MRTG Quickstart on CentOS 5.5 (x86)

Published: 04/09/2011

Sometimes all we want to do is see how much traffic is flowing through our routing interfaces - a pretty graph that explains the big picture in a single second. You don't want NetFlow data or deep packet analysis. Just a nice image that immediately tells you whether someone is playing Bandwidth Hog yet again on your network. And you need to set something up within half an hour. MRTG is our old standby for the task.

This guide (an updated variant of the original install documentation) is designed as a quick-and-dirty reference that lets you copy / paste the necessary commands to get MRTG up and running on a minimal CentOS 5.5 (32-bit) system. By minimal, this means that no packages were selected under the Customize option when the OS was installed; everything is unchecked. This setup is not necessarily secure, since the SNMP data travels in cleartext, but it's a start to quickly getting visibility on your infrastructure devices.

So after you install the OS and boot the system for the first time, create a non-root user for normal use and then install some essential packages. Then add the user to the sudoers list and update your NTP and syslog configuration files to point at the appropriate servers, assuming you host any internal log / time server(s). You'll also need to configure SSH to disallow root logins and empty passwords (replace the placeholder values such as joe-user and my-ntp-server-address with values that pertain to your environment):

# useradd joe-user
# passwd joe-user

# yum -y install sudo wget ntp gcc perl make httpd vixie-cron

# visudo

	joe-user 	ALL=(ALL)       ALL

# vi /etc/ntp.conf

	server my-ntp-server-address

# vi /etc/ssh/sshd_config

	PermitRootLogin no
	PermitEmptyPasswords no

# vi /etc/syslog.conf

	*.*	@my-syslog-server-address

Configure several services to start / not start automatically at boot. Patch the system and reboot since a kernel update is inevitable:

# chkconfig ntpd on
# chkconfig httpd on
# chkconfig netfs off
# service ntpd start

# yum -y update

# reboot

Now let's get down to business. Go into our source directory, download some packages, and set MRTG up. Note that at the time of this writing, some of these packages weren't available through the direct links listed here, so you may need to check Sourceforge for them. Adjust your commands to reflect the version numbers of the packages:

# cd /usr/local/src

# wget
# tar xzvf zlib-1.2.5.tar.gz
# mv zlib-1.2.5 zlib
# cd zlib

# ./configure
# make
# make install

# cd ..

# wget
# tar xzvf libpng-1.5.2.tar.gz
# mv libpng-1.5.2 libpng
# cd libpng

# env CFLAGS="-O3 -fPIC" ./configure --prefix=$INSTALL_DIR
# make
# make install

# cd ..

# wget
# tar xzvf gd-2.0.33.tar.gz
# mv gd-2.0.33 gd
# cd gd

# env CPPFLAGS="-I../zlib -I../libpng" LDFLAGS="-L../zlib -L../libpng" ./configure --disable-shared --without-freetype --without-jpeg
# make
# make install
# cp .libs/* .

# cd ..

# wget
# tar xzvf mrtg-2.17.2.tar.gz
# cd mrtg-2.17.2

# ./configure --prefix=/usr/local/mrtg-2 --with-gd=/usr/local/src/gd --with-z=/usr/local/src/zlib --with-png=/usr/local/src/libpng

# make
# make install

The hard part's over. Now just set up a directory within Apache to host our report files and use MRTG's cfgmaker to create a configuration file that lets MRTG talk to our router / firewall / etc. via SNMP:

# mkdir -p /var/www/html/mrtg/cfg

# /usr/local/mrtg-2/bin/cfgmaker --global 'WorkDir: /var/www/html/mrtg' --global 'Options[_]: bits,growright' --output /var/www/html/mrtg/cfg/mrtg.cfg mycommunitystring@my-router-address

If your device is a Cisco ASA:

my-firewall(config)# snmp-server host inside my-mrtg-server-address community mycommunitystring

and be sure to check your ACLs to allow UDP 161 access from your MRTG system. Then back on your MRTG system, set up cron to check the device every five minutes:

# crontab -e

*/5 * * * * env LANG=C /usr/local/mrtg-2/bin/mrtg /var/www/html/mrtg/cfg/mrtg.cfg --logging /var/log/mrtg.log

Now point your web browser to http://my-mrtg-server-address/mrtg/ and see the reports pile up over time. You should ensure that iptables is running and that the ports you need are open:

# service iptables start
# iptables -F
# iptables -A INPUT -s my-router-address -d my-mrtg-server-address -p udp --sport 161 -j ACCEPT
# iptables -A INPUT -s my-dns-server-address -d my-mrtg-server-address -p udp --sport 53 -j ACCEPT
# iptables -A INPUT -s my-ntp-server-address -d my-mrtg-server-address -p udp --sport 123 -j ACCEPT
# iptables -A INPUT -s my-admin-box-address -d my-mrtg-server-address -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -s my-admin-box-address -d my-mrtg-server-address -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -s my-admin-box-address -d my-mrtg-server-address -p icmp -j ACCEPT
# iptables -A INPUT -d my-mrtg-server-address -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -P INPUT DROP
# service iptables save
