So a friend wanted something to monitor their home network, and I remembered ntop from back in the day, before I got into things like Security Onion. My friend just wanted to know who was talking to whom on their network and didn't really need all the bells and whistles. So they, like many of you loveable lot, came to me for advice. Security Onion is way over the top for their use case and threat model, and I assume it is for you too if you are reading this.
So I figured: why not use softflowd to export from their OpenWRT router to ntop? Well, ntop has been ntopng for quite some time, and (unless you want to play about with Ethernet port mirroring) the most common way to use it is to have NetFlow exporters on your router(s), which feed NetFlow v5/v9/v10 packets into a collector (nProbe), which in turn pushes those flows into a message queue (ZMQ). ntopng then connects as an MQ client, pulls the flows out of the queue, presents them in a pretty web interface and lets you do things like alerting.
router(exporter) --> Netflow Packet --> nProbe(collector) --> ZMQ <-- ntopng
While that tried and tested recipe is great, nProbe costs (at the time of writing) 299.95 EUR to license. If you try various Docker images with ntopng and nProbe, they will work for a few minutes, then stop working after a certain number of NetFlow packets, because there is no license for the component that sits between the router and ntopng. Those playing with this kind of thing at home/SOHO likely end up frustrated, thinking they did something wrong, and give up on having an extra layer of security on their home/SOHO network.
Now, for an SME or big enterprise, 300 EUR is nothing, but for a security-conscious kiddo on a budget that is a whole bunch of finger fabric (and in many cases four or five times the cost of the router being monitored). If you are a small, medium or large enterprise, go buy the 300 EUR nProbe software from ntop; it is worth it. It does a whole heap more and is going to make your life easier in the long run.
But if you just want to monitor your home/SOHO LAN, don't need high-hundreds-of-megabit (or above) speeds and can sacrifice some things, then read on....
- A router which exports NetFlow v9 (such as OpenWRT, pfSense or DD-WRT via the FOSS 'softflowd' daemon)
- This Docker image, which runs:
  - ntopng compiled with nDPI
  - netflow2ng
  - Redis
Why yes! This solution supports DPI. It compiles nDPI, the open and extensible LGPLv3 deep packet inspection library, into ntopng at build time. So if something on the network is talking on an uncommon port, you should catch it.
I've cobbled together a solution which relies upon Aaron Turner (synfinatic), who it seems not only writes great utilities with quirky names (such as the awesomely catchphrased 'udp-proxy-2000', "a crappy UDP router for the year 2020 and beyond"), but who takes time out of their busy day to replace the nProbe component with a FOSS utility that does the same thing. Introducing netflow2ng, which will:
- Collect NetFlow v9 stats from one or more exporters (only v9; it doesn't do sFlow, v5 or IPFIX)
- Run a ZMQ Publisher for ntopng to collect metrics from
- Prometheus metrics
- NetFlow Templates
- Absolutely no commercial support whatsoever
- Hardly any testing
- May not support the latest versions/features of ntopng
- Written in Go instead of C/C++
- netflow2ng uses goflow for NetFlow decoding (for more information on which NetFlow fields are supported in netflow2ng, please read the goflow docs)
Disclaimers from synfinatic aside, I've seen this solution working just fine at several hundred megabits without making the CPU sweat. I also love that Aaron lists "not tested" and "no commercial support" as features.
I like Aaron even more already. It's free, it seems pretty stable and hey, if you want guarantees then go buy nProbe.
You need Docker to expose TCP port 3000 (for the ntopng web interface) and UDP port 2055 (the NetFlow collector):
-p 3000:3000/tcp -p 2055:2055/udp
OK, GeoIP you need a license for: go to maxmind.com and sign up. MaxMind is free for this use, so just go and do it. You can leave it out, but then you won't get GeoIP lookups in ntopng, and it is about 5 minutes out of your day. You want MaxMind to generate a 'GeoIP.conf' for 'geoipupdate' (select the option for the newer versions), then copy/paste your AccountID and license key as Docker variables. You can look in the downloaded GeoIP.conf and pass the AccountID and LicenseKey from there as Docker variables:
-e ACCOUNTID="123456" -e LICENSEKEY="xxxxxxxxxxxxxxxx"
ntopng likes to know what's local, and it makes things easier for you too. You tell it this with the -e LOCALNET option, providing the network in CIDR notation. So if your network is 192.168.1.0, it looks like this:
-e LOCALNET="192.168.1.0/24"
If you have multiple exporters and a few networks, then you can use a comma-separated list:
-e LOCALNET="192.168.1.0/24,10.0.0.0/24"
If you don't set this, it defaults to assuming 192.168.1.0/24 is your local network.
Unless you want to start alerts etc. from scratch every time you trash the container, you might want to persist the ntopng data directory on the host:
-v /path/to/save/files/on/host:/var/lib/ntopng
If you don't set this, destroying the Docker container destroys all of your config.
The build supports -e PUID and -e PGID to set the user ID and group ID on the host system. ntopng, netflow2ng and redis will appear to run under this UID and GID on the host. So if you set up a user with ID 1001 and group ID 1001 on the host for ntopng, netflow2ng and redis to run as, you would use this:
-e PUID=1001 -e PGID=1001
ntopng expires flows after some time. You can dump expired flows to Elasticsearch, syslog or a MySQL database; the -e FLOWDUMP switch passes the ntopng executable the '-F' command line switch. You can read up about the options here. Note that nIndex is only available in the licensed Enterprise edition of ntopng.
For MySQL it would be:
-e FLOWDUMP="mysql;<host|socket>;<dbname>;<table name>;<user>;<pw>"
If you don't set this, flows disappear as soon as they expire. Tip: it should be pretty easy to set up a Docker mariadb instance, database, user and password, then point the -e FLOWDUMP string at that.
You can use -e ADVANCED to pass additional command line options to ntopng. In the example, we pass the --http-prefix option that you would use if you were running ntopng behind a reverse proxy such as nginx:
-e ADVANCED="--http-prefix=/ntopng"
git clone https://github.com/homesecsi/ntopng ntopng-docker
cd ntopng-docker
docker build -t ntopng .
docker pull homesecsi/ntopng
docker run -it \
--name ntopng \
-p 3000:3000/tcp \
-p 2055:2055/udp \
-e PUID=1000 \
-e PGID=1000 \
-e ACCOUNTID="123456" \
-e LICENSEKEY="xxxxxxxxxxxxxxx" \
-e LOCALNET="192.168.1.0/24" \
-v /path/to/save/files/on/host:/var/lib/ntopng \
--restart unless-stopped \
homesecsi/ntopng
docker run -it \
--name ntopng \
-p 3000:3000/tcp \
-p 2055:2055/udp \
-e ACCOUNTID="123456" \
-e PUID=1000 \
-e PGID=1000 \
-e LICENSEKEY="xxxxxxxxxxxxxxx" \
-e LOCALNET="192.168.1.0/24" \
-v /path/to/save/files/on/host:/var/lib/ntopng \
--restart unless-stopped \
ntopng
Make sure the machine running Docker allows port 3000 TCP and port 2055 UDP inbound from your router's IP. Don't forget to restart your firewall to pick up the change. If you can connect your web browser to ntopng but don't see anything arriving, this is the first thing to check.
There are loads of NetFlow exporters out there in the commercial market. You would just configure yours to send NetFlow v9 templates and flows to the IP of your Docker host, using UDP on port 2055. Pretty much anything that exports v9 NetFlow should work fine (pfSense, softflowd etc.).
You want to install softflowd. You can do that in LuCI (the OpenWRT web interface) or over SSH. As there is no LuCI interface to configure softflowd, you may as well SSH into your router to install it, since you need to do that to configure it anyway:
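To make concrete what "templates and flows" means, and why a collector can do nothing with an exporter's data packets until it has seen the matching template, here is an added NetFlow v9 decoder that keeps a template cache and reports data flowsets it had to skip. This is example code written for this post, not part of netflow2ng, goflow or ntopng; the two sample packets and the field set in template 256 are constructed, not captured from a router.

```python
import struct
import ipaddress

# NetFlow v9 field type ids (RFC 3954) for the fields in the constructed samples below
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}
def decode_field(ftype, raw):
    return str(ipaddress.IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")

def parse_v9(packet, templates):
    """Decode one v9 packet; `templates` is the collector's cache keyed (source_id, template_id)."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    records, skipped, pos = [], [], 20
    while pos + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[pos:pos + 4])
        body = packet[pos + 4:pos + fs_len]
        if fs_id == 0:                      # template flowset, may carry several templates
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                templates[(source_id, tid)] = list(struct.iter_unpack("!HH", body[p + 4:p + 4 + 4 * nfields]))
                p += 4 + 4 * nfields
        elif fs_id >= 256:                  # data flowset: decodable only once its template is cached
            tmpl = templates.get((source_id, fs_id))
            if tmpl is None:
                skipped.append(fs_id)
            else:
                rec_len = sum(flen for _, flen in tmpl)
                for start in range(0, len(body) - rec_len + 1, rec_len):   # trailing pad bytes ignored
                    rec, q = {}, start
                    for ftype, flen in tmpl:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[q:q + flen])
                        q += flen
                    records.append(rec)
        pos += max(fs_len, 4)               # never stall on a malformed zero-length flowset
    return records, skipped                 # skipped: data flowset ids with no template known yet

# Constructed sample exporter output (not from a real router): template 256, then a data packet using it
def flowset(fs_id, body):
    pad = (-len(body)) % 4                  # flowsets are padded to a 4-byte boundary
    return struct.pack("!HH", fs_id, 4 + len(body) + pad) + body + b"\0" * pad
def v9_packet(seq, source_id, *flowsets):
    return struct.pack("!HHIIII", 9, len(flowsets), 1000, 1700000000, seq, source_id) + b"".join(flowsets)
TEMPLATE_256 = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]   # 21-byte records
TEMPLATE_PKT = v9_packet(1, 1, flowset(0, struct.pack("!HH", 256, 7)
                                       + b"".join(struct.pack("!HH", *f) for f in TEMPLATE_256)))
DATA_PKT = v9_packet(2, 1, flowset(256, struct.pack("!4s4sHHBII", bytes([192, 168, 1, 20]),
                                                    bytes([1, 1, 1, 1]), 51234, 53, 17, 312, 4)))
```

Feed DATA_PKT before TEMPLATE_PKT and the record comes back in `skipped`; feed the template first and the same bytes decode to a DNS flow from 192.168.1.20. softflowd re-sends its templates periodically, which is why a freshly started collector sees flows only after a short delay.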
ssh root@your.router.ip
opkg update
opkg install softflowd
vi /etc/config/softflowd
You want /etc/config/softflowd to look something like this. A 'sampling_rate' of 100 samples 1 in 100 packets; a 'sampling_rate' of 1 samples every packet but may make your CPU hurt under load. Depending on your router model and capacity, I recommend setting it low (like 1 or 2) and then stress testing the network while monitoring the router's CPU use. Tune it to a point where you are not using more than 75% CPU under full load; on an Asus RT-AC86U I found it would run 300+ Mbps on br-lan with 'sampling_rate 1' and not even hit 40% use.
Obviously, change 'docker.host.ip.address.goes.here' to the IP of the machine the Docker image is running on.
config softflowd
	option enabled '1'
	option interface 'br-lan'
	option pcap_file ''
	option timeout 'maxlife=60'
	option max_flows '8192'
	option host_port 'docker.host.ip.address.goes.here:2055'
	option pid_file '/var/run/softflowd.pid'
	option control_socket '/var/run/softflowd.ctl'
	option export_version '9'
	option hoplimit ''
	option tracking_level 'full'
	option track_ipv6 '1'
	option sampling_rate '1'
When you are happy, exit vi (press : then type wq and press Enter), then you can start softflowd:
/etc/init.d/softflowd restart
NOTE: softflowd will not report any network flows that have used "Hardware flow offload" (aka hardware NAT), which is set in the OpenWRT firewall settings (mt762x chipsets only, currently).
Now just point your browser here:
http://docker.host.ip.address.goes.here:3000
You are now monitoring your SOHO/home network using pure FOSS components.