
Mirroring traffic from a Linux server for further analysis

Task: mirror the traffic passing through a server and send it over the network to another server for further analysis. Essentially this is the SPAN (port mirroring) feature of Cisco switches, implemented with Linux. The same task arises when we want to analyze the content not on the existing server but on a dedicated analysis server. In the simplest case, we implement the scheme shown in the figure.

In this scheme we inspect all user traffic passing through the gateway. For analysis you can use an intrusion detection system such as Snort.

To implement this scheme you need the ipt_ROUTE kernel-space netfilter module and support for the ROUTE target in user-space iptables (available out of the box in Debian). The ipt_ROUTE.c kernel module was dropped from patch-o-matic and is no longer maintained, so it does not build against kernels >= 2.6.24. I ported it to newer kernels and published it on Google Code.

To install, you must perform the following steps:

$svn co iptroute.googlecode.com/svn/trunk iptroute
$cd iptroute
$make
$sudo make install


As a result, we installed the ipt_ROUTE module for netfilter.
Now we only have to set up the interface to which the captured traffic will be sent. This can be a physical interface, a VLAN interface or a tunnel. Consider the simplest option shown in the figure:
eth0 - inet addr: 10.10.10.2, the interface facing the Internet
eth1 - inet addr: 192.168.1.1, the interface facing the local network
eth2 - inet addr: 172.16.0.1, the mirror interface; all traffic passing through our gateway will be duplicated onto it

Add a static ARP entry for a virtual server that will receive our traffic (no real host has to answer ARP for this address; the kernel only needs a MAC to put in the frames):
#arp -i eth2 -s 172.16.1.2 00:00:00:00:00:01

Duplicate all traffic passing through the FORWARD chain to the mirror server 172.16.1.2:
#iptables -t mangle -A FORWARD -j ROUTE --tee --gw 172.16.1.2

After these steps we can analyze all traffic passing through our gateway; to do so it is enough to connect the analysis host to interface eth2 and capture there.
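The whole gateway-side procedure (load the module, add the static ARP entry, insert the mirroring rule) as one idempotent POSIX shell script. This is an added example, not the article's own code. It keeps the article's values (eth2, 172.16.1.2, MAC 00:00:00:00:00:01) as defaults, and adds one thing the article predates: mainline iptables ships a TEE target (`-j TEE --gateway`) that does the same job as the patch-o-matic `ROUTE --tee`, so the script uses TEE when the xt_TEE module loads and falls back to ipt_ROUTE otherwise. `DRY_RUN=1` only prints the commands. The assumption that the mirror address is on a network directly attached to the mirror interface is the script's, not the article's.

```shell
#!/bin/sh
# Added example: idempotent setup of the Linux "SPAN port" described in the article.
# Assumptions (not from the article): DRY_RUN=1 prints commands instead of running
# them, and MIRROR_GW lies on a network directly attached to MIRROR_IF, because
# both TEE and ROUTE --tee hand the copies to a next hop, not to a far-away host.
MIRROR_IF="${MIRROR_IF:-eth2}"
MIRROR_GW="${MIRROR_GW:-172.16.1.2}"
MIRROR_MAC="${MIRROR_MAC:-00:00:00:00:00:01}"

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    addr=$1
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables arguments that duplicate every FORWARD packet to gateway $1.
# $2 selects the target: TEE (mainline xt_TEE, default) or ROUTE (article's ipt_ROUTE).
mirror_rule() {
    gw=$1; target=${2:-TEE}
    case "$target" in
        TEE)   echo "-t mangle -A FORWARD -j TEE --gateway $gw" ;;
        ROUTE) echo "-t mangle -A FORWARD -j ROUTE --tee --gw $gw" ;;
        *)     echo "unknown mirror target: $target" >&2; return 1 ;;
    esac
}

# Execute a command, or just show it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Choose whichever mirror target this kernel can load (TEE preferred).
pick_target() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo TEE; return 0; fi
    if modprobe xt_TEE 2>/dev/null; then echo TEE
    elif modprobe ipt_ROUTE 2>/dev/null; then echo ROUTE
    else echo "neither xt_TEE nor ipt_ROUTE is available" >&2; return 1
    fi
}

# Set up the mirror: static ARP entry for the pseudo receiver, then the rule,
# appended only if an identical rule is not already present (iptables -C).
apply_mirror() {
    valid_ipv4 "$MIRROR_GW" || { echo "bad mirror address: $MIRROR_GW" >&2; return 1; }
    target=$(pick_target) || return 1
    run arp -i "$MIRROR_IF" -s "$MIRROR_GW" "$MIRROR_MAC"
    rule=$(mirror_rule "$MIRROR_GW" "$target") || return 1
    check=$(echo "$rule" | sed 's/ -A / -C /')
    # Word splitting of $rule / $check into separate iptables arguments is intended.
    if [ "${DRY_RUN:-0}" = 1 ] || ! iptables $check 2>/dev/null; then
        run iptables $rule
    fi
}

# Usage: sh mirror.sh apply   (as root; prefix with DRY_RUN=1 to preview)
if [ "${1:-}" = apply ]; then
    apply_mirror
fi
```

Two points a defender should keep in mind when running this: the copies are taken in the mangle FORWARD hook, which runs before nat POSTROUTING, so the analysis host sees pre-NAT (internal) source addresses for outbound flows; and the copies leave eth2 in the clear, so that interface should be a dedicated link to the analysis host rather than a shared segment.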

In the same way you can easily analyze the traffic of a web or mail server.
Originally this scheme was devised to analyze the traffic inside encrypted PPTP and OpenVPN tunnels on a dedicated server.

Source: https://habr.com/ru/post/55256/
