– Đặt hostname:
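# Set the system hostname. The same name is used as server_name in the nginx TLS vhost later in this runbook.
hostnamectl set-hostname fnm-vnpt.cloudzone.vn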
– Cấu hình firewall để limit access:
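# Whitelist the management sources, then drop the generic ssh service so SSH is only reachable from them.
# Every rule is --permanent, so nothing changes until the --reload at the end. Run this from a session whose
# source address is in the list (or from the console): once ssh is removed from the zone, other sources are
# rejected only if the zone's default behaviour rejects unmatched traffic - confirm with `firewall-cmd --list-all`.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="117.2.164.107/32" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="103.95.197.149/32" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="49.236.208.55/32" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.10.200.147/32" accept'
# This source is limited to HTTPS instead of full access.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="103.161.118.224/32" port port="443" protocol="tcp" accept'
firewall-cmd --permanent --remove-service=ssh
firewall-cmd --reload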
– Cài các gói cần thiết:
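# Base packages. `pip3 install` as root drops requests into the system site-packages where dnf will not
# update it; prefer the distro package (python3-requests) where it is available.
dnf update -y
dnf install -y wget vim python3-pip git
pip3 install requests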
– Cài đặt Fastnetmon Community:
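# Fastnetmon Community. The installer is fetched over HTTPS and executed as root with no integrity check
# shown here; inspect it (or verify it against a vendor-published checksum, if one exists) before running it.
wget https://install.fastnetmon.com/installer -O installer
chmod +x ./installer
./installer -install_community_edition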
– Cài đặt Fastnetmon Advanced:
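# Fastnetmon Advanced: same installer, activated with the coupon from the license e-mail.
# The coupon is a credential; passed on argv it ends up in shell history and is visible in `ps` while the
# installer runs, so remove it from history afterwards.
wget https://install.fastnetmon.com/installer -O installer
sudo chmod +x installer
sudo ./installer -activation_coupon '<LICENSE_COUPON_FROM_EMAIL>'   # placeholder: paste the coupon from the license e-mail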
– Thêm các subnet cần check vào /etc/networks_list, đối với Fastnetmon Community
– Các subnet cần loại trừ vào /etc/networks_whitelist, đối với Fastnetmon Community
– Đối với Fastnetmon Advanced không dùng /etc/networks_list, thay vào đó ta dùng:
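# Fastnetmon Advanced keeps its network lists in its own config store instead of /etc/networks_list.
# Run one `fcli set` per subnet and commit once at the end; whether `set` appends to or replaces the list
# is not shown on this page - check the result with `fcli show main` before committing.
fcli set main networks_list '<SUBNET/PREFIX>'        # placeholder: a subnet to monitor, repeat per subnet
fcli set main networks_whitelist '<SUBNET/PREFIX>'   # placeholder: a subnet to exclude, repeat per subnet
fcli commit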
– cấu hình sflow trên core switch để đẩy lưu lượng về (Anh Vũ cấu hình)
feature sflow
sflow max-sampled-size 256
sflow max-datagram-size 2000
sflow collector-ip 10.10.30.255 vrf default
sflow agent-ip 10.10.30.1
sflow data-source interface port-channel41
– Tạo symlink cho gobgp như sau:
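# Put the gobgp CLI bundled with Fastnetmon on PATH; notify_about_attack.py calls /usr/local/bin/gobgp.
# The source path pins gobgp 3.12.0, so the link will dangle if an upgrade renames that directory.
ln -s /opt/fastnetmon/libraries/gobgp_3_12_0/gobgp /usr/local/bin/gobgp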
– Tạo scripts chặn/notify khi IP ban:
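# Write the notify script. Quoting the delimiter keeps the heredoc literal (no $ expansion inside the Python),
# and > instead of >> makes the step idempotent: appending a second copy would push the shebang off line 1.
cat <<'EOF' >/usr/local/bin/notify_about_attack.py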
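#!/usr/bin/python3
"""Fastnetmon notify hook: announce/withdraw an RTBH route via gobgp and POST the event to the dashboard.

Invoked by fastnetmon (notify_script_path / notify_script_hostgroup_path) as:
    notify_about_attack.py <client_ip> <data_direction> <pps> <action>
Only 'ban' and 'unban' trigger the route change and the dashboard POST; other actions are just logged.

Configuration via environment (set it in the unit/environment fastnetmon runs under):
    FNM_NOTIFY_API_TOKEN  token for the dashboard API. An earlier version of this script carried the
                          token as a string literal; a token that has been pasted into a runbook should
                          be treated as exposed and rotated.
"""
import logging
import os
import subprocess
import sys

# File listing addresses that receive the "permanent" community tag.
# NOTE(review): relative path - it resolves against the working directory of whatever process runs this
# script (fastnetmon's cwd, presumably not this directory). Confirm, and prefer an absolute path.
BLOCK_LIST_FILE = "block_all.txt"

LOG_FILE = "/var/log/fastnetmon-notify.log"
GOBGP = "/usr/local/bin/gobgp"
RTBH_NEXTHOP = "10.10.200.168"
RTBH_ASN = "18403"
# Community tag: 666 for addresses listed in BLOCK_LIST_FILE, 667 for everything else.
TAG_PERMANENT = 666
TAG_TEMPORARY = 667

API_URL_BASE = "https://dashboard.cloudzone.vn/api/fnmonnoti"
API_TOKEN = os.environ.get("FNM_NOTIFY_API_TOKEN", "")

logger = logging.getLogger("DaemonLog")


def ip_exists_in_file(ip_to_check, file_path=BLOCK_LIST_FILE):
    """Return True if ip_to_check appears as a (whitespace-stripped) line of file_path.

    A missing file is reported on stdout and treated as "not listed" instead of raised, so a ban
    still proceeds with the temporary tag.
    """
    try:
        with open(file_path, "r") as fh:
            return ip_to_check in [line.strip() for line in fh]
    except FileNotFoundError:
        print("Không tìm thay file:", file_path)
        return False


def _configure_logging():
    """Attach the log file handler; done at run time, not import time, so the module can be imported/tested."""
    logger.setLevel(logging.INFO)
    handler = logging.FileHandler(LOG_FILE)
    handler.setFormatter(logging.Formatter("%(asctime)s - %(name)s - %(levelname)s - %(message)s"))
    logger.addHandler(handler)


def _update_rtbh(client_ip, action):
    """Add (ban) or delete (unban) the /32 RTBH route for client_ip through gobgp.

    Addresses listed in BLOCK_LIST_FILE get community <ASN>:666 and are never withdrawn on unban
    (the route is only touched when the tag is 667 or the action is a ban). Returns gobgp's exit
    status, or None when no command was run.
    """
    command_act = "add" if action == "ban" else "del"
    rtbh_tag = TAG_PERMANENT if ip_exists_in_file(client_ip) else TAG_TEMPORARY
    if rtbh_tag != TAG_TEMPORARY and command_act != "add":
        return None
    # argv list, not a shell string: the address is passed as one argument, never interpreted by a shell
    command = [
        GOBGP, "global", "rib", command_act, "-a", "ipv4", f"{client_ip}/32",
        "origin", "igp", "nexthop", RTBH_NEXTHOP, "community", f"{RTBH_ASN}:{rtbh_tag}",
    ]
    result = subprocess.run(command)
    if result.returncode != 0:
        logger.error("gobgp exited with status %s: %s", result.returncode, " ".join(command))
    return result.returncode


def _post_notification(client_ip, action, pps, data_direction):
    """Best-effort POST of the event to the dashboard API; failures are logged, never raised."""
    import requests  # third-party; imported here so the helpers above import without it

    if not API_TOKEN:
        logger.error("FNM_NOTIFY_API_TOKEN is not set; skipping dashboard notification")
        return
    headers = {"Content-Type": "application/json",
               "Authorization": "Token {0}".format(API_TOKEN)}
    body = {"ip": client_ip,
            "action": action,
            "pps": pps,
            "direct": data_direction,
            "vnpt": 1}
    try:
        # A timeout keeps an unresponsive dashboard from stalling fastnetmon's notify pipeline.
        response = requests.post(API_URL_BASE, json=body, headers=headers, timeout=10)
        response.raise_for_status()
    except requests.RequestException as exc:
        logger.error("dashboard notification failed: %s", exc)


def main(argv):
    """Entry point. argv = [script, client_ip, data_direction, pps, action]; always returns 0 like the original."""
    _configure_logging()
    client_ip_as_string = argv[1]
    data_direction = argv[2]
    pps = int(argv[3])
    action = argv[4]
    logger.info(" - ".join(argv))
    if action in ["ban", "unban"]:
        _update_rtbh(client_ip_as_string, action)
        _post_notification(client_ip_as_string, action, pps, data_direction)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))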
EOF
|
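# Make the notify script executable; fastnetmon runs it directly (see notify_script_path below), so it is
# executed with whatever privileges fastnetmon has. Keep it root-owned and not world-writable, and keep
# secrets out of it (read them from the environment instead) if other local users can read /usr/local/bin.
chmod +x /usr/local/bin/notify_about_attack.py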
– Đối với Fastnetmon Community:
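# Fastnetmon Community: point the notify hook in /etc/fastnetmon.conf at the Python script.
# Every occurrence of the default notify_about_attack.sh in the file is rewritten.
sed -i -e 's/notify_about_attack.sh/notify_about_attack.py/g' /etc/fastnetmon.conf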
– Cài đặt influxdb, đối với Fastnetmon Community:
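# InfluxData yum repo for the Fastnetmon Community metrics backend. Written with > rather than >> so a
# re-run does not append a duplicate [influxdata] section; gpgcheck stays on so packages are verified
# against the listed key.
cat <<'EOF' >/etc/yum.repos.d/influxdb.repo
[influxdata]
name = InfluxData Repository - Stable
baseurl = https://repos.influxdata.com/rhel/9/x86_64/stable/
enabled = 1
gpgcheck = 1
gpgkey = https://repos.influxdata.com/influxdata-archive_compat.key
EOF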
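# Install and enable InfluxDB, then create the database with a 30-day retention policy. The CREATE
# statement was typed at the interactive influx prompt in the original; -execute runs it non-interactively.
dnf install influxdb -y
systemctl start influxdb
systemctl enable influxdb
influx -execute 'CREATE DATABASE fastnetmon WITH DURATION 30d REPLICATION 1 NAME fastnetmon_default_rp'
# InfluxDB listens on 8086 and /etc/fastnetmon.conf further down uses influxdb_auth = off, so make sure 8086
# is not reachable from outside this host; the firewalld rules at the top are the only control shown here.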
– Cài đặt DB Clickhouse, dùng cho Fastnetmon Advanced:
link tham khảo: https://fastnetmon.com/docs-fnm-advanced/advanced-visual-traffic/
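# Fastnetmon Advanced graphic stack (ClickHouse + Grafana). The Grafana login password is printed when
# the installer finishes - capture it from the terminal, it is not written anywhere this runbook shows.
./installer -install_graphic_stack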
=> Mật khẩu login web Grafana sẽ hiện sau khi cài đặt xong.
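# Do not expose the fastnetmon-web service through firewalld; Grafana is fronted by the nginx TLS vhost instead.
firewall-cmd --permanent --remove-service=fastnetmon-web
firewall-cmd --reload
# Sanity checks - ClickHouse up and the provisioned Grafana datasource present - then restart both services.
systemctl status clickhouse-server
ls -al /etc/grafana/provisioning/datasources/fastnetmon-clickhouse.yaml
systemctl restart clickhouse-server
systemctl restart grafana-server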
– Cài đặt DB cho Clickhouse:
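# Fastnetmon Advanced -> ClickHouse metrics. The host is loopback, so this export does not rely on the
# <listen_host> 0.0.0.0 change made further down; that change is only needed by remote dashboards.
fcli set main clickhouse_metrics true
fcli set main clickhouse_metrics_host 127.0.0.1
fcli set hostgroup global networks '<SUBNET/PREFIX>'   # placeholder: one monitored subnet, repeat per subnet
fcli set main clickhouse_metrics_port 9000
fcli set main clickhouse_metrics_database fastnetmon
fcli set main clickhouse_metrics_push_period 1
fcli commit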
– Cấu hình trong fcli set main:
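# Ban and notify settings (Fastnetmon Advanced). Both notify hooks - the main one and the hostgroup one -
# point at the same script; the script assumes the same four arguments in both cases, which this page
# does not confirm. Flow-based bans stay off; bandwidth and pps bans are on.
fcli set main enable_ban true
fcli set main notify_script_hostgroup_enabled true
fcli set main notify_script_hostgroup_path /usr/local/bin/notify_about_attack.py
fcli set main notify_script_enabled true
fcli set main notify_script_path /usr/local/bin/notify_about_attack.py
fcli set hostgroup global enable_ban true
fcli set main enable_ban_hostgroup true
fcli set hostgroup global enable_ban_incoming true
fcli set hostgroup global ban_for_bandwidth true
fcli set hostgroup global ban_for_pps true
fcli set hostgroup global ban_for_flows false
fcli set main sflow_ports 6343
fcli commit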
– Lệnh check DB trong Clickhouse:
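# Verify the ClickHouse schema created by the graphic stack installer. The original typed these at the
# clickhouse-client prompt; --query runs them non-interactively.
clickhouse-client --query 'SHOW DATABASES'            # the fastnetmon database must be listed
clickhouse-client --query 'SHOW TABLES FROM fastnetmon'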
– Cài đặt Grafana, cho Fastnetmon Community:
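# Fastnetmon Community graphic stack (InfluxDB + Grafana). The installer was fetched with a relative path
# earlier; this assumes that happened in /root. Note the Grafana password printed when it finishes.
cd /root
./installer -install_graphic_stack_community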
=> Lúc cài xong lưu ý mật khẩu login web Grafana ở đây.
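# Provision the InfluxDB datasource for Grafana (Fastnetmon Community). > instead of >> keeps the step
# idempotent; the datasource targets loopback, so no InfluxDB port needs to be opened for it.
cat <<'EOF' >/etc/grafana/provisioning/datasources/fastnetmon.yaml
apiVersion: 1
datasources:
  - orgId: 1
    version: 1
    name: InfluxDB
    type: influxdb
    access: proxy
    url: http://127.0.0.1:8086
    database: fastnetmon
    isDefault: true
    uid: fastnetmoninfluxdbdatasource
EOF
systemctl restart influxdb
systemctl restart grafana-server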
– Trong bản Fastnetmon Advanced sẽ không có file /etc/fastnetmon.conf thay vào đó ta sẽ connect vào DB để config:
– Để connect với mongoDB, Download mongoDB compass và connect bằng ssh -> connect vào db:
username: fastnetmon_user
pass: <Nằm trong file /etc/fastnetmon/keychain/.mongo_fastnetmon_password>
– Mở public cho port 8123 và 9000, đối với Fastnetmon Advanced:
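# Fastnetmon Advanced: make ClickHouse (HTTP 8123 / native 9000) listen on all interfaces so an external
# dashboard can query it. 0.0.0.0 exposes both ports on every network the host is attached to, and nothing
# on this page shows a password being set for the ClickHouse users, so the firewalld zone rules at the top
# are the only access control visible - confirm the zone rejects unmatched traffic, or bind to just the
# interface the dashboard reaches instead of 0.0.0.0. The value to set in config.xml is:
#   <listen_host>0.0.0.0</listen_host>
vi /etc/clickhouse-server/config.xml
systemctl restart clickhouse-server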
– Limits for Dos/DDoS attacks, trong Fastnetmon Advanced:
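# Attack thresholds (Fastnetmon Advanced). ban_time is how long a block stays before the notify script is
# called again with 'unban' (5400 is 90 minutes if the unit is seconds - confirm in the fcli documentation).
fcli set hostgroup global threshold_pps 600000
fcli set hostgroup global threshold_mbps 5000
fcli set hostgroup global threshold_flows 3500
fcli set main ban_time 5400
fcli set main sflow on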
– Điều chỉnh các thông số cho Fastnetmon Community trong file /etc/fastnetmon.conf:
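# /etc/fastnetmon.conf (Fastnetmon Community) - the values from this runbook, one per line.
enable_ban = on
enable_ban_hostgroup = on
enable_ban_incoming = on
ban_for_bandwidth = on
ban_for_pps = on
ban_for_flows = on
enable_ban_ipv6 = on
# NOTE(review): the next three keys repeat earlier ones with different values (ban_for_pps and
# ban_for_flows flip to off). The runbook lists both sets; which one fastnetmon honours is not shown
# here - decide which is intended and delete the other.
ban_for_pps = off
ban_for_bandwidth = on
ban_for_flows = off
# InfluxDB export. With influxdb_auth = off the user/password below are not used by fastnetmon; whether
# InfluxDB itself requires credentials on 8086 is governed by its own config, which this page does not show.
influxdb = on
influxdb_host = 127.0.0.1
influxdb_port = 8086
influxdb_database = fastnetmon
influxdb_auth = off
influxdb_user = fastnetmon
influxdb_password = secure
influxdb_push_period = 1
clickhouse_metrics = on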
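# Apply the /etc/fastnetmon.conf changes.
systemctl restart fastnetmon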
– Lưu data trong vòng 35 ngày bằng cách set TTL cho mỗi table có trong DB Fastnetmon Advanced:
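# Retention for Fastnetmon Advanced metrics. The heading asks for 35 days but the TTL below is 36 - pick one.
# Only asn_metrics_ipv4 is altered here although the heading says every table: list them with
# SHOW TABLES FROM fastnetmon and repeat the ALTER per table (SHOW CREATE TABLE shows whether a table has
# a metricDate column and an existing TTL).
clickhouse-client --query 'SHOW CREATE TABLE fastnetmon.host_metrics'
clickhouse-client --query 'ALTER TABLE fastnetmon.asn_metrics_ipv4 MODIFY TTL metricDate + toIntervalDay(36)'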
– Cấu hình Domain và SSL:
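# /etc/nginx/sites-available/grafana.conf as shown by `cat` in the runbook. The listing is cut off inside
# the second server block's `location /`; everything after that point is not on the page.
server {
    # Listen on IPv6
    listen [::]:81;
    # Listen on IPv4
    listen 81;

    root /usr/share/nginx/www;
    index index.html index.htm;

    proxy_connect_timeout 300;
    proxy_send_timeout 300;
    proxy_read_timeout 300;
    send_timeout 300;

    # Plain HTTP on 81 with basic auth: the credentials travel in clear text, so this listener should only
    # be reachable from the whitelisted management sources (the firewalld rules at the top of the runbook).
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;

    gzip on;
    gzip_comp_level 9;
    gzip_types application/json text/plain application/xml text/javascript text/css application/ecmascript application/octet-stream;

    location / {
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:3000/;
    }
}

server {
    listen 443 ssl;
    http2 on;
    server_name fnm-vnpt.cloudzone.vn;

    ssl_certificate /etc/grafana/grafana.crt;
    ssl_certificate_key /etc/grafana/grafana.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # HIGH:!aNULL:!MD5 is a broad legacy list; a modern explicit TLS 1.2 cipher list is preferable.
    ssl_ciphers HIGH:!aNULL:!MD5;

    root /usr/share/nginx/www;
    proxy_connect_timeout 300;

    # `satisfy any` lets a request through when EITHER auth_basic OR an allow/deny rule accepts it. No
    # allow/deny directives and no auth_basic_user_file appear in this block before the cut-off, so whether
    # basic auth is actually enforced on 443 depends on the part of the file not shown - check the rest.
    satisfy any;
    auth_basic "Restricted";
    gzip on;

    location / {
        # ... listing truncated at this point in the runbook ...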
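# Validate the config first and only restart when it passes, so a syntax error does not take Grafana's front door down.
nginx -t && systemctl restart nginx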
– Lấy mật khẩu để Dashboard kết nối đến Clickhouse của Fastnetmon Advanced thực hiển check TopBW:
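# The provisioned datasource file holds the credentials Grafana uses for ClickHouse (the heading above says
# the password is taken from here). Read it locally; do not paste its contents into tickets or chat.
cat /etc/grafana/provisioning/datasources/fastnetmon-clickhouse.yaml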