One of my public-facing squid servers needed network monitoring, and that is when I came across this amazing realtime monitoring tool: ntopng.
In this post I am going to talk about the installation of ntopng on Ubuntu 14.04, as my production squid server runs Ubuntu 14.04. I will also cover some of the challenges encountered during the installation process. Here are the steps to follow:
- Set up the ntop package repository (this installs the apt source and signing key for apt-stable.ntop.org):
wget http://apt-stable.ntop.org/14.04/all/apt-ntop-stable.deb
dpkg -i apt-ntop-stable.deb
- Update the Ubuntu package lists and install ntopng:
apt-get update
apt-get install ntopng
- This gave an error, because ntopng depends on libmaxminddb0, which is not installable from the stock Ubuntu 14.04 repositories:
root@squid:~# apt-get install ntopng
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 ntopng : Depends: libmaxminddb0 but it is not installable
          Recommends: ntopng-data but it is not going to be installed
E: Unable to correct problems, you have held broken packages.
- Add the MaxMind PPA, install the missing dependency from it, and then retry the ntopng install:
root@squid:~# add-apt-repository ppa:maxmind/ppa
 More info: https://launchpad.net/~maxmind/+archive/ubuntu/ppa
Press [ENTER] to continue or ctrl-c to cancel adding it
gpg: keyring `/tmp/tmpdz2i3kct/secring.gpg' created
gpg: keyring `/tmp/tmpdz2i3kct/pubring.gpg' created
gpg: requesting key DE742AFA from hkp server keyserver.ubuntu.com
gpg: /tmp/tmpdz2i3kct/trustdb.gpg: trustdb created
gpg: key DE742AFA: public key "Launchpad PPA for MaxMind" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
OK
apt-get update
apt-get install libmaxminddb0 libmaxminddb-dev mmdb-bin
apt-get install ntopng
- Set up /etc/ntopng/ntopng.conf by adding the following lines to the configuration file, one option per line:
--user=ntopng
--interface=eth0
-w=<add server IP here>:3005
--community
--daemon
#--dump-flows=logstash # optional
#--disable-autologout # optional
#--disable-login=1 # optional
PLEASE NOTE the IP used in the configuration file: ntopng binds its web interface to exactly the address and port given in -w, so to reach the web interface on the public IP you must put that same public IP in the configuration file. Binding to a public address also exposes the ntopng web interface (and its login page) to the whole Internet, so leave --disable-login=1 commented out on a public-facing server and restrict TCP port 3005 to trusted source addresses with the server firewall.
- While starting ntopng, you might come across this error:
(Re)Starting ntopng...
 * Stopping ntopng
 * Missing /etc/ntopng/ntopng.start. Quitting
The fix is to create that file (touch /etc/ntopng/ntopng.start) and then start ntopng again.
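The steps above collected into one script, as an added example that is not part of the original post. It assumes an NTOPNG_CONF_DIR override of /etc/ntopng (so the config helpers can be tried in a scratch directory), an admin source range passed as the third argument for the iptables rule, and a conf_is_safe check of my own (not an ntopng feature) that refuses a configuration combining --disable-login=1 with a non-loopback bind address. Run it as root on an Ubuntu 14.04 host as `sh install-ntopng.sh install <server-ip> <admin-cidr>`.

```shell
#!/bin/sh
# Added example (not from the original post): the install procedure above
# as one script. NTOPNG_CONF_DIR is an assumption so the config helpers can
# be exercised in a temporary directory; the real path is /etc/ntopng.
set -eu

NTOPNG_CONF_DIR="${NTOPNG_CONF_DIR:-/etc/ntopng}"

# Repository setup and package install. Needs root and network access,
# so it only runs when the script is invoked with "install".
install_ntopng() {
    wget -q http://apt-stable.ntop.org/14.04/all/apt-ntop-stable.deb
    dpkg -i apt-ntop-stable.deb
    # libmaxminddb0 is not installable from the 14.04 archives: take it
    # from MaxMind's PPA before installing ntopng.
    add-apt-repository -y ppa:maxmind/ppa
    apt-get update
    apt-get install -y libmaxminddb0 libmaxminddb-dev mmdb-bin
    apt-get install -y ntopng
}

# Write ntopng.conf with one option per line; the web UI is bound to
# exactly $2:$3, which is why the server's own IP must be passed in.
write_ntopng_conf() {
    iface="$1"; bind_ip="$2"; port="$3"
    mkdir -p "$NTOPNG_CONF_DIR"
    cat > "$NTOPNG_CONF_DIR/ntopng.conf" <<EOF
--user=ntopng
--interface=$iface
-w=$bind_ip:$port
--community
--daemon
EOF
}

# Work around "Missing /etc/ntopng/ntopng.start. Quitting" from the init script.
ensure_start_file() {
    touch "$NTOPNG_CONF_DIR/ntopng.start"
    [ -f "$NTOPNG_CONF_DIR/ntopng.start" ]
}

# Assumed safety check (mine, not ntopng's): refuse a config that turns off
# login for all hosts while the UI is bound to anything but loopback.
conf_is_safe() {
    conf="$NTOPNG_CONF_DIR/ntopng.conf"
    if grep -q '^--disable-login=1' "$conf" && ! grep -q '^-w=127\.0\.0\.1:' "$conf"; then
        return 1
    fi
    return 0
}

# Allow the UI port only from an assumed admin CIDR; appended rules, so any
# earlier ACCEPT for the port in the INPUT chain would still win.
firewall_ui_port() {
    port="$1"; admin_cidr="$2"
    iptables -A INPUT -p tcp --dport "$port" -s "$admin_cidr" -j ACCEPT
    iptables -A INPUT -p tcp --dport "$port" -j DROP
}

if [ "${1:-}" = "install" ]; then
    install_ntopng
    write_ntopng_conf eth0 "$2" 3005
    ensure_start_file
    conf_is_safe || { echo "refusing to expose the ntopng UI without login" >&2; exit 1; }
    firewall_ui_port 3005 "$3"
    service ntopng start
fi
```

The install branch is deliberately separated from the helpers so that the configuration and start-file steps can be rehearsed on a non-root machine before touching the production proxy.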
As I am running ntopng on a proxy server, it allows me to view the realtime traffic flowing through the server. This traffic is displayed as flow talkers on the dashboard.
It further allows drilling the flows down to a specific port, in my case the squid proxy port 3128.
Another feature I think is useful is setting up the "Alert Endpoint" by integrating a webhook URL. It is mentioned specifically for Slack, but I tried it out with a Flock webhook, which worked perfectly.
ntopng started sending me alerts on the Flock channel for Flows Flood, Blacklisted Flow and Suspicious Activity on the host.
- Reference Links