NetFlow Collection with Nfdump and Nfsen

Published: 08/15/2014

I'm in a rush to get this onto my online scrapbook, so hopefully I'll have time to clean the article formatting later. This is the quick how-to to get an open source NetFlow collector up and running on CentOS 6.x (x64).

Basic setup

Install the packages. Nfsen needs the RRDs Perl module, which on CentOS 6 is packaged as rrdtool-perl (not perl-rrdtool):


yum -y install httpd php perl-CPAN rrdtool rrdtool-devel rrdutils rrdtool-perl


Set SELinux to permissive mode. This is a shortcut, not hardening: permissive mode still logs every denial to /var/log/audit/audit.log but no longer blocks anything on the host. Review those denials once Nfsen is running and consider going back to enforcing after the nfsen paths have been labelled:


vi /etc/selinux/config
 SELINUX=permissive


The config file only takes effect at the next boot, so a reboot is not strictly required: run setenforce 0 to switch the running system immediately, and the file change makes it persist.

Then install temporary dependencies:


yum -y install gcc flex make byacc


Install the Perl modules Nfsen needs. On CentOS 6 the first two also ship as perl-MailTools in the base repository and Socket6 as perl-Socket6 in EPEL; installing those with yum instead keeps the modules under package management, but CPAN works too:


perl -MCPAN -e shell
install Mail::Header
install Mail::Internet
install Socket6
exit


Get Nfdump and Nfsen, install/config

Download Nfdump and Nfsen from Sourceforge (these were the current stable releases at the time of writing; check for later versions). The archives come from a mirror over plain HTTP, so verify them against the checksums published on the project pages before building anything from them:


wget -4 http://hivelocity.dl.sourceforge.net/project/nfdump/stable/nfdump-1.6.6/nfdump-1.6.6.tar.gz
wget -4 http://superb-sea2.dl.sourceforge.net/project/nfsen/stable/nfsen-1.3.6p1/nfsen-1.3.6p1.tar.gz


Extract, compile and install Nfdump, then unpack Nfsen and start from its distributed config. --enable-nfprofile is required for Nfsen, and --prefix=/ places the binaries in /bin, which is what $PREFIX is set to below:


tar -xzf nfdump-1.6.6.tar.gz
tar -xzf nfsen-1.3.6p1.tar.gz

cd nfdump-1.6.6/
./configure --prefix=/ --enable-nfprofile --with-rrdpath=/usr/bin
make
make install
cd ..

cd nfsen-1.3.6p1
cp etc/nfsen-dist.conf etc/nfsen.conf


Edit the Nfsen configuration. $BASEDIR (/data/nfsen) and $HTMLDIR (/var/www/nfsen/) can stay at the distributed defaults; those are the directories created below. Each %sources entry is an exporting device that will be collected and graphed. 3.3.3.3 and 4.4.4.4 are placeholders: 'IP' must be the address the device actually exports from (its flow-export source interface), because when several sources share a port nfcapd identifies them by exporter address and ignores packets from addresses that are not configured:


vi etc/nfsen.conf

$PREFIX  = '/bin';

$USER    = "nfsen";

$WWWUSER="nfsen";
$WWWGROUP="nfsenadmin";

%sources = (
    'switch1'  => { 'port' => '2055', 'IP' => '3.3.3.3', 'col' => '#000099', 'type' => 'netflow' },
    'switch2'  => { 'port' => '2055', 'IP' => '4.4.4.4', 'col' => '#990000', 'type' => 'netflow' },
);


Create the accounts and groups the Nfsen processes run as. Both nfsen ($USER) and apache are put in nfsenadmin ($WWWGROUP) so the collector daemons and the PHP front end share access to the Nfsen data and the nfsend control socket; without the apache membership the web UI cannot talk to nfsend. (usermod -G nfsen nfsen is a no-op here, since useradd already made nfsen the user's primary group.) Then run the installer against the config and start Nfsen:


mkdir -p /data/nfsen
mkdir -p /var/www/nfsen
useradd -m nfsen
usermod -G nfsen nfsen
groupadd nfsenadmin
usermod -a -G nfsenadmin nfsen
usermod -a -G nfsenadmin apache
chown -R nfsen:nfsenadmin /data/nfsen

./install.pl etc/nfsen.conf

/data/nfsen/bin/nfsen start


Point Apache at the Nfsen HTML directory. In /etc/httpd/conf/httpd.conf the stock values are /var/www/html for DocumentRoot and its <Directory> block, and /var/www/icons for the Alias and its <Directory> block; change all four to the /var/www/nfsen paths shown, then restart httpd:


vi /etc/httpd/conf/httpd.conf
 DocumentRoot "/var/www/nfsen"
 <Directory "/var/www/nfsen">
  Alias /icons/ "/var/www/nfsen/icons/"
 <Directory "/var/www/nfsen/icons">

service httpd restart


Set flow collection to start at system boot:


vi /etc/rc.local
/data/nfsen/bin/nfsen start


Hardening your install

Enable SSL for web services:


yum -y install mod_ssl
openssl genrsa -aes128 -out server.key 2048
openssl req -new -key server.key -out server.csr


Send the CSR to your internal CA (or a public CA if you don't run one) and save the issued certificate as server.crt. A self-signed certificate would work technically, but it trains every user of the UI to click through browser warnings, which is exactly the habit you don't want around a security tool.

Copy server.crt and the private key (server.key) to the appropriate directories and make sure the key is readable by root only (openssl writes it with the default umask, so it may come out world-readable; the CSR is not secret and is kept only for reference). Then point Apache at the new certificate and restart httpd:


cp server.crt /etc/pki/tls/certs/
cp server.key /etc/pki/tls/private/
cp server.csr /etc/pki/tls/private/
chmod 600 /etc/pki/tls/private/server.key

vi /etc/httpd/conf.d/ssl.conf
 SSLCertificateFile /etc/pki/tls/certs/server.crt
 SSLCertificateKeyFile /etc/pki/tls/private/server.key

service httpd restart


Note: httpd is deliberately not enabled at boot (chkconfig httpd on) in this guide, because the private key is passphrase-protected and would block an unattended start. If the UI must come back by itself after a reboot, either store an unencrypted key with root-only 0600 permissions or have SSLPassPhraseDialog supply the passphrase. While in ssl.conf, also tighten the protocol settings: the stock CentOS 6 file only disables SSLv2, so set SSLProtocol to exclude SSLv3 as well and turn on SSLHonorCipherOrder.

Add an iptables rule so the web UI is reachable only from the management subnet (192.168.1.0/24 here). Position 2 places it right behind the RELATED,ESTABLISHED accept in the CentOS 6 default ruleset; the --sport range is optional. Nfsen does no user authentication of its own, so this rule (or Apache authentication in front of nfsen.php) is all that stands between anyone on the network and your flow data:


iptables -I INPUT 2 -s 192.168.1.0/24 -d 192.168.1.22 -p tcp --sport 1024:65535 --dport 443 -j ACCEPT
service iptables save
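The rule above only covers the browser. The same CentOS 6 default ruleset rejects the exporters' UDP packets on 2055, so without a matching rule nfcapd never sees a flow and the graphs stay flat. The script below is an added example, not part of Nfsen or of this write-up: it reads the %sources hash out of nfsen.conf and prints one iptables command per exporter plus the HTTPS rule, for review before anything is run. The collector address 192.168.1.22 and the 192.168.1.0/24 management subnet are the ones used on this page; the one-source-per-line layout of nfsen-dist.conf and the use of the iptables comment match are assumptions.

```sh
#!/bin/sh
# Added example, not part of Nfsen: derive iptables rules from the %sources
# hash in nfsen.conf so each exporter is allowed in on its UDP port and the
# web UI is reachable only from the management subnet.
# Assumes the one-source-per-line layout used by nfsen-dist.conf.

# nfsen_sources CONF
# Prints "NAME IP PORT" for each active source; commented-out lines are
# skipped. A source defined without an 'IP' key prints "-" as its address.
nfsen_sources() {
    grep "'port'" "$1" | grep -v '^[[:space:]]*#' | while IFS= read -r line; do
        name=$(printf '%s\n' "$line" | sed -n "s/^[[:space:]]*'\([^']*\)'[[:space:]]*=>.*/\1/p")
        ip=$(printf '%s\n' "$line"   | sed -n "s/.*'IP'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p")
        port=$(printf '%s\n' "$line" | sed -n "s/.*'port'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p")
        [ -n "$name" ] && [ -n "$port" ] || continue
        printf '%s %s %s\n' "$name" "${ip:--}" "$port"
    done
}

# nfsen_fw_rules CONF COLLECTOR_IP MGMT_NET
# Prints (does not run) the iptables commands. They are inserted at
# position 2 so they land right behind the RELATED,ESTABLISHED accept.
nfsen_fw_rules() {
    conf=$1; collector=$2; mgmt=$3
    nfsen_sources "$conf" | while read -r name ip port; do
        if [ "$ip" = "-" ]; then
            # No 'IP' in nfsen.conf means nfcapd takes this port from any
            # exporter, so the firewall cannot narrow it either. Say so.
            printf '# WARNING: source %s has no IP; port %s is open to any exporter\n' "$name" "$port" >&2
            printf 'iptables -I INPUT 2 -d %s -p udp --dport %s -m comment --comment "nfsen %s" -j ACCEPT\n' \
                "$collector" "$port" "$name"
        else
            printf 'iptables -I INPUT 2 -s %s -d %s -p udp --dport %s -m comment --comment "nfsen %s" -j ACCEPT\n' \
                "$ip" "$collector" "$port" "$name"
        fi
    done
    printf 'iptables -I INPUT 2 -s %s -d %s -p tcp --dport 443 -m comment --comment "nfsen web UI" -j ACCEPT\n' \
        "$mgmt" "$collector"
}

# example_conf
# Writes a constructed nfsen.conf fragment (sample data for this demo) to stdout.
example_conf() {
cat <<'EOF'
%sources = (
    'switch1'  => { 'port' => '2055', 'IP' => '3.3.3.3', 'col' => '#000099', 'type' => 'netflow' },
    'switch2'  => { 'port' => '2055', 'IP' => '4.4.4.4', 'col' => '#990000', 'type' => 'netflow' },
#   'retired'  => { 'port' => '9995', 'IP' => '5.5.5.5', 'col' => '#009900', 'type' => 'netflow' },
);
EOF
}

# Demo run against the constructed config: review the output, then pipe the
# real run through sh and finish with `service iptables save`.
tmp_conf=$(mktemp)
example_conf > "$tmp_conf"
nfsen_fw_rules "$tmp_conf" 192.168.1.22 192.168.1.0/24
rm -f "$tmp_conf"
```

Run it against the installed copy of the config (/data/nfsen/etc/nfsen.conf once install.pl has run), not the one in the source tree. A source defined without an 'IP' key is flagged on stderr, because nfcapd then accepts that port from any address and the firewall can only mirror that.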


Browse to https://192.168.1.22/nfsen.php for a first function test; the live graphs stay flat until the first five-minute nfcapd interval has rotated and the first flows have arrived. Then update your internal DNS so it matches the Common Name in the issued certificate and use the host's FQDN when browsing to its management interface, otherwise the browser will keep warning about a name mismatch.
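A quick check for collectors that have gone quiet, added here as an example (not part of Nfsen or of this article). nfcapd rotates a new file every five minutes per source, so a source directory under /data/nfsen/profiles-data/live/ whose newest nfcapd.* file is older than about ten minutes has a collector that is not running or not writing. The other failure mode is a fresh file that nfdump -I reports with "Flows: 0": the collector is up but nothing reaches it, which usually means the exporter's destination or source address, or the UDP 2055 firewall rule, is wrong. The live-profile path, the ten-minute threshold and the "Flows:" line format of nfdump -I are assumptions taken from the default install described above.

```sh
#!/bin/sh
# Added example, not part of Nfsen: spot sources whose collector has gone quiet.
# nfcapd rotates a new file every 5 minutes per source, so a source directory
# with no nfcapd.* file newer than ~10 minutes has a stopped or stuck collector.

# stale_sources LIVE_DIR MINUTES
# Prints the name of each source directory under LIVE_DIR that has no
# nfcapd.* file modified within the last MINUTES minutes.
stale_sources() {
    live_dir=$1
    minutes=$2
    for src_dir in "$live_dir"/*/; do
        [ -d "$src_dir" ] || continue
        name=$(basename "$src_dir")
        # -quit stops at the first hit; empty output means nothing recent
        recent=$(find "$src_dir" -maxdepth 1 -name 'nfcapd.*' -mmin "-$minutes" -print -quit)
        [ -z "$recent" ] && printf '%s\n' "$name"
    done
    return 0
}

# flow_count_from_stats
# Reads `nfdump -I` output on stdin and prints the number on its "Flows:" line.
# A fresh file with 0 flows means nfcapd runs but receives nothing: check the
# exporter's destination/source address and the UDP firewall rule.
flow_count_from_stats() {
    awk '/^Flows:/ { print $2; exit }'
}

# flow_count FILE
# Asks nfdump for the file's statistics (needs nfdump installed on the host).
flow_count() {
    nfdump -I -r "$1" | flow_count_from_stats
}

# newest_file DIR
# Prints the most recently modified nfcapd.* file in DIR (empty if none).
newest_file() {
    ls -t "$1"/nfcapd.* 2>/dev/null | head -1
}

# Demo against the default Nfsen layout (path assumed from the install above):
# for each quiet source, show its newest file and how many flows it holds.
LIVE=${LIVE:-/data/nfsen/profiles-data/live}
if [ -d "$LIVE" ]; then
    for src in $(stale_sources "$LIVE" 10); do
        f=$(newest_file "$LIVE/$src")
        printf 'STALE %s newest=%s flows=%s\n' "$src" "${f:-none}" "$( [ -n "$f" ] && flow_count "$f" )"
    done
fi
```

Drop this into cron alongside the retention job, or run it by hand after adding a new exporter; an empty output means every configured source wrote a file within the window.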

Remove the build tools. The exact package list depends on what yum pulled in as dependencies on your host; yum history list followed by yum history undo <id> on the transaction that installed gcc, flex, make and byacc removes precisely that set. Otherwise:


rpm -e gcc cloog-ppl cpp glibc-devel glibc-headers kernel-headers libgomp mpfr ppl flex make byacc


Finishing up

Add a cron job to remove flow data older than 180 days (adjust the interval to your disk space). Nfsen also has its own expiry (nfexpire, configured per profile through the web UI), which keeps its size accounting in step with what is on disk; if you prefer the plain find below, point it only at the live profile data:


crontab -e
 0 0 * * 5 find /data/nfsen/profiles-data/live/ -type f -mtime +180 -delete


Here is an example IOS configuration for flow export (details vary by platform and IOS release, and not every IOS device supports NetFlow). ip route-cache flow is the classic per-interface enable; newer releases use ip flow ingress instead. The address of the ip flow-export source interface is what nfcapd sees as the exporter, so it must be the 'IP' configured for that source in nfsen.conf:


interface g0/0
 ip route-cache flow
 exit
ip flow-export source g0/0
ip flow-export version 9
ip flow-export destination 192.168.1.22 2055


This sends NetFlow v9 over UDP to port 2055 on the collector. When you later change device references, edit the installed copy at /data/nfsen/etc/nfsen.conf (not the one in the source tree) and then use nfsen reconfig after adding or removing sources, since it creates or removes the per-source directories and restarts the collectors accordingly; nfsen reload is for other configuration changes, and status shows whether nfsend and each nfcapd are running:


/data/nfsen/bin/nfsen stop
/data/nfsen/bin/nfsen reload
/data/nfsen/bin/nfsen reconfig
/data/nfsen/bin/nfsen status

