How to monitor my connections?

[DoHITB]

Hello:

I have few notions for server administration, so I wanted to get a bit more of knowledge and I turned my Raspberry PI into a internet connected Server.
So, I installed no-ip to have a fixed DNS, installed apache, and some other tools like ufw to keep my server the most secured I can.

But on later days, I see that my ethernet lights are blinking way too much (like there's a continuous communication to the Internet). That's not a bad thing per se, but I don't ever had that much traffic... I mean, I have a small API that on it's best day holds 100 queries (holded on an Apache server), and a small Minecraft server.

The point here is that I don't know where this ethernet usage comes from, and I fear it can be a sort of intrussion attempt. I checked all the logs I am aware of and I don't see anyting weird.

• ss -t only shows my ssh connection (as I have public/private key auth enabled, and no passwrod access can be done)
• apache log does not show any relevant information (a bunch of bot attempts to get some specific pages, but then apache returns a 404)
• minecraft log did not show any connected player at that time
• ssh log was all OK
• glances was not showing any relatable information (eth0 intetrface was showing 256kb/s, I assume that was by my ssh connection, and disk storage have no changes at all)
• fail2ban was working as usual

This behaviour had been keep repeating for last three days. Now I have the machine powered off just in case, but as soon I let it 2-3 hours powered on and idle, it again keeps doing this.

So, I was searching for a way to fully monitor my server as an entity (I mean, not just apache server or minecraft server, but the entire machine), but I was not able to find any information on Google (I'm sure there's plenty of information, but I guess I did not provide the correct word combination ).

May please anyone provide some information and/or directions on how can I monitor my computer from remote side? I have sftp/ssh/https connections availables on my machine.

Thanks in advance.

 

[f33dm3bits]

The best thing you can do is setup fail2ban and have it watch the the log files of the services you are suspicious about, it allows you to monitor different services such as ssh, http(s) and others.

How to Setup an IPS (Fail2ban) to Protect from Different Attacks

IPS or Intrusion Prevention System is a technology used in network security to examine network traffic and prevent different attacks by detecting malicious inputs. IPS are placed just behind the firewall, and they can send alarms, drop malicious packets and block offending IP addresses. How to...

linuxhint.com

 

[DoHITB]

The best thing you can do is setup fail2ban and have it watch the the log files of the services you are suspicious about, it allows you to monitor different services such as ssh, http(s) and others.

How to Setup an IPS (Fail2ban) to Protect from Different Attacks

IPS or Intrusion Prevention System is a technology used in network security to examine network traffic and prevent different attacks by detecting malicious inputs. IPS are placed just behind the firewall, and they can send alarms, drop malicious packets and block offending IP addresses. How to...

linuxhint.com

Hi!

I have fail2ban enabled with permanent ban for IP that makes 3 erroneous login attempt, but on this scenarios I don't see any different activity than normal.

I mean, I have it on my studio, so when I'm working sometimes I see a quick blink (2-3 seconds), then stop... and on end-of-they if I check fail2ban-server status sshd, I see new banned IP's. But on this cases the blinking is continous and I see no new banned IP's, so I'm confident on that is not a ssh login attempt-like attack.

But I will also take a look on how to configure fail2ban to protect Apache server (I already found a tutorial on that!) I didn't know that was possible

Thanks.

 

[dcbrown73]

Obviously, you can run tcpdump and see what traffic is flowing and to what port, but if you want a more intuitive view of network traffic. You can install "iftop". It's like regular "top" for Linux, but is specific to network traffic views.

 

[DoHITB]

Obviously, you can run tcpdump and see what traffic is flowing and to what port, but if you want a more intuitive view of network traffic. You can install "iftop". It's like regular "top" for Linux, but is specific to network traffic views.

Thanks for the suggestion!
Today I had a few minutes for putting both suggestions onto practice, so now fail2ban is taking care of Apache, and also I can have a network overview with iftop!

Now I think I can be able to check where this suspicious connections comes from

Thanks.

 

[stan]

I see that my ethernet lights are blinking way too much (like there's a continuous communication to the Internet).

I see that kind of blinking with my Raspberry Pi 4, but not with my 3B+. What model Pi are you using? I never investigated it further (like you, nothing weird in the logs), but I did not think it was actual traffic on the network.

