Network Security and Monitoring

PCQ Bureau

Now here's some real great news for system and network admins: we have
created an appliance which brings together the best monitoring and security
auditing tools for a network. Configuring this is similar to any other PCQLinux
Appliance. The only thing to remember is to configure your network card in
bridged mode, so that the appliance takes an IP address on the physical network
and the tools can see the network traffic properly. Here is a step-by-step guide
on how to fine tune them according to your network.

OpenNMS



This is the most renowned Open Source Network Management and Alerting
System, but installing it has always been a pain. Thus we decided to put it in
our appliance, so that you can benefit from it without worrying about
installation. As this application is preinstalled and preconfigured in our
appliance, all you have to do is start a few services, provide some details
about your network to the system, and off it goes monitoring. To begin the
configuration, make sure you have an IP address by running the 'ifconfig'
command. Next, change directory to '/opt/opennms/etc' by running the following
command and open the file called 'discovery-configuration.xml':

#cd /opt/opennms/etc

#vi discovery-configuration.xml

(Figure caption: By using ntop you can monitor all nodes on your network and
see the download patterns for each node. It's a great tool to analyze your Net
usage.)

Here, you will see the following section in the file:

<include-range>
    <begin>192.168.0.1</begin>
    <end>192.168.0.254</end>
</include-range>

Here, change the IP addresses in the start and end tags to the IP addresses of
your network subnet range. For instance, on a 192.168.3.x network, we put
192.168.3.1 in the start tag and 192.168.3.254 in the end tag. Once this is
done, save your settings and close the editor. Now, run the following commands
in the sequence given to start Tomcat, PostgreSQL and the OpenNMS server:

#/etc/init.d/tomcat5 start

#service postgresql start

#/opt/opennms/bin/opennms start

With this your NMS is up and running.
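The range change and the start-up sequence above, as a small shell helper added here (it is not part of the article or of the OpenNMS project). It assumes the stock OpenNMS layout in which the range is an include-range element with begin and end children, and the function names are our own. The prefix check rejects anything that is not three octets, so a typo such as 192.168.300 is caught before the file is touched.

```shell
#!/bin/sh
# Added example: build the OpenNMS discovery include-range for one /24 and
# splice it into discovery-configuration.xml. Assumes the <include-range>/
# <begin>/<end> layout of the stock OpenNMS file; helper names are ours.

# Succeed only if $1 looks like the first three octets of a /24 (e.g. 192.168.3).
valid_prefix() {
    echo "$1" | awk -F. '
        NF != 3 { exit 1 }
        { for (i = 1; i <= 3; i++)
              if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print the include-range element covering .1 to .254 of the given prefix.
opennms_range_xml() {
    valid_prefix "$1" || { echo "bad prefix: $1" >&2; return 1; }
    printf '    <include-range>\n'
    printf '        <begin>%s.1</begin>\n' "$1"
    printf '        <end>%s.254</end>\n' "$1"
    printf '    </include-range>\n'
}

# Rewrite the <begin>/<end> pair in an existing file (a .bak copy is kept).
set_discovery_range() {
    file=$1; prefix=$2
    valid_prefix "$prefix" || { echo "bad prefix: $prefix" >&2; return 1; }
    sed -i.bak \
        -e "s|<begin>[0-9.]*</begin>|<begin>${prefix}.1</begin>|" \
        -e "s|<end>[0-9.]*</end>|<end>${prefix}.254</end>|" "$file"
}

# Usage: sh range.sh 192.168.3   -> prints the element for that network.
# Usage: sh range.sh 192.168.3 /opt/opennms/etc/discovery-configuration.xml
#        -> updates the file in place, then start the services as above.
if [ $# -eq 1 ]; then
    opennms_range_xml "$1"
elif [ $# -eq 2 ]; then
    set_discovery_range "$2" "$1"
fi
```

Run the two-argument form before starting OpenNMS, since the discovery range is read at start-up.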

Using OpenNMS



Once the appliance has its IP and the services are running, go to any machine
on the same network and open your favorite browser. Type the address
'http://ip-addr-of-the-appliance:8980/opennms' and you will get the login
screen of OpenNMS. Log in as admin with the password 'admin,' and the OpenNMS
dashboard pops up. As you have defined the default range of your network,
OpenNMS will automatically discover all nodes on the network and will also
check for the services available on those nodes.

Configuring notification



The final thing you can do is configure notifications in case of failure of
any node, or of any service specific to a node. OpenNMS is capable of sending
alerts in an escalated fashion. For instance, if there is an error in any of
the crucial systems, an alert is immediately sent to the concerned person, and
if for any reason he does not resolve the problem in a given time, the system
automatically escalates the matter and sends an alert to the next level of
support. To configure this, go to the 'Admin' menu at the top of the window,
select the 'Configure Notification Path' option, and click on the 'New Path'
button. A new window will open up. Give a name for the notification path.
Next, click on the 'Edit' button at the right of the window. In the next window
click on the 'Add address' button. A dialog box opens. Enter the mail address
where you want to receive the notifications, click on 'Next' twice, then on
'Finish,' and you are done.

Nagios



Nagios is another network monitoring application; unlike OpenNMS, it can do
both agent-less and agent-based monitoring of nodes. But this application
doesn't search for all machines and services on your network; rather, one has
to configure the machines and servers manually by scripting half-a-dozen
configuration files. The configuration of this app is slightly more difficult
compared to the other tools. But once configured, it can check a lot of things
on your servers, such as SMTP, POP3, HTTP, NNTP and PING services; additionally
it can even monitor the resources of the machines you want to watch. It can
check for processor load, disk usage, RAM usage, etc, but for this resource
monitoring it requires agents to be installed on the host machines. The basic
configuration of Nagios is already done, and to run it all you have to do is
start Nagios as: #nagios /etc/nagios/nagios.cfg

Once Nagios has started you can access its Web-based management interface from
'http://ip-addr-of-the-appliance/nagios.' The default username and password
for logging in are nagiosadmin and pass@word respectively. But to fine tune
Nagios you have to modify a lot of .cfg files. A complete how-to on configuring
Nagios can be found at http://ip-addr-of-the-appliance/nagios/docs. And for
your comfort we have created samples of the most important config files. You
can find them at /etc/nagios/nagios.cfg.
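To show what those hand-written .cfg files look like, here is an added shell helper (not from the article or from the Nagios project) that prints a host object plus PING and HTTP service objects for every "name address" line on standard input. The check command names check-host-alive, check_ping and check_http are the ones shipped in the stock commands.cfg; the contact group admins is a placeholder you would define in your own contacts file, and the threshold values are illustrative.

```shell
#!/bin/sh
# Added example: generate Nagios host and service objects from a host list.
# check-host-alive, check_ping and check_http come from the stock commands.cfg;
# the "admins" contact group is a placeholder and must exist in your config.

# Emit one host object and two service objects for a single server.
nagios_host_cfg() {
    name=$1; addr=$2
    cat <<EOF
define host {
    host_name            $name
    alias                $name
    address              $addr
    check_command        check-host-alive
    max_check_attempts   5
    check_period         24x7
    notification_period  24x7
    contact_groups       admins
}

define service {
    host_name             $name
    service_description   PING
    check_command         check_ping!100.0,20%!500.0,60%
    max_check_attempts    3
    normal_check_interval 5
    retry_check_interval  1
    check_period          24x7
    notification_period   24x7
    contact_groups        admins
}

define service {
    host_name             $name
    service_description   HTTP
    check_command         check_http
    max_check_attempts    3
    normal_check_interval 5
    retry_check_interval  1
    check_period          24x7
    notification_period   24x7
    contact_groups        admins
}

EOF
}

# Read "name address" pairs from stdin and emit objects for each of them.
nagios_hosts_cfg() {
    while read -r name addr; do
        if [ -n "$name" ] && [ -n "$addr" ]; then
            nagios_host_cfg "$name" "$addr"
        fi
    done
}

# Usage: printf 'web1 192.168.3.10\n' | sh gen.sh > /etc/nagios/hosts.cfg
# then include that file from nagios.cfg and verify with: nagios -v /etc/nagios/nagios.cfg
if [ "${1-}" = "stdin" ]; then
    nagios_hosts_cfg
fi
```

Always run 'nagios -v' against the main configuration file after editing, so that a typo in an object definition is caught before you restart the daemon.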

NTop



This network monitoring tool needs no introduction; without any doubt it has
earned its place in this appliance. The complete package is installed, so you
don't have to do anything except run it on your network. Running it is also
very simple. You have two options here: run it in daemon mode or as a standard
app. The command for running it in standard mode is: #ntop -i ethx

Here, with the '-i' switch, you have to provide the name of the network card on
which you want to run NTop. So, for instance, if your appliance is using the
eth0 network adapter to connect to your physical network, then the command will
look like 'ntop -i eth0.' To run it as a daemon, the command will be
#ntop -d -i ethx

Once NTop has started, you can access it from any machine on the same network
by opening a Web browser and giving the address
'http://ip-addr-of-the-appliance:3000', where ip-addr-of-the-appliance is the
physical IP of the PCQLinux Security and Monitoring Appliance. Port 3000 is the
default port of NTop, and when no other port is explicitly provided it uses
this port. You can also explicitly give NTop some other port by using the -W
switch with the port number while running it: #ntop -d -i eth0 -W port-number

Ettercap



Ettercap is one of the best sniffing and man-in-the-middle tools, with lots of
plug-ins. You can do good penetration testing of your network by using this
tool. It can simulate all those attacks which a hacker would run in a LAN
environment to capture data. Running it is pretty simple. Just type the command
'ettercap -C' and it will start. To start the sniffing process, click on the
Sniffing menu and then on Unified Sniffing. It will ask you to select the
network card on which you want to set the watch. Next, hit Enter to start the
sniffing process. If you want to do some targeted sniffing, then go to the
Targets menu and click on the 'Select target' option. A pop-up will open; here
select the targets (source and destination) on which you want to set the
sniffing and hit Enter to start the sniffing process. You can even scan for all
the live hosts from the Hosts > Scan for hosts option. From here you can
directly select and add targets for sniffing. Once the sniffing on targets has
started, you can see the data flowing between both machines from the View >
Connections option. All authentication-related data, such as passwords and
usernames, will be separately identified and listed at the bottom of the page.

(Figure caption: With EtherApe one can monitor real-time data flow happening
between any two clients on your network.)

You can even run a suite of different plugins from the Plugins menu. To start
plugins, go to the Plugins menu and select the 'Manage plugins' option. There
are more than 20 different plugins available with Ettercap, with which you can
run simple DoS attacks, ARP poisoning attacks, file theft attacks, isolate
nodes, etc.

Dsniff Suite



Yet another sniffing and spoofing tool for penetration testing. Unlike
Ettercap, it doesn't run from a single window, but is a set of tools which you
can run manually to simulate a LAN attack in many ways. The suite contains the
tools mentioned in the table. Explaining how to run each of these is not
possible in a single article, so we will talk about them one by one in our
coming issues. But if you can't wait that long, then 'man' can solve your
problem. Just run the 'man' command with the name of the tool and you will get
a detailed description and a how-to on running it. Just make sure you type the
name in lowercase.

EtherApe



This is a small tool which can work as a great network traffic monitoring
utility in NOCs. The core job of EtherApe is to graphically represent the data
flow between all machines on your network in real time. Different protocols
are represented in different colors, and the amount of data is represented by
the thickness of the line joining the source and the destination machine.
Running the application is very simple. All you have to do is run the command
#etherape from an X terminal and a window will pop up. In this window, click on
the Capture menu and then go to the Interface option to select the network
card on which you want to run the monitoring. Once you have selected the
network card, go to the Mode option in the same menu to select the type of
protocol and network you want to monitor. For instance, you can select between
options like TCP and IP, or Ethernet, Token Ring and FDDI networks. Once you
are done with the selection, the monitoring process will start and you will be
presented with the real-time data traffic flow of your network.

Arpwatch



A very useful tool to monitor ARP spoofing or any sort of suspicious ARP
activity. All you have to do is run the command
#arpwatch -i eth0 -s yourmail@id.com -e yourmail@id.com
Here, replace yourmail@id.com with the mail id where you would like to receive
alerts from arpwatch. This tool will keep running and will notify you in case
it finds any ARP flip-flop or some other kind of ARP poisoning happening on the
network.
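The "flip-flop" arpwatch reports is simply an IP address that starts answering from a different MAC. As an added example (not from the article or from arpwatch), the shell script below shows that signal on its own: it parses 'arp -an' style output into "ip mac" pairs and diffs two snapshots of the table, printing every address whose MAC changed. All addresses in it are constructed sample data, and the function names are ours.

```shell
#!/bin/sh
# Added example (not from the article or arpwatch): find IP-to-MAC flip-flops
# by comparing two ARP-table snapshots. All addresses are constructed samples.

# Turn `arp -an` style lines, e.g.
#   ? (192.168.3.1) at 00:11:22:33:44:55 [ether] on eth0
# into "ip mac" pairs; incomplete entries carry no MAC and are dropped.
parse_arp_an() {
    sed -n 's/^.*(\([0-9.]*\)) at \([0-9A-Fa-f:][0-9A-Fa-f:]*\).*$/\1 \2/p'
}

# Print every IP whose MAC differs between the earlier ($1) and later ($2)
# snapshot; MACs are lower-cased so case differences are not false alarms.
arp_flipflops() {
    awk 'NR == FNR { old[$1] = tolower($2); next }
         ($1 in old) && old[$1] != tolower($2) {
             print $1, old[$1], "->", tolower($2) }' "$1" "$2"
}

# Demo on constructed data: the gateway 192.168.3.1 answers from a new MAC,
# which is the pattern an ARP-poisoning attempt on the default route leaves.
demo_flipflops() {
    before=$(mktemp); after=$(mktemp)
    cat >"$before" <<'EOF'
192.168.3.1 00:11:22:33:44:55
192.168.3.10 aa:bb:cc:dd:ee:01
192.168.3.11 aa:bb:cc:dd:ee:02
EOF
    cat >"$after" <<'EOF'
192.168.3.1 DE:AD:BE:EF:00:01
192.168.3.10 aa:bb:cc:dd:ee:01
192.168.3.11 aa:bb:cc:dd:ee:02
192.168.3.12 aa:bb:cc:dd:ee:03
EOF
    arp_flipflops "$before" "$after"
    rm -f "$before" "$after"
}

# Usage: sh flipflop.sh demo
# Live use: arp -an | parse_arp_an > now.txt, then arp_flipflops earlier.txt now.txt
if [ "${1-}" = "demo" ]; then demo_flipflops; fi
```

A new host appearing (192.168.3.12 above) is not reported, since a first sighting is not a change; arpwatch logs those separately as "new station" messages.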