today I found this slightly useful

2017.04.06

Installing Cacti for network monitoring

2016.09.25

Short form install instructions for Debian-based Linuxes:

 apt-get install cacti

You may be prompted to install Apache and MySQL if you don’t have them installed.

You will be prompted to select the webserver for which Cacti should be configured; select the appropriate one and then if MySQL is being installed, you’ll be prompted to set the MySQL ‘root’ user password.

The next prompt will be:

 The cacti package must have a database installed and configured before it can be used. 
 This can be optionally handled with dbconfig-common.
 Configure database for cacti with dbconfig-common?

Select yes and then enter the MySQL ‘root’ password when prompted. This will create the MySQL db and db user for cacti. You’ll be prompted for a password to set for that db user:

 Please provide a password for cacti to register with the database server. If left blank, a random password will be generated.
 MySQL application password for cacti:

Put a password in and then open your browser to http://$_the_server_you_installed_cacti_on/cacti ($_the_server_you_installed_cacti_on is either the FQDN or IP address of the server), select New Installation and click next: http://i.imgur.com/yI4sfm1.png

Configure the options and paths. If any paths are not filled in, do a “which” on the command line of the server you’re installing on, and it should give you the full path.

 $ which php
 /usr/bin/php

If it’s not installed, install it with apt-get.

Log in with the username admin and password admin and you will be prompted to change the password.

Short form install for Redhat-based distributions:

Install the required packages:

 yum install httpd httpd-devel mysql mysql-server php-mysql php-pear php-common php-gd php-devel php php-mbstring php-cli php-snmp net-snmp-utils net-snmp-libs rrdtool

MariaDB can be used instead of MySQL if you’ve already transitioned to it from mysql.

Start the www, db and snmp services:

 systemctl start httpd.service
 systemctl start mariadb.service
 systemctl start snmpd.service

and enable the services to autostart (chkconfig if you’re on older systems):

 systemctl enable httpd.service
 systemctl enable mariadb.service
 systemctl enable snmpd.service

Create a cacti database in your mysql:

 # mysql -u root -p -e 'create database cacti'

Create a cacti user with password ‘12345whatacoincidence’:

 # mysql -u root -p
 mysql> GRANT ALL ON cacti.* TO cacti@localhost IDENTIFIED BY '12345whatacoincidence';
 mysql> FLUSH privileges;
 mysql> \q

Installing cacti is made easier if you have the EPEL repo enabled, because then it’s just:

 yum install cacti

More info on EPEL repo: http://www.tecmint.com/how-to-enable-epel-repository-for-rhel-centos-6-5/

The other (slightly more finicky) method is the tried and true compile-it-yourself method: http://www.cacti.net/download_cacti.php

In any case, when you have it installed, you’ll want to import the cacti tables from cacti.sql, so first, find ‘cacti.sql’:

 # rpm -ql cacti | grep cacti.sql

and then (assuming it told you the file is in “/opt/cacti/cacti-0.8.7d/cacti.sql”), import the file:

 # mysql -u cacti -p cacti < /opt/cacti/cacti-0.8.7d/cacti.sql

Then you will need to edit your /etc/cacti/db.php file, using your actual values:

 $database_type = "mysql";
 $database_default = "cacti";
 $database_hostname = "localhost";
 $database_username = "cacti";
 $database_password = "12345whatacoincidence";
 $database_port = "3306";

Update your httpd config (probably /etc/httpd/conf.d/cacti.conf) to allow traffic to your cacti site (or set up .htpasswd for that directory) and then restart httpd.

Edit the file /etc/cron.d/cacti to uncomment the cacti line.

Finally you’re able to open your browser to http://$_the_server_you_installed_cacti_on/cacti ($_the_server_you_installed_cacti_on is either the FQDN or IP address of the server), select New Installation and click next: http://i.imgur.com/yI4sfm1.png

Configure the options and paths. If any paths are not filled in, do a “which” on the command line of the server you’re installing on, and it should give you the full path:

 $ which php
 /usr/bin/php

If it’s not installed, install it with yum.

Log in with the username admin and password admin and you will be prompted to change the password.
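
The /etc/cacti/db.php edited earlier in this section keeps the database password in cleartext, and the value shown there is a placeholder that should never reach a live server. As an added example (not part of the original post), this shell check reads a db.php and flags a file readable by other users, a weak or sample password, or a root connection; the function names and the 16-character minimum are assumptions.

```shell
# Added example, not from the original post; function names are hypothetical.

# Constructed sample: the db.php values shown in the walkthrough above.
sample_dbphp() {
    cat <<'EOF'
$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "cacti";
$database_password = "12345whatacoincidence";
$database_port = "3306";
EOF
}

# Print the string assigned to $database_NAME in FILE.
dbphp_value() {  # usage: dbphp_value FILE NAME
    sed -n "s/^[[:space:]]*\\\$database_$2[[:space:]]*=[[:space:]]*[\"']\\(.*\\)[\"'][[:space:]]*;.*/\\1/p" "$1" | tail -n 1
}

# Print one line per finding; the return status is the number of findings.
audit_cacti_dbphp() {  # usage: audit_cacti_dbphp FILE
    f=$1; n=0
    user=$(dbphp_value "$f" username)
    pw=$(dbphp_value "$f" password)
    # The file holds a cleartext credential, so "other" should have no access.
    other=$(ls -ld "$f" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "FAIL: $f grants '$other' to other users"; n=$((n + 1))
    fi
    # Reject empty, guessable, or copied-from-a-tutorial passwords.
    # The 16-character floor is an assumption; set it to your own policy.
    case $pw in
        ''|"$user"|12345whatacoincidence) weak=1 ;;
        *) if [ "${#pw}" -lt 16 ]; then weak=1; else weak=0; fi ;;
    esac
    if [ "$weak" -eq 1 ]; then
        echo "FAIL: password is empty, the username, the sample value, or too short"; n=$((n + 1))
    fi
    # Cacti should use its own account (created above), not the MySQL root user.
    if [ "$user" = "root" ]; then
        echo "FAIL: connects as MySQL root"; n=$((n + 1))
    fi
    return "$n"
}

# Demo on the constructed sample with a typical default file mode.
tmp=$(mktemp); sample_dbphp > "$tmp"; chmod 644 "$tmp"
audit_cacti_dbphp "$tmp" || echo "$? finding(s)"
rm -f "$tmp"
```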

Installing Cacti in Windows

If you have a WAMP install (because no one will give you a nickel to get a real computer), then you can still install cacti: http://myconfigure.blogspot.com/2013/02/the-easiest-way-to-install-cacti-on.html

Followup

  1. Log in to Cacti and set up your systems/switches/routers/firewalls to be monitored.
  2. Install and configure Network Weathermap and tell it to use your Cacti (or mrtg etc.) data so you can get a nice realtime(-ish) graph of your speeds and feeds.
  3. Install and configure the thold plugin to alert you if the systems you’re monitoring are dropping below a particular threshold.

 

Categories : HowTo  Networking

MACSec Redux

2016.09.15

Good ol’ MACSec.

First, I posted a quick and dirty notes-for-myself, MACSec how-to for Juniper.

Then, I posted a similar MACSec howto for Cisco. So here’s a miscellany of different macsec implementations.

Let’s say you want to run your own router, because your Layer 8 & 9 specialists mandate it: here’s MACSec on Linux.

Here’s a guy who did cisco-switch-to-cisco-switch macsec over an mpls link between a cisco and juniper router (because macsec works at layer 1 and thus you need to fake layer 1 via MPLS). So that’s a thing.

Here’s Extreme Networks’ MACSec implementation:

set macsec port mka enable tg.1.1
set macsec pre-shared-key port tg.1.1 ckn foo cak passphrase bar

HP switches macsec config

Brocade MACSec details and also a Brocade sample config of MACSec.

Weaponizing nessus

2016.06.20

from the “when your only tool is a hammer, everything looks like a nail” files, comes this amusing tidbit: http://www.shellntel.com/blog/2016/6/7/weaponizing-nessus

 

Categories : Security

Network monitoring

2016.06.09

I’m a big fan of Network Weathermap, so I thought this addition, http://lesser-evil.com/2016/06/rack-diagrams-with-weathermap/, to add rack diagrams to NW, to be pretty great. It makes a great addition/companion to Cacti, about which I’ve written before. It can be kind of finicky to get everything working, but when you do, it’s pretty great.

Categories : Networking

DNS Fuckery

2016.03.21

Cloudflare on how they’re mitigating reflection attacks. The tl;dr: optimized crypto (elliptic curve instead of RSA) for signing DNSSEC, refusing the ANY request and keeping responses within the constraints of a 512-byte UDP packet to mitigate amplification.

Detecting DNS Tunnelling via PacketBeat and Watcher and Elasticsearch

RandomDNS for randomizing use of DNSCrypt

 

hadoop sleuthkit

2016.02.02

This is pretty great: https://github.com/sleuthkit/hadoop_framework/wiki

tl;dr for the impatient: sleuthkit forensic analysis foisted onto a hadoop framework for faster processing of large amounts of data

I haven’t had to use sleuthkit/autopsy in a few years but this is a nice bit of amalgamation.

Cisco MACSec Notes

2015.11.05

A while back I did notes for MACSec on Juniper devices and here’s the Cisco equivalent of the 802.1AE (“MAC Sec”) implementation

  1. Your Cisco device needs to be running either an IP Base or IP Services image. MACSec is not happening otherwise.
  2. switch# cts credentials id trustsec password mypassword
  3. en then, conf t, then int Gig1/1 (or whatever)
  4. switch(config-if)# cts man
    % Enabling macsec on Gi1/1 (may take a few seconds)…
    switch(config-if-cts-manual)#no propagate sgt
    switch(config-if-cts-manual)#sap pmk abc123 mode-list gcm-encrypt
    switch(config-if-cts-manual)#no shut

Where abc123 is your shared secret. I believe this is analogous to Juniper’s cak. You can do this to aggregated links (“port-channel” for you Cisco folks) but you have to do it before you aggregate the trunks together into a single logical interface. E.g., do this on Gig1/1 and Gig1/2 and then create int Port-channel1 (channel-group 1 mode on in the interface config).

Notes:

mode-list options are:

  • gcm-encrypt (authentication and encryption)
  • gmac (auth, no encrypt)
  • null (encapsulation only; no auth, no encryption)

 

Gotchas:

  • to use 802.1x (cts dot1x) as opposed to cts man above, you have to enable 802.1x globally on each device.
  • if you select gcm as the sap mode, you need an additional macsec license from cisco (as well as the ipbase or ipservices image/license). if you select gcm without the license, the interface goes into link-down state.
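
Because gmac and null leave the link unencrypted, it is worth checking saved switch configs for any sap line that permits them. This added example (not from the original post or from Cisco) scans a config for cts manual interfaces and assumes mode-list may name several modes in preference order; the function names and the sample config are constructed.

```shell
# Added example, not from the original post; function names are hypothetical.

# Constructed sample in the command forms used in the notes above.
sample_switch_config() {
    cat <<'EOF'
interface GigabitEthernet1/1
 cts manual
  no propagate sgt
  sap pmk abc123 mode-list gcm-encrypt
!
interface GigabitEthernet1/2
 cts manual
  sap pmk abc123 mode-list gcm-encrypt gmac
!
interface GigabitEthernet1/3
 cts manual
  sap pmk abc123 mode-list null
!
interface GigabitEthernet1/4
 switchport mode trunk
EOF
}

# Print one line per interface whose SAP settings permit an unencrypted link;
# the return status is the number of findings.
audit_sap_modes() {  # usage: audit_sap_modes CONFIG_FILE
    awk '
    function end_iface() {
        if (cts && !sap) { print ifname ": cts manual without a sap line"; bad++ }
    }
    $1 == "interface" { end_iface(); ifname = $2; cts = 0; sap = 0; next }
    $1 == "cts" && $2 ~ /^man/ { cts = 1; next }
    cts && $1 == "sap" {
        sap = 1; weak = ""
        for (i = 1; i <= NF; i++) if ($i == "mode-list") break
        if (i > NF) { print ifname ": sap line has no explicit mode-list"; bad++; next }
        for (j = i + 1; j <= NF; j++) if ($j != "gcm-encrypt") weak = weak " " $j
        if (weak != "") { print ifname ": mode-list also permits" weak; bad++ }
    }
    END { end_iface(); exit bad + 0 }
    ' "$1"
}

# Demo on the constructed sample.
cfg=$(mktemp); sample_switch_config > "$cfg"
audit_sap_modes "$cfg" || echo "$? interface(s) can negotiate down from gcm-encrypt"
rm -f "$cfg"
```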

Debugging:

show cts credentials

show macsec summary

show macsec interface

show authentication sessions interface gigabitethernet1/1

 

Additional reading:

The actual Cisco doc (this is for a cat4500 but translates well most places) http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/15-1/XE_330SG/configuration/guide/config/swmacsec.html (here’s one for 3750/3560)

http://www.petenetlive.com/KB/Article/0001000.htm

http://www.virtualpackets.com/cisco-trustsec-switch-to-switch-link-security-manual-mode/

 

debian drops sparc

2015.07.27

Man, kind of a bummer: https://lists.debian.org/debian-devel-announce/2015/07/msg00006.html

I spent a few weeks tweaking old sparc boxes to work with FreeBSD, and getting to know the hardware and making it work with software that wasn’t originally meant for it was a great lesson.

Categories : News

Xwindows and Windows

2015.06.19

Exceed is the best. Unfortunately, it is pricey: http://connectivity.opentext.com/buy-online.aspx

Your other options are:

MobaXterm: in free and pay versions, pretty simple to install/setup and use.

Xming: free (old version) or pay (current version), also pretty simple to use.

Cygwin/X: complicated, kludgey and you should probably avoid it.

 

http://stackoverflow.com/questions/40453/what-is-a-good-and-free-x-server-for-windows
