mirror of
https://github.com/Ponce/slackbuilds
synced 2024-11-25 10:03:03 +01:00
…
|
||
---|---|---|
.. | ||
doinst.sh | ||
ntopng.info | ||
ntopng.logrotate | ||
ntopng.SlackBuild | ||
rc.ntopng | ||
README | ||
slack-desc |
ntopng is a network probe that shows network usage in a way similar to what top does for processes. It acts as a Web server, creating an HTML dump of the network status. It is a successor to ntop, which is discontinued. Main differences seem to be: a. No terminal interface present. Only web. b. No built-in flow collector, at least not for NetFlow or sFlow. When installing ntopng, pay attention to the following: 1. UID/GID ntopng needs to run under its own user/group. This has been assigned to the following by SlackBuilds.org, but feel free to change it on your system for consistency with local assignments. User: ntopng UID: 212 GID: 212 group: ntopng GID: 212 You can change pass alternate values for the user and group using NTOPUSER and NTOPGROUP variables when running the build script. The build script will suggest creating these groups if they are not present. 2. Log rotation. Logs are placed in /var/log/ntopng/ and will be rotated every week. The log rotation will restart the ntopng server which will reset the ntopng statistics. If you want to keep the statistics you have to edit or delete the /etc/logrotate.d/ntopng file. 3. Flow collection ntopng now uses a custom flow collection format, based on zeromq. To convert a standard NetFlow or sFlow into this format, the developer suggess bying their commercial tool called nProbe. However, there exists a free software flow collection (supporting only) NetFlowV9, called netflow2ng. It is not available on SBo, but there is an unfinished SlackBuild for it, which can be found on https://gitlab.com/Lockywolf/lwfslackbuilds/-/raw/master/\ 10_unfit-for-sbo-require-network/netflow2ng/\ netflow2ng.SlackBuild?ref_type=heads 4. Geoidentification and dynamic data ntopng depends on some dynamic data in order to display relevant information about the flows. a. Geographical distribution of IP addresses. ntopng can use both maxmind, and db-ip information, both free-low-quality, and paid-high-quality. Maxmind data can be updated by running geoipupdate from cron on a weekly basis. These data are usually installed globally, into /var/lib/GeoIP/. For more information, consult doc/README.geolocation.md, and keep in mind that ntopng-data does not exist on Slackware, but geoipupdate does. b. Various lists: 'Abuse.ch URLhaus' [https://urlhaus.abuse.ch/downloads/hostfile/] 'Emerging Threats' [https://rules.emergingthreats.net/fwrules/\ emerging-Block-IPs.txt] 'NoCoin Filter List' [https://raw.githubusercontent.com/hoshsadiq/\ adblock-nocoin-list/master/hosts.txt] 'SSLBL Botnet C2 IP Blacklist' [https://sslbl.abuse.ch/blacklist/\ sslipblacklist.txt] 'Stratosphere Lab' [https://mcfp.felk.cvut.cz/publicDatasets/\ CTU-AIPP-BlackList/Todays-Blacklists/\ AIP_historical_blacklist_prioritized_by_newest_attackers.csv] 'ThreatFox' [https://threatfox.abuse.ch/downloads/hostfile/] 'dshield 7 days' [https://raw.githubusercontent.com/firehol/\ blocklist-ipsets/master/dshield_7d.netset] Those lists are updated automatically by ntopng, periodically. There is a configuration option to disable these updates. 5. nDPI ntopng depends on nDPI, a Deep Packet Inspection library. SBo has a SlackBuild for nDPI, however, in recent versions ntopng prefers to use its own version of nDPI, linked-in statically. If you find that the built-in version deviates in features from the standalone one, you are welcome to report this. 6. redis ntopng requires redis. The version on SBo is enough, but it needs to be running before ntopng can be started. 7. ntopng crashes when started as a daemon. I am not sure why. The initscript at the moment just starts it in the background and disowns. ntopng also does not terminate on sigterm normally, hence the rc script kill-9's it. If you have better ideas, submit a patch to the slackbuild. Due to all this stupidities, rc.ntopng is a .new script, so it will not be overwritten on upgrade. We really need a better version. 8. ntopng goes insane when it sees "virtual ethernets" that are usually created to communicate between network namespaces. Do not be surprised if weird effect appear, and possibly remove those virtual ethernets from the listening list.