Install and configure nprobe

Suppose we installed ntopng as I described in this article – Install and configure ntopng
That is, they selected the necessary package at http://packages.ntop.org/apt-stable/ and downloaded it:

wget wget http://apt-stable.ntop.org/16.04/all/apt-ntop-stable.deb
sudo dpkg -i apt-ntop-stable.deb

Install nprobe if it is not installed:

sudo apt-get clean all
sudo apt-get update
sudo apt-get install nprobe

To receive NetFlow data and transfer it to ntopng, create a file (in the nano editor, press CTRL+X to exit, y/x to save or discard changes):

sudo nano /etc/nprobe/nprobe-anyname.conf

Add to it:

--zmq="tcp://*:5556"
-3 2055
--flow-version 9
-n=none
-i=none

2055 is the port on which you want to receive NetFlow data, and port 5556 is used to transmit it to ntopng.
See my articles on configuring NetFlow on switches:
Configuring NetFlow on Cisco
Configuring sFlow on D-Link Switches
Setting up and using Traffic Flow in Mikrotik

Now it remains to open the ntopng configuration in a text editor:

sudo nano /etc/ntopng/ntopng.conf

And add a line at the end (thereby adding the nprobe interface to collect statistics):

--interface="tcp://127.0.0.1:5556"

It remains to restart ntopng to apply the changes:

sudo service ntopng restart

Check whether everything works:

sudo netstat -tulpen | grep 2055
sudo netstat -tulpen | grep 5556
sudo /etc/init.d/nprobe status

I noticed that nprobe does not always shut down after the command:

sudo /etc/init.d/nprobe stop

Therefore, if necessary, you can stop it like this:

sudo killall nprobe
sudo kill -9 PID

In the free version of nprobe, I had a message:

NOTE: This is a DEMO version limited to 25000 flows export.

The full version can be purchased at the official site of shop.ntop.org.

See also:
IPTables rules for nprobe

Using netwox

I will give examples of using netwox and describe them.
I described the netwox installation in this article – Установка netwox

Example of a standard startup:

sudo netwox

netwox has quite a lot of functions, you can see them by pressing after starting the number 3 and Enter.

Network configuration display:

sudo netwox 1

Display debugging information:

sudo netwox 2

Display information about the IP address or host name:

sudo netwox 3 example.com

Displaying information about the MAC address:

sudo netwox 4 -e 00:15:5D:38:01:08

Obtaining MAC addresses from the IP list:

sudo netwox 5 -i 192.168.1.0/24

Display information that will be used to reach the specified IP address:

sudo netwox 6 192.168.24.254

Sniffer, displaying the transmitted packets on the screen:

sudo netwox 7

Sniffer, displaying only the list of open ports that were used in the captured packets:

sudo netwox 8

Sniffer, mapping of MAC and IP addresses:

sudo netwox 9

An example of capturing packets and displaying brief statistics (the number of packets counted, the size of packages, the percentage of the number of packets (c%), the percentage of the size (s%)):

netwox 10 -d eth0

Convert a digit to an encrypted one:

sudo netwox 21 -n number

Converting a string to an encrypted string (sha256, md5, etc.):

sudo netwox 22 -d text

Show ASCII table:

sudo netwox 23

Check the security of the directory:

sudo netwox 25 /tmp/

Example of ICMP PING:

sudo netwox 49 -i 192.168.24.253

Example of ARP PING:

sudo netwox 55 -i 192.168.24.253

Example ICMP route tracing:

sudo netwox 57 -i examle.com

Example of TCP route tracing:

sudo netwox 59 -i examle.com

Example UDP route tracing:

sudo netwox 61 -i examle.com

Example of port scanning:

sudo netwox 67 -i 192.168.24.254 -p 1-1000

ICMP scanning for availability:

sudo netwox 65 -i 192.168.1.0/24

TCP port access scan:

sudo netwox 67 -i 192.168.1.0/24 -p 80

UDP port access scan:

sudo netwox 69 -i 192.168.1.0/24 -p 80

ARP scanning:

sudo netwox 71 -i 192.168.1.0/24

Flood random fragments:

sudo netwox 74 -i 192.168.24.254

Filling the table of MAC-addresses of the switch by sending a flood:

sudo netwox 75

Synflood:

sudo netwox 76 -i 192.168.24.254 -p 80

etc.

Installing and Configuring OpenFire

OpenFire – A cross-platform XMPP server written in Java.

For the test, I will install OpenFire in Ubuntu Server 16.04 and describe the process.

Since OpenFire requires Java, let’s see the installed version on the system:

java -version

If necessary, install Java:

sudo apt-get install default-jre

Then go to the download page www.igniterealtime.org/downloads/, click download and copy the link.

Download, adding at the end the copied link instead of LINK:

wget -O openfire.deb LINK

For example:

wget -O openfire.deb http://www.igniterealtime.org/downloadServlet?filename=openfire/openfire_4.2.1_all.deb

Install:

sudo dpkg --install openfire.deb

Now it remains to open in the browser http://YourServer:9090/ and follow the prompts.

After that, the installation of OpenFire will be completed.

