Monitor network connections


Dominik Werder

Hi all!

I'd like to do a little "somewhat-clever-server-abuse-detection" in
addition to the other firewall stuff.
To do that I need to monitor what connections exist and how much/how
fast they upload and download.
Is that possible in general? Using ruby?

Just an idea :)

bye!
Dominik
 

Randy Lawrence

Dominik said:
Hi all!

I'd like to do a little "somewhat-clever-server-abuse-detection" in
addition to the other firewall stuff.
To do that I need to monitor what connections exist and how much/how
fast they upload and download.
Is that possible in general? Using ruby?

Just an idea :)

bye!
Dominik

Here are some highly recommended security tools you might want to
consider using in addition to your firewall.

You'll probably want to take a look before handcoding in ruby or any
other language to avoid reinventing the wheel.

Look at this simple utility (if snort is too complex/fat):

portsentry

For Apache, use these which work great together (and easy setup):

mod_dosevasive (detect and handle denial of service attacks)
mod_security (detect and handle hacking/abuse)
***mod_throttle (for Apache 1.3.x only so I haven't used this)

For comprehensive detection, see:

Nessus (discover your vulnerabilities)
Snort (intrusion detection)
 

Lennon Day-Reynolds

In addition, I'd recommend you take a look at the documentation for
the stateful packet filter on your firewall (what? you don't have a
stateful packet filter? shame on you!) and see how its connection
tracking and logging can help.

You might take a look at the documentation for PF, the packet filter
in recent versions of OpenBSD. It supports stateful connection
filtering, load balancing, logging of any and all events, etc., and
probably does it all much more efficiently than you ever could in
Ruby.

If you're looking for a way to bring Ruby in on the whole project, a
Ruby library or application that could generate the PF configuration
files (which use their own, somewhat baroque rule format) would be
very nice.

Lennon
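As a sketch of the generator Lennon describes, here is an added example (my code, not Lennon's and not part of any PF tooling) that turns a list of addresses into a pf.conf fragment: a persistent table plus one quick block rule. The interface name "em0" and the table name "abusers" are assumptions; only the table and block syntax is real pf.

```ruby
require 'ipaddr'

# Validate and normalise each address so nothing malformed can reach the
# ruleset. Single hosts come out bare, networks keep their prefix length.
def normalise_addresses(addrs)
  addrs.map do |a|
    ip = IPAddr.new(a)           # raises IPAddr::InvalidAddressError on junk
    prefix = ip.prefix
    max = ip.ipv4? ? 32 : 128
    prefix == max ? ip.to_s : "#{ip}/#{prefix}"
  end.uniq
end

# Render the fragment. Keeping the addresses in a persistent table means a
# daemon can later add or remove entries with pfctl -t without touching the
# rules themselves. Interface and table names are assumed defaults.
def pf_config(addrs, ext_if: 'em0', table: 'abusers')
  list = normalise_addresses(addrs)
  members = list.empty? ? '' : " { #{list.join(', ')} }"
  lines = []
  lines << "ext_if = \"#{ext_if}\""
  lines << "table <#{table}> persist#{members}"
  lines << "block in quick log on $ext_if from <#{table}> to any"
  lines.join("\n") + "\n"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample addresses (documentation ranges), including a duplicate.
  puts pf_config(['203.0.113.7', '198.51.100.0/24', '203.0.113.7'])
end
```

Run it and paste the output into a test pf.conf; pfctl -nf will tell you whether the generated fragment parses before you load it.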
 

David Morton

Dominik said:
I'd like to do a little "somewhat-clever-server-abuse-detection" in
addition to the other firewall stuff.
To do that I need to monitor what connections exist and how much/how
fast they upload and download.
Is that possible in general? Using ruby?

I did a little work on this problem in perl once. There are several
aspects to manage, and perl and/or ruby can do some of the work.

Allow me to ramble... move along if this doesn't interest you. :)

First you have to detect whatever it is you want to detect. You can
watch logfiles (syslog, firewall, or snort) and parse the results. This
is something perl or ruby can handle, since it's basic regex stuff.

To watch how much traffic and how many connections, it depends on where
you are watching from. You can set up netflows on a cisco network,
parse snmp data from various devices, or to track individual
connections, use ip connection tracking on Linux.

Once a threshold for a given problem is reached, an entry can be made
in a database, and orders given in the database to firewall the
connection. On the firewall(s), a daemon (again, possibly in perl or
ruby) reads the database and executes the block.

A connection may be left hanging open, though, which can fill up all
available connections to a server. I found a solution somewhere, though
the implementation never got finished. Using Linux ip connection tracking,
you can spoof a TCP RST packet both ways to close the connection, which
frees up the connection on the server.

In addition to all this, I wanted to have a backoff algorithm that
gradually unblocked IPs, as they may get reassigned to legit people.
If an IP address immediately abuses again, it gets a longer timeout.

I had some perl code that did a lot of this, but it needed reworking,
and now I no longer have access to it. (I'm no longer employed there.)

Ruby could play a large role in such a system, indeed, though it would
also depend on a lot of other systems as well.
 

Dominik Werder

Hi All!

Thanks for all the good hints!
Exploration should take some time :)

bye!
Dominik
 