Installation will take place in the
1. OS Installation
2. Installation and Configuration of Packages not included with NetPass
3. Installation and Configuration of Packages included with NetPass
4. Configuring NetPass
Staying up to date (because this is a Beta release).
The following document uses some example machine names and addresses. They are:
NetPass Server #1
NetPass Server #2
1. OS Installation
RedHat Enterprise Linux 4 or Fedora Core 3 are the recommended OS. While other distributions will work, those are the only two we've tested on.
A basic OS installation is all that's needed. The NetPass installer should pull in anything that is missing. You will need to apply the "hidden" patch to your NetPass server(s). You will need to apply the NetPass LVS patch to the redirector(s). Both patches can be downloaded from
You should use the kernel source supplied with your distribution. Do not use the generic kernel (www.kernel.org). Do the following to acquire your kernel source:
1a. Building the RedHat kernel
1a.1. cd /usr/src/redhat/SOURCES
1a.2. up2date --get-source kernel
1a.3. rpm -iv /var/spool/up2date/kernel*.src.rpm
1a.4. rpmbuild -bp --target=i686 ../SPECS/kernel.spec
1a.5. cd ../BUILD/kernel-2.6.9/linux-2.6.9
1a.6. patch -p1 < hidden.patch (NetPass server) OR patch -p1 < lvs.patch (redirector)
(patches downloaded from sf.net)
1a.7. cp configs/kernel-2.6.9-i686-hugemem.config .config
1a.8. vi .config
1a.9. set CONFIG_REISERFS_FS=m (you can skip this on the redirectors)
1a.10. vi Makefile
1a.11. set EXTRAVERSION = -netpass
1a.12. make bzImage and answer the configuration prompts as follows (if you skipped step 1a.9 these prompts do not appear):
Reiserfs support (REISERFS_FS) [M/n/y/?] m
Enable reiserfs debug mode (REISERFS_CHECK) [N/y/?] (NEW) n
Stats in /proc/fs/reiserfs (REISERFS_PROC_INFO) [N/y/?] (NEW) y
ReiserFS extended attributes (REISERFS_FS_XATTR) [N/y/?] (NEW) n
1a.13. make modules
1a.14. make modules_install
1a.15. make install
1a.16. Reboot and select the "netpass" kernel. Once tested, make it the default.
Repeat the above on all machines in the NetPass cluster.
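Before spending time on make bzImage it is worth confirming that the two hand edits from steps 1a.9 and 1a.11 actually landed, since a kernel without reiserfs support will fail later when the installer writes the reiserfs image for /var/cookies, and a missing EXTRAVERSION silently overwrites the distribution kernel instead of installing a separate "netpass" entry. The following pre-build check is an added example and not part of the NetPass distribution; the script name check_netpass_kernel.sh is made up, and the "server"/"redirector" role argument is my own convention for skipping the reiserfs check on redirectors as step 1a.9 allows.

```shell
#!/bin/sh
# check_netpass_kernel.sh (added example, not part of NetPass): verify the
# hand edits from steps 1a.9 and 1a.11 before running "make bzImage".
# Usage, from the kernel source directory:
#   sh check_netpass_kernel.sh .config Makefile server      # NetPass server
#   sh check_netpass_kernel.sh .config Makefile redirector  # LVS redirector

# Returns 0 if the .config builds reiserfs as a module, i.e. contains exactly
# "CONFIG_REISERFS_FS=m" ("# CONFIG_REISERFS_FS is not set" or "=y" do not count).
config_has_reiserfs_module() {
    grep -q '^CONFIG_REISERFS_FS=m$' "$1"
}

# Returns 0 if the Makefile tags the build "-netpass", so "make install"
# adds a separate kernel instead of replacing the distribution one.
makefile_has_netpass_extraversion() {
    grep -Eq '^EXTRAVERSION[[:space:]]*=[[:space:]]*-netpass[[:space:]]*$' "$1"
}

# preflight CONFIG MAKEFILE [ROLE]
# Prints one line per check and returns the number of failed checks.
# ROLE is "server" (default) or "redirector"; redirectors skip the reiserfs
# check, matching the note on step 1a.9.
preflight() {
    config=$1; makefile=$2; role=${3:-server}; failed=0
    if [ "$role" = "redirector" ]; then
        echo "skip: reiserfs not required on a redirector"
    elif config_has_reiserfs_module "$config"; then
        echo "ok:   $config sets CONFIG_REISERFS_FS=m"
    else
        echo "FAIL: $config must set CONFIG_REISERFS_FS=m (step 1a.9)"
        failed=$((failed + 1))
    fi
    if makefile_has_netpass_extraversion "$makefile"; then
        echo "ok:   $makefile sets EXTRAVERSION = -netpass"
    else
        echo "FAIL: $makefile must set EXTRAVERSION = -netpass (step 1a.11)"
        failed=$((failed + 1))
    fi
    return $failed
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ $# -ge 2 ]; then
    preflight "$1" "$2" "$3"
fi
```

The exit status is the number of failed checks, so the script can gate a build in a wrapper (sh check_netpass_kernel.sh .config Makefile server && make bzImage).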
2. Packages not included with NetPass
2a.1. Download Nessus from http://www.nessus.org/download/index.php
2a.2. Save the package to /tmp
2a.3. As "root" run one of the following, depending on your distribution:
up2date --nox -i openssl-devel bison flex gcc sharutils
yum install openssl-devel bison flex gcc sharutils
2a.4. Install nessus into /usr/local (the default)
2a.5. Create a nessusd certificate using /usr/local/sbin/nessus-mkcert
You will be asked for a number of days. Enter a large number. Only the local machine will attach to this instance so 10 years should be good. Enter all the other info it asks for.
2a.6. Add a nessusd user using /usr/local/sbin/nessus-adduser
2a.7. Start the Nessus daemon (nessusd) using /usr/local/sbin/nessusd -D
2a.8. Start the Nessus client (nessus) using /usr/local/bin/nessus
2a.9. To uninstall Nessus, use /usr/local/sbin/uninstall-nessus
2a.10. Remember to invoke '/usr/local/sbin/nessus-update-plugins' periodically to update your list of plugins
2a.11. Run the command
nessus -q -p 127.0.0.1 1241 netpass netpass
and accept the SSL certificate.
Rather than a Master/Master replicated instance of MySQL, this version of NetPass uses MySQL Cluster. This allows you to add more than two machines to the NetPass cluster.
2b.1. Download the latest stable “Max” version of MySQL 4.1 from http://dev.mysql.com/downloads/mysql/4.1.html These instructions assume you downloaded the tar file and not the RPM. Either should work.
2b.2. groupadd mysql
2b.3. useradd -g mysql mysql
2b.4. cd /usr/local
2b.5. tar -zxvpf /PATH/TO/MYSQL-VERSION-OS.tar.gz
2b.6. ln -s FULL-PATH-TO-MYSQL-VERSION-OS mysql
2b.7. cd mysql
2b.8. chown -R root .
2b.9. chown -R mysql data
2b.10. chgrp -R mysql .
2b.11. mkdir /var/lib/mysql-cluster
2b.12. cd /var/lib/mysql-cluster
2b.13. create config.ini (ONLY on server with management daemon - select one of the NetPass servers. This example uses "npw2-d.cit.buffalo.edu")
2b.14. run /usr/local/mysql/bin/ndb_mgmd (ONLY on server with management daemon)
2b.15. run /usr/local/mysql/bin/ndbd --initial
2b.16. edit my.cnf add these lines
2b.17. add the following lines on the MySQL machine(s) NOT running the management daemon (note: 220.127.116.11 = npw2-d.cit.buffalo.edu)
2b.18. Install a startup script (available in NetPass/install.d/init.d/mysqld) and type /etc/init.d/mysqld start
Note: steps 2b.13 and 2b.14 run only on the management server. Steps 2b.15 and 2b.16 run on both. Step 2b.17 runs only on the machine(s) that are not the management server. Step 2b.18 runs on both.
2b.19. create the NetPass database on all cluster members
mysqladmin -u root create netpass
repeat command on all cluster members
2b.20. test cluster by connecting to one member:
npw1-d% mysql -u root netpass
mysql> create table foo (a integer) type=ndbcluster;
mysql> insert into foo values(1);
and ensure that table is replicated onto the other member(s):
npw2-d% mysql -u root netpass
mysql> select * from foo;
(should return results)
mysql> drop table foo;
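The cluster test at the end of section 2b is worth scripting so it can be re-run whenever a member is rebuilt or the cluster is grown. The script below is an added example and not part of NetPass: it creates a throwaway ndbcluster table on one member, inserts a row, reads it back on a different member and drops the table, reporting failure if the second member does not see the row. It assumes root can reach each member over ssh and that the mysql client is at /usr/local/mysql/bin/mysql (the symlink created in step 2b.6); the hostnames in the usage line are the document's example machines, and the script name and the table name np_repl_check are made up.

```shell
#!/bin/sh
# check_ndb_replication.sh (added example, not part of NetPass): scripted
# version of the manual cluster test from section 2b.
# Usage: sh check_ndb_replication.sh npw1-d.cit.buffalo.edu npw2-d.cit.buffalo.edu
# Assumes the "netpass" database already exists on every member and that
# root can run the mysql client on each member over ssh.

# Runs one SQL statement against the netpass database on host $1.
# -N -B gives bare tab-separated output, so a single-cell result is just "1".
ndb_sql() {
    ssh "$1" "/usr/local/mysql/bin/mysql -u root -N -B netpass -e \"$2\""
}

# verify_ndb_replication WRITER READER [RUNNER]
# Returns 0 if a row written on WRITER is visible on READER. RUNNER defaults
# to ndb_sql; it is a parameter so the logic can be exercised without a cluster.
# The table is dropped again whether or not the check passes.
verify_ndb_replication() {
    writer=$1; reader=$2; run=${3:-ndb_sql}; tbl=np_repl_check
    "$run" "$writer" "create table $tbl (a integer) type=ndbcluster" || return 1
    "$run" "$writer" "insert into $tbl values(1)" || {
        "$run" "$writer" "drop table $tbl"
        return 1
    }
    seen=$("$run" "$reader" "select a from $tbl")
    "$run" "$writer" "drop table $tbl"
    [ "$seen" = "1" ]
}

# Only act when invoked with two hostnames, so the functions can be sourced.
if [ $# -ge 2 ]; then
    if verify_ndb_replication "$1" "$2"; then
        echo "ok: row written on $1 is visible on $2"
    else
        echo "FAIL: $2 did not see the row written on $1 (check config.ini, my.cnf and that ndbd is running)"
        exit 1
    fi
fi
```

Run it in both directions (member 1 to member 2, then member 2 to member 1) to confirm that every member is both writing to and reading from the NDB storage nodes rather than a local table.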
2c. Configure Snort to work with endace cards
2c.1. download libpcap source www.tcpdump.org
2c.2. unpack libpcap to /opt/src/libpcap-0.8.3
2c.3. unpack dag-2.4.14 to /opt/src/dag-2.4.14
2c.4. cd dag-2.4.14
2c.5. mkdir /opt/dag-2.4.14; ln -s /opt/dag-2.4.14 dag
2c.6. ./configure --prefix=/opt/dag-2.4.14
2c.7. make; make install # In this version of dag (and possibly others) you may need to run dag/drv/dagload by hand to install the kernel modules and create the devices in /dev. If so, don't forget to run modprobe on dagmem and dag to load the modules.
2c.8. mkdir /opt/libpcap-0.8.3; ln -s /opt/libpcap-0.8.3 libpcap
2c.9. cd /opt/src/libpcap-0.8.3
2c.10. ./configure --prefix=/opt/libpcap-0.8.3 --with-dag=/opt/src/dag-2.4.14
2c.11. make; make install
2c.12. download latest snort src from snort.org and unpack in /opt/src/snort-2.3.3
2c.13. mkdir /opt/snort-2.3.3; ln -s /opt/snort-2.3.3 /opt/snort
2c.14. cd /opt/src/snort-2.3.3
2c.15. download snort-2.3.3-vlan.patch
2c.16. patch -p1 < snort-2.3.3-vlan.patch
2c.17. ./configure --prefix=/opt/snort-2.3.3 --with-libpcap-includes=/opt/libpcap-0.8.3/include --with-libpcap-libraries=/opt/libpcap-0.8.3/lib
2c.18. make; make install
2c.19. cd /opt/snort-2.3.3
2c.20. mkdir logs; mkdir etc
2c.21 cp classification.config and reference.config from an updated ruleset at snort.org into /opt/snort/etc
2c.22 download and untar NetPass-Snort-0.01.tar.gz
2c.23 cp etc/snort.conf from NetPass-Snort-0.01.tar.gz to /opt/snort/etc
2c.24 cp install.d/init.d/snortd from netpass cvs tree to /etc/init.d/snortd
2c.25 cp install.d/sysconfig.snort /etc/sysconfig/snort
2c.26 run perl -MCPAN -e shell and install File::Tail, SOAP::Lite and Sys::HostIP
2c.27 cd into the directory you untarred NetPass-Snort-0.01.tar.gz in
2c.28 perl Makefile.PL
2c.29 make; make install # this will install the NetPass::Snort perl module and the npsnortd.pl daemon. To modify parameters passed to npsnortd edit
2c.30 start npsnortd by /etc/init.d/npsnortd start
3. Packages included with NetPass
This version of NetPass includes pre-built versions of Perl, SquidGuard and Apache. These versions have been tested, are known to work and include all of the recommended options. Use of these is optional, but encouraged. This document doesn't discuss how to set up any of these by hand. The source distribution includes various scripts (to be documented in the future) to assist in, for example, building a new copy of Perl with all of the required modules.
This version of NetPass is a pre-release (beta) version of 2.0. As such, it is not available as a packaged distribution. This document instructs you to extract the source from CVS. Doing so allows you to more easily stay in sync with changes as features are implemented and bugs fixed in the beta code. Instructions for getting the latest updates and installing them are given below.
3a. Installing NetPass
3a.1. Select a location where the source code will reside. We'll use "/opt/netpass-src".
3a.2. sudo mkdir /opt/netpass-src
3a.3. cd /opt/netpass-src
3a.4. sudo chown you:yourgroup .
3a.5. cvs -d:pserver:email@example.com:/cvsroot/netpass login
3a.6. cvs -z3 -d:pserver:firstname.lastname@example.org:/cvsroot/netpass co -P NetPass
3a.7. cd NetPass
3a.8. sudo ./install /opt/netpass
The installation procedure is a bit ugly, but will walk you through downloading the pre-built binaries, installing them, and configuring them.
3b. NetPass Installation Procedure
The NetPass installation script can both install and uninstall NetPass. It will add (and remove) patches to various system configuration files.
It will do the following (confirmation is prompted for often and a log file is kept in /tmp/netpass-install.txt):
3b.1. Create a netpass user and a netpass group.
3b.2. Create /var/run/netpass and chown it to netpass:netpass
3b.3. Download and unpack pre-built binaries for Perl, Apache and SquidGuard. These will be installed into /opt
3b.4. Copy the NetPass source into /opt/netpass
3b.5. Download and install HTMLArea into /opt/netpass/www
3b.6. Create a /cookies mount point and a /var/cookies file. A reiserfs filesystem will be written into the /var/cookies file, and /etc/fstab will be modified as needed.
3b.7. Configure apache. You will be prompted for all of the options. If you answer "Y" to enabling SSL, you must already have your certificate files. The Installer will not help you create them. It will ask for their location.
3b.8. Configure Swatch for log watching
3b.9. Configure Squid. You will be prompted for some address ranges.
3b.10. Configure startup scripts.
3b.11. Patch system configuration files (services and syslog.conf).
3b.12. Install /etc/iptables.sh. You will be prompted for address ranges. The file has an area for placing customizations. If you make any, place them in the specified area (see comments in that file) and then run "sudo /etc/iptables.sh" followed by "sudo /etc/init.d/iptables save" to have the changes take effect.
3b.13. Load the NetPass database into MySQL
3b.14. Install crontab files
3b.15. chown netpass:netpass /opt/netpass
3b.16. startup Apache and NetPass
4. Configuring NetPass
At this time, the GUI for editing the configuration is not fully functional. It's still necessary to edit the configuration using a text editor. The first two steps should only be done upon initial configuration. Once the configuration is imported into the database, you will no longer use the netpass-example.conf file. To make edits in the future, you'll "checkout" the configuration from the database (coconf.pl -l -o /tmp/netpass.conf), edit it and check it back in (ciconf.pl -u -i /tmp/netpass.conf).
4a. To make the initial
4a.1. cd /opt/netpass
4a.2. cp etc/netpass-example.conf /tmp/netpass.conf
4a.3. edit that file and make any changes to the <policy> <radius> <ldap> <snmpcommunities> <vlanmap> and <network> sections. Ignore the other sections for now. Save your changes.
4a.4. leave ADMIN_AUTH_METHOD set to
4a.5. Import the configuration into the database:
bin/ciconf.pl -i /tmp/netpass.conf
4b. To make changes in the future:
4b.1. bin/coconf.pl -l -o /tmp/netpass.conf
4b.2. edit the file
4b.3. bin/ciconf.pl -u -i /tmp/netpass.conf
The intent is to finish the Web UI features within the next week.
4c. Configuring users.
To add administrative users to NetPass:
4c.1. Connect to your NetPass server:
4c.2. Login as “netpass” with a password of “netpass”
4c.3. Go to the User Editor screen
4c.4. Add as many users as you need. The “default” group means “all groups”. So if you give a user “Admin” permissions to “default” that means they have full access to everything.
4c.5. If you are not going to use Radius as an authentication mechanism, then specify a password for each user by clicking on a user and then clicking on the "change password" link.
4c.6. If you are going to use Radius, then you don't need to specify a password. Instead, once you've created at least one "Default/Admin" user, go to the "Configuration->General" screen and change "ADMIN_AUTH_METHOD" to "NetPass::Auth::Radius" and then commit the changes.
4c.7. At this point, the "netpass" account will no longer be usable (unless you have it configured into your Radius server) and you should use the "Default/Admin" account that you created in step [4c.4]
5a. Installing the software onto the redirectors.
5a.1. Install the OS (RH4)
5a.2. Patch (lvs.patch) and install the kernel (see Section 1, above)
5a.3. Copy the NetPass source tree to each redirector
5a.4. cd /opt/netpass-src/NetPass
that will install required packages onto the system
that will configure ha.cf and ldirectord.cf
5a.7. cp install.d/iptables-lvs.sh /etc/iptables.sh
5a.8. vi /etc/iptables.sh and adjust local system rules (change 128.205's to something appropriate so you can SSH into the redirectors).
sudo /etc/iptables.sh ; sudo
5b. Configuring the interfaces on the redirectors.
Once you've configured your <network>'s you'll want to do the following (on one of the NetPass servers):
5b.1. bin/coconf.pl -o /tmp/netpass.conf (note: no -l this time, since we just want a copy; we don't want to lock it because we aren't going to edit it)
5b.2. bin/interfacecfg.pl -d 1 > /tmp/redir1.sh
5b.3. bin/interfacecfg.pl -d 2 > /tmp/redir2.sh
5b.4. scp /tmp/redir1.sh redirector1:/tmp
5c. Making the redirector configuration persist across reboots.
5c.1. mkdir -p /opt/netpass/bin
5c.2. cp /tmp/redir1.sh /opt/netpass/bin/hascript.sh
5c.3. chmod 755 /opt/netpass/bin/hascript.sh
5c.4. cp /opt/netpass-src/NetPass/install.d/init.d/netpassha /etc/init.d/
5c.5. chkconfig --add netpassha
chkconfig --level 2345 on
For now, if you add or remove a network, you would re-do the appropriate parts of sections 5b and 5c, above. Note that adding a network requires a restart of heartbeat (because "haresources" changes), so existing networks will see a 1-2 minute outage.
Staying up to date.
Periodically, over the next few weeks, as bugs are fixed and features are finished, you'll be asked to update. To do so:
6.1. cd /opt/netpass-src/NetPass
6.2. cvs update
6.3. sudo ./install -c /opt/netpass
6.4. sudo /etc/init.d/apache restart
The "-c" is important. It instructs "install" to only copy the source into place and skip all other steps.