Skip to content

Instantly share code, notes, and snippets.

@shpedoikal

shpedoikal/ubuntu-netflow-dns-log.ks

Created June 21, 2015 17:16
Show Gist options
  • Save shpedoikal/7766608a2be1c95031f2 to your computer and use it in GitHub Desktop.
Save shpedoikal/7766608a2be1c95031f2 to your computer and use it in GitHub Desktop.
Download ZIP
Ubuntu kickstart script for SiLK netflow collection and dns logging
Raw
ubuntu-netflow-dns-log.ks
#
# Kickstart an Ubuntu image
# - 2 network interfaces, and internal and external
# - forward all traffic from internal -> external
# - Log all traffic using the SiLK netflow package to /data
# - Log all DNS traffic as pcaps in /var/log/ulogd
# - Backup all netflow and dns to an external server
#
# Before using this kickstart script, search and replace 'kyoder' with your username
#
# 1. Boot from a netboot ISO such as this:
# http://archive.ubuntu.com/ubuntu/dists/trusty/main/installer-amd64/current/images/netboot/mini.iso
#
# 2. Hit TAB to edit the grub install entry
# After the '--' in the grub entry, add: ks=http://<ipaddress>/edge.ks
#
# 3. Post install, log in and follow the motd instructions
#
# Install OS instead of upgrade
install
# Use Web installation
url --url http://archive.ubuntu.com/ubuntu
# Use sudo as an unpriv'd user
preseed passwd/root-login boolean false
#System language
lang en_US
#System keyboard
keyboard us
#System mouse
mouse
#System timezone
timezone America/Chicago
# Use when root-login is true above
#%include /tmp/rootpw
# Root password
#rootpw toto
# Initial user (doesn't get created until after %post)
user kyoder --fullname "Kent Yoder" --password Passw0rd
# Default to 'halt' since the password is known
halt
#Use text mode install
text
#System bootloader configuration
bootloader --location=mbr
#Clear the Master Boot Record
zerombr yes
#Partition clearing information
clearpart --all --initlabel
# partitioning
part / --fstype ext4 --size=1 --grow --asprimary
part /boot --fstype ext4 --size 256 --asprimary
part swap --size 1024
#System authorization infomation
auth --useshadow --enablemd5
#Network information
# Internal interface
#network --bootproto=static --ip=192.168.19.44 --gateway=192.168.19.2 --netmask=255.255.255.0 --device=eth1 --nodns --onboot=yes
# Workaround is in %post below
# External interface
network --bootproto=dhcp --device=eth0 --noipv6 --onboot=yes
# Firewall configuration
# Disabled because Ubuntu doesn't support this part of kickstart
firewall --disabled
#Do not configure the X Window System
skipx
%packages --resolvedeps
ubuntu-minimal
net-tools
vim
wget
tree
update-motd
# dependencies for ipt_NETFLOW
# linux-headers said there was no install candidate
#linux-headers
module-assistant
git
dkms
iptables-dev
pkg-config
# dependencies for the SiLK build
python-dev
libglib2.0-dev
# dependencies for logging DNS
ulogd2
ulogd2-pcap
# dependencies for firewall
iptables-persistent
%pre
%post
# Configure the second network interface that screws up the Ubuntu installer
(
cat <<'EOP'
auto eth1
iface eth1 inet static
address ${ETH1_IPADDR}
netmask 255.255.255.0
EOP
) >> /etc/network/interfaces
# Download, build and install the ipt_NETFLOW kernel module
#
# Directions at https://github.com/aabc/ipt-netflow
#
mkdir -p /home/kyoder
git clone git://git.code.sf.net/p/ipt-netflow/code /home/kyoder/ipt-netflow.git
cd /home/kyoder/ipt-netflow.git && m-a --non-inter prepare && ./configure --enable-direction && make all install
# auto-load the ipt_NETFLOW module
echo 'ipt_NETFLOW' >> /etc/modules
# Add options when loading ipt_NETFLOW. Send netflow to local SiLK listener and do IPFIX (protocol 10)
echo 'options ipt_NETFLOW destination=127.0.0.1:9996 protocol=10' > /etc/modprobe.d/ipt_NETFLOW.conf
# Download, build and install libfixbuf, needed for netflow v10 (IPFIX) format messages
wget -O /home/kyoder/libfixbuf-1.6.2.tar.gz https://tools.netsa.cert.org/releases/libfixbuf-1.6.2.tar.gz
cd /home/kyoder && tar zxvf libfixbuf-1.6.2.tar.gz && cd libfixbuf-1.6.2 && ./configure && make install
# Download, build and install SiLK
wget -O /home/kyoder/silk-3.10.2.tar.gz https://tools.netsa.cert.org/releases/silk-3.10.2.tar.gz
cd /home/kyoder && tar zxvf silk-3.10.2.tar.gz && cd silk-3.10.2 && ./configure --with-libfixbuf=/usr/local/lib/pkgconfig --with-python --enable-data-rootdir=/data --prefix=/usr/local && make install
mkdir /data
echo '/usr/local/lib' > /etc/ld.so.conf.d/rwflowpack.conf
ldconfig
#
#
# Add silk config files
#
#
# rwflowpack.conf
(
cat <<'EOP'
### Packer configuration file -*- sh -*-
##
## The canonical pathname for this file is
## /usr/local/etc/rwflowpack.conf
##
## RCSIDENT("$SiLK: rwflowpack.conf.in 7f4317c4a2a1 2014-05-22 21:38:41Z mthomas $")
##
## This is a /bin/sh file that gets loaded by the init.d/rwflowpack
## wrapper script, and this file must follow /bin/sh syntax rules.
# Set to non-empty value to enable rwflowpack
ENABLED=yes
# These are convenience variables for setting other values in this
# configuration file; their use is not required.
statedirectory=/usr/local/var/lib/rwflowpack
# If CREATE_DIRECTORIES is set to "yes", the directories named in this
# file will be created automatically if they do not already exist
CREATE_DIRECTORIES=yes
# Full path of the directory containing the "rwflowpack" program
BIN_DIR=/usr/local/sbin
# The full path to the sensor configuration file. Used by
# --sensor-configuration. YOU MUST PROVIDE THIS (the value is ignored
# when INPUT_MODE is "respool").
SENSOR_CONFIG=/data/sensor.conf
# The full path to the root of the tree under which the packed SiLK
# Flow files will be written. Used by --root-directory.
DATA_ROOTDIR=/data
# The full path to the site configuration file. Used by
# --site-config-file. If not set, defaults to silk.conf in the
# ${DATA_ROOTDIR}.
SITE_CONFIG=/data/silk.conf
# Specify the path to the packing-logic plug-in that rwflowpack should
# load and use. The plug-in provides functions that determine into
# which class and type each flow record will be categorized and the
# format of the files that rwflowpack will write. When SiLK has been
# configured with hard-coded packing logic (i.e., when
# --enable-packing-logic was specified to the configure script), this
# value should be empty. A default value for this switch may be
# specified in the ${SITE_CONFIG} site configuration file. This value
# is ignored when INPUT_MODE is "respool".
PACKING_LOGIC=
# Data input mode. Valid values are:
# * "stream" mode to read from the network or from probes that have
# poll-directories
# * "fcfiles" to process flowcap files on the local disk
# * "respool" to process SiLK flow files maintaining the sensor and
# class/type values that already exist on those records.
INPUT_MODE=stream
# Directory in which to look for incoming flowcap files in "fcfiles"
# mode or for incoming SiLK files in "respool" mode
INCOMING_DIR=${statedirectory}/incoming
# Directory to move input files to after successful processing. When
# in "stream" mode, these are the files passed to any probe with a
# poll-directory directive. When in "fcfiles" mode, these are the
# flowcap files. When in "respool" mode, these are the SiLK Flow
# files. If not set, the input files are not archived but are deleted
# instead.
ARCHIVE_DIR=${statedirectory}/archive
# When using the ARCHIVE_DIR, normally files are stored in
# subdirectories of the ARCHIVE_DIR. If this variable's value is 1,
# files are stored in ARCHIVE_DIR itself, not in subdirectories of it.
FLAT_ARCHIVE=0
# Directory to move an input file into if there is a problem opening
# the file. If this value is not set, rwflowpack will exit when it
# encounters a problem file. When in "fcfiles" mode, these are the
# flowcap files. When in "stream" mode, these are the files passed to
# any probe with a poll-directory directive.
ERROR_DIR= #${statedirectory}/error
# Data output mode. As of SiLK-3.6.0, valid values are
# "local-storage", "incremental-files", and "sending".
#
# For compatiblity with previous releases prior to SiLK-3.6.0, "local"
# is an alias for "local-storage" and "remote" and is an alias for
# "sending".
#
# In "local-storage" (aka "local") mode, rwflowpack writes the records
# to hourly files in the repository on the local disk. The root of
# the repository must be specified by the DATA_ROOTDIR variable.
#
# In "incremental-files" mode, rwflowpack creates small files (called
# incremental files) that must be processed by rwflowappend to create
# the hourly files. The incremental-files are created and stored in a
# single directory named by the INCREMENTAL_DIR variable.
#
# In "sending" (aka "remote") mode, rwflowpack also creates
# incremental files. The files are created in directory specified by
# the INCREMENTAL_DIR variable and then moved to directory specified
# by the SENDER_DIR variable.
OUTPUT_MODE=local-storage
# When the OUTPUT_MODE is "sending", this is the destination directory
# in which the incremental files are finally stored to await
# processing by rwflowappend, rwsender, or another process.
SENDER_DIR=${statedirectory}/sender-incoming
# When OUTPUT_MODE is "incremental-files" or "sending", this is the
# directory where the incremental files are initially built. In
# "incremental-files" mode, the files remain in this directory. In
# "sending" mode, the incremental files are moved to the SENDER_DIR
# directory.
INCREMENTAL_DIR=${statedirectory}/sender-incoming
# The type of compression to use for packed files. Left empty, the
# value chosen at compilation time will be used. Valid values are
# "best" and "none". Other values are system-specific (the available
# values are listed in the description of the --compression-method
# switch in the output of rwflowpack --help).
COMPRESSION_TYPE=
# Interval between attempts to check the INCOMING_DIR or
# poll-directory probe entries for new files, in seconds. This may be
# left blank, and will default to 15.
POLLING_INTERVAL=
# Interval between periodic flushes of open SiLK Flow files to disk,
# in seconds. This may be left blank, and will default to 120.
FLUSH_TIMEOUT=
# Maximum number of SiLK Flow files to have open for writing
# simultaneously. This may be left blank, and will default to 64
FILE_CACHE_SIZE=
# Whether rwflowpack should use advisory write locks. 1=yes, 0=no.
# Set to zero if messages like "Cannot get a write lock on file"
# appear in rwflowpack's log file.
FILE_LOCKING=1
# Whether rwflowpack should include the input and output SNMP
# interfaces and the next-hop-ip in the output files. 1=yes, 0=no.
# The default is no, and these values are not stored to save disk
# space. (The input and output fields contain VLAN tags when the
# sensor.conf file contains the attribute "interface-values vlan".)
PACK_INTERFACES=0
###
# The type of logging to use. Valid values are "legacy" and "syslog".
LOG_TYPE=syslog
# The lowest level of logging to actually log. Valid values are:
# emerg, alert, crit, err, warning, notice, info, debug
LOG_LEVEL=info
# The full path of the directory where the log files will be written
# when LOG_TYPE is "legacy".
LOG_DIR=${statedirectory}/log
# The full path of the directory where the PID file will be written
PID_DIR=${LOG_DIR}
# The user this program runs as; root permission is required only when
# rwflowpack listens on a privileged port.
#USER=root
USER=`whoami` # run as user invoking the script
# Extra options to pass to rwflowpack
EXTRA_OPTIONS=
EOP
) > /data/rwflowpack.conf
# /data/sensor.conf
(
cat <<'EOP'
probe edge-ipfix ipfix
listen-on-port 9996
protocol udp
accept-from-host 127.0.0.1
end probe
group internal
ipblocks 192.168.0.0/16
ipblocks 10.0.0.0/8
end group
sensor edge
ipfix-probes edge-ipfix
internal-ipblock @internal
external-ipblock remainder
end sensor
EOP
) > /data/sensor.conf
# /data/silk.conf
(
cat <<'EOP'
# silk.conf for the "twoway" site
# RCSIDENT("$SiLK: silk.conf 52d8f4f62ffd 2012-05-25 21:16:30Z mthomas $")
# For a description of the syntax of this file, see silk.conf(5).
# The syntactic format of this file
# version 2 supports sensor descriptions, but otherwise identical to 1
version 2
# NOTE: Once data has been collected for a sensor or a flowtype, the
# sensor or flowtype should never be removed or renumbered. SiLK Flow
# files store the sensor ID and flowtype ID as integers; removing or
# renumbering a sensor or flowtype breaks this mapping.
sensor 0 edge "edge IPFIX sensor"
#sensor 0 S0 "Description for sensor S0"
#sensor 1 S1
#sensor 2 S2 "Optional description for sensor S2"
#sensor 3 S3
#sensor 4 S4
#sensor 5 S5
#sensor 6 S6
#sensor 7 S7
#sensor 8 S8
#sensor 9 S9
#sensor 10 S10
#sensor 11 S11
#sensor 12 S12
#sensor 13 S13
#sensor 14 S14
class all
sensors edge
#sensors S0 S1 S2 S3 S4 S5 S6 S7 S8 S9 S10 S11 S12 S13 S14
end class
# Editing above this line is sufficient for sensor definition.
# Be sure you understand the workings of the packing system before
# editing the class and type definitions below. In particular, if you
# change or add-to the following, the C code in packlogic-twoway.c
# will need to change as well.
class all
type 0 in in
type 1 out out
type 2 inweb iw
type 3 outweb ow
type 4 innull innull
type 5 outnull outnull
type 6 int2int int2int
type 7 ext2ext ext2ext
type 8 inicmp inicmp
type 9 outicmp outicmp
type 10 other other
default-types in inweb inicmp
end class
default-class all
# The layout of the tree below SILK_DATA_ROOTDIR.
# Use the default, which assumes a single class.
# path-format "%T/%Y/%m/%d/%x"
# The plug-in to load to get the packing logic to use in rwflowpack.
# The --packing-logic switch to rwflowpack will override this value.
# If SiLK was configured with hard-coded packing logic, this value is
# ignored.
packing-logic "packlogic-twoway.so"
EOP
) > /data/silk.conf
#
# /etc/init.d/rwflowpack
#
(
cat <<'EOP'
#!/bin/sh
### BEGIN INIT INFO
# Provides: rwflowpack
# Required-Start:
# Required-Stop:
# Should-Start: $network
# Should-Stop: $network
# X-Start-Before:
# X-Stop-After:
# Default-Start: 2 3 4 5
# Default-Stop: 1
# Short-Description: rwflowpack listener
# Description: Pack netflow data
### END INIT INFO
#######################################################################
# RCSIDENT("$SiLK: rwflowpack.init.d.in 7f4317c4a2a1 2014-05-22 21:38:41Z mthomas $")
#######################################################################
# rwflowpack start/control script
#
# /etc/init.d/rwflowpack
# chkconfig: - 20 95
# description: Start rwflowpack program
MYNAME=rwflowpack
# Determine whether our name has an addendum
BASENAME='s:\(.*/\)*\([^/]*\)$:\2:'
SEDEXT1='s/\(.*\)\.init\.d$/\1/'
SEDEXT2='s/\(.*\)\.sh$/\1/'
SCRIPTNAME=`echo $0 | sed ${BASENAME} | sed ${SEDEXT1} | sed ${SEDEXT2}`
PRETEST="\\(${MYNAME}\\)\\(-.*\\)*\$"
SUFTEST="${MYNAME}\\(-.*\\)\$"
PREFIX=`expr "x${SCRIPTNAME}" : "x${PRETEST}"`
SUFFIX=`expr "x${SCRIPTNAME}" : "x${SUFTEST}"`
if [ "x$PREFIX" != "x$MYNAME" ] ; then
SUFFIX=
fi
# SCRIPT_CONFIG_LOCATION is the directory where the ${MYNAME}.conf
# file is located. It can be set via an environment variable. If the
# envar is not set, then DEFAULT_SCRIPT_CONFIG_LOCATION is used. If
# that is not set as well, the --sysconfdir value passed to configure
# is used, which defaults to ${prefix}/etc.
DEFAULT_SCRIPT_CONFIG_LOCATION="/data"
if [ "x$SCRIPT_CONFIG_LOCATION" = "x" ] ; then
if [ "x$DEFAULT_SCRIPT_CONFIG_LOCATION" = "x" ] ; then
SCRIPT_CONFIG_LOCATION="/usr/local/etc"
else
SCRIPT_CONFIG_LOCATION="$DEFAULT_SCRIPT_CONFIG_LOCATION"
fi
fi
SCRIPT_CONFIG=${SCRIPT_CONFIG_LOCATION}/${MYNAME}${SUFFIX}.conf
#######################################################################
if [ ! -f "${SCRIPT_CONFIG}" ] ; then
echo "$0: ${SCRIPT_CONFIG} does not exist."
exit 0
fi
. "${SCRIPT_CONFIG}"
if [ "x$ENABLED" = "x" ] ; then
exit 0
fi
#######################################################################
# SHELL FUNCTIONS
# check_empty VARNAME VALUE
#
# Verifies that VALUE has a value. If it doesn't, a message is
# printed that the VARNAME variable is unset and script exits.
check_empty()
{
if [ "x$2" = "x" ] ; then
echo "$0: the \${$1} variable has not been set."
exit 1
fi
}
# check_dir VARNAME DIR
#
# Verifies that VARNAME is set. Next, verifies that the directory
# DIR exists. If not and if $CREATE_DIRECTORIES is set, the
# directory is created. Otherwise, an error is printed and the
# script exits.
check_dir()
{
check_empty "$1" "$2"
if [ ! -d "$2" ] ; then
if [ "${CREATE_DIRECTORIES}" = "yes" ] ; then
mkdir -p "$2" || { echo "$0: Could not create $2" ; exit 1 ; }
chown -h "${USER}" "$2" || { echo "$0: Could not chown $2 to ${USER}"; exit 1 ; }
else
echo "$0: the $2 directory does not exist."
exit 1
fi
else
chown -h "${USER}" "$2" || { echo "$0: Could not chown $2 to ${USER}"; exit 1 ; }
fi
}
#######################################################################
# for backwards compatibility
if [ "x${BIN_DIR}" = "x" ] ; then
#echo "Warning: PACKER_BIN deprecated in ${SCRIPT_CONFIG}. Use BIN_DIR instead" 1>&2
BIN_DIR="${PACKER_BIN}"
fi
RETVAL=0
PROG=rwflowpack
PROG_PATH="${BIN_DIR}/${PROG}"
PIDFILE="${PID_DIR}/${PROG}${SUFFIX}.pid"
LOG_BASENAME="${PROG}${SUFFIX}"
PROG_OPTIONS=""
if [ ! -x "${PROG_PATH}" ] ; then
echo "$0: could not find an executable ${PROG_PATH}."
exit 1
fi
check_empty "INPUT_MODE" "${INPUT_MODE}"
case "${INPUT_MODE}" in
stream)
check_empty "SENSOR_CONFIG" "${SENSOR_CONFIG}"
PROG_OPTIONS="${PROG_OPTIONS} --sensor-configuration='${SENSOR_CONFIG}'"
;;
fcfiles)
check_empty "SENSOR_CONFIG" "${SENSOR_CONFIG}"
PROG_OPTIONS="${PROG_OPTIONS} --input-mode=fcfiles"
PROG_OPTIONS="${PROG_OPTIONS} --sensor-configuration='${SENSOR_CONFIG}'"
;;
respool)
PROG_OPTIONS="${PROG_OPTIONS} --input-mode=respool"
;;
*)
echo "$0: Unexpected INPUT_MODE ${INPUT_MODE}."
echo "Set to \"stream\", \"fcfiles\", or \"respool\"."
exit 1
;;
esac
if [ "x${COMPRESSION_TYPE}" != "x" ] ; then
PROG_OPTIONS="${PROG_OPTIONS} --compression-method=${COMPRESSION_TYPE}"
fi
if [ "x${FILE_LOCKING}" = "x0" ] ; then
PROG_OPTIONS="${PROG_OPTIONS} --no-file-locking"
fi
if [ "x${PACK_INTERFACES}" = "x1" ] ; then
PROG_OPTIONS="${PROG_OPTIONS} --pack-interfaces"
fi
if [ "x${FLUSH_TIMEOUT}" != "x" ] ; then
PROG_OPTIONS="${PROG_OPTIONS} --flush-timeout=${FLUSH_TIMEOUT}"
fi
if [ "x${FILE_CACHE_SIZE}" != "x" ] ; then
PROG_OPTIONS="${PROG_OPTIONS} --file-cache-size=${FILE_CACHE_SIZE}"
fi
if [ "x${POLLING_INTERVAL}" != "x" ] ; then
PROG_OPTIONS="${PROG_OPTIONS} --polling-interval=${POLLING_INTERVAL}"
fi
if [ "x${SITE_CONFIG}" != "x" ] ; then
PROG_OPTIONS="${PROG_OPTIONS} --site-config-file='${SITE_CONFIG}'"
fi
if [ "x${PACKING_LOGIC}" != "x" ] ; then
case "${INPUT_MODE}" in
respool)
;;
*)
PROG_OPTIONS="${PROG_OPTIONS} --packing-logic='${PACKING_LOGIC}'"
;;
esac
fi
if [ "x${ARCHIVE_DIR}" != "x" ] ; then
check_dir "ARCHIVE_DIR" "${ARCHIVE_DIR}"
PROG_OPTIONS="${PROG_OPTIONS} --archive-directory='${ARCHIVE_DIR}'"
if [ "x${FLAT_ARCHIVE}" = "x1" ] ; then
PROG_OPTIONS="${PROG_OPTIONS} --flat-archive"
fi
fi
if [ "x${ERROR_DIR}" != "x" ] ; then
check_dir "ERROR_DIR" "${ERROR_DIR}"
PROG_OPTIONS="${PROG_OPTIONS} --error-directory='${ERROR_DIR}'"
fi
case "${INPUT_MODE}" in
fcfiles|respool)
check_dir "INCOMING_DIR" "${INCOMING_DIR}"
PROG_OPTIONS="${PROG_OPTIONS} --incoming-directory='${INCOMING_DIR}'"
;;
*)
;;
esac
check_empty "OUTPUT_MODE" "${OUTPUT_MODE}"
case "${OUTPUT_MODE}" in
local-storage|local)
check_dir "DATA_ROOTDIR" "${DATA_ROOTDIR}"
PROG_OPTIONS="${PROG_OPTIONS} --output-mode=local-storage --root-directory='${DATA_ROOTDIR}'"
;;
incremental-files)
check_dir "INCREMENTAL_DIR" "${INCREMENTAL_DIR}"
PROG_OPTIONS="${PROG_OPTIONS} --output-mode=incremental-files --incremental-directory='${INCREMENTAL_DIR}'"
;;
remote|sending)
check_dir "SENDER_DIR" "${SENDER_DIR}"
check_dir "INCREMENTAL_DIR" "${INCREMENTAL_DIR}"
PROG_OPTIONS="${PROG_OPTIONS} --output-mode=sending --sender-directory='${SENDER_DIR}' --incremental-directory='${INCREMENTAL_DIR}'"
;;
*)
echo "$0: Unexpected OUTPUT_MODE ${OUTPUT_MODE}."
echo "Set to \"local-storage\" or \"incremental-files\"."
exit 1
;;
esac
#######################################################################
check_dir "PID_DIR" "${PID_DIR}"
PROG_OPTIONS="${PROG_OPTIONS} --pidfile='${PIDFILE}' --log-level=${LOG_LEVEL}"
case "${LOG_TYPE}" in
syslog)
PROG_OPTIONS="${PROG_OPTIONS} --log-destination=syslog"
;;
legacy)
check_dir "LOG_DIR" "${LOG_DIR}"
PROG_OPTIONS="${PROG_OPTIONS} --log-directory='${LOG_DIR}' --log-basename='${LOG_BASENAME}'"
;;
*)
echo "$0: Unexpected LOG_TYPE ${LOG_TYPE}."
echo "Set to \"legacy\" or \"syslog\"."
exit 1
;;
esac
#######################################################################
# Check if $pid is running
checkpid() {
kill -0 $1 >/dev/null 2>&1 && return 0
return 1
}
# Get the process id from the PIDFILE
getPid() {
RETVAL=1
if [ -f $PIDFILE ] ; then
RETVAL=2
read pid < ${PIDFILE}
if [ "X$pid" != "X" ] ; then
RETVAL=3
# Found a pid
if checkpid $pid ; then
echo $pid
RETVAL=0
fi
fi
fi
echo ""
return $RETVAL
}
status() {
if [ $# -gt 0 ] ; then
doEcho=0
else
doEcho=1
fi
# first check if the process is running
pid=`getPid`
RETVAL=$?
if [ $doEcho -eq 1 ] ; then
case "$RETVAL" in
0)
echo "${PROG} is running with pid $pid"
;;
1)
echo "${PROG} is stopped"
;;
*)
echo "${PROG} is dead but pid file exists"
;;
esac
fi
return $RETVAL
}
start() {
(status 'silent')
pStat=$?
if [ $pStat -eq 0 ] ; then
status
return 0
fi
/bin/echo -n "Starting ${PROG}: "
/bin/rm -f ${PIDFILE} 2> /dev/null
if [ X`whoami` = "X${USER}" ] ; then
eval "${PROG_PATH} ${PROG_OPTIONS} ${EXTRA_OPTIONS} &"
else
su - ${USER} -c "${PROG_PATH} ${PROG_OPTIONS} ${EXTRA_OPTIONS} &"
fi
RETVAL=$?
if [ "$RETVAL" -ne "0" ] ; then
echo "[Failed]"
else
sleep 1
PID=`getPid`
if [ "x$PID" = "x" ] ; then
echo "[Failed]"
RETVAL=1
else
echo '[OK]'
fi
fi
return $RETVAL
}
stop() {
Pid=`getPid`
if [ "X${Pid}" = "X" ] ; then
echo "${PROG} not running"
return 1
fi
/bin/echo -n "Stopping ${PROG}: "
/bin/kill -s INT $Pid
for s in 2 3 4 6 7; do
sleep $s
if checkpid $Pid ; then
:
else
break;
fi
done
if checkpid $Pid ; then
/bin/kill -s KILL $Pid
sleep 1
fi
(checkpid $Pid)
RETVAL=$?
[ "$RETVAL" -eq "1" ] && echo '[OK]' || echo '[FAILED]'
/bin/rm -f ${PIDFILE} 2> /dev/null
return $RETVAL
}
restart(){
(stop)
(start)
}
case "$1" in
start)
(start)
RETVAL=$?
;;
stop)
(stop)
RETVAL=$?
;;
restart)
(restart)
RETVAL=$?
;;
status)
(status)
RETVAL=$?
;;
*)
echo $"Usage: $0 {start|stop|status|restart}"
RETVAL=1
;;
esac
exit $RETVAL
#######################################################################
# @OPENSOURCE_HEADER_START@
#
# Use of the SILK system and related source code is subject to the terms
# of the following licenses:
#
# GNU Public License (GPL) Rights pursuant to Version 2, June 1991
# Government Purpose License Rights (GPLR) pursuant to DFARS 252.227.7013
#
# NO WARRANTY
#
# ANY INFORMATION, MATERIALS, SERVICES, INTELLECTUAL PROPERTY OR OTHER
# PROPERTY OR RIGHTS GRANTED OR PROVIDED BY CARNEGIE MELLON UNIVERSITY
# PURSUANT TO THIS LICENSE (HEREINAFTER THE "DELIVERABLES") ARE ON AN
# "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY
# KIND, EITHER EXPRESS OR IMPLIED AS TO ANY MATTER INCLUDING, BUT NOT
# LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE,
# MERCHANTABILITY, INFORMATIONAL CONTENT, NONINFRINGEMENT, OR ERROR-FREE
# OPERATION. CARNEGIE MELLON UNIVERSITY SHALL NOT BE LIABLE FOR INDIRECT,
# SPECIAL OR CONSEQUENTIAL DAMAGES, SUCH AS LOSS OF PROFITS OR INABILITY
# TO USE SAID INTELLECTUAL PROPERTY, UNDER THIS LICENSE, REGARDLESS OF
# WHETHER SUCH PARTY WAS AWARE OF THE POSSIBILITY OF SUCH DAMAGES.
# LICENSEE AGREES THAT IT WILL NOT MAKE ANY WARRANTY ON BEHALF OF
# CARNEGIE MELLON UNIVERSITY, EXPRESS OR IMPLIED, TO ANY PERSON
# CONCERNING THE APPLICATION OF OR THE RESULTS TO BE OBTAINED WITH THE
# DELIVERABLES UNDER THIS LICENSE.
#
# Licensee hereby agrees to defend, indemnify, and hold harmless Carnegie
# Mellon University, its trustees, officers, employees, and agents from
# all claims or demands made against them (and any related losses,
# expenses, or attorney's fees) arising out of, or relating to Licensee's
# and/or its sub licensees' negligent use or willful misuse of or
# negligent conduct or willful misconduct regarding the Software,
# facilities, or other rights or assistance granted by Carnegie Mellon
# University under this License, including, but not limited to, any
# claims of product liability, personal injury, death, damage to
# property, or violation of any laws or regulations.
#
# Carnegie Mellon University Software Engineering Institute authored
# documents are sponsored by the U.S. Department of Defense under
# Contract FA8721-05-C-0003. Carnegie Mellon University retains
# copyrights in all material produced under this contract. The U.S.
# Government retains a non-exclusive, royalty-free license to publish or
# reproduce these documents, or allow others to do so, for U.S.
# Government purposes only pursuant to the copyright license under the
# contract clause at 252.227.7013.
#
# @OPENSOURCE_HEADER_END@
#######################################################################
EOP
) > /etc/init.d/rwflowpack
chmod +x /etc/init.d/rwflowpack
#
# /etc/init/rwflowpack.conf
#
(
cat <<'EOP'
description "rwflowpack"
start on runlevel [2345]
stop on runlevel [016]
respawn
respawn limit 3 12
exec /etc/init.d/rwflowpack start
EOP
) > /etc/init/rwflowpack.conf
#
# /etc/ulogd.conf with pcap logging enabled
#
(
cat <<'EOP'
# Example configuration for ulogd
# Adapted to Debian by Achilleas Kotsis <[email protected]>
[global]
######################################################################
# GLOBAL OPTIONS
######################################################################
# logfile for status messages
logfile="syslog"
# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8) (default 5)
loglevel=3
######################################################################
# PLUGIN OPTIONS
######################################################################
# We have to configure and load all the plugins we want to use
# general rules:
# 1. load the plugins _first_ from the global section
# 2. options for each plugin in seperate section below
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_NFLOG.so"
#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_ULOG.so"
#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_UNIXSOCK.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFCT.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2BIN.so"
#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2HBIN.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_HWHDR.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTFLOW.so"
#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_MARK.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_SYSLOG.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_XML.so"
#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_SQLITE3.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_GPRINT.so"
#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_NACCT.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PCAP.so"
#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PGSQL.so"
#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_MYSQL.so"
#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_DBI.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFACCT.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_GRAPHITE.so"
# this is a stack for logging packet send by system via LOGEMU
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
# this is a stack for packet-based logging via LOGEMU
#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
# this is a stack for ULOG packet-based logging via LOGEMU
#stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
# this is a stack for packet-based logging via LOGEMU with filtering on MARK
#stack=log2:NFLOG,mark1:MARK,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
# this is a stack for packet-based logging via GPRINT
#stack=log1:NFLOG,gp1:GPRINT
# this is a stack for flow-based logging via LOGEMU
#stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU
# this is a stack for flow-based logging via GPRINT
#stack=ct1:NFCT,gp1:GPRINT
# this is a stack for flow-based logging via XML
#stack=ct1:NFCT,xml1:XML
# this is a stack for logging in XML
#stack=log1:NFLOG,xml1:XML
# this is a stack for accounting-based logging via XML
#stack=acct1:NFACCT,xml1:XML
# this is a stack for accounting-based logging to a Graphite server
#stack=acct1:NFACCT,graphite1:GRAPHITE
# this is a stack for NFLOG packet-based logging to PCAP
stack=log2:NFLOG,base1:BASE,pcap1:PCAP
# this is a stack for logging packet to MySQL
#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,mysql1:MYSQL
# this is a stack for logging packet to PGsql after a collect via NFLOG
#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,pgsql1:PGSQL
# this is a stack for logging packets to syslog after a collect via NFLOG
#stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
# this is a stack for logging packets to syslog after a collect via NuFW
#stack=nuauth1:UNIXSOCK,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
# this is a stack for flow-based logging to MySQL
#stack=ct1:NFCT,ip2bin1:IP2BIN,mysql2:MYSQL
# this is a stack for flow-based logging to PGSQL
#stack=ct1:NFCT,ip2str1:IP2STR,pgsql2:PGSQL
# this is a stack for flow-based logging to PGSQL without local hash
#stack=ct1:NFCT,ip2str1:IP2STR,pgsql3:PGSQL
# this is a stack for flow-based logging to SQLITE3
#stack=ct1:NFCT,sqlite3_ct:SQLITE3
# this is a stack for logging packet to SQLITE3
#stack=log1:NFLOG,sqlite3_pkt:SQLITE3
# this is a stack for flow-based logging in NACCT compatible format
#stack=ct1:NFCT,ip2str1:IP2STR,nacct1:NACCT
# this is a stack for accounting-based logging via GPRINT
#stack=acct1:NFACCT,gp1:GPRINT
[ct1]
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
#netlink_resync_timeout=60 # seconds to wait to perform resynchronization
#pollinterval=10 # use poll-based logging instead of event-driven
# If pollinterval is not set, NFCT plugin will work in event mode
# In this case, you can use the following filters on events:
#accept_src_filter=192.168.1.0/24,1:2::/64 # source ip of connection must belong to these networks
#accept_dst_filter=192.168.1.0/24 # destination ip of connection must belong to these networks
#accept_proto_filter=tcp,sctp # layer 4 proto of connections
[ct2]
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
#reliable=1 # enable reliable flow-based logging (may drop packets)
hash_enable=0
# Logging of system packet through NFLOG
[log1]
# netlink multicast group (the same as the iptables --nflog-group param)
# Group O is used by the kernel to log connection tracking invalid message
group=0
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
# set number of packet to queue inside kernel
#netlink_qthreshold=1
# set the delay before flushing packet in the queue inside kernel (in 10ms)
#netlink_qtimeout=100
# packet logging through NFLOG for group 1
[log2]
# netlink multicast group (the same as the iptables --nflog-group param)
group=1 # Group has to be different from the one use in log1
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
# If your kernel is older than 2.6.29 and if a NFLOG input plugin with
# group 0 is not used by any stack, you need to have at least one NFLOG
# input plugin with bind set to 1. If you don't do that you may not
# receive any message from the kernel.
#bind=1
# packet logging through NFLOG for group 2, numeric_label is
# set to 1
[log3]
# netlink multicast group (the same as the iptables --nflog-group param)
group=2 # Group has to be different from the one use in log1/log2
numeric_label=1 # you can label the log info based on the packet verdict
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
#bind=1
[ulog1]
# netlink multicast group (the same as the iptables --ulog-nlgroup param)
nlgroup=1
#numeric_label=0 # optional argument
[nuauth1]
socket_path="/tmp/nuauth_ulogd2.sock"
[emu1]
file="/var/log/ulog/syslogemu.log"
sync=1
[op1]
file="/var/log/ulog/oprint.log"
sync=1
[gp1]
file="/var/log/ulog/gprint.log"
sync=1
timestamp=1
[xml1]
directory="/var/log/ulog/"
sync=1
[pcap1]
file="/var/log/ulog/ulogd.pcap"
sync=0
[mysql1]
db="nulog"
host="localhost"
user="nupik"
table="ulog"
pass="changeme"
procedure="INSERT_PACKET_FULL"
# backlog configuration:
# set backlog_memcap to the size of memory that will be
# allocated to store events in memory if data is temporary down
# and insert them when the database came back.
#backlog_memcap=1000000
# number of events to insert at once when backlog is not empty
#backlog_oneshot_requests=10
[mysql2]
db="nulog"
host="localhost"
user="nupik"
table="conntrack"
pass="changeme"
procedure="INSERT_CT"
[pgsql1]
db="nulog"
host="localhost"
user="nupik"
table="ulog"
#schema="public"
pass="changeme"
procedure="INSERT_PACKET_FULL"
# connstring can be used to define PostgreSQL connection string which
# contains all parameters of the connection. If set, this value has
# precedence on other variables used to build the connection string.
# See http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
# for a complete description of options.
#connstring="host=localhost port=4321 dbname=nulog user=nupik password=changeme"
#backlog_memcap=1000000
#backlog_oneshot_requests=10
# If superior to 1 a thread dedicated to SQL request execution
# is created. The value stores the number of SQL request to keep
# in the ring buffer
#ring_buffer_size=1000
[pgsql2]
db="nulog"
host="localhost"
user="nupik"
table="ulog2_ct"
#schema="public"
pass="changeme"
procedure="INSERT_CT"
[pgsql3]
db="nulog"
host="localhost"
user="nupik"
table="ulog2_ct"
#schema="public"
pass="changeme"
procedure="INSERT_OR_REPLACE_CT"
[pgsql4]
db="nulog"
host="localhost"
user="nupik"
table="nfacct"
#schema="public"
pass="changeme"
procedure="INSERT_NFACCT"
[dbi1]
db="ulog2"
dbtype="pgsql"
host="localhost"
user="ulog2"
table="ulog"
pass="ulog2"
procedure="INSERT_PACKET_FULL"
[sqlite3_ct]
table="ulog_ct"
db="/var/log/ulogd.sqlite3db"
buffer=200
[sqlite3_pkt]
table="ulog_pkt"
db="/var/log/ulogd.sqlite3db"
buffer=200
[sys2]
facility=LOG_LOCAL2
[nacct1]
sync = 1
file = /var/log/ulog/nacct.log
[mark1]
mark = 1
[acct1]
