With my zoo of docker containers and multiple servers hosted locally or on some cloud providers, I feel the need more and more to understand what kind of network traffic is happening. Seeing my outbound traffic on some cloud providers I’m sometimes wondering “huh-where did that traffic come from?”.

And honestly I have to say: I don’t know. Monitoring traffic is a real hurdle since I’m doing a lot via tunnels / wireguard in between servers or to my clients. When I spin up a network analysis tool such as ntopng, I do see a lot of traffic happening that is “Wireguard”. Cool. That doesn’t help me one bit.

I would have to do some deep package inspection I suppose and SSL interception to actually understand WHAT is doing stuff / where network traffic comes from. Honestly I wouldn’t be sure what stuff would be happening if there were some malicious thing running on the server and I really don’t like that. I want to see all traffic and be able to assign it to “known traffic” or in other words - “this traffic belongs to Jellyfin”, “That traffic is my gitea instance”, “the other traffic is syncthing” or something along those lines.

Is there a solution you beautiful people in this subreddit recommend or use? Don’t you care?

  • s7orm@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I have my Unifi Switch mirror the trunk port and send that to Splunk Stream, but I haven’t found it that useless to have that level of data.

  • Simon-RedditAccount@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Do you monitor network traffic?

    Generally, no. But I seriously restrict container networking, most of my containers are unable to reach internet, unless absolutely necessary. Also, my firewall is not super-restrictive, but it is different from defaults :)

    Sometimes I do some monitoring though.

  • zwamkat@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    It seems as if you would like to see all traffic identified up to layer 7. That is pretty much enterprise level traffic inspection. I’ve done a lot of it on the edge of our network using a Palo Alto firewall with pretty much all software licenses enabled. I could create full blown reports of single users and/or applications. I sure did point out some co-workers ánd applications who where misbehaving on our network.

  • Normanras@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I’ve gone down this rabbit hole and have yet to find a solution I like. The only routes I haven’t gone down yet are the grey log or sec onion, as the learning curve is steep.

    I do use crowdsec and that has been semi-helpful at showing me where a scanner is trying to poke around and on what service.

    I currently use ntopng’s community version and that’s been acceptable for now. Some parts are a bit confusing and the documentation didn’t help me understand, but the tables are really well laid out and I can easily see the server/cliebt relationship with in and outbound traffic. I’ll try and share screenshots of how it looks for me to see if that helps you.

  • AnApexBread@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I do. I monitor it in a lot of ways.

    1. IDS at the router
    2. Anomoli Detection at the router
    3. Host based agents on everything I can
    4. L7 Firewalls on everything I can
    5. DNS based monitoring for everything

    Wireguard and Cloudflare Tunnels make network traffic monitoring difficult because it’s all encrypted traffic.

  • sirrush7@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Depending on what you run for a perimeter device, but elasticsearch is free and can give you incredible visibility into your network.

    That said, it can be a bit of a beast to learn.

    Simpler deployment is how I have it, running as Zenarmor Sensei inside my opnsense router/firewall which IS my edge.

    There’s also Prometheus and grafana. Grey log.

    Lots and lots of options however, just need to feed these log engines your syslogs.

    That’s the magic ticket!

  • InvaderOfTech@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I have been using libreNMS for over four years and love it. I started to play with checkmk for its agent but found the network side of checkmk is also lovely/easy to work with. I recommend looking at either of these. Both can run in docker or docker-compose.

  • Storage-Solid@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I would suggest looking at Wazuh and setting up a SIEM stack based on it. It would provide what you need and is highly customisable to needs.

  • Spaceman_Splff@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Securityonion is a great ids system. I used their distributed system, so I have 1 mini pc as a sensor and another as a manager/search. Works wonderful.