{"id":2423,"date":"2021-05-02T08:58:44","date_gmt":"2021-05-02T06:58:44","guid":{"rendered":"http:\/\/blogperso.union31.fr\/?p=2423"},"modified":"2021-05-14T11:13:21","modified_gmt":"2021-05-14T09:13:21","slug":"linux-iptables","status":"publish","type":"post","link":"https:\/\/blogperso.union31.fr\/?p=2423","title":{"rendered":"Linux: iptables and its surroundings (IPSET, Conntrack, Munin)"},"content":{"rendered":"\n<p>Article in progress &#8230; Still to do: <\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Munin: the actions \/ e-mail notifications<\/li><\/ul>\n\n\n\n
<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"I_Iptables\"><\/span>I Iptables<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"I1_Exemple_de_script_simple_pour_configuration_dun_firewall\"><\/span>I.1 Example of a (simple) firewall configuration script<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n
<p>Example configuration script (room for improvement). It loads a public blacklist into an ipset set, then rebuilds the iptables rules. Points to keep in mind when reading it: the default policy drops everything inbound but lets everything out; the blacklist is checked only after the ESTABLISHED accept, so an address added to the set while it already has an open connection keeps that connection; and everything not matched is logged without rate limiting, which can flood the kernel log during a port scan (the -m limit match exists for that).<\/p>\n\n\n\n
<pre class=\"wp-block-code\"><code>#!\/bin\/bash\n# Must run as root. Optional argument: the iptables binary to use.\n\necho \"--------------------------\"\necho \"-- IPSET configuration ---\"\necho \"--------------------------\"\n\nBL_FILE=\/home\/xavior\/scripts\/bl_all.txt\n\nipset -exist create blacklist hash:ip # create the \"blacklist\" set (-exist: no error if it already exists)\n\n# Download the blocklist.de list: addresses seen attacking in the last 24h, all ports together.\n# Flush and refill the set only if the download succeeded: flushing first (as the\n# original did) leaves the blacklist empty whenever the download fails.\nif wget -q -O \"$BL_FILE\" https:\/\/lists.blocklist.de\/lists\/all.txt; then\n\tipset flush blacklist # empty the set\n\t# walk through the file and load each address into ipset\n\twhile read -r line\n\tdo\n\t\tipset -exist add blacklist \"$line\" # -exist: a duplicate line is not an error\n\tdone &lt; \"$BL_FILE\"\nelse\n\techo \"blacklist download failed, keeping the current set\" >&amp;2\nfi\n\n\necho \"--------------------------\"\necho \"- Firewall configuration -\"\necho \"--------------------------\"\n\nIPTABLES='\/usr\/sbin\/iptables'\t# default command\n\n# argument?\nif &#91; -n \"$1\" ]; then\t# if arg1 is a non-empty string, use it as the iptables command\n\tIPTABLES=$1\nfi\necho \"Using command: $IPTABLES\"\n\n# Reset the chains\n$IPTABLES -F\n$IPTABLES -X\n$IPTABLES -t nat -F\n$IPTABLES -t nat -X\n$IPTABLES -t mangle -F\n$IPTABLES -t mangle -X\n\n# Default chain policies\n$IPTABLES -P INPUT DROP\n$IPTABLES -P FORWARD ACCEPT\n$IPTABLES -P OUTPUT ACCEPT\n\n\n$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT # allow already established connections (consider ESTABLISHED,RELATED to also accept ICMP errors and related flows)\n\n\n#######################\n# OUTPUT \/ INPUT chains\n\n$IPTABLES -A INPUT  -i lo -j ACCEPT # loopback\n$IPTABLES -A OUTPUT -o lo -j ACCEPT # loopback\n\n# IPSET: log then drop anything coming from, or going to, a blacklisted address\n\n$IPTABLES -A INPUT   -m set --match-set blacklist src -j LOG --log-prefix 'IPTABLES_DROP_IN_BL '\n$IPTABLES -A INPUT   -m set --match-set blacklist src -j DROP\n\n$IPTABLES -A OUTPUT   -m set --match-set blacklist dst -j LOG --log-prefix 'IPTABLES_DROP_OUT_BL '\n$IPTABLES -A OUTPUT   -m set --match-set blacklist dst -j DROP\n\n\n\n#  PING\n$IPTABLES -A INPUT -i wlp2s0 -p icmp -j ACCEPT \t# allow pings on the WIFI card\n$IPTABLES -A INPUT -i eno1 -p icmp -j ACCEPT \t# allow pings on the LAN card\n#$IPTABLES -A OUTPUT  -p icmp -j ACCEPT  \t# allow outgoing PING\n\n\n###############################\n#  SERVER services on this PC\n\n# Web ports\n$IPTABLES -A INPUT -p tcp --dport 80  -j LOG --log-prefix 'IPTABLES_IN_80 '\n$IPTABLES -A INPUT -p tcp --dport 80  -j ACCEPT\n\n$IPTABLES -A INPUT -p tcp --dport 443  -j LOG --log-prefix 'IPTABLES_IN_443 '\n$IPTABLES -A INPUT -p tcp --dport 443  -j ACCEPT\n\n\n\n$IPTABLES -A INPUT -p tcp --dport 22  -j ACCEPT \t# SSH server\n$IPTABLES -A INPUT -p tcp --dport 4049 -j ACCEPT  \t# Munin-node (munin-node listens on 4949 by default; 4049 is only right if munin-node.conf says so)\n\n\n# rules so that these protocols \/ ports do not show up in the logs\n$IPTABLES -A INPUT -p udp --dport 5353 -j DROP   # Multicast DNS\n$IPTABLES -A INPUT -p udp --dport 7437 -j DROP   # multicast from the home router (unknown service)\n$IPTABLES -A INPUT -p udp --dport 135  -j DROP   # EPMAP (RPC)\n$IPTABLES -A INPUT -p udp --dport 137  -j DROP   # NetBios Name Service\n$IPTABLES -A INPUT -p udp --dport 138  -j DROP   # Netbios Datagram Service\n$IPTABLES -A INPUT -p udp --dport 139  -j DROP   # Netbios Session Service\n$IPTABLES -A INPUT -p tcp --dport 135  -j DROP   # EPMAP RPC\n$IPTABLES -A INPUT -p tcp --dport 137  -j DROP   # NetBios \/ SMB\n$IPTABLES -A INPUT -p tcp --dport 138  -j DROP   # NetBios \/ SMB\n$IPTABLES -A INPUT -p tcp --dport 139  -j DROP   # NetBios \/ SMB\n$IPTABLES -A INPUT -p udp --dport 67   -j DROP   # Bootp from the local router\n$IPTABLES -A INPUT -p udp --dport 68   -j DROP   # Bootp from the local router\n\n$IPTABLES -A INPUT -p udp --dport 20002   -j DROP   # multicast from the home router\n$IPTABLES -A INPUT -p igmp -d 224.0.0.0\/24 -j DROP # IGMP multicast from the home router (written 224.0.0.1\/24 originally; iptables normalises it to this network)\n\n# LOG the rest ...\n$IPTABLES -A INPUT  -j LOG --log-prefix 'IPTABLES_IN_DROP ' # log what the INPUT policy is about to DROP ...\n$IPTABLES -A OUTPUT -j LOG --log-prefix 'IPTABLES_OUT '  # log outgoing traffic (very verbose with policy ACCEPT) ...\n\n# Summary\n\necho \"IPTABLES: \"\n$IPTABLES -L -v # show the rules\necho \"IPSET: \"\nipset list -t\n\n<\/code><\/pre>\n\n\n\n
<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"12_Verifier_la_prise_en_compte\"><\/span>I.2 Checking that the rules are in place<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>To check, reading the iptables rule table is enough:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo <strong><span class=\"has-inline-color has-vivid-purple-color\">iptables -L<\/span><\/strong>\n<em>Chain INPUT (policy DROP)\ntarget     prot opt source               destination         
\nACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED\nACCEPT     all  --  anywhere             anywhere            \nLOG        all  --  anywhere             anywhere             match-set blacklist src LOG level warning prefix \"IPTABLES_DROP_IN_BL \"\nDROP       all  --  anywhere             anywhere             match-set blacklist src\nACCEPT     icmp --  anywhere             anywhere            \nACCEPT     icmp --  anywhere             anywhere            \nLOG        tcp  --  anywhere             anywhere             tcp dpt:http LOG level warning prefix \"IPTABLES_IN_80 \"\nACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http\nLOG        tcp  --  anywhere             anywhere             tcp dpt:https LOG level warning prefix \"IPTABLES_IN_443 \"\nACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https\nACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh\nACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4049\nDROP       udp  --  anywhere             anywhere             udp dpt:mdns\nDROP       udp  --  anywhere             anywhere             udp dpt:7437\nDROP       udp  --  anywhere             anywhere             udp dpt:135\nDROP       udp  --  anywhere             anywhere             udp dpt:netbios-ns\nDROP       udp  --  anywhere             anywhere             udp dpt:netbios-dgm\nDROP       udp  --  anywhere             anywhere             udp dpt:netbios-ssn\nDROP       tcp  --  anywhere             anywhere             tcp dpt:epmap\nDROP       tcp  --  anywhere             anywhere             tcp dpt:netbios-ns\nDROP       tcp  --  anywhere             anywhere             tcp dpt:netbios-dgm\nDROP       tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn\nDROP       udp  --  anywhere             anywhere             udp dpt:bootps\nDROP       udp  --  anywhere             anywhere             udp 
dpt:bootpc\nDROP       udp  --  anywhere             anywhere             udp dpt:20002\nDROP       igmp --  anywhere             base-address.mcast.net\/24 \nLOG        all  --  anywhere             anywhere             LOG level warning prefix \"IPTABLES_IN_DROP \"\n\nChain FORWARD (policy ACCEPT)\ntarget     prot opt source               destination         \n\nChain OUTPUT (policy ACCEPT)\ntarget     prot opt source               destination         \nACCEPT     all  --  anywhere             anywhere            \nLOG        all  --  anywhere             anywhere             match-set blacklist dst LOG level warning prefix \"IPTABLES_DROP_OUT_BL \"\nDROP       all  --  anywhere             anywhere             match-set blacklist dst\nLOG        all  --  anywhere             anywhere             LOG level warning prefix \"IPTABLES_OUT \"<\/em>\n<\/code><\/pre>\n\n\n\n
<p>This view is not ideal, though: the interface restrictions do not appear (the two icmp ACCEPT rules look identical and the loopback rule reads like an accept-all), the service names hide the port numbers, and nothing tells whether a rule is ever hit. Prefer the following options to see the targets, the packet counters and the in\/out interfaces; add -n to skip DNS and service-name lookups, --line-numbers to get the position needed by -I and -D, and use iptables -S to print the rules in the same syntax that created them:<\/p>\n\n\n\n
<pre class=\"wp-block-code\"><code>sudo <strong><span class=\"has-inline-color has-vivid-purple-color\">iptables -L <\/span><span class=\"has-inline-color has-vivid-red-color\">-v<\/span><\/strong>\n<em>Chain INPUT (policy DROP 40 packets, 4648 bytes)\n pkts bytes target     prot opt in     out     source               destination         \n1130K   34G ACCEPT     all  --  any    any     anywhere             anywhere             ctstate ESTABLISHED\n 1400  106K ACCEPT     all  --  <span class=\"has-inline-color has-vivid-purple-color\">lo<\/span>     any     anywhere             anywhere            \n    0     0 LOG        all  --  any    any     anywhere             anywhere             match-set blacklist src LOG level warning prefix \"IPTABLES_DROP_IN_BL \"\n    0     0 DROP       all  --  any    any     anywhere             anywhere             match-set blacklist src\n    0     0 ACCEPT     icmp --  <span class=\"has-inline-color has-vivid-purple-color\">wlp2s0<\/span> any     anywhere             anywhere            \n    0     0 ACCEPT     icmp --  eno1   any     anywhere             anywhere            \n    1    52 LOG        tcp  --  any    any     anywhere             anywhere             tcp dpt:http LOG level warning prefix \"IPTABLES_IN_80 \"\n    1    52 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http\n   98  5096 LOG        tcp  --  any    any     anywhere             anywhere             tcp dpt:https LOG level warning prefix \"IPTABLES_IN_443 \"\n   98  5096 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https\n    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh\n    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:4049\n...<\/em>\n<\/code><\/pre>\n\n\n\n
<p>The counters are the practical check: here the https rules have already matched 98 packets while the blacklist rules have matched none. We will not go further into iptables itself, since the goal here is not to explain how it works.<\/p>\n\n\n\n
<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"II_IPSET\"><\/span>II IPSET<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"II1_Presentation\"><\/span>II.1 Overview<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n
<p>When several thousand IP addresses must be blocked, iptables reaches its limits:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>in performance, since every packet is checked against the rules one after the other,<\/li><li>in the readability of the configuration file or of the rule table (iptables -L -v).<\/li><\/ul>\n\n\n\n
<p>IPSET fills this gap: it lets you populate dedicated sets of addresses, on the fly, that a single iptables rule then matches against. Lookups are faster because the addresses to ban are stored in hash tables (or bitmaps) rather than found by evaluating the rules sequentially as iptables does.<\/p>\n\n\n\n
<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"II2_Installation\"><\/span>II.2 Installation <span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt install ipset<\/code><\/pre>\n\n\n\n
<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"II3_Commandes_IPSET_utiles\"><\/span>II.3 Useful IPSET commands<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Creating a set:<\/p>\n\n\n\n<p>Several set types are available, keyed on IP address, MAC address, CIDR networks, with or without a port, a specific interface, and so on.<\/p>\n\n\n\n<p>The list of supported types, as printed by ipset help (each line gives a type, a revision number and what that revision added), is the following:<\/p>\n\n\n\n
<pre class=\"wp-block-code\"><code>    list:set\t\t3\tskbinfo support\n    list:set\t\t2\tcomment support\n    list:set\t\t1\tcounters support\n    list:set\t\t0\tInitial revision\n    hash:mac\t\t0\tInitial revision\n    hash:ip,mac\t\t0\tInitial revision\n    hash:net,iface\t7\tskbinfo and wildcard support\n    hash:net,iface\t6\tskbinfo support\n    hash:net,iface\t5\tforceadd support\n    hash:net,iface\t4\tcomment support\n    hash:net,iface\t3\tcounters support\n    hash:net,iface\t2\t\/0 network support\n    hash:net,iface\t1\tnomatch flag support\n    hash:net,iface\t0\tInitial revision\n    hash:net,port\t7\tskbinfo support\n    hash:net,port\t6\tforceadd support\n    hash:net,port\t5\tcomment support\n    hash:net,port\t4\tcounters support\n    hash:net,port\t3\tnomatch flag support\n    hash:net,port\t2\tAdd\/del range support\n    hash:net,port\t1\tSCTP and UDPLITE support\n    hash:net,port,net\t2\tskbinfo support\n    hash:net,port,net\t1\tforceadd support\n    hash:net,port,net\t0\tinitial revision\n   
 hash:net,net\t2\tskbinfo support\n    hash:net,net\t1\tforceadd support\n    hash:net,net\t0\tinitial revision\n    hash:net\t\t6\tskbinfo support\n    hash:net\t\t5\tforceadd support\n    hash:net\t\t4\tcomment support\n    hash:net\t\t3\tcounters support\n    hash:net\t\t2\tnomatch flag support\n    hash:net\t\t1\tAdd\/del range support\n    hash:net\t\t0\tInitial revision\n    hash:ip,port,net\t7\tskbinfo support\n    hash:ip,port,net\t6\tforceadd support\n    hash:ip,port,net\t5\tcomment support\n    hash:ip,port,net\t4\tcounters support\n    hash:ip,port,net\t3\tnomatch flag support\n    hash:ip,port,net\t2\tAdd\/del range support\n    hash:ip,port,net\t1\tSCTP and UDPLITE support\n    hash:ip,port,ip\t5\tskbinfo support\n    hash:ip,port,ip\t4\tforceadd support\n    hash:ip,port,ip\t3\tcomment support\n    hash:ip,port,ip\t2\tcounters support\n    hash:ip,port,ip\t1\tSCTP and UDPLITE support\n    hash:ip,mark\t2\tskbinfo support\n    hash:ip,mark\t1\tforceadd support\n    hash:ip,mark\t0\tinitial revision\n    hash:ip,port\t5\tskbinfo support\n    hash:ip,port\t4\tforceadd support\n    hash:ip,port\t3\tcomment support\n    hash:ip,port\t2\tcounters support\n    hash:ip,port\t1\tSCTP and UDPLITE support\n    hash:ip\t\t4\tskbinfo support\n    hash:ip\t\t3\tforceadd support\n    hash:ip\t\t2\tcomment support\n    hash:ip\t\t1\tcounters support\n    hash:ip\t\t0\tInitial revision\n    bitmap:port\t\t3\tskbinfo support\n    bitmap:port\t\t2\tcomment support\n    bitmap:port\t\t1\tcounters support\n    bitmap:port\t\t0\tInitial revision\n    bitmap:ip,mac\t3\tskbinfo support\n    bitmap:ip,mac\t2\tcomment support\n    bitmap:ip,mac\t1\tcounters support\n    bitmap:ip,mac\t0\tInitial revision\n    bitmap:ip\t\t3\tskbinfo support\n    bitmap:ip\t\t2\tcomment support\n    bitmap:ip\t\t1\tcounters support\n    bitmap:ip\t\t0\tInitial revision\n<\/code><\/pre>\n\n\n\n
<p>In our case we will use a set of type \u00ab\u00a0hash:ip\u00a0\u00bb.<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">Creating a set:<\/span><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ipset create blacklist hash:ip<\/code><\/pre>\n\n\n\n
<p>By default this set cannot hold more than 65536 entries (maxelem). The limit is fixed at creation time and cannot be changed afterwards, so size the set for the list you intend to load, for example with sudo ipset create blacklist hash:ip maxelem 128000.<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">Listing the sets managed by IPSET:<\/span><\/p>\n\n\n\n
<pre class=\"wp-block-code\"><code><strong><span class=\"has-inline-color has-vivid-purple-color\">sudo ipset list<\/span><\/strong>\n\nName: blacklist\nType: hash:ip\nRevision: 4\nHeader: family inet hashsize 1024 maxelem 65536\nSize in memory: 200\nReferences: 0\nNumber of entries: 0\nMembers:\n\nName: blacklist2\nType: hash:ip\nRevision: 4\nHeader: family inet hashsize 1024 maxelem 128000\nSize in memory: 200\nReferences: 0\nNumber of entries: 0\nMembers:\n\n<\/code><\/pre>\n\n\n\n
<p>Here we see two sets, including the one we just created. \"References\" counts the iptables rules that use the set (none yet) and \"Number of entries\" its current size.<\/p>\n\n\n\n<p>In the long run, prefer the following options:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ipset list -t  # show the sets with their headers but without the addresses\nsudo ipset list -n  # show only the set names<\/code><\/pre>\n\n\n\n<p>To see the members of a particular set:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ipset list blacklist  # the -t and -n options still apply<\/code><\/pre>\n\n\n\n
<p>Finally, the output can be produced in other formats, XML for example (ipset -o xml list), and the \"save\" format (ipset save) is what ipset restore reads back to recreate sets. 
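<\/p>

<p>The loader shown in section I.1 (and again in II.4) flushes the live set and then adds the downloaded lines one by one, which has two weak points: a failed download leaves the blacklist empty, and every line of a third-party file goes to ipset unchecked. The script below is an added example, not the post's code: it turns the commands of this section into an ipset restore script that validates each line as an IPv4 address, fills a temporary set and then swaps it with the live one, so the set referenced by the iptables rules is replaced in one step and is never empty. The set name and parameters (blacklist, hash:ip, hashsize 1024, maxelem 65536) follow the post; the download URL, the local file path and the reload_blacklist wrapper are assumptions to adapt.<\/p>

```sh
#!/bin/sh
# Added example, not the post's code: rebuild the "blacklist" ipset from a
# downloaded text file atomically, without trusting the file blindly.
# The set name and parameters (hash:ip, hashsize 1024, maxelem 65536) are the
# post's; the URL and the file path below are assumptions to adapt.
SET_NAME="blacklist"
SET_PARAMS="hash:ip family inet hashsize 1024 maxelem 65536"

# Keep only well-formed IPv4 addresses (four octets, each 0-255), one per line,
# deduplicated. Comments, blank lines, CIDR networks and garbage are dropped:
# a hash:ip set expands "a.b.c.d/n" to every address of the network, so one
# stray "0.0.0.0/0" in a third-party file would try to fill the set to maxelem.
filter_ipv4() {
  tr -d '\r' |
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
  awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' |
  sort -u
}

# Emit an "ipset restore" script ($1 = blocklist file) that fills a temporary
# set, then swaps it with the live one. "ipset swap" exchanges the contents of
# two sets of the same type in one step, so the iptables rules matching
# "blacklist" never see an empty set. The create lines need "ipset -exist" to
# be harmless when the sets already exist (their parameters must then match).
build_restore_script() {
  tmp="${SET_NAME}_tmp"
  printf 'create %s %s\n' "$SET_NAME" "$SET_PARAMS"
  printf 'create %s %s\n' "$tmp" "$SET_PARAMS"
  printf 'flush %s\n' "$tmp"
  filter_ipv4 < "$1" | while IFS= read -r ip; do
    printf 'add %s %s\n' "$tmp" "$ip"
  done
  printf 'swap %s %s\n' "$tmp" "$SET_NAME"
  printf 'destroy %s\n' "$tmp"
}

# Download, then apply. A failed download returns before anything is changed,
# so the current set keeps protecting the host (the post's loader flushes the
# set before checking the download).
reload_blacklist() {   # $1 = URL, $2 = local copy of the list
  wget -q -O "$2" "$1" || { echo "download failed, keeping the current set" >&2; return 1; }
  build_restore_script "$2" | ipset -exist restore
}

# Run as root with "reload" to refresh the set (from cron, for instance):
#   sh blacklist-reload.sh reload
if [ "${1:-}" = "reload" ]; then
  reload_blacklist "https://lists.blocklist.de/lists/all.txt" "/var/lib/blacklist/bl_all.txt"
fi
```

<p>Because everything goes into the temporary set first, an error in the middle of the restore (the file exceeding maxelem, for instance) stops ipset before the swap line and the live set is untouched. Run it as root from cron to refresh the list periodically.<\/p>

<p>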
The output options are described in the ipset man page.<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">Deleting a set:<\/span><\/p>\n\n\n\n<p>To delete a set, use the \u00ab\u00a0destroy\u00a0\u00bb command. It is refused while an iptables rule still references the set (References above 0 in ipset list): remove the rule first.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ipset destroy blacklist<\/code><\/pre>\n\n\n\n
<p><span style=\"text-decoration: underline;\">Populating a set:<\/span><\/p>\n\n\n\n<p>The principle is to add the wanted IP address to an existing set:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ipset add blacklist 192.168.1.10    # adds one IP address\nsudo ipset add blacklist 192.168.2.0\/24  # on a hash:ip set this adds every address of the network as a separate entry (256 here)<\/code><\/pre>\n\n\n\n<p>Each address of a network counts against maxelem in a hash:ip set; to block whole networks, a hash:net set stores each prefix as a single entry.<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">Emptying a set:<\/span><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ipset flush blacklist<\/code><\/pre>\n\n\n\n
<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"II4_IPSET_avec_IPTABLES\"><\/span>II.4 IPSET with IPTABLES<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Once our IP sets exist, iptables must be told how to use them. Pay attention to where the rules sit in the chain, according to the chosen policy: in the script of section I.1 the blacklist rules come after the ESTABLISHED accept, so an address added to the set while it already has an open connection keeps that connection until it closes, and only its new connections are dropped.<\/p>\n\n\n\n
<pre class=\"wp-block-code\"><code>$IPTABLES -A INPUT   <span class=\"has-inline-color has-vivid-purple-color\">-m set --match-set blacklist<\/span> src -j LOG --log-prefix 'LOG_IPTABLES_DROP_BLACKLIST '\n$IPTABLES -A INPUT   <span class=\"has-inline-color has-vivid-purple-color\">-m set --match-set blacklist<\/span> src -j DROP\n\n$IPTABLES -A OUTPUT   <span class=\"has-inline-color has-vivid-purple-color\">-m set --match-set blacklist<\/span> dst -j LOG --log-prefix 'LOG_IPTABLES_DROP_BLACKLIST '\n$IPTABLES -A OUTPUT   <span class=\"has-inline-color has-vivid-purple-color\">-m set --match-set blacklist<\/span> dst -j DROP<\/code><\/pre>\n\n\n\n
<p>We filter here both incoming flows (source address in the set) and outgoing flows (destination address in the set).<\/p>\n\n\n\n<p>The sets can now be populated separately with IPSET, and dynamically: the iptables rules never need reloading when the list changes.<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">Example script automating the setup of a blacklist:<\/span><\/p>\n\n\n\n
<pre class=\"wp-block-code\"><code>\nBL_FILE=\/home\/xavior\/scripts\/bl_all.txt\nipset -exist create blacklist hash:ip <span class=\"has-inline-color has-vivid-green-cyan-color\"># create the \"blacklist\" set if it does not exist yet<\/span>\n\n<span class=\"has-inline-color has-vivid-green-cyan-color\"># download the blacklist: addresses seen attacking in the last 24h, all ports together<\/span>\nif wget -q -O \"$BL_FILE\" https:\/\/lists.blocklist.de\/lists\/all.txt; then\n        ipset flush blacklist <span class=\"has-inline-color has-vivid-green-cyan-color\"># empty the set only once the new list is on disk<\/span>\n        <span class=\"has-inline-color has-vivid-green-cyan-color\"># walk through the file and load each address into ipset<\/span>\n        while read -r line\n        do\n                ipset -exist add blacklist \"$line\"\n        done &lt; \"$BL_FILE\"\nelse\n        echo \"blacklist download failed, keeping the current set\" >&amp;2\nfi<\/code><\/pre>\n\n\n\n
<p>For more information on this list, see: <a href=\"https:\/\/www.blocklist.de\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.blocklist.de<\/a>. Keep in mind that a third-party list is applied here as-is and in both directions: a false positive blocks that address for your own outgoing connections too.<\/p>\n\n\n\n
<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III_Conntrack\"><\/span>III Conntrack<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III1_Loutil_conntrack\"><\/span>III.1 The conntrack tool<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n
<p>Conntrack is netfilter's connection tracking. I used it to see whether RDP connections were established between the \u00ab\u00a0broker\u00a0\u00bb server and the Windows instances to be linked to it.<\/p>\n\n\n\n<p>The conntrack tool can also manipulate the tracked entries directly (delete or update flows), not only list them. 
We will not cover that here.<\/p>\n\n\n\n<p>To view the table on Ubuntu, go through the \u00ab\u00a0conntrack-tools\u00a0\u00bb package: the nf_conntrack and ip_conntrack files in \/proc\/net\/ are no longer available (that procfs interface depends on the deprecated CONFIG_NF_CONNTRACK_PROCFS kernel option; conntrack-tools talks to the kernel over netlink instead).<\/p>\n\n\n\n<p>To install it:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install conntrack<\/code><\/pre>\n\n\n\n
<p>To see the connection table, type the following command. Each entry shows the protocol (name and number), the remaining timeout in seconds, the TCP state, the original tuple and then the reply tuple; &#91;ASSURED] entries have seen traffic in both directions (a completed handshake for TCP) and are not evicted early when the table fills up, &#91;UNREPLIED] entries have seen no reply yet. Protocol 2, shown as unknown, is IGMP.<\/p>\n\n\n\n
<pre class=\"wp-block-code\"><code><strong><span class=\"has-inline-color has-vivid-purple-color\">sudo conntrack -L<\/span><\/strong>\ntcp      6 51 TIME_WAIT src=192.168.2.136 dst=146.88.232.72 sport=40740 dport=80 src=146.88.232.72 dst=192.168.2.136 sport=80 dport=40740 &#91;ASSURED] mark=0 use=1\nunknown  2 346 src=192.168.2.233 dst=224.0.0.251 &#91;UNREPLIED] src=224.0.0.251 dst=192.168.2.233 mark=0 use=1\nudp      17 27 src=192.168.2.1 dst=255.255.255.255 sport=55870 dport=7437 &#91;UNREPLIED] src=255.255.255.255 dst=192.168.2.1 sport=7437 dport=55870 mark=0 use=1\ntcp      6 99 TIME_WAIT src=192.168.2.136 dst=35.232.111.17 sport=52762 dport=80 src=35.232.111.17 dst=192.168.2.136 sport=80 dport=52762 &#91;ASSURED] mark=0 use=1\ntcp      6 36 TIME_WAIT src=192.168.2.136 dst=146.88.232.72 sport=40738 dport=80 src=146.88.232.72 dst=192.168.2.136 sport=80 dport=40738 &#91;ASSURED] mark=0 use=1\ntcp      6 431991 ESTABLISHED src=192.168.2.136 dst=192.168.1.10 sport=52644 dport=445 src=192.168.1.10 dst=192.168.2.136 sport=445 dport=52644 &#91;ASSURED] mark=0 use=1\nunknown  2 593 src=192.168.2.1 dst=224.0.0.1 &#91;UNREPLIED] src=224.0.0.1 dst=192.168.2.1 mark=0 use=1\ntcp      6 431998 ESTABLISHED src=192.168.2.136 dst=159.89.97.13 sport=55536 dport=443 src=159.89.97.13 dst=192.168.2.136 sport=443 dport=55536 &#91;ASSURED] mark=0 use=1\ntcp      6 431991 ESTABLISHED src=192.168.2.136 dst=192.168.1.10 sport=52642 dport=445 src=192.168.1.10 dst=192.168.2.136 sport=445 dport=52642 &#91;ASSURED] mark=0 use=1\ntcp      6 431742 ESTABLISHED src=192.168.2.136 dst=35.155.82.30 sport=58496 dport=443 src=35.155.82.30 dst=192.168.2.136 sport=443 dport=58496 &#91;ASSURED] mark=0 use=1\ntcp      6 96 TIME_WAIT src=192.168.2.136 dst=146.88.232.72 sport=40742 dport=80 src=146.88.232.72 dst=192.168.2.136 sport=80 dport=40742 &#91;ASSURED] mark=0 use=1\ntcp      6 431991 ESTABLISHED src=192.168.2.136 dst=192.168.1.10 sport=52640 dport=445 src=192.168.1.10 dst=192.168.2.136 sport=445 dport=52640 &#91;ASSURED] mark=0 use=1\nconntrack v1.4.5 (conntrack-tools): 12 flow entries have been shown.\n<\/code><\/pre>\n\n\n\n
<p>Rather than grepping this output, let conntrack filter it: sudo conntrack -L -p tcp --dport 445 --state ESTABLISHED lists only the established SMB sessions seen above (use 3389 for the RDP check), and sudo conntrack -E streams entries as they are created, updated and destroyed.<\/p>\n\n\n\n
<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III2_Le_service_Conntrackd\"><\/span>III.2 The conntrackd service<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Just a few lines to mention it. This service replicates the connection tracking state across several servers. It is used notably when building a firewall cluster, to survive the failure of one node: since the connection state is already known on the other node, failing over does not lose the users' sessions. But beware, conntrackd only replicates connection tracking; extra services must be added to handle the virtual IP addresses, for example (keepalived is the usual companion).<\/p>\n\n\n\n
<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV_Metrologie_Munin\"><\/span>IV Munin metrics<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>We will use Munin to monitor network access through the iptables logs. 
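<\/p>

<p>Munin collects its data through plugins: small programs that print the graph definition when called with config, and \"field.value N\" lines when called without argument. The plugin below is an added example, not the post's own (which is not shown here): it counts, in the kernel log, the lines carrying the LOG prefixes set by the firewall script of section I.1 (IPTABLES_IN_DROP, IPTABLES_DROP_IN_BL, IPTABLES_IN_80, IPTABLES_IN_443, ...), one graph field per prefix, and can also list the source addresses dropped most often. The log path \/var\/log\/kern.log and the sample log lines used to exercise it are assumptions.<\/p>

```sh
#!/bin/sh
# Added example, not the post's own plugin: a minimal Munin plugin that counts
# the iptables LOG prefixes of the firewall script (IPTABLES_IN_DROP, ...) in
# the kernel log. Munin runs a plugin with "config" to get the graph definition
# and with no argument to get the values; both are "key value" lines on stdout.
# Assumption (hypothetical): the kernel log is /var/log/kern.log.
LOGFILE="${LOGFILE:-/var/log/kern.log}"

# Print "prefix count" for every IPTABLES_* prefix in the log read from stdin.
# On an iptables LOG line the prefix is the token right before "IN=".
count_prefixes() {
  awk 'match($0, /IPTABLES_[A-Z0-9_]+ IN=/) {
         n[substr($0, RSTART, RLENGTH - 4)]++      # RLENGTH - 4 drops " IN="
       }
       END { for (p in n) print p, n[p] }' | sort
}

# Print "count address" for the source addresses of dropped packets (prefix
# IPTABLES_IN_DROP), most frequent first; $1 = how many to show (default 5).
top_dropped_sources() {
  awk '/IPTABLES_IN_DROP / {
         for (i = 1; i <= NF; i++)
           if (sub(/^SRC=/, "", $i)) n[$i]++
       }
       END { for (s in n) print n[s], s }' | sort -rn | head -n "${1:-5}"
}

# Graph definition. DERIVE with min 0 turns the ever-growing line counts into a
# rate per second and discards the negative step seen when the log rotates.
munin_config() {
  echo "graph_title iptables LOG prefixes"
  echo "graph_vlabel lines per second"
  echo "graph_category network"
  count_prefixes < "$LOGFILE" | while read -r prefix _; do
    echo "$prefix.label $prefix"
    echo "$prefix.type DERIVE"
    echo "$prefix.min 0"
  done
}

# Current values, one per prefix.
munin_fetch() {
  count_prefixes < "$LOGFILE" | while read -r prefix count; do
    echo "$prefix.value $count"
  done
}

# Dispatch only when the log is readable, so the functions above can also be
# sourced and tested on a sample file.
if [ -r "$LOGFILE" ]; then
  case "${1:-}" in
    config) munin_config ;;
    top)    top_dropped_sources 5 < "$LOGFILE" ;;   # not Munin protocol, handy from a terminal
    *)      munin_fetch ;;                          # Munin fetches values with no argument
  esac
fi
```

<p>To use it, copy it to \/etc\/munin\/plugins\/ (or symlink it there, as the stock plugins are from \/usr\/share\/munin\/plugins\/), make it executable and try it with munin-run; because the kernel log is usually readable only by root or the adm group, give the plugin the right identity in \/etc\/munin\/plugin-conf.d\/ (a &#91;plugin name] section containing user root). Since the counts only grow, the fields are declared as DERIVE with a minimum of 0: Munin then graphs the rate per second and ignores the drop that happens when the log is rotated.<\/p>

<p>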
Cet outil fait bien plus bien entendu &#8230;<\/p>\n\n\n\n<p>Munin est compos\u00e9 de 2 briques principales :<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>la partie serveur qui r\u00e9colterera les donn\u00e9es clientes et fera les \u00e9tats de surveillance,<\/li><li>la partie cliente (\u00e0 installer sur les autres serveurs) qui butinera les donn\u00e9es.<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV1_Munin_serveur\"><\/span>IV.1 Munin serveur<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV11_Installation_et_presentation_rapide\"><\/span>IV.1.1 Installation et pr\u00e9sentation rapide<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Installation :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt install munin<\/code><\/pre>\n\n\n\n<p>Cela installe la partie serveur et \u00e9galement la partie noeud ou \u00ab\u00a0node\u00a0\u00bb<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV12_Architecture_generale\"><\/span>IV.1.2 Architecture g\u00e9n\u00e9rale<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Peut bien comprendre ce que fait Munin, ci dessous un image g\u00e9n\u00e9rale pr\u00e9sentant l&rsquo;architecture :<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"471\" height=\"527\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/05\/Munin-Architecture.png\" alt=\"\" class=\"wp-image-2486\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/05\/Munin-Architecture.png 471w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/05\/Munin-Architecture-268x300.png 268w\" sizes=\"auto, (max-width: 471px) 100vw, 471px\" \/><\/figure>\n\n\n\n<p>Les fichiers de configuration se situent sur \/etc\/munin\/* :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>.\n\u251c\u2500\u2500 
apache24.conf\n\u251c\u2500\u2500 munin.conf\n\u251c\u2500\u2500 munin-conf.d\n\u251c\u2500\u2500 munin-node.conf\n\u251c\u2500\u2500 plugin-conf.d\n\u251c\u2500\u2500 plugins\n\u251c\u2500\u2500 static\n\u2514\u2500\u2500 templates<\/code><\/pre>\n\n\n\n<p>By default, under Ubuntu, the working directories are:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>dbdir \/var\/lib\/munin<\/li><li>htmldir \/var\/cache\/munin\/www<\/li><li>logdir \/var\/log\/munin<\/li><li>rundir \/var\/run\/munin<\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV13_Activation_application_web\"><\/span>IV.1.3 Enabling the web application<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>An example Apache configuration for the web front end is provided in the file \"apache24.conf\".<\/p>\n\n\n\n<p>Example for an Apache that is already installed:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd \/etc\/munin\/\nsudo cp apache24.conf \/etc\/apache2\/sites-available\/apache_munin.conf\ncd \/etc\/apache2\/sites-enabled\/\nsudo ln -s ..\/sites-available\/apache_munin.conf\nsudo systemctl restart apache2<\/code><\/pre>\n\n\n\n<p>Once copied (and adapted to your infrastructure: the shipped file only allows local access, and the dashboards reveal host names, services and their load, so widen that restriction only to the addresses that really need it), the web part should be reachable at http:\/\/127.0.0.1\/munin and look like this:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"658\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/05\/Munin-1024x658.png\" alt=\"Munin web interface\" class=\"wp-image-2478\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/05\/Munin-1024x658.png 1024w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/05\/Munin-300x193.png 300w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/05\/Munin-768x494.png 768w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/05\/Munin.png 1073w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" 
\/><\/figure>\n\n\n\n<p>Note that data is already present, because the node is installed on the server itself.<\/p>\n\n\n\n<p>To tune the web part, or to serve it through NGINX for example, read the README located in the \"\/usr\/share\/doc\/munin\" directory.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV2_Munin_client\"><\/span>IV.2 Munin client (node)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV21_Installation\"><\/span>IV.2.1 Installation<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>If the munin package has been installed, the client does not need to be installed separately. On any other server, however, install the Munin client, named \"munin-node\":<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt install munin-node<\/code><\/pre>\n\n\n\n<p>Then grant the server access in the configuration file \/etc\/munin\/munin-node.conf so that it is allowed to collect the data. The allow lines are regular expressions, not CIDR ranges: add one line for the Munin server's address with the dots escaped, as in the two loopback defaults below, and avoid loose patterns, since any host they match can read every plugin's output from the node:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># A list of addresses that are allowed to connect.  This must be a\n# regular expression, since Net::Server does not understand CIDR-style\n# network notation unless the perl module Net::CIDR is installed.  You\n# may repeat the allow line as many times as you'd like\n\n<span class=\"has-inline-color has-vivid-purple-color\">allow ^127\\.0\\.0\\.1$\nallow ^::1$<\/span><\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV22_Pluggin_Munin\"><\/span>IV.2.2 Munin plugins<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Plugins are placed in the directory \"<strong>\/etc\/munin\/plugins<\/strong>\". 
They are symbolic links pointing to the plugins shipped in \"\/usr\/share\/munin\/plugins\/\".<\/p>\n\n\n\n<p>So, to disable a plugin, simply remove its symbolic link. Extract of the directory:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/etc\/munin\/plugins$ ls -als\ntotal 8\n4 drwxr-xr-x 2 root root 4096 mai    9 11:58 .\n4 drwxr-xr-x 7 root root 4096 mai    9 11:58 ..\n0 lrwxrwxrwx 1 root root   29 mai    9 11:58 acpi -&gt; \/usr\/share\/munin\/plugins\/acpi\n0 lrwxrwxrwx 1 root root   28 mai    9 11:58 cpu -&gt; \/usr\/share\/munin\/plugins\/cpu\n0 lrwxrwxrwx 1 root root   33 mai    9 11:58 cpuspeed -&gt; \/usr\/share\/munin\/plugins\/cpuspeed\n0 lrwxrwxrwx 1 root root   27 mai    9 11:58 df -&gt; \/usr\/share\/munin\/plugins\/df\n0 lrwxrwxrwx 1 root root   33 mai    9 11:58 df_inode -&gt; \/usr\/share\/munin\/plugins\/df_inode\n0 lrwxrwxrwx 1 root root   34 mai    9 11:58 diskstats -&gt; \/usr\/share\/munin\/plugins\/diskstats\n0 lrwxrwxrwx 1 root root   32 mai    9 11:58 entropy -&gt; \/usr\/share\/munin\/plugins\/entropy\n0 lrwxrwxrwx 1 root root   30 mai    9 11:58 forks -&gt; \/usr\/share\/munin\/plugins\/forks\n0 lrwxrwxrwx 1 root root   37 mai    9 11:58 fw_conntrack -&gt; \/usr\/share\/munin\/plugins\/fw_conntrack<\/code><\/pre>\n\n\n\n<p>The directory \"<code>\/etc\/munin\/plugin-conf.d<\/code>\" holds the plugins' configuration files. 
There you will find the file \"munin-node\", which says which account (user and\/or group) each type of plugin runs as on the monitored machine (e.g. apache, conntrack, etc.). Plugins that need privileged files get their rights here, so give each one the narrowest account that works rather than root across the board.<\/p>\n\n\n\n<p>The command \"<strong>munin-node-configure<\/strong>\" lists the active and inactive plugins; with --suggest it also says which ones could work on this host and, for those that cannot, why.<\/p>\n\n\n\n<p>Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/etc\/munin$ sudo <span class=\"has-inline-color has-vivid-purple-color\">munin-node-configure --suggest<\/span>\n\nPlugin                     | Used | Suggestions                            \n------                     | ---- | -----------                            \nacpi                       | yes  | yes                                    \namavis                     | no   | no &#91;command logtail or file \/var\/log\/mail.info not found]\napache_accesses            | no   | no &#91;Port 80: Can't connect to pc-xavior:443 (certificate verify failed)]\napache_processes           | no   | no &#91;Port 80: Can't connect to pc-xavior:443 (certificate verify failed)]\napache_volume              | no   | no &#91;Port 80: Can't connect to pc-xavior:443 (certificate verify failed)]\napc_envunit_               | no   | no &#91;no units to monitor]               \nbonding_err_               | no   | no &#91;No \/proc\/net\/bonding]              \ncourier_mta_mailqueue      | no   | no &#91;spooldir not found]                \ncourier_mta_mailstats      | no   | no &#91;could not find executable]         \ncourier_mta_mailvolume     | no   | no &#91;could not find executable]         \ncps_                       | no   | no &#91;ipvsadm not found]                 \ncpu                        | yes  | yes                                    \ncpuspeed                   | yes  | yes                                    \ncupsys_pages               | no   | no &#91;logfile not found] 
\n...<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV23_Personnalisation_Pluggin_Munin\"><\/span>IV.2.3 Customising Munin plugins<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>The Warning and Critical thresholds used for alerting can be customised. Depending on the plugin, this is done in one of the following places:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>the file \/etc\/munin\/plugin-conf.d\/munin-node, or another file in that directory;<\/li><li>the file \/etc\/munin\/munin.conf, by overriding values in the section of the monitored host;<\/li><li>as a last resort, the plugin script itself.<\/li><\/ul>\n\n\n\n<p>For the \"df\" plugin, the \"global\" variables such as the default Warning level are changed in \/etc\/munin\/plugin-conf.d\/munin-node. Below, the warning is set to 80% for the space-used measurement of every disk found:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;cps*]\nuser root\n\n&#91;df*]\n<span class=\"has-inline-color has-vivid-purple-color\"><strong>env.warning 80<\/strong><\/span>\nenv.critical 98\nenv.exclude_re ^\/run\/user\n\n&#91;exim_mailqueue]\ngroup adm, (Debian-exim)\n<\/code><\/pre>\n\n\n\n<p>Values can also be set for specific disks. 
This is defined in the host's section of \/etc\/munin\/munin.conf (the field name is the device or tmpfs path with slashes turned into underscores, as shown by munin-run below):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># a simple host tree\n&#91;localhost.localdomain]\n    address 127.0.0.1\n    use_node_name yes\n    <strong><span class=\"has-inline-color has-vivid-purple-color\">df._dev_sda5.warning 70<\/span><\/strong><\/code><\/pre>\n\n\n\n<p>For changes made on the node side (plugin-conf.d) to take effect, restart the \"munin-node\" service; munin.conf is re-read by the server at every collection run:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl restart munin-node<\/code><\/pre>\n\n\n\n<p>The field names that can be overridden are visible in the reports, as below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/05\/df_valeurs-1-1024x673.png\" alt=\"df plugin field values in a Munin report\" class=\"wp-image-2509\" width=\"708\" height=\"465\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/05\/df_valeurs-1-1024x673.png 1024w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/05\/df_valeurs-1-300x197.png 300w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/05\/df_valeurs-1-768x505.png 768w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/05\/df_valeurs-1.png 1068w\" sizes=\"auto, (max-width: 708px) 100vw, 708px\" \/><\/figure>\n\n\n\n<p>The values can also be read from the command line with \"munin-run\":<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong><span class=\"has-inline-color has-vivid-purple-color\">sudo munin-run df<\/span><\/strong>\n<em>_dev_sda5.value 85.6973293995805\n_dev_shm.value 0\n_run.value 0.228940200721419\n_run_lock.value 0.078125\n_sys_fs_cgroup.value 0\n_dev_sda7.value 15.229950042718<\/em><\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV24_Munin_et_Iptables\"><\/span>IV.2.4 Munin and 
Iptables<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Munin comes with ready-made reports such as the firewall's tracked connections (plugin fw_conntrack), the packets going through the firewall (plugin \"fw_packets\"), etc.<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">Example graph:<\/span><\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/05\/df_conntrack.png\" alt=\"fw_conntrack graph\" class=\"wp-image-2514\" width=\"479\" height=\"367\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/05\/df_conntrack.png 657w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/05\/df_conntrack-300x230.png 300w\" sizes=\"auto, (max-width: 479px) 100vw, 479px\" \/><\/figure>\n\n\n\n<p>In our case we want a graph of the iptables LOG entries. By default there is no preconfigured report for this use case.<\/p>\n\n\n\n<p>We will use an existing plugin that searches log files and counts the lines matching a search pattern. 
The plugin used is \"<strong>loggrep<\/strong>\".<\/p>\n\n\n\n<p>First, enable it:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd \/etc\/munin\/plugins\nsudo ln -s \/usr\/share\/munin\/plugins\/loggrep loggrep<\/code><\/pre>\n\n\n\n<p>Then create a configuration file for it in the \"\/etc\/munin\/plugin-conf.d\" directory:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo touch \/etc\/munin\/plugin-conf.d\/loggrep<\/code><\/pre>\n\n\n\n<p>Its content is as follows and reuses the log prefixes defined in the iptables configuration script at the top of the page. The \"group adm\" line is required: by default plugins run as the munin user, which cannot read \/var\/log\/syslog (mode 0640, group adm), so without it the plugin cannot open the file:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;loggrep]\ngroup adm\nenv.logfile \/var\/log\/syslog \n\nenv.regex_iptablesTotal IPTABLES*\nenv.label_iptablesTotal iptables total\n\nenv.regex_iptablesDrop IPTABLES_IN_DROP\nenv.label_iptablesDrop iptables drop\n\nenv.regex_iptablesOut IPTABLES_OUT\nenv.label_iptablesOut iptables out\n\nenv.regex_iptablesDropInBL IPTABLES_DROP_IN_BL\nenv.label_iptablesDropInBL iptables drop in black list\n\nenv.regex_iptablesDropOutBL IPTABLES_DROP_OUT_BL\nenv.label_iptablesDropOutBL iptables drop out black list\n\nenv.regex_iptablesIN443 IPTABLES_IN_443\nenv.label_iptablesIN443 iptables in 443\n\nenv.regex_iptablesIN80 IPTABLES_IN_80\nenv.label_iptablesIN80 iptables in 80\n\nenv.title IPTABLES LOG monitoring<\/code><\/pre>\n\n\n\n<p>The \"regex\" lines are read as regular expressions. Note that \"IPTABLES*\" therefore means \"IPTABLE\" followed by any number of \"S\": it still matches every IPTABLES_ prefix, but \"IPTABLES_\" would be the precise form. None of the other patterns needs a real expression here, but the facility is very useful, because the expression can be worked out and checked on the command line first &#8230;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>journalctl  -f <span class=\"has-inline-color has-vivid-purple-color\">-g \"IPTABLES.*OUT= .*DPT=443\"<\/span><\/strong>\n-- Logs begin at Tue 2020-12-15 18:00:00 CET. 
--\n\nmai 13 18:44:28 PC-XAVIOR kernel: <strong>IPTABLES_IN_443 IN=wlp2s0 <span class=\"has-inline-color has-vivid-purple-color\">OUT= <\/span>MAC=48:51:b7:5b:bb:c0:80:86:f2:91:5f:5a:08:00 SRC=192.168.2.105 DST=192.168.2.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=65274 DF PROTO=TCP SPT=57156 <span class=\"has-inline-color has-vivid-purple-color\">DPT=443<\/span><\/strong> WINDOW=64240 RES=0x00 SYN URGP=0 \nmai 13 18:44:28 PC-XAVIOR kernel: IPTABLES_IN_443 IN=wlp2s0 OUT= MAC=48:51:b7:5b:bb:c0:80:86:f2:91:5f:5a:08:00 SRC=192.168.2.105 DST=192.168.2.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=65281 DF PROTO=TCP SPT=57157 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 \n<\/code><\/pre>\n\n\n\n<p>&#8230;and once it is validated, a simple copy\/paste into the plugin's configuration file is all that is left.<\/p>\n\n\n\n<p>Once done, test the plugin with the \"munin-run\" command. If there is no error, the result should look like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong><span class=\"has-inline-color has-vivid-purple-color\">sudo munin-run loggrep<\/span><\/strong>\n<em>iptablesOut.value 63705\niptablesTotal.value 66439\niptablesIN443.value 18\niptablesDropOutBL.value 0\niptablesDrop.value 231\niptablesDropInBL.value 0\niptablesIN80.value 0<\/em><\/code><\/pre>\n\n\n\n<p>Finally, restart the munin-node service:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl restart munin-node<\/code><\/pre>\n\n\n\n<p>The plugin's presence can then be checked with the \"munin-node-configure\" command:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>munin-node-configure \nPlugin                     | Used | Extra information                      \n------                     | ---- | -----------------                      \nacpi                       | yes  |                                        \namavis                     | no   |                                        
\n...                                      \n<strong>loggrep                    | <span class=\"has-inline-color has-vivid-purple-color\">yes<\/span>  | <\/strong>\n...<\/code><\/pre>\n\n\n\n<p>Conseil : changer le nom du lien symbolique pour avoir une lecture plus claire de la fonction du module (ex : loggrep_iptables)<\/p>\n\n\n\n<p>Puis attendre quelques minutes et le graphe apparaitra dans l&rsquo;interface web. Ces graphes sont associ\u00e9s \u00e0 la cat\u00e9gorie \u00ab\u00a0other\u00a0\u00bb qui ne peut \u00eatre chang\u00e9 sans toucher au code du pluggin. Exemple de r\u00e9sultat ci-dessous :<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/05\/Munin_loggrep.png\" alt=\"\" class=\"wp-image-2515\" width=\"659\" height=\"358\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/05\/Munin_loggrep.png 963w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/05\/Munin_loggrep-300x163.png 300w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/05\/Munin_loggrep-768x417.png 768w\" sizes=\"auto, (max-width: 659px) 100vw, 659px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV3_Log\"><\/span>IV.3 Log<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Il est toujours interessant de voir les logs.<\/p>\n\n\n\n<p>Dans systemctl nous verrons les logs d&rsquo;execution de munin. 
The more useful ones, however, are Munin's own logs, for both the server and the node.<\/p>\n\n\n\n<p>They are located in \/var\/log\/munin:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls -als\ntotal 1812\n  4 drwxr-xr-x  2 munin    adm      4096 mai   14 00:00 .\n  4 drwxrwxr-x 20 root     syslog   4096 mai   14 00:00 ..\n  0 -rw-r-----  1 www-data adm         0 mai    9 11:58 munin-cgi-graph.log\n  0 -rw-r-----  1 www-data adm         0 mai    9 11:58 munin-cgi-html.log\n  0 -rw-rw-r--  1 munin    munin       0 mai    9 12:00 munin-graph.log\n224 -rw-r-----  1 munin    adm    224971 mai   14 10:12 munin-html.log\n100 -rw-r-----  1 munin    adm     95628 mai   14 10:12 munin-limits.log\n  8 -rw-r--r--  1 root     root     4554 mai    9 11:58 munin-node-configure.log\n304 -rw-r--r--  1 root     root   306050 mai   14 11:04 munin-node.log\n348 -rw-r-----  1 munin    adm    349346 mai   14 11:04 munin-update.log<\/code><\/pre>\n\n\n\n<p>Example, to find malfunctions:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>grep Error \/var\/log\/munin\/munin-node.log\n2021\/05\/14-00:00:07 &#91;1164743] Error output from lpstat:\n2021\/05\/14-00:00:07 &#91;1164743] Error output from lpstat:\n...\n2021\/05\/14-00:26:07 &#91;1179610] Error output from lpstat:\n<span class=\"has-inline-color has-vivid-purple-color\">2021\/05\/14-00:27:06 &#91;<strong>1180174<\/strong>] Error output from fw_conntrack:<\/span>\n2021\/05\/14-00:27:07 &#91;1180174] Error output from lpstat:\n...<\/code><\/pre>\n\n\n\n<p>And to get the details of one particular collection run (the number in brackets identifies the munin-node process that served that connection):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>grep <span class=\"has-inline-color has-vivid-purple-color\"><strong>1180174<\/strong><\/span> \/var\/log\/munin\/munin-node.log\n2021\/05\/14-00:27:06 &#91;1180174] Error output from fw_conntrack:\n2021\/05\/14-00:27:06 &#91;1180174] \tcat: \/proc\/sys\/net\/nf_conntrack_max: Cannot allocate memory\n2021\/05\/14-00:27:07 &#91;1180174] 
Error output from lpstat:\n2021\/05\/14-00:27:07 &#91;1180174] \tlpstat: No destinations added.\n2021\/05\/14-00:27:07 &#91;1180174] \tlpstat: No destinations added.\n2021\/05\/14-00:27:07 &#91;1180174] Error output from lpstat:\n2021\/05\/14-00:27:07 &#91;1180174] \tlpstat: No destinations added.\n2021\/05\/14-00:27:07 &#91;1180174] \tlpstat: No destinations added.\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"V_Pour_aller_plus_loin\"><\/span>V Further reading<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>A very good article for digging into the internals of iptables for all inbound traffic: <a href=\"https:\/\/geekeries.org\/2017\/12\/configuration-avancee-du-firewall-iptables\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/geekeries.org\/2017\/12\/configuration-avancee-du-firewall-iptables\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Article en cours &#8230; Voir : Munin : voir les actions \/ mails I Iptables I.1 Exemple de script (simple) pour configuration d&rsquo;un firewall Exemple de script de configuration (\u00e0 am\u00e9liorer) : 1.2 V\u00e9rifier la prise en compte Pour 
v\u00e9rifier<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-2423","post","type-post","status-publish","format-standard","hentry","category-_systeme"],"_links":{"self":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts\/2423","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2423"}],"version-history":[{"count":67,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts\/2423\/revisions"}],"predecessor-version":[{"id":2541,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts\/2423\/revisions\/2541"}],"wp:attachment":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2423"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2423"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2423"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}