查看“模板:Lucid/NetworkAdmin”的源代码

= Network Monitors =
There are two types of network monitors: those that monitor your own system's network settings and those that monitor network traffic. The latter includes security tools (that can also be used as hackers tools) for exposing security weaknesses in a network. Be aware and be safe! A list of available tools is at [http://www.ubuntu-unleashed.com/2008/06/top-security-tools-in-ubuntu.html Top Ubuntu Security Tools].

=== Netstat ===
[http://www.faqs.org/docs/linux_network/x-087-2-iface.netstat.html Netstat] is the Linux command-line tool to monitor network status and functions. There are many usage parameters. See the manual for help.
 netstat

=== Etherape (Network monitoring) ===
[http://etherape.sourceforge.net/ EtherApe] is a graphical utility that allows you to see (in real-time) where connections are being made on your network, or between your network (or computer) and the Internet. If you are experiencing unexpected network activity on your computer or LAN and wish to see where the activity is occurring, this is an easy tool to use. Both "local" user and "root user" installations are created; in general you must use the root user installation to see all your network traffic.
 sudo apt-get install etherape

=== List open files ===
Sometimes you will see your network slowing and want to know which files are sending data over ports. Use this command:
 lsof -i -n -P

=== Nmap ===
[http://nmap.org/ Nmap] is a free open source utility for network exploration (including showing open ports and running services) and security auditing. Install:
 sudo apt-get install nmap

Scan your own PC:
 nmap localhost

(Once you have found out which ports are open, use a [[#Firewall|firewall]] to close the ones you don't want open.)

==== Nmap GUI ====
Install:
 sudo apt-get install nmapfe

:or you can try Zenmap:
 sudo apt-get install zenmap

=== Nessus ===
[http://www.nessus.org Nessus] is a proprietary comprehensive vulnerability scanning suite that is free for personal, non-enterprise usage. See the website for details.

=== Snort ===
[http://www.snort.org/ Snort] is the de facto open source standard for intrusion detection. Install:
 sudo apt-get install snort

It can be used with an MySQL database (sudo apt-get install snort-mysql) or with a PostgreSQL database (sudo apt-get install snort-pgsql).

==== AcidBase ====
[http://secureideas.sourceforge.net/ AcidBase] is an intrusion detection / basic analysis and security engine that uses Snort. Install:
 sudo apt-get install acidbase

=== Munin ===
[http://munin-monitoring.org/wiki/LinuxInstallation Munin] is a network resource monitoring tool in which a master network node queries other network resources, cataloging and graphically displaying changes. [http://munin-monitoring.org/wiki/LinuxInstallation Install]:
 sudo apt-get install munin

=== AppArmor ===
[http://en.opensuse.org/AppArmor AppArmor] is a set of security enhancements developed by Novell for SUSE Linux. It is installed in (K)ubuntu by default.

==== Disable AppArmor ====
AppArmor can prevent some services from running as expected and cannot be used in conjunction with SELinux. To disable it:
 /etc/init.d/apparmor stop
 update-rc.d -f apparmor remove
 apt-get remove apparmor apparmor-utils

=== SELinux ===
[http://www.nsa.gov/selinux/info/faq.cfm SE Linux] (Security Enhanced Linux) is an NSA (US National Security Administration) recommended set of tools for enhanced security in Linux systems. It enforces strict access controls (privileges) and is meant for mission-critical installations. It is not suitable for the casual desktop user. It was first available in Hardy Heron and is being updated for Intrepid Ibex. It is not compatible with AppArmor (which must first be removed).
 sudo apt-get install selinux

= Network Management =
Monitor your network or datacenter with a framework of utilities. Comparable to IBM Tivoli (which can cost thousands of dollars), these solutions are generally available as either community or enterprise editions. 
*[http://www.hyperic.com/products/open-source-systems-monitoring.html Hyperic] is an open-source network monitoring framework that can be used in either a datacenter or a cloud environment (it is used for Amazon Cloud). Both a free community version and a subscription enterprise version are available.
*[http://www.groundworkopensource.com/community/community-edition.html Groundwork OpenSource] offers a community edition that integrates other packages such as Nagios, Nmap, and others. There is a subscription enterprise version as well. It has its roots in a university setting.
*[http://www.openqrm.com/ OpenQRM] is the GPL-licensed, free open-source community successor to the very popular network monitoring solution Qlusters. It is [http://sourceforge.net/project/showfiles.php?group_id=153504 available] as a Debian/Ubuntu package. See the website for details.
*Canonical offers the [http://www.canonical.com/projects/landscape Landscape] network management service for $150 per node, with a free trial available.
*[http://www.zenoss.com/ Zenoss] is a commercial network monitoring subscription package (about $150/node) with a limited free "core" edition also available.

=== Nagios ===
[http://www.nagios.org/ Nagios] is a free open source network monitoring solution. It is available as a [http://packages.ubuntu.com/search?keywords=nagios&searchon=names&suite=intrepid&section=all package installation in Ubuntu]. It is administered from a web interface (<nowiki>http://localhost/nagios</nowiki>) and is expandable using a large number of available plugins. Install:
 sudo apt-get install nagios3

=== Cacti Monitoring Server ===
[http://www.cacti.net/ Cacti] is a complete, free open source network graphing solution designed to harness the power of [http://oss.oetiker.ch/rrdtool/ RRDTool]’s data storage and graphing functionality. Cacti provides a fast poller, advanced graph templating, multiple data acquisition methods, and user management features out of the box. It uses MySQL and PHP (part of the LAMP server stack). All of this is wrapped in an intuitive, easy to use interface that makes sense for LAN-sized installations up to complex networks with hundreds of devices. For more info see [http://www.ubuntugeek.com/install-and-configure-cacti-monitoring-tool-in-ubuntu-810-intrepid-ibex-server.html Cacti Server Setup].

