The server every admin needs, part 2
Wednesday, July 15th, 2009 | Author: Ozzik

So, what’s next?
Let’s spend some time with the easier things.

Ntop. This one’s installed right from the standard repository (we already did so in the previous post).
The big question is why do you need it, right? Well, it’s a great tool that you can use for all kinds of purposes, but personally, I use it to monitor the Internet activity, or traffic loads to be exact.
The idea is very simple. If you have a setup like this: modem–>router–>firewall–>switch–>LANs, and you feel that the Internet is very slow, you just know that someone’s downloading something from rapidshare.com or maybe even a new 3GB MS DVD image, how do you know who’s the asshole?

If you have an open source firewall, like pfSense or maybe ClarkConnect, then you can just add the right package to it and know within a click. But what if you have Checkpoint’s Sbox or something similar? I mean, you have to plug your sniffer somewhere in between the switch and the firewall, right? So you have 2 choices: to actually put a sniffer (a server or a PC) in there and waste a piece of hardware plus add a SPOF (single point of failure, another thing that can just break), or you can just mirror your switch port. What’s that? :)

It’s actually pretty trivial. I think all Cisco switches, some Dells and probably some others have this feature. You just tell the switch to take one port (in our case, the one that has the firewall connected to it) and mirror all its traffic to another port - this is where you hook up.

In my case, I have a very old Cisco switch with CatOS, so I don’t think the exact command will be of any interest to you, but it’s pretty easy to find; it’s called “SPAN” (Switched Port Analyzer) in the Cisco world. After that all you have to do is give the server’s second network interface an address from a different network. Say you have a 10.0.0.0/24 LAN, so you just give it something from 192.168.8.0/24 or 10.0.9.0/24 - it doesn’t really matter. Just don’t give it any gateway. This will be the interface monitored by Ntop.

As for Ntop itself: first run it as a non-daemon:

sudo ntop -M

and set the admin password when prompted, then kill it and run it as a daemon:

sudo ntop -M -d

If, like me, you have a second network card just for this kind of monitoring, you should start it like this:

sudo ntop -M -d -i eth1

that is, of course, if your second card is eth1. I will also try to modify the init.d script for that later.

Now you can open it at http://yourserverip:3000 and play with it.
I actually use a direct link to see who’s the devil: maybe it’ll work for you too, otherwise just do your own setup.
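As an added example (not from the original post), here is a small wrapper for the steps above: it checks that the monitoring NIC has no default route, as advised, and is up in promiscuous mode, before starting ntop on it with the command used above. The interface name eth1, the 10.0.9.0/24 address and the sample ip route / ip link output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the dedicated
# SPAN-port monitoring NIC before starting ntop on it.
# "eth1", the addresses and the sample command output below are constructed.

# Constructed sample of `ip route show`: eth0 is the LAN side with the
# gateway, eth1 is the interface hooked to the mirrored switch port.
SAMPLE_ROUTES='default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.50
10.0.9.0/24 dev eth1 proto kernel scope link src 10.0.9.2'

# Constructed sample of `ip link show eth1` for a NIC already up in promisc.
SAMPLE_LINK='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'

# Exit 0 when no default route leaves via interface $1 in route table $2.
# A gateway on the sniffer NIC would turn a passive copy of the traffic
# into a second path the server might really route through.
no_gateway_on() {
    printf '%s\n' "$2" | grep -Eq "^default .*dev $1( |\$)" && return 1
    return 0
}

# Exit 0 when the `ip link show` output in $1 shows the NIC up and in
# promiscuous mode; mirrored frames are not addressed to us, so without
# PROMISC the card would drop most of what the switch copies to it.
is_promisc_up() {
    printf '%s\n' "$1" | grep -Eq '<[^>]*PROMISC[^>]*>.* state UP'
}

# The daemon start line from the post, for a given interface.
ntop_daemon_cmd() {
    printf 'ntop -M -d -i %s' "$1"
}

# Live run (as root): gather the real tables, refuse if a gateway is set,
# enable promisc if needed, then start ntop on the monitoring NIC.
if [ "${1:-}" = "--run" ]; then
    IFACE="${2:-eth1}"
    ROUTES=$(ip route show)
    LINK=$(ip link show "$IFACE")
    no_gateway_on "$IFACE" "$ROUTES" || {
        echo "$IFACE has a default route; remove its gateway first" >&2
        exit 1
    }
    is_promisc_up "$LINK" || ip link set "$IFACE" up promisc on
    $(ntop_daemon_cmd "$IFACE")
fi
```

Run it as `sudo sh ntop-span.sh --run eth1`; without `--run` it only defines the check functions.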

Now, the Plone.
