├── Instalacao-Elastic-FileBeat-Kibana-Logstash-8-x-x.txt
├── Instalacao_bd_zabbix.txt
├── Instalacao_front_zabbix.txt
├── Instalacao_server_zabbix.txt
├── Instalação FRRouting.txt
├── backup-zabbix7.sh
├── instalacao-fastnetmon-adv.sh
├── instalacao-fastnetmon.txt
├── integracao-wanguard-grafana.sh
├── integração-nfdump-grafana.py
├── nfsen-install.sh
├── openvas-install.sh
├── wanguard.sh
└── zabbix_7_grafana_11_install.sh
/Instalacao-Elastic-FileBeat-Kibana-Logstash-8-x-x.txt:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # instale as bibliotecas
3 | apt update
4 | apt upgrade
5 | apt -y install wget ntp apt-transport-https gnupg unzip curl net-tools tcpdump
6 |
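# Install Elasticsearch. Download the package AND its detached SHA-512 and
# stop if the checksum does not match: a corrupted or tampered .deb must
# never reach dpkg -i (the original ran shasum -c but ignored its result).
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.13.2-amd64.deb
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.13.2-amd64.deb.sha512
shasum -a 512 -c elasticsearch-8.13.2-amd64.deb.sha512 || { echo "checksum mismatch, aborting" >&2; exit 1; }
# NOTE: on 8.x the package install auto-configures security: HTTPS on :9200,
# a CA at /etc/elasticsearch/certs/http_ca.crt and a generated password for
# the 'elastic' user printed at the end of this step. Record that password.
dpkg -i elasticsearch-8.13.2-amd64.deb

systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl start elasticsearch.service
systemctl status elasticsearch.service
# A plain http:// request to 127.0.0.1:9200 is refused once security is on;
# test with the generated CA and the elastic user instead.
curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://127.0.0.1:9200

# Now edit elasticsearch.yml and set the items below.
nano /etc/elasticsearch/elasticsearch.yml

cluster.name: flow-huawei-mikrotik-cisco-juniper-frr
node.name: flow-01
# network.host on a routable address exposes :9200 to the whole segment.
# Keep the auto-generated xpack.security.* / TLS block the installer added
# further down in this file (do NOT set xpack.security.enabled: false just to
# make http:// clients work) and firewall 9200 so only the Kibana, Logstash
# and Filebeat hosts can reach it. Each of those clients must then use
# https:// plus credentials (or an API key) and this node's http_ca.crt.
network.host: IP DO SERVIDOR
http.port: 9200

systemctl daemon-reload
systemctl restart elasticsearch.service
systemctl enable elasticsearch.service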
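# Install Kibana. The original only printed the SHA-512 of the .deb without
# comparing it against anything; fetch the published .sha512 and let
# shasum -c do the comparison, aborting on mismatch.
wget https://artifacts.elastic.co/downloads/kibana/kibana-8.13.2-amd64.deb
wget https://artifacts.elastic.co/downloads/kibana/kibana-8.13.2-amd64.deb.sha512
shasum -a 512 -c kibana-8.13.2-amd64.deb.sha512 || { echo "checksum mismatch, aborting" >&2; exit 1; }
dpkg -i kibana-8.13.2-amd64.deb

# Kibana configuration file.
nano /etc/kibana/kibana.yml
server.port: 5601
# server.host on a routable address publishes the UI over plain HTTP.
# Terminate TLS (server.ssl.* or a reverse proxy) and restrict 5601 to
# operator networks.
server.host: "IP DO SERVIDOR"
server.name: "kibana-flow"
# Elasticsearch 8.x listens on HTTPS with authentication enabled by default,
# so the former http:// URL is refused. Either enrol Kibana (on the ES host:
# /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana,
# then here: /usr/share/kibana/bin/kibana-setup --enrollment-token <token>),
# which writes the service token and CA into kibana.yml, or set
# elasticsearch.ssl.certificateAuthorities plus a kibana_system credential by hand.
elasticsearch.hosts: ["https://127.0.0.1:9200"]

# Restart services
systemctl enable kibana.service
systemctl start kibana.service
systemctl status kibana.service
tail -f /var/log/kibana/kibana.log -n 1000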
49 |
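# Install Logstash. The original used --no-check-certificate, which turns
# off TLS verification for the download and lets anyone on path swap the
# artifact; it also fetched 8.8.0 while the rest of the stack is 8.13.2.
# Download over verified TLS, use the same stack version and verify the
# detached SHA-512 like the other packages. If verification fails, fix the
# cause (host clock - ntp is installed above - or ca-certificates); never bypass it.
wget https://artifacts.elastic.co/downloads/logstash/logstash-8.13.2-amd64.deb
wget https://artifacts.elastic.co/downloads/logstash/logstash-8.13.2-amd64.deb.sha512
shasum -a 512 -c logstash-8.13.2-amd64.deb.sha512 || { echo "checksum mismatch, aborting" >&2; exit 1; }

dpkg -i logstash-8.13.2-amd64.deb

# Flow codecs/filters used by the pipelines.
/usr/share/logstash/bin/logstash-plugin install logstash-codec-sflow
/usr/share/logstash/bin/logstash-plugin update logstash-codec-netflow
/usr/share/logstash/bin/logstash-plugin update logstash-input-udp
/usr/share/logstash/bin/logstash-plugin update logstash-input-tcp
/usr/share/logstash/bin/logstash-plugin update logstash-filter-dns
/usr/share/logstash/bin/logstash-plugin update logstash-filter-geoip
/usr/share/logstash/bin/logstash-plugin update logstash-filter-translate

# The pipeline definitions are not part of this note. Any elasticsearch
# output must target https://<ES>:9200 with user/password (or api_key) and
# cacert => "/etc/elasticsearch/certs/http_ca.crt" copied from the ES host.
nano /etc/logstash/logstash.yml
nano /etc/logstash/pipelines.yml

systemctl daemon-reload
systemctl enable logstash
systemctl start logstash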
69 |
70 | # Instalação FileBeat
71 |
72 | wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.13.2-amd64.deb
73 | wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.13.2-amd64.deb.sha512
74 | shasum -a 512 -c filebeat-8.13.2-amd64.deb.sha512
75 | dpkg -i filebeat-8.13.2-amd64.deb
76 |
77 | # acessar arquivo de configuração do filebeat /etc/filebeat/filebeat.yml e alterar endereço IP do elastic e kibana
78 | nano /etc/filebeat/filebeat.yml
79 | output.elasticsearch:
80 | # Array of hosts to connect to.
81 | hosts: ["10.99.98.2:9200"]
82 |
83 | # Kibana Host
84 | host: "10.99.90.2:5601"
85 |
86 | # Listar modulos do beats e habilitar
87 | filebeat modules list
88 | filebeat modules enable netflow
89 |
90 |
91 | # acessar arquivo de configuração netflow alterar endereço ip de escuta.
92 | nano /etc/filebeat/modules.d/netflow.yml
93 | - module: netflow
94 | log:
95 | enabled: true
96 | var:
97 | netflow_host: 10.255.255.244
98 | netflow_port: 2055
99 | # internal_networks specifies which networks are considered internal or private
100 | # you can specify either a CIDR block or any of the special named ranges listed
101 | # at: https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-network
102 | internal_networks:
103 | - private
104 |
105 | # restart serviços
106 | systemctl enable filebeat
107 | service filebeat start
108 | filebeat setup
109 | systemctl restart elasticsearch.service
110 |
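# Timelion visualizations (Kibana)
# NOTE(review): every expression is labelled "bits / sec" but multiplies the
# byte sum by 1024. Bytes -> bits is x8, and the sampling rates configured
# on the exporters in this note are 2048 (Huawei fix-packets) and 1000
# (Juniper), so 1024 matches neither. Confirm the intended factor
# (8 x sampling ratio) before trusting the absolute values on these graphs.
#Source.bytes
.es(index="filebeat-*", metric="sum:network.bytes", split="source.ip:10", kibana=true).multiply(1024).scale_interval(30s).fit(mode=scale).if(operator="lt", if=0, then=0).lines(fill=2, stack=true,width=1).label(regex="^.* source.ip:(.+) > .*$", label="$1").yaxis(label="bits / sec",units="bits/s",min=0)
#destination.bytes
.es(index="filebeat-*", metric="sum:network.bytes", split="destination.ip:10",kibana=true).multiply(1024).fit(mode=scale).if(operator="lt", if=0, then=0).lines(fill=2, stack=true,width=1).label(regex="^.* destination.ip:(.+) > .*$", label="$1").yaxis(label="bits / sec",units="bits/s",min=0)
#destination.port.bytes
.es(index="filebeat-*", metric="sum:network.bytes", split="destination.port:10", kibana=true).multiply(1024).scale_interval(1s).fit(mode=scale).if(operator="lt", if=0, then=0).trim(start=2,end=1).label(regex="^.* destination.port:(.+) > .*$", label="$1").lines(width=1, stack=true, fill=1).yaxis(label="bits / sec",units="bits/s",min=0)

# CISCO EVE (classic NetFlow export; this header had been joined onto the
# end of the Timelion line above)
ip flow-cache timeout active 1
ip flow-capture vlan-id
ip flow-capture mac-addresses
ip flow-export version 9 origin-as
# The destination must be the Filebeat netflow listener. In filebeat.yml
# above 10.99.98.2 is the Elasticsearch output address while the netflow
# module listens on 10.255.255.244:2055; make sure the exporter targets the
# listener, not the ES endpoint.
ip flow-export destination 10.99.98.2 2055


#apply on the uplink interface
ip flow ingress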
127 |
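#Huawei NETSTREAM
# IP-HUAWEI / IP-ELASTIC are placeholders. Both address families must export
# to the single port the Filebeat netflow module listens on (netflow_port: 2055
# above). The IPv6 exporter previously pointed at 52055, where nothing listens,
# so IPv6 flows were silently dropped on the collector side.
slot 3
ip netstream sampler to slot self
ipv6 netstream sampler to slot self
#
ip netstream as-mode 32
ip netstream timeout active 1
ip netstream timeout inactive 15
ip netstream export version 9 origin-as
ip netstream export index-switch 32
ip netstream export template timeout-rate 2
ip netstream sampler fix-packets 2048 inbound
ip netstream sampler fix-packets 2048 outbound
ip netstream export source IP-HUAWEI
ip netstream export host IP-ELASTIC 2055
ip netstream export template option sampler
ip netstream export template option application-label
ipv6 netstream as-mode 32
ipv6 netstream timeout active 1
ipv6 netstream timeout inactive 15
ipv6 netstream export version 9 origin-as
ipv6 netstream export index-switch 32
ipv6 netstream export template timeout-rate 2
ipv6 netstream sampler fix-packets 2048 inbound
ipv6 netstream sampler fix-packets 2048 outbound
ipv6 netstream export source IP-HUAWEI
ipv6 netstream export host IP-ELASTIC 2055
ipv6 netstream export template option export-stats
ipv6 netstream export template option sampler

# On each monitored interface
ip netstream inbound
ip netstream outbound
ipv6 netstream inbound
ipv6 netstream outbound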
163 |
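# CISCO (Flexible NetFlow)
flow record NETFLOW_RECORD
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
collect interface output
collect counter bytes
collect counter packets
!

!
# NetFlow v5 is a fixed, template-less format: it only carries records whose
# fields fit the fixed v5 layout and cannot export sampler/option templates.
# Every other exporter in this note (Huawei, Juniper, classic Cisco) uses
# v9/IPFIX and the Filebeat netflow module decodes v9, so export v9 here too.
# This exporter still has to be bound to a flow monitor (see PP-NETFLOW-MONITOR
# below for the pattern) before anything is exported.
flow exporter NETFLOW_EXPORT
destination X.X.X.X
source FastEthernet0/1/0
transport udp 2055
export-protocol netflow-v9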
184 |
185 |
186 | flow record PP-NETFLOW-REC
187 | match ipv4 tos
188 | match ipv4 protocol
189 | match ipv4 source address
190 | match ipv4 destination address
191 | match transport source-port
192 | match transport destination-port
193 | match interface input
194 | collect interface output
195 | collect counter bytes
196 | collect counter packets
197 | !
198 | flow exporter PP-NETFLOW-EXP
199 | destination [IP_DO_SERVIDOR_NETFLOW] vrf Mgmt-PP
200 | source Port-channel1.3920
201 | transport udp {porta}
202 | !
203 | flow monitor PP-NETFLOW-MONITOR
204 | exporter PP-NETFLOW-EXP
205 | record PP-NETFLOW-REC
206 | cache timeout active 60
207 | !
208 | interface Port-channel1.[SUB-INTERFACE-ID]
209 | ip flow monitor PP-NETFLOW-MONITOR input
210 | ip flow monitor PP-NETFLOW-MONITOR output
211 |
212 |
213 | #juniper
214 | #Contrubuição Gelson Magdiel
215 |
216 | set services flow-monitoring version-ipfix template FLOW-EXPORTER flow-active-timeout 60
217 | set services flow-monitoring version-ipfix template FLOW-EXPORTER flow-inactive-timeout 15
218 | set services flow-monitoring version-ipfix template FLOW-EXPORTER template-refresh-rate seconds 30
219 | set services flow-monitoring version-ipfix template FLOW-EXPORTER option-refresh-rate seconds 30
220 | set services flow-monitoring version-ipfix template FLOW-EXPORTER ipv4-template
221 | set services flow-monitoring version-ipfix template FLOW-EXPORTER-v6 flow-active-timeout 60
222 | set services flow-monitoring version-ipfix template FLOW-EXPORTER-v6 flow-inactive-timeout 15
223 | set services flow-monitoring version-ipfix template FLOW-EXPORTER-v6 template-refresh-rate seconds 30
224 | set services flow-monitoring version-ipfix template FLOW-EXPORTER-v6 option-refresh-rate seconds 30
225 | set services flow-monitoring version-ipfix template FLOW-EXPORTER-v6 ipv6-template
226 | set chassis fpc 0 sampling-instance FLOW-EXPORTER
227 | set chassis fpc 0 inline-services flow-table-size ipv4-flow-table-size 10
228 | set chassis fpc 0 inline-services flow-table-size ipv6-flow-table-size 5
229 | set forwarding-options sampling instance FLOW-EXPORTER input rate 1000
230 | set forwarding-options sampling instance FLOW-EXPORTER input run-length 0
231 | set forwarding-options sampling instance FLOW-EXPORTER input max-packets-per-second 10000
232 | set forwarding-options sampling instance FLOW-EXPORTER family inet output flow-inactive-timeout 15
233 | set forwarding-options sampling instance FLOW-EXPORTER family inet output flow-active-timeout 60
234 | set forwarding-options sampling instance FLOW-EXPORTER family inet output flow-server 10.1.1.1 port 2055
235 | set forwarding-options sampling instance FLOW-EXPORTER family inet output flow-server 10.1.1.1 autonomous-system-type origin
236 | set forwarding-options sampling instance FLOW-EXPORTER family inet output flow-server 10.1.1.1 version-ipfix template FLOW-EXPORTER
237 | set forwarding-options sampling instance FLOW-EXPORTER family inet output inline-jflow source-address 10.1.1.2
238 | set forwarding-options sampling instance FLOW-EXPORTER family inet6 output flow-inactive-timeout 15
239 | set forwarding-options sampling instance FLOW-EXPORTER family inet6 output flow-active-timeout 60
240 | set forwarding-options sampling instance FLOW-EXPORTER family inet6 output flow-server 10.1.1.1 port 2055
241 | set forwarding-options sampling instance FLOW-EXPORTER family inet6 output flow-server 10.1.1.1 autonomous-system-type origin
242 | set forwarding-options sampling instance FLOW-EXPORTER family inet6 output flow-server 10.1.1.1 version-ipfix template FLOW-EXPORTER-v6
243 | set forwarding-options sampling instance FLOW-EXPORTER family inet6 output inline-jflow source-address 10.1.1.2
244 |
245 | ### Em cada interface e cada unit adicionar os comandos
246 | set interfaces xe-2/0/0 unit 151 family inet sampling input
247 | set interfaces xe-2/0/0 unit 151 family inet6 sampling input
248 |
--------------------------------------------------------------------------------
/Instalacao_bd_zabbix.txt:
--------------------------------------------------------------------------------
1 | Instalação BD
2 | #Atualização
3 | apt update
4 | apt upgrade
5 | useradd zabbix
6 | nano /etc/hostname
7 | echo zabbix-bd > /proc/sys/kernel/hostname
8 |
9 |
10 | # dependencias
11 | apt install -y wget build-essential
12 | apt install -y mariadb-server mariadb-client
13 |
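# Hardening.
# Do not set the root password on the command line: `mysqladmin -u root
# password p455w0rd` leaves it in shell history and visible in `ps`. Let
# mysql_secure_installation set it interactively (answer y to the password
# question). Use a long random password (e.g. from `openssl rand -base64 24`)
# kept in your password vault, never a fixed value written into this runbook.
mysql_secure_installation
change the root password? [y/n] y = yes, type a strong password
remove anonymous users? [y/n] y = yes
disallow root login remotely? [y/n] y = yes
remove test database and access to it? [y/n] y = yes
reload privilege tables now? [y/n] y = yes

## The database server is installed and hardened; create the database the
## Zabbix server will write to.

# -p with no value prompts for the password instead of exposing it on argv.
mariadb -uroot -p
create database zabbix character set utf8mb4 collate utf8mb4_bin;
# One account for the local schema import and one restricted to the Zabbix
# server's address. 'zabbix'@'%' accepted this password from ANY host able
# to reach 3306. Use a strong password distinct from root's.
create user 'zabbix'@'localhost' identified by 'SENHA_FORTE_DO_ZABBIX';
create user 'zabbix'@'IP_DO_ZABBIX_SERVER' identified by 'SENHA_FORTE_DO_ZABBIX';
grant all privileges on zabbix.* to 'zabbix'@'localhost';
grant all privileges on zabbix.* to 'zabbix'@'IP_DO_ZABBIX_SERVER';
# Needed only while server.sql.gz is imported; it is not persistent and the
# Zabbix install docs say to set it back to 0 right after the import.
set global log_bin_trust_function_creators = 1;
quit;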
31 |
32 | ##bem, chegou a hora de baixar o nosso zabbix.
33 |
34 | cd /tmp
35 | wget https://repo.zabbix.com/zabbix/7.0/debian/pool/main/z/zabbix-release/zabbix-release_7.0-2+debian12_all.deb
36 | dpkg -i zabbix-release_7.0-2+debian12_all.deb
37 | apt update
38 | apt upgrade
39 | apt install -y zabbix-server-mysql zabbix-sql-scripts zabbix-agent
40 |
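## Import the Zabbix schema (you are prompted for the zabbix@localhost password).
zcat /usr/share/zabbix-sql-scripts/mysql/server.sql.gz | mysql --default-character-set=utf8mb4 -uzabbix -p zabbix
## Per the Zabbix install docs, turn the function-creator bypass off again as
## soon as the import has finished; it was a temporary requirement of the import.
mariadb -uroot -p -e "set global log_bin_trust_function_creators = 0;"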
44 |
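## Allow the Zabbix server to connect. The previous value 0.0.0.0 listens on
## every interface; bind only the address the Zabbix server reaches and, in
## addition, allow 3306/tcp from the Zabbix server IP only in the host
## firewall. The per-host grants above are the last line of defence, not
## the first.
nano /etc/mysql/mariadb.conf.d/50-server.cnf


bind-address = IP_DESTE_SERVIDOR_BD

## Enable and start MariaDB. The earlier `systemctl enable enable
## mariadb@.service` repeats "enable" and names the template unit, which
## cannot be enabled on its own; the unit is simply "mariadb".
systemctl enable --now mariadb
systemctl restart mariadb
systemctl status mariadb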
57 |
--------------------------------------------------------------------------------
/Instalacao_front_zabbix.txt:
--------------------------------------------------------------------------------
1 | ##agora que atualizamos o repositório do servidor esta na hora de atualizar sistema.
2 |
3 | nano /etc/hostname
4 | echo zabbix-front > /proc/sys/kernel/hostname
5 | apt update
6 | apt upgrade
7 | useradd zabbix
8 |
9 | apt install -y wget build-essential
10 | apt install -y apache2 apache2-utils
11 | apt install -y libapache2-mod-php php php-mysql php-cli php-pear php-gmp php-gd
12 | apt install -y php-bcmath php-curl php-xml php-zip
13 | apt install -y snmpd snmp snmptrapd libsnmp-base libsnmp-dev
14 |
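## Install the Zabbix repository. The database host (Instalacao_bd_zabbix.txt)
## imports the 7.0 schema; the frontend must be the same major release,
## otherwise it will not work against the newer schema. 6.0 was listed here.

cd /tmp
wget https://repo.zabbix.com/zabbix/7.0/debian/pool/main/z/zabbix-release/zabbix-release_7.0-2+debian12_all.deb
dpkg -i zabbix-release_7.0-2+debian12_all.deb
apt update
apt upgrade
apt install -y zabbix-frontend-php zabbix-apache-conf zabbix-sql-scripts zabbix-agent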
23 |
24 | ##timezone php, execute o commando abaixo, em seguida edite que arquivo de configuração etc/zabbix/apache.conf como descrito abaixo:
25 |
26 | timedatectl set-timezone America/Sao_Paulo
27 |
28 | nano /etc/zabbix/apache.conf
29 |
30 | php_value max_execution_time 300
31 | php_value memory_limit 512m
32 | php_value post_max_size 48m
33 | php_value upload_max_filesize 24m
34 | php_value max_input_time 300
35 | php_value max_input_vars 10000
36 | php_value always_populate_raw_post_data -1
37 | php_value date.timezone America/Sao_Paulo
38 |
39 |
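## Apache hardening.
## `Options FollowSymLinks` / `AllowOverride All` are not hardening steps:
## AllowOverride All lets any .htaccess inside the docroot override server
## policy. Keep them only if the frontend really needs .htaccess rewrites.
nano /etc/apache2/sites-enabled/000-default.conf

Options FollowSymLinks
AllowOverride All

a2enmod rewrite
## The Debian file spells these `ServerTokens OS` and `ServerSignature On`;
## sed is case-sensitive, so the lowercase patterns used before matched
## nothing and the version banner was never reduced. Anchor and match the
## real case, then check the result.
sed -i 's/^ServerTokens OS/ServerTokens Prod/' /etc/apache2/conf-available/security.conf
sed -i 's/^ServerSignature On/ServerSignature Off/' /etc/apache2/conf-available/security.conf
grep -E '^Server(Tokens|Signature)' /etc/apache2/conf-available/security.conf

## Enable the services and do the first login. Change the default
## Admin/zabbix frontend password before exposing the UI to anyone else.
systemctl enable zabbix-agent apache2
systemctl restart zabbix-agent apache2
systemctl status zabbix-agent apache2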
56 |
57 | http://seu_ip_zabbixserver/zabbix
58 |
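AFTER THE WIZARD, CHANGE THE FOLLOWING:

# Frontend -> server connection: remove the comment markers ( // ) and set
# the Zabbix server address. The earlier example lacked the closing quote
# and the semicolon on $ZBX_SERVER, which is a PHP parse error (blank page).
# This file also holds the database password written by the wizard: keep it
# readable only by root and the web-server user (e.g. 0640 root:www-data).

nano /etc/zabbix/web/zabbix.conf.php

$ZBX_SERVER = 'IPDOZABBIXSERVER';
$ZBX_SERVER_PORT = '10051';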
68 |
--------------------------------------------------------------------------------
/Instalacao_server_zabbix.txt:
--------------------------------------------------------------------------------
1 | ##agora que atualizamos o repositório do servidor esta na hora de atualizar sistema.
2 | apt update
3 | apt upgrade
4 |
5 | nano /etc/hostname
6 | echo zabbix-server > /proc/sys/kernel/hostname
7 |
8 | # dependencias
9 | apt install -y wget build-essential
10 | apt install -y snmpd snmp snmptrapd libsnmp-base libsnmp-dev
11 |
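## Install the Zabbix repository. The database host (Instalacao_bd_zabbix.txt)
## imports the 7.0 schema; zabbix-server must be the same major release or it
## refuses to start against the newer schema. 6.0 was listed here.

cd /tmp
wget https://repo.zabbix.com/zabbix/7.0/debian/pool/main/z/zabbix-release/zabbix-release_7.0-2+debian12_all.deb
dpkg -i zabbix-release_7.0-2+debian12_all.deb
apt update
apt upgrade
apt install -y zabbix-server-mysql zabbix-sql-scripts zabbix-frontend-php zabbix-apache-conf zabbix-agent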
20 |
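## Edit zabbix_server.conf on the server tier with the database connection
## parameters. Keys are case-sensitive: `DBpassword=` (as written before) is
## not a recognised parameter and zabbix_server refuses to start with an
## "unknown parameter" error; the key is DBPassword. The file holds a
## database credential, so keep it 0640 root:zabbix and use a strong,
## unique value (the same one granted to 'zabbix'@'IP_DO_ZABBIX_SERVER').

nano /etc/zabbix/zabbix_server.conf

DBHost=IP DO BANCO DE DADOS
DBName=zabbix
DBUser=zabbix
DBPassword=SENHA_FORTE_DO_ZABBIX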
28 |
29 | ##ativar os serviços do Zabbix e realizar o primeiro acesso.
30 |
31 | systemctl enable zabbix-server zabbix-agent
32 | systemctl restart zabbix-server zabbix-agent
33 | systemctl status zabbix-server
34 |
35 | http://seu_ip_zabbixserver/zabbix
36 |
--------------------------------------------------------------------------------
/Instalação FRRouting.txt:
--------------------------------------------------------------------------------
1 | #instalacao Dependencias bibliotecas Linux essenciais.
2 | apt-get -y update ; apt upgrade
3 | apt install -y build-essential cmake gcc linux-headers-`uname -r`
4 | apt install -y git libpcre3-dev libssl-dev wget make linux-headers-amd64
5 |
6 | #SNMP
7 | apt install -y snmpd snmp snmptrapd libsnmp-base libsnmp-dev
8 |
9 | #SMP - NUMA
10 | apt-get -y install numactl coreutils htop numactl numatop
11 |
12 | # Instalação FRR
13 | apt-get -y install frr
14 | apt-get -y install frr-pythontools
15 | apt-get -y install frr-rpki-rtrlib
16 | apt-get -y install frr-snmp
17 |
18 | # Ativar aplicativos do framework FRR:
19 |
20 | sed -i '/bgpd/s/=no/=yes/' /etc/frr/daemons
21 | sed -i '/ospfd/s/=no/=yes/' /etc/frr/daemons
22 | sed -i '/ospf6d/s/=no/=yes/' /etc/frr/daemons
23 | sed -i '/pbrd/s/=no/=yes/' /etc/frr/daemons
24 | sed -i '/bfdd/s/=no/=yes/' /etc/frr/daemons
25 | touch /etc/frr/frr.conf
26 | touch /etc/frr/vtysh.conf
27 | chown frr:frr /etc/frr/frr.conf /etc/frr/vtysh.conf
28 | chmod 640 /etc/frr/frr.conf /etc/frr/vtysh.conf
29 |
30 | # Ativar aplicativos do framework FRR:
31 |
32 | ( echo 'hostname P-BGP-FASTNETMON'
33 | echo 'ip forwarding'
34 | echo 'ipv6 forwarding'
35 | echo 'service integrated-vtysh-config'
36 | ) > /etc/frr/frr.conf
37 |
38 | # - Ativar serviço (Debian: systemd):
39 | systemctl enable frr.service
40 | service frr stop
41 | service frr start
42 |
43 | systemctl status frr.service
44 |
45 |
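#BLACK-HOLE FRR FASTNETMON
# Test announcement: a single /32 pointing at null0.
ip route 10.99.89.50/32 null0
#

# Only /32s inside our own block may leave with the blackhole community
# (ge 32 instead of the former le 32): anything broader would blackhole a
# whole subnet.
ip prefix-list FASTNETMON-ADDRESS seq 5 permit 10.99.89.0/24 ge 32
!
# We only announce blackholes; accept nothing from the Huawei.
route-map FASTNETMON-IN deny 10
!
route-map FASTNETMON-OUT permit 10
 match ip address prefix-list FASTNETMON-ADDRESS
 set community 65001:666
!
router bgp 65
 bgp router-id 10.10.0.2
 neighbor 10.10.0.1 remote-as 65001
 neighbor 10.10.0.1 description "Huawei"
 !
 address-family ipv4 unicast
  # The route-maps defined above are FASTNETMON-IN / FASTNETMON-OUT. The
  # MARK_FASTNETMON_* names referenced before do not exist in this config,
  # and FRR treats an undefined route-map as deny-all, so nothing would
  # have been announced.
  neighbor 10.10.0.1 route-map FASTNETMON-IN in
  neighbor 10.10.0.1 route-map FASTNETMON-OUT out
  # The null0 static above is only advertised if statics are injected into
  # BGP here, e.g. `redistribute static` (absent from the original note).
 exit-address-family
!
end
write memory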
71 |
72 | community 666:666 OPERADORA-01
73 | community 900:666 OPERADORA-02
74 |
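#FRR on the FastNetMon host peering with the border (NE8K), second example

community 65001:666

# /32 only (ge 32): FastNetMon announces single hosts (gobgp_announce_host).
# The former `ge 22 le 32` would have let a whole /22 be blackholed through
# this session.
ip prefix-list fastnetmon-coord seq 5 permit 200.200.200.0/22 ge 32
ip prefix-list fastnetmon-coord seq 10 permit 200.200.204.0/22 ge 32

route-map MARK_FASTNETMON_IMPORT deny 10
!
route-map MARK_FASTNETMON_EXPORT permit 10
 # The prefix-list defined above is fastnetmon-coord; the earlier reference
 # to FASTNETMON_EXPORT pointed at a list that does not exist (no match,
 # nothing exported).
 match ip address prefix-list fastnetmon-coord
 set community 65001:666

router bgp 65001
 bgp router-id 10.100.20.1
 # NOTE(review): the neighbor address below equals our own router-id; the
 # neighbor must be the border's address on this link - confirm.
 neighbor 10.100.20.1 remote-as 260072
 neighbor 10.100.20.1 description "NE8K_BORDA"
 # neighbor 10.100.20.1 ebgp-multihop 255 # (only if the session is multihop)
 !
 address-family ipv4 unicast
  neighbor 10.100.20.1 route-map MARK_FASTNETMON_IMPORT in
  neighbor 10.100.20.1 route-map MARK_FASTNETMON_EXPORT out
 exit-address-family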
98 |
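#cisco (border router receiving RTBH announcements from FastNetMon)
# Step 1 - static route for the discard next-hop, pointing at Null0
ip route 192.0.2.1 255.255.255.255 Null0 name BACKHOLE

# Step 2 - prefix-list of our own prefixes, /32 only (ge 32): a blackhole
# for anything larger than a host route is never accepted from FastNetMon.
ip prefix-list AS565002-FASTNETMON seq 5 permit 200.200.200.0/22 ge 32

# Step 3 - prefix-list excluding FastNetMon's own public address(es): if that
# address is attacked it must not be blackholed (this line was truncated before).
ip prefix-list AS65002-FASTNETMON-NEGAR seq 5 permit 200.200.201.0/30 ge 32

# Step 4 - community lists. On IOS `match community` takes a community-list
# name, not a literal, so the earlier `match community 65003:666` is invalid.
ip community-list standard BH permit 65001:666
ip community-list standard BH-UPSTREAM permit 65003:666
# `match ip next-hop` likewise takes an ACL/prefix-list, not an IP literal.
ip prefix-list RTBH-NEXTHOP seq 5 permit 192.0.2.1/32

# Step 5 - inbound route-map: deny FastNetMon's own address first, then
# accept only our /32s that carry the blackhole community and the discard
# next-hop (gobgp_communities_host_ipv4 / gobgp_next_hop_host_ipv4 in the
# FastNetMon config), raise local-preference, re-tag for the upstream
# policy, deny everything else.
# Step 6 - configure the BGP neighbor between this router and FastNetMon.


ip route 192.0.2.1 255.255.255.255 Null0 name BACKHOLE
ip community-list standard BH permit 65001:666
ip community-list standard BH-UPSTREAM permit 65003:666
ip prefix-list RTBH-NEXTHOP seq 5 permit 192.0.2.1/32

ip prefix-list AS565002-FASTNETMON seq 5 permit 200.200.200.0/22 ge 32
!
ip prefix-list AS65002-FASTNETMON-NEGAR seq 5 permit 200.200.201.0/30 ge 32

route-map AS65001-FASTNETMON-IN deny 5
 match ip address prefix-list AS65002-FASTNETMON-NEGAR

route-map AS65001-FASTNETMON-IN permit 10
 match ip address prefix-list AS565002-FASTNETMON
 match community BH
 match ip next-hop prefix-list RTBH-NEXTHOP
 set local-preference 999
 set community 65003:666
!
route-map AS65001-FASTNETMON-IN deny 20

route-map AS65003-OPERADORA-OUT permit 40
 match community BH-UPSTREAM

route-map AS65003-OPERADORA-OUT deny 100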
142 |
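#HUAWEI (border receiving RTBH from FastNetMon)

#RT BACKHOLE - discard next-hop
ip route-static 192.0.2.1 255.255.255.255 NULL 0

#Prefix filters applied on the FastNetMon peer
# The previous MITIGACAO-FASTNETMON entry (0.0.0.0 0 greater-equal 0
# less-equal 32) permitted any prefix of any length, so a misconfigured or
# compromised FastNetMon could blackhole third-party space or even a default
# route. Limit it to /32s inside our own blocks (the example blocks from the
# Cisco section are used here; replace them, one index per block).
ip ip-prefix MITIGACAO-FASTNETMON index 10 permit 200.200.200.0 22 greater-equal 32 less-equal 32
ip ip-prefix MITIGACAO-FASTNETMON index 20 permit 200.200.204.0 22 greater-equal 32 less-equal 32
# FastNetMon's own address must never be blackholed (apply as a deny first).
ip ip-prefix DENY-FASTNETMON index 10 permit 10.99.89.50 32 greater-equal 32 less-equal 32

#COMMUNITY BASIC FASTNETMON - only routes tagged 65001:666 are treated as blackholes
ip community-filter basic FASTNETMON-BLACKHOLE permit 65001:666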
154 |
--------------------------------------------------------------------------------
/backup-zabbix7.sh:
--------------------------------------------------------------------------------
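#!/bin/bash
# UPGRADE ZABBIX 6 -> ZABBIX 7
# Backs up the frontend, alert scripts, external scripts, /etc/zabbix, the
# MySQL/MariaDB configuration and a dump of the zabbix database.
#
# Process notes kept from the original runbook:
#  - rehearse the upgrade in a staging window; keep a written migration
#    document with every command and learn from the rehearsal
#  - review the backups, the database and the server; read the release
#    notes and official docs; validate integrations, scripts and collection
#  - steps: open maintenance -> check zabbix services -> backup configs and
#    DB -> upgrade -> validate config files -> DB upgrade -> validate
#    services and zabbix_server.conf
#
# The output contains secrets (DB dump, zabbix_server.conf, web/zabbix.conf.php),
# so the whole tree is created readable by root only.

set -euo pipefail

# ---- settings ---------------------------------------------------------------
user="zabbix"
# The DB password used to be hard-coded here and passed as --password=...,
# which puts it in shell history and in `ps` output for the duration of the
# dump. Read it from the environment or from a root-only file instead.
password="${ZBX_DB_PASSWORD:-}"
if [[ -z "$password" && -r /root/.zabbix-backup.pw ]]; then
  password=$(<"/root/.zabbix-backup.pw")
fi
host="localhost"
db_name="zabbix"

# Other option: backup_path="/home/backup"
backup_path="/opt/backup"
date=$(date +"%d-%b-%Y")
dest="$backup_path/backup-$date"

if [[ -z "$password" ]]; then
  echo "error: set ZBX_DB_PASSWORD or create /root/.zabbix-backup.pw (mode 0600)" >&2
  exit 1
fi

# 077 rather than 177: 177 also strips the execute bit from new directories,
# which makes the backup tree untraversable for anyone but root.
umask 077

# ---- directory layout -------------------------------------------------------
for sub in frontend alertscripts externalscripts database \
           fileconf/mysql/conf.d fileconf/mysql/mariadb.conf.d; do
  mkdir -p -- "$dest/$sub"
done

# ---- database dump ----------------------------------------------------------
# Credentials go through a 0600 temporary option file (--defaults-extra-file
# must be the first argument) so they never appear on the command line.
# A password containing a double quote would need escaping in this file.
cred_file=$(mktemp)
trap 'rm -f -- "$cred_file"' EXIT
printf '[client]\nuser=%s\npassword="%s"\nhost=%s\n' "$user" "$password" "$host" > "$cred_file"
mysqldump --defaults-extra-file="$cred_file" --single-transaction --skip-lock-tables \
  "$db_name" > "$dest/database/$db_name-$date.sql.bkp"

# ---- files ------------------------------------------------------------------
# copy_tree SRC DST: copy the contents of directory SRC into DST; warn and
# continue when SRC is absent (e.g. /etc/mysql/my.cnf.d does not exist on
# Debian layouts), instead of aborting the whole backup.
copy_tree() {
  local src=$1 dst=$2
  if [[ -d "$src" ]]; then
    cp -a -- "$src"/. "$dst"/
  else
    echo "warning: $src not found, skipped" >&2
  fi
}

copy_tree /usr/share/zabbix               "$dest/frontend"
copy_tree /usr/lib/zabbix/alertscripts    "$dest/alertscripts"
copy_tree /usr/lib/zabbix/externalscripts "$dest/externalscripts"
copy_tree /etc/zabbix                     "$dest/fileconf"
# my.cnf is usually a symlink into /etc/alternatives; -L stores its content.
if [[ -f /etc/mysql/my.cnf ]]; then
  cp -L -- /etc/mysql/my.cnf "$dest/fileconf/mysql/"
fi
copy_tree /etc/mysql/my.cnf.d             "$dest/fileconf/mysql"
copy_tree /etc/mysql/conf.d               "$dest/fileconf/mysql/conf.d"
copy_tree /etc/mysql/mariadb.conf.d       "$dest/fileconf/mysql/mariadb.conf.d"

# ---- archive ----------------------------------------------------------------
# The original `tar -czvf $backup_path/backup-$date.tar` listed no input
# paths, so tar refused to create an archive; -z also implies .tar.gz.
tar -czf "$backup_path/backup-$date.tar.gz" -C "$backup_path" "backup-$date"

# ---- retention --------------------------------------------------------------
# The original find ran inside today's database directory, where nothing is
# ever 30 days old. Prune backup trees and archives older than 30 days
# directly under $backup_path.
find "$backup_path" -maxdepth 1 -name 'backup-*' -mtime +30 -exec rm -rf -- {} +

echo "backup complete: $backup_path/backup-$date.tar.gz"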
76 |
--------------------------------------------------------------------------------
/instalacao-fastnetmon-adv.sh:
--------------------------------------------------------------------------------
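#!/bin/sh
#fastnetmon-adv
# Dependencies
apt install wget tcpdump net-tools zip curl gpg -y

# FastNetMon Advanced install.
# The installer is fetched from the vendor over HTTPS and executed as root
# with no signature or checksum to compare against: keep TLS verification on
# (never add --no-check-certificate) and review the downloaded script before
# running it on a production box.
# The activation coupon is a licence credential. It was committed here in
# clear text, which lets anyone holding this file activate (and consume) the
# licence; pass it in at run time instead and have the leaked one rotated.
[ -n "$FNM_ACTIVATION_COUPON" ] || { echo "set FNM_ACTIVATION_COUPON first" >&2; exit 1; }
wget https://install.fastnetmon.com/installer -Oinstaller
chmod +x installer
./installer -activation_coupon "$FNM_ACTIVATION_COUPON"

# Native Grafana integration (same installer binary, no need to re-download)
./installer -install_graphic_stack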
15 |
16 | # habilitando clickhouse
17 | fcli set main clickhouse_metrics true
18 | fcli set main clickhouse_metrics_host 127.0.0.1
19 | fcli set main clickhouse_metrics_database fastnetmon
20 | fcli set main clickhouse_metrics_export_top_hosts true
21 | fcli commit
22 |
23 | # verificando exportação
24 | fcli show system_counters|grep click
25 | clickhouse_metrics_writes_total 2044855
26 | clickhouse_metrics_writes_failed
27 |
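# Upgrading from Community Edition: install the Advanced edition first
# (above), then import the old configuration. The downloaded binary is named
# "installer" - the former `chmod +x instalador` referred to a file that does
# not exist, so the following line failed with "Permission denied".
wget https://install.fastnetmon.com/installer -Oinstaller
chmod +x installer
./installer -import_community_edition_configuration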
32 |
33 | # CLI Temos três categorias de configuração:
34 | main – toolkit wide options
35 | bgp – BGP configuration options
36 | hostgroup – custom threshold configurations for different networks
37 |
38 | # comandos CLI fastnetmon
39 | fcli
40 | show
41 | set value
42 | set (disable|enable)
43 | delete value_for_remove
44 | show
45 |
46 | #Primeiros passos
47 | fcli set main networks_list 100.64.0.0/10
48 | fcli commit
49 |
50 | fcli set main netflow enable
51 | fcli set main netflow_ports 2055
52 | fcli set main netflow_host 0.0.0.0
53 | fcli set main netflow_host ::
54 | fcli set main netflow_sampling_ratio 1
55 | fcli set main average_calculation_time 60
56 | fcli commit
57 |
58 | #verificar pacotes recebidos
59 | fcli show system_counters|grep duration
60 | fcli show netflow9_packets_per_device
61 | fcli show ipfix_packets_per_device
62 |
63 | #Analisar trafego
64 | fastnetmon_client
65 | fcli show total_traffic_counters
66 | fcli show total_traffic_counters_v6
67 | fcli show network_counters
68 | fcli show network_counters_v6
69 | fcli show host_counters bytes outgoing
70 | fcli show host_counters_v6 bytes outgoing
71 | fcli show single_host_counters 10.1.2.3
72 | fcli show single_host_counters_v6 beef::1
73 |
74 | # threshold global
75 | fcli set hostgroup global threshold_mbps 100
76 | fcli set hostgroup global ban_for_bandwidth enable
77 | fcli set hostgroup global enable_ban enable
78 | fcli set hostgroup global enable_ban_incoming enable
79 | fcli set hostgroup global ban_for_udp_pps true
80 | fcli set hostgroup global threshold_udp_pps 1000
81 | fcli set hostgroup global ban_for_tcp_pps true
82 | fcli set hostgroup global threshold_tcp_pps 1000
83 | fcli set hostgroup global ban_for_udp_pps true
84 | fcli set hostgroup global threshold_udp_pps 1000
85 | fcli commit
86 |
87 | #Criando grupos
88 | fcli set main enable_total_hostgroup_counters enable
89 | fcli set hostgroup CDN
90 | fcli set hostgroup CDN calculation_method total
91 | fcli set hostgroup CDN networks 100.64.0.0/24
92 | fcli set hostgroup CDN networks 100.65.0.0/24
93 | fcli commit
94 | fcli show hostgroup_counters_total
95 |
96 | # threshold Grupos
97 | fcli set hostgroup CDN threshold_mbps 100
98 | fcli set hostgroup CDN ban_for_bandwidth enable
99 | fcli set hostgroup CDN enable_ban enable
100 | fcli set hostgroup CDN enable_ban_incoming enable
101 | fcli set hostgroup CDN ban_for_udp_pps true
102 | fcli set hostgroup CDN threshold_udp_pps 1000
103 | fcli set hostgroup CDN ban_for_tcp_pps true
104 | fcli set hostgroup CDN threshold_tcp_pps 1000
105 | fcli set hostgroup CDN ban_for_udp_pps true
106 | fcli set hostgroup CDN threshold_udp_pps 1000
107 | fcli commit
108 |
109 | # Estabelecendo peer bgp
110 | fcli set main gobgp enable
111 | fcli set bgp RT01-BGP
112 | fcli set bgp RT01-BGP local_asn 65001
113 | fcli set bgp RT01-BGP remote_asn 65001
114 | fcli set bgp RT01-BGP local_address 100.125.0.18
115 | fcli set bgp RT01-BGP remote_address 100.125.0.19
116 | fcli set bgp RT01-BGP ipv4_unicast enable
117 | fcli set bgp RT01-BGP ipv6_unicast enable
118 | fcli set bgp RT01-BGP ipv4_flowspec enable
119 | fcli set bgp RT01-BGP active enable
120 | fcli commit
121 |
122 | # verificando as sessoes BGP
123 | gobgp global rib -a ipv4
124 | gobgp neighbor
125 | fcli set reload_bgp
126 |
127 |
128 | # RTBH
129 | fcli set main enable_ban enable
130 | fcli set main enable_ban_ipv6 enable
131 | fcli set main unban_enabled true
132 | fcli set main ban_time 600
133 | fcli set main ban_details_records_count 5
134 |
135 | #Habilitando anuncios BGP
136 | fcli set main gobgp_announce_host enable
137 | fcli set main gobgp_communities_host_ipv4 65001:666
138 | fcli set main gobgp_next_hop_host_ipv4 192.0.2.1
139 |
140 | #Setando RTBH manual
141 | fcli set blackhole 11.22.33.44
142 | fcli show blackhole
143 |
144 | #deletando regra
145 | fcli delete blackhole 312e3232-2e33-332e-3434-000000000000
146 | fcli show blackhole
147 |
148 | #Habilitando anuncios Flowspec
149 | fcli set bgp RT01-BGP ipv4_flowspec enable
150 | fcli set main gobgp_flow_spec_announces enable
151 | fcli set main gobgp_flow_spec_default_action discard
152 | fcli set main gobgp_flow_spec_rate_limit_value 1000
153 | fcli commit
154 | fcli show flowspec
155 |
156 | # Flowspec manual
157 | fcli set flowspec '{ "source_prefix": "4.0.0.0/32", "destination_prefix": "100.64.0.0/32", "destination_ports": [ 80 ], "source_ports": [ 53, 5353 ], "packet_lengths": [ 777, 1122 ], "protocols": [ "tcp" ], "fragmentation_flags": [ "is-fragment", "dont-fragment" ], "tcp_flags": [ "syn" ], "action_type": "rate-limit", "action": { "rate": 1024 } }'
158 |
159 | #deletando regra (aqui a regra é de flowspec: o comando abaixo repete o delete de blackhole da seção anterior; confira o UUID correto em 'fcli show flowspec' antes de apagar)
160 | fcli delete blackhole 312e3232-2e33-332e-3434-000000000000
161 | fcli show flowspec
162 |
163 |
164 | # Comando para visualização
165 | #Get system counters
166 | show system_counters
167 |
168 | #Get total traffic counters
169 | show total_traffic_counters
170 |
171 | #Interfaces management Get interfaces list
172 | show interfaces
173 |
174 | #List all host groups:
175 | show hostgroup
176 |
177 | #Create new host group with name “new_group”
178 | set hostgroup new_group
179 |
180 | #Delete host group with name:
181 | delete hostgroup new_group
182 |
183 | #Check option value for certain host group
184 | show hostgroup global networks
185 |
186 | #Set option for certain host group:
187 | show hostgroup host_group_name networks
188 |
189 | #Lookup host group for specified IP address
190 | show ip_hostgroup 11.22.33.44
191 |
192 | #White lists
193 | fcli set main networks_whitelist 11.22.33.44/32
194 |
195 | Referências:
196 |
197 | https://fastnetmon.com/install/
198 | https://fastnetmon.com/docs-fnm-advanced/
199 | https://fastnetmon.com/docs-fnm-advanced/advanced-quick-start/
200 | https://fastnetmon.com/docs-fnm-advanced/migration-from-community-edition-to-advanced/
201 | https://fastnetmon.com/docs-fnm-advanced/advanced-cli-reference/
202 | https://fastnetmon.com/docs-fnm-advanced/advanced-visual-traffic/
203 | https://fastnetmon.com/docs-fnm-advanced/fastnetmon-configuration-for-netflow-and-ipfix/
204 | https://fastnetmon.com/docs-fnm-advanced/fastnetmon-threshold-types/
205 | https://fastnetmon.com/docs-fnm-advanced/per-hostgroup-thresholds/
206 | https://fastnetmon.com/docs-fnm-advanced/fastnetmon-advanced-licensing-server/
207 | https://fastnetmon.com/docs-fnm-advanced/fastnetmon-bgp-flow-spec-configuration/
208 | https://fastnetmon.com/docs-fnm-advanced/fastnetmon-advanced-bgp-blackhole-automation/
209 |
--------------------------------------------------------------------------------
/instalacao-fastnetmon.txt:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | #fastnetmon
3 |
4 | # dependencias Bibliotecas
5 | apt install wget tcpdump net-tools zip curl
6 |
7 | cd /tmp/
8 | wget https://install.fastnetmon.com/installer -Oinstaller
9 | chmod +x installer
10 | ./installer -install_community_edition
11 |
12 | # Adicionar prefixos publicos
13 | nano /etc/networks_list
14 | 200.200.200.0/22
15 | 2001:db8::/32
16 |
17 | # Criar o perfil de trafego:
18 | #prefixos
19 | CDN - 100.65.0.0/16
20 | SERVIÇOS DE TV 100.64.0.0/24
21 | CORPORATIVO IP FIXO. 100.66.0.0/16
22 | CGNAT. 100.64.1.0/24
23 | RESIDENCIAL IP FIXO. 100.64.2.0/24
24 | SERVIDORES diversos. 100.64.3.0/24
25 | SERVIDORES DNS. 100.64.4.0/24
26 | ASN LOCAL. 65001
27 | CLIENTES ASN 65002
28 |
29 | #acessar arquivo de configuração do fastnetmon aplicar ajuste.
30 | nano /etc/fastnetmon.conf
31 |
32 | netflow = off -> netflow = on
33 | average_calculation_time = 60
34 | #average_calculation_time_for_subnets = 60
35 | ban_time = 600
36 | #enable_subnet_counters = on
37 | ban_for_flows = on
38 | threshold_pps = 50000
39 | netflow_port = 52055
40 | netflow_host = 100.100.20.5
41 | ban_for_pps = on
42 | ban_for_bandwidth = on
43 | threshold_mbps = 1000
44 | threshold_flows = 3500
45 |
46 | # restart o serviço
47 |
48 | systemctl enable fastnetmon
49 | systemctl start fastnetmon
50 | systemctl status fastnetmon
51 |
52 |
53 | # verificar fluxo de rede
54 | fastnetmon_client
55 |
56 | # Criando lista de endereços IP que não serão adicionados na BH.
57 |
58 | nano /etc/networks_whitelist
59 | 200.200.200.0/30
60 |
61 | #habilitar Graficos
62 | nano /etc/fastnetmon.conf
63 | graphite = off -> graphite = on
64 |
65 | #habilitar influxdb
66 |
67 | rm /etc/apt/sources.list.d/influxdb.list
68 | rm /etc/apt/trusted.gpg.d/influxdb.gpg
69 |
70 | apt install lsb-release gnupg2 curl wget
71 | wget -q https://repos.influxdata.com/influxdata-archive_compat.key
72 | echo '393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c influxdata-archive_compat.key' | sha256sum -c && cat influxdata-archive_compat.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg > /dev/null
73 | echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg] https://repos.influxdata.com/debian stable main' | tee /etc/apt/sources.list.d/influxdata.list
74 |
75 | apt update
76 | apt install influxdb
77 |
78 | # Integrar influxdb com o fastnetmon
79 | nano /etc/influxdb/influxdb.conf
80 |
81 | [[graphite]]
82 | enabled = true
83 | bind-address = ":2003"
84 | protocol = "tcp"
85 | consistency-level = "one"
86 | separator = "."
87 | batch-size = 5000 # will flush if this many points get buffered
88 | batch-timeout = "1s" # will flush at least this often even if we haven't hit buffer limit
89 | templates = [
90 | "fastnetmon.hosts.* app.measurement.cidr.direction.function.resource",
91 | "fastnetmon.networks.* app.measurement.cidr.direction.resource",
92 | "fastnetmon.total.* app.measurement.direction.resource"
93 | ]
94 |
95 | #restar influxdb
96 | systemctl restart influxdb
97 | systemctl restart fastnetmon.service
98 |
99 | #confirmar se o banco de dados foi criado corretamente.
100 | influx
101 | use graphite
102 | show measurements
103 |
104 | #instalação grafana (obs.: 'apt-key add' está obsoleto e confia na chave para todos os repositórios; prefira salvar a chave em um keyring e usar [signed-by=...] na entrada do repositório, como feito acima para o InfluxDB)
105 | apt-get install -y apt-transport-https software-properties-common wget
106 |
107 | wget -q -O - https://packages.grafana.com/gpg.key | apt-key add -
108 | echo "deb https://packages.grafana.com/oss/deb stable main" | tee -a /etc/apt/sources.list.d/grafana.list
109 | apt update; apt install grafana
110 |
111 | systemctl enable grafana-server
112 | systemctl start grafana-server
113 |
114 | # acessar grafana adicionar datasource influxdb e configurar interação.
115 |
116 | http://localhost:8086
117 | graphite
118 |
119 |
120 |
121 | root@fastnetmon:/tmp# cat /etc/fastnetmon.conf
122 | ###
123 | ### Principais parâmetros de configuração
124 | ###
125 |
126 | ### Configuração de registro
127 |
128 | # Nível de registro, pode ser informação ou depuração
129 | logging_level = info
130 |
131 | # habilite esta opção se quiser enviar logs para o recurso syslog local
132 | logging_local_syslog_logging = off
133 |
134 | # habilite esta opção se quiser enviar logs para um servidor syslog remoto via UDP
135 | logging_remote_syslog_logging = off
136 |
137 | # especifica um servidor e uma porta personalizados para registro remoto
138 | logging_remote_syslog_server = 10.10.10.10
139 | logging_remote_syslog_port = 514
140 |
141 | # Para melhorar o FastNetMon, precisamos saber como você o usa e qual é a sua plataforma de software e hardware.
142 | # Para conseguir isso, FastNetMon envia informações de uso a cada 1 hora para nosso servidor de estatísticas https://community-stats.fastnetmon.com
143 | # Mantemos altos padrões de proteção de dados e você pode encontrar nossa política de privacidade aqui: https://community-stats.fastnetmon.com
144 | # Você pode encontrar informações que estão sendo enviadas no GitHub: https://github.com/pavel-odintsov/fastnetmon/search?q=send_usage_data_to_reporting_server
145 | # Se você preferir desativar esse recurso, você precisa definir o seguinte sinalizador como ativado
146 | disable_usage_report = off
147 |
148 | # Ativa/desativa qualquer ação em caso de ataque
149 | enable_ban = on
150 |
151 | #Habilitar banimento para IPv6
152 | enable_ban_ipv6 = on
153 |
154 | # desabilita o processamento para determinada direção do tráfego
155 | process_incoming_traffic = on
156 | process_outgoing_traffic = on
157 |
158 | # dump todo o tráfego no arquivo de log
159 | dump_all_traffic = off
160 |
161 | # dump outro tráfego para registrar, útil para detectar prefixos perdidos
162 | dump_other_traffic = off
163 |
164 | # Quantos pacotes serão coletados do tráfego de ataque
165 | ban_details_records_count = 20
166 |
167 | # Quanto tempo (em segundos) devemos manter um IP em estado bloqueado
168 | # Se você definir 0 aqui, desabilita completamente a capacidade de cancelar o banimento
169 | ban_time = 1900
170 |
171 | # Verifique se o ataque ainda está ativo, antes de acionar um callback de cancelamento de banimento com esta opção
172 | # Se o ataque ainda estiver ativo, verifique cada execução do watchdog de unban
173 | unban_only_if_attack_finished = on
174 |
175 | # lista de todas as suas redes no formato CIDR
176 | networks_list_path = /etc/networks_list
177 |
178 | # lista redes em formato CIDR que não serão monitoradas quanto a ataques
179 | white_list_path = /etc/networks_whitelist
180 |
181 | # período de redesenho da tela do cliente
182 | check_period = 1
183 |
184 | # O rastreamento de conexão é muito útil para detecção de ataques porque fornece grandes quantidades de informações,
185 | # mas consome muito CPU e não é recomendado em grandes redes
186 | enable_connection_tracking = on
187 |
188 | # Diferentes abordagens para detecção de ataques
189 | ban_for_pps = on
190 | ban_for_bandwidth = on
191 | ban_for_flows = off
192 |
193 | # Limites para ataques Dos/DDoS
194 | threshold_pps = 20000
195 | threshold_mbps = 1000
196 | threshold_flows = 3500
197 |
198 | # Limites de ataque por protocolo
199 | # Não implementamos limites de fluxo por protocolo devido a limitações lógicas de cálculo de fluxo
200 | # Esses limites devem ser menores que os limites globais de pps/mbps
201 |
202 | threshold_tcp_mbps = 100000
203 | threshold_udp_mbps = 100000
204 | threshold_icmp_mbps = 100000
205 |
206 | threshold_tcp_pps = 100000
207 | threshold_udp_pps = 100000
208 | threshold_icmp_pps = 100000
209 |
210 | ban_for_tcp_bandwidth = off
211 | ban_for_udp_bandwidth = off
212 | ban_for_icmp_bandwidth = off
213 |
214 | ban_for_tcp_pps = off
215 | ban_for_udp_pps = off
216 | ban_for_icmp_pps = off
217 |
218 | ###
219 | ### Métodos de captura de tráfego
220 | ###
221 |
222 | #
223 | # Opção padrão para captura de espelho de porta no Linux
224 | # Mecanismo de captura AF_PACKET
225 | mirror_afpacket = off
226 |
227 | # Método de captura de tráfego baseado em XDP de alta eficiência
228 | # O XDP desconectará completamente a interface de rede do Linux e você poderá perder a conectividade se o tráfego de gerenciamento de rota for feito na mesma interface
229 | # Você precisa ter uma placa de rede separada para interface de gerenciamento
230 | mirror_afxdp = off
231 |
232 | # Ativa a lógica baseada em poll para verificar novos pacotes. Geralmente, elimina a pesquisa ativa e reduz a carga da CPU
233 | poll_mode_xdp = off
234 |
235 | # Coloca a interface no modo promisc automaticamente
236 | xdp_set_promisc = on
237 |
238 | # Habilita explicitamente o modo de cópia zero, requer suporte de driver
239 | zero_copy_xdp = off
240 |
241 | # Força o modo XDP nativo que requer suporte da placa de rede
242 | force_native_mode_xdp = off
243 |
244 | # Mude para usar o tamanho do IP como tamanho do pacote em vez dos dados do mecanismo de captura. Deve ser ativado quando o tráfego é cortado externamente
245 | xdp_read_packet_length_from_ip_header = off
246 |
247 | # Caminho para o programa de microcódigo XDP para processamento de pacotes
248 | microcode_xdp_path = /etc/xdp_kernel.o
249 |
250 | # Você pode usar esta opção para multiplicar todo o tráfego recebido por este valor
251 | # Pode ser útil para amostras de portas espelhadas
252 | mirror_af_packet_custom_sampling_rate = 1
253 |
254 | # AF_PACKET fanout mode mode, http://man7.org/linux/man-pages/man7/packet.7.html
255 | # Available modes: cpu, lb, hash, random, rollover, queue_mapping
256 | mirror_af_packet_fanout_mode = cpu
257 |
258 | # Esta opção deve ser habilitada se você estiver usando Juniper com espelhamento dos primeiros X bytes do pacote: maximum-packet-length 110;
259 | af_packet_read_packet_length_from_ip_header = off
260 |
261 | # Captura de tráfego Netmap, apenas para FreeBSD
262 | mirror_netmap = off
263 |
264 | # Taxa de amostragem de espelhamento baseada em Netmap
265 | netmap_sampling_ratio = 1
266 |
267 | # Esta opção deve ser habilitada se você estiver usando Juniper com espelhamento dos primeiros X bytes do pacote: maximum-packet-length 110;
268 | netmap_read_packet_length_from_ip_header = off
269 |
270 | # Modo Pcap, muito lento e não recomendado para uso em produção
271 | pcap = off
272 |
273 | # Método de captura Netflow com suporte v5, v9 e IPFIX
274 | netflow = off
275 |
276 | # Captura sFLOW adequada para switches
277 | sflow = off
278 |
279 | # Configuração para modos Netmap, mirror, pcap, AF_XDP
280 | # Para pcap poderíamos especificar "any"
281 | # Para Netmap poderíamos especificar múltiplas interfaces separadas por vírgula
282 | interfaces = eth3,eth4
283 |
284 | # Usamos valores médios para velocidade de tráfego para determinado IP e calculamos a média nesse período (segundos)
285 | average_calculation_time = 5
286 |
287 | # Atraso entre tentativas de recálculo de tráfego
288 | speed_calculation_delay = 1
289 |
290 | #Configuração do Netflow
291 |
292 | # é possível especificar múltiplas portas aqui, usando vírgulas como delimitador
293 | netflow_port = 2055
294 |
295 | #
296 | # Host coletor Netflow para escutar.
297 | #
298 | # Para vincular todas as interfaces para uso IPv4 e IPv6 ::
299 | # Para vincular apenas em IPv4 use 0.0.0.0
300 | #
301 | # Para vincular localhost para IPv4 e IPv6 use ::1
302 | # Para vincular apenas em IPv4 use 127.0.0.1
303 | #
304 | netflow_host = 0.0.0.0
305 |
306 | # Os agentes Netflow v9 e IPFIX usam abordagens diferentes e muito complexas para notificar sobre a proporção da amostra
307 | # Aqui você pode especificar uma taxa de amostragem para todos esses agentes
308 | # Para NetFlow v5 extraímos a taxa de amostragem diretamente dos pacotes e esta opção não é usada
309 | netflow_sampling_ratio = 1
310 |
311 | #configuração do sFlow
312 |
313 | # É possível especificar múltiplas portas aqui, usando vírgulas como delimitador
314 | sflow_port = 6343
315 | # sflow_port = 6343,6344
316 | sflow_host = 0.0.0.0
317 |
318 | # Alguns fornecedores podem mentir sobre o comprimento total do pacote sFlow. Para evitar esse problema, podemos passar a usar o tamanho do cabeçalho do pacote IP analisado
319 | sflow_read_packet_length_from_ip_header = off
320 |
321 | ###
322 | ### Ações quando ataque detectado
323 | ###
324 |
325 | # Este script é executado para banimento, cancelamento de banimento e coleta de detalhes de ataque
326 | notify_script_path = /usr/local/bin/notify_about_attack.sh
327 |
328 | # coleta um dump completo do ataque com carga completa em formato compatível com pcap
329 | collect_attack_pcap_dumps = off
330 |
331 | # Salva detalhes do ataque no Redis cloud
332 | redis_enabled = off
333 |
334 | #Configuração do Redis cloud
335 | redis_port = 6379
336 | redis_host = 127.0.0.1
337 |
338 | # especifique um prefixo personalizado aqui
339 | redis_prefix = mydc1
340 |
341 | # Poderíamos armazenar informações de ataque no MongoDB
342 | mongodb_enabled = off
343 | mongodb_host = localhost
344 | mongodb_port = 27017
345 | mongodb_database_name = fastnetmon
346 |
347 | # Anuncie IPs bloqueados com protocolo BGP com ExaBGP
348 | exabgp = off
349 | exabgp_command_pipe = /var/run/exabgp.cmd
350 | exabgp_community = 65001:666
351 |
352 | # especifique múltiplas comunidades com esta sintaxe:
353 | # exabgp_community = [65001:666 65001:777]
354 |
355 | # especifica comunidades diferentes para anúncios de host e sub-rede
356 | # exabgp_community_subnet = 65001:667
357 | # exabgp_community_host = 65001:668
358 |
359 | exabgp_next_hop = 10.0.3.114
360 |
361 | # Em casos complexos você pode ter ambas as opções habilitadas e anunciar o host e a sub-rede simultaneamente
362 |
363 | # Anuncia o próprio host /32 com BGP
364 | exabgp_announce_host = on
365 |
366 | # Anuncia a sub-rede de origem do endereço IP em vez do próprio IP
367 | exabgp_announce_whole_subnet = off
368 |
369 | # Integração GoBGP
370 | gobgp = off
371 |
372 | # Configuração para anuncios ipv4
373 | gobgp_next_hop = 0.0.0.0
374 | gobgp_announce_host = on
375 | gobgp_announce_whole_subnet = off
376 |
377 | gobgp_community_host = 65001:666
378 | gobgp_community_subnet = 65001:777
379 |
380 | # Configuração para IPv6 anunciada
381 | gobgp_next_hop_ipv6 = 100::1
382 | gobgp_announce_host_ipv6 = on
383 | gobgp_announce_whole_subnet_ipv6 = off
384 |
385 | gobgp_community_host_ipv6 = 65001:666
386 | gobgp_community_subnet_ipv6 = 65001:777
387 |
388 | # Antes de usar o InfluxDB você precisa criar um banco de dados usando a ferramenta influx:
389 | #cria banco de dados fastnetmon
390 |
391 | # Integração InfluxDB
392 | # Mais detalhes podem ser encontrados aqui: https://fastnetmon.com/docs/influxdb_integration/
393 | influxdb = off
394 | influxdb_host = 127.0.0.1
395 | influxdb_port = 8086
396 | influxdb_database = fastnetmon
397 |
398 | # Autenticação InfluxDB
399 | influxdb_auth = off
400 | influxdb_user = fastnetmon
401 | influxdb_password = secure
402 |
403 | # Com que frequência exportamos métricas para o InfluxDB
404 | influxdb_push_period = 1
405 |
406 | # Monitoramento de grafite
407 | graphite = off
408 | # Por favor, use apenas IP porque nomes de domínio não são permitidos aqui
409 | graphite_host = 127.0.0.1
410 | graphite_port = 2003
411 |
412 | # Namespace padrão para dados Graphite
413 | graphite_prefix = fastnetmon
414 |
415 | # Com que frequência exportamos métricas para Graphite
416 | graphite_push_period = 1
417 |
418 | # Adicione endereços IP locais e aliases à lista de monitoramento
419 | #Funciona apenas para Linux
420 | monitor_local_ip_addresses = on
421 |
422 | # Adicione endereços IP para VEs OpenVZ/Virtuozzo à lista de monitoramento de rede
423 | monitor_openvz_vps_ip_addresses = off
424 |
425 | # Cria um grupo de hosts com limites fora do padrão
426 | # Você deve criar este grupo antes (no arquivo de configuração) de especificar quaisquer limites
427 | # grupo de hosts = meus_hosts:10.10.10.221/32,10.10.10.222/32
428 | # hostgroup = my_hosts:10.10.10.221/32,10.10.10.222/32
429 |
430 | #Configurar este grupo
431 | my_hosts_enable_ban = off
432 |
433 | my_hosts_ban_for_pps = off
434 | my_hosts_ban_for_bandwidth = off
435 | my_hosts_ban_for_flows = off
436 |
437 | my_hosts_threshold_pps = 100000
438 | my_hosts_threshold_mbps = 1000
439 | my_hosts_threshold_flows = 3500
440 |
441 | # Caminho para o arquivo pid para verificar "se outra cópia da ferramenta está sendo executada", é útil quando você executa múltiplas instâncias da ferramenta
442 | pid_path = /var/run/fastnetmon.pid
443 |
444 | # Caminho para o arquivo onde armazenamos informações de tráfego IPv4 para fastnetmon_client
445 | cli_stats_file_path = /tmp/fastnetmon.dat
446 |
447 | # Caminho para o arquivo onde armazenamos informações de tráfego IPv6 para fastnetmon_client
448 | cli_stats_ipv6_file_path = /tmp/fastnetmon_ipv6.dat
449 |
450 | # Habilite a API gRPC (necessário para a ferramenta fastnetmon_api_client)
451 | enable_api = on
452 |
453 | # Permite exportação de tráfego para Kafka
454 | kafka_traffic_export = off
455 |
456 | # Nome do tópico de exportação de tráfego Kafka
457 | kafka_traffic_export_topic = fastnetmon
458 |
459 | # Formato de exportação de tráfego Kafka: json ou protobuf
460 | kafka_traffic_export_format = json
461 |
462 | # Lista de exportação de tráfego Kafka de corretores separados por vírgula
463 | kafka_traffic_export_brokers = 10.154.0.1:9092,10.154.0.2:9092
464 |
465 | # Endpoint de monitoramento do Prometheus
466 | prometheus = on
467 |
468 | # Prometheus port
469 | prometheus_port = 9209
470 |
471 | # Prometheus host
472 | prometheus_host = 127.0.0.1
473 |
474 | ###
475 | ### Configuração do cliente
476 | ###
477 |
478 | # Campo utilizado para classificação no cliente, os valores válidos são: pacotes, bytes ou fluxos
479 | sort_parameter = packets
480 |
481 | # Quantos IPs serão listados para fluxos da rede de download e upload
482 | max_ips_in_list = 7
483 | root@fastnetmon:/tmp#
484 |
485 |
486 |
487 |
488 | #BLACK-HOLE FRR/HUAWEI
489 | # para testar o anuncio - (obs.: os route-maps aplicados ao vizinho abaixo, MARK_FASTNETMON_IMPORT/MARK_FASTNETMON_EXPORT, não são os definidos nesta seção, FASTNETMON-IN/FASTNETMON-OUT; um route-map inexistente resulta em deny, então alinhe os nomes antes de aplicar)
490 | ip route 10.99.93.2 32 null0
491 | #
492 |
493 | ip prefix-list FASTNETMON-ADDRESS seq 5 permit 10.99.0.0/16 le 32
494 | !
495 | route-map FASTNETMON-IN deny 10
496 | !
497 | route-map FASTNETMON-OUT permit 10
498 | match ip address prefix-list FASTNETMON-ADDRESS
499 | set community 65001:666
500 | !
501 | router bgp 65
502 | bgp router-id 10.10.0.2
503 | neighbor 10.10.0.1 remote-as 65001
504 | neighbor 10.10.0.1 description "Huawei"
505 | !
506 | address-family ipv4 unicast
507 | neighbor 10.10.0.1 route-map MARK_FASTNETMON_IMPORT in
508 | neighbor 10.10.0.1 route-map MARK_FASTNETMON_EXPORT out
509 | exit-address-family
510 | !
511 | end
512 | write memory
513 |
514 | community 666:666 OPERADORA-01
515 | community 900:666 OPERADORA-02
516 |
517 | #huawei BGP (obs.: o ip-prefix ACCEPT-FASTNETMON abaixo aceita qualquer /32 vindo do FastNetMon; restrinja-o aos seus próprios prefixos, como faz o FASTNETMON-ADDRESS do lado FRR, para que um anúncio indevido não consiga descartar endereços de terceiros)
518 | ip route-static 192.0.2.1 255.255.255.255 NULL0 description BH
519 |
520 | ip ip-prefix ACCEPT-FASTNETMON index 10 permit 0.0.0.0 0 greater-equal 32
521 | ip ip-prefix IGNORE-FASTNETMON index 10 permit 10.99.88.0 30 greater-equal 28 less-equal 32
522 |
523 | ip community-filter basic FASTNETMON-BH index 10 permit 65001:666
524 |
525 | route-policy FASTNETMON-IN deny node 10
526 | if-match ip-prefix IGNORE-FASTNETMON
527 |
528 | ip route-static 192.0.2.1 255.255.255.255 NULL0 description BH
529 | route-policy FASTNETMON-IN permit node 20
530 | if-match ip-prefix ACCEPT-FASTNETMON
531 | if-match community-filter FASTNETMON-BH
532 | apply local-preference 999
533 | apply ip-address next-hop 192.0.2.1
534 | apply community 666:666 900:666
535 |
536 |
537 | route-policy FASTNETMON-IN deny node 100
538 |
539 | route-policy FASTNETMON-OUT deny node 100
540 |
541 | ip community-filter basic BLACKHOLE-MEU-AS index 10 permit 65006:666
542 |
543 |
544 | route-policy AS-OPERADORA-01-OUT permit node 20
545 | if-match community-filter BLACKHOLE-MEU-AS
546 | apply community 666:666
547 |
548 | route-policy AS-OPERADORA-02-OUT permit node 20
549 | if-match community-filter BLACKHOLE-MEU-AS
550 | apply community 900:666
551 |
552 | #ajustar /32 publico OPCIONAL firewall NFTABLES
553 | nano /etc/network/interfaces
554 | allow-hotplug eno1
555 | iface eno1 inet static
556 | address 200.200.200.255/32
557 |
558 | # Ativar firewall FASTNETMON caso use endereço IP privado
559 | systemctl enable nftables
560 |
561 | # Criar script de firewall
562 | nano /etc/nftables.conf
563 | #!/usr/sbin/nft -f
564 | flush ruleset
565 | table inet filter {
566 | chain input {
567 | type filter hook input priority 0;
568 | # Permite que apenas conexões abertas pelo servidor sejam respondidas
569 | ip daddr 200.200.200.255 ct state related,established counter accept
570 | ip daddr 200.200.200.255 counter drop
571 | }
572 | chain forward {
573 | type filter hook forward priority 0;
574 | }
575 | chain output {
576 | type filter hook output priority 0;
577 | }
578 | }
579 | systemctl start nftables
580 |
581 |
582 | ip prefix-list FASTNETMON-ADDRESS seq 5 permit 45.163.148.0/22 le 32
583 | !
584 | route-map FASTNETMON-IN deny 10
585 | !
586 | route-map FASTNETMON-OUT permit 10
587 | match ip address prefix-list FASTNETMON-ADDRESS
588 | set community 65001:666
589 | !
590 | router bgp 65001
591 | bgp router-id 10.100.0.2
592 | neighbor 10.100.0.1 remote-as 260072
593 | neighbor 10.100.0.1 description "Huawei"
594 | !
595 | address-family ipv4 unicast
596 | neighbor 10.100.0.1 route-map MARK_FASTNETMON_IMPORT in
597 | neighbor 10.100.0.1 route-map MARK_FASTNETMON_EXPORT out
598 | exit-address-family
599 | !
600 | end
601 | write memory
602 |
603 | community 666:666 MIGO
604 | community 900:666 WEBBY
605 |
606 |
607 | ip route-static 192.0.2.1 255.255.255.255 NULL0 description BH
608 |
609 | ip ip-prefix ACCEPT-FASTNETMON index 10 permit 0.0.0.0 0 greater-equal 32
610 | ip ip-prefix IGNORE-FASTNETMON index 10 permit 45.163.148.136 30 greater-equal 28 less-equal 32
611 |
612 | ip community-filter basic FASTNETMON-BH index 10 permit 65001:666
613 |
614 | route-policy FASTNETMON-IN deny node 10
615 | if-match ip-prefix IGNORE-FASTNETMON
616 |
617 | route-policy FASTNETMON-IN permit node 20
618 | if-match community-filter FASTNETMON-BH
619 | apply local-preference 999
620 | apply ip-address next-hop 192.0.2.1
621 | apply community 666:666 900:666
622 | if-match ip-prefix ACCEPT-FASTNETMON
623 |
624 | route-policy FASTNETMON-IN deny node 100
625 |
626 | route-policy FASTNETMON-OUT deny node 100
627 |
628 | ip community-filter basic BLACKHOLE index 10 permit 65006:666
629 |
630 |
631 | route-policy AS263152-MIGO-OUT permit node 20
632 | if-match community-filter BLACKHOLE
633 | apply community 666:666
634 |
635 | route-policy AS262493-WEBBY-OUT permit node 20
636 | if-match community-filter BLACKHOLE
637 | apply community 900:666
638 |
639 |
640 |
641 | ---- desfazendo graphite
642 |
643 | # sed -i 's/graphite = on/graphite = off/' /etc/fastnetmon.conf
644 | # vim /etc/influxdb/influxdb.conf
645 | Comente:
646 | [[graphite]]
647 | # enabled = true
648 | # bind-address = ":2003"
649 | # protocol = "tcp"
650 | # consistency-level = "one"
651 | # separator = "."
652 | # templates = [
653 | # "fastnetmon.hosts.* app.measurement.cidr.direction.function.resource",
654 | # "fastnetmon.networks.* app.measurement.cidr.direction.resource",
655 | # "fastnetmon.total.* app.measurement.direction.resource"
656 | # ]
657 |
658 | # systemctl restart influxdb fastnetmon
659 |
660 |
661 | Ative o influxdb
662 | # sed -i 's/influxdb = off/influxdb = on/' /etc/fastnetmon.conf
663 |
664 | # InfluxDB integration
665 | influxdb = on
666 | influxdb_host = 127.0.0.1
667 | influxdb_port = 8086
668 | influxdb_database = fastnetmon
669 |
670 | # influx
671 | > DROP DATABASE graphite
672 | > CREATE DATABASE fastnetmon
673 | > SHOW DATABASES
674 | > EXIT
675 |
676 |
677 |
--------------------------------------------------------------------------------
/integracao-wanguard-grafana.sh:
--------------------------------------------------------------------------------
1 | ### Para integrar Andrisoft Wanguard Anti-DDoS com Grafana, você pode seguir estes passos principais:
2 | ### utilizar a API do Wanguard para coletar dados, armazená-los em um banco de dados (como MySQL), e configurar o Grafana para visualizar esses dados.
3 |
4 | ### Passo 1: Configurar o Banco de Dados
5 |
6 | 1. **Instale MySQL**:
7 | ```bash
8 | sudo apt update
9 | sudo apt install mysql-server
10 | sudo mysql_secure_installation
11 | ```
12 |
13 | 2. **Crie o banco de dados e a tabela**:
14 | ```sql
15 | CREATE DATABASE wanguard_data;
16 |
17 | USE wanguard_data;
18 |
19 | CREATE TABLE ddos_metrics (
20 | id INT AUTO_INCREMENT PRIMARY KEY,
21 | timestamp DATETIME,
22 | attack_type VARCHAR(255),
23 | attack_target VARCHAR(255),
24 | attack_size FLOAT,
25 | attack_duration FLOAT
26 | );
27 | ```
28 |
29 | ### Passo 2: Script Python para Extrair Dados do Wanguard
30 |
31 | 1. **Instale as bibliotecas necessárias**:
32 | ```bash
33 | pip install requests mysql-connector-python
34 | ```
35 |
36 | 2. **Desenvolva o script Python**:
37 | ```python
import os
from datetime import datetime

import mysql.connector
import requests
41 |
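# Configurações do Andrisoft Wanguard
# The original URL had no host ('http:///...'); WANGUARD_HOST below is a
# placeholder to be replaced, or the whole URL can be supplied via the
# environment. The API key and DB password are read from the environment so
# real secrets never need to be written into this script; the literal
# fallbacks are only the tutorial's placeholders.
wanguard_api_url = os.environ.get(
    'WANGUARD_API_URL', 'http://WANGUARD_HOST/api/v1/ddos/attacks'
)
wanguard_api_key = os.environ.get('WANGUARD_API_KEY', 'your_api_key')

# Configurações do Banco de Dados MySQL
db_config = {
    'user': os.environ.get('WANGUARD_DB_USER', 'your_db_user'),
    'password': os.environ.get('WANGUARD_DB_PASSWORD', 'your_db_password'),
    'host': os.environ.get('WANGUARD_DB_HOST', 'localhost'),
    'database': 'wanguard_data'
}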
53 |
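def fetch_wanguard_data():
    """Fetch the attack list from the Wanguard API and return the decoded JSON body.

    Reads the module-level ``wanguard_api_url`` and ``wanguard_api_key``.
    The request carries a bearer token and a bounded timeout, so an
    unreachable or stalled API cannot block the script indefinitely.

    Raises:
        requests.HTTPError: on a non-2xx response (``raise_for_status``).
        requests.RequestException: on connection errors or timeout.
    """
    headers = {'Authorization': f'Bearer {wanguard_api_key}'}
    # requests has no default timeout; without one a hung API blocks forever.
    response = requests.get(wanguard_api_url, headers=headers, timeout=30)
    response.raise_for_status()
    return response.json()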
59 |
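def store_data_in_db(data):
    """Persist the attacks in ``data`` into the ``ddos_metrics`` table.

    Args:
        data: decoded API response; ``data['attacks']`` must be an iterable of
            mappings with ``timestamp`` (``%Y-%m-%dT%H:%M:%S``), ``type``,
            ``target``, ``size`` and ``duration`` keys.

    Rows are parsed before the connection is opened, so a malformed record
    fails fast without touching the database. The cursor and connection are
    always closed (``finally``), even when the INSERT fails, and nothing is
    committed in that case. An empty attack list only does the connect /
    commit round trip.

    Raises:
        KeyError, ValueError: malformed attack record.
        mysql.connector.Error: database failures.
    """
    # Parameterized query: values are bound by the driver, never interpolated.
    query = """
INSERT INTO ddos_metrics (timestamp, attack_type, attack_target, attack_size, attack_duration)
VALUES (%s, %s, %s, %s, %s)
"""
    rows = [
        (
            datetime.strptime(attack['timestamp'], '%Y-%m-%dT%H:%M:%S'),
            attack['type'],
            attack['target'],
            attack['size'],
            attack['duration'],
        )
        for attack in data['attacks']
    ]

    conn = mysql.connector.connect(**db_config)
    try:
        cursor = conn.cursor()
        try:
            if rows:
                cursor.executemany(query, rows)
            conn.commit()
        finally:
            cursor.close()
    finally:
        conn.close()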
80 |
def main():
    """Entry point: pull the attack list, store it, and report the outcome on stdout."""
    try:
        store_data_in_db(fetch_wanguard_data())
        print("Dados armazenados com sucesso!")
    except Exception as e:  # the tutorial reports any failure and exits normally
        print(f"Erro ao processar dados: {e}")


if __name__ == "__main__":
    main()
91 | ```
92 |
93 | ### Passo 3: Configurar Grafana
94 |
95 | 1. **Adicione MySQL como Fonte de Dados no Grafana**:
96 | - Acesse o Grafana e vá para **Configuration (⚙️)** > **Data Sources** > **Add data source**.
97 | - Escolha **MySQL** e configure a conexão com o banco de dados que você criou.
98 |
99 | 2. **Crie um Dashboard**:
100 | - Crie um novo dashboard e adicione painéis.
101 | - Configure as consultas SQL para exibir os dados armazenados na tabela `ddos_metrics`.
102 |
103 | ### Exemplo de Consulta SQL para Grafana
104 |
105 | ```sql
106 | SELECT
107 | timestamp AS "Time",
108 | attack_type AS "Attack Type",
109 | attack_target AS "Attack Target",
110 | attack_size AS "Attack Size",
111 | attack_duration AS "Attack Duration"
112 | FROM
113 | ddos_metrics
114 | WHERE
115 | $__timeFilter(timestamp)
116 | ORDER BY
117 | timestamp DESC
118 | ```
119 |
120 | Isso permitirá que você visualize os dados do Andrisoft Wanguard no Grafana. Para mais detalhes, consulte a [documentação oficial do Andrisoft Wanguard](https://www.andrisoft.com/docs/wanguard/8.3/index.html).
121 |
--------------------------------------------------------------------------------
/integração-nfdump-grafana.py:
--------------------------------------------------------------------------------
1 | #Para integrar o NFdump com o Grafana, você pode criar um script em Python que colete dados do NFdump e os envie para o Grafana via uma fonte de dados suportada, como o InfluxDB ou Prometheus. Aqui está um exemplo de como você pode fazer isso usando o InfluxDB como intermediário:
2 |
3 | ### Passo 1: Instalação das Ferramentas Necessárias
4 |
5 | #1. **NFdump**: Certifique-se de que o NFdump está instalado e configurado em seu sistema.
6 | #2. **InfluxDB**: Instale e configure o InfluxDB.
7 | #3. **Grafana**: Instale e configure o Grafana e adicione o InfluxDB como fonte de dados.
8 |
9 | ### Passo 2: Coletar Dados do NFdump
10 |
11 | #Você pode usar um comando do NFdump para exportar os dados desejados. Por exemplo:
12 | #```bash
13 | # nfdump -r /path/to/nfcapd.file -o csv > nfdump_data.csv
14 | #```
15 |
16 | ### Passo 3: Criar um Script Python para Enviar Dados para o InfluxDB
17 |
18 | #Aqui está um exemplo de script Python que lê os dados do arquivo CSV gerado pelo NFdump e envia esses dados para o InfluxDB.
19 |
20 | #```python
21 | #!/usr/bin/env python
import csv
import os

from influxdb import InfluxDBClient
24 |
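# Configuração do InfluxDB
# Connection settings and credentials come from the environment when set;
# the literals are only the tutorial's placeholders and should not be
# replaced with real secrets inside the script.
influxdb_host = os.environ.get('INFLUXDB_HOST', 'localhost')
influxdb_port = int(os.environ.get('INFLUXDB_PORT', '8086'))
influxdb_user = os.environ.get('INFLUXDB_USER', 'username')
influxdb_password = os.environ.get('INFLUXDB_PASSWORD', 'password')
influxdb_database = os.environ.get('INFLUXDB_DATABASE', 'nfdump')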
31 |
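# Inicializando o cliente do InfluxDB
client = InfluxDBClient(host=influxdb_host, port=influxdb_port, username=influxdb_user, password=influxdb_password)

# Verificando se o banco de dados existe, caso contrário, criando-o
# get_list_database() returns one mapping per database; compare on the
# 'name' key only, so an entry carrying extra keys still counts as existing
# instead of triggering a redundant CREATE DATABASE.
existing_names = {entry.get('name') for entry in client.get_list_database()}
if influxdb_database not in existing_names:
    client.create_database(influxdb_database)
client.switch_database(influxdb_database)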
40 |
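def convert_to_influxdb_format(csv_file, measurement="nfdump_data"):
    """Read a CSV of flow records and turn each row into an InfluxDB point.

    Args:
        csv_file: path to a CSV file with a header row. The columns
            ``src_ip``, ``dst_ip``, ``timestamp``, ``bytes``, ``packets``,
            ``src_port``, ``dst_port`` and ``protocol`` are read; a missing
            column raises ``KeyError`` and a non-numeric counter or port
            raises ``ValueError``.
        measurement: InfluxDB measurement name. Defaults to the value the
            script always used, ``"nfdump_data"``.

    Returns:
        A list of point dicts in the shape ``InfluxDBClient.write_points``
        accepts: ``src_ip``/``dst_ip`` as tags, ``timestamp`` as ``time``,
        and the counters, ports and protocol as fields. An empty or
        header-only file yields ``[]``.

    NOTE(review): the column names above are what this script expects; the
    header written by ``nfdump -o csv`` uses nfdump's own field names, so the
    export may need a renaming step before it reaches this function — confirm
    against a real export.
    """
    points = []
    # newline='' is what the csv module requires so quoted fields that span
    # lines are parsed correctly.
    with open(csv_file, 'r', newline='') as f:
        for row in csv.DictReader(f):
            points.append({
                "measurement": measurement,
                "tags": {
                    "src_ip": row['src_ip'],
                    "dst_ip": row['dst_ip'],
                },
                "time": row['timestamp'],
                "fields": {
                    "bytes": int(row['bytes']),
                    "packets": int(row['packets']),
                    "src_port": int(row['src_port']),
                    "dst_port": int(row['dst_port']),
                    "protocol": row['protocol'],
                },
            })
    return points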
64 |
# CSV export produced by NFdump (see step 2 above).
csv_file_path = 'nfdump_data.csv'

# Build the points from the export and ship them to InfluxDB in a single write.
data_points = convert_to_influxdb_format(csv_file_path)
client.write_points(data_points)

print("Dados enviados para o InfluxDB com sucesso!")
73 | #```
74 |
75 | ### Passo 4: Configurar o Grafana
76 |
77 | #1. Abra o Grafana e adicione o InfluxDB como uma fonte de dados.
78 | #2. Crie um dashboard no Grafana para visualizar os dados do NFdump.
79 |
80 | #Com esses passos, você terá um fluxo de trabalho onde os dados coletados pelo NFdump são exportados, processados por um script Python, enviados para o InfluxDB e visualizados no Grafana.
81 |
82 | ### Observações Finais
83 |
84 | #1. **Automatização**: Para uma solução automatizada, considere configurar um cron job ou um serviço que execute o script Python periodicamente.
85 | #2. **Segurança**: Garanta que suas credenciais e dados sensíveis estejam protegidos.
86 | #3. **Escalabilidade**: Se precisar lidar com grandes volumes de dados, considere otimizações e práticas recomendadas para o InfluxDB e o NFdump.
87 |
88 | #Esta solução fornece um caminho completo da coleta de dados até a visualização, aproveitando ferramentas robustas como NFdump, InfluxDB e Grafana.
89 |
--------------------------------------------------------------------------------
/nfsen-install.sh:
--------------------------------------------------------------------------------
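#!/bin/bash
# NFsen / NetFlow install notes.
# This is a runbook rather than an unattended script: a few steps open nano, and the
# configuration fragments that belong in the edited files are kept below as comments.
# As bare lines (the previous version) they were executed by bash and the script aborted
# with a syntax error at the first '%sources = (' line.

# NFDUMP
apt update
apt upgrade
apt install -y nfdump
nfdump -V

# Build tooling and runtime libraries
apt install -y build-essential autoconf make gcc wget
apt install -y rrdtool mrtg librrds-perl librrdp-perl librrd-dev
apt install -y libmailtools-perl bison
apt install -y flex libpcap-dev php libsocket6-perl apache2 php-common apache2-utils
apt install -y libapache2-mod-php libtool dh-autoreconf pkg-config libbz2-dev byacc doxygen graphviz
apt install -y libapache2-mod-php php php-mysql php-cli php-pear php-gmp php-gd
apt install -y php-bcmath php-curl php-xml php-zip git tcpdump

# Socket6 from CPAN. This fetches and builds code from CPAN at install time; the packaged
# libsocket6-perl above already provides the module, so this step is optional.
perl -MCPAN -e 'install socket6'

# NFSEN 1.3.8 release tarball (no checksum or signature is verified for this download)
cd /usr/src/ || exit 1
wget https://github.com/p-alik/nfsen/archive/refs/tags/nfsen-1.3.8.tar.gz
tar -zxvf nfsen-1.3.8.tar.gz
cd /usr/src/nfsen-nfsen-1.3.8 || exit 1
cp etc/nfsen-dist.conf /etc/nfsen.conf

# Fork that works with nfdump 1.7. The clone lands in the current directory
# (/usr/src/nfsen-nfsen-1.3.8/nfsen); the earlier 'cd /nfsen' pointed at a path that
# does not exist, so the following cp/install steps ran from the wrong tree.
git clone https://github.com/phaag/nfsen
cd nfsen || exit 1
cp etc/nfsen-dist.conf /etc/nfsen.conf

# Edit the nfsen configuration (interactive)
nano /etc/nfsen.conf
# Values to set in /etc/nfsen.conf:
#   $BASEDIR = "/opt/nfsen";
#   $HTMLDIR = "/var/www/nfsen/";
#   $PREFIX = '/usr/bin';
#   $USER = "www-data";
#   $WWWGROUP = "www-data";
#   %sources = (
#   'BGP' =>{ 'port' => '9995', 'col' =>'#0000ff', 'type' => 'netflow' },
#   'BNG' =>{ 'port' => '9996', 'col' =>'#00ffff', 'type' => 'netflow' },
#   );

# Adjust the RRD version check (line 76): raise the upper bound to 1.8.
# NOTE(review): this edits the 1.3.8 tree while install.pl below runs from the phaag
# clone — confirm which tree is actually being installed.
nano /usr/src/nfsen-nfsen-1.3.8/libexec/NfSenRRD.pm
#   if ( $rrd_version >= 1.2 && $rrd_version < 1.8 ) {

# Install NFsen
mkdir -p /opt/nfsen
./install.pl /etc/nfsen.conf
pgrep -a nfsen

# Apache alias (interactive edit)
nano /etc/apache2/sites-enabled/000-default.conf
#   Alias /nfsen /var/www/nfsen/

# Let /nfsen/ serve nfsen.php (idempotent)
ln -sf /var/www/nfsen/nfsen.php /var/www/nfsen/index.php

# Start the services
service apache2 reload
/opt/nfsen/bin/nfsen start

# Send flows from a Linux host with a NetFlow probe
apt install -y fprobe

# Locate the nfdump binary on PATH
command -v nfdump

# Add another source (interactive edit)
nano /etc/nfsen.conf
#   %sources = (
#   'P-BGP-BORDA' => { 'port' => '9995', 'col' => '#0000ff', 'type' => 'netflow' },
#   'CE-IPOE' => { 'port' => '9996', 'col' => '#00ffff', 'type' => 'netflow' },
#   );

/opt/nfsen/bin/nfsen reconfig
/opt/nfsen/bin/nfsen stop
/opt/nfsen/bin/nfsen start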
91 |
--------------------------------------------------------------------------------
/openvas-install.sh:
--------------------------------------------------------------------------------
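#!/bin/bash
# OpenVAS / Greenbone Vulnerability Management install notes.
# Runbook: one step is interactive (nano) and the feed syncs take a long time.

# Update the OS. The previous version ran apt without -y, so each step stopped at a
# confirmation prompt when the script was run unattended.
apt update
apt -y upgrade
apt -y autoremove

# Install OpenVAS (pulls in the GVM stack)
apt -y install openvas

# Initial setup. Record the admin credentials the setup prints; they are the login for
# the web interface.
gvm-setup

# Reach the web interface (GSA) from an address other than localhost: adjust the listen
# address in the ExecStart line of the unit below. Exposing GSA to the network means its
# login page is reachable from there; restrict it with a firewall rule and put TLS in front.
nano /usr/lib/systemd/system/greenbone-security-assistant.service
systemctl daemon-reload
gvm-check-setup

# Feed synchronisation (NVTs, GVMD data, SCAP, CERT).
# NOTE(review): greenbone-scapdata-sync / greenbone-certdata-sync appear to repeat the
# SCAP/CERT syncs done by greenbone-feed-sync above — confirm whether both are still needed.
sudo -u _gvm greenbone-nvt-sync --rsync
greenbone-feed-sync --type GVMD_DATA
greenbone-feed-sync --type SCAP
greenbone-feed-sync --type CERT
greenbone-scapdata-sync
greenbone-certdata-sync
gvm-feed-update
gvm-start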
25 |
26 |
--------------------------------------------------------------------------------
/wanguard.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # Wanguard - Guia de preparacao, instalacao e uso
3 | #=================================================================================
4 | # Site do fabricante: https://www.andrisoft.com/
5 | #
6 | #Agradecimentos:
7 | # Proprietario desta conta git
8 | # Raphael Rodrigues
9 | # Contatos:
10 | # - Site..........: https://raphaelisp.com.br/
11 | # - Site..........: https://flowspec.net.br/
12 | # - WhatsApp / Tel: +55 22 99999-0768
13 | # - Youtube.......: https://www.youtube.com/@raphaelisp
14 | # - Instagram.....: https://www.instagram.com/raphaelispconnect/
15 | #
16 | # Patrick Brandao, Gran-Mestre Supremo em Network e Linux User Power Full
17 | # Contatos:
18 | # - Site..........: http://patrickbrandao.com/
19 | # - WhatsApp / Tel: +55 31 9 8405-2336
20 | # - Youtube.......: https://www.youtube.com/@tol83
21 | # - Instagram.....: https://www.instagram.com/patrickbrd
22 | #
23 | # Referencias:
24 | # https://www.andrisoft.com/de/download
25 | # https://www.andrisoft.com/download/debian11
26 | # https://www.andrisoft.com/download/debian12
27 | #
28 | # Requisitos para uso do software:
29 | # Maquina virtual ou Baremetal (recomendado, ligar direto na borda)
30 | # RAM......: 128 GB (se for VM, colocar como reservada)
31 | # CPU......: o maximo possivel de nucleos
32 | # HD.......: 256 GB (minimo, SSD ou NVME)
33 | # REDE.....: 10gbit (1 gb e' inadimissivel)
34 | #
35 | #
36 | # Voce pode instalar em maquina/vm inferior: pode
37 | # Voce deve: NAO. Vai faltar recursos e rapidez
38 | # e normalmente quem faz esse tipo de
39 | # porcaria sempre culpa o software,
40 | # nunca a sua propria avareza.
41 | #
42 | # Sistema operacional: Debian 12 64 bits
43 | # Utilize a ISO 64 bits NETINSTALL
44 | #
45 | # Durante a instalacao:
46 | # - IP fixo SEMPRE, nao use DHCP
47 | # - Coloque IPv4 e IPv6
48 | # - NAO INSTALE X-WINDOW (Interface Grafica)
49 | # - Instale: SSH e ferramentas do sistema
50 | #
51 | # Recomendado para maximo de aproveitamento:
52 | # - opcional....: gerencia em interface de 1g ou 10g (NAO MANDE FLOW AQUI)
53 | # - obrigatorio.: colega de FLOW numa interface de 10g
54 | # - opcional....: porta de 10g ou 40/100g para receber trafego de port-mirror
55 | #
56 | # Para melhor visualizacao do trafego de entrada, e' recomendado
57 | # que todos os links cheguem em um switch de alta capacidade
58 | # e que sejam entregues ao BGP ligado nesse switch
59 | # Esse tipo de ligacao permite que o port-mirror seja ativado
60 | # no switch para enviar uma copia fiel do trafego de entrada
61 | # ao WanGuard
62 | # O Flow/NetFlow/sFlow nao e' o trafego de entrada real, e sim
63 | # um resumo/amostra/abstracao do trafego.
64 | # Obrigatorio: sincronismo NTP em TODOS os equipamentos envolvidos
65 | # Recomendado: usar o WanGuard como servidor NTP para que o relogio
66 | # dele e de todos os equipamentos sejam sincronizados
67 | # fielmente
68 | #
# Begin :)
apt-get -y update
apt-get -y upgrade

# Base packages
apt-get -y install apt-transport-https build-essential gnupg wget python3-pysimplesoap ntp unzip curl net-tools tcpdump

# SNMP
apt install -y snmpd snmp snmptrapd libsnmp-base libsnmp-dev

# SMP / NUMA tooling
apt-get -y install numactl coreutils htop numactl numatop

# Time zone and time sync tooling
# NOTE(review): ntp (installed above) and systemd-timesyncd are alternative NTP
# implementations; apt may remove one when the other is installed — confirm which
# daemon ends up active.
apt-get -y install ntpdate systemd-timesyncd

# Zone and one-shot clock sync
timedatectl set-timezone America/Sao_Paulo
ntpdate a.ntp.br

# timesyncd configuration (the whole file is replaced)
cat > /etc/systemd/timesyncd.conf <<'EOF'

[Time]
NTP=200.160.0.8
FallbackNTP=2001:12ff::8
#RootDistanceMaxSec=5
#PollIntervalMinSec=32
#PollIntervalMaxSec=2048

EOF

# Turn NTP on in timedatectl and show the result
timedatectl set-ntp true
timedatectl status
104 |
# Andrisoft repository: the signing key goes into its own keyring and the source line is
# pinned to it with signed-by, so the key only vouches for this repository.
wget -O - https://www.andrisoft.com/andrisoft.gpg.key | gpg --dearmor --yes --output /usr/share/keyrings/andrisoft-keyring.gpg
printf '%s\n' "deb [signed-by=/usr/share/keyrings/andrisoft-keyring.gpg] https://www.andrisoft.com/files/debian12 bookworm main" > /etc/apt/sources.list.d/andrisoft.list

# WanGuard packages
apt update
apt-get -y install wanbgp python3-pip exabgp wanconsole wansupervisor wanfilter

# Pin the PHP 8 time zone (same zone as the system) in both SAPIs
for php_ini in /etc/php/8.2/apache2/php.ini /etc/php/8.2/cli/php.ini; do
  sed -i 's#;date.timezone.*#date.timezone=America/Sao_Paulo#g' "$php_ini"
done

# Apache: serve the WanGuard webroot from the default site and enable the vendor config
sed -i 's#/var/www/html#/opt/andrisoft/webroot#g' /etc/apache2/sites-available/000-default.conf
ln -sf /opt/andrisoft/etc/andrisoft_apache.conf /etc/apache2/conf-enabled/andrisoft_apache.conf
121 |
# MariaDB mysqld_safe options (the drop-in is replaced as a whole)
cat > /etc/mysql/mariadb.conf.d/50-mysqld_safe.cnf <<'EOF'

[mysqld_safe]
nice = 0
skip_log_error
syslog
timezone='America/Sao_Paulo'

EOF
132 |
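# Set the MariaDB root password.
# The same literal is reused by the database steps further down; override it once for the
# whole run with WANGUARD_DB_PASS in the environment instead of keeping a default that is
# published with this script.
# NOTE: mysqladmin receives the password as an argument, so it is visible in ps output and
# in shell history while this runs — acceptable on a fresh single-user install, not on a
# shared host.
mysqladmin -u root password "${WANGUARD_DB_PASS:-W4ngu4rd1}"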
135 |
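# MariaDB server.cnf
# The previous version wrote two bind-address lines: 127.0.0.1 followed by the unreplaced
# placeholder IP-DO-SERVIDOR. MariaDB keeps the last one, so the server tried to bind to a
# name that does not resolve and failed to start. One bind-address is written here:
# loopback by default, override with WANGUARD_DB_BIND=<address>. Binding to a non-loopback
# address exposes the database port to the network — pair it with a firewall rule.
# NOTE(review): some tuning keys below (table_cache, thread_concurrency) look like legacy
# MySQL options that MariaDB 10.11 may reject at startup — confirm against the server log.
db_bind=${WANGUARD_DB_BIND:-127.0.0.1}
cat > /etc/mysql/mariadb.conf.d/50-server.cnf <<EOF

[server]

[mysqld]
user = mysql
pid-file = /run/mysqld/mysqld.pid
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
lc-messages = en_US
skip-name-resolve
skip-external-locking
bind-address = ${db_bind}
expire_logs_days = 10
character-set-server = utf8mb4
collation-server = utf8mb4_general_ci

# Tuning, 4x
key_buffer_size = 512M
max_allowed_packet = 1G
thread_stack = 2048K
thread_cache_size = 32
max_connections = 512
table_cache = 512

table_open_cache = 512
sort_buffer_size = 2M
read_buffer_size = 2M
read_rnd_buffer_size = 8M
myisam_sort_buffer_size = 64M
query_cache_size = 32M
thread_concurrency = 16

[embedded]
[mariadb]
[mariadb-10.11]

EOF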
178 |
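# Restart MariaDB so the new configuration is loaded (the previous version restarted it a
# second time a few lines later; one restart is enough).
systemctl restart mariadb

# Alternative: reset the MariaDB config instead
# mysqladmin -u root password W4ngu4rd1
# sed -i '/^[^#]/ s/\(^.*bind-address.*$\)/#\ \1/' /etc/mysql/mariadb.conf.d/50-server.cnf
# Initial MariaDB hardening (interactive: removes anonymous users, the test database and
# remote root login) — worth running once on a new install
# mysql_secure_installation

# Restart the dependent service
systemctl restart apache2

# No login banner
: > /etc/motd
rm -f /etc/update-motd.d/10-uname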
195 |
# A nicer banner (the ASCII art spacing was flattened in this copy of the file)
cat > /etc/motd <<'EOF'


 888 888 .d8888b. 888 
 888 o 888 d88P Y88b 888 
 888 d8b 888 888 888 888 
 888 d888b 888 8888b. 88888b. 888 888 888 8888b. 888d888 .d88888 
 888d88888b888 "88b 888 "88b 888 88888 888 888 "88b 888P" d88" 888 
 88888P Y88888 .d888888 888 888 888 888 888 888 .d888888 888 888 888 
 8888P Y8888 888 888 888 888 Y88b d88P Y88b 888 888 888 888 Y88b 888 
 888P Y88A "T88888R 88I 88C CY8888P88 KY88888 "Y88888B R88 DY88888 


EOF
211 |
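# Create the andrisoft database and user.
# The password is the literal the rest of the script uses; override it with WANGUARD_DB_PASS.
# It is handed to the client through MYSQL_PWD instead of -p<password> so it does not appear
# in ps output. Keep it free of single quotes: it is spliced into the SQL below.
export DEBIAN_FRONTEND=noninteractive
db_pass=${WANGUARD_DB_PASS:-W4ngu4rd1}
export MYSQL_PWD="$db_pass"

mysql -uroot -e "CREATE DATABASE andrisoft;"

# The previous statements were missing the opening quote of the password literal
# (identified by W4ngu4rd1'), so CREATE USER and GRANT failed with a syntax error and the
# console user never existed. The password is set once, in CREATE USER.
mysql -uroot -e "CREATE USER IF NOT EXISTS 'andrisoft'@'localhost' IDENTIFIED BY '${db_pass}';"
mysql -uroot -e "GRANT ALL PRIVILEGES ON andrisoft.* TO 'andrisoft'@'localhost';"
mysql -uroot -e "FLUSH PRIVILEGES;"
# Best effort: the plugin is not present on every MariaDB build
mysql -uroot -e "UNINSTALL PLUGIN validate_password;" 2>/dev/null

# Load the WanGuard schema and the AS-number table
mysql -uroot andrisoft < /opt/andrisoft/sql/andrisoft.sql
mysql -uroot andrisoft < /opt/andrisoft/sql/as_numbers.sql
unset MYSQL_PWD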
225 |
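# CONFIG MODE 1 - manual:
# - Addresses the web interface listens on (automatic detection, kept for reference)
# V4IP=$(ip -o -4 ro get 1.2.3.4 | sed 's#.*src.###g' | cut -f1 -d' ')
# V6IP=$(ip -o -6 ro get 2804:fada::1 | sed 's#.*src.###g' | cut -f1 -d' ')
# IPBIND=$(echo $V4IP $V6IP)

# - Address of the MariaDB server the console connects to (management loopback, or another
#   server). Set IPBIND=<address> in the environment or replace the placeholder; the previous
#   version wrote the literal IP-DO-SERVIDOR into dbhost.conf and carried on.
IPBIND=${IPBIND:-IP-DO-SERVIDOR}
if [[ "$IPBIND" == "IP-DO-SERVIDOR" ]]; then
  printf 'IPBIND still holds the placeholder; set it to the MariaDB address before continuing\n' >&2
  exit 1
fi
printf '%s\n' "$IPBIND" > /opt/andrisoft/etc/dbhost.conf

# - Password of the andrisoft DB user (database: andrisoft). It must be the same value the
#   CREATE USER step used; the previous version wrote a different literal (wanguardsql) here,
#   so the console could not authenticate. This file holds a credential in clear text —
#   keep its permissions limited to the account that reads it.
db_pass=${WANGUARD_DB_PASS:-W4ngu4rd1}
printf '%s' "$db_pass" > /opt/andrisoft/etc/dbpass.conf

# - Check database access with WanGuard's own credentials
MYSQL_PWD="$db_pass" mysql -uandrisoft andrisoft -e "SHOW TABLES;"

# - Management IP in the wanserver table:
# mysql -uandrisoft -pwanguardsql andrisoft -e "update wanserver set ip = 'IP-DO-SERVIDOR' where ip = '127.0.0.1';"
# Interactive WanGuard wizard (alternative to the manual steps above)
# /opt/andrisoft/bin/install_console
# /opt/andrisoft/bin/install_supervisor
systemctl start WANsupervisor
systemctl enable WANsupervisor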
249 |
# InfluxDB 1.8 as shipped for WanGuard. No integrity check is performed on the download
# before dpkg installs it.
influx_deb=influxdb_1.8.10_amd64.deb
wget "https://dl.influxdata.com/influxdb/releases/${influx_deb}"
dpkg -i "./${influx_deb}"

# Keep the stock config, then install the WanGuard one
cp /etc/influxdb/influxdb.conf /etc/influxdb/influxdb.conf.backup
cp /opt/andrisoft/etc/influxdb.conf /etc/influxdb/influxdb.conf
systemctl restart influxdb
/opt/andrisoft/bin/install_influxdb
257 |
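# SysCTL - universal tuning
#=================================================================================
# Each group is written to its own drop-in under /etc/sysctl.d (whole file replaced).

cat > /etc/sysctl.d/051-net-core.conf <<'EOF'
net.core.rmem_default=31457280
net.core.wmem_default=31457280
net.core.rmem_max=134217728
net.core.wmem_max=134217728
net.core.netdev_max_backlog=250000
net.core.optmem_max=33554432
net.core.default_qdisc=fq
net.core.somaxconn=4096
EOF

# NOTE(review): htcp is a loadable congestion-control module; if it is not loaded the key is
# rejected and the kernel keeps its default — check the sysctl output below.
cat > /etc/sysctl.d/052-net-tcp-ipv4.conf <<'EOF'
net.ipv4.tcp_sack = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_low_latency = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_mem = 6672016 6682016 7185248
net.ipv4.tcp_congestion_control=htcp
net.ipv4.tcp_mtu_probing=1
net.ipv4.tcp_moderate_rcvbuf =1
net.ipv4.tcp_no_metrics_save = 1
EOF

echo "net.ipv4.ip_local_port_range=1024 65535" > /etc/sysctl.d/056-port-range-ipv4.conf
echo "net.ipv4.ip_default_ttl=128" > /etc/sysctl.d/062-default-ttl-ipv4.conf

cat > /etc/sysctl.d/063-neigh-ipv4.conf <<'EOF'
net.ipv4.neigh.default.gc_interval = 30
net.ipv4.neigh.default.gc_stale_time = 60
net.ipv4.neigh.default.gc_thresh1 = 4096
net.ipv4.neigh.default.gc_thresh2 = 8192
net.ipv4.neigh.default.gc_thresh3 = 12288
net.ipv4.ipfrag_high_thresh=4194304
net.ipv4.ipfrag_low_thresh=3145728
net.ipv4.ipfrag_max_dist=64
net.ipv4.ipfrag_secret_interval=0
net.ipv4.ipfrag_time=30
EOF

cat > /etc/sysctl.d/064-neigh-ipv6.conf <<'EOF'
net.ipv6.neigh.default.gc_interval = 30
net.ipv6.neigh.default.gc_stale_time = 60
net.ipv6.neigh.default.gc_thresh1 = 4096
net.ipv6.neigh.default.gc_thresh2 = 8192
net.ipv6.neigh.default.gc_thresh3 = 12288
net.ipv6.ip6frag_high_thresh=4194304
net.ipv6.ip6frag_low_thresh=3145728
net.ipv6.ip6frag_secret_interval=0
net.ipv6.ip6frag_time=60
EOF

# IP forwarding (IPv4 and IPv6). This turns the host into a router. It is needed when the
# WanGuard Filter runs inline in the traffic path; a box that only receives flow records or
# mirrored traffic does not need it and is better left as a non-forwarding host — review
# before applying on a sensor-only install.
echo "net.ipv4.conf.default.forwarding=1" > /etc/sysctl.d/065-default-foward-ipv4.conf
echo "net.ipv6.conf.default.forwarding=1" > /etc/sysctl.d/066-default-foward-ipv6.conf
echo "net.ipv4.conf.all.forwarding=1" > /etc/sysctl.d/067-all-foward-ipv4.conf
echo "net.ipv6.conf.all.forwarding=1" > /etc/sysctl.d/068-all-foward-ipv6.conf
echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/069-ipv4-forward.conf

cat > /etc/sysctl.d/072-fs-options.conf <<'EOF'
fs.file-max = 3263776
fs.aio-max-nr=3263776
fs.mount-max=1048576
fs.mqueue.msg_max=128
fs.mqueue.msgsize_max=131072
fs.mqueue.queues_max=4096
fs.pipe-max-size=8388608
EOF
echo "vm.swappiness=1" > /etc/sysctl.d/073-swappiness.conf
echo "vm.vfs_cache_pressure=50" > /etc/sysctl.d/074-vfs-cache-pressure.conf
echo "kernel.panic=3" > /etc/sysctl.d/081-kernel-panic.conf
echo "kernel.threads-max=1031306" > /etc/sysctl.d/082-kernel-threads.conf
echo "kernel.pid_max=262144" > /etc/sysctl.d/083-kernel-pid.conf
echo "kernel.msgmax=327680" > /etc/sysctl.d/084-kernel-msgmax.conf
echo "kernel.msgmnb=655360" > /etc/sysctl.d/085-kernel-msgmnb.conf
echo "kernel.msgmni=32768" > /etc/sysctl.d/086-kernel-msgmni.conf
echo "vm.min_free_kbytes = 32768" > /etc/sysctl.d/087-kernel-free-min-kb.conf

# Apply all drop-ins (and /etc/sysctl.conf, which --system reads as well). Only stdout is
# silenced: the previous version also discarded stderr, which hid keys the running kernel
# does not know (e.g. ipfrag_secret_interval on newer kernels) — now they are reported.
sysctl --system >/dev/null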
343 |
344 | # Licenciamento do WanGuard
345 | #=================================================================================
346 | # Acesse:
347 | # https://www.andrisoft.com/store/user/form
348 | #
349 | # E crie uma conta.
350 | #
351 | # Confirme o email de ativacao da conta
352 | #
353 | # Acesse seu servidor via HTTP (nao e' https), porta 80
354 | #
355 | # Vai aparecer a tela do wanguard com o checklist da instalacao
356 | #
357 | # Observe o botao "Upload License Key", precisa usar ele para
358 | # fazer upload da licenca.
359 | #
360 | # 1 - Licenca TRIAL
361 | # Acesse: https://www.andrisoft.com/trial/registration
362 | #
363 | # Preencha o formulario com dados empresariais
364 | #
365 | # Aguarde a licenca de teste no seu e-mail
366 | #
367 | # 2 - Licencas:
368 | # Acesse: https://www.andrisoft.com/store/software
369 | #
370 | # Tipos:
371 | # - Wanguard Sensor license (~ $595)
372 | # - base inicial para anti-ddos
373 | # - monitoramento passivo (netflow, snmp)
374 | # - flowspec-bgp e blackhole-bgp
375 | #
376 | # - Wanguard Filter license (~ $995)
377 | # - permite usar o recurso netfilter/iptables para filtragem
378 | # no proprio wanguard
379 | #
380 | # - Wansight Sensor license (~ $300)
381 | # - somente monitoramento passivo (netflow, snmp)
382 | #
383 | # - DPDK Engine license (~ $1410)
384 | # - semelhante ao Filter mas com DPDK (40g+ trafego)
385 | #
386 | # Primeiro acesso: http://IP-DO-SERVIDOR/
387 | # Login e senha padrao:
388 | # admin / changeme
389 | #
390 | # Mudar senha em:
391 | # - no canto SUPERIOR DIREITO, click no icone do login "admin"
392 | # tem o menu "Change Password"
393 | # > informe a nova senha
394 | # Peering entre o roteador e o WanGuard para injecao BGP (ipv4 e flowspec)
395 | #=================================================================================
396 | # Exemplo HUAWEI (ignore erros)
397 | #---------------------------------------------------------------------------------
398 | route-policy ACCEPT-ALL permit node 65535
399 | #
400 | route-policy DENY-ALL deny node 65535
401 | #
402 | bgp 65001
403 | peer IP-WANGUARD as-number 65001
404 | peer IP-WANGUARD description WANGUARD-IPV4
405 | peer IP-WANGUARD connect-interface LoopBack0
406 | peer IP-WANGUARD timer connect-retry 1
407 |
408 | ipv4-family unicast
409 | peer IP-WANGUARD enable
410 | y
411 | peer IP-WANGUARD route-policy ACCEPT-ALL import
412 | peer IP-WANGUARD route-policy DENY-ALL export
413 | peer IP-WANGUARD advertise-community
414 | peer IP-WANGUARD advertise-ext-community
415 | peer IP-WANGUARD advertise-large-community
416 | peer IP-WANGUARD reflect-client
417 |
418 | ipv4-family flow
419 | peer IP-WANGUARD enable
420 | y
421 | peer IP-WANGUARD redirect ip rfc-compatible
422 | peer IP-WANGUARD route-policy ACCEPT-ALL import
423 | peer IP-WANGUARD route-policy DENY-ALL export
424 | peer IP-WANGUARD validation-disable
425 | peer IP-WANGUARD advertise-community
426 | peer IP-WANGUARD advertise-large-community
427 | peer IP-WANGUARD reflect-client
428 | route validation-mode include-as
429 | #
430 | commit
431 | run save
432 | y
433 |
434 | # Sincronizar data/hora via NTP (usar o proprio WanGuard como NTP Server)
435 | #========================================================================
436 | ntp-service server disable
437 | y
438 | ntp-service ipv6 server disable
439 | y
440 | ntp-service server source-interface all disable
441 | y
442 | ntp-service ipv6 server source-interface all disable
443 | y
444 |
445 | # IP de origem padrao de requisicoes NTP:
446 | ntp-service source-interface LoopBack 0
447 | ntp-service ipv6 source-interface LoopBack0
448 |
449 | # Usando WanGuard local - Via IPv4
450 | ntp-service unicast-peer IP-WANGUARD source-interface LoopBack 0
451 |
452 | # Usando WanGuard local - Via IPv6
453 | ntp-service unicast-peer ipv6 IP-WANGUARD-V6 source-interface LoopBack0
454 |
455 | # Via IPv4 em NTP publico (use uma interface que tenha ipv4 publico navegavel)
456 | #ntp-service unicast-peer 200.160.0.8 source-interface LoopBack0
457 | #ntp-service unicast-peer 200.189.40.8 source-interface LoopBack0
458 | # Via IPv6 em NTP publico (use uma interface que tenha ipv6 global navegavel)
459 | #ntp-service unicast-peer ipv6 2001:12F8:9:1::8 source-interface LoopBack0
460 | #ntp-service unicast-peer ipv6 2001:12FF::8 source-interface LoopBack0
461 | commit
462 | run save
463 | y
464 |
465 | # Config netstream geral
466 | #========================================================================
467 | ip netstream as-mode 32
468 | ip netstream timeout active 1
469 | ip netstream timeout inactive 15
470 | ip netstream tcp-flag enable
471 | ip netstream export version ipfix peer-as bgp-nexthop ttl
472 | ip netstream export template sequence-number fixed
473 | ip netstream export index-switch 32
474 | ip netstream export template timeout-rate 1
475 | ip netstream sampler fix-packets 1000 inbound
476 | ip netstream sampler fix-packets 1000 outbound
477 | ip netstream export template option sampler
478 | ip netstream export template option application-label
479 | #
480 | ipv6 netstream as-mode 32
481 | ipv6 netstream timeout active 1
482 | ipv6 netstream timeout inactive 15
483 | ipv6 netstream tcp-flag enable
484 | ipv6 netstream export version ipfix peer-as bgp-nexthop ttl
485 | ipv6 netstream export template sequence-number fixed
486 | ipv6 netstream export index-switch 32
487 | ipv6 netstream export template timeout-rate 1
488 | ipv6 netstream sampler fix-packets 1024 inbound
489 | ipv6 netstream sampler fix-packets 1024 outbound
490 | ipv6 netstream export template option sampler
491 | #
492 | # Ativar CPU para flow na controladora
493 | #========================================================================
494 | # F1A:
495 | slot 1
496 | ip netstream sampler to slot self
497 | ipv6 netstream sampler to slot self
498 | commit
499 |
500 | # NE 8000 M8
501 | slot 10
502 | ip netstream sampler to slot self
503 | ipv6 netstream sampler to slot self
504 | commit
505 | # Exemplo JUNIPER (ignore erros)
506 | #---------------------------------------------------------------------------------
507 | # Segue dados para estabelecer peer bgp entre Juniper e wanguard.
508 | # Lado Juniper MX204
509 |
510 | set routing-options flow term-order standard
511 | set policy-options community wanguard_flowspec members 64496:500
512 | set policy-options community wanguard_flowspec members 64496:500
513 | set policy-options policy-statement flowspec_import term flowspec_in from community wanguard_flowspec
514 | set policy-options policy-statement flowspec_import term flowspec_in from community wanguard_flowspec
515 | set policy-options policy-statement flowspec_import term flowspec_in then accept set routing-options flow term-order standard
516 | set policy-options policy-statement flowspec_import term flowspec_in then accept
517 |
518 | set protocols bgp group WANGUARD neighbor IP-BGP local-address IP-PEER
519 | set protocols bgp group WANGUARD family inet flow
520 | set protocols bgp group WANGUARD family inet flow no-validate flowspec_import
521 |
522 | set protocols bgp group WANGUARD type internal
523 | set protocols bgp group WANGUARD local-address IP-ROTEADOR
524 | set protocols bgp group WANGUARD family inet unicast
525 | set protocols bgp group WANGUARD family inet flow no-validate flowspec_import
526 |
527 | set protocols bgp group WANGUARD neighbor IP-WANGUARD description IBGP_WANGUARD
528 | set protocols bgp group WANGUARD neighbor IP-WANGUARD local-address IP-ROTEADOR
529 | set protocols bgp group WANGUARD neighbor IP-WANGUARD import flowspec_import
530 | set protocols bgp group WANGUARD neighbor IP-WANGUARD family inet flow prefix-limit maximum 100
531 | set protocols bgp group WANGUARD neighbor IP-WANGUARD family inet flow no-validate flowspec_import
532 | set protocols bgp group WANGUARD neighbor IP-WANGUARD family inet flow legacy-redirect-ip-action receive
533 | set protocols bgp group WANGUARD neighbor IP-WANGUARD export deny-all
534 | set protocols bgp group WANGUARD neighbor IP-WANGUARD peer-as ASN-WANGUARD
535 |
536 | # *La no MX, confirmar as configs de netflow.*
537 |
538 | set forwarding-options sampling instance WANGUARD family inet output flow-inactive-timeout 15
539 | set forwarding-options sampling instance WANGUARD family inet output flow-active-timeout 60
540 | set forwarding-options sampling instance WANGUARD family inet output flow-server IP-WANGUARD port 2055
541 | set forwarding-options sampling instance WANGUARD family inet output flow-server IP-WANGUARD autonomous-system-type origin
542 | set forwarding-options sampling instance WANGUARD family inet output flow-server IP-WANGUARD version-ipfix template WANGUARD
543 |
544 | set forwarding-options sampling instance WANGUARD family inet6 output flow-inactive-timeout 15
545 | set forwarding-options sampling instance WANGUARD family inet6 output flow-active-timeout 60
546 | set forwarding-options sampling instance WANGUARD family inet6 output flow-server IP-WANGUARD port 2055
547 | set forwarding-options sampling instance WANGUARD family inet6 output flow-server IP-WANGUARD autonomous-system-type originset
548 | set forwarding-options sampling instance WANGUARD family inet6 output flow-server IP-WANGUARD version-ipfix template WANGUARD-v6
549 |
550 | -
551 | set services flow-monitoring version-ipfix template FLOW flow-active-timeout 15
552 | set services flow-monitoring version-ipfix template FLOW flow-inactive-timeout 15
553 | set services flow-monitoring version-ipfix template FLOW template-refresh-rate seconds 30
554 | set services flow-monitoring version-ipfix template FLOW option-refresh-rate seconds 30
555 | set services flow-monitoring version-ipfix template FLOW ipv4-template
556 | set services flow-monitoring version-ipfix template FLOW-v6 flow-active-timeout 15
557 | set services flow-monitoring version-ipfix template FLOW-v6 flow-inactive-timeout 15
558 | set services flow-monitoring version-ipfix template FLOW-v6 template-refresh-rate seconds 30
559 | set services flow-monitoring version-ipfix template FLOW-v6 option-refresh-rate seconds 30
560 | set services flow-monitoring version-ipfix template FLOW-v6 ipv6-template
561 |
562 | set forwarding-options sampling instance FLOW family inet output flow-server IP-WANGUARD port 2056
563 | set forwarding-options sampling instance FLOW family inet output flow-server IP-WANGUARD autonomous-system-type origin
564 | set forwarding-options sampling instance FLOW family inet output flow-server IP-WANGUARD version-ipfix template WANGUARD
565 | set forwarding-options sampling instance FLOW-V6 family inet6 output flow-server IP-WANGUARD port 2056
566 | set forwarding-options sampling instance FLOW-V6 family inet6 output flow-server IP-WANGUARD autonomous-system-type origin
567 | set forwarding-options sampling instance FLOW-V6 family inet6 output flow-server IP-WANGUARD version-ipfix template WANGUARD-v6
568 |
569 | set policy-options prefix-list ntp-servers
570 | set policy-options prefix-list ntp-servers 200.189.40.8/32
571 |
572 | set firewall family inet filter protect-re term aceita-ntp from prefix-list ntp-servers
573 | set firewall family inet filter protect-re term aceita-ntp from prefix-list localhost
574 | set firewall family inet filter protect-re term aceita-ntp from protocol udp
575 | set firewall family inet filter protect-re term aceita-ntp from port ntp
576 | set firewall family inet filter protect-re term aceita-ntp then policer limit-32k
577 | set firewall family inet filter protect-re term aceita-ntp then accept
578 |
579 | # *Recomendo adicionar export netflow somente nas interfaces UPLINK e Troca de Trafego - Ex transito IP, IXBR, CDN, PNI, IX Internacional*
580 | # Exemplo CISCO (ignore erros)
581 | #---------------------------------------------------------------------------------
582 | # Segue dados para estabelecer peer bgp entre CISCO e wanguard.
583 |
584 | ip nat log translations flow-export v9 udp destination IPDOCOLETADOR 2055
585 | ip nat translation timeout 700
586 | ip nat translation tcp-timeout 100
587 | ip nat translation pptp-timeout 200
588 | ip nat translation udp-timeout 100
589 | ip nat translation finrst-timeout 30
590 | ip nat translation syn-timeout 30
591 | ip nat translation dns-timeout 30
592 | ip nat translation routemap-entry-timeout 30
593 | ip nat translation icmp-timeout 10
594 | ip nat translation port-timeout tcp 443 300
595 | ip nat translation port-timeout udp 443 300
596 |
597 |
598 | flow record IPDOCOLETADOR
599 | match ipv4 tos
600 | match ipv4 protocol
601 | match ipv4 source address
602 | match ipv4 destination address
603 | match transport source-port
604 | match transport destination-port
605 | match interface input
606 | collect interface output
607 | collect counter bytes
608 | collect counter packets
609 |
610 | export-protocol netflow-v9
611 |
--------------------------------------------------------------------------------
/zabbix_7_grafana_11_install.sh:
--------------------------------------------------------------------------------
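#!/bin/bash
# Author: Raphael Rodrigues
# Validated on Debian 12 LTS
#
# Installs Zabbix 7.0 (server, frontend, agent) on MariaDB + Apache, then Grafana 11
# with the Zabbix datasource plugin, and finally the SNMP MIB collection.
#
# Download:  wget https://raw.githubusercontent.com/raphaelrrl/scritps/refs/heads/main/zabbix_7_grafana_11_install.sh
# Prepare:   chmod +x zabbix_7_grafana_11_install.sh
#            (execute permission is all the script needs; a world-writable 777 mode
#            would let any local user edit a script that is run as root)
# Run:       ./zabbix_7_grafana_11_install.sh   (as root)
#
# Environment:
#   ZABBIX_DB_PASSWORD  password for the 'zabbix'@'localhost' database user.
#                       Defaults to the value earlier revisions of this script
#                       hard-coded; that default is public, so set your own.
#   INSTALL_TIMEZONE    IANA timezone for the OS and the PHP frontend
#                       (default America/Sao_Paulo).

set -euo pipefail
export DEBIAN_FRONTEND=noninteractive

readonly WORK_DIR=/tmp
readonly ZABBIX_RELEASE_URL='https://repo.zabbix.com/zabbix/7.0/debian/pool/main/z/zabbix-release/zabbix-release_7.0-2+debian12_all.deb'
readonly GRAFANA_KEY_URL='https://apt.grafana.com/gpg.key'
readonly GRAFANA_KEYRING=/etc/apt/keyrings/grafana.gpg
readonly GRAFANA_LIST=/etc/apt/sources.list.d/grafana.list
readonly MIBS_DOWNLOADER_URL='http://ftp.de.debian.org/debian/pool/non-free/s/snmp-mibs-downloader/snmp-mibs-downloader_1.5_all.deb'
readonly SNMPV2_PDU_URL='http://pastebin.com/raw.php?i=p3QyuXzZ'
readonly SNMPV2_PDU_MIB=/usr/share/snmp/mibs/ietf/SNMPv2-PDU
readonly ZABBIX_SERVER_CONF=/etc/zabbix/zabbix_server.conf
readonly ZABBIX_SCHEMA=/usr/share/zabbix-sql-scripts/mysql/server.sql.gz

# The default is the value the original script hard-coded and printed at the end.
readonly DB_DEFAULT_PASSWORD='p455w0rd'
DB_PASSWORD=${ZABBIX_DB_PASSWORD:-$DB_DEFAULT_PASSWORD}
readonly DB_PASSWORD
TIMEZONE=${INSTALL_TIMEZONE:-America/Sao_Paulo}
readonly TIMEZONE

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Escape a value for use inside a single-quoted SQL string literal
# (backslash and single quote are the characters MariaDB treats specially).
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout, without surrounding quotes
#######################################
sql_quote() {
  local v=$1 bs='\' q="'"
  v=${v//"$bs"/"$bs$bs"}
  v=${v//"$q"/"$q$q"}
  printf '%s' "$v"
}

#######################################
# Escape a value for use as the replacement text of a sed 's/.../.../' command
# using '/' as delimiter (escapes backslash, '&' and '/').
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout
#######################################
sed_escape() {
  local v=$1 bs='\'
  v=${v//"$bs"/"$bs$bs"}
  v=${v//&/"$bs&"}
  v=${v//\//"$bs/"}
  printf '%s' "$v"
}

#######################################
# Upgrade the OS and remove leftovers from a previous run of this script.
#######################################
upgrade_os() {
  apt-get update
  apt-get upgrade -y
  # rm -f exits 0 whether the glob matched or not, so no nullglob dance is needed.
  rm -f -- "$WORK_DIR"/*deb*
  rm -f -- "$WORK_DIR/finish"
}

#######################################
# Install the web stack, the PHP modules the Zabbix frontend needs, MariaDB,
# the SNMP tools and the banner utilities used by print_summary.
#######################################
install_base_packages() {
  apt-get install -y wget build-essential \
    apache2 apache2-utils \
    libapache2-mod-php php php-mysql php-cli php-pear php-gmp php-gd \
    php-bcmath php-curl php-xml php-zip \
    mariadb-server mariadb-client \
    snmpd snmp snmptrapd libsnmp-base libsnmp-dev \
    screen figlet toilet cowsay
  # Kept from the original script; guarded so a re-run does not abort here
  # (useradd fails when the account already exists).
  if ! id -u zabbix >/dev/null 2>&1; then
    useradd zabbix
  fi
}

#######################################
# Add the Zabbix 7.0 apt repository and install server, frontend and agent.
#######################################
install_zabbix() {
  local release_deb="$WORK_DIR/${ZABBIX_RELEASE_URL##*/}"
  wget -q -O "$release_deb" "$ZABBIX_RELEASE_URL"
  dpkg -i "$release_deb"
  apt-get update
  apt-get upgrade -y
  apt-get install -y zabbix-server-mysql zabbix-frontend-php zabbix-apache-conf \
    zabbix-sql-scripts zabbix-agent
}

#######################################
# Create the zabbix database and user, import the schema once, and write the
# password into zabbix_server.conf.
# Globals: DB_PASSWORD (read)
#######################################
setup_database() {
  local sql_pw sed_pw tables
  sql_pw=$(sql_quote "$DB_PASSWORD")
  sed_pw=$(sed_escape "$DB_PASSWORD")

  # root authenticates through the unix socket on a stock Debian install.
  # IF NOT EXISTS / ALTER USER make the block safe to run more than once.
  mariadb -uroot -e "CREATE DATABASE IF NOT EXISTS zabbix CHARACTER SET utf8mb4 COLLATE utf8mb4_bin"
  mariadb -uroot -e "CREATE USER IF NOT EXISTS 'zabbix'@'localhost' IDENTIFIED BY '${sql_pw}'"
  mariadb -uroot -e "ALTER USER 'zabbix'@'localhost' IDENTIFIED BY '${sql_pw}'"
  mariadb -uroot -e "GRANT ALL PRIVILEGES ON zabbix.* TO 'zabbix'@'localhost'"

  tables=$(mariadb -uroot -N -B -e "SELECT COUNT(*) FROM information_schema.tables WHERE table_schema = 'zabbix'")
  if (( tables == 0 )); then
    echo 'Populando base de dados zabbix, pode demorar um pouco dependendo do hardware'
    # The password goes through the environment, not argv: command-line arguments
    # are readable by every local user via ps/proc.
    zcat "$ZABBIX_SCHEMA" \
      | MYSQL_PWD="$DB_PASSWORD" mariadb --default-character-set=utf8mb4 -uzabbix zabbix
  else
    printf 'zabbix database already holds %s tables; skipping schema import\n' "$tables" >&2
  fi

  # First expression updates a password set by an earlier run, second uncomments
  # the stock default line.
  sed -i \
    -e "s/^DBPassword=.*/DBPassword=${sed_pw}/" \
    -e "s/# DBPassword=/DBPassword=${sed_pw}/" \
    "$ZABBIX_SERVER_CONF"
}

#######################################
# Set the timezone for the OS and PHP, point Apache's default site at the
# Zabbix frontend and (re)start the services.
# Globals: TIMEZONE (read)
#######################################
configure_frontend() {
  local tz_sed
  tz_sed=$(sed_escape "$TIMEZONE")
  timedatectl set-timezone "$TIMEZONE"
  sed -i "s/# php_value date.timezone Europe\/Riga/php_value date.timezone ${tz_sed}/g" /etc/apache2/conf-enabled/zabbix.conf
  sed -i 's#/var/www/html#/usr/share/zabbix#g' /etc/apache2/sites-available/000-default.conf
  systemctl enable zabbix-server zabbix-agent
  systemctl restart zabbix-server zabbix-agent apache2
}

#######################################
# Install Grafana from its official repository plus the Zabbix datasource plugin.
#######################################
install_grafana() {
  apt-get install -y apt-transport-https software-properties-common
  install -d -m 0755 /etc/apt/keyrings
  # Only the keyring named in signed-by is needed; the deprecated 'apt-key add'
  # step of the original script is gone. The key comes over TLS from Grafana's host.
  wget -q -O - "$GRAFANA_KEY_URL" | gpg --dearmor > "$GRAFANA_KEYRING"
  chmod 0644 "$GRAFANA_KEYRING"
  # Overwrite rather than append, so re-runs do not stack duplicate entries.
  printf 'deb [signed-by=%s] https://apt.grafana.com stable main\n' "$GRAFANA_KEYRING" > "$GRAFANA_LIST"
  apt-get update
  apt-get install -y grafana

  # 'install' fails when the plugin is already present (re-run); 'update' then
  # brings it to the current version either way.
  grafana-cli plugins install alexanderzobnin-zabbix-app || true
  grafana-cli plugins update alexanderzobnin-zabbix-app
  systemctl daemon-reload
  systemctl enable grafana-server
  systemctl start grafana-server
  # Completion marker kept from the original script (removed again by upgrade_os).
  touch "$WORK_DIR/finish"
}

#######################################
# Install the SNMP MIB downloader and replace the broken SNMPv2-PDU MIB.
#######################################
install_snmp_mibs() {
  local deb="$WORK_DIR/${MIBS_DOWNLOADER_URL##*/}" tmp
  # NOTE(review): fetched over plain HTTP and installed without any signature check;
  # 'apt-get install snmp-mibs-downloader' with the non-free component enabled would
  # verify the package against the Debian archive keys instead.
  wget -q -O "$deb" "$MIBS_DOWNLOADER_URL"
  # Installing the local .deb through apt resolves its dependency (smistrip) in the
  # same step; 'dpkg -i' followed by a separate install left it unconfigured.
  apt-get install -y "$deb"

  # NOTE(review): unauthenticated download over plain HTTP from a paste site, written
  # into the system MIB directory. Pin a checksum or ship the file with the script
  # before trusting what snmp tools parse from it.
  tmp=$(mktemp) || die "mktemp failed"
  if wget -q -O "$tmp" "$SNMPV2_PDU_URL" && [[ -s "$tmp" ]]; then
    # Download to a temp file first so a failed fetch never truncates the MIB in place.
    install -m 0644 "$tmp" "$SNMPV2_PDU_MIB"
  else
    printf 'warning: could not fetch %s; leaving %s as shipped\n' "$SNMPV2_PDU_URL" "$SNMPV2_PDU_MIB" >&2
  fi
  rm -f -- "$tmp"
}

#######################################
# Final banner and service state.
# Globals: DB_PASSWORD, DB_DEFAULT_PASSWORD (read)
#######################################
print_summary() {
  clear
  if [[ "$DB_PASSWORD" == "$DB_DEFAULT_PASSWORD" ]]; then
    # The default is already public (it is in this file), so echoing it reveals
    # nothing new; a private password is never printed.
    figlet -c "senha BD $DB_DEFAULT_PASSWORD"
    printf 'WARNING: default database password in use; set ZABBIX_DB_PASSWORD and re-run.\n' >&2
  else
    printf 'Zabbix DB user: zabbix (password taken from ZABBIX_DB_PASSWORD, not shown)\n'
  fi
  figlet -c FINALIZADO!
  # is-active is non-zero when the unit is down; report instead of aborting here.
  printf 'zabbix-server: %s\n' "$(systemctl is-active zabbix-server || true)"
}

main() {
  (( EUID == 0 )) || die "this script must be run as root"
  upgrade_os
  install_base_packages
  install_zabbix
  setup_database
  configure_frontend
  install_grafana
  install_snmp_mibs
  print_summary
}

main "$@"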
--------------------------------------------------------------------------------