From d9f509b936b88aaba9023d2f44e198602b8e8b00 Mon Sep 17 00:00:00 2001 
From: Daniel Berteaud Date: Thu, 31 May 2012 09:27:35 +0200 Subject: [PATCH] Import --- createlinks | 34 ++++++++ .../e-smith/db/configuration/defaults/ntop/TCPPort | 1 + .../e-smith/db/configuration/defaults/ntop/access | 1 + .../e-smith/db/configuration/defaults/ntop/status | 1 + .../e-smith/db/configuration/defaults/ntop/type | 1 + root/etc/e-smith/events/actions/ntop-init-domain | 50 ++++++++++++ root/etc/e-smith/templates/etc/hosts.allow/ntop | 4 + root/etc/e-smith/templates/etc/ntop.conf/10user | 4 + root/etc/e-smith/templates/etc/ntop.conf/20db | 3 + .../e-smith/templates/etc/ntop.conf/30interface | 20 +++++ .../e-smith/templates/etc/ntop.conf/40httpServer | 8 ++ .../etc/e-smith/templates/etc/ntop.conf/50localNet | 21 +++++ root/etc/e-smith/templates/etc/ntop.conf/60options | 30 +++++++ .../e-smith/templates/etc/ntop.conf/70protocols | 1 + .../templates/etc/ntop/protocols.list/10Mail | 11 +++ root/etc/e-smith/templates/etc/services/20ntop | 1 + root/var/service/ntop/log/run | 7 ++ root/var/service/ntop/run | 8 ++ smeserver-ntop.spec | 91 ++++++++++++++++++++++ 19 files changed, 297 insertions(+) create mode 100644 createlinks create mode 100644 root/etc/e-smith/db/configuration/defaults/ntop/TCPPort create mode 100644 root/etc/e-smith/db/configuration/defaults/ntop/access create mode 100644 root/etc/e-smith/db/configuration/defaults/ntop/status create mode 100644 root/etc/e-smith/db/configuration/defaults/ntop/type create mode 100644 root/etc/e-smith/events/actions/ntop-init-domain create mode 100644 root/etc/e-smith/templates/etc/hosts.allow/ntop create mode 100644 root/etc/e-smith/templates/etc/ntop.conf/10user create mode 100644 root/etc/e-smith/templates/etc/ntop.conf/20db create mode 100644 root/etc/e-smith/templates/etc/ntop.conf/30interface create mode 100644 root/etc/e-smith/templates/etc/ntop.conf/40httpServer create mode 100644 root/etc/e-smith/templates/etc/ntop.conf/50localNet create mode 100644 root/etc/e-smith/templates/etc/ntop.conf/60options 
create mode 100644 root/etc/e-smith/templates/etc/ntop.conf/70protocols create mode 100644 root/etc/e-smith/templates/etc/ntop/protocols.list/10Mail create mode 100644 root/etc/e-smith/templates/etc/services/20ntop create mode 100644 root/var/service/ntop/log/run create mode 100644 root/var/service/ntop/run create mode 100644 smeserver-ntop.spec
diff --git a/createlinks b/createlinks
new file mode 100644
index 0000000..45c3068
--- /dev/null
+++ b/createlinks
@@ -0,0 +1,34 @@
+#!/usr/bin/perl -w
+
+use esmith::Build::CreateLinks qw(:all);
+
+service_link_enhanced("ntop", "S93", "7");
+service_link_enhanced("ntop", "K83", "6");
+service_link_enhanced("ntop", "K83", "0");
+
+safe_symlink("../daemontools" , 'root/etc/rc.d/init.d/supervise/ntop');
+safe_symlink("/var/service/ntop" , 'root/service/ntop');
+
+safe_touch("root/var/service/ntop/down");
+
+templates2events("/etc/ntop.conf", "ntop-update");
+templates2events("/etc/ntop.conf", "remoteaccess-update");
+templates2events("/etc/ntop.conf", "network-create");
+templates2events("/etc/ntop.conf", "network-delete");
+templates2events("/etc/ntop.conf", "bootstrap-console-save");
+templates2events("/etc/httpd/conf/httpd.conf", "ntop-update");
+templates2events("/etc/services", "ntop-update");
+templates2events("/etc/hosts.allow", "ntop-update");
+templates2events("/etc/ntop/protocols.list", "ntop-update");
+templates2events("/etc/ntop/protocols.list", "bootstrap-console-save");
+
+foreach my $event (qw/ipasserelle-update bootstrap-ldap-save ntop-update/){
+ event_link("ntop-init-domain", "$event", "90");
+}
+
+for my $event qw(ntop-update remoteaccess-update network-create network-delete){
+ safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/ntop");
+}
+
+safe_symlink("sigusr1", "root/etc/e-smith/events/ntop-update/services2adjust/httpd-e-smith");
+
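Review bot: The second loop, `for my $event qw(ntop-update remoteaccess-update network-create network-delete){`, relies on `qw(...)` standing in for the loop's parentheses, a form Perl deprecated in 5.14 and rejects as a syntax error from 5.18 on, so the build script will stop working on a newer perl; the `foreach my $event (qw/.../)` form used three lines earlier is the portable one. Change it to `for my $event (qw(ntop-update remoteaccess-update network-create network-delete)) {`. The `"$event"` in `event_link("ntop-init-domain", "$event", "90")` needlessly stringifies a plain scalar and can be `$event`. The file also runs under `-w` only; adding `use strict;` next to the `use esmith::Build::CreateLinks` line would match the other Perl file in this commit.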
diff --git a/root/etc/e-smith/db/configuration/defaults/ntop/TCPPort b/root/etc/e-smith/db/configuration/defaults/ntop/TCPPort
new file mode 100644
index 0000000..13de30f
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ntop/TCPPort
@@ -0,0 +1 @@
+3000
diff --git a/root/etc/e-smith/db/configuration/defaults/ntop/access b/root/etc/e-smith/db/configuration/defaults/ntop/access
new file mode 100644
index 0000000..3e18ebf
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ntop/access
@@ -0,0 +1 @@
+private
diff --git a/root/etc/e-smith/db/configuration/defaults/ntop/status b/root/etc/e-smith/db/configuration/defaults/ntop/status
new file mode 100644
index 0000000..86981e6
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ntop/status
@@ -0,0 +1 @@
+enabled
diff --git a/root/etc/e-smith/db/configuration/defaults/ntop/type b/root/etc/e-smith/db/configuration/defaults/ntop/type
new file mode 100644
index 0000000..24e1098
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ntop/type
@@ -0,0 +1 @@
+service
diff --git a/root/etc/e-smith/events/actions/ntop-init-domain b/root/etc/e-smith/events/actions/ntop-init-domain
new file mode 100644
index 0000000..4fa7ed1
--- /dev/null
+++ b/root/etc/e-smith/events/actions/ntop-init-domain
@@ -0,0 +1,50 @@
+#!/usr/bin/perl -w
+#----------------------------------------------------------------------
+# copyright (C) 2010-2011 Firewall-Services
+# daniel@firewall-services.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Technical support for this program is available from Mitel Networks
+# Please visit our web site www.mitel.com/sme/ for details.
+#----------------------------------------------------------------------
+
+use strict;
+use warnings;
+use esmith::DomainsDB;
+use esmith::ConfigDB;
+
+my $d = esmith::DomainsDB->open or die "Couldn't open DomainsDB\n";
+my $c = esmith::ConfigDB->open_ro() or die "Couldn't open ConfigDB\n";
+
+my $domain = $c->get('DomainName')->value;
+my $vhost = $d->get("ntop.$domain");
+
+if (!$vhost){
+ $d->new_record("ntop.$domain",{
+ type => 'domain',
+ Content => 'Primary',
+ Description => "Ntop",
+ Nameservers => 'internet',
+ TemplatePath => 'WebAppVirtualHost',
+ Removable => 'no',
+ ProxyPassTarget => 'http://127.0.0.1:3000/'
+ });
+
+ unless ( system("/sbin/e-smith/signal-event", "domain-create", "ntop.$domain") == 0 ){
+ die "Failed to create domain ntop.$domain\n";
+ }
+}
+
diff --git a/root/etc/e-smith/templates/etc/hosts.allow/ntop b/root/etc/e-smith/templates/etc/hosts.allow/ntop
new file mode 100644
index 0000000..4513b7b
--- /dev/null
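Review bot: `ProxyPassTarget => 'http://127.0.0.1:3000/'` hard-codes the port, while the `40httpServer` template and the `/etc/services` fragment in this same commit read it from `$ntop{'TCPPort'}` (default 3000); because the record is only written when `ntop.$domain` does not exist yet, an admin who changes TCPPort ends up with ntop listening on the new port and the vhost still proxying to 3000. Read the port from the config DB that is already open: `my $port = ($c->get('ntop') && $c->get('ntop')->prop('TCPPort')) || 3000;` and `ProxyPassTarget => "http://127.0.0.1:$port/"`. Since the action is also linked to `ntop-update`, the `if (!$vhost)` branch could gain an `else` that refreshes `ProxyPassTarget` on the existing record so later port changes propagate, but that is a behaviour change worth its own commit.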
+++ b/root/etc/e-smith/templates/etc/hosts.allow/ntop
@@ -0,0 +1,4 @@
+{
+ $DB->hosts_allow_spec('ntop');
+}
+
diff --git a/root/etc/e-smith/templates/etc/ntop.conf/10user b/root/etc/e-smith/templates/etc/ntop.conf/10user
new file mode 100644
index 0000000..2ef1e20
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/ntop.conf/10user
@@ -0,0 +1,4 @@
+### Sets the user that ntop runs as.
+### NOTE: This should not be root unless you really understand the security risks.
+--user ntop
+
diff --git a/root/etc/e-smith/templates/etc/ntop.conf/20db b/root/etc/e-smith/templates/etc/ntop.conf/20db
new file mode 100644
index 0000000..37f9330
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/ntop.conf/20db
@@ -0,0 +1,3 @@
+### Sets the directory that ntop runs from.
+--db-file-path /var/lib/ntop
+--output-packet-path /var/lib/ntop/pcap
diff --git a/root/etc/e-smith/templates/etc/ntop.conf/30interface b/root/etc/e-smith/templates/etc/ntop.conf/30interface
new file mode 100644
index 0000000..2b91761
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/ntop.conf/30interface
@@ -0,0 +1,20 @@
+### Interface(s) that ntop will capture on (default: eth0)
+{
+ my $if = $InternalInterface{'Name'} || 'eth0';
+ my $mode = $SystemMode || 'serveronly';
+ if ($mode ne 'serveronly'){
+ my $extif = $ExternalInteraface{'Name'} || 'eth1';
+ $if .= ",$extif";
+ }
+ # Now, do we have some VPN interface to look at ?
+ my $ovpndb = esmith::ConfigDB->open_ro('openvpn-s2s');
+ my $s2s = ${'openvpn-s2s'}{'status'} || 'disabled';
+ if (defined $ovpndb && $s2s eq 'enabled'){
+ foreach my $vpn ($ovpndb->get_all_by_prop(type=>'client'),$ovpndb->get_all_by_prop(type=>'server')){
+ my $name = $vpn->key;
+ $if .= ",tun$name";
+ }
+ }
+ $OUT .= "--interface $if\n";
+}
+--no-interface-merge
diff --git a/root/etc/e-smith/templates/etc/ntop.conf/40httpServer b/root/etc/e-smith/templates/etc/ntop.conf/40httpServer
new file mode 100644
index 0000000..49ee7b4
--- /dev/null
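Review bot: `$ExternalInteraface{'Name'}` on the `my $extif` line is misspelled, so it never reads the `ExternalInterface` record that `$InternalInterface{'Name'}` three lines above reads by the same convention; the external capture interface is therefore always the hard-coded `'eth1'` (or the template fails to expand if the engine evaluates this block under strict — I cannot tell from here). Change it to `my $extif = $ExternalInterface{'Name'} || 'eth1';`. The `",tun$name"` naming for openvpn-s2s client and server records is an assumption about another package's device names that deserves a comment, e.g. `# assumes openvpn-s2s names its tunnel devices tun<record key>`.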
+++ b/root/etc/e-smith/templates/etc/ntop.conf/40httpServer
@@ -0,0 +1,8 @@
+### Sets the port that the HTTP webserver listens on
+### NOTE: --http-server 3000 is the default
+--w3c
+{
+ my $port = $ntop{'TCPPort'} || '3000';
+ $OUT .= "--http-server 127.0.0.1:$port\n";
+}
+
diff --git a/root/etc/e-smith/templates/etc/ntop.conf/50localNet b/root/etc/e-smith/templates/etc/ntop.conf/50localNet
new file mode 100644
index 0000000..c288b32
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/ntop.conf/50localNet
@@ -0,0 +1,21 @@
+### Sets the networks that ntop should consider as local.
+### NOTE: Uses dotted decimal and CIDR notation. Example: 192.168.0.0/24
+### The addresses of the interfaces are always local and don't need to be specified.
+#--local-subnets xx.xx.xx.xx/yy
+
+{
+ use esmith::NetworksDB;
+ my $ndb = esmith::NetworksDB->open_ro() ||
+ die('Can not open Networks DB');
+
+ my $networks = '';
+ my @nets = $ndb->networks();
+ foreach my $net (@nets){
+ my $key = $net->key;
+ my $mask = $net->prop('Mask');
+ $networks .= "$key/$mask".',';
+ }
+ $OUT .= "--local-subnets $networks\n" if ($networks ne '');
+
+}
+
diff --git a/root/etc/e-smith/templates/etc/ntop.conf/60options b/root/etc/e-smith/templates/etc/ntop.conf/60options
new file mode 100644
index 0000000..ca15237
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/ntop.conf/60options
@@ -0,0 +1,30 @@
+
+{
+ my $decoder = $ntop{'Decoders'} || 'enabled';
+ my $localonly = $ntop{'LocalOnly'} || 'no';
+ my $filter = $ntop{'Filter'} || '';
+ my $pcap = $ntop{'SaveSuspuciousPackets'} || 'disabled';
+
+ if ($decoder eq 'disabled'){
+ $OUT .= "--disable-decoders\n";
+ }
+ if ($localonly eq 'yes'){
+ $OUT .= "--track-local-hosts\n";
+ }
+ if ($filter ne ''){
+ $OUT .= "--filter-expression=\"$filter\"\n";
+ }
+ if ($pcap eq 'enabled'){
+ $OUT .= "--create-suspicious-packets\n";
+ }
+
+ $OUT .=<<"HERE";
+
+--refresh-time=180
+--skip-version-check
+--disable-mutexextrainfo
+--no-fc
+
+HERE
+
+}
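Review bot: In the 50localNet template, `$networks .= "$key/$mask".',';` appends a separator after every network, so the emitted line ends in a trailing comma (e.g. a constructed `--local-subnets 192.168.1.0/255.255.255.0,`), and the header comment documents CIDR (`192.168.0.0/24`) while `$net->prop('Mask')` is the networks DB's dotted-decimal mask — confirm ntop accepts `a.b.c.d/m.m.m.m` and convert to a prefix length if it does not. Build the list with join instead: `my $networks = join(',', map { $_->key . '/' . $_->prop('Mask') } $ndb->networks());` followed by `$OUT .= "--local-subnets $networks\n" if $networks ne '';`. Note also that `open_ro() || die(...)` aborts the whole ntop.conf expansion if the networks DB cannot be opened, whereas the 30interface fragment checks `defined $ovpndb` and falls back; a warn plus an empty list would be the consistent choice.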
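Review bot: In the 60options template the property name in `my $pcap = $ntop{'SaveSuspuciousPackets'} || 'disabled';` is misspelled (Suspucious), so an admin who sets the `SaveSuspiciousPackets` prop that the changelog entry "Make save-suspicious-packets optional" implies will never get `--create-suspicious-packets`; rename it to `$ntop{'SaveSuspiciousPackets'}`, or document the unusual spelling if installations already depend on it. `--filter-expression=\"$filter\"` writes literal double quotes into ntop.conf; whether ntop's `@file` argument reader strips them I cannot tell from here, so verify with a multi-word expression before relying on the Filter prop.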
diff --git a/root/etc/e-smith/templates/etc/ntop.conf/70protocols b/root/etc/e-smith/templates/etc/ntop.conf/70protocols
new file mode 100644
index 0000000..56a59cb
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/ntop.conf/70protocols
@@ -0,0 +1 @@
+--protocols=/etc/ntop/protocols.list
diff --git a/root/etc/e-smith/templates/etc/ntop/protocols.list/10Mail b/root/etc/e-smith/templates/etc/ntop/protocols.list/10Mail
new file mode 100644
index 0000000..8a5b4f9
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/ntop/protocols.list/10Mail
@@ -0,0 +1,11 @@
+Mail=pop3|pop3s|imap|imaps|smtp|smtps|submission
+Web=http|https|squid|webcache|http-alt
+FTP=ftp|ftp-data|tftp
+Netbios=netbios-ns|netbios-dgm|netbios-ssn
+SSH=ssh
+DNS=domain
+DHCP=bootps|bootpc
+Messenger=1863|5000|5001|5190-5193|5222|5223|5269|irc|ircs|ircd
+VoIP=5060|10000-20000|4569
+VPN=1194
+P2P=6881-6999|6346|6347|6348|4661-4665
diff --git a/root/etc/e-smith/templates/etc/services/20ntop b/root/etc/e-smith/templates/etc/services/20ntop
new file mode 100644
index 0000000..9da60a9
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/services/20ntop
@@ -0,0 +1 @@
+ntop { ${'ntop'}{TCPPort} }/tcp # Ntop Web frontend
diff --git a/root/var/service/ntop/log/run b/root/var/service/ntop/log/run
new file mode 100644
index 0000000..a9de4ac
--- /dev/null
+++ b/root/var/service/ntop/log/run
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+exec \
+ /usr/local/bin/setuidgid smelog \
+ /usr/local/bin/multilog t s5000000 \
+ /var/log/ntop
+
diff --git a/root/var/service/ntop/run b/root/var/service/ntop/run
new file mode 100644
index 0000000..231601c
--- /dev/null
+++ b/root/var/service/ntop/run
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+exec 2>&1
+
+[ -e /var/lib/ntop/ntop_pw.db ] || exec /usr/sbin/ntop --set-admin-password=admin
+
+exec /usr/sbin/ntop @/etc/ntop.conf
+
diff --git a/smeserver-ntop.spec b/smeserver-ntop.spec
new file mode 100644
index 0000000..44d7a34
--- /dev/null
+++ b/smeserver-ntop.spec
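Review bot: In root/var/service/ntop/run, `[ -e /var/lib/ntop/ntop_pw.db ] || exec /usr/sbin/ntop --set-admin-password=admin` seeds every installation with the same well-known admin credential, and that account is reachable by anyone who can reach the `ntop.<domain>` vhost that `ntop-init-domain` proxies to 127.0.0.1:3000, so binding the web server to loopback in `40httpServer` does not offset it. Generate a random password once (at install time, for instance), store it in the configuration DB, and read it here: `PW=$(/sbin/e-smith/config getprop ntop AdminPassword)` followed by `[ -e /var/lib/ntop/ntop_pw.db ] || exec /usr/sbin/ntop --user ntop --db-file-path /var/lib/ntop --set-admin-password="$PW"`. Note also that this first invocation does not read `@/etc/ntop.conf`, so the `--user ntop` and `--db-file-path /var/lib/ntop` from the `10user`/`20db` fragments do not apply to it; unless ntop's built-in defaults happen to match, `ntop_pw.db` is created as root in ntop's default directory, which is why the two options are repeated in the proposed line.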
@@ -0,0 +1,91 @@
+# $Id: smeserver-ntop.spec,v 1.24 2009/05/26 09:48:21 vip-ire Exp $
+# Authority: vip-ire
+# Name: Daniel Berteaud
+
+Summary: Ntop integration in SME Server
+%define name smeserver-ntop
+Name: %{name}
+%define version 0.1.0
+%define release 1
+Version: %{version}
+Release: %{release}%{?dist}
+License: GPL
+Group: Applications/System
+Source: %{name}-%{version}.tar.gz
+
+BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
+BuildArch: noarch
+
+BuildRequires: e-smith-devtools
+
+Requires: ntop
+Requires: e-smith-base
+Requires: smeserver-webapps-common
+
+%description
+This package contains all the needed scripts and templates
+to run ntop on your SME Server
+
+%changelog
+* Thu May 31 2012 Daniel B. 0.1.0-1
+- Move to GIT
+
+* Tue Feb 21 2012 Daniel B. 0.1-6
+- Expand ntop conf in bootstrap-console-save
+
+* Wed Dec 07 2011 Daniel B. 0.1-5
+- templates cleanup
+- fix Decoders prop
+- create pcap dir
+- Add some more default options
+- Define displayed protocols instead of defaults ones
+- Make save-suspicious-packets optional
+
+* Thu Oct 20 2011 Daniel B. 0.1-4
+- Add VPN (openvpn-s2s) interfaces
+
+* Wed Oct 12 2011 Daniel B. 0.1-3
+- Don't merge traffic on different interfaces
+
+* Thu Feb 24 2011 Daniel B. 0.1-2
+- stop requiring mod_proxy_html, use a vhost for proxypass instead
+- remove link from the server-manager
+- Make it working with the EPEL version of ntop
+
+* Tue Nov 16 2010 Daniel B. 0.1-1
+- initiale release
+
+%prep
+
+%setup -q -n %{name}-%{version}
+
+%build
+perl createlinks
+%{__mkdir_p} root/var/log/ntop
+%{__mkdir_p} root/var/lib/ntop/pcap
+
+
+%install
+/bin/rm -rf $RPM_BUILD_ROOT
+(cd root ; /usr/bin/find . -depth -print | /bin/cpio -dump $RPM_BUILD_ROOT)
+/bin/rm -f %{name}-%{version}-filelist
+/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
+ --file /var/service/ntop/run 'attr(0755,root,root)' \
+ --file /var/service/ntop/log/run 'attr(0755,root,root)' \
+ --dir /var/log/ntop 'attr(0750,smelog,smelog)' \
+ --dir /var/lib/ntop/pcap 'attr(0750,ntop,ntop)' \
+ > %{name}-%{version}-filelist
+
+%files -f %{name}-%{version}-filelist
+%defattr(-,root,root)
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+
+%post
+
+%preun
+
+true