If necessary, you can stop, start, or restart OpenFire like this:

/etc/init.d/openfire {start|stop|restart|force-reload}

Installing and Configuring SSMTP

SSMTP – an alternative to sendmail for sending mail, allows you to configure sending via third-party mail servers.

To install in Ubuntu, use the command:

sudo apt-get install ssmtp mailutils

Next, open the /etc/ssmtp/ssmtp.conf file in any text editor (in the nano, press Ctrl+X to exit, y/n to save or discard changes):

sudo nano /etc/ssmtp/ssmtp.conf

Comment out all and set up as shown below for an example:

root=test@gmail.com
mailhub=smtp.gmail.com:587
hostname=smtp.gmail.com:587
UseSTARTTLS=YES
AuthUser=test@gmail.com
AuthPass=password
FromLineOverride=YES

If you use Google mail, you will probably need to allow “Untrusted applications” in the settings at https://myaccount.google.com/security.

Also open the /etc/ssmtp/revaliases file in the text editor:

sudo nano /etc/ssmtp/revaliases

And add:

root:test@gmail.com:smtp.gmail.com:587

Let’s try to send the letter to the specified address (after the command we will type the desired text and put a point for completion):

sendmail -v admin@example.com

Letters must be sent from the address specified in the file /etc/ssmtp/ssmtp.conf.

Using Linux ISG

View all sessions:

/opt/ISG/bin/ISG.pl
/opt/ISG/bin/ISG.pl | less

View information about a specific session:

/opt/ISG/bin/ISG.pl | grep 192.168.4.168

Viewing the number of sessions:

/opt/ISG/bin/ISG.pl show_count

Deleting a specific session:

/opt/ISG/bin/ISG.pl clear 192.168.4.168
/opt/ISG/bin/ISG.pl clear <IP-address | Virtual# | Session-ID>

Change the speed for a specific session (incoming/outgoing, for example 100 MB/s):

/opt/ISG/bin/ISG.pl change_rate 192.168.4.168 102400 102400

I note that the speed is specified in kilobytes, and when viewed in the table of sessions is displayed in bytes.

I’ll describe the possible keys to the flags:
A (Session approved)
X (Session not approved)
S (This is a service (or sub-session))
O (Service administrative status is enabled)
U (Online service (RADIUS account is active, traffic flow))
T (Type of service – “tagger”)
Z (Disconnected)

Changing the processor core frequency in Linux

To see the minimum, current and maximum frequency of the processor cores, execute the command:

grep '' /sys/devices/system/cpu/cpu0/cpufreq/scaling_{min,cur,max}_freq

For example, in my case, the following is displayed:

/sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq:800000
/sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq:907482
/sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq:4000000

On idle servers, there is probably no point in raising the minimum frequency of the processor cores, but on heavily loaded ones, such as the access server for example, I usually increase, because the processor is constantly loaded, jumping frequencies only hinder and judging by the graphs after the changes, the load on the processor decreases noticeably.

To set the minimum frequency for all processor cores to the same as the maximum, create a script with the code below and execute it:

#!/bin/bash
cpucount=$(grep -c 'model name' /proc/cpuinfo)
sysdir=/sys/devices/system/cpu
for cpu in $(eval echo cpu{0..$((cpucount-1))}); do
        cat $sysdir/$cpu/cpufreq/scaling_max_freq > $sysdir/$cpu/cpufreq/scaling_min_freq
done

See also my article:
Changing CPU Scaling Governor on Linux

Logging activity using IPTables

Using iptables, you can write network activity to the log file, that is, which data is sent to and from where it comes from.
Example command:

sudo iptables -t filter -A FORWARD -s 192.168.1.0/24 -m tcp -p tcp --dport 80 -j LOG --log-prefix "iptables: "

That the information was written not in rsyslog a file, and separately, we will create a file:

sudo nano /etc/rsyslog.d/10-iptables.conf

And add the following to it:

:msg, contains, "iptables: " -/var/log/iptables.log
& ~

To apply the changes, restart rsyslog:

sudo /etc/init.d/rsyslog reload

Done, the network activity specified in the first rule will be written to the file /var/log/iptables.log.

It is also desirable to configure logrotate to remove old logs, to save disk space.

See also:
Configuring logrotate for log rotation
Configuring IPTables

Monitoring of Apache2 parameters in Zabbix

Install the necessary components:

sudo apt-get install curl

Activate the module information about apache2 (usually it is activated initially):

sudo a2enmod info

Open the configuration file of the module and specify the IP address of the zabbix server to allow it to view information about apache2 (if apache2 is on the local machine, then access is usually allowed by specifying local or 127.0.0.1):

sudo nano /etc/apache2/mods-enabled/status.conf

In the nano editor, CTRL+X is used to exit and y/n to save or discard changes. Example of specifying IP:

<Location /server-status>
    SetHandler server-status
    Require local
    Require ip 192.168.1.5
</Location>

Restart the web server to apply the changes:

sudo service apache2 restart

Now the information about apache2 is available through the browser by the link http://HOST/server-status

