this post was submitted on 08 Oct 2023
116 points (97.5% liked)

Selfhosted

40198 readers
693 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I'm curious to see what information I'm blasting out to the various services I depend on for internet (ISP, DNS, probably Cloudflare, etc.).

Are there any easy to setup, entirely self-hosted tools I can run on my home network that would allow me to snoop on my own traffic.

I want more than just DNS, so I'm not just looking for pihole and its ilk. I want to see things like SNI and any non-protected traffic that any of the devices on my network might be sending that I just don't know about.

Ideally, it would be something I could leave on without affecting my speed/latency, but something to turn on occasionally and spot check would be better than nothing.

My router runs VyOS, so I should have quite a bit of flexibility in what I do with my traffic, though I never have figured out if/how to deploy custom software to it...

top 21 comments
sorted by: hot top controversial new old
[–] [email protected] 70 points 1 year ago (1 children)

Oh, this the exact use case for a tool that I'm writing right now! It's a daemon that runs on the gateway and acts as a DNS + DHCP + Firewall to monitor the activity of IoT devices.

https://github.com/mafik/gatekeeper

In the 1.6 (expected next weekend) I'm adding traffic graphs for each device and remote domain that it talks to.

[–] [email protected] 1 points 1 year ago (1 children)

I'm using adguard home, but your UI is a different level

[–] [email protected] 2 points 1 year ago (1 children)

It reminds me of the 90s. And that’s a compliment.

[–] [email protected] 1 points 1 year ago

I know, it's pretty hard to create an old school 80s 90s look, even if you try, everything will try to look like 2023 anyway

But my favorite looks are msdos and Macintosh, I'm usually trying to do those for my projects

[–] [email protected] 34 points 1 year ago* (last edited 1 year ago) (2 children)

Since we're talking specifically about network traffic, let's clarify the scope of the problem for reference.

You want to see what is being sent outside, to the wide internet from your network, and how might you be compromised by this traffic.

The logical method would be to snoop on this information. The question is, how would you do that?

  1. There are network analysis tools, including DPI, that might be able to help you in this journey. Suricata/Snort and Splunk are three such applications, although perhaps you'd also like to consider an application suite like Security Onion.
  2. The second problem is, how do you get the outward facing traffic to analyse it? The easier way to do this is to utilise port-mirroring - mirror the traffic through your WAN-facing port into an analyser to check just what is it that you're sending out. Note that this will likely require extensive effort and time since everyone has different traffic they would like to check, and coming up with robust checks is entering the field of security professionals.

Some considerations:

  • As you know, most x86 computers have a backdoor installed in hardware. This is either the Intel ME or AMD PSP (if you know what this is and are worried about your privacy, I suggest looking at AMD's OpenSIL initiative slated to release in 2027).
  • This is a problem since these backdoors utilise the same hardware NIC of your computer but act as a completely different system (different MAC, encrypted traffic using different keys, and a different style of traffic).
  • The problem manifests like so: one would reasonably expect to find the traffic from said processes in the traffic that one analyses, however, how would one find them (perhaps through logging their MAC address)? It is possible that Intel already uses dynamic MAC addresses, which makes it harder to find them - although, in theory, one should be able to script this.
  • Now that you're enraged about such atrocious behaviour on your network, let me point you towards the fact that people who run mini PCs as routers with x86 processors in them (for OPNSense/PFSense) should also be running into this problem, theoretically. It is a bigger issue for them however, since in their case the network edge itself is reasonably compromised. How are you sure that the ME/PSP processor isn't going to mask its traffic from the port-mirroring setup you have got running? How can one be sure of the capabilities of such proprietary systems and how they can mask their traffic?

I know people will come up with "but they don't spy on you! It needs to be explicitly turned on to spy on you!" and "get a thinkpad bro, modify the HAP bit!", however, both arguments don't hold much weight considering the hardware readily available to the common user (bit of a fallacy, but we'll go with it). The point stands; such behaviour shall not be tolerated in a self-aware user's network, and needs to eradicated the second the user gets a whiff of such mischief playing out. I hope my note has ignited a willingness in you to prevent such rabid deanonymisation attempts to one's self in this age, and will spur you to fortify your network to prevent such malice from breaking anonymity and trust on hardware.

[–] [email protected] 6 points 1 year ago

+1 for snort or securityonion.

[–] [email protected] 5 points 1 year ago (1 children)

I appreciate you. 🙏 I have been considering looking into hardening my home network, but I dreaded the idea of figuring out which tools weren't just sponsored SEO-optimising AI-generated time-wasting network-snooping bullshit. This gives me somewhere to start.

[–] [email protected] 4 points 1 year ago

I am happy to know this helped you. Good luck in securing your network!

[–] [email protected] 19 points 1 year ago

I've used Wireshark when I want to inspect the traffic going through my computer. I've found it particularly handy for debugging my own networking code. I've also used netstat to see active connections and programs listening for traffic when I don't care about the packet contents specifically.

[–] [email protected] 15 points 1 year ago

I'm surprised no one has mentioned NtopNG - that is THE tool to spy on youself

[–] [email protected] 7 points 1 year ago (1 children)

AdGuard home is quite a nice thing to have a look at what phones home in the network.

[–] [email protected] 2 points 1 year ago (1 children)

I have a few devices that don't show up in Adguard Home because they ignore the DNS that they're told to use.

They have hard coded DNS that can't be changed, ensuring they can reach the outside world (unless completely blocked).

Some Google devices and some Amcrest cameras I have are guilty of this.

[–] [email protected] 3 points 1 year ago (1 children)

You can redirect all DNS traffic to your own DNS server to get around this.

[–] [email protected] 4 points 1 year ago

Unless it's DNS encrypted over HTTPS in which case it just looks like HTTPS traffic and the most you can do is block known DNS IPs.

[–] [email protected] 6 points 1 year ago

Often you can mirror ports on routers and switches, this lets you send the same packets to a device as gets sent to your router. This will allow you to use something like wireguard to capture the packets and inspect them. Unfortunately for you, the vast majority of traffic is encrypted these days. So most of the time you can see how much data is being transmitted to Google, but not what data. Tools like Fiddler will help you on a specific machine, where it can decrypt it on the fly.

[–] [email protected] 3 points 1 year ago

What OS are you using?

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
HTTPS HTTP over SSL
IP Internet Protocol
IoT Internet of Things for device controllers
SSL Secure Sockets Layer, for transparent encryption

4 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

[Thread #201 for this sub, first seen 8th Oct 2023, 23:35] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

Someone might suggest something more elegant but one solution is a trunk port, maybe on your router, maybe a downstream switch (assuming wireless Ap is downstream of all of those) and connect that to wireguard on your server?

[–] [email protected] 1 points 1 year ago

You could host a wireshark instance, and maybe even host a SIEM like security onion.

[–] [email protected] 1 points 1 year ago

SPAN port on the switch, send it all into a server running Suricata which can analyze, classify, and log all the traffic. Don’t run it in IPS mode online unless you’re willing to suffer a little…

[–] [email protected] -2 points 1 year ago

Look at the mirror. 👨‍🦱