Solved

Linux 2.4 firewall, how can I monitor usage?

Posted on 2001-08-01
335 Views
Last Modified: 2010-03-18
We have a Linux box (mandrake 8.0 with kernel 2.4) set up as a firewall.

It has 2 NICs, one for our link and one into our switch. I noticed today that the usage looks fishy, i.e.: Received bytes (970MB) Transmitted bytes (2790MB).

As the link is only used for mail and www surfing I suspect either misuse of mail (all those porn videos) or someone running a warez server on our network.

I need a way to monitor traffic by host in our network. Overall usage statistics will also be useful of course.

I had a look on the web but got lost in all the pre-ipchains and other old methods (which I did not bother to even read. I am trying the easy way out here).

Thus what I need is pointers to the best network usage/firewall traffic usage software that will work with our current setup to catch the culprit.

Fire away ...

PS. Please do not tell me to run tcpdump. I am very capable of doing that but doing the math in my head is too much and writing scripts to do it will hog the server too much.
Question by:gysbert1
6 Comments
 
LVL 1

Accepted Solution

by:
batkung earned 300 total points
Try ntop, or snort.

Either requires that you monitor what's on the display.

I'm not sure if they are included as default in your install, but they can be obtained from freshmeat.net

have you checked your local file integrity on your machine to make sure that you haven't been root-kitted from outside?

if not, most of the root-kits install trojaned versions of ls, ps, top, netstat.....I found a rootkit on a machine by doing a updatedb, and then locate log...

 
LVL 5

Expert Comment

by:vsamtani
Are you able to insist that users on the network use proxy software on the firewall box, eg squid for web browsing? If you also install a mail server on the box, eg sendmail, and insist that all emails sent out from your network have to be relayed by it, you will get immediate logging of all mail and web surfing activity.

Having done that, you could then shut down all ip forwarding and let the proxy software take over the ipchains functions.

What was said earlier about checking for possible compromise of your system is very valid. If you have your original installation cd, reinstall the system utilities from the cd and check that everything is ok.

Vijay
 
LVL 2

Author Comment

by:gysbert1
Ok, am looking into the above.

I am running a proxy as well as mailserver on the machine as suggested already. Unfortunately we are a development company, developing some custom tcp/ip communications software amongst other things. I can thus not force all traffic through the proxy.

Am pretty sure the machine is still OK though. I can see that most of my traffic is coming from inside our network. I suspect mail or some gnutella or similar server but I cannot audit every machine on the lan.
 
LVL 2

Expert Comment

by:ifincham
Hi,

If you are using an iptables firewall, you can add logging quite easily. For example,

/sbin/iptables -A FORWARD -p tcp --dport 21 -j LOG --log-level warning --log-prefix "FTP inbound connex."
/sbin/iptables -A FORWARD -p tcp --dport 21 -j ACCEPT

This should put entries into /var/log/messages.

Above assumes the ftp server is on port 21, which for a warez server might well not be the case. What you could also do is exploit the 'not' option to log everything that was not going to a well-known port, e.g. '! --dport 1:1024'

/sbin/iptables -A FORWARD -p tcp ! --dport 1:1024 -j LOG --log-level warning --log-prefix "Unprivileged port."
/sbin/iptables -A FORWARD -p tcp ! --dport 1:1024 -j ACCEPT


Regards

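The LOG rules above answer the asker's objection to tcpdump only halfway: the kernel writes one line per packet to /var/log/messages, and someone still has to add up the LEN= fields per internal host. The script below is an added example, not code posted in this thread, that does that arithmetic with awk: it reads syslog lines on stdin, keeps only the ones carrying a given --log-prefix, and prints total bytes and packet count per SRC address, largest first. The log lines in SAMPLE_LOG are constructed for the example (the field layout is the one the 2.4 LOG target emits, and note the prefix runs straight into IN= unless the prefix itself ends in a space); the host and network addresses are placeholders.

```shell
#!/bin/sh
# Added example: per-source-host byte totals from iptables LOG entries.
# Not from the thread; assumes the LOG rules above are in place and that
# syslog delivers the kernel messages to the file you pipe in.

# Constructed sample of kernel LOG output (addresses are placeholders).
SAMPLE_LOG='Aug  1 10:00:01 fw kernel: Unprivileged port.IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=3456 DPT=6346 WINDOW=5840 RES=0x00 ACK URGP=0
Aug  1 10:00:02 fw kernel: Unprivileged port.IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=3456 DPT=6346 WINDOW=5840 RES=0x00 ACK URGP=0
Aug  1 10:00:03 fw kernel: Unprivileged port.IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=1122 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 10:00:04 fw kernel: FTP inbound connex.IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.1.22 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=4 DF PROTO=TCP SPT=40000 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0'

# usage: sum_bytes_by_src [log-prefix] < /var/log/messages
# Prints "SRC total_bytes packets", one line per source, largest first.
# With no prefix argument every kernel LOG line is counted.
sum_bytes_by_src() {
    prefix="${1:-}"
    grep -F "kernel:" | grep -F -- "$prefix" | awk '
    {
        src = ""; len = 0
        # Walk the whitespace-separated fields; LEN= is the IP total length.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^LEN=/) len = substr($i, 5) + 0
        }
        if (src != "") { bytes[src] += len; pkts[src]++ }
    }
    END { for (s in bytes) printf "%s %d %d\n", s, bytes[s], pkts[s] }
    ' | sort -k2 -n -r
}

# usage: top_talker [log-prefix] < /var/log/messages
# The single heaviest source for that rule, i.e. the host to look at first.
top_talker() {
    sum_bytes_by_src "$1" | head -n 1
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | sum_bytes_by_src
```

Run it against the live file as `sum_bytes_by_src 'Unprivileged port.' < /var/log/messages` on the firewall. Two caveats: a LOG rule placed before ACCEPT as in the comment above logs every packet of every matching flow, so on a busy link the log volume itself becomes a load on the box (a --limit match, or logging only SYN packets, keeps it manageable), and the totals are of logged packets only, so traffic that matched an earlier rule never appears in them.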
 
LVL 5

Expert Comment

by:vsamtani
Gnutella or something similar is quite possible, and the user may be completely unaware of the load it's putting on the network.

If you suspect that someone within the network is abusing the system, whether intentionally or not, then I would suggest you talk to whoever is in charge of the development team, and tell them that you need to tighten up security on the gateway. Ask them to specify which ports they need left open, and then you can shut everything else down (or you can leave it open, but log it). You will then have a much better chance of finding the PCs within the network that are imposing the load, and then investigating in more detail.

Vijay
 
LVL 2

Author Comment

by:gysbert1
Had a look at both, NTOP does the trick!

The latest version does not need monitoring of the display. It runs as a daemon and writes data to a GDB database on the server.

I can now monitor usage per src/dest host by protocol and time, and all of this via the web from my browser ...

Thanks
