ip addresses rather than by URL, so you'd have to manually convert suspect URLs to suspect IPs, but if the number of suspect URLs is small, this shouldn't be a problem...until the association between URLs and IPs is changed (so, if this is a long term problem, you might have to keep re-mapping that association).
 
Old 10-16-2009, 05:52 AM   #12
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928

Original Poster
Blog Entries: 2

Rep: Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292
Well, for the background, let's just say this user is not to be trusted, and I have been deemed with the task of monitoring the connection and making sure certain sites are not accessed. I know I could probably use programs to block these services and sites, but I know that there exist easy ways to bypass this (proxy). Besides, I don't actually have a list of sites to be banned.
 
Old 10-16-2009, 08:59 AM   #13
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928

Original Poster
Blog Entries: 2

Rep: Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292
Ok, I think I've found the best solution to the problem, I'm marking this solved. Thanks to everyone for they help.
 
Old 10-17-2009, 08:47 AM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
Quote:
Originally Posted by H_TeXMeX_H View Post
Ok, I think I've found the best solution to the problem
So what did you judge as the best solution?
 
Old 10-17-2009, 09:14 AM   #15
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928

Original Poster
Blog Entries: 2

Rep: Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292Reputation: 1292
A script, either for network monitoring, or I recently found keylogging.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Internet access control & monitoring for LAN & WLAN DJ_Cyberdance Linux - Networking 1 07-01-2008 03:38 AM
MASTER lan to internet monitoring. joncolby Linux - Networking 1 06-24-2004 03:03 PM
MASTER lan to internet monitoring. joncolby Linux - Software 1 06-24-2004 01:09 PM
Restrict Access to Internet from one computer on LAN fuzzie Linux - Networking 1 06-06-2004 02:16 AM
Internet access monitoring bmckee Linux - Security 2 02-09-2002 11:39 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 12:28 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration