Gentoo Wiki

IPAudit

IPAUDIT and IPAUDIT-WEB Howto.

This is my first post so please be patient with me.


WORK in PROGRESS...


Introduction

IPAudit is a network activity monitor that can monitor traffic on a network by host, protocol and port.

Here we will install IPAudit and IPAudit-web, set them up to "sniff" network traffic, and make the results viewable through Apache.

Installation

The installation has 2 parts - installing ipaudit from portage and then downloading and installing ipaudit-web.

To emerge ipaudit we first need to add it to /etc/portage/package.keywords:

echo "net-analyzer/ipaudit ~x86" >> /etc/portage/package.keywords
emerge ipaudit

The installation of ipaudit-web requires a user, so:

groupadd ipaudit
useradd -g ipaudit -d /var/spool/ipaudit -m ipaudit

Now get the ipaudit-web source. This can be obtained via a web download or by CVS.

web download from IPAUDIT-WEB


cvs: (straight from the INSTALL DOCS)

ADDR=pserver:anonymous@cvs.ipaudit.sourceforge.net:/cvsroot/ipaudit
cvs -d:$ADDR login 
cvs -d:$ADDR co ipaudit-web

When you're prompted for

      CVS password: _ 
just hit enter.


Compile:

cd ipaudit-web/compile
./configure
make
make install         # as root
make install-cron    # as root

The "make install-cron" will install the new crontab entries as the user ipaudit - so make sure that the /usr/bin/crontab binary is executable by the user ipaudit.

The "make install" will install the scripts and binaries into /var/spool/ipaudit.

Since the package you download contains the ipaudit binary as well, you can either use that or link your emerge'd binary in. I chose to link the binary in instead, as any updates to ipaudit from portage will then update ipaudit-web as well.

cd /var/spool/ipaudit/bin
rm ipaudit
ln -s /usr/sbin/ipaudit ipaudit
chmod u+rwxs /usr/sbin/ipaudit

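The setuid bit (the "s" in u+rwxs; this is not the sticky bit) needs to be set because the user ipaudit will be running ipaudit, and ipaudit needs to put the network interface into promiscuous mode. With this bit set, the binary runs with the privileges of its owner for every user who is allowed to execute it.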
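The following is an added example, not part of the original howto: a shell check that classifies the permissions left by the chmod above, plus a tighter layout that keeps the setuid bit but lets only one group execute the binary. It assumes the binary is owned by root and that only members of the ipaudit group created earlier need to run it; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original howto). Function names are hypothetical.
# Audits a setuid capture binary such as /usr/sbin/ipaudit and, optionally,
# restricts execution to a single group.

# perm_has FILE MODE: true if every bit in MODE is set on FILE (symlinks followed)
perm_has() {
    [ -n "$(find -H "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# audit_setuid FILE: prints one verdict, returns 0 only for the restricted layout
audit_setuid() {
    f=$1
    [ -e "$f" ] || { echo "missing"; return 2; }
    if ! perm_has "$f" 4000; then
        echo "not-setuid"; return 1           # capture would fail for non-root users
    fi
    if perm_has "$f" 0020 || perm_has "$f" 0002; then
        echo "setuid-writable"; return 1      # group/other can replace a privileged binary
    fi
    if perm_has "$f" 0001; then
        echo "setuid-world-exec"; return 1    # every local user runs it as the owner
    fi
    echo "setuid-restricted"; return 0
}

# harden_setuid FILE GROUP: owner rwx + setuid, GROUP r-x, others nothing.
# chgrp runs first because changing the group can clear the setuid bit.
harden_setuid() {
    chgrp "$2" "$1" && chmod 4750 "$1"
}

# Usage on the system from this howto (as root):
#   audit_setuid  /usr/sbin/ipaudit
#   harden_setuid /usr/sbin/ipaudit ipaudit
#   audit_setuid  /usr/sbin/ipaudit
```

Because /var/spool/ipaudit/bin/ipaudit is a symlink to the emerge'd binary, auditing either path checks the same file.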

Configure

The configuration of the system is done through the "ipaudit-web.conf" file.

This is in the ~ipaudit/ directory.

cd ~ipaudit
vi ipaudit-web.conf
LOCALRANGE=192.168.0.0/24
INTERFACE=eth0:eth1
OTHERRANGE=10.0.0

The above config parameters are all needed - the rest can be left as is.

Setup web access

There are a host of options here. You could use the default

http://you.host.dom/~ipaudit/

or you could rewrite it to a better site - like

http://ipaudit.host.dom/

Getting apache2 to do the rewrite is quite simple. In the virtual host config file, just add this:

RewriteRule   ^/~([^/]+)/?(.*)    /  [R]
Redirect /~ipaudit http://ipaudit.host.dom

Restart apache2 and it is done.

Retrieved from "http://www.gentoo-wiki.info/IPAudit"

Last modified: Mon, 08 Sep 2008 01:25:00 +0000 Hits: 3,182