With my zoo of Docker containers and multiple servers hosted locally or on some cloud providers, I feel more and more the need to understand what kind of network traffic is happening. Seeing my outbound traffic on some cloud providers, I’m sometimes wondering, “Huh, where did that traffic come from?”

And honestly I have to say: I don’t know. Monitoring traffic is a real hurdle, since I’m doing a lot via tunnels / WireGuard between servers or to my clients. When I spin up a network analysis tool such as ntopng, I do see a lot of traffic happening that is “WireGuard”. Cool. That doesn’t help me one bit.

I would have to do some deep packet inspection, I suppose, and SSL interception to actually understand WHAT is doing stuff / where network traffic comes from. Honestly, I wouldn’t be sure what would be happening if there were some malicious thing running on the server, and I really don’t like that. I want to see all traffic and be able to assign it to “known traffic”, or in other words: “this traffic belongs to Jellyfin”, “that traffic is my Gitea instance”, “the other traffic is Syncthing”, or something along those lines.

Is there a solution you beautiful people in this subreddit recommend or use? Don’t you care?
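One way to get the “this flow belongs to Jellyfin” assignment the post asks for, done on the endpoint itself rather than in the middle of a tunnel: the host’s conntrack table (`conntrack -L`, from conntrack-tools, needs root) lists every tracked flow with its original and reply tuples, and the Docker bridge NAT leaves the container’s address in one of them (the original source for outbound flows, the reply source for inbound flows to a published port). The script below is an added example, not code from the original thread or from any project named in it. The conntrack lines, the container IP inventory (what `docker inspect` would report) and the host address are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of `conntrack -L` output. Each line carries the original
# tuple (as the first packet was seen) and the reply tuple (after docker's NAT).
# Addresses, ports and timers are made up for this example.
CONNTRACK_SAMPLE = """\
tcp      6 431999 ESTABLISHED src=172.18.0.3 dst=203.0.113.9 sport=51234 dport=443 src=203.0.113.9 dst=192.0.2.10 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431988 ESTABLISHED src=198.51.100.77 dst=192.0.2.10 sport=40022 dport=8096 src=172.18.0.2 dst=198.51.100.77 sport=8096 dport=40022 [ASSURED] mark=0 use=1
udp      17 29 src=172.18.0.4 dst=1.1.1.1 sport=42311 dport=53 src=1.1.1.1 dst=192.0.2.10 sport=53 dport=42311 mark=0 use=1
udp      17 179 src=192.0.2.10 dst=203.0.113.50 sport=51820 dport=51820 src=203.0.113.50 dst=192.0.2.10 sport=51820 dport=51820 [ASSURED] mark=0 use=1
tcp      6 299 ESTABLISHED src=172.18.0.9 dst=198.51.100.200 sport=38811 dport=6667 src=198.51.100.200 dst=192.0.2.10 sport=6667 dport=38811 [ASSURED] mark=0 use=1
"""

# Constructed inventory: container IP -> container name, as `docker inspect`
# reports it for each running container on a bridge/compose network.
CONTAINER_BY_IP = {
    "172.18.0.2": "jellyfin",
    "172.18.0.3": "gitea",
    "172.18.0.4": "syncthing",
}
HOST_IP = "192.0.2.10"                      # the host's own address (constructed)
KNOWN_SERVICES = {"jellyfin", "gitea", "syncthing"}

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass(frozen=True)
class Flow:
    proto: str
    state: str
    orig_src: str
    orig_dst: str
    orig_sport: int
    orig_dport: int
    reply_src: str      # for a DNATed inbound flow this is the container IP


def parse_conntrack(text):
    """Parse `conntrack -L` lines into Flow records; lines without both tuples are skipped."""
    flows = []
    for line in text.splitlines():
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:
            continue
        tokens = line.split()
        proto = tokens[0]
        state = tokens[3] if proto == "tcp" else ""     # udp lines carry no state column
        (osrc, odst, osport, odport), (rsrc, _rdst, _rsport, _rdport) = tuples
        flows.append(Flow(proto, state, osrc, odst, int(osport), int(odport), rsrc))
    return flows


def owner_of(flow, container_by_ip=CONTAINER_BY_IP, host_ip=HOST_IP):
    """Name the local party of a flow: a container (by either tuple), the host,
    or an address we have no inventory entry for."""
    for ip in (flow.orig_src, flow.reply_src):
        if ip in container_by_ip:
            return container_by_ip[ip]
    if host_ip in (flow.orig_src, flow.reply_src):
        return "host"
    return "unattributed:" + flow.orig_src


def summarize(text, container_by_ip=CONTAINER_BY_IP, host_ip=HOST_IP):
    """Group flows as {owner: ["out tcp 203.0.113.9:443", ...]}.
    A flow whose original destination is the host itself arrived from outside."""
    by_owner = defaultdict(list)
    for f in parse_conntrack(text):
        owner = owner_of(f, container_by_ip, host_ip)
        if f.orig_dst == host_ip:
            by_owner[owner].append(f"in {f.proto} {f.orig_src}:{f.orig_sport}")
        else:
            by_owner[owner].append(f"out {f.proto} {f.orig_dst}:{f.orig_dport}")
    return dict(by_owner)


def unknown_owners(summary, known=KNOWN_SERVICES):
    """Owners that are not on the list of services we expect to talk to the network."""
    return sorted(o for o in summary if o not in known)


if __name__ == "__main__":
    report = summarize(CONNTRACK_SAMPLE)
    for owner, flows in sorted(report.items()):
        print(owner, flows)
    print("needs a look:", unknown_owners(report))
```

In the constructed sample the `host` bucket is the WireGuard UDP/51820 flow, which is exactly the blob ntopng shows as “WireGuard”; the flows carried inside that tunnel are tracked by conntrack on the endpoints as separate entries (with the inner addresses), so running this on each server rather than on a box in the middle is what makes the attribution possible. The `unattributed:172.18.0.9` bucket is the interesting one: a bridge address with no matching container in the inventory talking to port 6667 outbound. Byte counters only appear in `conntrack -L` output when `net.netfilter.nf_conntrack_acct=1` is set.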

  • NeverNudeNo13@lemmings.world · 1 point · 1 year ago

    You probably want something like netgenius one. That’s enterprise grade but might be a good starting point to research. Alternatively you could look at IPS/IDS systems that can apply a set of definitions or rules to the analysis; Ubiquiti or Fortinet have some solutions for this sort of thing, but I’m sure there are alternatives out there which would be better depending on your needs.

    You are kind of asking several questions here, though, and may need to clarify a bit what goal you have in mind for the solution you are looking for.

  • tpwn3r@alien.top · 1 point · 1 year ago

    I own a WISP with about 100 clients and admin another WISP/FISP with around 500 clients.

    I love “The Dude” by MikroTik. It pulls data via SNMP and gives me a great heads-up overview of everything. It also graphs the data over time.

    I use LibreNMS also to pull network data via SNMP, and it graphs historical data.

  • AnApexBread@alien.top · 1 point · 1 year ago

    I do. I monitor it in a lot of ways.

    1. IDS at the router
    2. Anomaly detection at the router
    3. Host-based agents on everything I can
    4. L7 firewalls on everything I can
    5. DNS-based monitoring for everything

    WireGuard and Cloudflare Tunnels make network traffic monitoring difficult because it’s all encrypted traffic.
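Of the five layers in the list above, DNS-based monitoring is the cheapest to get going and it survives the encryption problem, because the name lookup happens before the TLS or tunnel session is built. An added example, not from the comment author or from any of the tools discussed: a per-service baseline over dnsmasq `log-queries` output. The log lines, the client-to-service mapping and the baseline domains are constructed; the example assumes the containers resolve through the host’s dnsmasq so that queries arrive from their bridge addresses.

```python
import re
from collections import defaultdict

# Constructed dnsmasq `log-queries` lines (not captured from a real resolver).
# Clients are docker bridge addresses resolving through the host's dnsmasq.
DNS_LOG = """\
Oct 10 13:55:36 dnsmasq[712]: query[A] repo.jellyfin.org from 172.18.0.2
Oct 10 13:55:36 dnsmasq[712]: forwarded repo.jellyfin.org to 1.1.1.1
Oct 10 13:55:37 dnsmasq[712]: query[AAAA] repo.jellyfin.org from 172.18.0.2
Oct 10 13:56:01 dnsmasq[712]: query[A] github.com from 172.18.0.3
Oct 10 13:56:02 dnsmasq[712]: query[A] discovery.syncthing.net from 172.18.0.4
Oct 10 13:56:05 dnsmasq[712]: query[A] relays.syncthing.net from 172.18.0.4
Oct 10 13:57:10 dnsmasq[712]: query[A] a3f9c1d2e7.pastebin-mirror.example from 172.18.0.3
Oct 10 13:57:11 dnsmasq[712]: query[TXT] a3f9c1d2e7.pastebin-mirror.example from 172.18.0.3
Oct 10 13:58:00 dnsmasq[712]: query[A] irc.example.net from 172.18.0.9
"""

# Constructed: which container sits behind each client address.
CLIENT_NAMES = {"172.18.0.2": "jellyfin", "172.18.0.3": "gitea", "172.18.0.4": "syncthing"}

# Constructed per-service baseline of registrable domains seen during normal
# operation (in practice: collect for a week, review, then freeze).
BASELINE = {
    "jellyfin": {"jellyfin.org"},
    "gitea": {"github.com"},
    "syncthing": {"syncthing.net"},
}

QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)$")


def registrable(name):
    """Collapse a name to its last two labels. Simplification: a real deployment
    would use the Public Suffix List (co.uk and friends have three labels)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_queries(text):
    """Return (client, qtype, name) for each query line; other dnsmasq lines are ignored."""
    out = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            qtype, name, client = m.groups()
            out.append((client, qtype, name))
    return out


def queries_by_service(text, client_names=CLIENT_NAMES):
    """{service: {registrable_domain: query_count}}; unknown clients keep their IP."""
    per = defaultdict(lambda: defaultdict(int))
    for client, _qtype, name in parse_queries(text):
        svc = client_names.get(client, "unknown:" + client)
        per[svc][registrable(name)] += 1
    return {svc: dict(counts) for svc, counts in per.items()}


def new_domains(text, baseline=BASELINE, client_names=CLIENT_NAMES):
    """Domains each service resolved that are not in its baseline.
    A client with no baseline at all has every domain flagged."""
    flagged = {}
    for svc, counts in queries_by_service(text, client_names).items():
        unexpected = sorted(d for d in counts if d not in baseline.get(svc, set()))
        if unexpected:
            flagged[svc] = unexpected
    return flagged


if __name__ == "__main__":
    for svc, doms in new_domains(DNS_LOG).items():
        print(f"{svc}: outside baseline -> {doms}")
```

The same idea scales to a Pi-hole or Unbound query log with only the regex changed. The limit, which the comment’s last sentence applies here too: a client that does its own DNS over HTTPS or over TLS never shows up in this log, and the only evidence of it is a flow to port 443 or 853 with no preceding lookup.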

  • InvaderOfTech@alien.top · 1 point · 1 year ago

    I have been using LibreNMS for over four years and love it. I started to play with Checkmk for its agent but found the network side of Checkmk is also lovely/easy to work with. I recommend looking at either of these. Both can run in Docker or docker-compose.

  • nik282000@alien.top · 1 point · 1 year ago

    I wrote a couple of scripts that ingest my Apache and SSHD logs to tell me how many hits I had, how many unique hosts they came from, and where they are in the world. It even spits out a nice map at the end of the day: https://imgur.com/aJ6aVZp
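The core of such a script, written here as an added example rather than the commenter’s own code: parse Apache combined-format and sshd log lines, count hits and unique source hosts, and tag each host with a country. The log lines are constructed, and the prefix-to-country table stands in for a real GeoIP database (MaxMind GeoLite2 or similar); the mapping in it is invented. Rendering the map is left out.

```python
import ipaddress
import re
from collections import Counter

# Constructed Apache combined-format access log lines (not real traffic).
APACHE_LOG = """\
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /style.css HTTP/1.1" 200 811 "-" "Mozilla/5.0"
198.51.100.77 - - [10/Oct/2023:13:57:02 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
192.0.2.55 - - [10/Oct/2023:14:01:12 +0000] "POST /api/upload HTTP/1.1" 201 0 "-" "curl/8.4.0"
"""

# Constructed sshd lines in the shape found in auth.log / journalctl -u ssh.
SSHD_LOG = """\
Oct 10 13:58:01 myhost sshd[4312]: Failed password for invalid user admin from 198.51.100.77 port 51234 ssh2
Oct 10 13:58:04 myhost sshd[4312]: Failed password for invalid user admin from 198.51.100.77 port 51240 ssh2
Oct 10 13:59:30 myhost sshd[4330]: Accepted publickey for nik from 192.0.2.55 port 40022 ssh2: ED25519 SHA256:abc
Oct 10 13:59:31 myhost sshd[4330]: pam_unix(sshd:session): session opened for user nik
"""

# Constructed stand-in for a GeoIP database: prefix -> country code. The
# assignments are invented for the example (these are documentation ranges).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "DE",
    ipaddress.ip_network("198.51.100.0/24"): "CN",
    ipaddress.ip_network("192.0.2.0/24"): "CA",
}

APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def country_of(ip, table=GEO_TABLE):
    """Longest-match is not needed here because the table has no overlapping prefixes."""
    addr = ipaddress.ip_address(ip)
    for net, cc in table.items():
        if addr in net:
            return cc
    return "??"


def parse_apache(text):
    hits = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            ip, _ts, request, status, _size = m.groups()
            hits.append({"ip": ip, "request": request, "status": int(status)})
    return hits


def parse_sshd(text):
    """Only authentication outcome lines are kept; session/pam lines are ignored."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            outcome, method, user, ip = m.groups()
            events.append({"ip": ip, "outcome": outcome, "method": method, "user": user})
    return events


def daily_report(apache_text, sshd_text, table=GEO_TABLE):
    web = parse_apache(apache_text)
    ssh = parse_sshd(sshd_text)
    web_hosts = {h["ip"] for h in web}
    ssh_hosts = {e["ip"] for e in ssh}
    hosts = web_hosts | ssh_hosts
    return {
        "web_hits": len(web),
        "ssh_events": len(ssh),
        "unique_hosts": len(hosts),
        "hosts_by_country": dict(Counter(country_of(ip, table) for ip in hosts)),
        "ssh_failed_by_host": dict(Counter(e["ip"] for e in ssh if e["outcome"] == "Failed")),
        # hosts that both probed the web server and tried ssh are worth a closer look
        "hosts_hitting_both": sorted(web_hosts & ssh_hosts),
    }


if __name__ == "__main__":
    for key, value in daily_report(APACHE_LOG, SSHD_LOG).items():
        print(f"{key}: {value}")
```

Counting unique hosts per country is done on the set of hosts, not on hits, so one noisy scanner does not move a whole country up the chart. The `hosts_hitting_both` join is the part a pure hit counter misses and is cheap once both logs are parsed in one place.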

  • Storage-Solid@alien.top · 1 point · 1 year ago

    I would suggest looking at Wazuh and setting up a SIEM stack based on it. It would provide what you need and is highly customisable to your needs.

  • wallacebrf@alien.top · 1 point · 1 year ago

    I use my FortiGate router, as it logs everything natively. It logs DNS requests, outbound traffic, internal LAN traffic, and so much more.