Slackware :: What Software For Checking On Unauthorized Network Traffic?
May 8, 2010
I have been thinking lately about the number of computers connected to the internet that become "zombies" for sending out span (or worse) when they are attacked with ssh over the internet using some kind of script. Today, I read an article in a magazine about internet detective work when you find that there has been an unauthorized attempt to connect to your machine. According to this article, almost any computer connected to the internet is attacked very frequently and the log files of that computer will show this. I have seen these in my own log files in the past.
I have learned a number of ways to track down the attacker (to a very limited degree). But what I would like to know is a relatively easy application to run and understand to monitor my network traffic and find these attempts quicker. I know I have probably almost nothing to be concerned about, but I would like to be able to head this kind of problem off. I have a number of machines connected to the net and each other and my wife does a lot of business on the internet. So, besides becoming a bot for some criminal, I don't want any credit card details stolen.I have read about Wireshard, snort, etc. Is there an application (with gui preferrably, but not mandatory), that is novice compatible that will let me monitor this?
I've been using slackware since slack12.2 on a linux box as router at home with some servers running on it and it's been awesome and performs perfectly. But since I upgraded to slackware 13 there is something that drives me crazy. I use to manage the box through SSH but sometimes I have to do some configs localy and it's almost impossible because I have constant echos of some traffic the iptables is forwarding to other hosts on the network.
In the sys-log from server there a lot of message like this: Code: Apr 25 10:38:45 server portmap[2569]: connect from 192.168.1.3 to getport(nfs): request from unauthorized host Apr 25 10:38:46 server portmap[2570]: connect from 192.168.1.3 to getport(nfs): request from unauthorized host 192.168.1.3 is a client that want to boot from netwrok using PXE and NFS. However it doesn't boot and enters (initramfs) prompt. Seems that the server deny the connection from client.
Recently I notice that when I'm connected to an vpn server (pptpd) and I'm using it as a default gateway my download and upload speed decreases almost to the half of the usual speed. I made a test using iptables in order to count how much GRE packets are generated (except the real traffic itself) in that way:
Code: iptables -I INPUT -p gre -j ACCEPT iptables -I OUTPUT -p gre -j ACCEPT
iptables -I FORWARD -s 172.16.10.101 -j ACCEPT iptables -I FORWARD -d 172.16.10.101 -j ACCEPT The first 2 rules match all GRE packets between the pptpd server and client, and the next rules - the traffic between the server and the client.
When I turn the counters to zero and begin to generate traffic (to browse, to download etc.) I see that the GRE packets are even more than these in the FORWARD chain.
So, my question is first of all is my test correct and is it true that so much gre traffic is being generated during the browsing (it becames clear that the traffic is double than if the pptpd wasn't used as a gateway) and if yes - can that traffic be reduced?
I wanted to know if i can install mrtg on a client computer in network and measure the network's router traffic.i know that it can be installed on the server.
As too my question, at this time I dont control the router/firewall an I would like to block a port thats used for guild wars on my workstation for a while. The reason for blocking is children have abused it an lost it.In this case I am trying to block outgoing traffic on port 6112. I have tried setting up a proxy server on the workstation, but the game seems to ignore it an jump on. Due to the environment, I enabled the workstation SuSEFirewall2 firewall an tried setting up "lo" as a internal an configure the firewall as a router, then disable 0/0 an configured for 0/0,tcp,443 an re route port 80 traffic to proxy.
When I had my own internet, I had a transparent proxy enforcing rules for access times. So setting up a proxy on each machine would not be a bad thing, even if it took some creative thinking. I am trying, but seem to be missing something.Ideally, I would like to setup a transparent proxy, as my kids have learned alot about system administration an know to check the proxy module. If all they have to do is un check "Use Proxy" an by pass a local proxy server, then I am kinda defeated. An applications such as firefox have a proxy setting they could set to none instead of system
I downloaded Go-OpenOffice from SlackBuilds.org, but I can't build it. make terminates with configure error: checking for C compiler default output file name. configure: error: in `/tmp/SBo/ooo-build-3.1.1.5': configure: error: C compiler cannot create executables See `config.log' for more details.
(I can't find config.log anywhere) I use a quite 'light' installation (no xap, ap), and I suspect that I have some unmet dependencies, but the error message provides no information about what software is needed (I've installed all dependencies listed on SlackBuilds.org). I'm using Slackware64-13 with Xfce
I want to monitor an application lets say that it will be apache2 to see how many in real-time it takes network resources such as upload/download per second how can i do that in linux (cmd not gui) ? I know it's possible because i can see this in windows in my nod32 firewall monitoring.
When I try to add a printer using this web interface.I get stopped at authentication required.I put the root login and pass but
401 Unauthorized.Enter your username and password or the root username and password to access this page. If you are using Kerberos authentication, make sure you have a valid Kerberos ticket.
