How to document which computer on network is reaching out to porn sites

Posted on 2012-08-31
Last Modified: 2013-12-07
We have opendns for content filtering at our school.  Every few days I am getting a report saying hundreds of porn sites are being accessed.

I do know that when a porn search is done, opendns blocks all links resulting from that search.  So if I search for porn, even though I do not click on anything, it will register a bunch of sites blocked.

Since the filtering is occurring at the opendns server, it can only tell me when requests are made and what has been blocked.  It cannot tell me which computer is making the search request.

I have spent the last 2 hours searching for network monitoring programs, proxy servers, how to set up a proxy server and I am either using the wrong terms, stupid or there is nothing that will do what I am asking.

There is a nifty little log in my router, but it only reports the last +/- 75 web sites accessed.  It shows me the internal address making the request and the external destination address.  But it is only a temporary log and only stores the last batch of requests.  So to use it effectively, I would have to be looking at the log and know the IP address of the porn site right when it happened, and that is not going to happen.

So I am looking for a way to collect the internal ip or mac addresses and ideally the human readable .com web address or ip address that each machine requested on the network.

Can anyone tell me how to do that?

Thank you.
Question by:Jerry Thompson
12 Comments
 
LVL 2

Expert Comment

by:rumytaulu
ID: 38358387
What kind of operating system is used for your OpenDNS server? Was it Linux or Windows?

--
rumy
 
LVL 6

Expert Comment

by:mo_patel
ID: 38358590
That's a bit crap if it doesn't tell you the machine name or IP of the machines causing the alerts...

Might need to look at some new monitoring software.
 
LVL 35

Expert Comment

by:Bembi
ID: 38358677
If your current devices don't log what you want to see, a proxy server can do the job and much more, i.e. MS ISA / TMG, but other products also have good logging options.

As you talk about a school, I guess TMG should not be such an expensive investment, and it does a good job. TMG with URL filtering (additional licence) can even block traffic to such sites.
 
LVL 21

Assisted Solution

by:Rick_O_Shay
Rick_O_Shay earned 375 total points
ID: 38358742
A quick and dirty way would be to do a Wireshark capture on a port mirror of your Internet router's port. Just do a capture filter of outbound DNS packets. You can have it save to files to get a longer time period.

Of course that would capture all DNS requests and you would have to weed through it to see what you are looking for.

A proxy server or packet shaper will get you the same information but at a cost.

Would setting the parental control tools on your PC's record this type of behavior?
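The capture-and-weed-through approach in the comment above, worked through as an added example (this is not code from the original thread or from any product mentioned in it). The block decodes the question section of DNS packets by hand, attributes each query to the internal address that sent it, and flags only the clients that looked up names under a watch list, so the "hundreds of blocked sites" in the OpenDNS report can be traced to one machine. The packets, addresses and watch-list domain are constructed sample data; a real run would read them from a Wireshark or tcpdump capture taken on a port mirror of the router's LAN port with the capture filter `udp dst port 53`.

```python
import struct
from collections import defaultdict


def build_query(name, txid=0x1234, qtype=1):
    """Build a minimal DNS query (QR=0, RD=1, one question).
    Only used here to construct sample traffic; a real capture supplies payloads."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(payload, offset):
    """Decode the length-prefixed labels of a QNAME starting at offset."""
    labels = []
    while True:
        length = payload[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            # compression pointers belong in answers; a client query should not use them
            raise ValueError("compression pointer in question section")
        offset += 1
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length


def parse_dns_query(payload):
    """Return (qname, qtype) for a DNS query, or None if the packet is an answer."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount == 0:   # QR bit set: this is the resolver's reply
        return None
    qname, offset = parse_qname(payload, 12)
    qtype, _qclass = struct.unpack("!HH", payload[offset:offset + 4])
    return qname, qtype


def attribute_queries(packets):
    """packets: iterable of (client_ip, dns_payload).
    Returns {client_ip: {qname: count}}, skipping answers and malformed packets."""
    seen = defaultdict(lambda: defaultdict(int))
    for client_ip, payload in packets:
        try:
            parsed = parse_dns_query(payload)
        except (ValueError, IndexError, UnicodeDecodeError, struct.error):
            continue   # junk on the wire must not abort a multi-day capture run
        if parsed is None:
            continue
        qname, _qtype = parsed
        seen[client_ip][qname.lower()] += 1
    return {ip: dict(names) for ip, names in seen.items()}


def matches_watchlist(qname, watchlist):
    """True if qname is a watch-listed domain or a subdomain of one."""
    qname = qname.lower().rstrip(".")
    return any(qname == d or qname.endswith("." + d) for d in watchlist)


def flag_clients(packets, watchlist):
    """Map each internal address to the sorted watch-listed names it looked up."""
    flagged = {}
    for ip, names in attribute_queries(packets).items():
        hits = sorted(n for n in names if matches_watchlist(n, watchlist))
        if hits:
            flagged[ip] = hits
    return flagged


# Constructed sample traffic: hypothetical private addresses and reserved
# example names, not data from any real network.
WATCHLIST = {"example.org"}
SAMPLE_PACKETS = [
    ("192.168.1.23", build_query("www.example.com")),
    ("192.168.1.45", build_query("cdn.example.net")),
    ("192.168.1.23", build_query("blocked.example.org")),
    ("192.168.1.23", build_query("blocked.example.org", txid=0x1235)),
    # a reply coming back from the resolver (QR=1): not a client's request
    ("10.0.0.5", struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)),
    # a truncated packet that must be skipped, not crash the run
    ("192.168.1.99", b"\x00\x01"),
]

if __name__ == "__main__":
    for ip, hits in flag_clients(SAMPLE_PACKETS, WATCHLIST).items():
        print(ip, hits)
```

Two practical notes. First, Wireshark's own tool can do the attribution step without any code: `tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e eth.src -e ip.src -e dns.qry.name` prints one line per query; the parser above is for when you want your own watch-list matching over a long series of saved capture files. Second, because the suspect is a personal device on DHCP, record the source MAC (`eth.src`) as well as the IP: the IP can change between leases, the MAC identifies the device. A DNS lookup only shows that a name was resolved, not that a page was viewed, which is the same caveat the question already makes about search-result pages.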
 

Author Comment

by:Jerry Thompson
ID: 38359735
The server runs Windows 2008 Std Server, 32-bit.

We are a small private school with minimal budget, so even several hundred dollars is a challenge.

The OpenDNS is on the internet side of the network, so it does not surprise me that it cannot read the internal IP address.

I don't have access to all devices.  Currently, personal devices are allowed and I suspect it is a personal device.  So mac or ip address would positively identify the culprit.

I have wireshark installed on the server, but it looks like it is monitoring just the local server traffic, not the requests made by other individual computers.

I have a couple of older boxes I might be able to configure for a proxy server.  I know enough to know it can be done, but not enough to tackle without complete instructions.  Plus if I do install a proxy server, what software do I run to track the traffic? Wireshark?

Thanks for your ideas.
 
LVL 2

Expert Comment

by:rumytaulu
ID: 38359759
If you have a linux machine (ubuntu for example) I suggest iptraf (http://iptraf.seul.org/) it's a simple iptraffic monitor, there's a windows port too.

--
rumy
 
LVL 35

Assisted Solution

by:Bembi
Bembi earned 1125 total points
ID: 38360235
Let me put some things together...
Depending on your client configuration, only the device which gets the request from the client can log the traffic. So, if your clients point to a router via default gateway, only this router can catch what is going out over it.

If this device is not capable of logging what you want to see, you need either a different device, or you need a "proxy" between the client and your router which can catch the traffic. In this case, the default gateway of the clients points to the proxy, and the proxy points to the router.

If you use Wireshark to catch the traffic, you need to configure this machine as a router, meaning your clients point to this machine as default gateway and this machine routes the traffic to your router. So you can build up something like a "proxy" with a Windows machine.

If you don't have a budget, i.e. for TMG or other commercial proxy devices or a new router, a Linux machine or any other freeware proxy which can do the same is fine, as long as you are able to manage it.
 

Author Comment

by:Jerry Thompson
ID: 38360756
When I do a search for setting up a proxy server, I find configurations for a web proxy so someone can skirt a content filter of some kind.  But no specifics for an internal box.  I have to wonder if I am using the wrong search terms.

Here is what I have learned in the past.  Is my memory and method sound?

You need a box with 2 NICs.  One connects to the internal network and the second to the internet.  You can use a flavor of Linux, but which one?  One thing I found said Debian, another Ubuntu.  Does it matter?

I found the command to install squid which is proxy server software.  Is that the only type or is there another to consider?

Will squid do the monitoring I want or is this where wireshark comes in?  I assume it will run on a linux box.

Ideally, I would give this box the same address as the linksys router, then I can just swap devices and not have to alter the gateway on a mess of computers.

Can someone point me to specific instructions or is there other software to consider?

Thank you.
 
LVL 35

Accepted Solution

by:Bembi
Bembi earned 1125 total points
ID: 38360848
So, I'm not a Linux guru, so some partial comments...

A web proxy is mostly what is needed. All other protocols besides HTTP, HTTPS and FTP are more or less routed (or NATed), nevertheless maybe logged.
A pure web proxy works with HTTP, HTTPS and FTP and sometimes has some features which are connected to this kind of traffic (like filtering etc.). The web proxy on the client is set up in the browser, and this may be done for all via Group Policies.

All network traffic which is not routed to a web proxy configured in the browser follows the default gateway.

The default gateway can be changed by DHCP, if used on the clients.

Software can be found on the internet. Try to search for "proxy server freeware / shareware" or something similar, or have a look on portals like http://download.cnet.com

Whether you use Windows or Linux doesn't matter, if the software does what you like it to do.
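Once a web proxy sits between the clients and the router, as the accepted answer describes, the proxy's access log is the record the question asks for: one line per request with the internal client address and the host it asked for. The asker mentions Squid, so this added example (not code from the thread, from Squid, or from any product named above) parses Squid's default "squid" access.log format and reports, per client, the watch-listed hosts it requested. The log lines, addresses and the watch-list domain are constructed samples; a real run would read `/var/log/squid/access.log`.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid's default "squid" log format, one request per line, whitespace separated:
#   time.ms elapsed client result/status bytes method URL ident hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)


def parse_line(line):
    """Return the fields of one access.log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    return rec


def host_of(method, url):
    """Host the client contacted. For HTTPS the proxy only sees CONNECT host:port,
    never a URL, which is still enough to name the site."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    host = urlsplit(url).hostname
    return host.lower() if host else None


def matches_watchlist(host, watchlist):
    """True if host is a watch-listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)


def clients_by_watchlist(lines, watchlist):
    """{client_ip: {host: count}} for requests to watch-listed hosts.
    Requests Squid refused (TCP_DENIED) are counted too: a denied request
    is exactly the evidence of who tried."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue   # rotated-log junk or a partial line: skip it
        host = host_of(rec["method"], rec["url"])
        if host and matches_watchlist(host, watchlist):
            hits[rec["client"]][host] += 1
    return {ip: dict(h) for ip, h in hits.items()}


# Constructed sample log: private client addresses, TEST-NET peers and
# reserved example names, not lines from any real proxy.
SAMPLE_LOG = """\
1346380800.123    245 192.168.1.23 TCP_MISS/200 5312 GET http://www.example.com/index.html - DIRECT/198.51.100.10 text/html
1346380801.456     12 192.168.1.45 TCP_MISS/200 912 GET http://cdn.example.net/a.js - DIRECT/198.51.100.7 application/javascript
1346380802.789    301 192.168.1.23 TCP_MISS/200 20480 GET http://blocked.example.org/gallery/ - DIRECT/203.0.113.9 text/html
1346380803.012    400 192.168.1.23 TCP_TUNNEL/200 8100 CONNECT www.blocked.example.org:443 - DIRECT/203.0.113.9 -
1346380804.345      0 192.168.1.45 TCP_DENIED/403 3521 GET http://ads.example.org/x.gif - HIER_NONE/- text/html
this line is garbage and must be skipped
"""

if __name__ == "__main__":
    for ip, hosts in clients_by_watchlist(SAMPLE_LOG.splitlines(), {"example.org"}).items():
        print(ip, hosts)
```

Two caveats a practitioner would want here. The proxy only records clients that actually send their traffic through it: a browser-configured (non-transparent) proxy is easy for a personal device to ignore, so either make the proxy the default gateway as the answer suggests, or pair the log with the DNS capture approach from the earlier comment, which sees every device on the segment. And because the suspect is a DHCP client, keep the DHCP lease log alongside access.log so the client IP at that timestamp can be tied back to a MAC address.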
 
LVL 35

Assisted Solution

by:Bembi
Bembi earned 1125 total points
ID: 38360855
0
 

Author Comment

by:Jerry Thompson
ID: 38374228
Hi all,

While I did not get as clean an answer as I had hoped, bembi did offer the most constructive suggestions.  

I did find several windows based proxy software that looks like it will run on a local machine as opposed to a web server.

And I think I gleaned enough info to put together a box.  I have already downloaded debian and will try the squid solution first with wireshark.

Thank you.

Jerlo
 

Author Closing Comment

by:Jerry Thompson
ID: 38374232
Thanks all for the help