NetFlow Collection with Nfdump and Nfsen
Published: 08/15/2014
I'm in a rush to get this onto my online scrapbook, so hopefully I'll have time to clean the article formatting later. This is the quick how-to to get an open source NetFlow collector up and running on CentOS 6.x (x64).
Basic setup
Install the packages:
    yum -y install httpd php perl-CPAN rrdtool rrdtool-devel rrdutils perl-rrdtool
Set SELinux to permissive mode:
    vi /etc/selinux/config
    SELINUX=permissive
Reboot the host (required for the SELinux change to take effect).
Then install temporary dependencies:
    yum -y install gcc flex make byacc
Install Perl packages:
    perl -MCPAN -e shell
    install Mail::Header
    install Mail::Internet
    install Socket6
    exit
Get Nfdump and Nfsen, install/config
Download the Nfdump and Nfsen tarballs from SourceForge (note: check for later versions if required):
    wget -4 http://hivelocity.dl.sourceforge.net/project/nfdump/stable/nfdump-1.6.6/nfdump-1.6.6.tar.gz
    wget -4 http://superb-sea2.dl.sourceforge.net/project/nfsen/stable/nfsen-1.3.6p1/nfsen-1.3.6p1.tar.gz
Unpack, then compile and install Nfdump; unpack Nfsen and create its config file from the shipped template:
    tar -xzf nfdump-1.6.6.tar.gz
    tar -xzf nfsen-1.3.6p1.tar.gz
    cd nfdump-1.6.6/
    ./configure --prefix=/ --enable-nfprofile --with-rrdpath=/usr/bin
    make
    make install
    cd ..
    cd nfsen-1.3.6p1
    cp etc/nfsen-dist.conf etc/nfsen.conf
Edit the Nfsen configuration: set the install paths and accounts, and add each NetFlow-exporting device that should be collected and graphed to %sources (the IP is the exporter's source address, the port is the UDP port the collector listens on):
    vi etc/nfsen.conf
    $PREFIX = '/bin';
    $USER = "nfsen";
    $WWWUSER = "nfsen";
    $WWWGROUP = "nfsenadmin";
    %sources = (
        'switch1' => { 'port' => '2055', 'IP' => '3.3.3.3', 'col' => '#000099', 'type' => 'netflow' },
        'switch2' => { 'port' => '2055', 'IP' => '4.4.4.4', 'col' => '#990000', 'type' => 'netflow' },
    );
Set up accounts and permissions for use by Nfsen processes, install the config, then start Nfsen:
    mkdir -p /data/nfsen
    mkdir -p /var/www/nfsen
    useradd -m nfsen
    usermod -G nfsen nfsen
    groupadd nfsenadmin
    usermod -a -G nfsenadmin nfsen
    usermod -a -G nfsenadmin apache
    chown -R nfsen:nfsenadmin /data/nfsen
    ./install.pl etc/nfsen.conf
    /data/nfsen/bin/nfsen start
Update the web server configuration (change the existing DocumentRoot, Directory and Alias entries to the paths below) and restart the service:
    vi /etc/httpd/conf/httpd.conf
    DocumentRoot "/var/www/nfsen"
    <Directory "/var/www/nfsen">
    Alias /icons/ "/var/www/nfsen/icons/"
    <Directory "/var/www/nfsen/icons">
    service httpd restart
Set flow collection to start at system boot:
    vi /etc/rc.local
    /data/nfsen/bin/nfsen start
Hardening your install
Enable SSL for the web service: install mod_ssl, generate a passphrase-protected private key and a certificate signing request:
    yum -y install mod_ssl
    openssl genrsa -aes128 -out server.key 2048
    openssl req -new -key server.key -out server.csr
Send the CSR to your internal signing authority (or a public signing authority, if you don't have one), and once issued, save the certificate as server.crt. You could self-sign a certificate, but no one respects a ghetto install.
Copy server.crt and the private key (server.key) to the appropriate directories, then point Apache at the new certificate and key in ssl.conf. Restart httpd afterwards:
    cp server.crt /etc/pki/tls/certs/
    cp server.key /etc/pki/tls/private/
    cp server.csr /etc/pki/tls/private/
    vi /etc/httpd/conf.d/ssl.conf
    SSLCertificateFile /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key
    service httpd restart
Note: httpd is not set to start automatically at boot time for this guide since it is assumed that the SSL private key is passphrase-protected.
Add an iptables rule allowing web UI access over HTTPS from the management subnet only, then save the rule set:
    iptables -I INPUT 2 -s 192.168.1.0/24 -d 192.168.1.22 -p tcp --sport 1024:65535 --dport 443 -j ACCEPT
    service iptables save
Browse to https://192.168.1.22/nfsen.php to start your function test. Update your internal DNS so that it reflects the Common Name in the issued SSL certificate, and from then on use the host's FQDN when browsing to its management interface, so the certificate validates.
Remove the temporary build dependencies:
    rpm -e gcc cloog-ppl cpp glibc-devel glibc-headers kernel-headers libgomp mpfr ppl flex make byacc
Finishing up
Add a cron job (run weekly, at midnight on Fridays) to remove flow data older than 180 days; your retention interval may differ depending on available disk space:
    crontab -e
    0 0 * * 5 find /data/nfsen/profiles-data/live/ -type f -mtime +180 -delete
Here's an example of an IOS configuration for flow export (this may differ slightly depending on the router or switch model; not all IOS devices are NetFlow-capable):
    interface g0/0
     ip route-cache flow
     exit
    ip flow-export source g0/0
    ip flow-export version 9
    ip flow-export destination 192.168.1.22 2055
This sends NetFlow v9 data to your flow collector host on UDP port 2055, matching the port configured in %sources. Here are some miscellaneous Nfsen commands for use after editing /data/nfsen/etc/nfsen.conf to add, modify, or remove device references:
    /data/nfsen/bin/nfsen stop
    /data/nfsen/bin/nfsen reload
    /data/nfsen/bin/nfsen reconfig
    /data/nfsen/bin/nfsen status
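A quick way to check that what lands on UDP 2055 really is NetFlow v9 from the exporters declared in %sources is to parse the datagram header and flowset table yourself. The following is an added example, not part of the original post or of nfdump/nfsen; the SOURCES dict mirrors the page's nfsen.conf, and the sample datagram is constructed inline.

```python
import struct
from ipaddress import ip_address

# Exporters as declared in %sources in this page's nfsen.conf (3.3.3.3/4.4.4.4 are
# the page's placeholder addresses); the dict shape here is this example's own.
SOURCES = {
    "switch1": {"IP": "3.3.3.3", "port": 2055},
    "switch2": {"IP": "4.4.4.4", "port": 2055},
}

# NetFlow v9 packet header: version, count, sysUptime, unix_secs, sequence, source_id
V9_HEADER = struct.Struct("!HHIIII")


def parse_v9(datagram):
    """Parse one NetFlow v9 datagram: header fields plus a list of (flowset_id, length).
    FlowSet ID 0 is a template flowset, IDs >= 256 are data flowsets."""
    if len(datagram) < V9_HEADER.size:
        raise ValueError("datagram shorter than the 20-byte NetFlow v9 header")
    version, count, uptime, secs, seq, source_id = V9_HEADER.unpack_from(datagram, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field is {version})")
    flowsets, offset = [], V9_HEADER.size
    while offset + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack_from("!HH", datagram, offset)
        # A bad length would make a naive reader loop forever or read past the buffer
        if fs_len < 4 or offset + fs_len > len(datagram):
            raise ValueError(f"flowset at offset {offset} has invalid length {fs_len}")
        flowsets.append((fs_id, fs_len))
        offset += fs_len
    return {"version": version, "count": count, "sys_uptime_ms": uptime,
            "unix_secs": secs, "sequence": seq, "source_id": source_id,
            "flowsets": flowsets}


def match_source(src_ip, dst_port):
    """Name of the nfsen source whose IP and port match the sender, or None if the
    datagram came from an exporter that is not listed in %sources."""
    for name, cfg in SOURCES.items():
        if ip_address(cfg["IP"]) == ip_address(src_ip) and cfg["port"] == dst_port:
            return name
    return None


# Constructed sample datagram: header, a template flowset defining template 256 with
# IPV4_SRC_ADDR (type 8) and IPV4_DST_ADDR (type 12), then one data record for it.
SAMPLE = (V9_HEADER.pack(9, 2, 123456, 1408060800, 42, 0)
          + struct.pack("!HH", 0, 16) + struct.pack("!HHHHHH", 256, 2, 8, 4, 12, 4)
          + struct.pack("!HH", 256, 12) + bytes([10, 0, 0, 1, 10, 0, 0, 2]))
```

Feed parse_v9() the payload of a datagram captured on the collector and match_source() the sender address and destination port; a None result means an exporter is sending flows that Nfsen will silently drop because it is not in %sources.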