Now here's some real great news for system and network admins: we have created an appliance which brings together the best monitoring and security auditing tools for a network. Configuring it is similar to any other PCQLinux appliance. The only thing to remember is to configure your network card in bridged mode, so that the appliance takes an IP address on the physical network and the tools can run on the network properly. Here is a step-by-step guide on how to fine tune them according to your network.

OpenNMS
This is the most renowned Open Source Network Management and Alerting System, but installing it has always been a pain. Thus we decided to put it in our appliance, so that you can benefit from it without worrying about installation. As this application is pre-installed and preconfigured in our appliance, all you have to do is start a few services, provide some details about your network to the system, and off it goes monitoring. To begin the configuration, make sure you have an IP address by running the 'ifconfig' command. Next, change directory to '/opt/opennms/etc' by running the following command and open the file called 'discovery-configuration.xml':

# cd /opt/opennms/etc

Here, you will see the following section in the file:

<include-range retries="2" timeout="3000">
<begin>192.168.0.1</begin><end>192.168.0.254</end>
</include-range>

Here, change the IP addresses in the begin and end tags to the IP address range of your network subnet. For instance, on a 192.168.3.x network, we put 192.168.3.1 in the begin tag and 192.168.3.254 in the end tag. Once this is done, save your settings and close the editor. Now, run the following commands in the sequence given to start Tomcat, PostgreSQL and the OpenNMS server:

# /etc/init.d/tomcat5 start
# service postgresql start
# /opt/opennms/bin/opennms start

With this your NMS is up and running.
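As an added example (not part of the original article and not OpenNMS project code), the following Python script performs the same edit programmatically: it works out the first and last usable host of a subnet and rewrites the begin and end tags of every include-range element. The sample document embedded in it is constructed to mirror the section shown above; the root element name and the absence of an XML namespace are assumptions, which is why the lookups match on local tag names only.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample mirroring the include-range section of
# /opt/opennms/etc/discovery-configuration.xml quoted in the article.
# The root element name and the lack of an XML namespace are assumptions.
SAMPLE_CONFIG = """<discovery-configuration>
  <include-range retries="2" timeout="3000">
    <begin>192.168.0.1</begin>
    <end>192.168.0.254</end>
  </include-range>
</discovery-configuration>
"""


def _local(tag):
    """Strip any '{namespace}' prefix so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is `name`."""
    return [c for c in elem if _local(c.tag) == name]


def subnet_bounds(cidr):
    """Return (first, last) usable host address of an IPv4 subnet as strings."""
    net = ipaddress.ip_network(cidr, strict=True)   # raises ValueError on host bits
    hosts = list(net.hosts())
    if not hosts:
        raise ValueError("subnet has no usable host addresses: %s" % cidr)
    return str(hosts[0]), str(hosts[-1])


def discovery_ranges(xml_text):
    """Return the (begin, end) pairs currently configured, in document order."""
    root = ET.fromstring(xml_text)
    result = []
    for rng in root.iter():
        if _local(rng.tag) != "include-range":
            continue
        begin = _children(rng, "begin")
        end = _children(rng, "end")
        if not begin or not end:
            raise ValueError("include-range without begin/end")
        result.append(((begin[0].text or "").strip(), (end[0].text or "").strip()))
    return result


def set_discovery_range(xml_text, cidr):
    """Point every include-range at the given subnet; return the new XML text."""
    first, last = subnet_bounds(cidr)
    root = ET.fromstring(xml_text)
    updated = 0
    for rng in root.iter():
        if _local(rng.tag) != "include-range":
            continue
        begin = _children(rng, "begin")
        end = _children(rng, "end")
        if not begin or not end:
            raise ValueError("include-range without begin/end")
        begin[0].text = first
        end[0].text = last
        updated += 1
    if updated == 0:
        # Refuse silently doing nothing: a typo in the file would otherwise
        # leave discovery scanning the wrong subnet.
        raise ValueError("no include-range element found")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(set_discovery_range(SAMPLE_CONFIG, "192.168.3.0/24"))
```

Replace SAMPLE_CONFIG with the contents of the real file and write the returned text back before starting the services; the script deliberately raises rather than returning the document untouched when it finds no range to edit.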

Using OpenNMS
Once you have the IP address of the appliance, go to any machine on the same network and open your favorite browser. Type the address 'http://<ip-addr-of-the-appliance>:8980/opennms' and you will get the login screen of OpenNMS. Log in to this screen as 'admin' with the password 'admin', and the OpenNMS dashboard pops up. As you have defined the default range of your network, OpenNMS will automatically discover all nodes on the network and will also check for services available on those nodes.

Configuring notification

The final thing which you can do is to configure notifications in case of failure of any node or any service specific to a node. OpenNMS is capable of configuring alerts in an escalated fashion. For instance, if there is an error in any of the crucial systems, an alert is immediately sent to the concerned person, and if for any reason he does not resolve the problem in a given time, the system automatically escalates the matter and sends an alert to the next level of support. To configure this, go to the 'Admin' menu at the top of the window, select the 'Configure Notification Path' option, and click on the 'New Path' button. A new window will open up. Give a name for the notification path. Next, click on the 'Edit' button at the right of the window. In the next window click on the 'add address' button. A dialog box opens. Enter the mail address where you want to receive the notifications, click on 'Next' twice, then on 'Finish', and you are done.

Nagios
Nagios is another network monitoring application, which, unlike OpenNMS, can do both agent-less and agent-based monitoring of nodes. But this application doesn't search out all machines and services on your network; rather, one has to configure the machines and servers manually by editing half-a-dozen configuration files. The configuration of this app is slightly difficult compared to other tools. But once configured, it can check a lot of things in your servers, such as SMTP, POP3, HTTP, NNTP and PING services; additionally it can even monitor the resources of the machines which you want to monitor.

It can check for processor load, disk usage, RAM usage, etc, but for this resource monitoring it requires agents to be installed on the host machines. The basic configuration of Nagios is already done, and to run it all you have to do is to run Nagios as:

# nagios /etc/nagios/nagios.cfg

Once Nagios has started you can access its Web-based management interface from 'http://<ip-addr-of-the-appliance>/nagios'. The default username and password for logging in are nagiosadmin and pass@word respectively. But to fine tune Nagios you have to modify a lot of .cfg files. A complete how-to on configuring Nagios can be found in the docs. And for your comfort we have created samples of the most important config files. You can find them at /etc/nagios/nagios.cfg.
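To show what an agent-side resource check looks like under the hood, here is an added example of a minimal disk-usage check written to the Nagios plugin convention: exit code 0/1/2/3 for OK/WARNING/CRITICAL/UNKNOWN, a one-line status message, and performance data after a '|'. It is not code from the article or from the Nagios project; the thresholds and the file name check_disk_usage.py are illustrative.

```python
import shutil
import sys

# Nagios plugin return codes: the exit status is what Nagios uses to
# classify the check, the printed line is what it shows in the Web UI.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATUS_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def evaluate_usage(used_pct, warn_pct, crit_pct):
    """Map a usage percentage onto a Nagios state using two thresholds."""
    if not 0 <= used_pct <= 100:
        return UNKNOWN              # a measurement that cannot be right
    if crit_pct < warn_pct:
        return UNKNOWN              # misconfigured thresholds, refuse to guess
    if used_pct >= crit_pct:
        return CRITICAL
    if used_pct >= warn_pct:
        return WARNING
    return OK


def format_result(label, state, used_pct, warn_pct, crit_pct):
    """Build the one-line output with perfdata in 'label=value;warn;crit;min;max' form."""
    return "%s %s - %.1f%% used|used=%.1f%%;%d;%d;0;100" % (
        label, STATUS_NAMES[state], used_pct, used_pct, warn_pct, crit_pct)


def check_disk(path, warn_pct, crit_pct):
    """Measure usage of the filesystem holding `path`; return (state, output_line)."""
    try:
        usage = shutil.disk_usage(path)
    except OSError as exc:
        # Unreachable mount point is UNKNOWN, not OK: never report green on no data.
        return UNKNOWN, "DISK UNKNOWN - cannot stat %s: %s" % (path, exc)
    used_pct = 100.0 * usage.used / usage.total
    state = evaluate_usage(used_pct, warn_pct, crit_pct)
    return state, format_result("DISK", state, used_pct, warn_pct, crit_pct)


if __name__ == "__main__":
    # Illustrative usage: check_disk_usage.py <path> <warn%> <crit%>
    path = sys.argv[1] if len(sys.argv) > 1 else "/"
    warn = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    crit = int(sys.argv[3]) if len(sys.argv) > 3 else 90
    state, line = check_disk(path, warn, crit)
    print(line)
    sys.exit(state)
```

Run it as 'python check_disk_usage.py / 80 90' on the monitored host and reference it from a command definition in one of the .cfg files; note that Nagios decides the state from the exit status alone, so a plugin that prints "CRITICAL" but exits 0 is silently treated as healthy.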

NTop
This network monitoring tool needs no introduction; without any doubt it has made its place in this appliance. The complete package is installed, so you don't have to do anything except run it on your network. Running it is also very simple. You have two options here: either run it in daemon mode or as a standard app. The command for running it in standard mode is:

# ntop -i ethx

Here, with the '-i' switch you have to provide the name of the network card on which you want to run NTop. So, for instance, if your appliance is using the eth0 network adapter to connect to your physical network, then the command will look like 'ntop -i eth0'. To run it as a daemon, the command will be:

# ntop -d -i ethx

Once NTop has started, you can access it from any machine on the same network by opening a Web browser and giving the address 'http://<ip-addr-of-the-appliance>:3000', where ip-addr-of-the-appliance is the physical IP of the PCQLinux Security and Monitoring Appliance. Port 3000 is the default port of NTop, and when no other port is explicitly provided it uses this port. You can also explicitly give NTop some other port by using the '-w' switch with the port number while running NTop, for example:

# ntop -d -i eth0 -w <port-number>

Ettercap
Ettercap is one of the best sniffing and man-in-the-middle tools, with lots of plug-ins. You can do good penetration testing of your network by using this tool. It can simulate all those attacks which a hacker would run in a LAN environment to capture data. Running it is pretty simple. Just type the command 'ettercap -C' and it will start. To start the sniffing process, click on the Sniffing menu and then on 'Unified sniffing'. It will ask you to select the network card on which you want to set the watch. Next hit Enter to start the sniffing process. If you want to do some targeted sniffing, then go to the Targets menu and click on the 'Select target' option. A pop-up will open; here select the targets (source and destination) on which you want to set the sniffing and hit Enter to start the sniffing process. You can even scan for all the live hosts from the 'Scan for hosts' option of the Hosts menu. From here you can even directly select and add targets for sniffing. Once the sniffing on targets has started, you can see the data flowing between both machines from the View > Connections option. All authentication-related data, such as passwords and usernames, will be separately identified and listed at the bottom of the page.

You can even run a suite of different plugins from the Plugins menu. To start plugins, go to the Plugins menu and select the 'Manage plugins' option. There are more than 20 different plugins available with Ettercap, with which you can run simple DoS attacks, ARP poisoning attacks, file theft attacks, isolate nodes, etc.

Dsniff Suite
Yet another sniffing and spoofing tool for penetration testing. Unlike Ettercap, it doesn't run from a single window, but is a set of tools which you can run manually to simulate a LAN attack in many ways. The suite contains the tools mentioned in the table. Explaining how to run each of these is not possible in a single article, so we will talk about them one by one in our coming issues. But if you can't wait that long, then 'man' can solve your problem. Just run the 'man' command with the name of the tool and you will get a detailed description and a how-to on running it. Just make sure you type the name in lowercase.

EtherApe

This is a small tool which can work as a great network traffic monitoring utility in NOCs. The core job of EtherApe is to graphically represent the data flow between all machines on your network in real time. Different protocols are represented in different colors, and the amount of data is represented by the thickness of the line joining the source and the destination machine. Running the application is very simple. All you have to do is to run the command '#etherape' from an X terminal and a window will pop up. In this window click on the Capture menu and then go to the Interface option to select the network card on which you want to run the monitoring. Once you have selected the network card, go to the Mode option in the same menu to select the type of protocol and network you want to monitor. For instance, you can select between options like TCP and IP, or Ethernet, Token Ring and FDDI networks. Once you are done with the selection, the monitoring process will start and you will be presented with the real-time data traffic flow of your network.

Arpwatch
A very useful tool to monitor ARP spoofing or any sort of suspicious ARP activity. All you have to do is to run the 'arpwatch' command, giving it the mail id where you would like to receive alerts from arpwatch. This tool will keep running and will notify you in case it finds any ARP flip-flop or some other kind of ARP poisoning happening on the network.
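The kind of event arpwatch reports can be reproduced in a few lines, and the detection side is the counterpart to the ARP poisoning that the Ettercap and Dsniff sections mention. The following Python is an added example, not arpwatch's own code: it replays a constructed list of (timestamp, IP, MAC) observations and classifies each change using the names arpwatch uses in its reports (new station, changed ethernet address, flip flop). It goes one step beyond the article by also listing MACs that have answered for more than one IP, which is what a poisoning host looks like on the wire; the sample data and the output format are constructed for this example.

```python
from collections import defaultdict

# Constructed sample of ARP observations as (timestamp, ip, mac); in practice
# these would come from a packet capture on the monitored segment.
SAMPLE_OBSERVATIONS = [
    (1, "192.168.3.1", "00:11:22:33:44:01"),   # gateway first seen
    (2, "192.168.3.10", "00:11:22:33:44:10"),  # a workstation first seen
    (3, "192.168.3.1", "00:11:22:33:44:01"),   # unchanged, nothing to report
    (4, "192.168.3.1", "00:11:22:33:44:99"),   # gateway IP now at another MAC
    (5, "192.168.3.1", "00:11:22:33:44:01"),   # and back again: flip flop
    (6, "192.168.3.10", "00:11:22:33:44:99"),  # same MAC also claims the workstation
]


def normalize_mac(mac):
    """Canonical lower-case form so 'AA:BB' and 'aa:bb' compare equal."""
    return mac.strip().lower()


class ArpTracker:
    """Keep the IP-to-MAC table and classify changes the way arpwatch names them."""

    def __init__(self):
        self.current = {}                   # ip -> MAC currently bound to it
        self.previous = {}                  # ip -> MAC bound before the current one
        self.ips_by_mac = defaultdict(set)  # mac -> every IP it has answered for

    def observe(self, ts, ip, mac):
        """Record one observation; return an event tuple, or None if nothing changed."""
        mac = normalize_mac(mac)
        self.ips_by_mac[mac].add(ip)
        old = self.current.get(ip)
        if old is None:
            self.current[ip] = mac
            return (ts, "new station", ip, mac, None)
        if old == mac:
            return None
        # A change back to the MAC seen just before is what arpwatch calls a
        # "flip flop": the real host and a spoofer racing for the same IP.
        kind = "flip flop" if self.previous.get(ip) == mac else "changed ethernet address"
        self.previous[ip] = old
        self.current[ip] = mac
        return (ts, kind, ip, mac, old)

    def shared_macs(self):
        """MACs that have answered for more than one IP (an addition beyond arpwatch)."""
        return {m: sorted(ips) for m, ips in self.ips_by_mac.items() if len(ips) > 1}


def format_event(event):
    """Render an event as a single report line."""
    ts, kind, ip, mac, old = event
    line = "[%s] %s: %s is-at %s" % (ts, kind, ip, mac)
    return line if old is None else line + " (was %s)" % old


def replay(observations):
    """Feed observations through a tracker; return (events, shared_macs)."""
    tracker = ArpTracker()
    events = []
    for ts, ip, mac in observations:
        ev = tracker.observe(ts, ip, mac)
        if ev is not None:
            events.append(ev)
    return events, tracker.shared_macs()


if __name__ == "__main__":
    events, shared = replay(SAMPLE_OBSERVATIONS)
    for ev in events:
        print(format_event(ev))
    for mac, ips in shared.items():
        print("%s answers for several IPs: %s" % (mac, ", ".join(ips)))
```

On the sample data the gateway's address change at time 4 is reported once, the return at time 5 is reported as a flip flop, and the final summary shows one MAC standing in for both the gateway and the workstation, which is the pattern a person receiving arpwatch mail would want to investigate first.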