Vyacheslav Gapon – personal blog, manuals, articles, notes, development
First of all, let’s look at the current IPTables rules:
iptables -nvL
In order for nprobe to accept NetFlow data, open the port for it:
sudo iptables -A INPUT -p udp --dport 2055 -j ACCEPT
In order for nprobe to accept NetFlow data only from a particular network or IP:
sudo iptables -A INPUT -s 10.0.0.0/24 -p udp --dport 2055 -j ACCEPT
See also my articles:
Configuring IPTables
Install and configure nprobe
Suppose we installed ntopng as I described in this article – Install and configure ntopng
That is, they selected the necessary package at http://packages.ntop.org/apt-stable/ and downloaded it:
wget wget http://apt-stable.ntop.org/16.04/all/apt-ntop-stable.deb sudo dpkg -i apt-ntop-stable.deb
Install nprobe if it is not installed:
sudo apt-get clean all sudo apt-get update sudo apt-get install nprobe
To receive NetFlow data and transfer it to ntopng, create a file (in the nano editor, press CTRL+X to exit, y/x to save or discard changes):
sudo nano /etc/nprobe/nprobe-anyname.conf
Add to it:
--zmq="tcp://*:5556" -3 2055 --flow-version 9 -n=none -i=none
2055 is the port on which you want to receive NetFlow data, and port 5556 is used to transmit it to ntopng.
See my articles on configuring NetFlow on switches:
Configuring NetFlow on Cisco
Configuring sFlow on D-Link Switches
Setting up and using Traffic Flow in Mikrotik
Now it remains to open the ntopng configuration in a text editor:
sudo nano /etc/ntopng/ntopng.conf
And add a line at the end (thereby adding the nprobe interface to collect statistics):
--interface="tcp://127.0.0.1:5556"
It remains to restart ntopng to apply the changes:
sudo service ntopng restart
Check whether everything works:
sudo netstat -tulpen | grep 2055 sudo netstat -tulpen | grep 5556 sudo /etc/init.d/nprobe status
I noticed that nprobe does not always shut down after the command:
sudo /etc/init.d/nprobe stop
Therefore, if necessary, you can stop it like this:
sudo killall nprobe sudo kill -9 PID
In the free version of nprobe, I had a message:
NOTE: This is a DEMO version limited to 25000 flows export.
The full version can be purchased at the official site of shop.ntop.org.
See also:
IPTables rules for nprobe
sFlow – Traffic analysis protocol, similar to NetFlow.
Enable/disable sFlow on the switch:
enable/disable sflow
Viewing parameters:
show sflow show sflow flow_sampler show sflow counter_poller show sflow analyzer_server
Adding/modifying the sFlow analyzer server:
create/config sflow analyzer_server 1-4 owner NAME timeout 1-2000000(sec)/infinite collectoraddress ADDRESS collectorport udp_PORT maxdatagramsize 300-1400
Example of removing the sFlow analyzer server:
delete sflow analyzer_server 1-4
Creating, modifying, deleting the sFlow polling counters:
create/config sflow counter_poller ports NUMBER/all analyzer_server_id 1-4 interval disable/20-120(sec) delete sflow counter_poller ports NUMBER/all
Create, modify, delete sFlow sample ports:
create/config sflow flow_sampler ports NUMBER/all analyzer_server_id (1-4) rate value 0-65535 tx_rate value 0-65535 maxheadersize value 18-256 delete sflow flow_sampler ports NUMBER/all
I will give an example of setting:
enable sflow create sflow analyzer_server 1 owner Linux collectoraddress 192.168.1.5 collectorport 6343 create sflow counter_poller ports 1 analyzer_server_id 1 interval 20 create sflow flow_sampler ports 1:1 analyzer_server_id 1 rate 1000 maxheadersize 128
I tried to run ntopng once:
sudo /etc/init.d/ntopng start
And got the following start error:
* Missing /etc/ntopng/ntopng.start. Quitting
…fail!
ntopng was started only like this:
sudo /etc/init.d/ntopng force-start
To solve an error, just create an empty file:
sudo touch /etc/ntopng/ntopng.start sudo /etc/init.d/ntopng restart
See also:
Install and configure ntopng
Suppose the server has one network card and in network connections it can be seen as “Ethernet”, but after adding the Hyper-V role, a virtual switch vEthernet (…) is created.
Virtual machines can be seen from other computers but can not be seen from the local.
Therefore, for virtual machines to be accessible from the local machine, you must disable the DHCP client to Ethernet, or assign an IP address manually, then the virtual switch vEthernet (…) will receive IP instead of Ethernet because they have the same The MAC address.
To delete a VK page, you need to login using your login and password, click the upper right of the icon and select “Settings”.
Below, click on the link “You can delete your page”.
Next, you need to select the reason for the deletion, you can uncheck the “Tell your friends” box if you do not want all friends to see the message and the reason for the deletion.
