[ubuntu-users] Security and Intrusions

Mark Haney mhaney at ercbroadband.org
Wed Jan 14 18:53:37 UTC 2009

Ted Hilts - Thunderbird Acct. wrote:
> This email not about Thunderbird but I use Thunderbird as an example.  I 
> noticed that when using Thunderbird mailer some of the "cc" alternatives 
> in the prompt field were not mine nor anyone I contacted.

What?  You need to explain that a little more.  It's possible that
T'bird is adding all emails you've received and their contact info to
the address book.  That would potentially explain that.

> I currently
> operate with no firewall active for the machines in my LAN because I am 
> trying to address some issues that the firewall complicates.  So I am 
> ***not*** asking about how to set up a firewall.  I am asking the 
> following: "How do I establish if I have an intruder using my LAN 
> resources"???.   Recently I have seen the operation of one of my LAN 
> machines get slower and slower while there is little or no change in the 
> performance of other LAN machines.

This gets messy.  However, the best options are to look for processes
that take up a lot of CPU time and determine if they are legitimate
processes (that may be acting up) or processes that are not legitimate.
That might be hard to do, but baselining a system's running processes
should be a pretty standard thing to do.

In this case on linux systems 'top' is your friend.  (Or insert your DE
system monitor here).  That will show you the processes that are taking
up the most CPU time.

> Also, a related issue: How do I establish if a slow down of processing 
> on my LAN computers is due to:
> 1. A problem within the LAN itself.

The best way to test to see if it's the LAN is to shut down the internet
connection and try to copy files between the systems on the LAN.  You
can also look at the network monitor (I use a sysmon on Plasma in KDE4
that will tell you network usage) for high bandwidth usage.

You can also determine, if the LAN is the problem, which system it is by
shutting down systems one at a time and seeing if the problem goes away.
(That's the quick and easy way)

> 2. or a problem on the Internet:
>  due to congestion of the route available

Speed testing is a good thing for your internet connection, but beware
of the ones you normally see. I recommend trying an FTP connection if
you can, or use a tool like iperf or something similar to test the link.

> 3. or the slowness of a certain server passing data to my LAN(down for 
> maintenance or simply overloaded and dropping clients)

You can test that by doing flood pings to the server, but that doesn't
always mean the system is slow, it might also be a slow link between you
and the internet.  This is the hardest to troubleshoot since there are
dozens of possible ways connection speed could be affected between you
and a server on the intarwebs.

> 4. or one of the ISPs throttling (restricting) bandwidth (I know that 
> Bell Canada sells bandwidth to my ISP (I am in Canada) and Bell has been 
> identified in the news as doing this and has been before the CRTC to 
> justify its behavior.  Also, a British ISP has engaged in this behavior 
> according to the news.  My ISP says that Bell's behavior does not affect 
> them and therefore does not affect me.  However, in a recent news 
> article one of Bell's associated ISPs (who buys bandwidth from Bell) was 
> restricted by Bell in the use of that bandwidth during certain times.

What other ISPs do doesn't always mean your ISP is doing it.  You can
look at their fine print on their service contracts to see if they are
doing it.  Or calling and asking, but I rather doubt you'll get a
straight answer on that.

> I ask these above questions because I encounter numerous slowdowns and 
> drop offs affecting my LAN (some requiring reboot) as well as certain 
> LAN machines going almost dead at one time and then booming along at 
> some other time or one machine in particular doing very little while 
> another machine is doing a lot. Based on the list's discussion on SSH I 
> know there are people on the list that can answer these questions. My 
> LAN has both Windows and Linux machines. I really need to get some kind 
> of handle on all of this.  Is there an application somewhere that can 
> track all of this so that it is obvious to ***me*** (retired -- old and 
> getting older -- forgetful and getting more forgetful -- dumb and 
> getting dumber -- with one foot already in the grave).

These are good questions, but not ones easily answered.  What OS are
these systems running?  Personally if you aren't behind a firewall, I'd
be very very worried.  Especially if there are any windows systems on
that LAN.  The things I've offered are only the tip of the iceberg to at
least get you started on troubleshooting the issues.  I suggest starting
with one system and going from there rather than trying to debug
connection issues on the internet.

Internet connection speeds won't typically slow a system down,
processing wise.  I typically transfer 6-7Mbps from my system to the
network without causing KDE or GNOME to be sluggish.  I would look at a
system being unresponsive as a SYSTEM only issue and start from there.

> Thanks -- Ted

Frustra laborant quotquot se calculationibus fatigant pro inventione
quadraturae circuli

Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415

Call (866) ERC-7110 for after hours support
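One way to do the process baselining Mark recommends above, as an added example that is not part of the original thread: snapshot the process table on a day the box behaves, then diff a fresh snapshot against it and flag commands that are new or hogging CPU. It assumes a procps-style `ps` (as shipped with Ubuntu) and uses constructed sample snapshots in place of real ones.

```shell
# Take a snapshot of every process as "pcpu command", one per line,
# sorted by command.  Assumes procps-style `ps -eo` (Ubuntu default).
snapshot() {
    ps -eo pcpu=,comm= | sort -k2
}

# compare_snapshots BASELINE CURRENT [THRESHOLD]
# Prints NEW for commands absent from the baseline and HIGH for commands
# at or above THRESHOLD percent CPU (default 50).  Exit status 1 if
# anything was flagged, 0 if the box looks like its baseline.
compare_snapshots() {
    awk -v thr="${3:-50}" '
        FILENAME == ARGV[1] { known[$2] = 1; next }
        !($2 in known)      { printf "NEW  %-20s %5s%% cpu\n", $2, $1; flagged = 1 }
        $1 + 0 >= thr       { printf "HIGH %-20s %5s%% cpu\n", $2, $1; flagged = 1 }
        END                 { exit flagged ? 1 : 0 }
    ' "$1" "$2"
}

# Constructed sample data standing in for two real snapshots: the second
# one contains a process that was never seen before and is burning CPU.
make_samples() {
    cat > "$1" <<'EOF'
0.0 bash
0.3 kded4
1.2 thunderbird
EOF
    cat > "$2" <<'EOF'
0.0 bash
0.3 kded4
97.5 perl
1.2 thunderbird
EOF
}

# Stand-alone demo.  On a real machine you would run
#   snapshot > ~/procs.baseline     (when the system is healthy)
#   snapshot > /tmp/procs.now && compare_snapshots ~/procs.baseline /tmp/procs.now
main() {
    dir=$(mktemp -d)
    make_samples "$dir/baseline" "$dir/current"
    compare_snapshots "$dir/baseline" "$dir/current" 50 && echo "nothing flagged"
    rm -rf "$dir"
}

main
```

Anything reported as NEW still has to be checked by hand (a freshly installed package shows up the same way as an intruder's process); the script only narrows down where to look.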
