network-monitor: a tool to monitor suspicious internet connections on Linux

In today's increasingly complex threat landscape, Linux systems face sophisticated attacks ranging from supply chain compromises to advanced persistent threats. Network monitoring has become a critical component of a comprehensive security strategy, enabling administrators to detect suspicious activities and respond to threats in real-time. This article explores network-monitor, a powerful open-source tool built with Rust and GTK4, and examines best practices for protecting Linux systems through effective network connection monitoring.

The Growing Need for Network Monitoring on Linux

Linux has evolved from a niche operating system to a mainstream platform powering everything from development workstations to enterprise servers. This popularity has made it an attractive target for malicious actors. Recent supply chain attacks, such as the devastating Shai-Hulud npm worm that compromised hundreds of packages and exposed thousands of repositories, demonstrate how quickly threats can propagate through modern software ecosystems [1].

The challenge is particularly acute for Linux desktop users and developers who install numerous packages and tools.

network-monitor Overview

network-monitor is a real-time network connection monitoring tool specifically designed for Linux desktop environments. Built with Rust, GTK4, and Libadwaita, it provides an intuitive graphical interface for monitoring active network connections with live I/O statistics.

Key Features

• Real-time Monitoring: Continuously tracks active network connections with automatic updates every second
• Process Identification: Displays the program name and Process ID (PID) associated with each connection
• Live I/O Statistics: Shows real-time upload/download rates for each connection
• Modern GTK4 Interface: Clean, responsive UI with GNOME-style Libadwaita components
• Address Resolution: Simplifies complex addresses into readable formats (localhost, any, mDNS)
• Connection Filtering: Filters out localhost connections for cleaner output

Technical Architecture

network-monitor leverages several key Linux system components:

• System calls: Direct interaction with /proc filesystem for connection data
• /proc/[pid]/io filesystem: Reads real-time I/O statistics for each process
• GTK4 + Libadwaita: Provides a modern, cross-platform graphical interface
• Tokio async runtime: Ensures responsive performance during concurrent operations

The tool's architecture demonstrates excellent security practices by using Rust's memory safety guarantees and implementing efficient async operations to prevent UI blocking.

Using network-monitor for Security Monitoring

When launched, network-monitor displays a comprehensive table with the following columns:

• Protocol: TCP/UDP protocol type
• State: Connection state (ESTABLISHED, LISTEN, TIME_WAIT, etc.)
• Local Address: Local endpoint with address resolution
• Remote Address: Remote endpoint with address resolution
• Program(PID): Process name and Process ID
• RX Rate: Real-time download rate
• TX Rate: Real-time upload rate

Address Resolution Features

The tool simplifies common network addresses for better readability:

• 0.0.0.0:* or *:* → ANY
• 127.0.0.1:* or [::1]:* → LOCALHOST
• 224.0.0.251:* → MDNS

Security Best Practices for Linux Network Monitoring

1. Establish Baseline Network Behavior

Before implementing security monitoring, establish a baseline of normal network activity using network-monitor to observe typical connection patterns in your environment.

2. Implement Continuous Monitoring

network-monitor should run continuously in the background to detect anomalous connections:

# Launch network-monitor for continuous monitoring
network-monitor &

3. Focus on Process Identification

One of network-monitor's strengths is its ability to identify the specific process responsible for each connection. This is crucial for:

• Detecting compromised applications: Unknown processes making network connections
• Identifying malware: Suspicious programs communicating with external servers
• Monitoring legitimate software: Ensuring authorized applications behave as expected

4. Monitor I/O Patterns

Unusual data transfer patterns can indicate security issues:

• High-volume uploads: Potential data exfiltration
• Periodic connections: Command and control communications
• Unexpected protocols: Malware using non-standard ports

5. Integration with Security Workflows

network-monitor should be part of a comprehensive security strategy, working alongside other security tools and monitoring systems.

Mitigating Supply Chain Attacks with Network Monitoring

The recent Shai-Hulud 2.0 attack demonstrated how supply chain compromises can lead to widespread security breaches. network-monitor can help detect and mitigate such attacks through:

Early Detection

• Monitor new package installations: Watch for unexpected network connections from newly installed packages
• Track process behavior: Identify when legitimate applications begin making unusual connections
• Detect data exfiltration: Spot unusual upload patterns that might indicate stolen data being transmitted

Response Procedures

When suspicious activity is detected:

1. Identify the process: Use network-monitor to pinpoint the responsible application
2. Investigate the source: Check if the process is from a recently installed package
3. Isolate the system: Disconnect from the network if malicious activity is confirmed
4. Scan for compromises: Use additional security tools to assess the full scope of the breach

Advanced Network Security Techniques

1. Network Segmentation

Implement network segmentation to limit the impact of compromised systems using firewall rules and network policies.

2. Application Whitelisting

Create whitelists of allowed network connections and monitor for deviations from established patterns.

3. Real-time Alerting

Set up automated alerts for suspicious activities by integrating network-monitor observations with security monitoring systems.

Complementary Security Tools

While network-monitor provides excellent visibility into network connections, it should be used alongside other security tools:

Security Frameworks

• Fail2ban: Automatically block suspicious IP addresses
• UFW/iptables: Network filtering and firewall rules
• SELinux/AppArmor: Mandatory access control for applications

Case Studies: network-monitor in Action

Case 1: Detecting Compromised Development Environment

A developer installed what appeared to be a legitimate npm package, but network-monitor revealed unexpected connections to unknown servers:

• Detection: network-monitor showed a Node.js process making periodic connections to suspicious IP addresses
• Investigation: The process was traced to a recently installed package with hidden telemetry
• Resolution: The package was removed, credentials were rotated, and the system was scanned for additional compromises

Case 2: Identifying Data Exfiltration

An organization detected unusual upload patterns from a workstation:

• Detection: network-monitor showed consistent 1MB/s uploads from an otherwise idle system
• Investigation: The uploads were traced to a compromised application sending sensitive data to external servers
• Resolution: The system was isolated, the breach was contained, and security policies were updated

Conclusion

network-monitor represents a significant advancement in Linux network security monitoring, providing an intuitive yet powerful tool for detecting and mitigating security threats. Its combination of real-time monitoring, process identification, and modern interface design makes it an essential component of any Linux security strategy.

As supply chain attacks and sophisticated malware continue to evolve, tools like network-monitor become increasingly critical for maintaining system security. By implementing comprehensive network monitoring practices and leveraging tools like network-monitor, Linux users can significantly enhance their security posture and detect threats before they cause significant damage.

Resources

• network-monitor GitHub: https://github.com/grigio/network-monitor
• Linux Security Best Practices: https://www.suse.com/c/linux-hardeningthe-complete-guide-to-securing-your-systems/
• Supply Chain Attack Prevention: https://www.chainguard.dev/supply-chain-security-101/how-to-prevent-software-supply-chain-attacks
• Network Monitoring Tools Guide: https://www.interserver.net/tips/kb/linux-network-monitoring-tools-guide/