I'm using NuFW but I don't know how could I have a redirection if the user try to go on a unauthorized website... On this moment, my web browers continue to try to join the website, even if nufw has already send a negative response. I would like that my browers redirect me on a other page, how could I do?
I'm doing a research to protect my pc from physical access. What I'm facing here is that my company created a program for fedora 8 and plans to sell the unit away. We created a function where you can configure the program using any web browser from a network so we do not want anybody to have access to the fedora except for out personnel.
Based on my research, I've found [URL] this guide to protect people from accessing grub and single user. I am currently researching on preventing others to clone the harddisk. I would like to know if there are any other methods to prevent people from unauthorized access to fedora.
Sometimes at startup I get this message "Checking disk 1 of 1". Does that mean it's checking all partitions on the hd? After a bad shutdown there is no prompt for fsck to run and the system just boots up. In fstab I have both options set to "1" for the partition Ubuntu is on, all others set to "0". Any ideas on both?
I am on a slow Internet connection and it really makes me mad if something gets downloaded in background (like automatic update of any software) without my knowledge.
How can I monitor my network traffic sorted according to the "which binary file is using how much"? I can find the total transfer rate in "System Monitor" in Gnome, but what if I want to find for individual process. There are softwares like netmonitor in Windows, but how can I achieve that in UBUNTU LINUX.
GUI application will be nice, command line software will also be fine..
I noticed a huge data transfer to my computer. I wasn't downloading anything big, I have just opened Firefox, Thunderbird etc. It stopped after a minute but I'd like to know, what that was - this wasn't the first time something like this happened. I promptly started Wireshark and captured a few packets, all of them look like this:
[code]...
I tried to look at [URL]... but that webpage does not work. what the traffic might be caused by? Couldn't anyone hacked my pc?
I am manually capturing and injecting Ethernet traffic (using lib_net/lib_pcap libraries) for an application. At the moment , both capturing and injecting are done on the same physical interface (e.g. eth0). The problem is that all the traffic that I inject, are captured again by my application causing an unwanted feedback of injected traffic. This caused that I had to implement traffic filtering when capturing traffic, which is consuming resources and eventually will become too complicated to support.
I have tried using virtual interfaces to separate the capturing and injecting streams, but that also presented the same problem as all the traffic from eth0 is forwarded to both eth0:1 and eth0:2. If possible I would like both streams to go through 1 physical device, using more PDs will be the last resort. I am also looking at using TUN/TAP devices to try and separate the two streams, maybe writing a user-space program that lies between the physical device and the TUN/TAP devices to do the routing of traffic.
Via a network traffic monitoring tool I see that my laptop is generating lots of outgoing (EDIT : incoming !!) network traffic. Although no download program is running or any other program of which I know that could be generating this much traffic. Something strange is going on and I need to know how I can find out which program( s ) are generating network traffic.
how to configure my network for web traffic.Here is my setup:I have the following virtual machines, (all guest are running on CentOS 5.3);
firewall: Smoothwall 3.0, (hardware, not virtual) guest # 1: Apache http server guest # 2: Qmail server guest # 3: Proftp server
I want all of these services on different machines for security reasons, (mainly the ftp server) how do I route the traffic from the firewall to the different machines? I have been looking at setting up a reverse proxy, however, everything that I have read says that a reverse proxy will not handle the smtp/pop3 traffic. Can I just use a DNS server to route the traffic?
Is there a program that monitors and displays 'who' is on your wireless Internet signal that one may not be aware of? Like, the ability to see when someone that you don't know is accessing your locked wireless?
what I want to achieve is just to be able to say to who ever is killing our relatively fast connect that they aren't the only person using the network. Everyone just says "I hardly download anything." which is obviously untruthful as normally I can download at 1.5 MB/s but now loading even google.com takes way too long (same with pinging and all other sites). Once I do this, I can determine whether or not I need to call my ISP and do the long 'on hold' dance and "have you tried rebooting the router" BS.
I have installed conky from soft manager after knowing its power today. I'm using 10.10. I want to design a conky script which monitor the network traffic ie total upload + download on monthly basis as I'm on limited internet plan which is too common here. I have free usage from 2am to 8am in the morning and want to exclude this traffic. So I'm in search of a custom script which can accomplish this.
I am running Ubuntu 10.10, upgraded a few weeks ago from 10.04. I noted from the system monitor that the system was generating a lot of network traffic, on the order of 10Mbps if the information is correct (using system monitor and iftop). From the process table, it appears that smbd is accumulating a lot of CPU time, which sort of makes sense as I use Samba for printing from a Windows 7 laptop. But the traffic seems to be making a round trip as I just rebooted the system and it reports in about 10 minutes of uptime 1.2GB was send and 1.2GB was received. Laptop is used for work, it is sitting idle for the last 30 minutes (VPN connection, etc); no backup or other interaction with the Ubuntu system.
