slackbuilds/system/ntopng
Lockywolf 9936592c0c
system/ntopng: Added (system monitoring).
Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
2023-11-25 21:43:04 +07:00
..
README
doinst.sh
ntopng.SlackBuild
ntopng.info
ntopng.logrotate
rc.ntopng
slack-desc

README

ntopng is a network probe that shows network usage in a way similar to
what top does for processes. It acts as a Web
server, creating an HTML dump of the network status.

It is a successor to ntop, which is discontinued. Main differences seem
to be:

a. No terminal interface present. Only web.
b. No built-in flow collector, at least not for NetFlow or sFlow.

When installing ntopng, pay attention to the following:

1. UID/GID
ntopng needs to run under its own user/group. This has been assigned to
the following by SlackBuilds.org, but feel free to change it on your
system for consistency with local assignments.
  User:   ntopng            UID: 212        GID: 212
  group:  ntopng                            GID: 212
You can change pass alternate values for the user and group using
NTOPUSER and NTOPGROUP variables when running the build script.

The build script will suggest creating these groups if they are not
present.

2. Log rotation.

Logs are placed in /var/log/ntopng/ and will be rotated every week. The
log rotation will restart the ntopng server which will reset the ntopng
statistics. If you want to keep the statistics you have to edit or
delete the /etc/logrotate.d/ntopng file.

3. Flow collection

ntopng now uses a custom flow collection format, based on zeromq. To
convert a standard NetFlow or sFlow into this format, the developer
suggess bying their commercial tool called nProbe.

However, there exists a free software flow collection (supporting only)
NetFlowV9, called netflow2ng. It is not available on SBo, but there is
an unfinished SlackBuild for it, which can be found on

https://gitlab.com/Lockywolf/lwfslackbuilds/-/raw/master/\
10_unfit-for-sbo-require-network/netflow2ng/\
netflow2ng.SlackBuild?ref_type=heads

4. Geoidentification and dynamic data

ntopng depends on some dynamic data in order to display relevant
information about the flows.

a. Geographical distribution of IP addresses. ntopng can use both
   maxmind, and db-ip information, both free-low-quality, and
   paid-high-quality. Maxmind data can be updated by running
   geoipupdate from cron on a weekly basis. These data are usually
   installed globally, into /var/lib/GeoIP/. For more information,
   consult doc/README.geolocation.md, and keep in mind that ntopng-data
   does not exist on Slackware, but geoipupdate does.
b. Various lists:
'Abuse.ch URLhaus' [https://urlhaus.abuse.ch/downloads/hostfile/]
'Emerging Threats' [https://rules.emergingthreats.net/fwrules/\
emerging-Block-IPs.txt]
'NoCoin Filter List' [https://raw.githubusercontent.com/hoshsadiq/\
adblock-nocoin-list/master/hosts.txt]
'SSLBL Botnet C2 IP Blacklist' [https://sslbl.abuse.ch/blacklist/\
sslipblacklist.txt]
'Stratosphere Lab' [https://mcfp.felk.cvut.cz/publicDatasets/\
CTU-AIPP-BlackList/Todays-Blacklists/\
AIP_historical_blacklist_prioritized_by_newest_attackers.csv]
'ThreatFox' [https://threatfox.abuse.ch/downloads/hostfile/]
'dshield 7 days' [https://raw.githubusercontent.com/firehol/\
blocklist-ipsets/master/dshield_7d.netset]
        Those lists are updated automatically by ntopng, periodically.
        There is a configuration option to disable these updates.


5. nDPI

ntopng depends on nDPI, a Deep Packet Inspection library. SBo has a
SlackBuild for nDPI, however, in recent versions ntopng prefers to use
its own version of nDPI, linked-in statically. If you find that the
built-in version deviates in features from the standalone one, you are
welcome to report this.

6. redis

ntopng requires redis. The version on SBo is enough, but it needs to
be running before ntopng can be started.

7. ntopng crashes when started as a daemon. I am not sure why. The
initscript at the moment just starts it in the background and disowns.
ntopng also does not terminate on sigterm normally, hence the rc script
kill-9's it. If you have better ideas, submit a patch to the slackbuild.
Due to all this stupidities, rc.ntopng is a .new script, so it will not
be overwritten on upgrade. We really need a better version.

8. ntopng goes insane when it sees "virtual ethernets" that are usually
created to communicate between network namespaces. Do not be surprised
if weird effect appear, and possibly remove those virtual ethernets
from the listening list.