install_ntopng_on_so_16

#!/bin/bash

#
# install_ntopng_on_so
# Script to install the latest ntopng on SO 16.04 sensor systems.
# by Kevin Branch (kevin@branchnetconsulting.com)
#

# Confirm this script is being run as root
if [ "`whoami`" != "root" ]; then
echo "This installer must be run as root."
exit
fi

# Confirm this is an SO sensor
IFACES=`echo \`grep -v "^#" /etc/nsm/sensortab 2> /dev/null | cut -f1 | sed 's/.*-\([^-]\+\)/\1/g'\` | sed 's/ /,/g'`
if [ "$IFACES" == ""  ]; then
echo "This system does not appear to be a Security Onion sensor."
exit
fi

# Confirm the Sensor is running on Ubuntu 16.04
if [[ ! `grep "16\.04" /etc/lsb-release` ]]; then
        echo "This installer only works with Security Onion running on Ubuntu 16.04."
        exit
fi

# Stop ntopng if it is already running
if [[ `service ntopng status | grep "ntopng running"` ]]; then
        service ntopng stop
fi

# Announce start of installation process
        echo -e "\n*\n* Starting install/upgrade of ntopng\n*\n"

# Confirm reachability of official ntop repo and collect the package lists
rm -rf /tmp/_ntop
mkdir /tmp/_ntop
cd /tmp/_ntop
curl https://packages.ntop.org/apt-stable/16.04/x64/Packages.gz 2> /dev/null | gunzip 2> /dev/null > /tmp/_ntop/package_list_1
curl https://packages.ntop.org/apt-stable/16.04/all/Packages.gz 2> /dev/null | gunzip 2> /dev/null > /tmp/_ntop/package_list_2
if [[ ! `grep "Package: ntopng" /tmp/_ntop/package_list_1` || ! `grep "Package: ntopng-data" /tmp/_ntop/package_list_2` ]]; then
        echo "The official ntop repository is unreachable or broken.  Installation cannot proceed."
        exit
fi

#
# At least temporarily allow the deb rolled with PF_RING 6.6.0 dependency to be used with SO which is still on PF_RING 6.4.1.
# It does not seem to be breaking anything
#
# Determine the currently running SO PF_RING version, and the version included in the ntopng stable repo.  They must match.
#SO_PFRING_VERSION=`grep "PF_RING Version" /proc/net/pf_ring/info | sed 's/.*: \([^ ]\+\) .*/\1/'`
#NTOP_PFRING_VERSION=`grep "\/pfring_6\."  /tmp/_ntop/package_list_1 | tail -n1 | sed 's/.*pfring_\([^-]\+\)-.*/\1/'`
#if [ "$NTOP_PFRING_VERSION" != "$SO_PFRING_VERSION" ]; then
#       echo "The currently running securityonion-pfring version is $SO_PFRING_VERSION but the one in the stable ntop repo for ntopng is $NTOP_PFRING_VERSION.  These must be the same.  You might try running \"sudo soup\" to see if a newer securityonion-pfring version is available. "
#       exit
#fi

# Note is there is already an ntopng.conf file in place so that we do not overwrite it with stock content later in this script
if [ -f /etc/ntopng/ntopng.conf ]; then
        PRESERVE_CONF=yes
fi

# Install dependencies

add-apt-repository -y ppa:maxmind/ppa
apt-get update &> /dev/null
sudo apt-get -y install libzmq5 libnetfilter-queue1 libmnl0 libpgm-5.2-0 libnetfilter-conntrack3 \
fonts-dejavu fonts-dejavu-extra libjemalloc1 librrd4 librdkafka1 libzstd0 libnetfilter-queue1 \
redis-server redis-tools ttf-dejavu ttf-dejavu-core ttf-dejavu-extra librdkafka1 bridge-utils libmaxminddb0 \
libradcli4 n2n geoipupdate libzstd1

# Fetch needed deb packages from ntop repo and confirm all were acquired
NTOPNG_DEB="https://packages.ntop.org/apt-stable/16.04/x64/"`grep "Filename: .*\/ntopng_" /tmp/_ntop/package_list_1 | sed 's/.*\/\(ntopng_.*\)/\1/'`
NTOPNGDATA_DEB="https://packages.ntop.org/apt-stable/16.04/all/"`grep "Filename: .*\/ntopng-data_" /tmp/_ntop/package_list_2 | sed 's/.*\/\(ntopng-data_.*\)/\1/'`
PFRING_DEB="https://packages.ntop.org/apt-stable/16.04/x64/"`grep "Filename: .*\/pfring_" /tmp/_ntop/package_list_1 | sed 's/.*\/\(pfring_.*\)/\1/'`
echo -e "\n*\n* Downloading packages needed for ntopng installation...\n*\n"
wget $NTOPNG_DEB $NTOPNGDATA_DEB
md5sum *.deb | cut -d" " -f1 > md5sums
if [ "`grep -f md5sums package_list_? | wc -l`" != "2" ]; then
        echo "One or more ntopng related packages did not download correctly or otherwise failed verification."
        exit
fi

