 
07-27-2008, 11:43 PM
Dan Farrell

Network monitoring

On Sun, 27 Jul 2008 19:49:49 -0400
Bart Silverstrim <bsilver@chrononomicon.com> wrote:

> Does anyone here have a program, preference, configuration,
> recommendation...etc...for monitoring your own network for what
> machines are connected to it, as in auditing for people that may
> have connected with unauthorized hardware somewhere or at least log
> when machines are on the wifi or wired network when that network is
> too small to have a managed switch or managed WAP?
>

It depends on the hardware that provides your wifi Access Point and your
internet router. It's pretty unlikely on a small network that somebody
could plug a network cable in to your network without your noticing
it, but wireless network connections are of course much less
transparent.

For these I would recommend looking into the options your AP gives
you. If your wireless AP allows you some access, it will probably show
you the list of wireless devices connected to it. If not, an
option might be to look at DHCP leases on your DHCP server, but this
may not be a perfect solution, because uninvited visitors could use a
static configuration instead.

The fail-safe solution would be to use
an internet gateway with good reporting (like a linux computer!) that
can show you the traffic going through your internet connection, where
it's from, and where it's headed. You can then see if there's any
traffic you don't expect, and start to track down its source.

I would highly recommend using WPA on your wireless AP so you don't
have to worry about unauthorized access.

Unfortunately, if your AP doesn't tell you these things, and you can't
get the information from another piece of hardware between the AP and
the internet connection, and you aren't on the same collision domain as
the AP (eg a hub rather than a switch) your only option is probably to
change your network topology to interpose a better statistics generator
between potential untrusted network segments and the internet.

--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
07-27-2008, 11:49 PM
Bart Silverstrim

Network monitoring

Does anyone here have a program, preference, configuration,
recommendation...etc...for monitoring your own network for what machines
are connected to it, as in auditing for people that may have connected
with unauthorized hardware somewhere or at least log when machines are
on the wifi or wired network when that network is too small to have a
managed switch or managed WAP?

07-28-2008, 12:49 AM
"Brian McKee"

Network monitoring

On Sun, Jul 27, 2008 at 7:49 PM, Bart Silverstrim
<bsilver@chrononomicon.com> wrote:
> Does anyone here have a program, preference, configuration,
> recommendation...etc...for monitoring your own network for what machines
> are connected to it, as in auditing for people that may have connected
> with unauthorized hardware somewhere or at least log when machines are
> on the wifi or wired network when that network is too small to have a
> managed switch or managed WAP?

While I'm not sure how well it works in conjunction with wireless, I
use arpwatch to check for new hardware on a wired network.

Brian

07-28-2008, 06:39 AM
"Javier Palacios"

Network monitoring

On Mon, Jul 28, 2008 at 1:49 AM, Bart Silverstrim
<bsilver@chrononomicon.com> wrote:
> Does anyone here have a program, preference, configuration,
> recommendation...etc...for monitoring your own network for what machines
> are connected to it, as in auditing for people that may have connected
> with unauthorized hardware somewhere or at least log when machines are
> on the wifi or wired network when that network is too small to have a
> managed switch or managed WAP?

You are looking for SNMP. It's probably the only way to get unified
interface for heterogeneous devices, in particular to ARP tables.
Unfortunately that's only the protocol, I cannot recommend you any
piece of software which uses it, although probably every piece of
monitoring software offers you that functionality. I've not used it,
but the one that I know that closer resembles a network-only
management one is opennms (http://www.opennms.org/).

Javier Palacios

07-28-2008, 03:40 PM
Bart Silverstrim

Network monitoring

Javier Palacios wrote:
> On Mon, Jul 28, 2008 at 1:49 AM, Bart Silverstrim
> <bsilver@chrononomicon.com> wrote:
>> Does anyone here have a program, preference, configuration,
>> recommendation...etc...for monitoring your own network for what machines
>> are connected to it, as in auditing for people that may have connected
>> with unauthorized hardware somewhere or at least log when machines are
>> on the wifi or wired network when that network is too small to have a
>> managed switch or managed WAP?
>
> You are looking for SNMP. It's probably the only way to get unified
> interface for heterogeneous devices, in particular to ARP tables.
> Unfortunately that's only the protocol, I cannot recommend you any
> piece of software which uses it, although probably every piece of
> monitoring software offers you that functionality. I've not used it,
> but the one that I know that closer resembles a network-only
> management one is opennms (http://www.opennms.org/).

To clarify...

What I have is a wireless AP on a small network (a Netgear AP), and it
does have SNMP but I didn't see the docs on accessing it or polling it.

What I'd like to do is have a way for my Linux system to periodically
poll the AP (or the network), get a basic list of items on the network,
and if anything comes up as "new" or "foreign" to just alert me about it
so I know and have a record of it.

I know there are those that would be recommending encryption methods and
lockouts and etc. etc...but for this situation I'm mainly just looking
for logging and auditing of activity. Is this something that can be
accomplished easily? Arpwatch seems to bury entries in the logs that
would have to be periodically checked manually. I would prefer some way
to have it give a more timely alert, such as by email. SNMP can be used,
but I still need a way to script the actions and wouldn't I also be
broadcasting access information such as the administration password for
the AP in the clear over the network?

07-28-2008, 03:43 PM
Bart Silverstrim

Network monitoring

Dan Farrell wrote:
> On Sun, 27 Jul 2008 19:49:49 -0400
> Bart Silverstrim <bsilver@chrononomicon.com> wrote:
>
>> Does anyone here have a program, preference, configuration,
>> recommendation...etc...for monitoring your own network for what
>> machines are connected to it, as in auditing for people that may
>> have connected with unauthorized hardware somewhere or at least log
>> when machines are on the wifi or wired network when that network is
>> too small to have a managed switch or managed WAP?
>>
>
> It depends on the hardware that provides your wifi Access Point and your
> internet router. It's pretty unlikely on a small network that somebody
> could plug a network cable in to your network without your noticing
> it, but wireless network connections are of course much less
> transparent.
>
> For these I would recommend looking into the options your AP gives
> you. If your wireless AP allows you some access, it will probably show
> you the list of wireless devices connected to it. If not, an
> option might be to look at DHCP leases on your DHCP server, but this
> may not be a perfect solution, because uninvited visitors could use a
> static configuration instead.
>
> The fail-safe solution would be to use
> an internet gateway with good reporting (like a linux computer!) that
> can show you the traffic going through your internet connection, where
> it's from, and where it's headed. You can then see if there's any
> traffic you don't expect, and start to track down its source.
>
> I would highly recommend using WPA on your wireless AP so you don't
> have to worry about unauthorized access.
>
> Unfortunately, if your AP doesn't tell you these things, and you can't
> get the information from another piece of hardware between the AP and
> the internet connection, and you aren't on the same collision domain as
> the AP (eg a hub rather than a switch) your only option is probably to
> change your network topology to interpose a better statistics generator
> between potential untrusted network segments and the internet.

This AP does have SNMP (disabled at the moment) and does track
associations made to it; the component I'm kind of missing is polling it
periodically and reporting back to me...perhaps the suggestion of SNMP
might work? I just need help cobbling together scripts to do this if I
do that route, though.

07-28-2008, 04:49 PM
"Mario Spinthiras"

Network monitoring

zenoss

On Mon, Jul 28, 2008 at 6:43 PM, Bart Silverstrim <bsilver@chrononomicon.com> wrote:

Dan Farrell wrote:
> On Sun, 27 Jul 2008 19:49:49 -0400
> Bart Silverstrim <bsilver@chrononomicon.com> wrote:
>
>> Does anyone here have a program, preference, configuration,
>> recommendation...etc...for monitoring your own network for what
>> machines are connected to it, as in auditing for people that may
>> have connected with unauthorized hardware somewhere or at least log
>> when machines are on the wifi or wired network when that network is
>> too small to have a managed switch or managed WAP?
>>
>
> It depends on the hardware that provides your wifi Access Point and your
> internet router. It's pretty unlikely on a small network that somebody
> could plug a network cable in to your network without your noticing
> it, but wireless network connections are of course much less
> transparent.
>
> For these I would recommend looking into the options your AP gives
> you. If your wireless AP allows you some access, it will probably show
> you the list of wireless devices connected to it. If not, an
> option might be to look at DHCP leases on your DHCP server, but this
> may not be a perfect solution, because uninvited visitors could use a
> static configuration instead.
>
> The fail-safe solution would be to use
> an internet gateway with good reporting (like a linux computer!) that
> can show you the traffic going through your internet connection, where
> it's from, and where it's headed. You can then see if there's any
> traffic you don't expect, and start to track down its source.
>
> I would highly recommend using WPA on your wireless AP so you don't
> have to worry about unauthorized access.
>
> Unfortunately, if your AP doesn't tell you these things, and you can't
> get the information from another piece of hardware between the AP and
> the internet connection, and you aren't on the same collision domain as
> the AP (eg a hub rather than a switch) your only option is probably to
> change your network topology to interpose a better statistics generator
> between potential untrusted network segments and the internet.

This AP does have SNMP (disabled at the moment) and does track
associations made to it; the component I'm kind of missing is polling it
periodically and reporting back to me...perhaps the suggestion of SNMP
might work? I just need help cobbling together scripts to do this if I
do that route, though.

--
Warm Regards,
Mario A. Spinthiras


07-28-2008, 05:44 PM
"Javier Palacios"

Network monitoring

> What I have is a wireless AP on a small network (a Netgear AP), and it
> does have SNMP but I didn't see the docs on accessing it or polling it.
>
> What I'd like to do is have a way for my Linux system to periodically
> poll the AP (or the network), get a basic list of items on the network,
> and if anything comes up as "new" or "foreign" to just alert me about it
> so I know and have a record of it.

The tools are net-snmp. They allow you to get a single value, or to
traverse a tree.
Just in case, I'll give you a very short intro to snmp, just in case.
Each variable is identified by a long dot separated number (the OID).
There are ways that allow you to use sensible names for that, and that
will happen with net-snmp out of the box if you don't use any
extensions provided by your AP manufacturer. The most useful command
will be probably snmptable, that shows you a table in terse format.
Running `snmptable ifTable` will show you info about your interfaces
(similar to `ifconfig -a`). I know there is a table showing the MAC,
IP address and port number, but I don't remember the name (this is for
wired switches at least).
You probably need to use a community name (version 2c, usually is
'public') to query.
And if you configure the snmptrap host on your AP to a linux box, and
run there the snmptrapd, you will get notified (via syslog, but can be
also piped to email) about events such as a new address given or a device
plugged/unplugged. Unless you use traps, you will need some kind of
crontab polling.

Javier Palacios
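
The crontab polling described in the post above could be scripted along these lines; this is an added example, not code from the thread or from net-snmp. It assumes the AP answers a walk of the standard IP-MIB `ipNetToMediaPhysAddress` column (its ARP table), which the thread does not confirm for this Netgear AP; the function names, the sample walk output and the baseline file are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list MACs in an SNMP ARP-table walk
# that are missing from a baseline. Usage: find_new_macs WALK_FILE KNOWN_FILE
find_new_macs() {
    awk '
    # Lowercase and zero-pad each octet: net-snmp prints "0:1b:2f:a:b:c", and
    # comparing that verbatim to "00:1b:2f:0a:0b:0c" would flag every device.
    function norm(mac,    n, p, i, out) {
        n = split(tolower(mac), p, "[-:]")
        if (n != 6) return ""
        out = ""
        for (i = 1; i <= 6; i++) {
            if (p[i] !~ /^[0-9a-f][0-9a-f]?$/) return ""
            out = out (i > 1 ? ":" : "") (length(p[i]) == 1 ? "0" : "") p[i]
        }
        return out
    }
    # Baseline file. Tested by name, not NR == FNR, so an empty baseline
    # cannot make the walk be read as the baseline (which would hide everything).
    FILENAME == ARGV[1] {
        sub(/#.*/, "")
        if ((m = norm($1)) != "") known[m] = 1
        next
    }
    /ipNetToMediaPhysAddress\./ {
        ip = $1
        sub(/^.*ipNetToMediaPhysAddress\.[0-9]+\./, "", ip)   # drop name + ifIndex
        m = norm($NF)
        if (m != "" && !(m in known) && !(m in seen)) { seen[m] = 1; print m, ip }
    }' "$2" "$1"
}

# Constructed sample data shaped like "snmpwalk -v2c -c <community> <ap> ipNetToMediaPhysAddress"
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/walk" <<'EOF'
IP-MIB::ipNetToMediaPhysAddress.2.192.168.1.10 = STRING: 0:1b:2f:a:b:c
IP-MIB::ipNetToMediaPhysAddress.2.192.168.1.23 = STRING: 0:16:cb:11:22:33
IP-MIB::ipNetToMediaPhysAddress.2.192.168.1.57 = STRING: 0:e0:4c:de:ad:1
EOF
    cat > "$tmp/known" <<'EOF'
00:1B:2F:0A:0B:0C   # desktop
00-16-cb-11-22-33   # laptop
EOF
    find_new_macs "$tmp/walk" "$tmp/known"
    rm -rf "$tmp"
}

demo   # cron mails any output to MAILTO, so no output means nothing new
```

SNMP v1/v2c sends the community string unencrypted, so the community used for polling should be read-only and different from the AP's administration password.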

07-28-2008, 05:44 PM
"Brian McKee"

Network monitoring

On Mon, Jul 28, 2008 at 11:40 AM, Bart Silverstrim
<bsilver@chrononomicon.com> wrote:
> Arpwatch seems to bury entries in the logs that
> would have to be periodically checked manually. I would prefer some way
> to have it give a more timely alert, such as by email.

arpwatch can email alerts....

Brian

07-28-2008, 06:06 PM
Bart Silverstrim

Network monitoring

Brian McKee wrote:
> On Mon, Jul 28, 2008 at 11:40 AM, Bart Silverstrim
> <bsilver@chrononomicon.com> wrote:
>> Arpwatch seems to bury entries in the logs that
>> would have to be periodically checked manually. I would prefer some way
>> to have it give a more timely alert, such as by email.
>
> arpwatch can email alerts....

Okay, I'll dig into that part of the conf then. Thanks!
