

2023年8月9日 星期三

Arkime 安裝紀錄

 ############################

#Ubuntu 如何使用 root 登入 #

############################

# 完成修改 root 密碼

# Set a password for root. This is only needed for *direct* root logins
# (console, or SSH when sshd's PermitRootLogin allows it); the `sudo -i`
# below already gives a root shell to any sudo-capable user without it.
sudo passwd root

# Open a root login shell via sudo
sudo -i


#####################################

#  How to install gnupg on Ubuntu   #

# https://howtoinstall.co/en/gnupg  #

#                                   #

#####################################

#Install gnupg

#Installing gnupg package on Ubuntu is as easy as running the following command on terminal:

sudo apt-get install gnupg



#####################################

#  How to install curl & net-tools  #

# https://www.cyberciti.biz/faq/how-to-install-curl-command-on-a-ubuntu-linux/  #

#                                   #

#####################################

sudo apt install curl

sudo apt install net-tools


####################################################################

#  Install VMware tools on Ubuntu 22.04 step by step instructions  #

####################################################################

sudo apt install open-vm-tools #UBUNTU 22.04 SERVER

sudo apt install open-vm-tools-desktop open-vm-tools  #UBUNTU 22.04 DESKTOP


reboot

lsmod | grep vmw



########################################################

#(x)  How to Install RPM package directly on Ubuntu 22.04 #

########################################################

# sudo apt install alien -y

# sudo alien -i firefox.rpm

# sudo dpkg -i firefox_78.4.1-2_amd64.deb



#######################

#(x) Ubuntu 中文顯示設定 #

#######################

sudo locale-gen zh_TW

sudo locale-gen zh_TW.UTF-8

sudo dpkg-reconfigure locales # 拉到最下面選 zh_TW.UTF8

sudo update-locale LANG="zh_TW.UTF-8" LANGUAGE="zh_TW"





##########################

# UBUNTU Static IP  設定 #

##########################

# 一般來說在安裝系統時如果有使用到網路,

# 在 /etc/netplan 目錄下就應該會有基本的

# 設定檔,若完全沒有任何設定檔,可以使用

# 以下指令自動產生預設的設定檔:


 sudo netplan generate


# 網路介面設定檔

sudo nano /etc/netplan/01-netcfg.yaml

sudo nano /etc/netplan/0-netcfg.yaml


#內容----------------------------------------

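network:
  version: 2
  renderer: networkd  # hand the configuration to systemd-networkd
  ethernets:
    eno4:  # NIC to configure; check the real name with `ip link` (Configure below found ens33)
      addresses:
        - 192.168.12.34/24  # static address with prefix length
      routes:
        # Default gateway. `gateway4:` still works but is deprecated in
        # current netplan releases in favour of an explicit default route.
        - to: 0.0.0.0/0
          via: 192.168.12.254
      nameservers:
        search:
          - your.domain.tw  # DNS search domain (placeholder)
        addresses:  # DNS servers
          - 8.8.8.8
          - 8.8.4.4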

#--------------------------------------------------------


#測試並套用網路介面設定檔

sudo netplan try   














################################################

# Install Elasticsearch 8 on Ubuntu 20.04 LTS  #

#                                              # 

# Elasticsearch :                              #

# 為所有類型的數據提供近乎實時的搜索和分析。   #

# 無論您擁有結構化或非結構化文本、數字數據還是 #

# 地理空間數據,Elasticsearch 都可以以支持快速 #

# 搜索的方式高效地存儲和索引這些數據。         #

#                                              #

################################################

# 參考連結: https://www.fosstechnix.com/how-to-install-elasticsearch-8-on-ubuntu

## 先決條件 

# 帶有 20.04/18.04/16.04 LTS 的 Ubuntu 服務器

# Java 8 或更高版本

# 2 個 CPU 和 4 GB 內存

# 打開端口 9200

##


# Step-1 : 更新系統包

sudo apt update


# Step-2 : 安裝 apt-transport-https 包以通過 HTTPS 訪問存儲庫

sudo apt install apt-transport-https


# Step-3 : 在 Ubuntu 上安裝 OpenJDK

sudo apt install openjdk-11-jdk


#--<驗證java版本 : 輸出>---

# openjdk 11.0.14.1 2022-02-08

# OpenJDK Runtime Environment (build 11.0.14.1+1-Ubuntu-0ubuntu1.20.04)

# OpenJDK 64-Bit Server VM (build 11.0.14.1+1-Ubuntu-0ubuntu1.20.04, mixed mode, sharing)

#--------------------------

java --version


# Step-4 : 設置JAVA_HOME環境變量

##1:打開以下文件

sudo nano /etc/environment

##2:將以下變量粘貼到文件中

# JAVA_HOME="/usr/lib/jvm/java-11-openjdk-amd64"

##3:加載環境變量

source /etc/environment

##4:驗證 JAVA_HOME 變量 => 輸出:/usr/lib/jvm/java-11-openjdk-amd64

echo $JAVA_HOME







# Step-5 : 安裝 Elasticsearch 8

##1.下載並安裝公共簽名密鑰

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg


##2.將存儲庫定義保存到 /etc/apt/sources.list.d/elastic-8.x.list

echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list


##3. 下命令安裝 Elasticsearch

sudo apt-get update

sudo apt-get install elasticsearch


##4. Start the Elasticsearch service

sudo systemctl start elasticsearch


##5. Enable Elasticsearch at system startup

sudo systemctl enable elasticsearch


##6. Check the status of Elasticsearch

sudo systemctl status elasticsearch

##----<< Output: >>------------------------------------------------------------------

elasticsearch.service - Elasticsearch

     Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)

     Active: active (running) since Thu 2022-04-21 06:57:31 UTC; 9s ago

       Docs: https://www.elastic.co

   Main PID: 17266 (java)

      Tasks: 68 (limit: 4693)

     Memory: 2.3G

     CGroup: /system.slice/elasticsearch.service

             ├─17266 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.neg>

             └─17539 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller


Apr 21 06:57:12 ip-172-31-4-2 systemd[1]: Starting Elasticsearch...

Apr 21 06:57:31 ip-172-31-4-2 systemd[1]: Started Elasticsearch.

##--------------------------------------------------------------------------------



# Step-6 : 配置 Elasticsearch

##1. 更改配置文件

sudo nano /etc/elasticsearch/elasticsearch.yml


##-----------------------------

# ...Network

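# Bind to loopback only. Every later step on this page reaches Elasticsearch
# through localhost (curl localhost:9200, db.pl http://127.0.0.1:9200), so an
# all-interfaces bind (0.0.0.0) is not needed -- and with security disabled
# below it would expose an unauthenticated cluster to the whole network.
network.host: 127.0.0.1
# Single local node, no other seed hosts. Written as [] on purpose: a bare
# "discovery.seed_hosts:" would be null, not an empty list.
discovery.seed_hosts: []
# Acceptable only while the node is unreachable from other hosts. If
# network.host is ever widened, keep security on and give Arkime credentials
# instead (db.pl --esuser / --esapikey, elasticsearchAPIKey in config.ini).
xpack.security.enabled: false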

##-----------------------------


# Step-7 : 訪問 ElasticSearch

curl -X GET "localhost:9200"




# Step-8 : 卸載 Elasticsearch

https://s3.amazonaws.com/files.molo.ch/builds/ubuntu-22.04/arkime_4.2.0-1_amd64.deb





################################################

# Install Arkime 4.2.0 on Ubuntu 20.04 LTS     #

#   https://arkime.com/downloads               # 

#                                              # 

# Arkime :                                     #

#  (以前稱為 Moloch) 是一種大型、開源、索引   #

#  數據包捕獲和搜索工具                        #

#                                              #

################################################


# Fetch the 4.2.0 package straight from the Arkime S3 bucket. Nothing on this
# page verifies the download; compare it with whatever checksum/signature is
# published at https://arkime.com/downloads before installing a package that
# will run as root. (wget itself does not need sudo.)
sudo wget https://s3.amazonaws.com/files.molo.ch/builds/ubuntu-22.04/arkime_4.2.0-1_amd64.deb

sudo apt install ./arkime_4.2.0-1_amd64.deb

sudo apt --fix-broken install 


# Interactive setup. Elasticsearch 8 is already installed and running from the
# previous section, so answer "no" to the "Install Elasticsearch server locally
# for demo" prompt: answering "yes" (as in the transcript below) only downloads
# OSS 7.10.2 and fails on a package conflict with the installed elasticsearch 8.6.2.
# The "Password to encrypt S2S" value is a secret (presumably stored in the
# generated /opt/arkime/etc/config.ini); use a real passphrase, not the sample.
sudo '/opt/arkime/bin/Configure'


##--<輸出>-------------------------------------------

Found interfaces: lo;ens33

Semicolon ';' seperated list of interfaces to monitor [eth1] ens33

Install Elasticsearch server locally for demo, must have at least 3G of memory, NOT recommended for production use (yes or no) [no] yes

/usr/bin/java

Password to encrypt S2S and other things, don't use spaces [no-default] abcd1234

Arkime - Creating configuration files

Installing sample /opt/arkime/etc/config.ini

Arkime - Downloading and installing demo OSS version of Elasticsearch

--2023-03-15 11:45:58--  https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-oss-7.10.2-amd64.deb

正在查找主機 artifacts.elastic.co (artifacts.elastic.co)... 34.120.127.130, 2600:1901:0:1d7::

正在連接 artifacts.elastic.co (artifacts.elastic.co)|34.120.127.130|:443... 連上了。

已送出 HTTP 要求,正在等候回應... 200 OK

長度: 230801884 (220M) [application/octet-stream]

儲存到:‘elasticsearch-oss-7.10.2-amd64.deb’


elasticsearch-oss-7.10.2-amd64.deb             100%[=================================================================================================>] 220.11M  9.05MB/s    於 22s     


2023-03-15 11:46:22 (9.85 MB/s) - 已儲存 ‘elasticsearch-oss-7.10.2-amd64.deb’ [230801884/230801884]


選取了原先未選的套件 elasticsearch-oss。

dpkg: 關於包含 elasticsearch-oss 的 elasticsearch-oss-7.10.2-amd64.deb:

 elasticsearch-oss 衝突於 elasticsearch

  elasticsearch(版本 8.6.2)已存在且 安裝完畢。


dpkg: error processing archive elasticsearch-oss-7.10.2-amd64.deb (--install):

 套件衝突 - 不會安裝 elasticsearch-oss

處理時發生錯誤:

 elasticsearch-oss-7.10.2-amd64.deb

Arkime - Installing /etc/security/limits.d/99-arkime.conf to make core and memlock unlimited

Download GEO files? You'll need a MaxMind account https://arkime.com/faq#maxmind (yes or no) [yes] yes

Arkime - Downloading GEO files

2023-03-15 11:46:49 URL:https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv [23331/23331] -> "/tmp/tmp.5PdyEucg7C" [1]

2023-03-15 11:46:50 URL:https://raw.githubusercontent.com/wireshark/wireshark/master/manuf [2111137/2111137] -> "/tmp/tmp.eG2qOG3aNe" [1]


Arkime - Configured - Now continue with step 4 in /opt/arkime/README.txt


 4) The Configure script can install OpenSearch/Elasticsearch for you or you can install yourself

 5) Initialize/Upgrade OpenSearch/Elasticsearch Arkime configuration

  a) If this is the first install, or want to delete all data

      /opt/arkime/db/db.pl http://ESHOST:9200 init

  b) If this is an update to an Arkime package

      /opt/arkime/db/db.pl http://ESHOST:9200 upgrade

 6) Add an admin user if a new install or after an init

      /opt/arkime/bin/arkime_add_user.sh admin "Admin User" THEPASSWORD --admin

 7) Start everything

      systemctl start arkimecapture.service

      systemctl start arkimeviewer.service

 8) Look at log files for errors

      /opt/arkime/logs/viewer.log

      /opt/arkime/logs/capture.log

 9) Visit http://arkimeHOST:8005 with your favorite browser.

      user: admin

      password: THEPASSWORD from step #6


If you want IP -> Geo/ASN to work, you need to setup a maxmind account and the geoipupdate program.

See https://arkime.com/faq#maxmind


Any configuration changes can be made to /opt/arkime/etc/config.ini

See https://arkime.com/faq#arkime-is-not-working for issues


Additional information can be found at:

  * https://arkime.com/faq

  * https://arkime.com/settings

##-------------------------------------------------------------------------------------------


#...........................................

#  4) ~ 9) 說明整理後的指令如下

#

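# README steps 4)-9) collapsed into commands.
# First install only: init deletes ALL existing Arkime data in Elasticsearch
# (step 5a). The README gives init and upgrade as alternatives, not a sequence.
sudo /opt/arkime/db/db.pl http://127.0.0.1:9200 init
# When updating an existing install, run upgrade INSTEAD of init (step 5b):
#   sudo /opt/arkime/db/db.pl http://127.0.0.1:9200 upgrade
# The admin password is given on the command line, so it lands in the shell
# history and is visible in the process list while the script runs. "abcd1234"
# is the sample value typed into Configure above; use a strong, unique password
# on any real deployment.
sudo /opt/arkime/bin/arkime_add_user.sh admin "Admin User" abcd1234 --admin
sudo systemctl start arkimecapture.service
sudo systemctl start arkimeviewer.service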




################################################

# 將現有的PCAP檔案Upload到Arkime

################################################

# -----------------------------------------------------------

# 將/opt/arkime/etc/config.ini檔案中, uploadCommand 前的#取消

#    

# -----------------------------------------------------------

sudo nano /opt/arkime/etc/config.ini

sudo systemctl status arkimecapture.service arkimeviewer.service

sudo systemctl restart arkimecapture.service arkimeviewer.service






--------------------------------------------

sudo systemctl start elasticsearch

sudo systemctl enable elasticsearch

sudo systemctl status elasticsearch

sudo systemctl start arkimecapture.service

sudo systemctl start arkimeviewer.service



sudo systemctl status arkimecapture.service arkimeviewer.service

sudo systemctl restart arkimecapture.service arkimeviewer.service


# http://arkimeHOST:8005 





################################################

#  Wireshark 安裝使用 for ubuntu

################################################

sudo add-apt-repository ppa:wireshark-dev/stable

sudo apt-get update

sudo apt-get install wireshark













###############################################

#

### Arkime/db/db.pl 可執行的功能

#

###############################################

#  db.pl 


#==============================================================

## 如何重置 Arkime

#   1.讓 OpenSearch/Elasticsearch 保持運行。

#   2.關閉所有正在運行的查看器或捕獲進程,以便不記錄新數據。

#   3.要刪除存儲在 OpenSearch/Elasticsearch 中的所有 SPI 數據,

#     請使用 db.pl帶有init或 wipe命令的腳本。這兩個命令之間的

#     唯一區別是wipe保留已添加的用戶,這樣他們就不需要重新添加。

#

# Drop all SPI data in OpenSearch/Elasticsearch but keep the user index
# (init would drop the users too). Stop capture/viewer first, as step 2 says,
# so nothing is written while this runs.
sudo /opt/arkime/db/db.pl http://ESHOST:9200 wipe


#.......................
## 4. Delete the PCAP files. PCAPs are stored raw on the filesystem, so this
#     must be run on every capture machine.
# Irreversible: this removes every capture under /opt/arkime/raw. If any of it
# is still needed (e.g. as evidence), copy it elsewhere before running.
sudo /bin/rm -f /opt/arkime/raw/*




#==============================================================

## 如何啟用 OpenSearch/Elasticsearch 複製

#   打開復制將消耗節點上兩倍的磁盤空間並增加節點之間的網絡帶寬,因此請確保您確實需要復制。

#.....................................

#   a) 要更改未來的日期,請運行以下命令:

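# Future indices: rerun upgrade with --replicas. The FAQ's <http://ESHOST:9200>
# is placeholder markup; in a shell the angle brackets are parsed as
# redirections, so they must not be typed. Full path used as elsewhere on this page.
sudo /opt/arkime/db/db.pl http://ESHOST:9200 upgrade --replicas 1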


#.....................................

#   b) 要更改過去的日期而不是當前的日期,請運行以下命令:

#     PS:我們推薦第二種方案,因為它允許將當前流量寫入

#      OpenSearch/Elasticsearch 一次,並且在非高峰

#      期間將復制前一天的流量。

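# Past indices: TYPE is the rotateIndex value (hourly, hourlyN, daily, weekly,
# monthly) and NUM the number of indices to keep -- see the expire command in
# the db.pl usage below. Placeholders written without <...>, which a shell
# would treat as redirections.
sudo /opt/arkime/db/db.pl http://ESHOST:9200 expire TYPE NUM --replicas 1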













> sudo /data/moloch/db/db.pl 


#==<< 指令說明 >>====

/opt/arkime/db/db.pl [Global Options] <ESHOST:ESPORT> <command> [<command arguments>]


Global Options:

  -v                           - Verbose, multiple increases level

  --prefix <prefix>            - Prefix for OpenSearch/Elasticsearch index names

  --clientkey <keypath>        - Path to key for client authentication.  Must not have a passphrase.

  --clientcert <certpath>      - Path to cert for client authentication

  --insecure                   - Disable certificate verification for https calls

  -n                           - Make no db changes

  --timeout <timeout>          - Timeout in seconds for ES, default 60

  --esuser <user>[:<password>] - ES User and Password

  --esapikey <key>             - Same key as elasticsearchAPIKey in your Arkime config file


General Commands:

  info                         - Information about the Arkime cluster

  repair                       - Try and repair a corrupted Arkime cluster

  init [<init opts>]           - Delete ALL previous OpenSearch/Elasticsearch Arkime data and create the mappings

    --shards <shards>          - Number of shards for sessions, default is the number of data nodes

    --replicas <num>           - Number of replicas for sessions, default 0

    --refresh <num>            - Number of seconds the sessions indices use for refresh interval, default 60

    --shardsPerNode <shards>   - Number of shards per node or use "null" to let OpenSearch/Elasticsearch decide, default shards*replicas/nodes

    --hotwarm                  - Set 'hot' for 'node.attr.molochtype' on new indices, warm on non sessions indices

    --ilm                      - Use ilm (Elasticsearch) to manage

    --ism                      - Use ism (OpenSearch) to manage

  wipe [<init opts>]           - Same as init, but leaves user index untouched  (與 init 相同,但保持用戶索引不變)

  upgrade [<init opts>]        - Upgrade Arkime's mappings from a previous version or use to change settings

  expire <type> <num> [<opts>] - Perform daily OpenSearch/Elasticsearch maintenance and optimize all indices, not needed with ILM

       type                    - Same as rotateIndex in ini file = hourly,hourlyN,daily,weekly,monthly

       num                     - Number of indices to keep

    --replicas <num>           - Number of replicas for older sessions indices, default 0

    --nooptimize               - Do not optimize session indices during this operation

    --history <num>            - Number of weeks of history to keep, default 13 (要保留的歷史週數,默認為 13)

    --segments <num>           - Number of segments to optimize sessions to, default 1

    --segmentsmin <num>        - Only optimize indices with at least <num> segments, default is <segments> 

    --reverse                  - Optimize from most recent to oldest

    --shardsPerNode <shards>   - Number of shards per node or use "null" to let OpenSearch/Elasticsearch decide, default shards*replicas/nodes

    --warmafter <wafter>       - Set molochwarm on indices after <wafter> <type>

    --optmizewarm              - Only optimize warm green indices

  optimize                     - Optimize all Arkime indices in OpenSearch/Elasticsearch

    --segments <num>           - Number of segments to optimize sessions to, default 1

  optimize-admin               - Optimize only admin indices in OpenSearch/Elasticsearch, use with ILM

  disable-users <days>         - Disable user accounts that have not been active

      days                     - Number of days of inactivity (integer)

  set-shortcut <name> <userid> <file> [<opts>]

       name                    - Name of the shortcut (no special characters except '_')

       userid                  - UserId of the user to add the shortcut for

       file                    - File that includes a comma or newline separated list of values

    --type <type>              - Type of shortcut = string, ip, number, default is string

    --shareRoles <roles>       - Share to roles (comma separated list of roles)

    --shareUsers <users>       - Share to specific users (comma seprated list of userIds)

    --description <description>- Description of the shortcut

    --locked                   - Whether the shortcut is locked and cannot be modified by the web interface

  shrink <index> <node> <num>  - Shrink a session index

      index                    - The session index to shrink

      node                     - The node to temporarily use for shrinking

      num                      - Number of shards to shrink to

    --shardsPerNode <shards>   - Number of shards per node or use "null" to let OpenSearch/Elasticsearch decide, default 1

  ilm <force> <delete>         - Create ILM profile for Elasticsearch

      force                    - Time in hours/days before (moving to warm) and force merge (number followed by h or d)

      delete                   - Time in hours/days before deleting index (number followed by h or d)

    --hotwarm                  - Set 'hot' for 'node.attr.molochtype' on new indices, warm on non sessions indices

    --segments <num>           - Number of segments to optimize sessions to, default 1

    --replicas <num>           - Number of replicas for older sessions indices, default 0

    --history <num>            - Number of weeks of history to keep, default 13

  ism <force> <delete>         - Create ISM profile for OpenSearch

     Same options as ilm command above

  reindex <src> [<dst>]        - Reindex OpenSearch/Elasticsearch indices

    --nopcap                   - Remove fields having to do with pcap files


Backup and Restore Commands:

  backup <basename> <opts>     - Backup everything but sessions/history; filenames created start with <basename>

    --gz                       - GZip the files

  restore <basename> [<opts>]  - Restore everything but sessions/history; filenames restored from start with <basename>

    --skipupgradeall           - Do not upgrade Sessions

  export <index> <basename>    - Save a single index into a file, filename starts with <basename>

  import <filename>            - Import single index from <filename>

  users-export <filename>      - Save the users info to <filename>

  users-import <filename>      - Load the users info from <filename>


File Commands:

  mv <old fn> <new fn>         - Move a pcap file in the database (doesn't change disk)

  rm <fn>                      - Remove a pcap file in the database (doesn't change disk)

  rm-missing <node>            - Remove from db any MISSING files on THIS machine for the named node

  add-missing <node> <dir>     - Add to db any MISSING files on THIS machine for named node and directory

  sync-files  <nodes> <dirs>   - Add/Remove in db any MISSING files on THIS machine for named node(s) and directory(s), both comma separated


Field Commands:

  field disable <exp>          - Disable a field from being indexed

  field enable <exp>           - Enable a field from being indexed


Node Commands:

  rm-node <node>               - Remove from db all data for node (doesn't change disk)

  add-alias <node> <hostname>  - Adds a hidden node that points to hostname

  hide-node <node>             - Hide node in stats display

  unhide-node <node>           - Unhide node in stats display


OpenSearch/Elasticsearch maintenance

  set-replicas <pat> <num>              - Set the number of replicas for index pattern

  set-shards-per-node <pat> <num>       - Set the number of shards per node for index pattern

  set-allocation-enable <mode>          - Set the allocation mode (all, primaries, new_primaries, none, null)

  allocate-empty <node> <index> <shard> - Allocate a empty shard on a node, DATA LOSS!

  unflood-stage <pat>                   - Mark index pattern as no longer flooded














###############################################

#

### ${install_dir}/bin/capture 可執行的功能

#

###############################################

#  capture 


> sudo /opt/arkime/bin/capture -h


#==<< 指令說明 >>====

Usage:

  capture [OPTION?] - capture


Help Options:

  -h, --help         Show help options


Application Options:

  -c, --config       Config file name, default '/opt/arkime/etc/config.ini' (配置文件名,默認'/opt/arkime/etc/config.ini')

  -r, --pcapfile     Offline pcap file (離線pcap文件)

  -R, --pcapdir      Offline pcap directory, all *.pcap files will be processed (離線pcap目錄,所有*.pcap文件都會被處理)

  -m, --monitor      Used with -R option monitors the directory for closed files (與 -R 選項一起使用監視關閉文件的目錄)

  --packetcnt        Number of packets to read from each offline file (從每個離線文件中讀取的數據包數)

  --delete           In offline mode delete files once processed, requires --copy (在離線模式下刪除處理後的文件,需要--copy)

  -s, --skip         Used with -R option and without --copy, skip files already processed (與 -R 選項一起使用,不與 --copy 一起使用,跳過已處理的文件)

  --reprocess        In offline mode reprocess files, use the same files table entry (在離線模式下重新處理文件,使用相同的文件表條目)

  --recursive        When in offline pcap directory mode, recurse sub directories (在離線 pcap 目錄模式下,遞歸子目錄)

  -n, --node         Our node name, defaults to hostname.  Multiple nodes can run on same host (我們的節點名稱,默認為主機名。 多個節點可以在同一主機上運行)

  --host             Override hostname, this is what remote viewers will use to connect (覆蓋主機名,這是遠程查看器將用來連接的主機名)

  -t, --tag          Extra tag to add to all packets, can be used multiple times (添加到所有數據包的額外標籤,可以多次使用)

  -F, --filelist     File that has a list of pcap file names, 1 per line (包含 pcap 文件名列表的文件,每行 1 個)

  --op               FieldExpr=Value to set on all session, can be used multiple times (FieldExpr=設置所有會話的值,可以多次使用)

  -o, --option       Key=Value to override config.ini (Key=Value 覆蓋 config.ini)

  -v, --version      Show version number (顯示版本號)

  -d, --debug        Turn on all debugging (打開所有調試)

  -q, --quiet        Turn off regular logging (關閉常規日誌記錄)

  --copy             When in offline mode copy the pcap files into the pcapDir from the config file (在離線模式下將 pcap 文件從配置文件複製到 pcapDir)

  --dryrun           dry run, nothing written to databases or filesystem (空運行,沒有寫入數據庫或文件系統)

  --flush            In offline mode flush streams between files (在離線模式下刷新文件之間的流)

  --insecure         Disable certificate verification for https calls (禁用 https 調用的證書驗證)

  --nolockpcap       Don't lock offline pcap files (ie., allow deletion) (不要鎖定脫機 pcap 文件(即允許刪除)