And click “Delete page”.
In my case, a message was displayed that the page was deleted and it can be restored to the specified date (within 7 months).
I will give examples of using netwox and describe them.
I described the netwox installation in this article – Установка netwox
Example of a standard startup:
sudo netwox
netwox has quite a lot of functions, you can see them by pressing after starting the number 3 and Enter.
Network configuration display:
sudo netwox 1
Display debugging information:
sudo netwox 2
Display information about the IP address or host name:
sudo netwox 3 example.com
Displaying information about the MAC address:
sudo netwox 4 -e 00:15:5D:38:01:08
Obtaining MAC addresses from the IP list:
sudo netwox 5 -i 192.168.1.0/24
Display information that will be used to reach the specified IP address:
sudo netwox 6 192.168.24.254
Sniffer, displaying the transmitted packets on the screen:
sudo netwox 7
Sniffer, displaying only the list of open ports that were used in the captured packets:
sudo netwox 8
Sniffer, mapping of MAC and IP addresses:
sudo netwox 9
An example of capturing packets and displaying brief statistics (the number of packets counted, the size of packages, the percentage of the number of packets (c%), the percentage of the size (s%)):
netwox 10 -d eth0
Convert a digit to an encrypted one:
sudo netwox 21 -n number
Converting a string to an encrypted string (sha256, md5, etc.):
sudo netwox 22 -d text
Show ASCII table:
sudo netwox 23
Check the security of the directory:
sudo netwox 25 /tmp/
Example of ICMP PING:
sudo netwox 49 -i 192.168.24.253
Example of ARP PING:
sudo netwox 55 -i 192.168.24.253
Example ICMP route tracing:
sudo netwox 57 -i examle.com
Example of TCP route tracing:
sudo netwox 59 -i examle.com
Example UDP route tracing:
sudo netwox 61 -i examle.com
Example of port scanning:
sudo netwox 67 -i 192.168.24.254 -p 1-1000
ICMP scanning for availability:
sudo netwox 65 -i 192.168.1.0/24
TCP port access scan:
sudo netwox 67 -i 192.168.1.0/24 -p 80
UDP port access scan:
sudo netwox 69 -i 192.168.1.0/24 -p 80
ARP scanning:
sudo netwox 71 -i 192.168.1.0/24
Flood random fragments:
sudo netwox 74 -i 192.168.24.254
Filling the table of MAC-addresses of the switch by sending a flood:
sudo netwox 75
Synflood:
sudo netwox 76 -i 192.168.24.254 -p 80
etc.
netwox – a tool for finding and solving problems on the network.
Installation command for Ubuntu / Debian:
sudo apt-get install netwox
You can remove netwox like this:
sudo apt-get autoremove netwox
See also:
Using netwox
OpenFire – A cross-platform XMPP server written in Java.
For the test, I will install OpenFire in Ubuntu Server 16.04 and describe the process.
Since OpenFire requires Java, let’s see the installed version on the system:
java -version
If necessary, install Java:
sudo apt-get install default-jre
Then go to the download page www.igniterealtime.org/downloads/, click download and copy the link.
Download, adding at the end the copied link instead of LINK:
wget -O openfire.deb LINK
For example:
wget -O openfire.deb http://www.igniterealtime.org/downloadServlet?filename=openfire/openfire_4.2.1_all.deb
Install:
sudo dpkg --install openfire.deb
Now it remains to open in the browser http://YourServer:9090/ and follow the prompts.
After that, the installation of OpenFire will be completed.
If necessary, you can stop, start, or restart OpenFire like this:
/etc/init.d/openfire {start|stop|restart|force-reload}
SSMTP – an alternative to sendmail for sending mail, allows you to configure sending via third-party mail servers.
To install in Ubuntu, use the command:
sudo apt-get install ssmtp mailutils
Next, open the /etc/ssmtp/ssmtp.conf file in any text editor (in the nano, press Ctrl+X to exit, y/n to save or discard changes):
sudo nano /etc/ssmtp/ssmtp.conf
Comment out all and set up as shown below for an example:
root=test@gmail.com mailhub=smtp.gmail.com:587 hostname=smtp.gmail.com:587 UseSTARTTLS=YES AuthUser=test@gmail.com AuthPass=password FromLineOverride=YES
If you use Google mail, you will probably need to allow “Untrusted applications” in the settings at https://myaccount.google.com/security.
Also open the /etc/ssmtp/revaliases file in the text editor:
sudo nano /etc/ssmtp/revaliases
And add:
root:test@gmail.com:smtp.gmail.com:587
Let’s try to send the letter to the specified address (after the command we will type the desired text and put a point for completion):
sendmail -v admin@example.com
Letters must be sent from the address specified in the file /etc/ssmtp/ssmtp.conf.