One of my public-facing Squid servers needed network monitoring, which is when I came across this amazing real-time monitoring tool: ntopng.
In this post I am going to talk about the installation of ntopng on Ubuntu 14.04, as my production Squid server runs Ubuntu 14.04. I will also cover some of the challenges I encountered during the installation. Here are the steps to follow:
- Set up the ntopng repository. Note that the .deb is fetched over plain HTTP and installed as root, so nothing in this step authenticates it; inspect the package before installing it.
wget http://apt-stable.ntop.org/14.04/all/apt-ntop-stable.deb
dpkg -i apt-ntop-stable.deb
- Update the Ubuntu package lists and install ntopng
apt-get update
apt-get install ntopng
- This fails because ntopng depends on libmaxminddb0, which is not installable from the stock Ubuntu 14.04 repositories:
root@squid:~# apt-get install ntopng
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
ntopng : Depends: libmaxminddb0 but it is not installable
Recommends: ntopng-data but it is not going to be installed
E: Unable to correct problems, you have held broken packages.
- Add the MaxMind PPA and install the dependency. Adding a PPA means trusting its signing key for every package it publishes, so take note of the key that gets imported below. Only libmaxminddb0 is required by ntopng; libmaxminddb-dev and mmdb-bin are optional extras (headers for building against the library, and the mmdblookup tool).
root@squid:~# add-apt-repository ppa:maxmind/ppa
More info: https://launchpad.net/~maxmind/+archive/ubuntu/ppa
Press [ENTER] to continue or ctrl-c to cancel adding it
gpg: keyring `/tmp/tmpdz2i3kct/secring.gpg' created
gpg: keyring `/tmp/tmpdz2i3kct/pubring.gpg' created
gpg: requesting key DE742AFA from hkp server keyserver.ubuntu.com
gpg: /tmp/tmpdz2i3kct/trustdb.gpg: trustdb created
gpg: key DE742AFA: public key "Launchpad PPA for MaxMind" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
OK
apt-get update
apt-get install libmaxminddb0 libmaxminddb-dev mmdb-bin
apt-get install ntopng
- Set up /etc/ntopng/ntopng.conf by adding the following lines to the configuration file:
--user=ntopng
--interface=eth0
-w=<add server IP here>:3005
--community
--daemon
#--dump-flows=logstash # optional
#--disable-autologout # optional
#--disable-login=1 # optional
PLEASE NOTE the IP used in the configuration file. ntopng binds its web interface to the address and port given to -w (the --http-port option), so to reach the interface on the public IP you must put that same public IP in the configuration file. This also means anyone who can reach port 3005 on that address gets the login page: keep login enabled (never combine --disable-login with a public bind), change the default admin password (ntopng ships with admin/admin) after the first login, and restrict the port with a firewall to the addresses you manage from.
- While starting ntopng, you might come across this error:
(Re)Starting ntopng...
* Stopping ntopng
* Missing /etc/ntopng/ntopng.start. Quitting
The fix is to touch the file /etc/ntopng/ntopng.start and then start ntopng.
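The steps above wrapped into one script, added here as an example (not code from the original post or from the ntop project). It generates the ntopng.conf shown above for a bind address you choose, refuses the combinations that expose the web UI without a login or keep ntopng running as root, creates the ntopng.start file the init script insists on, and, when run with --apply on a real host, performs the repository, package, firewall and service steps. The NTOPNG_ETC variable (default /etc/ntopng), the 203.0.113.10 address and the management CIDR are placeholders, and the iptables rules are an assumed policy, not something the post prescribes.

```shell
#!/bin/sh
# Added example, not from the original post or the ntop project.
# Assumptions: NTOPNG_ETC (default /etc/ntopng) is where ntopng reads its
# config; the --apply path takes BIND_ADDR and ALLOW_CIDR placeholders.

# Print a ntopng.conf for BIND_ADDR PORT IFACE (same lines as in the post).
gen_ntopng_conf() {
    addr="$1"; port="${2:-3005}"; iface="${3:-eth0}"
    printf '%s\n' \
        "--user=ntopng" \
        "--interface=${iface}" \
        "-w=${addr}:${port}" \
        "--community" \
        "--daemon"
}

# Address part of the -w line; empty when -w is a bare port or missing,
# which makes ntopng listen on every interface (IPv4 form only).
bind_addr_of() {
    bind=$(sed -n 's/^-w=\(.*\)$/\1/p' "$1")
    case "$bind" in
        *:*) printf '%s\n' "${bind%:*}" ;;
        *)   printf '\n' ;;
    esac
}

# Return 0 when CONF is acceptable on a public-facing host, 1 otherwise:
#  - a loginless UI (--disable-login) is only accepted on a loopback bind,
#  - a --user line must be present so ntopng drops root after start-up.
check_ntopng_conf() {
    conf="$1"
    addr=$(bind_addr_of "$conf")
    case "$addr" in
        127.*|localhost) public=0 ;;
        *)               public=1 ;;
    esac
    if [ "$public" -eq 1 ] && grep -q '^--disable-login' "$conf"; then
        echo "refusing: --disable-login with non-loopback bind '${addr:-all interfaces}'" >&2
        return 1
    fi
    if ! grep -q '^--user=' "$conf"; then
        echo "refusing: no --user line, ntopng would keep running as root" >&2
        return 1
    fi
    return 0
}

# The init script quits with "Missing /etc/ntopng/ntopng.start" until this
# (empty) file exists.
ensure_start_file() {
    etc="${NTOPNG_ETC:-/etc/ntopng}"
    mkdir -p "$etc" && touch "$etc/ntopng.start"
}

# Full procedure for a real host: sh this-script.sh --apply BIND_ADDR ALLOW_CIDR
apply() {
    addr="$1"; allow_cidr="$2"; etc="${NTOPNG_ETC:-/etc/ntopng}"
    wget -O apt-ntop-stable.deb http://apt-stable.ntop.org/14.04/all/apt-ntop-stable.deb
    dpkg -I apt-ntop-stable.deb     # look at the unauthenticated download before trusting it
    dpkg -i apt-ntop-stable.deb
    add-apt-repository -y ppa:maxmind/ppa
    apt-get update
    apt-get install -y libmaxminddb0 ntopng
    gen_ntopng_conf "$addr" 3005 eth0 > "$etc/ntopng.conf"
    check_ntopng_conf "$etc/ntopng.conf" || exit 1
    ensure_start_file
    # Assumed firewall policy: only the management network reaches the UI port.
    iptables -I INPUT -p tcp --dport 3005 -s "$allow_cidr" -j ACCEPT
    iptables -A INPUT -p tcp --dport 3005 -j DROP
    service ntopng start
}

if [ "${1:-}" = "--apply" ]; then
    apply "$2" "$3"
fi
```

Run it without arguments to load the functions only; the generator and checker work on any file, so you can point check_ntopng_conf at an existing /etc/ntopng/ntopng.conf before restarting the service.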
As I am running ntopng on a proxy server, it allows me to view the real-time traffic flowing through the server. This traffic is displayed as flow talkers on the dashboard.
It further allows drilling down the flows to a specific port, in my case the Squid proxy port 3128.
Another feature I think is useful is setting up the “Alert Endpoint” by integrating a webhook URL. It’s mentioned specifically for Slack, but I tried it out with a Flock webhook, which worked perfectly.
ntopng started sending me alerts on the Flock channel for Flows Flood, Blacklisted Flow and Suspicious Activity on the host.
- Reference Links