Installation will take place in the following stages:

1. OS Installation
2. Installation and Configuration of Packages not included with NetPass
3. Installation and Configuration of Packages included with NetPass
4. Configuring NetPass
5. Configuring Redirectors
6. Staying up to date (because this is a Beta release).



The following document uses some example machine names and addresses. They are:

Purpose             Name                     Address
Redirector #1       npr1-d.cit.buffalo.edu   128.205.10.40
Redirector #2       npr2-d.cit.buffalo.edu   128.205.10.62
NetPass Server #1   npw1-d.cit.buffalo.edu   128.205.10.27
NetPass Server #2   npw2-d.cit.buffalo.edu   128.205.10.37


1. OS Installation

RedHat Enterprise Linux 4 and Fedora Core 3 are the recommended operating systems. While other distributions will work, those are the only two we've tested on.

A basic OS installation is all that's needed; the NetPass installer should pull in anything that is missing. You will need to apply the "hidden" patch to your NetPass server(s) and the NetPass LVS patch to the redirector(s). Both patches can be downloaded from www.sf.net/projects/netpass.

You should use the kernel source supplied with your distribution. Do not use the generic kernel from www.kernel.org. Do the following to acquire and build your kernel source:

1a. Building the RedHat kernel


1a.1. cd /usr/src/redhat/SOURCES
1a.2. up2date --get-source kernel
1a.3. rpm -iv /var/spool/up2date/kernel*.src.rpm
1a.4. rpmbuild -bp --target=i686  ../SPECS/kernel.spec
1a.5. cd ../BUILD/kernel-2.6.9/linux-2.6.9
1a.6. patch -p1 < hidden.patch (NetPass server) OR patch -p1 < lvs.patch (redirector)
      (patches downloaded from sf.net)
1a.7. cp configs/kernel-2.6.9-i686-hugemem.config .config
1a.8. vi .config
1a.9. set CONFIG_REISERFS_FS=m (you can skip this on the redirectors)
1a.10. vi Makefile
1a.11. set EXTRAVERSION = -netpass
1a.12. make bzImage and answer the configuration prompts as follows (if you skipped step 1a.9, these prompts do not apply):

Reiserfs support (REISERFS_FS) [M/n/y/?] m
  Enable reiserfs debug mode (REISERFS_CHECK) [N/y/?] (NEW) n
  Stats in /proc/fs/reiserfs (REISERFS_PROC_INFO) [N/y/?] (NEW) y
  ReiserFS extended attributes (REISERFS_FS_XATTR) [N/y/?] (NEW) n

1a.13. make modules
1a.14. make modules_install
1a.15. make install
1a.16. Reboot and select the "netpass" kernel. Once tested, make it the default.

Repeat the above on all machines in the NetPass cluster.
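The kernel steps above as one role-driven script, added here as an example; it is not part of the NetPass distribution. It assumes the patch from sf.net was saved in /usr/src/redhat/SOURCES (a location chosen for this example) and that the hugemem .config has no reiserfs options set yet, as the (NEW) prompts in step 1a.12 indicate; the role argument selects hidden.patch or lvs.patch, the patch is dry-run before it is applied, and the reiserfs answers are written into .config so the build runs unattended.

```shell
#!/bin/sh
# Added example, not part of NetPass: steps 1a.1 to 1a.16 as one role-driven
# script, run as root on each cluster member. The role is "server" (NetPass
# server, hidden.patch) or "redirector" (lvs.patch). Assumption: the patch
# downloaded from sf.net was saved in /usr/src/redhat/SOURCES (chosen here).
set -e

# Map a machine role to the patch that step 1a.6 applies to it.
np_patch_for_role() {
    case "$1" in
        server)     echo hidden.patch ;;
        redirector) echo lvs.patch ;;
        *)          echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Step 1a.11 without an interactive editor: set EXTRAVERSION in the Makefile
# given as $1. Fails if the file has no EXTRAVERSION line to rewrite.
np_set_extraversion() {
    grep -q '^EXTRAVERSION' "$1" || return 1
    sed -i 's/^EXTRAVERSION[[:space:]]*=.*/EXTRAVERSION = -netpass/' "$1"
}

np_build_kernel() {
    role="$1"
    patchfile="/usr/src/redhat/SOURCES/$(np_patch_for_role "$role")"
    cd /usr/src/redhat/SOURCES
    up2date --get-source kernel
    rpm -iv /var/spool/up2date/kernel*.src.rpm
    rpmbuild -bp --target=i686 ../SPECS/kernel.spec
    cd ../BUILD/kernel-2.6.9/linux-2.6.9
    # Prove the patch applies cleanly before touching the tree; set -e aborts on rejects.
    patch -p1 --dry-run < "$patchfile"
    patch -p1 < "$patchfile"
    cp configs/kernel-2.6.9-i686-hugemem.config .config
    if [ "$role" = server ]; then
        # Step 1a.9 plus the three answers from step 1a.12, written into
        # .config so that make bzImage does not stop to ask for them.
        sed -i '/CONFIG_REISERFS_FS[ =]/d' .config
        printf 'CONFIG_REISERFS_FS=m\n# CONFIG_REISERFS_CHECK is not set\n' >> .config
        printf 'CONFIG_REISERFS_PROC_INFO=y\n# CONFIG_REISERFS_FS_XATTR is not set\n' >> .config
    fi
    np_set_extraversion Makefile
    make bzImage
    make modules
    make modules_install
    make install   # then reboot and choose the "netpass" kernel (step 1a.16)
}
case "${1:-}" in build) np_build_kernel "${2:?role (server|redirector)}" ;; esac
```

Invoke as "sh build-netpass-kernel.sh build server" on a NetPass server or "... build redirector" on a redirector.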


2. Packages not included with NetPass

2a. Nessus

2a.1. Download Nessus from http://www.nessus.org/download/index.php
2a.2. Save the package to /tmp
2a.3. As "root" do the following:

up2date --nox -i openssl-devel bison flex gcc sharutils
or
yum install openssl-devel bison flex gcc sharutils

then

sh /tmp/nessus

2a.4. Install nessus into /usr/local (the default)

2a.5. Create a nessusd certificate using /usr/local/sbin/nessus-mkcert

You will be asked for a number of days. Enter a large number. Only the local machine will attach to this instance so 10 years should be good. Enter all the other info it asks for.

2a.6. Add a nessusd user using /usr/local/sbin/nessus-adduser

login: netpass
auth: pass
pass: netpass
again: netpass
ok? y



2a.7. Start the Nessus daemon (nessusd) using /usr/local/sbin/nessusd -D
2a.8. Start the Nessus client (nessus) using /usr/local/bin/nessus
2a.9. To uninstall Nessus, use /usr/local/sbin/uninstall-nessus
2a.10. Remember to invoke '/usr/local/sbin/nessus-update-plugins' periodically to update your list of plugins
2a.11. Run the command

nessus -q -p 127.0.0.1 1241 netpass netpass

and accept the SSL certificate.

2b. MySQL

Rather than a Master/Master replicated instance of MySQL, this version of NetPass uses MySQL Cluster. This allows you to add more than two machines to the NetPass cluster.

2b.1. Download the latest stable “Max” version of MySQL 4.1 from http://dev.mysql.com/downloads/mysql/4.1.html These instructions assume you downloaded the tar file and not the RPM. Either should work.
2b.2. groupadd mysql
2b.3. useradd -g mysql mysql
2b.4. cd /usr/local
2b.5. tar -zxvpf /PATH/TO/MYSQL-VERSION-OS.tar.gz
2b.6. ln -s FULL-PATH-TO-MYSQL-VERSION-OS mysql
2b.7. cd mysql
2b.8. chown -R root  .
2b.9. chown -R mysql data
2b.10. chgrp -R mysql .
2b.11. mkdir /var/lib/mysql-cluster
2b.12. cd /var/lib/mysql-cluster
2b.13. create config.ini (ONLY on server with management daemon - select one of the NetPass servers. This example uses "npw2-d.cit.buffalo.edu")

[NDBD DEFAULT]
NoOfReplicas=2
[MYSQLD DEFAULT]
[NDB_MGMD DEFAULT]
[TCP DEFAULT]
[NDB_MGMD]
ID=10
HostName=npw2-d.cit.buffalo.edu
[NDBD]
ID=1
HostName=npw2-d.cit.buffalo.edu
DataDir=/var/lib/mysql-cluster
[NDBD]
ID=2
HostName=npw1-d.cit.buffalo.edu
DataDir=/var/lib/mysql-cluster
[MYSQLD]
[MYSQLD]
[MYSQLD]

2b.14. Run /usr/local/mysql/bin/ndb_mgmd (ONLY on the server with the management daemon)
2b.15. Run /usr/local/mysql/bin/ndbd --initial
2b.16. Edit my.cnf and add these lines:

[mysqld]
ndbcluster

2b.17. Add the following lines to my.cnf on the MySQL machine(s) NOT running the management daemon (note: 128.205.10.37 = npw2-d.cit.buffalo.edu):

[mysql_cluster]
ndb-connectstring=128.205.10.37


2b.18. Install a startup script (available in NetPass/install.d/init.d/mysqld) and type /etc/init.d/mysqld start

2b.19. Note: steps 2b.13 and 2b.14 are done only on the management server. Steps 2b.15 and 2b.16 on both. Step 2b.17 only on the machine(s) that are not the management server. Step 2b.18 on both.

2b.20. Create the NetPass database on all cluster members:

mysqladmin -u root create netpass

Repeat this command on every cluster member.


2b.21. Test the cluster by connecting to one member:


npw1-d% mysql -u root netpass

mysql> create table foo (a integer) type=ndbcluster;

mysql> insert into foo values(1);


and ensure that table is replicated onto the other member(s):


npw2-d% mysql -u root netpass

mysql> select * from foo;

(should return results)

mysql> drop table foo;
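The cluster files from the steps above as a small generator script, added here as an example and not part of NetPass: given the management host and the data nodes, it emits the config.ini of step 2b.13 and the my.cnf additions of steps 2b.16 and 2b.17, and it generalizes the two-server layout to any number of NetPass servers, refusing a data-node count that is not a multiple of NoOfReplicas. It assumes the first argument is the host running ndb_mgmd and that the connect string is passed in whatever form (hostname or address, as in step 2b.17) you want written.

```shell
#!/bin/sh
# Added example, not part of NetPass: emits the MySQL Cluster files from steps
# 2b.13 to 2b.17 for any number of NetPass servers, not just the two in this
# document. Assumption: the first argument is the host running ndb_mgmd and the
# remaining arguments are the data/SQL nodes (hostnames or addresses).
REPLICAS=2   # NoOfReplicas, as in the document's config.ini

# Print config.ini for the management host (step 2b.13).
# Usage: np_cluster_config_ini MGMT_HOST DATA_HOST...
np_cluster_config_ini() {
    mgmt="$1"; shift
    nodes=$#
    # MySQL Cluster groups data nodes in sets of NoOfReplicas, so the count must
    # be a non-zero multiple of it; refuse a layout ndb_mgmd would reject.
    if [ "$nodes" -eq 0 ] || [ $((nodes % REPLICAS)) -ne 0 ]; then
        echo "need a multiple of $REPLICAS data nodes, got $nodes" >&2
        return 1
    fi
    printf '[NDBD DEFAULT]\nNoOfReplicas=%s\n' "$REPLICAS"
    printf '[MYSQLD DEFAULT]\n[NDB_MGMD DEFAULT]\n[TCP DEFAULT]\n'
    printf '[NDB_MGMD]\nID=10\nHostName=%s\n' "$mgmt"
    id=1
    for host in "$@"; do
        printf '[NDBD]\nID=%s\nHostName=%s\nDataDir=/var/lib/mysql-cluster\n' \
            "$id" "$host"
        id=$((id + 1))
    done
    # One [MYSQLD] slot per SQL node plus one spare: the three slots the
    # document's two-node config.ini reserves.
    for host in "$@"; do printf '[MYSQLD]\n'; done
    printf '[MYSQLD]\n'
}

# Print the my.cnf additions for one host (steps 2b.16 and 2b.17). Only hosts
# that do not run ndb_mgmd get an ndb-connectstring; the comparison is textual,
# so pass the management host in the same form both times for its own file.
# Usage: np_cluster_my_cnf THIS_HOST MGMT_HOST_OR_ADDRESS
np_cluster_my_cnf() {
    printf '[mysqld]\nndbcluster\n'
    if [ "$1" != "$2" ]; then
        printf '[mysql_cluster]\nndb-connectstring=%s\n' "$2"
    fi
}

# e.g. on npw2-d (management host), with the document's two servers:
#   sh np-cluster.sh config npw2-d.cit.buffalo.edu npw2-d.cit.buffalo.edu npw1-d.cit.buffalo.edu > /var/lib/mysql-cluster/config.ini
# e.g. on npw1-d:  sh np-cluster.sh mycnf npw1-d.cit.buffalo.edu 128.205.10.37 >> my.cnf
case "${1:-}" in config) shift; np_cluster_config_ini "$@" ;; mycnf) shift; np_cluster_my_cnf "$@" ;; esac
```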



2c. Configure Snort to work with Endace cards


2c.1. Download the libpcap source from www.tcpdump.org

2c.2. Unpack libpcap to /opt/src/libpcap-0.8.3

2c.3. Unpack dag-2.4.14 to /opt/src/dag-2.4.14

2c.4. cd /opt/src/dag-2.4.14

2c.5. mkdir /opt/dag-2.4.14; ln -s /opt/dag-2.4.14 dag

2c.6. ./configure --prefix=/opt/dag-2.4.14

2c.7. make; make install # In this version of dag (and possibly others) you may need to run dag/drv/dagload by hand to install the kernel modules and create the devices in /dev. If this is the case, don't forget to run modprobe on dagmem and dag to load the modules.

2c.8. mkdir /opt/libpcap-0.8.3; ln -s /opt/libpcap-0.8.3 libpcap

2c.9. cd /opt/src/libpcap-0.8.3

2c.10. ./configure --prefix=/opt/libpcap-0.8.3 --with-dag=/opt/src/dag-2.4.14

2c.11. make; make install

2c.12. Download the latest snort source from snort.org and unpack it in /opt/src/snort-2.3.3

2c.13. mkdir /opt/snort-2.3.3; ln -s /opt/snort-2.3.3 /opt/snort

2c.14. cd /opt/src/snort-2.3.3

2c.15. Download snort-2.3.3-vlan.patch

2c.16. patch -p1 < snort-2.3.3-vlan.patch

2c.17. ./configure --prefix=/opt/snort-2.3.3 --with-libpcap-includes=/opt/libpcap-0.8.3/include --with-libpcap-libraries=/opt/libpcap-0.8.3/lib

2c.18. make; make install

2c.19. cd /opt/snort-2.3.3

2c.20. mkdir logs; mkdir etc

2c.21. Copy classification.config and reference.config from an updated ruleset at snort.org into /opt/snort/etc

2c.22. Download and untar NetPass-Snort-0.01.tar.gz

2c.23. Copy etc/snort.conf from NetPass-Snort-0.01.tar.gz to /opt/snort/etc

2c.24. Copy install.d/init.d/snortd from the NetPass CVS tree to /etc/init.d/snortd

2c.25. Copy install.d/sysconfig.snort to /etc/sysconfig/snort

2c.26. Run perl -MCPAN -e shell and install File::Tail, SOAP::Lite and Sys::HostIP

2c.27. cd into the directory you untarred NetPass-Snort-0.01.tar.gz in

2c.28. perl Makefile.PL

2c.29. make; make install # This installs the NetPass::Snort perl module and the npsnortd.pl daemon. To modify the parameters passed to npsnortd, edit /etc/sysconfig/npsnortd

2c.30. Start npsnortd with /etc/init.d/npsnortd start


3. Packages included with NetPass

This version of NetPass includes pre-built versions of Perl, SquidGuard and Apache. These versions have been tested, are known to work, and include all of the recommended options. Use of these is optional, but encouraged. This document doesn't discuss how to set up any of these by hand. The source distribution includes various scripts (to be documented in the future) to assist in, for example, building a new copy of Perl with all of the required modules.

This version of NetPass is a pre-release (beta) version of 2.0. As such, it is not available as a packaged distribution. This document instructs you to extract the source from CVS. Doing so allows you to more easily stay in sync with changes as features are implemented and bugs fixed in the beta code. Instructions for getting the latest updates and installing them are given below.

3a. Installing NetPass

3a.1. Select a location where the source code will reside. We'll use "/opt/netpass-src".
3a.2. sudo mkdir /opt/netpass-src
3a.3. cd /opt/netpass-src
3a.4. sudo chown you:yourgroup .
3a.5. cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/netpass login
3a.6. cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/netpass co -P NetPass
3a.7. cd NetPass
3a.8. sudo ./install /opt/netpass

The installation procedure is a bit ugly, but will walk you through downloading the pre-built binaries, installing them, and configuring them.

3b. NetPass Installation Procedure

The NetPass installation script can both install and uninstall NetPass. It will add (and remove) patches to various system configuration files.

It will do the following (confirmation is prompted for often and a log file is kept in /tmp/netpass-install.txt):

3b.1. Create a netpass user and a netpass group.
3b.2. Create /var/run/netpass and chown it to netpass:netpass
3b.3. Download and unpack pre-built binaries for Perl, Apache and SquidGuard. These will be installed into /opt
3b.4. Copy the NetPass source into /opt/netpass
3b.5. Download and install HTMLArea into /opt/netpass/www
3b.6. Make a /cookies mount point and a /var/cookies file. A reiserfs filesystem will be written into the /var/cookies file and /etc/fstab will be modified as needed.
3b.7. Configure apache. You will be prompted for all of the options. If you answer "Y" to enabling SSL, you must already have your certificate files. The Installer will not help you create them. It will ask for their location.
3b.8. Configure Swatch for log watching
3b.9. Configure Squid. You will be prompted for some address ranges.
3b.10. Configure startup scripts.
3b.11. Patch system configuration files (services and syslog.conf).
3b.12. Install /etc/iptables.sh. You will be prompted for address ranges. The file has an area for placing customizations. If you make any, place them in the specified area (see the comments in that file), then run "sudo /etc/iptables.sh" followed by "sudo /etc/init.d/iptables save" to have the changes take effect.
3b.13. Load the NetPass database into MySQL
3b.14. Install crontab files
3b.15. chown netpass:netpass /opt/netpass
3b.16. Start up Apache and NetPass


4. Configuring NetPass


At this time, the GUI for editing the configuration is not fully functional. It's still necessary to edit the configuration using a text editor. The first two steps should only be done upon initial configuration. Once the configuration is imported into the database, you will no longer use the netpass-example.conf file. To make edits in the future, you'll check out the configuration from the database (coconf.pl -l -o /tmp/netpass.conf), edit it and check it back in (ciconf.pl -u -i /tmp/netpass.conf).


4a. To make the initial configuration:

4a.1. cd /opt/netpass
4a.2. cp etc/netpass-example.conf /tmp/netpass.conf
4a.3. Edit that file and make any needed changes to the <policy>, <radius>, <ldap>, <snmpcommunities>, <vlanmap> and <network> sections. Ignore the other sections for now. Save your changes.

4a.4. leave ADMIN_AUTH_METHOD set to NetPass::Auth::DB
4a.5. Import the configuration into the database:
bin/ciconf.pl -i /tmp/netpass.conf

4b. To make changes in the future:

4b.1. bin/coconf.pl -l -o /tmp/netpass.conf
4b.2. edit the file
4b.3. bin/ciconf.pl -u -i /tmp/netpass.conf

The intent is to finish the Web UI features within the next week.

4c. Configuring users.

To add administrative users to NetPass:

4c.1. Connect to your NetPass server: http://yourserver/Admin/
4c.2. Login as “netpass” with a password of “netpass”
4c.3. Go to the User Editor screen
4c.4. Add as many users as you need. The “default” group means “all groups”. So if you give a user “Admin” permissions to “default” that means they have full access to everything.

4c.5. If you are not going to use Radius as an authentication mechanism, then specify a password for each user by clicking on a user and then clicking on the “change password” link.

4c.6. If you are going to use Radius, then you don't need to specify a password. Instead, once you've created at least one “Default/Admin” user, go to the “Configuration->General” screen and change “ADMIN_AUTH_METHOD” to “NetPass::Auth::Radius” and then commit the changes.

4c.7. At this point, the “netpass” account will no longer be usable (unless you have it configured into your Radius server) and you should use the “Default/Admin” account that you created in step [4c.4]




5. Configuring Redirectors


5a. Installing the software onto the redirectors.


5a.1. Install the OS (RH4)

5a.2. Patch (lvs.patch) and install the kernel (see Section 1, above)

5a.3. Copy the NetPass source tree to each redirector

5a.4. cd /opt/netpass-src/NetPass

5a.5. sudo install.d/install-lvs.sh
This will install the required packages onto the system.

5a.6. sudo install.d/lvs
This will configure ha.cf and ldirectord.cf.

5a.7. cp install.d/iptables-lvs.sh /etc/iptables.sh

5a.8. vi /etc/iptables.sh and adjust local system rules (change 128.205's to something appropriate so you can SSH into the redirectors).

5a.9. sudo /etc/iptables.sh ; sudo /etc/init.d/iptables save

5b. Configuring the interfaces on the redirectors.


Once you've configured your <network>s, do the following (on one of the NetPass servers):

5b.1. bin/coconf.pl -o /tmp/netpass.conf
(note: no -l this time, since we just want a copy; we don't want to lock it because we aren't going to edit it)

5b.2. bin/interfacecfg.pl -d 1 > /tmp/redir1.sh

5b.3. bin/interfacecfg.pl -d 2 > /tmp/redir2.sh

5b.4. scp /tmp/redir1.sh redirector1:/tmp

5b.5. scp /tmp/redir2.sh redirector2:/tmp

5c. Making the redirector configuration persist across reboots.


5c.1. mkdir -p /opt/netpass/bin

5c.2. cp /tmp/redir1.sh /opt/netpass/bin/hascript.sh

5c.3. chmod 755 /opt/netpass/bin/hascript.sh

5c.4. cp /opt/netpass-src/NetPass/install.d/init.d/netpassha /etc/init.d/

5c.5. chkconfig --add netpassha

5c.6. chkconfig --level 2345 on netpassha


For now, if you add or remove a network, re-do the appropriate parts of sections 5b and 5c, above. Note that adding a network requires a restart of heartbeat (because “haresources” changes), so existing networks will see a 1-2 minute outage.


6. Staying up to date.

Periodically, over the next few weeks, as bugs are fixed and features are finished, you'll be asked to update. To do so:

6.1. cd /opt/netpass-src/NetPass
6.2. cvs update
6.3. sudo ./install -c /opt/netpass
6.4. sudo /etc/init.d/apache restart

The "-c" is important. It instructs "install" to only copy the source into place and skip all other steps.