
Re: user traffic accounting



On 07/01/02, martin f krafft wrote:
> please direct me to some documentation on ways to account for user
> traffic on a single machine, acting as BIND9, apache, postfix, and sshd
> server for a number of users. i need to get as close as possible to

Sounds like those users need to have lots of money or be very careful
how they use that machine, as otherwise they go bankrupt. :-)

>   - Shell: every user has ssh access. i need to be able to keep track
>     of every byte coming in and out of sshd, but also any data sent to
>     or received from the internet while using the shell account.

That could be the most difficult one as all traffic is encrypted and you
have no chance to identify the user and figure out who is responsible
for which traffic. Even when using a sniffer you'll only be able to
figure out which traffic originates from or was sent to which IP. And using a
sniffer could cause legal problems.

>   - HTTP: a user has zero or more domains hosted on the system, all
>     request and response volume should be added to that user's accounting
>     data.

Hm, that could be a bit easier, since at least for the incoming request
it should be possible to get the http server to log not only the request
and the origin of it, but also the size. The problem would be to
identify exactly all outgoing traffic that is created as a response.

>   - Mail: any mail that the user receives should be byte-counted. the
>     same applies to mail sent from the user account via sendmail, mail
>     sent via port 25, and mail relayed (TLS client authentication).

That again will be a bit difficult since most MTAs don't log the size of
the mail. I would suppose that accounting the outgoing traffic will be
the biggest problem here, since mostly no logfile for an MTA will include
information on which user submitted a mail and how big it was. For incoming
traffic, also called mails ;-), partly this could be solved by changing
the setup to have the MTA first send the mail to some kind of content
filter, which would then not only check for viruses, but also figure out
to which user the mail was addressed by looking at some headers like
Delivered-To and then calculate the exact size of the mail and write
this information to some log before handing the mail to the MDA.


>   - BIND: c.f. with HTTP, basically the same applies.

Again a big problem, since bind never logs the size of the request or
answers. 

> if you ask me, this sounds like a horrible task. any tips from the ISP
> experts?

Yes, that's horrible and sounds like some sales people thought about
ways to bill their customers more money without thinking about the
technical problems or talking with IT staff about it.

Christian
-- 
           Debian Developer (http://www.debian.org)
1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853
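
The content-filter accounting step described in the reply above, as an added example that is not part of the original message or any MTA's own code. It assumes the filter receives the raw message with a Delivered-To header already present; the ACCOUNT_OF mapping, the sample messages and the log format are constructed for illustration.

```python
import email
from collections import defaultdict
from email.utils import parseaddr

# Hypothetical mapping from mailbox address to billable account.
ACCOUNT_OF = {"alice@example.org": "alice", "bob@example.org": "bob"}

# Constructed sample messages, as a filter would receive them from the MTA.
SAMPLE_MESSAGES = [
    b"Delivered-To: alice@example.org\r\nFrom: x@example.net\r\n"
    b"Subject: hi\r\n\r\nhello\r\n",
    b"Delivered-To: <bob@example.org>\r\nDelivered-To: alice@example.org\r\n"
    b"\r\nbody\r\n",
    b"From: x@example.net\r\n\r\nno delivery header\r\n",
]


def account_message(raw, totals):
    """Charge the full message size to each account named in Delivered-To.

    Returns the (account, size) records to log before handing off to the MDA.
    """
    msg = email.message_from_bytes(raw)
    size = len(raw)  # exact byte count, headers included
    accounts = []
    for value in msg.get_all("Delivered-To", []):
        addr = parseaddr(str(value))[1].lower()
        account = ACCOUNT_OF.get(addr, "unattributed")
        if account not in accounts:  # charge each account once per message
            accounts.append(account)
    if not accounts:  # no usable header: keep the bytes visible, not lost
        accounts.append("unattributed")
    for account in accounts:
        totals[account] += size
    return [(account, size) for account in accounts]


def run_samples():
    """Run the constructed messages through the filter step."""
    totals = defaultdict(int)
    log = []
    for raw in SAMPLE_MESSAGES:
        log.extend(account_message(raw, totals))
    return dict(totals), log


if __name__ == "__main__":
    totals, log = run_samples()
    for account, size in log:
        print(f"mail-acct account={account} bytes={size}")
    print(totals)
```

Header values are written by whoever handled the message earlier, so a forged Delivered-To line can shift bytes onto another account. Where the MTA passes the envelope recipient to the filter, that value is the more reliable key for billing.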
