
Topic: Port scanning/network traffic software

CCM

Port scanning/network traffic software
« on: December 20, 2007, 12:02:58 pm »
Anyone know of any good network traffic monitoring software?  I work at a small company and by default I became the network guy, which is scary because I'm a programmer and anything I know about the network side is what I've picked up on my own.  I guess working at a small company you gotta wear different hats.

Anyway, we got an email from our ISP saying that there were over 7000 connections coming from our office, all on port 22 (SSH).  Considering there are only 6 people in our office, this seems a little high to say the least.

I have everyone updating virus defs and running scans, but I was wondering if there is any free software out there that I can run that will tell me what is using port 22?

Thanks!


ChadTower

Re: Port scanning/network traffic software
« Reply #2 on: December 20, 2007, 12:28:28 pm »
Quote
Anyone know of any good network traffic monitoring software?  I work at a small company and by default I became the network guy, which is scary because I'm a programmer and anything I know about the network side is what I've picked up on my own.  I guess working at a small company you gotta wear different hats.

Anyway, we got an email from our ISP saying that there were over 7000 connections coming from our office, all on port 22 (SSH).  Considering there are only 6 people in our office, this seems a little high to say the least.

I have everyone updating virus defs and running scans, but I was wondering if there is any free software out there that I can run that will tell me what is using port 22?

Thanks!


Don't be surprised if you discover someone running 95% of them via p2p sharing.

Do you have wireless running?  What is within range of your wireless signal?  A lot of people, when they discover a wireless network they can get into, will use it to snake bandwidth.

CCM

Re: Port scanning/network traffic software
« Reply #3 on: December 20, 2007, 12:31:17 pm »
We're not running wireless.  We do have one employee that uses a VPN tunnel to connect to an office out of state, other than that, nothing too fancy going on.


ChadTower

Re: Port scanning/network traffic software
« Reply #4 on: December 20, 2007, 12:49:12 pm »

I'd say first thing to do is focus on that VPN tunnel and the client using it, given that the ISP says it's all coming through port 22.  Standard deep adware/spyware/virus sweeps and do a registry check to see if any of the usual p2p software has been installed.  Many employees will deny stuff like that when the traffic reports hit the fan and think they can just uninstall an app and not get caught.

Another approach, since you only have 6 people and presumably that means less than 20 machines, would be to stay in real time contact with someone at your ISP that can see your stats.  Disconnect each client from the network one at a time.  Eventually you'll hit the one that is making all of that chatter.  Admittedly that is assuming it's all coming from one or two specific clients and it's not a distributed problem.

knave

Re: Port scanning/network traffic software
« Reply #5 on: December 20, 2007, 12:55:39 pm »
Off the top of my head port 22 is an FTP port or secure FTP. 

Are you using enterprise network equipment (routers and switches) or consumer grade (Linksys, D-Link etc.)? Either way your router should show some info on what is going down... check the logs.

You could block traffic on that port and see what stops working...LOL (maybe nothing.)

My gut says it's one of only a few things.  P2P like mentioned above, the VPN, or some malware.

Depending on who your ISP is you could try calling their support.  This is hit-or-miss as the tech might know less than you.  Some ISPs in my area are good like that with the support and have good techs; others are well... not so good.


ahofle

Re: Port scanning/network traffic software
« Reply #6 on: December 20, 2007, 12:59:03 pm »
Quote
You could block traffic on that port and see what stops working...LOL (maybe nothing.)

LOL that sounds like the approach our telecom group would take.    :hissy:

ChadTower

Re: Port scanning/network traffic software
« Reply #7 on: December 20, 2007, 01:03:01 pm »
Port 22, if not redefined, is SSH - secure logins like SFTP, SCP, VPN, etc.

I've seen people tunnel through 22 to circumvent a web proxy or encrypt their traffic so their employer can't tell what they are browsing.  That's a possibility if you have a monitor proxy or are using something like Websense to filter content.

knave

Re: Port scanning/network traffic software
« Reply #8 on: December 20, 2007, 01:10:46 pm »
Quote
I've seen people tunnel through 22 to circumvent a web proxy or encrypt their traffic so their employer can't tell what they are browsing.  That's a possibility if you have a monitor proxy or are using something like Websense to filter content.

What a great Idea...

ChadTower

Re: Port scanning/network traffic software
« Reply #9 on: December 20, 2007, 01:18:29 pm »
Quote
I've seen people tunnel through 22 to circumvent a web proxy or encrypt their traffic so their employer can't tell what they are browsing.  That's a possibility if you have a monitor proxy or are using something like Websense to filter content.

What a great Idea...


Get a router with a firmware that supports SSH tunneling... tunnel out through 22 to your own router... forward that on your router to something like RDC on your XP box at home... boom, browsing on your home PC and sitting in your office.

NinjaEpisode

Re: Port scanning/network traffic software
« Reply #10 on: December 20, 2007, 01:27:05 pm »
The fastest and cheapest way to fix this is just to block port 22 on the router and see who complains.  If no one complains, you know somebody was able to get past your router and set something up, or somebody was doing something they now realize they shouldn't be.

As far as bypassing the firewall, be careful.  If your company is sizeable enough to have something like websense or webwasher or netcache, chances are they also have a policy that doesn't tolerate circumventing their security systems.  It's a terminable offense where I work.

ChadTower

Re: Port scanning/network traffic software
« Reply #11 on: December 20, 2007, 01:43:44 pm »
Quote
The fastest and cheapest way to fix this is just to block port 22 on the router and see who complains.

He can't.  He has a VPN connection to a remote office that presumably needs to exist.


Quote
As far as bypassing the firewall, be careful.  If your company is sizeable enough to have something like websense or webwasher or netcache, chances are they also have a policy that doesn't tolerate circumventing their security systems.  It's a terminable offense where I work.

That is true.  Most companies won't bother with it, but among those who will, they can fire you for it.

NinjaEpisode

Re: Port scanning/network traffic software
« Reply #12 on: December 20, 2007, 02:00:03 pm »
Quote
The fastest and cheapest way to fix this is just to block port 22 on the router and see who complains.

He can't.  He has a VPN connection to a remote office that presumably needs to exist.

Yes, he can. 

He can start by asking the guy that uses the VPN to kill it long enough to work with the ISP to determine if the problem subsided.

If it persists after he kills the VPN connection, he knows he has a problem some place else.  If it doesn't, it's possible the VPN itself is the problem.  Depending on what type of VPN etc, it's possible that persistent connections are being left open for no other reason than a bad VPN product, or incompatibility or misconfiguration.

Quote
As far as bypassing the firewall, be careful.  If your company is sizeable enough to have something like websense or webwasher or netcache, chances are they also have a policy that doesn't tolerate circumventing their security systems.  It's a terminable offense where I work.

That is true.  Most companies won't bother with it, but among those who will, they can fire you for it.

Any company with a security guy worth his salt would probably have this policy.

ChadTower

Re: Port scanning/network traffic software
« Reply #13 on: December 20, 2007, 02:04:44 pm »
Quote
Yes, he can.

I'm working under the assumption that the VPN is there to keep a production app open and can't be closed during business hours.  If you can take the VPN down, sure you can do that, but often a VPN is used for small offices to keep things like Access apps open that aren't developed through a web server.


Quote
Any company with a security guy worth his salt would probably have this policy.

I've worked for quite a few companies with fantastic security guys.  Being good or not good doesn't really mean much when you're understaffed enough that there just isn't enough manpower to get on stuff like this.  That is usually a bigger factor than the actual written policy.

NinjaEpisode

Re: Port scanning/network traffic software
« Reply #14 on: December 20, 2007, 02:25:00 pm »
That's right, I forgot, you're the Cliff Clavin of Arcade Controls.  I bow to your superior knowledge of everything.  :notworthy:

ChadTower

Re: Port scanning/network traffic software
« Reply #15 on: December 20, 2007, 02:29:47 pm »
Quote
That's right, I forgot, you're the Cliff Clavin of Arcade Controls.  I bow to your superior knowledge of everything.  :notworthy:

Hey, just trying to help the guy out.  No good deed goes unpunished around here, lemme tell ya.

CCM

Re: Port scanning/network traffic software
« Reply #16 on: December 20, 2007, 03:20:15 pm »

Quote
Another approach, since you only have 6 people and presumably that means less than 20 machines, would be to stay in real time contact with someone at your ISP that can see your stats.  Disconnect each client from the network one at a time.  Eventually you'll hit the one that is making all of that chatter.  Admittedly that is assuming it's all coming from one or two specific clients and it's not a distributed problem.

This is actually what I've been trying to do.  I've been playing phone tag with our ISP all day.   I have a feeling that the issue may be on our mail server, so I'm going to shut that one down first when I get a hold of them.

I had everyone run virus scans and everything is coming back pretty clean.

ahofle

Re: Port scanning/network traffic software
« Reply #17 on: December 20, 2007, 04:00:41 pm »
Quote
Get a router with a firmware that supports SSH tunneling...

Just curious, why do you need a router that 'supports SSH tunneling'?  Can't you just forward incoming port 22 (or some other port so it's not so obvious) to your proxy machine?

CCM

Re: Port scanning/network traffic software
« Reply #18 on: December 20, 2007, 04:16:24 pm »
Well, I just got off the phone with tech support and it turned out to be our DNS server, which I don't even know what it does.  I think it was originally set up for the VPN.  Of course the DNS server was the second to last machine to be shut off!!

The guy in our office who uses VPN is gone for the day and the guy in our remote office that set up the DNS server in the first place is at a Christmas party, sooo the DNS server is off until I can get a hold of one of them.

Thanks everyone for the help and suggestions.  I'll update you when we actually figure out what the problem is.


knave

Re: Port scanning/network traffic software
« Reply #19 on: December 20, 2007, 04:39:17 pm »
Just for the record (and so I don't get fired) I have no intention of circumventing anything.  While I enjoy discussing cool ways to use technology and appreciate others who contribute I don't have any need to do so. 

It still is cool though.


patrickl

Re: Port scanning/network traffic software
« Reply #20 on: December 20, 2007, 05:09:39 pm »
I used tcpdump a lot, but that was on a Linux-based router.
This signature is intentionally left blank
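
The question the thread starts with (which machine is opening the port 22 connections) can be answered from a packet capture taken at the router, such as the tcpdump mentioned in the last reply, instead of unplugging machines one at a time. The following is an added example, not code from any poster: it assumes the text format printed by `tcpdump -nn` for IPv4 TCP, and all addresses and capture lines are constructed.

```python
import re
from collections import defaultdict

# tcpdump -nn text output for IPv4 TCP (assumed format), e.g.
# 12:00:01.000001 IP 192.168.1.10.51000 > 198.51.100.20.22: Flags [S], seq 1, ...
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def ssh_initiators(lines, port=22):
    """Map each source IP to (connection attempts, distinct destinations)
    for new TCP connections to `port`."""
    attempts = defaultdict(int)
    dests = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or int(m["dport"]) != port:
            continue  # not IPv4 TCP text, or not headed to the port of interest
        # "S" marks a connection attempt; "S." (SYN-ACK) and "." are later packets.
        if "S" not in m["flags"] or "." in m["flags"]:
            continue
        attempts[m["src"]] += 1
        dests[m["src"]].add(m["dst"])
    return {ip: (attempts[ip], len(dests[ip])) for ip in attempts}

def rank(stats):
    """Busiest initiators first."""
    return sorted(stats.items(), key=lambda kv: kv[1], reverse=True)

# Constructed capture: one workstation opens a single SSH session, one web
# request is unrelated, and a third host contacts 40 different addresses.
SAMPLE = [
    "12:00:01.000001 IP 192.168.1.10.51000 > 198.51.100.20.22: Flags [S], seq 1, win 5840, length 0",
    "12:00:01.000900 IP 198.51.100.20.22 > 192.168.1.10.51000: Flags [S.], seq 9, ack 2, win 5792, length 0",
    "12:00:01.001000 IP 192.168.1.10.51000 > 198.51.100.20.22: Flags [.], ack 10, win 5840, length 0",
    "12:00:02.000000 IP 192.168.1.12.40000 > 203.0.113.80.80: Flags [S], seq 5, win 5840, length 0",
] + [
    f"12:00:03.{i:06d} IP 192.168.1.53.{40000 + i} > 203.0.113.{i}.22: Flags [S], seq {i}, win 5840, length 0"
    for i in range(1, 41)
]

if __name__ == "__main__":
    for ip, (n, d) in rank(ssh_initiators(SAMPLE)):
        print(f"{ip}: {n} attempts to port 22, {d} distinct destinations")
```

A single long-lived session, like the VPN user's, shows up as one attempt to one destination; a host with a high count spread over many destinations is the one to pull off the network first.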