

Linux 2.4 firewall, how can I monitor usage?

Posted on 2001-08-01
Medium Priority
Last Modified: 2010-03-18
We have a Linux box (mandrake 8.0 with kernel 2.4) set up as a firewall.

It has 2 NICs, one for our link and one into our switch. I noticed today that the usage looks fishy, i.e.: Received bytes (970MB), Transmitted bytes (2790MB).

As the link is only used for mail and www surfing I suspect either misuse of mail (all those porn videos) or someone running a warez server on our network.

I need a way to monitor traffic by host in our network. Overall usage statistics will also be useful, of course.

I had a look on the web but got lost in all the pre-ipchains and other old methods (which I did not bother to even read. I am trying the easy way out here).

Thus what I need is pointers to the best network usage/firewall traffic usage software that will work with our current setup to catch the culprit.

Fire away ...

PS. Please do not tell me to run tcpdump. I am very capable of doing that but doing the math in my head is too much and writing scripts to do it will hog the server too much.
Question by:gysbert1

Accepted Solution

batkung earned 1200 total points
ID: 6344686
try ntop, or snort

Either requires that you monitor what's on the display.

I'm not sure if they are included as default in your install, but they can be obtained from freshmeat.net

have you checked your local file integrity on your machine to make sure that you haven't been root-kitted from outside?

If not, most of the root-kits install trojaned versions of ls, ps, top, netstat... I found a rootkit on a machine by doing an updatedb, and then locate log...


Expert Comment

ID: 6345970
Are you able to insist that users on the network use proxy software on the firewall box, eg squid for web browsing? If you also install a mail server on the box, eg sendmail, and insist that all emails sent out from your network have to be relayed by it, you will get immediate logging of all mail and web surfing activity.

Having done that, you could then shut down all ip forwarding and let the proxy software take over the ipchains functions.

What was said earlier about checking for possible compromise of your system is very valid. If you have your original installation cd, reinstall the system utilities from the cd and check that everything is ok.


Author Comment

ID: 6354788
Ok, am looking into the above.

I am running a proxy as well as mailserver on the machine as suggested already. Unfortunately we are a development company, developing some custom tcp/ip communications software amongst other things. I can thus not force all traffic through the proxy.

Am pretty sure the machine is still OK though. I can see that most of my traffic is coming from inside our network. I suspect mail or some gnutella or similar server but I cannot audit every machine on the lan.


Expert Comment

ID: 6363669

If you are using an iptables firewall, you can add logging quite easily. For example,

/sbin/iptables -A FORWARD -p tcp --dport 21 -j LOG --log-level warning --log-prefix "FTP inbound connex."
/sbin/iptables -A FORWARD -p tcp --dport 21 -j ACCEPT

This should put entries into /var/log/messages.

The above assumes the ftp server is on port 21, which for a warez server might well not be the case. What you could also do is exploit the 'not' option to log everything that was not going to a well-known port, e.g. '! --dport 1:1024'

/sbin/iptables -A FORWARD -p tcp ! --dport 1:1024 -j LOG --log-level warning --log-prefix "Unpriveleged port."
/sbin/iptables -A FORWARD -p tcp ! --dport 1:1024 -j ACCEPT
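As an added example (not part of the thread), here is a small Python script that does the "math" the asker did not want to do by hand: it reads the kernel LOG entries that rules like the two above write to /var/log/messages and totals packets and bytes per internal SRC host and destination port, so the heaviest talker on the LAN stands out. The log-prefix strings are the ones from the rules above; the sample log lines, hosts and ports are constructed for the demo.

```python
import re
from collections import defaultdict

# Prefixes from the two rules above; the kernel prints "IN=" directly after them.
PREFIXES = ("FTP inbound connex.", "Unpriveleged port.")
# KEY=value fields of a 2.4 iptables LOG entry (flags such as DF/ACK/PSH carry no '=').
FIELD_RE = re.compile(r"([A-Z]+)=(\S+)")

def parse_log_line(line):
    """Return the field dict of one kernel LOG line, or None for any other line."""
    if "kernel:" not in line:
        return None
    prefix = next((p for p in PREFIXES if p in line), None)
    if prefix is None:
        return None
    fields = dict(FIELD_RE.findall(line.split(prefix, 1)[1]))
    # SRC and LEN are always present; DPT only exists for TCP/UDP, so it stays optional.
    if "SRC" not in fields or "LEN" not in fields:
        return None
    return fields

def summarise(lines):
    """Aggregate packet count and bytes per (SRC host, PROTO, DPT) from log lines."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in lines:
        f = parse_log_line(line)
        if f is None:
            continue
        key = (f["SRC"], f.get("PROTO", "?"), f.get("DPT", "-"))
        totals[key]["packets"] += 1
        totals[key]["bytes"] += int(f["LEN"])
    return dict(totals)

def top_talkers(lines, n=3):
    """The n (SRC, PROTO, DPT) keys with the most logged bytes, heaviest first."""
    totals = summarise(lines)
    return sorted(totals, key=lambda k: totals[k]["bytes"], reverse=True)[:n]

# Constructed sample lines in the layout kernel 2.4 writes (hosts and ports are made up).
SAMPLE_LOG = [
    "Aug  1 10:15:32 fw kernel: Unpriveleged port.IN=eth1 OUT=eth0 SRC=192.168.1.23 "
    "DST=203.0.113.9 LEN=1500 TTL=63 DF PROTO=TCP SPT=6346 DPT=6346 ACK PSH URGP=0",
    "Aug  1 10:15:33 fw kernel: Unpriveleged port.IN=eth1 OUT=eth0 SRC=192.168.1.23 "
    "DST=203.0.113.9 LEN=1500 TTL=63 DF PROTO=TCP SPT=6346 DPT=6346 ACK PSH URGP=0",
    "Aug  1 10:15:40 fw kernel: FTP inbound connex.IN=eth0 OUT=eth1 SRC=198.51.100.7 "
    "DST=192.168.1.40 LEN=60 TTL=51 DF PROTO=TCP SPT=1122 DPT=21 SYN URGP=0",
    "Aug  1 10:16:05 fw sshd[412]: Accepted password for gysbert from 192.168.1.40",
]
```

Run it against the real file with `summarise(open("/var/log/messages"))`; because it only reads syslog output it adds no load beyond what the LOG rules themselves already cost.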



Expert Comment

ID: 6363852
Gnutella or something similar is quite possible, and the user may be completely unaware of the load it's putting on the network.

If you suspect that someone within the network is abusing the system, whether intentionally or not, then I would suggest you talk to whoever is in charge of the development team, and tell them that you need to tighten up security on the gateway. Ask them to specify which ports they need left open, and then you can shut everything else down (or you can leave it open, but log it). You will then have a much better chance of finding the pcs within the network that are imposing the load, and then investigating in more detail.


Author Comment

ID: 6403948
Had a look at both, NTOP does the trick!

The latest version does not need monitoring of the display. It runs as a daemon and writes data to a GDB database on the server.

I can now monitor usage per src/dest host by protocol and time, and all of this via the web from my browser ...


