CentOS 7 – NTOPNG web interface with SSL

Today we’re going to add SSL to our NTOP installation. This post is divided in two parts and it assumes that ntop is already installed.

If you don’t want to generate your own certificate and use the test certificate offered by ntopng (/usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem) be sure you have openssl and openssl-devel and then jump to the second part:

yum install openssl openssl-devel

If openssl-devel is not installed you may have problems starting the SSL server.

————————————————————-

First part – SSL Certificate

Once again, let’s be sure that you’ve openssl and openssl-devel

yum install openssl openssl-devel

Now we’re going to create our own Certification Authority and generate an SSL certificate for my test server: hobbes.artemit.lab. I’ll set no challenge password for the SSL certificate. The commands are shown in bold letters.

mkdir /root/certs

openssl genrsa -out /root/certs/CA.key 2048

Generating RSA private key, 2048 bit long modulus
 ............+++
 .....+++
 e is 65537 (0x10001)


openssl req -x509 -new -nodes -sha256 -extensions v3_ca -key /root/certs/CA.key -days 3650 -out /root/certs/CA.pem


You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ES
State or Province Name (full name) []:Palencia
Locality Name (eg, city) [Default City]:Palencia
Organization Name (eg, company) [Default Company Ltd]:ArtemIT Labs
Organizational Unit Name (eg, section) []:n40lab
Common Name (eg, your name or your server's hostname) []:hobbes.artemit.lab
Email Address []:mcabrerizo@artemit.com.es


openssl genrsa -out /root/certs/hobbes.key 2048


Generating RSA private key, 2048 bit long modulus
 ................................+++
 ..+++
 e is 65537 (0x10001)


openssl req -new -sha256 -key /root/certs/hobbes.key -days 3650 -out /root/certs/hobbes.csr

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ES
State or Province Name (full name) []:Palencia
Locality Name (eg, city) [Default City]:Palencia
Organization Name (eg, company) [Default Company Ltd]:ArtemIT Labs
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:hobbes.artemit.lab
Email Address []:mcabrerizo@artemit.com.es
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

openssl x509 -req -sha256 -in /root/certs/hobbes.csr -CA /root/certs/CA.pem -CAkey /root/certs/CA.key -CAcreateserial -out /root/certs/hobbes.crt -days 3650

Signature ok
 subject=/C=ES/ST=Palencia/L=Palencia/O=ArtemIT Labs/CN=hobbes.artemit.lab/emailAddress=mcabrerizo@artemit.com.es
 Getting CA Private Key

You should import the CA.pem as a CA Authority in your browser to avoid SSL warnings.

Using https://github.com/ntop/ntopng/blob/dev/doc/README.SSL to help us, we know that we should store the cert in the folder /usr/share/ntopng/httpdocs/ssl and it should be named as ntopng-cert.pem.

You should delete the ntopng-cert.pem test file and the README or move them to a different folder:

rm /usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem
rm /usr/share/ntopng/httpdocs/ssl/README

Let’s prepare the cert needed by ntopng:

cat /root/certs/hobbes.key /root/certs/hobbes.crt /root/certs/CA.pem > /usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem

Let’s change permissions and ownership (nobody is the default user used by ntop after it starts):

chmod 640 /usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem
chown -R nobody:nobody /usr/share/ntopng/httpdocs/ssl

————————————

Second part – NTOP with SSL

Now it’s time to set the port where we want ntop to listen for SSL connections e.g 3001.

Let’s edit the conf file /etc/ntopng/ntopng.conf so the port is set correctly:

-G=/var/tmp/ntopng.pid\
-W=3001\
--community

Now we restart ntopng and check the status:

systemctl restart ntopng
systemctl status ntopng

ntopng.service - Start/stop ntopng program
 Loaded: loaded (/etc/systemd/system/ntopng.service; enabled)
 Active: active (running) since mié 2015-11-25 11:33:24 CET; 4s ago
 Process: 3887 ExecStop=/etc/systemd/scripts/ntopng stop (code=exited, status=0/SUCCESS)
 Process: 4151 ExecStart=/etc/systemd/scripts/ntopng start (code=exited, status=0/SUCCESS)
 Main PID: 4157 (ntopng)
 CGroup: /system.slice/ntopng.service
 └─4157 /usr/bin/ntopng /etc/ntopng/ntopng.conf
nov 25 11:33:21 hobbes.artemit.lab systemd[1]: Starting Start/stop ntopng program...
nov 25 11:33:24 hobbes.artemit.lab ntopng[4151]: Starting ntopng: 4157
nov 25 11:33:24 hobbes.artemit.lab ntopng[4151]: [ OK ]
nov 25 11:33:24 hobbes.artemit.lab systemd[1]: Started Start/stop ntopng program.

Ok, the server is running

If you like old netstat, you can install the net-tools package  and
run netstat -ntap | grep 3001 to check if ntop is listening:

yum install net-tools
netstat -ntap | grep 3001
 tcp6 0 0 :::3001 :::* LISTEN 4157/ntopng

Perfect, now remember to allow your traffic to port 3001 (or any other port), in my example I allow traffic from any host in my 192.168.1.0/24 network to 3001 port:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="3001" protocol="tcp" accept'

firewall-cmd --reload

And finally we can use the browser to open https://hobbes.artemit.lab:3001 and the web interface for ntopng now runs with SSL:

ntop_ssl

 

 

 

 

That’s all for now, if you need any help or find any error please let me know.

Enjoy!

 

Advertisements

CentOS 7 – Installing ntop (ntopng in fact) using RPM packages

Updated 9/11/2015: New instructions on how to start and configure ntopng, after Ntop has changed the behaviour. New CentOS repository added. Hiredis is now needed. Thanks so much to Shashi and Steven for your comments.

Ntop NG is an extraordinary tool that helps you to know more about your network traffic. It has a lot of great features and I use it mainly to know quickly what kind of traffic is being generated in my network lab thanks to its web interface with summaries and rrd charts. It supports sFlow so it will be great to use it with openvswitch and get some statistics.

Ntop offers RPM packages for both CentOS/RHEL 6 and CentOS/RHEL 7 so it’s very easy to install.

First of all we’re going to add the EPEL repository:

yum install epel-release wget

We’ll need to install the latest RPM packages: ntopng-data and ntopng.

Let’s create the ntop repository for the nightly builds:

cat <<EOT > /etc/yum.repos.d/ntop.repo
[ntop]
name=ntop packages
baseurl=http://packages.ntop.org/centos/\$releasever/\$basearch/
enabled=1
gpgcheck=1
gpgkey=http://packages.ntop.org/centos/RPM-GPG-KEY-deri
[ntop-noarch]
name=ntop packages
baseurl=http://packages.ntop.org/centos/\$releasever/noarch/
enabled=1
gpgcheck=1
gpgkey=http://packages.ntop.org/centos/RPM-GPG-KEY-deri
EOT

Let’s install the packages. We’ll have to accept Luca Deri’s GPG key:

yum install ntopng ntopng-data

Updated (thanks to Davide Lorenzetti for his comment): Let’s install the hiredis-devel package and start the redis server before starting ntopng. You can also enable the service to start at boot time using: systemctl enable redis.service

yum install hiredis-devel
systemctl start redis.service

Let’s start ntopng using systemctl.

systemctl start ntopng.service

Ntop will create a default configuration file at /etc/ntopng/ntopng.conf, however if you check the status, you’ll see that NTOP warns you about no Pro licence is found and so it will run in community mode after 10 minutes.

systemctl status ntopng
oct 16 19:29:38 tornasol.artemit.lab ntopng[3001]: [pro/NtopPro.cpp:145] WARNING: [LICENSE] ntopng will now run in pro mode for 10 minutes oct 16 19:29:38 tornasol.artemit.lab ntopng[3001]: [pro/NtopPro.cpp:147] WARNING: [LICENSE] before returning to community mode oct 16 19:29:38 tornasol.artemit.lab ntopng[3001]: [pro/NtopPro.cpp:148] WARNING: [LICENSE] You can buy a permanent license at http://shop.ntop.org oct 16 19:29:38 tornasol.artemit.lab ntopng[3001]: [pro/NtopPro.cpp:149] WARNING: [LICENSE] or run ntopng in community mode starting oct 16 19:29:38 tornasol.artemit.lab ntopng[3001]: [pro/NtopPro.cpp:150] WARNING: [LICENSE] ntopng --community oct 16 19:29:39 tornasol.artemit.lab ntopng[3001]: [src/HTTPserver.cpp:486] ERROR: Unable to start HTTP server (IPv4) on ports 3000,3001s Success

As we have no Pro licence (unless you get one of course) we can edit /etc/ntopng/ntopng.conf file to remove the warnings (I’ve added a \ after the pid file):

-G=/var/tmp/ntopng.pid\
--community

We’ll restart ntopng and check the status again:

systemctl restart ntopng
systemctl status ntopng
ntopng.service - Start/stop ntopng program Loaded: loaded (/etc/systemd/system/ntopng.service; enabled) Active: active (running) since vie 2015-10-16 21:19:52 CEST; 21s ago Process: 1711 ExecStop=/etc/systemd/scripts/ntopng stop (code=exited, status=0/SUCCESS) Process: 1756 ExecStart=/etc/systemd/scripts/ntopng start (code=exited, status=0/SUCCESS) Main PID: 1762 (ntopng) CGroup: /system.slice/ntopng.service └─1762 /usr/bin/ntopng /etc/ntopng/ntopng.conf oct 16 21:19:52 tornasol.artemit.lab ntopng[1756]: Starting ntopng: [ OK ] oct 16 21:19:52 tornasol.artemit.lab systemd[1]: Started Start/stop ntopng program.

Sweet. You can also enable the service to start at boot time using:

systemctl enable redis.service
systemctl enable ntopng.service

Ntopng listens by default at the 3000 TCP port so you’ll need a firewall rule if trying
to get access from a remote machine. If using the dynamic firewall daemon you can use
firewall-cmd to configure the firewall to allow traffic to 3000 port coming from a specific IP address (-s X.X.X.X, e.g my IP is 192.168.5.100). Note that this rule is not permanent.

firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 3000 -s 192.168.5.100 -j ACCEPT

Using a web browser, introduce the IP address of the host running ntop specifying port 3000(e.g http://192.168.1.185:3000). If a login/password shows, enter user admin and password admin and enjoy your ntopng network monitor!

ntop_screenshot

If you want to set any configuration options to /etc/ntopng/ntopng.conf file, I found it a little tricky so read the man page (man ntopng). I’ll update this post offering some examples.

A big thank you to Luca Deri and Ntop’s team!

Cheers!

P.S: If you want to use SSL with the web interface please read my post