Network Traffic Monitoring Tool

mwabini (Member, Kenya; cPanel Access Level: Root Administrator), Apr 27, 2019
Hello,

I am looking for a network traffic monitoring tool that I can use to capture the following data from my cPanel server:
- capture outgoing traffic (traffic from my server to others)
- capture source IP (I have more than 1 IP on my server)
- capture source port
- capture destination IP
- destination port can be 80, 443, 25
- capture the user on the cPanel server from whom the packet originated

To share some context, I sometimes receive abuse messages indicating my server was used to attack a different server, e.g. trying to log in to a wp-admin page. The characteristics of the attack are that it's a TCP packet to port 80 or 443 from my server to another server. The challenge is the packet could be from an infected website on the server or from an infected workstation connecting to my server for mail. It's not easy to know what the cause is sometimes.

To better handle these cases, I need to have the data ready somewhere and when reported, it will just be a matter of checking.

I have tried checking tcpdump for this purpose but it's not sufficient since I have not been able to log the user from whom the packet originated. I intended to capture traffic data using the tcpdump command, dump it to a file daily and, when reported, use Wireshark (installed on a separate computer due to the GUI) to analyze the data and get the infringing account. But this is not helpful if I can't get the user that originates the packets.

I am looking for a solution that can help me log the above data so that if I receive such an abuse claim, I can quickly refer to it using the stated time frames or destination IP and get the cPanel user who sent the packet. At that point, I can either fix the issue or suspend the account to prevent recurrence.

Currently, I can only try to check compromised sites and email accounts by analyzing mail queues and Imunify360 or cpMalscan logs, or by checking long-running processes. This is not an efficient method to trace the user.
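The missing piece in the post is the socket owner: the kernel already records the UID that owns every TCP socket in /proc/net/tcp and /proc/net/tcp6, so an outbound connection can be attributed to a cPanel account without packet capture. The script below is an added example written for this thread; it is not a tool posted in the thread or shipped by cPanel. It assumes a Linux host on a little-endian CPU (x86), that each cPanel account's processes run under the account's own UID, and it uses constructed sample lines (documentation IP ranges, made-up UIDs and usernames) so it runs offline; on a real server, `snapshot()` reads the live files.

```python
"""Attribute established outbound TCP connections to the local user that owns
the socket, by parsing /proc/net/tcp and /proc/net/tcp6.

Added example for the question above (not from the thread or from cPanel).
Assumptions: Linux on a little-endian CPU (x86), and that each cPanel
account's processes run under that account's own UID, so the socket UID maps
to the cPanel username."""
import pwd
import socket
import struct
import time
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

WATCHED_DPORTS = {25, 80, 443}   # destination ports named in the post
ESTABLISHED = "01"               # connection state code as printed by the kernel

# Constructed sample of /proc/net/tcp (IPv4): a LISTEN socket on :80, three
# outbound connections (uids 1001, 1002, 47), and one inbound client on :443.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0A7100CB:B09A 196433C6:01BB 01 00000000:00000000 00:00000000 00000000  1001        0 22222 1 0000000000000000 20 4 30 10 -1
   2: 0B7100CB:CB21 286433C6:0050 01 00000000:00000000 00:00000000 00000000  1002        0 33333 1 0000000000000000 20 4 30 10 -1
   3: 0A7100CB:01BB 636433C6:C822 01 00000000:00000000 00:00000000 00000000     0        0 44444 1 0000000000000000 20 4 30 10 -1
   4: 0A7100CB:947C 076433C6:0019 01 00000000:00000000 00:00000000 00000000    47        0 55555 1 0000000000000000 20 4 30 10 -1
"""
# Constructed sample of /proc/net/tcp6: one outbound HTTPS connection from uid 1001.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: B80D0120000000000000000010000000:9C40 B80D01200000FFFF0000000025000000:01BB 01 00000000:00000000 00:00000000 00000000  1001        0 66666 1 0000000000000000 20 4 30 10 -1
"""
# Constructed UID -> account map standing in for /etc/passwd in the demo.
SAMPLE_NAMES = {0: "root", 47: "mailnull", 1001: "siteowner", 1002: "shopacct"}


@dataclass
class Conn:
    user: str
    uid: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _hex_addr(field: str):
    """Decode 'HEXIP:HEXPORT' as the kernel prints it: each 32-bit word of the
    address is in host (little-endian) byte order, the port is big-endian hex."""
    ip_hex, port_hex = field.split(":")
    port = int(port_hex, 16)
    if len(ip_hex) == 8:                     # IPv4: a single 32-bit word
        raw = struct.pack("<I", int(ip_hex, 16))
        ip = socket.inet_ntop(socket.AF_INET, raw)
    else:                                    # IPv6: four 32-bit words
        raw = b"".join(struct.pack("<I", int(ip_hex[i:i + 8], 16)) for i in range(0, 32, 8))
        ip = socket.inet_ntop(socket.AF_INET6, raw)
    return ip, port


def uid_to_name(uid: int, names: Optional[Dict[int, str]] = None) -> str:
    """Map a UID to a username via the supplied table, else the system passwd db."""
    if names is not None and uid in names:
        return names[uid]
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return f"uid:{uid}"


def parse_proc_net_tcp(lines: Iterable[str], names: Optional[Dict[int, str]] = None) -> List[Conn]:
    """Return ESTABLISHED connections whose *remote* port is one we watch.
    Inbound clients of our own web/mail ports have a high remote port and so
    are excluded; that is what makes this 'outgoing traffic' only."""
    found: List[Conn] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 8 or not parts[0].endswith(":"):
            continue                          # header line
        local, remote, state, uid = parts[1], parts[2], parts[3], int(parts[7])
        if state != ESTABLISHED:
            continue
        src_ip, src_port = _hex_addr(local)
        dst_ip, dst_port = _hex_addr(remote)
        if dst_port not in WATCHED_DPORTS:
            continue
        found.append(Conn(uid_to_name(uid, names), uid, src_ip, src_port, dst_ip, dst_port))
    return found


def snapshot(paths=("/proc/net/tcp", "/proc/net/tcp6")) -> List[Conn]:
    """Read the live kernel tables (Linux only)."""
    conns: List[Conn] = []
    for path in paths:
        try:
            with open(path) as fh:
                conns.extend(parse_proc_net_tcp(fh))
        except FileNotFoundError:
            pass
    return conns


def log_lines(conns: List[Conn], ts: Optional[float] = None) -> List[str]:
    """One timestamped line per connection, ready to append to a daily log file."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S%z", time.localtime(ts))
    return [f"{stamp} user={c.user} uid={c.uid} src={c.src_ip}:{c.src_port} "
            f"dst={c.dst_ip}:{c.dst_port}" for c in conns]


def demo() -> List[Conn]:
    """Parse the constructed samples instead of the live tables."""
    return (parse_proc_net_tcp(SAMPLE_TCP.splitlines(), SAMPLE_NAMES)
            + parse_proc_net_tcp(SAMPLE_TCP6.splitlines(), SAMPLE_NAMES))


if __name__ == "__main__":
    for entry in log_lines(demo()):          # use snapshot() on a real host
        print(entry)
```

Run it from cron every minute or so and append the output to a dated file; an abuse report with a time window and destination IP then becomes a grep. Two caveats matter for this use case. Polling misses connections shorter than the interval, so for complete coverage the same attribution is better done in the kernel: an iptables rule in the OUTPUT chain for TCP destination ports 25, 80 and 443 with the LOG target's `--log-uid` option records the owning UID for every locally generated packet, and `-m owner --uid-owner` can single out one account. And mail relayed by an infected workstation through the server's SMTP service will show up owned by the mail daemon's user, not the customer, so for port 25 the log still has to be correlated with Exim's authenticated-sender entries to find the mailbox involved.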