GUIDELINES FOR INSTALLATION OF MRTG ON LINUX

(Version-3/3-1-2003)

In order to monitor the load on different NIB links and also to aid in the systematic augmentation of internodal bandwidth, Multi Router Traffic Grapher (MRTG) is proposed to be used. MRTG is software that monitors the traffic load on network links. MRTG generates HTML pages containing graphical images, which provide a LIVE visual representation of this traffic.

MRTG is to be installed by all the "A" type of nodes except Ludhiana. Chandigarh would be installing MRTG in place of Ludhiana. Apart from MRTG of their own interfaces these nodes would also configure MRTG for the nodes as given in Table-1.

The MRTG PC would be used only for MRTG purposes; no other activity like browsing, mail etc. is to be carried out from that PC. All the security guidelines as given in Section (g) of this document must be implemented.

The details of user-id and password must be sent to Sh Dhirendra Verma, DE(Tech-1) (DNW) on

Following steps are required to implement MRTG.

a) Arrange a PC

b) Procure Red Hat Linux 7.1

c) Connect the PC to the NIB LAN

d) Install Red Hat Linux (Use the IP address as specified in Table-1)

e) Configure Apache Web server

f) Download and install MRTG

g) Securing the MRTG PC

(The procedure written has been tested with RedHat Linux 7.1)

  a) PC :- A normal Pentium III machine with 128 MB RAM, 20 GB hard disk, CD ROM drive and Network Interface card should be sufficient for the installation of MRTG.
  b) Red Hat Linux 7.1 :- This should be easily available from the market. Generally Linux books also come along with the Linux CD.
  c) Connect PC to LAN :- Special permission has been given to connect this PC to NIB LAN. On this PC, no browsing, sending or receiving of mail etc. is to be done for security reasons. This PC would remain ON forever and is not supposed to be switched off.
  d) Linux Installation: The installation procedure given below has been tested with RedHat 7.1. The PC should not be loaded with any variant of Windows operating system. (The PC is not to be made dual bootable). After inserting the Linux CD into the CD ROM drive, the following are the main options which must be selected during the Linux installation.
     1. System should be installed as Server System, not as a work station or anything else.
     2. IP address, mask and gateway should be provided as per details in Table-1.
     3. Firewall should be configured as Medium.
     4. "GNOME", "Webserver" & "X WINDOW system" packages should be selected. Other packages should not be selected as they may pose security threats.
     5. Choose your login type as text. (Not Graphical)
  e) Apache Web Server : After the loading of Linux is over, enter into the system and give the following command at the Unix prompt.

#ps -ef |grep httpd

If it shows httpd as running, then fine. Else proceed as below

#cd /etc/init.d

#ls httpd

# ./httpd start

After giving this command, check the default webpage running on this PC by giving the URL as <address of the LINUX machine>. If it shows the default page, then fine. Else proceed as below

#setup

After giving this command a menu would be displayed, then do as given below

Choose firewall - medium -> Customize -> enable www(http)

Now the default webpage should be opened from another PC.

  f) MRTG : After the above steps are over, check the output of the following commands.

The output of the following commands should not give a response like

"type: xxx : not found" where xxx is gcc/perl/wget

#type gcc

#type perl

#type wget

F-1 Library Compilation :

Give following commands in sequence:

#mkdir -p /usr/local/src

#cd /usr/local/src

#wget ftp://sunsite.cnlab-switch.ch/mirror/infozip/zlib/zlib.tar.gz

#gunzip -c zlib.tar.gz | tar xf -

#mv zlib-?.?.?/ zlib

#cd zlib

#./configure

#make

#cd ..

#wget

#wget

#wget

#gunzip -c libpng-*.tar.gz | tar xf -

#rm libpng-*.tar.gz

#mv libpng-* libpng

#cd libpng

#make -f scripts/makefile.std CC=gcc ZLIBLIB=../zlib ZLIBINC=../zlib

#cd ..

#wget

#gunzip -c gd-1.8.3.tar.gz | tar xf -

#mv gd-1.8.3 gd

#cd gd

Following command is to be given in a single line.

#make INCLUDEDIRS="-I. -I../zlib -I../libpng" LIBDIRS="-L../zlib -L. -L../libpng" LIBS="-lgd -lpng -lz -lm"

#cd ..

#cd /usr/local/src

#wget

#gunzip -c mrtg-2.9.18pre5.tar.gz | tar xvf -

#cd mrtg-2.9.18pre4

#wget

#gunzip -c mrtg-2.9.18.tar.gz | tar xvf -

#cd mrtg-2.9.18

Following command is to be given in single line.

#./configure --prefix=/usr/local/mrtg-2 --with-gd=/usr/local/src/gd --with-z=/usr/local/src/zlib --with-png=/usr/local/src/libpng

#make

#make install

F-2 Configuring MRTG for a node e.g. Shimla (Shimla MRTG is to be implemented at Chandigarh as given in Table-1) :

#cd /usr/local/mrtg-2/bin

#mkdir -p /var/www/html/<node-name>

In this case <node-name> would be shimla.

Before proceeding ahead, please ensure that all the interfaces on Shimla router have the proper description i.e. description command should have been specified for all the interfaces. (For this Chandigarh node-in-charge must coordinate with Shimla node-in-charge)

Following command is to be given in single line. <snmp-community> for nodes must be asked from Data Networks on phone number: 011-3737572/3737571. In this case <snmp-community> for Shimla would be required. Node router IPs are given in Table 2. In this case <node-router-ip> would be 61.0.237.144 and in the field <node-name>, shimla should be given.

#./cfgmaker --no-down --global 'WorkDir: /var/www/html/<node-name>' --global 'Options[_]: bits,growright' <snmp-community>@<node router-ip> > <node-name>.cfg

Run MRTG for the node like Shimla in this case by giving the command

#/usr/local/mrtg-2/bin/mrtg /usr/local/mrtg-2/bin/<node-name>.cfg

It will generate many files in /var/www/html/<node-name>

#cd /etc

Now to configure MRTG to run continuously. Put the following line at the end of the crontab file with the help of vi editor. (A summary of vi commands can be obtained from Internet at

#vi crontab

*/5 * * * * root /usr/local/mrtg-2/bin/mrtg /usr/local/mrtg-2/bin/<node-name>.cfg --logging /var/log/mrtg.log

After adding the above line, save the crontab file and exit, then restart crond by giving the following commands

#cd /etc/init.d/

#./crond restart

Now make html file for the node.

#cd /usr/local/mrtg-2/bin/

Following is the single command.

#/usr/local/mrtg-2/bin/indexmaker -section=descr -sort=descr -columns=2 --show=none -title="MRTG for <node-name> Router" <node-name>.cfg > /var/www/html/<node-name>/<node-name>.html

Now the MRTG graphs for the node, in this case Shimla, can be seen from any Internet connected browser by giving URL as

PC>/<node-name>/<node_name>.html

The step number F-2 is to be repeated for all the nodes whose MRTG is to be implemented as defined in Table-1.
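
cfgmaker writes the SNMP community into every Target line of <node-name>.cfg, so the file needs the same care as a password file. The following added example (not part of the original guidelines) audits a .cfg file for loose permissions and default community strings; the function names are illustrative and the Target line layout "<interface>:<community>@<router>" is assumed from cfgmaker's usual output.

```sh
#!/bin/sh
# Added example: audit of an MRTG .cfg file produced by cfgmaker.
# Assumed Target line layout: Target[name]: <interface>:<community>@<router>:

# cfg_communities FILE -> prints each distinct SNMP community used in Target lines
cfg_communities() {
    sed -n 's/^Target\[[^]]*]:[[:space:]]*[^:@]*:\([^@:]*\)@.*/\1/p' "$1" | sort -u
}

# audit_mrtg_cfg FILE -> prints one finding per line, nothing if the file is clean
audit_mrtg_cfg() {
    cfg=$1
    # Mode bits for group/other read mean local users can read the community.
    if [ -n "$(find "$cfg" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "$cfg: readable by group/others (chmod 600 recommended)"
    fi
    # Well-known default communities should never protect a router.
    for community in $(cfg_communities "$cfg"); do
        case $community in
            public|private) echo "$cfg: default community '$community' in use" ;;
        esac
    done
}

# Audit every file given on the command line, e.g. /usr/local/mrtg-2/bin/*.cfg
for f in "$@"; do
    audit_mrtg_cfg "$f"
done
```

Since the crontab entry runs MRTG as root, restricting each .cfg file to mode 600 owned by root does not affect the 5 minute polling.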

F-3 Procedure for protecting the MRTG with password :

In order to protect MRTG from unauthorized viewing, password protection to MRTG site should be implemented.

#cd /var/www/html

Create a file .htaccess with the vi editor

#vi .htaccess

The following lines must be inserted in this file. <your-node-name> is the name of the node which is implementing MRTG, like in this case Chandigarh.

AuthName "Restricted Access for MRTG of <your-node-name>"

AuthType Basic

AuthUserFile /var/www/html/.htpasswd

AuthGroupFile /dev/null

Require user mrtg-<your-node-name>

After inserting these lines, save the file .htaccess and exit from vi.

Now give the command

#htpasswd -c /var/www/html/.htpasswd mrtg-<your-node-name>

This command will prompt for the password; give the password and remember it. This password along with the login name, which is mrtg-<your-node-name>, should be communicated to the concerned Circle Coordinator, Mr Dhirendra Verma, ADET, Data Networks (011-3737572) and the nodes whose MRTG has been implemented in this machine.

Now give the following command :

#cd /etc/httpd/conf

Open the file httpd.conf with vi editor

# vi httpd.conf

In this file look for the following line :

"This controls which options the .htaccess files in directories can override. Can also be "All", or any combination of "Options", "FileInfo", "AuthConfig", and "Limit"."

AllowOverride None

Change the line "AllowOverride None" to "AllowOverride All", if required.

Now restart the Apache web server by following commands

#cd /etc/init.d

# ./httpd restart

  g) Securing the MRTG PC: (The implementation of this section is mandatory)

To secure the MRTG PC, it is essential to do the following:-

  1. PC power-on password must be configured.
  2. Only these services: xinetd, httpd, crond, ipchains, iptables and network should be enabled. This can be done by giving the following command

#setup

Then choose "system services", and select only the services mentioned above. De-select all the others.

  3. Use IPchains to prevent unauthorized access to the MRTG PC. The following commands are to be given

#ipchains -F input

#ipchains -P input DENY

#ipchains -A input -j ACCEPT -p tcp -s 61.0.0.0/15 -d <IP addr. of MRTG PC>/32

#ipchains -A input -j ACCEPT -p tcp -s 210.212.79.224/27 -d <IP addr. of MRTG PC>/32

#ipchains -A input -j ACCEPT -p udp -s 61.0.0.0/15 -d <IP addr. of MRTG PC>/32

#ipchains -A input -j ACCEPT -p udp -s 210.212.79.224/27 -d <IP addr. of MRTG PC>/32
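
The source matching done by the four ACCEPT rules above can be checked offline before they are loaded. The following is an added example, not part of the original guidelines; the function names are illustrative, and it models only the two source ranges and the default DENY policy, not ipchains itself.

```sh
#!/bin/sh
# Added example: which source addresses do the section (g) rules accept?
# Ranges are copied from the ipchains commands above; everything else is
# denied by "ipchains -P input DENY".
ALLOWED_SOURCES="61.0.0.0/15 210.212.79.224/27"

# ip_to_int A.B.C.D -> prints the address as an integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr IP NET/PREFIX -> exit status 0 if IP lies inside the range
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=$(( 32 - ${2#*/} ))
    size=1
    while [ "$bits" -gt 0 ]; do
        size=$(( size * 2 )); bits=$(( bits - 1 ))
    done
    # Same network when the host bits are divided away on both sides.
    [ $(( ip / size )) -eq $(( net / size )) ]
}

# input_verdict SRC_IP -> prints ACCEPT or DENY for TCP/UDP from SRC_IP
input_verdict() {
    for range in $ALLOWED_SOURCES; do
        if in_cidr "$1" "$range"; then echo ACCEPT; return 0; fi
    done
    echo DENY
}

# Report a verdict for each address given on the command line.
for src in "$@"; do
    echo "$src $(input_verdict "$src")"
done
```

The /15 range spans 61.0.0.0 to 61.1.255.255, so every address in Table 1 and Table 2 is accepted. The rules carry no port restriction, so every TCP and UDP port on the MRTG PC is reachable from both ranges, which is why only the services listed in step 2 should be running.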

After carrying out all the steps, MRTG is ready for use. MRTG PC must be kept on and is not to be switched off. MRTG PC would be used only for MRTG purposes; no activities like browsing and mail are allowed from this PC. Node-in-charges must check daily that MRTG is running.
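
The daily check can be scripted. The following added example (not part of the original guidelines) reports node directories whose MRTG log files have not been rewritten within a given number of minutes. It assumes each WorkDir sits directly under the web root as in F-2 and that MRTG keeps one .log file per target there; it skips backup directories named <node-name>-ddmmyy as created in section H. The function name is illustrative.

```sh
#!/bin/sh
# Added example: find nodes whose MRTG data has stopped updating.

# stale_nodes WEBROOT MAX_AGE_MINUTES
#   prints "<node> no-data" if the node directory holds no .log file,
#   prints "<node> stale"   if no .log file changed in the last MAX_AGE_MINUTES
stale_nodes() {
    webroot=$1; max_age=$2
    for dir in "$webroot"/*/; do
        [ -d "$dir" ] || continue
        node=$(basename "$dir")
        # Backups made with "mv <node-name> <node-name>-ddmmyy" never update.
        case $node in
            *-[0-9][0-9][0-9][0-9][0-9][0-9]) continue ;;
        esac
        if [ -z "$(find "$dir" -name '*.log' | head -n 1)" ]; then
            echo "$node no-data"
        elif [ -z "$(find "$dir" -name '*.log' -mmin "-$max_age" | head -n 1)" ]; then
            echo "$node stale"
        fi
    done
}

# With the 5 minute crontab entry, two missed runs is a reasonable alarm level.
if [ -d /var/www/html ]; then
    stale_nodes /var/www/html 10
fi
```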

H. Procedure for reinstalling the MRTG after the new cards insertion:

Assumption: MRTG is running and updating the data after every 5 minutes.

Procedure:

Go to the html directory.

#cd /var/www/html

First take the backup of the existing running MRTG for all the nodes. The following command would move the existing directory to a different name (e.g. for taking backup of shimla on 25-Dec-2002 the backup directory name would become shimla-251202)

#mv <node-name> <node-name>-ddmmyy

Repeat the above command for all the nodes for which MRTG is working from a particular node.

Now follow the set of commands given below for each node for which MRTG has to be installed.

#mkdir -p /var/www/html/<node-name>

#cd /usr/local/mrtg-2/bin/

#./cfgmaker --no-down --global 'WorkDir: /var/www/html/<node-name>' --global 'Options[_]: bits,growright' <snmp-community>@<node router-ip> > <node-name>.cfg

Now restart the Apache web server by following commands

#cd /etc/init.d

# ./httpd restart

Wait here for at least 10 minutes.

#cd /usr/local/mrtg-2/bin/

#/usr/local/mrtg-2/bin/indexmaker -section=descr -sort=descr -columns=2 --show=none -title="MRTG for <node-name> Router" <node-name>.cfg > /var/www/html/<node-name>/<node-name>.html

Now the MRTG graphs can be seen for the node from any Internet connected browser by giving URL as

PC>/<node-name>/<node_name>.html

After every 5 minutes, the data should be updated and the WAN links on new cards slot should be visible in MRTG.

Any feedback on this document should be forwarded to Mr. Dhirendra Verma, DE(Tech-1),DNW on

Annexure-1

Help URL’s for working on Linux

Following link may be referred for operation of “vi” editor.

For basic linux/unix commands, refer to:

Table 1

Node Name / IP address / Mask / Gateway / Nodes to be covered
Bangalore / 61.1.128.124 / 255.255.255.192 / 61.1.128.94 / Bangalore, Mysore
Calcutta / 61.0.128.124 / 255.255.255.192 / 61.0.128.94 / Calcutta, Guwahati, Shillong
Chennai / 61.1.192.124 / 255.255.255.192 / 61.1.192.94 / Chennai, Madurai, Coimbatore
Mumbai / 61.1.64.124 / 255.255.255.192 / 61.1.64.94 / Mumbai, Nasik
New Delhi / 61.0.0.25 / 255.255.255.192 / 61.0.0.30 / New Delhi, Agra, Faridabad, Ghaziabad, Gurgaon, Meerut, Noida
Pune / 61.1.96.124 / 255.255.255.192 / 61.1.96.124 / Pune, Nagpur
Ahmedabad / 61.1.32.58 / 255.255.255.192 / 61.1.32.46 / Ahmedabad, Rajkot, Vadodara, Surat
Ernakulam / 61.1.224.58 / 255.255.255.192 / 61.1.224.46 / Ernakulam, Trivandrum
Hyderabad / 61.1.160.124 / 255.255.255.128 / 61.1.160.94 / Hyderabad, Bhubaneshwar, Vizag
Indore / 61.1.0.58 / 255.255.255.192 / 61.1.0.46 / Indore, Bhopal, Gwalior, Jabalpur
Jaipur / 61.0.192.58 / 255.255.255.192 / 61.0.192.46 / Jaipur, Jodhpur
Lucknow / 61.0.96.58 / 255.255.255.192 / 61.0.96.46 / Lucknow, Kanpur, Varanasi, Allahabad
Chandigarh / 61.0.65.188 / 255.255.255.192 / 61.0.65.174 / Ludhiana, Amritsar, Jallandhar, Jammu, Shimla, Chandigarh
Patna / 61.0.160.58 / 255.255.255.192 / 61.0.160.46 / Patna

TABLE-2

LOOPBACK ADDRESSES

A- Type Locations

61.0.239.16 / Bangalore
61.0.239.32 / Calcutta
61.0.239.48 / Chennai
61.0.239.64 / Mumbai
61.0.239.80 / New Delhi
61.0.239.96 / Pune
61.0.239.112 / Ahmedabad
61.0.239.128 / Ernakulam
61.0.239.144 / Hyderabad
61.0.239.160 / Indore
61.0.239.176 / Jaipur
61.0.239.192 / Lucknow
61.0.239.208 / Ludhiana
61.0.239.224 / Patna

(B Type)

61.0.238.0 / Agra
61.0.238.16 / Allahabad
61.0.238.32 / Amritsar
61.0.238.48 / Bhopal
61.0.238.64 / Bhubaneshwar
61.0.238.80 / Chandigarh
61.0.238.96 / Coimbatore
61.0.238.112 / Faridabad
61.0.238.128 / Ghaziabad
61.0.238.144 / Gurgaon
61.0.238.160 / Guwahati
61.0.238.176 / Gwalior
61.0.238.192 / Jabalpur
61.0.238.208 / Jallandhar
61.0.238.224 / Jammu
61.0.238.240 / Jodhpur
61.0.237.0 / Kanpur
61.0.237.16 / Madurai
61.0.237.32 / Meerut
61.0.237.48 / Mysore
61.0.237.64 / Nagpur
61.0.237.80 / Nashik
61.0.237.96 / Noida
61.0.237.112 / Rajkot
61.0.237.128 / Shillong
61.0.237.144 / Shimla
61.0.237.160 / Surat
61.0.237.176 / Trivandrum
61.0.237.192 / Vadodara
61.0.237.208 / Varanasi
61.0.237.224 / Vizag

Data Networks Circle, Jan 2003