Netdata Community

How to see ip's connected during an attack

Monitoring & Troubleshooting with Netdata
#1

I’m new to this, so I’m not sure how deep NetData can dig… so my questions…

1-If i see high usage on my system at a specific time, is there a way of seeing what ip addresses were connected at that time, and the number of connections from that ip, so that i can firewall it out? (like i would see by being on the console, running netstat, for example).

2-If so, how?

Thanks!

#2

Hello @johnstonf ,

Welcome to our community.

Netdata has access.log that registers all access to its dashboard.

About the Network connections, Netdata is working to improve our eBPF plugin and database to bring a network viewer that will give you all conditions to monitor each IP and traffic on the host it is installed. The current stable version shows only bandwidth traffic.

We also have charts related to network that will show traffic, but not so specific. We expect to bring this kind of granularity ASAP.

Best regards!

1 Like
#3

Thanks for the info Thiago!
That (update) will be VERY VERY helpful!

It’s one thing to ‘see’ a problem, but if one is unable to get enough info to fix it, that still leaves the problem unsolved!

Fred

1 Like
#4

@Manos_Saratsis , I think @johnstonf is happy for the eBPF functionality that we are preparing :v:

#5

Yes, it sounds great. How do I know when this is ready to test or use? Is there a place to register, so I can get notified? What is the ETA?
THANKS

1 Like
#6

Just curiosity, connected to what service? Asking because it is possible to rate limit number of connections (TCP SYN) per IP using iptables.

#7

So, say, going back 4 hours, I see the connections are high, how do i know what ip addresses to limit or block?
(sounds like the same issue to me… i need to know what ip was the offender, no?)

#8

I mean what kind of connections are you referring too? SSH connections? Connections to some web server?

#9

Let me give you an example.

(imagine) I have a DNS server running on my server.
I don’t want to ban/block users after an attack (e.g DoS), i want to minimize the consequences of it - simple rate-limiting will do.

Let’s say i allow 120 DNS queries per minutes for every IP address. If it is above the limit - block the query. To have this kind of rate-limitting all you need is iptables. It works pretty great from my experience.

That is why i was asking about the service you want to protect.

#10

Between Docker containers, Websites, etc, about 30 various on a Digital Ocean VPS.
Some ssh, some non

#11

Yeah, thanks, great advice…
Just won’t work for all instances…

(P.S. can it give a log of what it blocks, when?)

Fred

#12

It can, there is LOG target (-j LOG). iptables is very powerful, but be careful with it, make sure you understand/tested any config before applying it in the production environment :smiley:

#13

Ya, I’m using and happy with ufw, so I don’t really want to mess that up… (Trying to keep it relatively simple and manageable)