This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Detect which user is making requests

Hello,

I have an Ubuntu virtual machine where my developers are logging in to connect. I am using Wireshark to be able to monitor if they are trying to upload/send the code somewhere else, as it is forbidden.

Having more than one user on the same servers, how could I detect which one is trying to upload the file? I am looking in the traffic log and I cannot see anything about the system user.

Is that possible?

Thanks

asked 02 Sep '16, 03:52

alexsmith

> how could I detect which one is trying to upload the file?

It's not obvious that you can without adding things to the system. If I understand correctly, you want to link a user to some information in some network traffic. If the user just executes a command to move data, not sure that link exists. Maybe you could detect that a specific command was invoked in the Linux system logs by a user, but not sure that would catch everything. If they used a different command that you are not aware of yet, you might miss it.

What I could imagine adding to your network is an authenticated outbound proxy. This way, if that VM wants to access the Internet, the only way to do so is through a proxy which authenticates the user. This would force a link between a user - assuming all your users have unique usernames/passwords and good security practice says they do - and network traffic outbound.

(02 Sep '16, 06:12) Bob Jones

I already have that. All users connect through a VNC and they have a different port.

(02 Sep '16, 06:42) alexsmith

> I already have that. All users connect through a VNC and they have a different port.

But this is inbound. You can identify a user coming in, then, I guess. What if they try to use someone else's port? Do you link entered credentials, per user, to a specific port? Or are you depending on the user obeying your precise instructions to use only a certain port? As you probably know, expecting malicious users to obey your instructions all the time is not a good assumption. Sounds like some companies I know and their approach to Cybersecurity - we told people not to hack us in our user guide, so we must be secure!

Anyway I am not sure that is your issue. You need to track outbound traffic if you are worried about someone pushing data out of the system. How about just blocking all outbound traffic not related to VNC? I don't know what access they need otherwise, so this may not be a valid solution.

Does VNC allow copy/paste from remote to local (I think so, but don't really use it)? If it does, then is there really anything you can do about this? I would just copy the content out of the remote system you want protected and paste locally, then upload wherever I want. No amount of access control at your secure end will prevent that.

(02 Sep '16, 09:17) Bob Jones

Yes, user credentials are linked to a specific port. They cannot use their credentials to connect to a different user's port, only if the other user shares their credentials with them, which is forbidden. Now we are only depending on them to not share their credentials, or they will be fired if they do that.

Yes, exactly, I need to track outbound traffic. It's not a good choice to block all outbound traffic because they are web developers and they need to be able to access a browser on their virtual machine for development purposes. Also they need to be able to commit their code to our Git server.

Yes, some VNC clients allow copy/paste, but only text, not files. Which is fine because we have thousands and thousands of files, so they won't go and copy/paste the contents of each file one by one... They'd have to be insane lol.

(02 Sep '16, 09:23) alexsmith
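
Added example, not part of the original thread: a packet capture carries no system user, but on the Linux host `/proc/net/tcp` lists every TCP socket together with the UID that owns it, so an outbound flow seen in Wireshark can be matched to a user by its address/port 4-tuple. The sample table, addresses, UIDs and function names below are constructed for illustration; the code assumes IPv4 and a little-endian host.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not taken from a real host).
# Columns: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:170D 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 20001 1
   1: 0A00000A:C350 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1002        0 20002 1
   2: 0A00000A:C351 3200000A:0016 01 00000000:00000000 00:00000000 00000000  1001        0 20003 1
"""


def decode_endpoint(field):
    """Turn '0A00000A:C350' into ('10.0.0.10', 50000).

    Assumes a little-endian host (x86, most ARM), where the kernel prints
    the IPv4 address with its bytes reversed. IPv6 lives in /proc/net/tcp6.
    """
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def socket_owners(proc_text):
    """Map (local endpoint, remote endpoint) -> UID that owns the socket."""
    owners = {}
    for line in proc_text.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) < 10:
            continue
        owners[(decode_endpoint(cols[1]), decode_endpoint(cols[2]))] = int(cols[7])
    return owners


def owner_of(owners, src_ip, src_port, dst_ip, dst_port):
    """UID for a flow seen in the capture, or None if the socket is gone.

    Short-lived connections can close between the packet and the snapshot,
    so a None here means "poll more often", not "no user".
    """
    return owners.get(((src_ip, src_port), (dst_ip, dst_port)))


if __name__ == "__main__":
    table = socket_owners(SAMPLE_PROC_NET_TCP)
    for (local, remote), uid in table.items():
        print(f"{local[0]}:{local[1]} -> {remote[0]}:{remote[1]} uid={uid}")
```

On a real host, pass the contents of `/proc/net/tcp` instead of the sample and snapshot it at the same time as the capture, since the table only shows sockets that currently exist.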