#
# ntopng-3 no longer depends on {libntapi,libntos}.so, so skip this step...
#
# Manually extract library dependencies from the pfring deb file and put the needed files in place
#mkdir scratch
#dpkg-deb -x pfring_*deb scratch
#if [ "`ls -1 scratch/usr/local/lib/{libntapi,libntos}.so | wc -l`" != "2" ]; then
#       echo "Failed to extract necessary library files from the ntop pfring package.  Aborting..."
#       exit
#fi
#cp scratch/usr/local/lib/{libntapi,libntos}.so /usr/local/lib/
#ldconfig

# Create a stub pfring package so that apt-get don't keep barking about a missing dependency we've already met.
mkdir -p pfring-stub/DEBIAN
PFVER=`echo $PFRING_DEB | sed 's/.*pfring_\([^_]\+\)_.*/\1/'`
echo "Package: pfring" > pfring-stub/DEBIAN/control
echo "Version: $PFVER" >> pfring-stub/DEBIAN/control
echo "Section: user/hidden" >> pfring-stub/DEBIAN/control
echo "Priority: optional" >> pfring-stub/DEBIAN/control
echo "Architecture: amd64" >> pfring-stub/DEBIAN/control
echo "Installed-Size: 0" >> pfring-stub/DEBIAN/control
echo "Maintainer: Kevin Branch <kevin@branchnetconsulting.com>" >> pfring-stub/DEBIAN/control
echo "Description: This is an empty stub package created to satisfy a dependency in the ntopng debs from the ntop repo.  These dependencies are actually met by the securityonion-pfring-* and securityonion-ntopng packages."  >> pfring-stub/DEBIAN/control
dpkg-deb -b pfring-stub
dpkg -i pfring-stub.deb

# Install/upgrade the ntopng and ntopng-data packages from the ntop repo
dpkg --force-all -i ntopng*.deb

# Generate /etc/ntopng/ntopng.conf if missing (parent dir is created by deb)
echo -e "#\n# Here is a reasonable starting configuration for ntopng.  Review the ntopng man page and customize this file to suit your specific needs.\n#" > /etc/ntopng/ntopng.conf.dist
echo '--http-port=0' >> /etc/ntopng/ntopng.conf.dist
echo '--https-port=3000' >> /etc/ntopng/ntopng.conf.dist
echo '--data-dir=/usr/local/ntopng' >> /etc/ntopng/ntopng.conf.dist
echo '--local-networks="192.168.0.0/16,10.0.0.0/8,172.16.0.0/12"' >> /etc/ntopng/ntopng.conf.dist
echo "--interface=$IFACES" >> /etc/ntopng/ntopng.conf.dist
echo '--dns-mode=1' >> /etc/ntopng/ntopng.conf.dist
echo '--community' >> /etc/ntopng/ntopng.conf.dist
echo '--daemon' >> /etc/ntopng/ntopng.conf.dist
echo '-G=/var/tmp/ntopng.pid' >> /etc/ntopng/ntopng.conf.dist
if [ ! "$PRESERVE_CONF" == "yes" ]; then
        echo "Generating /etc/ntopng/ntopng.conf for the first time.  Consult ntopng man page for customization options. "
        echo "The default login credentials for ntopng are: admin/admin"
        cp /etc/ntopng/ntopng.conf.dist /etc/ntopng/ntopng.conf
else
        echo "Did not overwrite pre-existing /etc/ntopng/ntopng.conf file.  Consider consulting /etc/ntopng/ntopng.conf.dist and copying across changes as desired."
fi

# create /etc/ntopng/ntopng.start if missing
if [ ! -f /etc/ntopng/ntopng.start ]; then
        touch /etc/ntopng/ntopng.start
fi

# create /usr/local/ntopng dir if missing, plus set ownership
if [ ! -d /usr/local/ntopng ]; then
        mkdir /usr/local/ntopng
fi
chown -R ntopng:root /usr/local/ntopng

# Open ntopng port in ufw if needed
if [[ ! `ufw status | grep "3000/tcp"` && ! -f /etc/ntopng/no_touch_ufw ]]; then
        echo -e "\n*\n* Adding 3000/tcp to ufw open ports.\n* If this is not desired, manually delete the new ufw rules and then create an empty file '/etc/ntopng/no_touch_ufw' to prevent future ntopng installer updates from modifying ufw.\n*\n"
        ufw allow 3000/tcp
fi

# Enable and start redis-server and then ntopng (redis most likely already running)
systemctl enable redis-server &> /dev/null
systemctl enable ntopng &> /dev/null
systemctl start redis-server &> /dev/null
systemctl start ntopng &> /dev/null

DG_IFACE=`route -n | grep '^0.0.0.0' | awk '{print $8}' | tail -n1`
MGT_IP=`ifconfig | grep $DG_IFACE -A1 | tail -n1 | cut -d: -f2 | awk '{print $1}'`
echo -e "\n*\n* The ntopng should now be running.  Surf to https://$MGT_IP:3000 to reach it.\n*\n"