Feature Requests item #1510966, was opened at 2006-06-22 22:22
Message generated for change (Comment added) made by code_slave
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=725142&aid=1510966&group_id=132104
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request, not just the latest update.
Category: Interface Improvements (example)
Group: None
Status: Open
Priority: 5
Submitted By: Code_Slave (code_slave)
Assigned to: Nobody/Anonymous (nobody)
Summary: no way to analyze frightening traffic
Initial Comment:
See enclosed graphs.
I noticed that there was significant incoming traffic into the firewall for over 4 hours.
Then after that my firewall peaked for outgoing traffic every hour.
Did someone compromise my system, the firewall? And upload some sort of bot?
Who knows, but even with all the logs from the firewall, trying to track down the cause seems very difficult.
We really need some sort of system where we can track this sort of traffic down, either by having a log that can group all the traffic by IP address (instead of just filtering 1 item), or some system where an alarm can be set to catch such traffic.
----------------------------------------------------------------------
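The request above asks for two things the firewall logs do not give directly: a per-IP grouping of traffic and an alarm on the pattern seen on the graphs (a long inbound burst, then outbound peaks every hour). The script below is an added example, not part of the tracker thread or of Endian/ntop; it reads constructed netfilter-style log lines (the format and all addresses are assumed, not taken from the report), groups packets per peer IP and hour, and flags both patterns.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed netfilter-style log lines (not taken from the report); only the
# fields this script reads are meaningful.
SAMPLE_LOG = """\
Jun 22 18:05:01 efw kernel: IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP SPT=4411 DPT=22
Jun 22 18:05:02 efw kernel: IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP SPT=4412 DPT=22
Jun 22 18:05:03 efw kernel: IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP SPT=4413 DPT=22
Jun 22 18:07:10 efw kernel: IN=eth1 OUT= SRC=192.0.2.9 DST=203.0.113.2 PROTO=UDP SPT=53 DPT=1025
Jun 22 19:00:00 efw kernel: IN= OUT=eth1 SRC=203.0.113.2 DST=198.51.100.7 PROTO=TCP SPT=1025 DPT=6667
Jun 22 20:00:00 efw kernel: IN= OUT=eth1 SRC=203.0.113.2 DST=198.51.100.7 PROTO=TCP SPT=1026 DPT=6667
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
)

def parse(lines):
    """Yield (hour_bucket, direction, peer_ip) for every line that parses."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; 2006 is assumed to match the report.
        ts = datetime.strptime("2006 " + m["ts"], "%Y %b %d %H:%M:%S")
        direction = "in" if m["in"] else "out"
        peer = m["src"] if direction == "in" else m["dst"]
        yield ts.strftime("%Y-%m-%d %H:00"), direction, peer

def group_by_ip(lines):
    """Map (direction, peer_ip) -> Counter of packets per hour bucket."""
    per_ip_hour = defaultdict(Counter)
    for hour, direction, peer in parse(lines):
        per_ip_hour[(direction, peer)][hour] += 1
    return per_ip_hour

def alarms(lines, in_threshold=3, out_hours=2):
    """Flag peers that burst inbound in one hour or are contacted outbound
    in at least out_hours distinct hours (the hourly peaks in the report)."""
    hits = []
    for (direction, peer), hours in group_by_ip(lines).items():
        if direction == "in" and max(hours.values()) >= in_threshold:
            hits.append(("inbound-burst", peer))
        if direction == "out" and len(hours) >= out_hours:
            hits.append(("periodic-outbound", peer))
    return sorted(hits)
```

Feed it the real kernel log instead of SAMPLE_LOG and raise the thresholds to fit the link's normal volume; the per-hour table from group_by_ip is the grouped view the request asks for, and alarms is the alarm.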
>Comment By: Code_Slave (code_slave)
Date: 2006-06-25 22:31
Message:
Logged In: YES
user_id=413743
I finally got the thing under control, but its threading & exit code needs some work.
Perhaps a re-read of the FAQ is in order:
http://www.ntopsupport.com/faq.html
Q. The plugins aren't very secure.
A. True.
Q. How do I prevent users from turning plugins on/off?
A. The default configuration of ntop does not protect the plugin pages - no password is required to access showPlugins.html.
This allows any user who can connect to the ntop web server to view reports FROM the plugins, but also allows them to make plugin configuration changes.
This may not be desirable. You may wish to add additional URLs to the Default list of those which require entry of a userid/password.
You can prevent unauthorized individuals from turning plugins on/off by adding this URL: "showPlugins.html?" to the list via Add URL.
Q. Ok, but they can still get into the configuration pages and change things.
A. Yes. Add the following URLs to the controlled list:
plugins/sFlow*
plugins/netFlow*
plugins/rrdPlugin*
This will keep everybody who doesn't know the userid/password out of the configurable plugins. Unfortunately, it will also prevent them from seeing the rrd graphs, because those are created out of the rrd plugin.
A. Instead of plugins/rrdPlugin*, create these:
plugins/rrdPlugin?d*
plugins/rrdPlugin?h*
plugins/rrdPlugin?i*
plugins/rrdPlugin?r*
It's still not perfect, the reasons why are left as an exercise for the user.
----------------------------------------------------------------------
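The FAQ quoted above gives two versions of the password-protected URL list (the broad plugins/rrdPlugin* entry, and the four narrower rrdPlugin?d*/h*/i*/r* entries that keep the graphs visible) and warns that the narrow version "is still not perfect". The code below is an added illustration, not part of the thread or of ntop; it assumes every list entry is a prefix of the request URL (path plus query string), that a trailing '*' is only a reminder of that, and that '?' is a literal character. The request URLs and their parameter names are constructed placeholders, not ntop's real parameters.

```python
# Matching semantics ASSUMED for this illustration: every entry in the
# protected list is a prefix of the request URL (path plus query string, no
# leading slash); a trailing '*' is stripped; '?' is a literal character,
# not a wildcard. ntop's own comparison may differ.
def requires_auth(url, protected):
    """True if the request URL is covered by any protected-list entry."""
    return any(url.startswith(entry.rstrip("*")) for entry in protected)

# The two lists from the FAQ quoted in the comment above.
BROAD = ["showPlugins.html?", "plugins/sFlow*", "plugins/netFlow*",
         "plugins/rrdPlugin*"]
NARROW = ["showPlugins.html?", "plugins/sFlow*", "plugins/netFlow*",
          "plugins/rrdPlugin?d*", "plugins/rrdPlugin?h*",
          "plugins/rrdPlugin?i*", "plugins/rrdPlugin?r*"]

# Constructed request URLs; the query parameter names are placeholders and
# are not ntop's actual parameters.
REQUESTS = [
    "showPlugins.html?sFlow=1",
    "plugins/netFlow?setting=1",
    "plugins/rrdPlugin?dGraph=1",
    "plugins/rrdPlugin?xSetting=1",
    "plugins/rrdPlugin",
]

def unprotected(protected, requests=REQUESTS):
    """Return the requests that would be served without a userid/password."""
    return [u for u in requests if not requires_auth(u, protected)]
```

Running unprotected(NARROW) against the list of URLs an ntop install actually serves is the check to repeat whenever the list is edited: anything it returns is reachable by every user who can reach the web server, which is the gap the FAQ leaves as an exercise.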
Comment By: Adam Pavelec (adampavelec)
Date: 2006-06-25 04:04
Message:
Logged In: YES
user_id=814392
Which FAQ? The one at http://www.efw.it/wiki/faq doesn't seem to include anything about plugins. At any rate, I agree -- ntop should have some sort of access control -- hopefully that can be addressed if/when it's merged into Endian's GUI. BTW, I've had ntop running for almost two days now and haven't experienced any issues whatsoever.
----------------------------------------------------------------------
Comment By: Code_Slave (code_slave)
Date: 2006-06-24 07:24
Message:
Logged In: YES
user_id=413743
Green is a net that all your users have access to,
red is a net that the rest of the world & your users have access to.
This should be an admin tool, the same way that data in Endian should not be available to users on red or green.
Please read the FAQ specifically about the plugins, before you consider exposing the ntop to your green network.
It would be an extremely good tool to include in Endian, but it is an unstable tool, and requires a lot of work, and I can see why it is disabled by default.
Also I have managed to break my copy, in that it just will not display the webpages as before; I suspect that because I enabled it on all interfaces it did not like it, and now will not function correctly.
I am also unable to find out exactly where it puts its pref files, so that I can delete and start from scratch.
----------------------------------------------------------------------
Comment By: Nobody/Anonymous (nobody)
Date: 2006-06-24 02:29
Message:
Logged In: NO
I guess I'm having a difficult time understanding something here. If the ntop service is only accessible from the green side of things (or at least in my rather limited testing, it's definitely *not* accessible from red), how could it possibly be a threat to the security of the firewall?
All things considered, I can appreciate your comments about its (in-)stabilities; but in my environment, it's been running for ~12 hours and hasn't choked yet, so only time can tell how reliable this application is, in my particular environment, at least.
I'm not sure where it fits into the scope of Endian, but I hope that it will be integrated into its GUI in the near future! Many thanks to Peter for including it at this point in development! It's a very useful tool!
----------------------------------------------------------------------
Comment By: Code_Slave (code_slave)
Date: 2006-06-23 21:55
Message:
Logged In: YES
user_id=413743
When you start up the daemon, the default action is to allow any access, but to block admin requirements.
You have to log in as admin, then change the web interface options to "hide" all NTOP pages.
(I'm listening on the external interface, and port forwarding.)
That said, the NTOP is a little unstable. I left it running all night on 3 interfaces, hooked to a T3 optical, and this morning I cannot log into it even though it was all right last night (running for 10 hours).
Running "top" shows that the daemon is still running, but it will not respond on the web interface.
----------------------------------------------------------------------
Comment By: Adam Pavelec (adampavelec)
Date: 2006-06-23 21:04
Message:
Logged In: YES
user_id=814392
> yep i got it working , but watch out!!, it is almost totally exposed to
> the net, unless you set the correct options, the password only controls
> the admin options.
I cannot access mine from the external interface. What exactly do you mean by it being "almost totally exposed to the net"?
----------------------------------------------------------------------
Comment By: Code_Slave (code_slave)
Date: 2006-06-23 13:37
Message:
Logged In: YES
user_id=413743
Yep, I got it working, but watch out!! It is almost totally exposed to the net unless you set the correct options; the password only controls the admin options.
Also there are a couple of double frees in the clib under certain situations.
I have used it to trace 1 SYN attack from China, that is currently eating 16% of my bandwidth.
----------------------------------------------------------------------
Comment By: Adam Pavelec (adampavelec)
Date: 2006-06-23 12:44
Message:
Logged In: YES
user_id=814392
Wow! Way cool! Thanks for pointing this out, mastrboy. No problems getting it to run on my install -- here's what I did:
1) touch /var/efw/ntop/enabled
2) ntop --user ntop --daemon \
   --db-file-path /var/ntop \
   --interface br0 \
   --trace-level 3 \
   --https-server 3001 \
   --http-server 0 \
   --disable-schedyield
3) visit https://endian.firewall:3001
----------------------------------------------------------------------
Comment By: Code_Slave (code_slave)
Date: 2006-06-23 09:23
Message:
Logged In: YES
user_id=413743
It did not seem to like that; I had a segmentation fault on exit.
Also it complained the following:
**WARNING** INIT: Unable to create pid file (/var/ntop/ntop.pid)
**ERROR** RRD: Disabled - unable to create directory (err 13, /var/ntop/rrd/graphics)
On trying to restart it:
Fri Jun 23 17:21:34 2006 NOTE: Interface merge enabled by default
Fri Jun 23 17:21:34 2006 Initializing gdbm databases
Fri Jun 23 17:21:34 2006 **ERROR** ....open of /var/ntop/prefsCache.db failed: Can't be writer
Fri Jun 23 17:21:34 2006 Possible solution: please use '-P <directory>'
Fri Jun 23 17:21:34 2006 **FATAL_ERROR** GDBM open failed, ntop shutting down...
Fri Jun 23 17:21:34 2006 CLEANUP[t3086530240]: ntop caught signal 2
Fri Jun 23 17:21:34 2006 THREADMGMT[t3086530240]: ntop RUNSTATE: SHUTDOWN(7)
Fri Jun 23 17:21:34 2006 CLEANUP[t3086530240] catching thread is MAIN
Fri Jun 23 17:21:34 2006 CLEANUP: Running threads
Fri Jun 23 17:21:34 2006 CLEANUP: Locking purge mutex (may block for a little while)
Fri Jun 23 17:21:34 2006 CLEANUP: Locked purge mutex, continuing shutdown
Fri Jun 23 17:21:34 2006 CLEANUP: Continues
Fri Jun 23 17:21:34 2006 PLUGIN_TERM: Unloading plugins (if any)
Fri Jun 23 17:21:34 2006 CLEANUP: Clean up complete
Fri Jun 23 17:21:34 2006 THREADMGMT[t3086530240]: ntop RUNSTATE: TERM(8)
Fri Jun 23 17:21:34 2006 ===================================
Fri Jun 23 17:21:34 2006 ntop is shutdown...
Fri Jun 23 17:21:34 2006 ===================================
----------------------------------------------------------------------
Comment By: mastrboy (mastrboy)
Date: 2006-06-23 08:06
Message:
Logged In: YES
user_id=795009
You can try ntop, it's already integrated into ntop, it's just not documented anywhere.
I think the way to start it is to touch a file:
touch /var/efw/ntop/enabled
(look at the file: /etc/rc.d/ntop)
You can access it at https://0.0.0.0:3001
where 0.0.0.0 is your EFW IP address.
----------------------------------------------------------------------
_______________________________________________
Efw-devel mailing list
Efw-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/efw-devel