We have a situation here that is a real mystery.
Our MRTG on our outgoing router and a firewall server that protects our web servers is showing a spike every six hours. I can't find the server behind the firewall that is generating such an extreme amount of packets, even though I've looked through the crontabs of nearly all servers, performed "ps" variations, and other types of investigation.
Is there any type of package I can install that will monitor traffic and report abnormal, over-threshold packets similar to what wireshark might do in a manner that would allow me to determine where these packets might be going or from where they originate?
Thanks for any help.
steve campbell
How about tcpdump?
Mike
On 06/14/2012 01:07 PM, Steve Campbell wrote:
> We have a situation here that is a real mystery.
> Our MRTG on our outgoing router and a firewall server that protects our web servers is showing a spike every six hours. I can't find the server behind the firewall that is generating such an extreme amount of packets, even though I've looked through the crontabs of nearly all servers, performed "ps" variations, and other types of investigation.
> Is there any type of package I can install that will monitor traffic and report abnormal, over-threshold packets similar to what wireshark might do in a manner that would allow me to determine where these packets might be going or from where they originate?
> Thanks for any help.
> steve campbell
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Thu, Jun 14, 2012 at 12:07 PM, Steve Campbell campbell@cnpapers.com wrote:
> We have a situation here that is a real mystery.
> Our MRTG on our outgoing router and a firewall server that protects our web servers is showing a spike every six hours. I can't find the server behind the firewall that is generating such an extreme amount of packets, even though I've looked through the crontabs of nearly all servers, performed "ps" variations, and other types of investigation.
> Is there any type of package I can install that will monitor traffic and report abnormal, over-threshold packets similar to what wireshark might do in a manner that would allow me to determine where these packets might be going or from where they originate?
If you can catch it while the event is happening, wireshark can help you analyze the traffic. Do a short capture, then Statistics/Conversation list/ipv4 (or endpoint/ipv4) will give you a sortable list of the bulk of the traffic.
If you are monitoring the traffic on all interfaces and switch ports with SNMP (Cacti/OpenNMS etc.) you would probably see it too. OpenNMS generates nightly reports of 'top 20' interface usage although backups sometimes show up there. 'Ntop' is also good at identifying traffic and can summarize in different ways, but you have to run it on the server where the traffic is happening.
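A text-only stand-in for the Wireshark conversation list Les describes, added here as an example that is not from the thread: it parses `tcpdump -nn -q` output (a constructed sample is embedded) and ranks host pairs by bytes so the heavy talker shows up on a box with no GUI. The function names, the sample addresses and the byte threshold are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn -q` output (IPv4 only; not a real capture).
SAMPLE = """\
13:07:01.000101 IP 10.0.0.5.443 > 192.0.2.10.51234: tcp 1448
13:07:01.000342 IP 192.0.2.10.51234 > 10.0.0.5.443: tcp 0
13:07:01.001120 IP 10.0.0.7.45678 > 198.51.100.9.873: tcp 1448
13:07:01.001233 IP 10.0.0.7.45678 > 198.51.100.9.873: tcp 1448
13:07:01.001399 IP 10.0.0.7.45678 > 198.51.100.9.873: tcp 1448
13:07:01.002010 IP 10.0.0.5.53 > 10.0.0.9.40012: UDP, length 112
13:07:01.002500 IP 198.51.100.9.873 > 10.0.0.7.45678: tcp 0
"""

# -q lines look like "<time> IP <src>.<sport> > <dst>.<dport>: tcp <len>"
# or "... UDP, length <len>"; <len> is L4 payload, so headers are not counted.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<proto>\w+),? (?:length )?(?P<length>\d+)"
)

def parse(text):
    """Yield (src, dst, proto, payload_len) for each line that matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # non-IP, ARP or truncated lines are silently skipped
            yield m["src"], m["dst"], m["proto"].lower(), int(m["length"])

def conversations(text):
    """Aggregate by unordered host pair (ports and direction ignored)."""
    totals = defaultdict(lambda: [0, 0])  # pair -> [bytes, packets]
    for src, dst, _proto, length in parse(text):
        pair = tuple(sorted((src, dst)))
        totals[pair][0] += length
        totals[pair][1] += 1
    return {pair: tuple(v) for pair, v in totals.items()}

def top_conversations(text, n=10):
    """The n biggest conversations as (pair, bytes, packets), largest first."""
    ranked = sorted(conversations(text).items(), key=lambda kv: kv[1][0], reverse=True)
    return [(pair, nbytes, pkts) for pair, (nbytes, pkts) in ranked[:n]]

def endpoints_over(text, threshold_bytes):
    """Hosts whose total bytes (either direction) exceed threshold_bytes."""
    per_host = defaultdict(int)
    for (a, b), (nbytes, _pkts) in conversations(text).items():
        per_host[a] += nbytes
        per_host[b] += nbytes
    return sorted(h for h, total in per_host.items() if total > threshold_bytes)
```

Capture a burst while the spike is running with `tcpdump -nn -q -i eth0 -c 20000 > burst.txt` and pass the file's contents to `top_conversations`.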
Hi all,
Just like to know which secure FTP servers are popular in use on Linux; the FTP server should provide HTTPS, FTPS and SFTP methods.
Currently we are with Serv-U FTP server, but it has been crashing all the time for unknown reasons -- we cannot find any causes in its log file at all. Although we like its interface, our customers complain about its reliability a lot. Finally we are tired of it and would like an alternative. If you are satisfied with your FTP server, please feel free to share with me. :)
Thanks.
--David
On 06/14/12 3:39 PM, Gelen James wrote:
> Just like to know which secure FTP servers are popular in use on Linux, the FTP server should provides HTTPS, FTPS and SFTP methods.
sftp is part of SSH, not FTP. https is HTTP not FTP.
ftps (FTP over SSL) is a non-standard mess and should be banned.
I use vsftp for a straight FTP server, and apache for a https server, openssh for a SSH server. these are all standard CentOS components.
Hi John,
I had the same idea as you just a few years back, that an FTP server only serves the FTP protocol. But nowadays an FTP server provides the same contents over a lot of protocols at the same time: FTP/FTPS/SFTP/HTTP/HTTPS.
Please check the wiki page http://en.wikipedia.org/wiki/List_of_FTP_server_software. There are so many choices but it is difficult to find one that is reliable, secure and at the same time easy to use.
Thanks.
--David
From: John R Pierce pierce@hogranch.com
To: centos@centos.org
Sent: Thursday, June 14, 2012 3:59 PM
Subject: Re: [CentOS] any reliable FTP server with HTTPS/FTPS, commercial or not
> On 06/14/12 3:39 PM, Gelen James wrote:
>> Just like to know which secure FTP servers are popular in use on Linux, the FTP server should provides HTTPS, FTPS and SFTP methods.
> sftp is part of SSH, not FTP. https is HTTP not FTP.
> ftps (FTP over SSL) is a non-standard mess and should be banned.
> I use vsftp for a straight FTP server, and apache for a https server, openssh for a SSH server. these are all standard CentOS components.
On 06/14/12 4:08 PM, Gelen James wrote:
> I had the same idea with you just a few years back that the ftp only servers FTP protocol. But nowadays a FTP server provides same contents over a lot of protocols at the same time: FTP/FTPS/SFTP/HTTP/HTTPS
that's just silly. I suppose we should call NFS FTP too, because it serves files?
the classic FTP protocol is a hangover from the 1970s and really should be sent to pasture and allowed to die a peaceful death. I generally use http for serving anonymous read only files, and sftp/scp for authenticated transfers
On Thu, Jun 14, 2012 at 6:18 PM, John R Pierce pierce@hogranch.com wrote:
> thats just silly. I suppose we should call NFS FTP too, because it serves files?
What do you call something like Alfresco that emulates all kinds of file/web services while imposing additional logic compared to what the OS would do?
On 06/14/12 4:22 PM, Les Mikesell wrote:
> What do you call something like Alfresco that emulates all kinds of file/web services while imposing additional logic compared to what the OS would do?
"useless"
hey, you asked what *I* would call it. I have no use for that sort of silliness. Maybe someone running a 'warez' server does, not me.
On 06/14/12 4:08 PM, Gelen James wrote:
> Please check the wiki page http://en.wikipedia.org/wiki/List_of_FTP_server_software. There are so many choices
psst? most of those are for MS Windows, which doesn't come with a decent FTP server built in. many of them are commercial. there's really only a couple on that list suitable for a linux server, headed up with vsftpd, the default ftp server in CentOS.
On 6/14/2012 7:23 PM, John R Pierce wrote:
> On 06/14/12 4:08 PM, Gelen James wrote:
>> Please check the wiki page http://en.wikipedia.org/wiki/List_of_FTP_server_software. There are so many choices
> psst? most of those are for MS Windows, which doesn't come with a decent FTP server built in. many of them are commercial. there's really only a couple on that list suitable for a linux server, headed up with vsftpd, the default ftp server in CentOS.
I do hear good things about ProFTP and actually have it on one of my new installs, but haven't yet messed with it. I found it odd that it didn't make the wiki list. Maybe some others can give some feedback on it?
On 06/15/2012 01:28 AM, John Hinton wrote:
> On 6/14/2012 7:23 PM, John R Pierce wrote:
>> On 06/14/12 4:08 PM, Gelen James wrote:
>>> Please check the wiki page http://en.wikipedia.org/wiki/List_of_FTP_server_software. There are so many choices
>> psst? most of those are for MS Windows, which doesn't come with a decent FTP server built in. many of them are commercial. there's really only a couple on that list suitable for a linux server, headed up with vsftpd, the default ftp server in CentOS.
> I do hear good things about ProFTP and actually have it on one of my new installs, but haven't yet messed with it. I found it odd that it didn't make the wiki list. Maybe some others can give some feedback on it?
If you are running a recent distro you should go with sftp. With the Match directive you can even selectively create chroots for users and groups, which should cover most use-cases. FTP is just insecure (plaintext passwords) and the secure variant FTPS makes firewall setups a pain because the "fixes" for FTP's protocol layering violations (the conntrack and nat modules for iptables) stop working. Don't use FTP unless you absolutely have to.
Regards, Dennis
On Jun 15, 2012 12:39 AM, "Gelen James" hahaha_30k@yahoo.com wrote:
> Just like to know which secure FTP servers are popular in use on Linux,
> the FTP server should provides HTTPS, FTPS and SFTP methods.
Proftpd, hands down for the (s)ftp(s) but for http you have to look somewhere else.
Mikael
> Proftpd, hands down for the (s)ftp(s) but for http you have to look somewhere else.
k +1 for ProFTPD. I have not used it for sftp, but I have for ftps. Make sure on ftps to use ccc - clear command channel which allows the command channel to be picked up by firewalls that need to know about the port change conversation. Also .. limit your passive ports as well. 1 for administration + 2*number of concurrent users. Use apache for https.
On Jun 14, 2012, at 1:07 PM, Steve Campbell campbell@cnpapers.com wrote:
> We have a situation here that is a real mystery.
> Our MRTG on our outgoing router and a firewall server that protects our web servers is showing a spike every six hours. I can't find the server behind the firewall that is generating such an extreme amount of packets, even though I've looked through the crontabs of nearly all servers, performed "ps" variations, and other types of investigation.
> Is there any type of package I can install that will monitor traffic and report abnormal, over-threshold packets similar to what wireshark might do in a manner that would allow me to determine where these packets might be going or from where they originate?
Set up a nettop server and netflow on the routing interfaces and you will find your culprit.
-Ross
On Jun 14, 2012, at 6:44 PM, Ross Walker rswwalker@gmail.com wrote:
> On Jun 14, 2012, at 1:07 PM, Steve Campbell campbell@cnpapers.com wrote:
>> We have a situation here that is a real mystery.
>> Our MRTG on our outgoing router and a firewall server that protects our web servers is showing a spike every six hours. I can't find the server behind the firewall that is generating such an extreme amount of packets, even though I've looked through the crontabs of nearly all servers, performed "ps" variations, and other types of investigation.
>> Is there any type of package I can install that will monitor traffic and report abnormal, over-threshold packets similar to what wireshark might do in a manner that would allow me to determine where these packets might be going or from where they originate?
> Setup a nettop server and netflow on the routing interfaces and you will find tour culprit.
Nettop -> ntop
-Ross
On 14/06/2012 18:07, Steve Campbell wrote:
> We have a situation here that is a real mystery.
> Our MRTG on our outgoing router and a firewall server that protects our web servers is showing a spike every six hours. I can't find the server behind the firewall that is generating such an extreme amount of packets, even though I've looked through the crontabs of nearly all servers, performed "ps" variations, and other types of investigation.
> Is there any type of package I can install that will monitor traffic and report abnormal, over-threshold packets similar to what wireshark might do in a manner that would allow me to determine where these packets might be going or from where they originate?
I used to quite like iptraf for a quick summary view of the traffic use. Don't know if there is a CentOS package for it.
On 06/15/2012 06:43 AM, Giles Coochey wrote:
> On 14/06/2012 18:07, Steve Campbell wrote:
>> We have a situation here that is a real mystery.
>> Our MRTG on our outgoing router and a firewall server that protects our web servers is showing a spike every six hours. I can't find the server behind the firewall that is generating such an extreme amount of packets, even though I've looked through the crontabs of nearly all servers, performed "ps" variations, and other types of investigation.
>> Is there any type of package I can install that will monitor traffic and report abnormal, over-threshold packets similar to what wireshark might do in a manner that would allow me to determine where these packets might be going or from where they originate?
> I used to quite like iptraf for a quick summary view of the traffic use. Don't know if there is a CentOS package for it.
iptraf-ng.i686 1.1.1-2.el6 epel
trafshow.i686 5.2.3-6.el6 epel
are both pretty good.