pollinterval = 2
# If set to 0, we don't reset the counters for each polling (default is 1).
#zerocounter = 0
# Set timestamp (default is 0, which means not set). This timestamp can be
# interpreted by the output plugin.
#timestamp = 1
[graphite1]
host="127.0.0.1"
port="2003"
# Prefix of data name sent to graphite server
prefix="netfilter.nfacct"
EOP
) > /etc/ulogd.conf
#
# firewall rules
#
mkdir -p /etc/iptables
(
cat <<'EOP'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -j NETFLOW
[0:0] -A INPUT -p udp -m udp --dport 53 -j NFLOG --nflog-group 1 --nflog-threshold 20
[0:0] -A INPUT -p udp -m udp --sport 53 -j NFLOG --nflog-group 1 --nflog-threshold 20
[0:0] -A INPUT -i eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -i lo0 -j ACCEPT
[0:0] -A INPUT -s 127.0.0.0/16 -d 127.0.0.0/16 -j ACCEPT
[0:0] -A INPUT -s ${ETH0_IPADDR}/32 -i eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -d ${ETH0_IPADDR}/32 -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -j NETFLOW
[0:0] -A FORWARD -p udp -m udp --dport 53 -j NFLOG --nflog-group 1 --nflog-threshold 20
[0:0] -A FORWARD -p udp -m udp --sport 53 -j NFLOG --nflog-group 1 --nflog-threshold 20
[0:0] -A FORWARD -i eth1 -o eth0 -j ACCEPT
[0:0] -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -j NETFLOW
[0:0] -A OUTPUT -p udp -m udp --dport 53 -j NFLOG --nflog-group 1 --nflog-threshold 20
[0:0] -A OUTPUT -p udp -m udp --sport 53 -j NFLOG --nflog-group 1 --nflog-threshold 20
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOP
) > /etc/iptables/rules.v4
# auto-load iptables rules
(
cat <<'EOP'
#!/bin/sh
iptables-restore < /etc/iptables/rules.v4
EOP
) > /etc/network/if-up.d/iptables
chmod +x /etc/network/if-up.d/iptables
echo "iptables-persistent iptables-persistent/autosave_v4 boolean true" | debconf-set-selections
#
# Enable traffic forwarding and disable ipv6
#
(
cat <<'EOP'
net.ipv4.ip_forward=1
net.ipv6.conf.all.disable_ipv6=1
EOP
) >> /etc/sysctl.conf
#
# Configure a backup server
#
# Substitute ${backup-server}:${backup-path}
(
cat <<'EOP'
#!/bin/bash
rsync -avz /data ${backup-server}:${backup-path}
rsync -avz /etc/iptables/rules.v4 ${backup-server}:${backup-path}
rsync -avz /var/log/ulog ${backup-server}:${backup-path}
EOP
) > /home/kyoder/backup-cron.sh
chmod +x /home/kyoder/backup-cron.sh
# Add backup script to a cron job
#sudo echo '0 3 * * * /home/kyoder/backup-cron.sh' | crontab -
#
# Add a script used to check status on the whole mess
#
(
cat <<'EOP'
#!/bin/bash
#
#
echo "ipt_NETFLOW module:"
lsmod | grep NETFLOW
echo -e '.\n'
echo "route status:"
route -n
echo -e '.\n'
echo "netstat status:"
netstat -ptaun
echo -e '.\n'
echo iptables:
iptables -L -nvx
echo -e '.\n'
EOP
) > /home/kyoder/status
chmod +x /home/kyoder/status
# Update bashrc
(
cat <<'EOP'
alias ls='/bin/ls --color'
alias ll='ls -lF'
alias tree='tree -A'
export EDITOR=vim
EOP
) >> /etc/skel/.bashrc
# Create a login banner with instructions on what to do next
(
cat <<'EOP'
#!/bin/bash
echo "You're almost done setting up..."
echo
echo "Stuff you still need to do:"
echo "- Change password on \${USER} account"
echo "- sudo chown -R \${USER}:\${USER} /home/\${USER}/* /home/\${USER}/.*"
echo "- rebuild ipt_NETFLOW kernel module"
echo " - cd ipt-netflow.git && m-a prepare && ./configure --enable-direction && make all install"
echo " - modprobe ipt_NETFLOW"
echo "- Fill in \${ETH0_IPADDR} in /etc/iptables/rules.v4"
echo "- Fill in \${ETH1_IPADDR} in /etc/network/interfaces"
echo "- ifup eth1"
echo "- Fill in \${backup-server} and \${backup-path} in /home/\${USER}/backup-cron.h"
echo "- add a cron job to run backup-cron.sh periodically"
echo "- delete /etc/update-motd.d/99-edge-tasks (this message)"
EOP
) > /etc/update-motd.d/99-edge-tasks
chmod +x /etc/update-motd.d/99-edge-tasks
update-motd
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment