Dominik Werder wrote:
I'd like to do a little "somewhat-clever-server-abuse-detection" in
addition to the other firewall stuff.
To do that I need to monitor what connections exist and how much/how
fast they up and download.
Is that possible in general? Using ruby?
I did a little work on this problem in perl once. There are several aspects to manage, and perl and/or ruby can do some of the work.
Allow me to ramble... move along if this doesn't interest you.
First you have to detect whatever it is you want to detect. You can watch logfiles (syslog, firewall, or snort) and parse the results. This is something perl or ruby can handle, since it's basic regex stuff.
To watch how much traffic and how many connections, it depends on where you are watching from. You can set up netflows on a cisco network, parse snmp data from various devices, or to track individual connections, use ip connection tracking on Linux.
Once a threshold for a given problem was reached, an entry can be made in a database, and orders given in the database to firewall the connection. On the firewall(s), a daemon (again, possibly in perl or ruby) reads the database and executes the block.
A connection may be left hanging open, though, which can fill up all available connections to a server. I found a solution somewhere, though the implementation never got finished. Using Linux ip connection tracking, you can spoof a TCP RST packet both ways to close the connection, which frees up the connection on the server.
In addition to all this, I wanted to have a backoff algorithm that gradually unblocked IPs, as they may get reassigned to legit people.
If an IP address immediately abuses again, it gets a longer timeout.
I had some perl code that did a lot of this, but it needed reworking, and now I no longer have access to it. (I'm no longer employed there.)
Ruby could play a large role in such a system, indeed, though it would also depend on a lot of other systems as well.
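
The threshold check and the back-off idea from the reply above, sketched in Ruby as an added example (it is not the poster's Perl code, which the reply says is no longer available). The log format, the `offenders` helper, the `BackoffBlocklist` class and all constants are assumptions made for illustration; times are integer epoch seconds.

```ruby
# Added example: names, constants and the log format are assumptions.
SAMPLE_LOG = <<~LOG # constructed sample lines
  1700000000 SRC=203.0.113.7 DPT=80
  1700000001 SRC=203.0.113.7 DPT=80
  1700000001 SRC=198.51.100.4 DPT=443
  1700000002 SRC=203.0.113.7 DPT=80
LOG

# Sources seen at least `threshold` times in a batch of log lines.
def offenders(log, threshold = 3)
  counts = Hash.new(0)
  log.each_line do |line|
    counts[Regexp.last_match(1)] += 1 if line =~ /\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b/
  end
  counts.select { |_ip, n| n >= threshold }.keys
end

class BackoffBlocklist
  BASE = 60        # seconds for a first offence (assumed)
  MAX  = 86_400    # cap, so a reassigned address is eventually released
  Entry = Struct.new(:strikes, :blocked_until)

  def initialize
    @entries = {}
  end

  # Record abuse at `now` (integer epoch seconds); returns the timeout applied.
  def report(ip, now)
    e = (@entries[ip] ||= Entry.new(0, 0))
    forgive(e, now)
    e.strikes += 1
    e.blocked_until = now + timeout_for(e.strikes)
    timeout_for(e.strikes)
  end

  def blocked?(ip, now)
    @entries.key?(ip) && now < @entries[ip].blocked_until
  end

  private
  def timeout_for(strikes)
    [BASE * 2**(strikes - 1), MAX].min
  end

  # Drop one strike per quiet period (length of the last timeout) after expiry.
  def forgive(e, now)
    return if e.strikes.zero? || now <= e.blocked_until
    e.strikes = [e.strikes - (now - e.blocked_until) / timeout_for(e.strikes), 0].max
  end
end
```

A daemon on the firewall would call `blocked?` when deciding whether a rule should still be in place, and `report` for each address returned by `offenders`.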