Just some data points: in the last 16 hours, the firewall on amprgw has dropped over 43 million attempts to connect to the implicated ports: 623, 664, 16992, 16993, 16994, 16995. We've also dropped about 2 billion attempts to connect to the other SMB ports: 111, 135-139, 445, etc.
This is AFTER having already dropped all packets from known 'security' scanners like shodan, which therefore aren't counted in those totals. We've dropped 63 million of those.
But by far, the most popular inbound is attempts to connect to the telnet port (23) on amprnet hosts; we've dropped 6 billion of those.
And we've dropped another 7 billion other packets that were destined for other ports on non-registered amprnet addresses. I don't have details of which ports these are, but I know that port 80 (http) is one of them.
At 25 MB/s inbound traffic, receiving packets and filtering them is taking about 10-12% of the machine, leaving it around 85% idle. The DNS nameserver accounts for about 2% of the load. The encap/decap process resource consumption is negligible. It spends about 95% of its time waiting for packets. - Brian
It would be interesting to see this data graphed over time (in something like MRTG, Cacti, Prometheus, Grafana, etc.). It's hard to get a good impression of what is normal vs exceptional without time series comparison.
Tom KD7LXL
Good point. I'll look into it. - Brian
Cacti and the other usual tools work well, but you might also look into http://www.librenms.org/ . I just found out about it and it looks useful.
Also, for real-time monitoring and alerts, check out https://github.com/firehol/netdata/wiki
It's extremely simple to deploy and automatically gives all kinds of information about the host it's on.
Ken N7IPB
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
Thanks Ken, librenms looks interesting. Unfortunately, netdata says it's for Linux and amprgw is FreeBSD, so I don't think we can use it.
A problem with most of these tools is that they use SNMP to obtain their data, and the router part of amprgw is not instrumented with SNMP so they'd have no data to work with.
So far, RRDTOOL, which seems to underlay Cacti, looks promising, but I still have more evaluation of the other packages to do. - Brian
Because FreeBSD does not have an SNMP interface to the firewall statistics (which is what I was quoting), I have written a very simple interface to them which samples them at 15 minute intervals and stores them, along with the time of day, into an accumulating file.
This isn't directly suitable for input to MRTG nor to Prometheus etc, but possibly could be adapted to feed Cacti, as that package apparently uses rrdtool as its basis. It would also be possible to feed these directly to Gnuplot to generate simple time series graphs.
I can make the raw file available on the web server, or I can generate some graphs (.png format) and make them available instead. Gnuplot also says it can create a "mouseable" web format graph, whatever that is.
Which do people think they might find more interesting? - Brian
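The sampler Brian describes above, and the hourly SVG plots he announces later in the thread, as an added example that is not the amprgw code and is not from the list: a cron-driven POSIX shell script for FreeBSD that reads the per-rule packet and byte counters, appends one timestamped line per sample to an accumulating file, converts the cumulative counters into per-interval rates (skipping an interval where a counter went backwards after an "ipfw zero", reload or reboot, so a reset does not plot as a negative spike), and emits a gnuplot script that renders the accumulated data as SVG. Everything not stated on the page is an assumption: that the firewall is ipfw (the thread never names it), that "deny" rules are the inbound rejects and "allow" rules the accepted traffic, the file paths, the rule numbers, and the sample "ipfw -a list" output used in the comments, which is constructed.

```shell
#!/bin/sh
# Added example, not the amprgw code from the thread. Assumes ipfw; the
# paths and rule numbers are hypothetical.
#
# "ipfw -a list" prints one rule per line as
#   <rule> <packets> <bytes> <action> <rest of rule...>
# e.g. (constructed sample):
#   00200   500  50000 deny tcp from any to any 23 in

STATS_FILE="${STATS_FILE:-/var/db/fwstats.dat}"   # hypothetical path

# summarize_counters EPOCH  < output of "ipfw -a list"
# Prints one line: "EPOCH rejected_pkts rejected_bytes accepted_pkts accepted_bytes"
# %.0f instead of %d so that multi-billion counters do not overflow in awk.
summarize_counters() {
    awk -v now="$1" '
        NF < 4 { next }                              # skip blank/short lines
        $4 == "deny" || $4 == "reject" || $4 == "unreach" {
            rp += $2; rb += $3; next
        }
        $4 == "allow" { ap += $2; ab += $3 }
        END { printf "%s %.0f %.0f %.0f %.0f\n", now, rp, rb, ap, ab }
    '
}

# One sample; run from cron, e.g. "*/15 * * * * /usr/local/sbin/fwsample sample"
take_sample() {
    ipfw -a list | summarize_counters "$(date +%s)" >> "$STATS_FILE"
}

# to_rates < STATS_FILE
# ipfw counters are cumulative since the rule was loaded or last zeroed, so
# plotting them directly only shows a ramp. Emit per-second rates between
# consecutive samples; if any counter decreased (ipfw zero, reboot, rule
# reload) the interval is dropped rather than plotted as a negative spike.
to_rates() {
    awk '
        NR > 1 {
            dt = $1 - pt
            if (dt > 0 && $2 >= p2 && $3 >= p3 && $4 >= p4 && $5 >= p5)
                printf "%s %.2f %.2f %.2f %.2f\n", $1,
                    ($2 - p2) / dt, ($3 - p3) / dt, ($4 - p4) / dt, ($5 - p5) / dt
        }
        { pt = $1; p2 = $2; p3 = $3; p4 = $4; p5 = $5 }
    '
}

# gnuplot_script RATEFILE OUTDIR: print a gnuplot script drawing one SVG per
# series, with the epoch column shown as wall-clock time on the x axis.
gnuplot_script() {
    cat <<EOF
set terminal svg size 900,300
set xdata time
set timefmt "%s"
set format x "%H:%M"
set grid
set output "$2/rejected_pkts.svg"
set title "Inbound packets rejected (pkt/s)"
plot "$1" using 1:2 with lines title ""
set output "$2/rejected_bytes.svg"
set title "Inbound bytes rejected (B/s)"
plot "$1" using 1:3 with lines title ""
set output "$2/accepted_pkts.svg"
set title "Inbound packets accepted (pkt/s)"
plot "$1" using 1:4 with lines title ""
set output "$2/accepted_bytes.svg"
set title "Inbound bytes accepted (B/s)"
plot "$1" using 1:5 with lines title ""
EOF
}

# Hourly plot job, e.g. "0 * * * * /usr/local/sbin/fwsample plot"
case "${1:-}" in
    sample) take_sample ;;
    plot)   to_rates < "$STATS_FILE" > /tmp/fwrates.dat
            gnuplot_script /tmp/fwrates.dat /var/www/plots | gnuplot ;;
esac
```

Two cron entries, one every 15 minutes with "sample" and one on the hour with "plot", reproduce the cadence described in the thread. Because the raw file keeps cumulative counters, it can also be fed to rrdtool as COUNTER data sources without further conversion; the rate conversion here is only needed for gnuplot.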
For me, any graphic that the web can show is OK; better than text.
Ronen - 4Z4ZQ
I see from the web server logs that some people are attempting to retrieve the graphs but don't have login credentials.
My apologies for the hassle; email to me and I'll send some to you. - Brian
Brian,
I just didn't know if I was supposed to be using my Portal account or something else....
Neill
From: 44Net 44net-bounces+neillt=neillt.com@hamradio.ucsd.edu on behalf of Brian Kantor Brian@UCSD.Edu
Sent: Monday, May 15, 2017 4:26:53 PM
To: AMPRNet working group
Subject: Re: [44net] some amprgw filtering statistics
Hi,
Given that you seem to be putting some useful stats together on the server, and that password is no longer just for fetching the encap file via FTP... would it make sense to either export the portal user database to that server, or push the stats to the portal web server and put them behind the normal logins?
Thanks, Mike, M6XCV
The reason there's restricted access to the encap file is that it contains a list of gateways and subnets, which could aid possible miscreants. The stats and errors files on the router reveal the same information, so it seemed logical (and easy) to protect them the same way.
I don't know that the graphs reveal any such information, so maybe I should move them out from behind the privacy shield. What do people think? - Brian
There are now some elementary graphs of the router data available at https://gw.ampr.org/private/plots/
They are sampled every 15 minutes and the graphs plotted on the hour from the accumulated data. Currently they span less than a day but will probably accumulate from now on.
Graph: Inbound bytes rejected
Graph: Inbound packets rejected
Graph: Inbound bytes accepted
Graph: Inbound packets accepted
Graph: Outbound bytes sent
Graph: Outbound packets sent
The various reasons for inbound packet drops are not yet available in graphic form.
(NB: These are .svg files; very old browsers won't be able to display them properly.) - Brian
Looks good, indeed!
Best regards. --- Tom - SP2L
On my MikroTik router the most popular ports being probed are 23, 80 and the SIP ones.