Let’s move on to Zabbix. Create a folder for scripts if it does not exist:

mkdir /etc/zabbix/scripts/
chown root:zabbix -R /etc/zabbix/scripts/
chmod 750 /etc/zabbix/scripts/

In the zabbix server configuration file, we specify the path to this folder:

sudo nano /etc/zabbix/zabbix_server.conf
ExternalScripts=PATH

Now I will give the content of the script:

#!/bin/bash
if [[ -z "$1" || -z "$2" || -z "$3" ]]; then
  exit 1
fi
##### PARAMETERS #####
RESERVED="$1"
METRIC="$2"
URL="$3"
STATSURL="${URL}?auto"
#
CACHE_TTL="55"
CACHE_FILE="/tmp/zabbix.apache2.`echo ${URL} | md5sum | cut -d" " -f1`.cache"
EXEC_TIMEOUT="2"
NOW_TIME=`date '+%s'`
##### RUN #####
if [ -s "${CACHE_FILE}" ]; then
  CACHE_TIME=`stat -c"%Y" "${CACHE_FILE}"`
else
  CACHE_TIME=0
fi
DELTA_TIME=$((${NOW_TIME} - ${CACHE_TIME}))
#
if [ ${DELTA_TIME} -lt ${EXEC_TIMEOUT} ]; then
  sleep $((${EXEC_TIMEOUT} - ${DELTA_TIME}))
elif [ ${DELTA_TIME} -gt ${CACHE_TTL} ]; then
  echo "" >> "${CACHE_FILE}" # !!!
  DATACACHE=`curl -sS --insecure --max-time ${EXEC_TIMEOUT} "${STATSURL}" 2>&1`
  echo "${DATACACHE}" > "${CACHE_FILE}" # !!!
  echo "URL=${URL}"  >> "${CACHE_FILE}" # !!!
  chmod 640 "${CACHE_FILE}"
fi
#
if [ "${METRIC}" = "accesses" ]; then
  cat "${CACHE_FILE}" | grep -i "accesses" | cut -d':' -f2 | head -n1
fi
if [ "${METRIC}" = "kbytes" ]; then
  cat "${CACHE_FILE}" | grep -i "kbytes" | cut -d':' -f2 | head -n1
fi
if [ "${METRIC}" = "cpuload" ]; then
  cat "${CACHE_FILE}" | grep -i "cpuload" | cut -d':' -f2 | head -n1
fi
if [ "${METRIC}" = "uptime" ]; then
  cat "${CACHE_FILE}" | grep -i "uptime" | cut -d':' -f2 | head -n1
fi
if [ "${METRIC}" = "avgreq" ]; then
  cat "${CACHE_FILE}" | grep -i "ReqPerSec" | cut -d':' -f2 | head -n1
fi
if [ "${METRIC}" = "avgreqbytes" ]; then
  cat "${CACHE_FILE}" | grep -i "BytesPerReq" | cut -d':' -f2 | head -n1
fi
if [ "${METRIC}" = "avgbytes" ]; then
  cat "${CACHE_FILE}" | grep -i "BytesPerSec" | cut -d':' -f2 | head -n1
fi
if [ "${METRIC}" = "busyworkers" ]; then
  cat "${CACHE_FILE}" | grep -i "BusyWorkers" | cut -d':' -f2 | head -n1
fi
if [ "${METRIC}" = "idleworkers" ]; then
  cat "${CACHE_FILE}" | grep -i "idleworkers" | cut -d':' -f2 | head -n1
fi
if [ "${METRIC}" = "totalslots" ]; then
  cat "${CACHE_FILE}" | grep -i "Scoreboard" | cut -d':' -f2 | sed -e 's/ //g' | wc -c | awk '{print $1-1}'
fi
#
exit 0

Let’s make the script file executable:

chown root:zabbix /etc/zabbix/scripts/apache2-status.sh
chmod 550 /etc/zabbix/scripts/apache2-status.sh

Script validation example:

sudo -u zabbix /etc/zabbix/scripts/apache2-status.sh none accesses http://HOST/server-status

Open the zabbix agent configuration file in the editor:

sudo nano /etc/zabbix/zabbix_agentd.conf

And we will specify the following parameters:

UserParameter=apache2[*],/etc/zabbix/scripts/apache2-status.sh "none" "$1" "$2"

Some commands allow you to see the number of apache2 processes and connections to port 80, for this you do not need a script, for example, you can specify:

UserParameter=apache2.count_processes,ps aux | grep apache | wc -l
UserParameter=connections_on_80_port,netstat -na | grep :80 | wc -l

Restart the zabbix agent to apply the changes:

sudo /etc/init.d/zabbix-agent restart

Let’s check:

zabbix_get -s 127.0.0.1 -k "apache2[accesses,http://HOST/server-status]"

Now we will create a template and add data elements, an example of created data items:

apache2[KEY,http://HOST/server-status]

Exported ready template – apache2-status

We also need to add a macro to the monitored host:

Macro: {$APACHE_STATS_URL}
Value: http://HOST/server-status

Done.

The number of apache2 processes can be obtained from the Zabbix agent by creating on the Zabbix server a data element with a key:

proc.num[apache2]