== Enterprise Network Firewall ==
=== IPCop ===
[http://www.ipcop.org IPCop] is a free open source (GPL-licensed) firewall solution for use as an independent appliance (on a dedicated PC) in an enterprise network. It allows remote management and can protect multiple servers, including web and email servers. IPSec-based OpenVPN is supported. The CD image .iso and other files can be downloaded [http://sourceforge.net/project/showfiles.php?group_id=40604&package_id=35093 here]. Installation instructions are on the website.

=== SmoothWall ===
[http://www.smoothwall.org/ SmoothWall Express] is an award-winning, free, open source (with a GPL license) firewall solution for use as an independent appliance (on a dedicated PC) in an enterprise network. Download the installation CD .iso image [http://www.smoothwall.org/get/ here] (server OS included), burn onto a CD, and install on a new, dedicated PC. Many features, however, such as VPN server, database access authentications, and content filtering are only implemented in a commercial version, however, and are not available in the community version.

=== Endian ===
[http://www.endian.com/en/community/about/ Endian] is a very robust, free, open source universal threat management appliance similar to IPCop and Smoothwall. It also incorporates OpenVPN. Like Smoothwall, Dansguardian is used for content filtering (and is included in the community edition). Commercial and hardware versions with some additional features, automatic updates, and professional support are available. See the website for details.

= LTSP (Thin client support) =
[http://www.ltsp.org/ LTSP] (the Linux Terminal Server Project) adds [http://en.wikipedia.org/wiki/Thin_client thin-client] support to Linux servers. The package is free, GPL-licensed, and the client can be used to run programs on either Linux or Windows LTSP servers. There is a module for classroom management (ltsp-controlaula) as well. Installation instructions are [https://help.ubuntu.com/community/UbuntuLTSP/LTSPQuickInstall here]. The alternate LiveCD can also be used to install a terminal server, as indicated in [http://www.ubuntu.com/products/whatisubuntu/serveredition/technologies/ltsp these instructions].
=== LTSP Server ===
Install:
 sudo apt-get install ltsp-server ltsp-manager

=== LTSP Client ===
Install:
 sudo apt-get ltsp-client

=== iTALC (Thin client for Education) ===
[http://italc.sourceforge.net/ iTALC] is a free, open source (GPL-licensed) thin client solution that supports both (K)Ubuntu Linux and Windows XP. It has been used widely in educational settings to monitor, share, and control multiple workstations. See the website for download and installation instructions.

== Internet Cafe software ==
Internet Cafe (or CyberCafe) software is specialized LAN-administration software that includes time usage monitoring, billing, and administration. It can also be used in schools, libraries, and organizations with multiple monitored workstations requiring usage limits.

=== OutKafe ===
[http://outkastsolutions.co.za/outkast/index.php?option=com_openwiki&id=outkafe OutKafe] is a free, open-source, GPL-licensed cybercafe solution based on a postgreSQL database server stack. It is run on hundreds of sites. It is GTK-based but can be run with Kubuntu (KDE).

=== OpenKiosk ===
[http://openkiosk.sourceforge.net/ OpenKiosk] is a free open source multi-platform server/client solution for administering and monitoring groups of workstations, such as in libraries, school labs, and internet cafes. Installation is from source files. See the website for details.

=== CafePilot ===
[http://www.dijitanix.com/ CafePilot] is a free multi-platform Java-based server/client solution for real-time monitoring and billing of Cybercafe workstations. A complete custom Ubuntu-based LiveCD server/multiple-client solution (including OS and many applications for unlimited workstations) is available for $100 [http://www.dijitanix.com/index.php/cucci here].

=== Miscellaneous solutions ===
[http://ask.slashdot.org/story/10/04/11/188217/What-Advice-For-a-Single-Parent-As-Server-Admin?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2FslashdotLinux+%28Slashdot%3A+Linux%29 This thread] discusses several other solutions, including:
*[http://www.untangle.com/ Untangle]
*[http://m0n0.ch/wall/ m0n0wall]
*[http://clearfoundation.com ClearOS]

=== Pessulus (Lockdown Editor) ===
Pessulus is a GTK (Gnome)-based utility that allows an a computer administrator to restrict acccess to several administrative functions, including the command-line Terminal and many other functions. This is useful on public kiosk PCs, for example. Install:
 sudo apt-get install pessulus

= Cluster (cloud) computing =
[http://eucalyptus.cs.ucsb.edu/ Eucalyptus] is a project from University of California Santa Barbara to facilitate cluster computing on Ubuntu servers that have [[#Xen virtual machine host|Xen]] enabled. It has been included in the Lucid Lynx server edition. See the website for details.

=== A warning about distributed computing ===
Cloud computing is often mistaken for remote hosting. While cloud computing using public hosts may be beneficial in "farming out" a few of your non-sensitive computing needs, the recent ease of cloning filesystems and the promiscuity of datacenters has placed a great deal of sensitive data at risk when databases and critical server functions themselves are remotely hosted at a site not under your complete control. Even "trusted" banks and other large businesses routinely trade and sell our sensitive "private" data to multiple partners (sometimes for profit and sometimes unwittingly). Hosted servers are compromised on a daily basis and it is not very easy for an end customer to know how effective are the security practices of a remote hosting service. Therefore, it is almost always more secure to host your own server(s) in house and to limit the traffic and access to your databases and servers to members of your own organization. Learning how to run your own servers is worth the effort, and powerful hardware on which to run them is inexpensive these days.

The Ubuntu cloud computing environment allows you to recruit the multiple computers within your own organization for distributed ("cloud") computing and thereby keep it all "in house" (behind secure firewalls). You do not need to expose your organization to insecure remote public hosts in order to use cloud computing.