Solved

Linux 2.4 firewall, how can I monitor usage?

Posted on 2001-08-01
Last Modified: 2010-03-18
We have a Linux box (mandrake 8.0 with kernel 2.4) set up as a firewall.

It has 2 NIC's, one for our link and one into our switch. I noticed today that the usage looks fishy. i.e. : Received bytes (970MB) Transmitted bytes (2790MB).

As the link is only used for mail and www surfing I suspect either misuse of mail (all those porn videos) or someone running a warez server on our network.

I need a way to monitor traffic by host in our network. Overall usage statistics will also be useful of course.

I had a look on the web but got lost in all the pre-ipchains and other old methods (which I did not bother to even read. I am trying the easy way out here).

Thus what I need is pointers to the best network usage/firewall traffic usage software that will work with our current setup to catch the culprit.

Fire away ...

PS. Please do not tell me to run tcpdump. I am very capable of doing that but doing the math in my head is too much and writing scripts to do it will hog the server too much.
0
Question by:gysbert1
6 Comments
 
LVL 1

Accepted Solution

by:
batkung earned 300 total points
ID: 6344686
try ntop, or snort

either require that you monitor what's on the display.

I'm not sure if they are included as default in your install, but they can be obtained from freshmeat.net

have you checked your local file integrity on your machine to make sure that you haven't been root-kitted from outside?

if not, most of the root-kits install trojaned versions of ls, ps, top, netstat.....I found a rootkit on a machine by doing a updatedb, and then locate log...

0
 
LVL 5

Expert Comment

by:vsamtani
ID: 6345970
Are you able to insist that users on the network use proxy software on the firewall box, eg squid for web browsing? If you also install a mail server on the box, eg sendmail, and insist that all emails sent out from your network have to be relayed by it, you will get immediate logging of all mail and web surfing activity.

Having done that, you could then shut down all ip forwarding and let the proxy software take over the ipchains functions.

What was said earlier about checking for possible compromise of your system is very valid. If you have your original installation cd, reinstall the system utilities from the cd and check that everything is ok.

Vijay
0
 
LVL 2

Author Comment

by:gysbert1
ID: 6354788
Ok, am looking into the above.

I am running a proxy as well as mailserver on the machine as suggested already. Unfortunately we are a development company, developing some custom tcp/ip communications software amongst other things. I can thus not force all traffic through the proxy.

Am pretty sure the machine is still OK though. I can see that most of my traffic is coming from inside our network. I suspect mail or some gnutella or similar server but I cannot audit every machine on the lan.
0
 
LVL 2

Expert Comment

by:ifincham
ID: 6363669
Hi,

If you are using a iptables firewall, you can add logging quite easily. For example,

/sbin/iptables -A FORWARD -p tcp --dport 21 -j LOG --log-level warning --log-prefix "FTP inbound connex."
/sbin/iptables -A FORWARD -p tcp --dport 21 -j ACCEPT

This should put entries into /var/log/messages.

Above assumes ftp server is on port 21 which for a warez server might well not be the case. What you could also do is exploit the 'not' option to log everything that was not going to a well-known port, e.g. '! --dport 1:1024'

/sbin/iptables -A FORWARD -p tcp ! --dport 1:1024 -j LOG --log-level warning --log-prefix "Unpriveleged port."
/sbin/iptables -A FORWARD -p tcp ! --dport 1:1024 -j ACCEPT


Regards

0
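Added example (not from this thread): once LOG rules like the ones above are in place, the per-packet entries they write to /var/log/messages can be summed per LAN host, which gives the by-host usage the question asks for. The log lines below are constructed in the 2.4 kernel LOG format, and the LAN interface name eth1 is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/messages: the LOG target writes its --log-prefix
# directly followed by IN=/OUT=/SRC=/DST=/LEN=... for every matching packet.
SAMPLE_LOG = """\
Aug  1 10:15:22 fw kernel: Unpriveleged port.IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=1034 DPT=6346 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Aug  1 10:15:22 fw kernel: Unpriveleged port.IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=1034 DPT=6346 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Aug  1 10:15:23 fw kernel: Unpriveleged port.IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=1100 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 10:15:24 fw kernel: FTP inbound connex.IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=192.168.1.20 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=40000 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 10:15:25 fw sshd[812]: Accepted password for admin from 192.168.1.2 port 1022
"""

LOG_RE = re.compile(
    r"kernel: (?P<prefix>.*?)IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) LEN=(?P<len>\d+).*?"
    r"PROTO=(?P<proto>\S+)(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)

def parse_log_line(line):
    """Return the fields of one iptables LOG entry, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["len"] = int(rec["len"])
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None  # no DPT for e.g. ICMP
    return rec

def bytes_by_host(text, lan_if="eth1"):
    """Sum LEN per internal host. LOG fires once per packet, so the totals
    approximate bytes sent (packet came IN on the LAN side) and bytes
    received (packet goes OUT on the LAN side) for each LAN address."""
    sent, received = defaultdict(int), defaultdict(int)
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        if rec["in"] == lan_if:
            sent[rec["src"]] += rec["len"]
        elif rec["out"] == lan_if:
            received[rec["dst"]] += rec["len"]
    return dict(sent), dict(received)

def top_talkers(text, lan_if="eth1", n=5):
    """Internal hosts ordered by bytes sent out, largest first."""
    sent, _ = bytes_by_host(text, lan_if)
    return sorted(sent.items(), key=lambda kv: kv[1], reverse=True)[:n]

if __name__ == "__main__":
    for host, nbytes in top_talkers(SAMPLE_LOG):
        print(f"{host:15s} {nbytes:>10d} bytes out")
```

Run it against the real file with `bytes_by_host(open("/var/log/messages").read())`; because LOG writes one line per packet, pair the rules with a `--limit` match or restrict them to SYN packets if the log volume itself becomes a load on the box.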
 
LVL 5

Expert Comment

by:vsamtani
ID: 6363852
Gnutella or something similar is quite possible, and the user may be completely unaware of the load it's putting on the network.

If you suspect that someone within the network is abusing the system, whether intentionally or not, then I would suggest you talk to whoever is in charge of the development team, and tell them that you need to tighten up security on the gateway. Ask them to specify which ports they need left open, and then you can shut everything else down (or you can leave it open, but log it). You will then have a much better chance of finding the pcs within the network that are imposing the load, and then investigating in more detail.

Vijay
0
 
LVL 2

Author Comment

by:gysbert1
ID: 6403948
Had a look at both, NTOP does the trick!

The latest version does not need monitoring of the display. It runs as a daemon and writes data to a GDB database on the server.

I can now monitor usage per src/dest host by protocol and time, and all of this via the web from my browser ...

Thanks

0
