Now here's some real great news for system and network admins: we have
created an appliance which brings together the best monitoring and security
auditing tools for a network. Configuring it is similar to any other PCQLinux
Appliance. The only thing to remember is to configure the appliance's network
card in bridged mode, so that it takes an IP address on the physical network and
the tools can see that network's traffic. Here is a step-by-step guide on how to
fine-tune them according to your network.
OpenNMS
This is the most renowned open source network management and alerting
system, but installing it has always been a pain. So we decided to put it in our
appliance, so that you can benefit from it without worrying about installation.
As this application is preinstalled and preconfigured in our appliance, all you
have to do is start a few services, provide some details about your network
to the system, and off it goes monitoring. To begin the configuration, make sure
the appliance has an IP address by running the 'ifconfig' command. Next, change
directory to '/opt/opennms/etc' by running the following command and open the
file called 'discovery-configuration.xml':
#cd /opt/opennms/etc
#vi discovery-configuration.xml
Here, look for the section of the file that defines the discovery range.
[Caption: By using ntop you can monitor all nodes on your network and see the download patterns for each node. It's a great tool to analyze your Net usage.]
In that section, change the IP addresses in the start and end tags to the first
and last addresses of your network's subnet range. For instance, on a
192.168.3.x network, we put 192.168.3.1 in the start tag and 192.168.3.254 in
the end tag. Once this is done, save your settings and close the editor. Now,
run the following commands in the sequence given to start Tomcat, PostgreSQL
and the OpenNMS server:
#/etc/init.d/tomcat5 start
#service postgresql start
#/opt/opennms/bin/opennms start
With this your NMS is up and running.
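The range edit above is easy to get wrong by hand (typing the broadcast address as the end, or a range that spills into a neighbouring subnet and sends discovery pings where they are not wanted). The following added example, which is not part of the article or of OpenNMS, derives the first and last usable host from a CIDR prefix and rewrites the range in a constructed, simplified copy of the discovery file; the element names include-range, begin and end are an assumption here, so compare them with the file on your own appliance before using this on it.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the include-range block of OpenNMS's
# discovery-configuration.xml. The element names (include-range, begin, end)
# are assumed here; check them against the file on your own appliance.
SAMPLE_XML = """<discovery-configuration>
  <include-range>
    <begin>10.0.0.1</begin>
    <end>10.0.0.254</end>
  </include-range>
</discovery-configuration>"""


def host_range(cidr):
    """Return (first, last) usable host address of a subnet given in CIDR form.

    Deriving both ends from the prefix avoids typing the network or broadcast
    address, and keeps the range from silently exceeding your own subnet.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    if not hosts:
        raise ValueError("%s has no usable host addresses" % cidr)
    return str(hosts[0]), str(hosts[-1])


def _local(tag):
    # Strip any XML namespace so matching works whether or not the file declares one.
    return tag.rsplit("}", 1)[-1]


def discovery_ranges(xml_text):
    """List the (begin, end) pairs currently defined in the document."""
    root = ET.fromstring(xml_text)
    ranges = []
    for elem in root.iter():
        if _local(elem.tag) != "include-range":
            continue
        begin = end = None
        for child in elem:
            if _local(child.tag) == "begin":
                begin = child.text.strip()
            elif _local(child.tag) == "end":
                end = child.text.strip()
        ranges.append((begin, end))
    return ranges


def set_discovery_range(xml_text, cidr):
    """Rewrite every include-range so it covers exactly the hosts of `cidr`."""
    begin, end = host_range(cidr)
    root = ET.fromstring(xml_text)
    updated = 0
    for elem in root.iter():
        if _local(elem.tag) != "include-range":
            continue
        for child in elem:
            if _local(child.tag) == "begin":
                child.text = begin
            elif _local(child.tag) == "end":
                child.text = end
        updated += 1
    if not updated:
        raise ValueError("no include-range element found")
    return ET.tostring(root, encoding="unicode")


def range_covers(xml_text, ip):
    """True if `ip` lies inside one of the configured ranges; use it to confirm
    the address you saw in 'ifconfig' is within what OpenNMS will discover."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(b) <= addr <= ipaddress.ip_address(e)
               for b, e in discovery_ranges(xml_text))


if __name__ == "__main__":
    updated = set_discovery_range(SAMPLE_XML, "192.168.3.0/24")
    print(updated)
    print("ranges:", discovery_ranges(updated))
    print("covers 192.168.3.50:", range_covers(updated, "192.168.3.50"))
```

One caveat: the real file declares an XML namespace on its root element, which this sample omits; ElementTree matches the elements regardless, but it will emit its own namespace prefixes when it serialises, so review the rewritten file (or paste the two addresses in by hand) rather than overwriting the original blindly.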
Using OpenNMS
Once you have the appliance's IP address, go to any machine on the same network
and open your favorite browser. Type the address 'http://
and you will get the login screen of OpenNMS. Log in as admin with the password
'admin' (change this default password as soon as you are in, since the dashboard
is reachable from the whole network), and the OpenNMS dashboard pops up. As you
have defined the default range of your network, OpenNMS will automatically
discover all nodes on the network and will also check for services available on
those nodes.
Configuring notification
The final thing you can do is configure notifications in case of failure of any
node or of any service on a node. OpenNMS is capable of sending alerts in an
escalated fashion. For instance, if there is an error in any of the crucial
systems, an alert is immediately sent to the person concerned, and if for any
reason he does not resolve the problem in a given time, the system automatically
escalates the matter and sends an alert to the next level of support. To
configure this, go to the 'Admin' menu at the top of the window, select the
'Configure Notification Path' option, and click on the 'New Path' button. A new
window will open. Give a name for the notification path. Next, click on the
'Edit' button at the right of the window. In the next window click on the 'add
address' button. A dialog box opens. Enter the mail address where you want to
receive the notifications, click on 'Next' twice, then on 'Finish', and you are
done.
Nagios
Nagios is another network monitoring application which, unlike OpenNMS, can
do both agent-less and agent-based monitoring of nodes. But this application
doesn't search for all machines and services on your network; rather, one has to
configure the machines and services manually by scripting half-a-dozen
configuration files. Configuring this app is slightly more difficult compared to
the other tools. But once configured, it can check a lot of things on your
servers, such as SMTP, POP3, HTTP, NNTP and PING services; additionally it can
even monitor the resources of the machines you want to monitor. It can check for
processor load, disk usage, RAM usage, etc., but for this resource monitoring it
requires agents to be installed on the host machines. The basic configuration of
Nagios is already done and to run it, all you have to do is run Nagios as:
#nagios /etc/nagios/nagios.cfg
Once Nagios has started, you can access its Web-based management interface at
'http://ip-addr-of-appliance/nagios'. The default username and password for
logging in are nagiosadmin and pass@word respectively; change this password
before you rely on the interface, as it is a published default. But to fine-tune
Nagios you have to modify a lot of .cfg files. A complete how-to on configuring
Nagios can be found at http://ip-addr-of-appliance/nagios/docs. And for your
comfort we have created samples of the most important config files. You can find
them at /etc/nagios/nagios.cfg.
NTop
This network monitoring tool needs no introduction; without any doubt it
has earned its place in this appliance. The complete package is installed, so
you don't have to do anything except run it on your network. Running it is also
very simple. You have two options here: either run it in daemon mode or as a
standard app. The command for running it in standard mode is: #ntop -i ethx
Here, with the '-i' switch you provide the name of the network card on which you
want NTop to listen. So, for instance, if your appliance is using the eth0
network adapter to connect to your physical network, then the command will look
like 'ntop -i eth0'. To run it as a daemon, the command will be #ntop -d -i ethx
Once NTop has started, you can access it from any machine on the same network by
opening a Web browser and giving the address 'http://ip-addr-of-the-appliance:3000',
where ip-addr-of-the-appliance is the physical IP of the PCQLinux Security and
Monitoring Appliance. Port 3000 is the default port of NTop, and when no other
port is explicitly provided it uses this port. You can also explicitly give NTop
some other port by using the -w switch with the port number while running it:
#ntop -d -i eth0 -w <port>
Ettercap
Ettercap is one of the best sniffing and man-in-the-middle tools, with lots of
plug-ins. You can do good penetration testing of your network by using this
tool. It can simulate all those attacks which a hacker will run in a LAN
environment to capture data. Running it is pretty simple. Just type the command
'ettercap -C' and it will start. To start the sniffing process, click on the
Sniffing menu and then on Unified Sniffing. It will ask you to select the
network card on which you want to set the watch. Next hit Enter to start the
sniffing process. If you want to do some targeted sniffing, then go to the
Targets menu and click on the 'Select target' option. A pop-up will open; here
select the targets (source and destination) on which you want to set the
sniffing and hit Enter to start the sniffing process. You can even scan for all
the live hosts from the Hosts > Scan for hosts option. From here you can
directly select and add targets for sniffing. Once the sniffing on targets has
started, you can see the data flowing between both machines from the View >
Connections option. All authentication-related data, such as passwords and
usernames, will be separately identified and listed at the bottom of the page.
[Caption: With EtherApe one can monitor real-time data flow happening between any two clients on your network.]
You can even run a suite of different plugins from the Plugins menu. To start
plugins, go to the Plugins menu and select the Manage plugins option. There
are more than 20 different plugins available with Ettercap, with which you can
run simple DoS attacks, ARP poisoning attacks, file theft attacks, isolate
nodes, etc.
Dsniff Suite
Yet another sniffing and spoofing tool for penetration testing. Unlike
Ettercap, it doesn't run from a single windowed interface, but is a set of tools
which you can run manually to simulate a LAN attack in many ways. The suite
contains the tools mentioned in the table. Explaining how to run each of these
is not possible in a single article, so we will talk about them one by one in
our coming issues. But if you can't wait that long, then 'man' can solve your
problem. Just run the 'man' command with the name of the tool and you will get
a detailed description and a how-to on running it. Just make sure you type the
name in lower case.
EtherApe
This is a small tool which can work as a great network traffic monitoring
utility in NOCs. The core job of EtherApe is to graphically represent the data
flow between all machines on your network in real time. Different protocols are
represented in different colors, and the amount of data is represented by the
thickness of the line joining the source and the destination machine. Running
the application is very simple. All you have to do is run the command #etherape
from an X terminal and a window will pop up. In this window click on the Capture
menu and then go to the Interface option to select the network card on which
you want to run the monitoring. Once you have selected the network card, go to
the Mode option in the same menu to select the type of protocol and network you
want to monitor. For instance, you can select between options like TCP and IP,
or Ethernet, Token Ring and FDDI networks. Once you are done with the selection,
the monitoring process will start and you will be presented with the real-time
data traffic flow of your network.
Arpwatch
A very useful tool to monitor ARP spoofing or any sort of suspicious ARP
activity. All you have to do is run the command #arpwatch -i eth0 -s yourmail@id.com
-e yourmail@id.com. Here replace yourmail@id.com with the mail ID where you
would like to receive alerts from arpwatch. This tool will keep running and will
notify you in case it finds any ARP flip-flop or some other kind of ARP
poisoning happening on the network.
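To make the "flip-flop" that arpwatch reports concrete, here is an added example (not part of the article or of arpwatch itself) of the bookkeeping behind such alerts: it keeps an IP-to-MAC table from a constructed list of ARP replies and labels each change with the report names arpwatch uses (new station, changed ethernet address, flip flop). The addresses are made up, and the alert format is only in the spirit of arpwatch's mails, not a copy of it.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on a segment, as (timestamp, ip, mac).
# These are made-up addresses for illustration, not captured traffic.
SAMPLE_REPLIES = [
    (1, "192.168.3.1",  "00:11:22:33:44:01"),   # gateway announces itself
    (2, "192.168.3.10", "00:11:22:33:44:10"),
    (3, "192.168.3.1",  "00:11:22:33:44:01"),   # same pairing again: no event
    (4, "192.168.3.1",  "AA:BB:CC:DD:EE:FF"),   # gateway IP claimed by another MAC
    (5, "192.168.3.1",  "00:11:22:33:44:01"),   # real gateway answers again
    (6, "192.168.3.20", "00:11:22:33:44:20"),
]


class ArpTracker:
    """Keep an IP-to-MAC table and classify each change the way arpwatch
    labels its reports: new station, changed ethernet address, flip flop."""

    def __init__(self):
        self.current = {}                 # ip -> mac currently believed to own it
        self.seen = defaultdict(set)      # ip -> every mac that has ever claimed it
        self.events = []

    def observe(self, ts, ip, mac):
        mac = mac.lower()                 # normalise so case differences are not "changes"
        old = self.current.get(ip)
        if old == mac:
            return None                   # steady state, nothing to report
        if old is None:
            kind = "new station"
        elif mac in self.seen[ip]:
            kind = "flip flop"            # bouncing back to a MAC seen earlier
        else:
            kind = "changed ethernet address"
        self.current[ip] = mac
        self.seen[ip].add(mac)
        event = {"time": ts, "ip": ip, "kind": kind, "old": old, "new": mac}
        self.events.append(event)
        return event

    def contested_ips(self):
        """IPs that more than one MAC has claimed: the candidates for poisoning."""
        return sorted(ip for ip, macs in self.seen.items() if len(macs) > 1)


def analyse(replies):
    """Feed a list of (timestamp, ip, mac) records through a fresh tracker."""
    tracker = ArpTracker()
    for ts, ip, mac in replies:
        tracker.observe(ts, ip, mac)
    return tracker


def format_alert(event):
    """One-line summary in the spirit of arpwatch's mail subject lines."""
    if event["old"] is None:
        return "%s: %s %s" % (event["kind"], event["ip"], event["new"])
    return "%s: %s %s (was %s)" % (event["kind"], event["ip"],
                                   event["new"], event["old"])


if __name__ == "__main__":
    t = analyse(SAMPLE_REPLIES)
    for ev in t.events:
        print(format_alert(ev))
    print("contested:", t.contested_ips())
```

The point to take from the sample run is that a single "changed ethernet address" on a gateway IP followed by a "flip flop" back is exactly the pattern ARP poisoning produces, whereas a legitimate NIC replacement shows one change and then stays quiet; arpwatch's mails give you both signals, and the gateway's IP is the one to watch most closely.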