With my zoo of Docker containers and multiple servers hosted locally or on some cloud providers, I feel the need more and more to understand what kind of network traffic is happening. Seeing my outbound traffic on some cloud providers, I'm sometimes wondering "huh, where did that traffic come from?".
And honestly I have to say: I don't know. Monitoring traffic is a real hurdle since I'm doing a lot via tunnels / WireGuard in between servers or to my clients. When I spin up a network analysis tool such as ntopng, I do see a lot of traffic happening that is "WireGuard". Cool. That doesn't help me one bit.
I would have to do some deep packet inspection, I suppose, and SSL interception to actually understand WHAT is doing stuff / where network traffic comes from. Honestly I wouldn't be sure what would be happening if there were some malicious thing running on the server, and I really don't like that. I want to see all traffic and be able to assign it to "known traffic", or in other words: "this traffic belongs to Jellyfin", "that traffic is my Gitea instance", "the other traffic is Syncthing", or something along those lines.
Is there a solution you beautiful people in this subreddit recommend or use? Don’t you care?
I have a pfSense and use ntopng.
It depends on what you run as a perimeter device, but Elasticsearch is free and can give you incredible visibility into your network.
That said, it can be a bit of a beast to learn.
A simpler deployment is how I have it: running Zenarmor (Sensei) inside my OPNsense router/firewall, which IS my edge.
There's also Prometheus and Grafana. Graylog.
Lots and lots of options; however, you just need to feed these log engines your syslogs.
That’s the magic ticket!
I use my FortiGate router, as it logs everything natively. It logs DNS requests, outbound traffic, internal LAN-local traffic, and so much more.
I’ve been a network engineer, security analyst, security engineer, and SOAR engineer over the course of the last 20 years; I don’t want to think about any of that shit when I’m not being paid for it. I have backups of the things I can’t replace, no port forwarding/ingress rules from WAN on the firewall, and the network is heavily segmented and uses least privilege. The random security stuff I leverage is set to drop/block and my family does a good job being vocal when something isn’t working. If I needed to start over tomorrow, I’d just build a new server with Ansible playbooks on my GitHub.
I wrote a couple of scripts that ingest my Apache and SSHD logs to tell me how many hits I had, how many unique hosts they came from, and where they are in the world. It even spits out a nice map at the end of the day: https://imgur.com/aJ6aVZp
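The kind of per-day summary described above (hits, unique hosts, and who is hammering SSH), as an added example that is not the commenter's script and not from the original post. It parses Apache combined-format access-log lines and sshd auth lines from syslog. The log lines, addresses (RFC 5737 documentation ranges) and the three-failure brute-force threshold are constructed for the example; the GeoIP map step is left out because it needs an offline geolocation database.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Apache "combined" access-log line: client IP, identd, user, [timestamp], "request", status, size, ...
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# sshd auth result as written to syslog/journald; the "invalid user" prefix is optional.
SSHD_RE = re.compile(
    r'sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?'
    r'(?P<user>\S+) from (?P<ip>\S+) port \d+'
)

# Constructed sample input (documentation addresses), not real traffic. One line is deliberately malformed.
APACHE_SAMPLE = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:58:02 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:14:01:10 +0000] "POST /api/upload HTTP/1.1" 500 0 "-" "curl/8.4.0"
not a log line at all
"""

SSHD_SAMPLE = """\
Oct 10 13:55:40 host sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 4321 ssh2
Oct 10 13:55:43 host sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 4321 ssh2
Oct 10 13:55:47 host sshd[1236]: Failed password for root from 198.51.100.7 port 4322 ssh2
Oct 10 13:56:01 host sshd[1240]: Accepted publickey for alice from 203.0.113.5 port 5050 ssh2: ED25519 SHA256:abc
Oct 10 13:56:30 host sshd[1240]: pam_unix(sshd:session): session opened for user alice
"""


def _clean_ip(raw):
    """Return a normalised IP string, or None if the client field is not an address."""
    try:
        return str(ip_address(raw))
    except ValueError:
        return None


def parse_apache(text):
    """One dict per well-formed access-log line; malformed lines and non-IP clients are skipped."""
    events = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        ip = _clean_ip(m["ip"]) if m else None
        if ip is None:
            continue
        events.append({"ip": ip, "request": m["req"], "status": int(m["status"])})
    return events


def parse_sshd(text):
    """One dict per Accepted/Failed sshd line; session/pam chatter is ignored."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        ip = _clean_ip(m["ip"]) if m else None
        if ip is None:
            continue
        events.append({"ip": ip, "user": m["user"], "result": m["result"], "method": m["method"]})
    return events


def summarize(apache_text, sshd_text, failed_threshold=3):
    """Daily summary: web hits and unique hosts, status mix, and SSH sources that keep failing."""
    web = parse_apache(apache_text)
    ssh = parse_sshd(sshd_text)
    failed = Counter(e["ip"] for e in ssh if e["result"] == "Failed")
    return {
        "web_hits": len(web),
        "web_unique_hosts": len({e["ip"] for e in web}),
        "web_hits_by_host": dict(Counter(e["ip"] for e in web)),
        "web_status_counts": dict(Counter(e["status"] for e in web)),
        "ssh_failed_by_host": dict(failed),
        "ssh_accepted": [(e["user"], e["ip"], e["method"]) for e in ssh if e["result"] == "Accepted"],
        # Sources at or above the (constructed) threshold of failed logins are worth blocking.
        "ssh_bruteforce_suspects": sorted(ip for ip, n in failed.items() if n >= failed_threshold),
    }


if __name__ == "__main__":
    for key, value in summarize(APACHE_SAMPLE, SSHD_SAMPLE).items():
        print(f"{key}: {value}")
```

In practice you would read the real files (or `journalctl -u ssh -o cat`) instead of the inline samples, and feed the per-host counts to a GeoIP lookup for the map. Validating the client field with `ipaddress` matters: a crafted `X-Forwarded-For` or hostname in that column otherwise ends up in your report verbatim.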
Ok it’s time bro
Awesome, thank you mate 😉🤝
I do. I monitor it in a lot of ways.
- IDS at the router
- Anomaly detection at the router
- Host based agents on everything I can
- L7 Firewalls on everything I can
- DNS based monitoring for everything
WireGuard and Cloudflare Tunnels make network traffic monitoring difficult because it's all encrypted traffic.
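The "DNS based monitoring for everything" item above is the one that survives the WireGuard problem, because the resolver sees the query before anything is encrypted. As an added example (not the commenter's setup and not from the original post), this parses dnsmasq/Pi-hole `log-queries` lines, maps the querying client address to the service that owns it, and sorts each service's lookups into "expected" versus "unexplained" against a per-service baseline, which is what "this traffic belongs to Jellyfin" looks like at the DNS layer. The client inventory, the domain baselines and the log lines are constructed placeholders; the real baseline is whatever you observe each service legitimately resolving.

```python
import re
from collections import defaultdict

# dnsmasq "log-queries" line for a query; "forwarded"/"reply" lines do not match and are skipped.
DNSMASQ_QUERY_RE = re.compile(
    r'dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$'
)

# Constructed inventory: container address -> service. In practice built from
# `docker network inspect` or your static leases; these addresses are placeholders.
CLIENTS = {
    "172.18.0.5": "gitea",
    "172.18.0.7": "jellyfin",
    "172.18.0.9": "syncthing",
}

# Constructed baseline: domain suffixes each service is expected to resolve.
EXPECTED = {
    "gitea": ("github.com",),
    "jellyfin": ("jellyfin.org",),
    "syncthing": ("syncthing.net",),
}

# Constructed sample log (documentation addresses for upstream/answers).
DNS_SAMPLE = """\
Oct 10 14:02:11 dnsmasq[812]: query[A] api.github.com from 172.18.0.5
Oct 10 14:02:11 dnsmasq[812]: forwarded api.github.com to 192.0.2.53
Oct 10 14:02:12 dnsmasq[812]: reply api.github.com is 192.0.2.10
Oct 10 14:02:15 dnsmasq[812]: query[AAAA] repo.jellyfin.org from 172.18.0.7
Oct 10 14:02:20 dnsmasq[812]: query[A] relays.syncthing.net from 172.18.0.9
Oct 10 14:02:33 dnsmasq[812]: query[A] xk3q9v.example from 172.18.0.9
Oct 10 14:02:40 dnsmasq[812]: query[A] updates.example.org from 172.18.0.11
"""


def _matches(name, suffixes):
    """True if name equals one of the suffixes or is a subdomain of one (case-insensitive)."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)


def attribute(text):
    """Bucket each query by owning service; queries from addresses not in the inventory are reported separately."""
    by_service = {svc: {"expected": [], "unexplained": []} for svc in EXPECTED}
    unknown_clients = defaultdict(list)
    for line in text.splitlines():
        m = DNSMASQ_QUERY_RE.search(line)
        if not m:
            continue
        name, client = m["name"], m["client"]
        svc = CLIENTS.get(client)
        if svc is None:
            # A host you did not inventory is asking the resolver: either a new container or something to look at.
            unknown_clients[client].append(name)
            continue
        bucket = "expected" if _matches(name, EXPECTED.get(svc, ())) else "unexplained"
        by_service.setdefault(svc, {"expected": [], "unexplained": []})[bucket].append(name)
    return {"by_service": by_service, "unknown_clients": dict(unknown_clients)}


if __name__ == "__main__":
    result = attribute(DNS_SAMPLE)
    for svc, buckets in result["by_service"].items():
        print(f"{svc}: {len(buckets['expected'])} expected, unexplained={buckets['unexplained']}")
    print("unknown clients:", result["unknown_clients"])
```

This only works if every container is actually forced through your resolver: block outbound TCP/UDP 53 from the container networks except to the resolver, and be aware that anything using DNS-over-HTTPS or DNS-over-TLS to a public provider will not show up here at all.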
What do you use for L7 firewalls?
Security Onion is a great IDS system. I used their distributed setup, so I have one mini PC as a sensor and another as the manager/search node. Works wonderfully.
I would suggest looking at Wazuh and setting up a SIEM stack based on it. It would provide what you need and is highly customisable to your needs.