 

[DoHITB]

I see that kind of blinking with my Raspberry Pi 4, but not with my 3B+. What model Pi are you using? I never investigated it further (like you, nothing weird in the logs), but I did not think it was actual traffic on the network.

Hi:

I have the pi 4 (I think revision 1.1 or something like that) with 8gb of RAM.

It never did the blinking before so that made me aware of it... Its not like a regular thing on my case.

 

[stan]

I have the pi 4 (I think revision 1.1 or something like that) with 8gb of RAM.

That is the same as mine with the blinking issue (not sure about revision number). I have not used mine in awhile, but I'll fire it up and look at it better, if I can. It may not have been continuous for me either, but it was frequent.

 

[DoHITB]

That is the same as mine with the blinking issue (not sure about revision number). I have not used mine in awhile, but I'll fire it up and look at it better, if I can. It may not have been continuous for me either, but it was frequent.

Well, after the changes I made I hope I can find new information. Will update the thread if I see something!

 

[stan]

I can't find anything with Google that others are having this experience, so that's interesting. But I'm fairly convinced this is some kind of quirk with the Pi 4 ethernet port, and I'm not very worried about it. Here's what I'm finding....

1. The fast blinking is pretty much continuous for me, and only on the Pi 4, not the 3B+. I swapped cables between them with no change.

2. The fast blinking does NOT show on the Pi 4 light... it shows only on the light at the switch I use (on any port), and it will also fast blink on the router light if plugged directly into the router.

3. There is no traffic going to the internet. This is easily confirmed because while the light on the switch is fast blinking, the light on the router from the switch is behaving normally. But if I download a large file, then the router light (and switch light) also blinks faster too, as it should with real traffic. It's for this reason that I'm not too worried about it.

Note: I use different operating systems, the 3B+ has Raspberry Pi OS 64-bit, and the Pi 4 is running OpenBSD 6.9. That could be a factor, but I'm not wanting to change OS'es to test that idea.

 

[DoHITB]

Well, after the changes I made I hope I can find new information. Will update the thread if I see something!

Hello:

After +24h of continuous running, there are still no blinking issues... also for time to time I go to ssh and make some fail2ban-server status to check the jails, and I found some failed attempts on http-get-dos jail (configured as)

[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/*access.log
maxretry = 400
findtime = 400
bantime = 200
action = iptables[name=HTTP, port=http, protocol=tcp]


So, I think there was maybe some bots messing around with my web server, now everything looks OK.
Also, with iftop I found a bunch of sites accessing the server... I didn't know how many bots there are out there haha.

Thanks all for the support and the insight!

 

[jpnilson]

You most likely started to attract a lot of traffic when you set up dynamic DNS. Fail2ban is good. A lot of the really good options are to large to load onto Raspberry PI. One thing that will cut down on the unwanted traffic is to use a nonstandard port. For example I set up a site using port 4443. I have another running on 443. Even using PFsense firewall and snort I still have an average of 25 to 30 addresses a day attempting to scan my website. The site using 4443 almost never gets scanned. Always set up your security before connecting to the Internet. The minute you come online its like throwing fresh meat in a lion pit.

 

[KGIII]

I didn't know how many bots there are out there haha.

From what I've read, estimates are that about 90% of all web traffic is computers talking to computers, or bots.

Note: Not all bots are malicious. I've read various estimates of how much traffic is malicious. Around 20% is an often cited number and that jives well with my experience.

 

[jpnilson]

Fun site full of the gee wiz statistics https://www.broadbandsearch.net/blog/internet-statistics. It is true that there are bots such as web crawlers make the various search engines work for example. It all comes down to what is your goal of your site. In my case I use internet interfaces to allow access or protect data while on the road. I don't want them to be found by anyone. The smaller the attack surface the easier it is to protect. For educational purposes it can be fun set up a poorly protected site and watch it being attacked "Honey Pot". I don't recommend that unless you have an affective method to isolate that from your network. In any case I peek at my firewall logs each day to see what gets blocked and more importantly my web server syslog to see who has managed actually get all the way to my server and what they are up to. All of those things are necessary to tune your defenses.

 

[KGIII]

What strikes me most is the change in search terms for 2020.

Anyhow, there are things you can do to discourage bots, but you can't really stop them. If there's a web site, you can tell robots to not index the site, for example. You can avoid linking to it anywhere else, maybe even putting it on its own subdomain and things like that.

I use a honey pot, actually a couple, to detect and ban poorly behaved bot traffic.