
Install and Configure Cacti Network Graphing Tool on RedHat / CentOS

How do I install and configure Cacti on RedHat / CentOS Linux to collect SNMP data and other metrics (system load, network link status, disk space, logged-in users, and so on) into an RRD?

From the official project site:

Cacti is a complete frontend to RRDTool, it stores all of the necessary information to create graphs and populate them with data in a MySQL database. The frontend is completely PHP driven. Along with being able to maintain Graphs, Data Sources, and Round Robin Archives in a database, cacti handles the data gathering. There is also SNMP support for those used to creating traffic graphs with MRTG.

Cacti is a network graphing tool built on RRDTool and is commonly deployed as a replacement for MRTG.

Required software

You need to install the following software on RHEL / Fedora / CentOS Linux:

  1. MySQL Server : stores Cacti's configuration and data-source definitions (the time series themselves live in RRD files).
  2. NET-SNMP server : SNMP (Simple Network Management Protocol) is the protocol Cacti uses to poll devices; the local snmpd lets Cacti graph the server itself.
  3. PHP with net-snmp module : access SNMP data from PHP.
  4. Apache / lighttpd / nginx web server : serves the PHP frontend and the graphs rendered by RRDTool.
  5. RRDTool : stores and graphs the time-series data; the cacti package pulls it in as a dependency.

Install the software

Log in as root and type the following command to install mysql, apache and php:
# yum install mysql-server mysql php-mysql php-pear php-common php-gd php-devel php php-mbstring php-cli php-snmp php-pear-Net-SMTP php-mysql httpd

Configure MySQL server

First, set the MySQL root password. A password given on the command line ends up in your shell history and is briefly visible in ps output, so run this from a root-only shell and clear the history afterwards, or use mysql_secure_installation instead:
# mysqladmin -u root password NEWPASSWORD

Create cacti MySQL database

Create a database called cacti, enter:
# mysql -u root -p -e 'create database cacti'

Create a user called cacti with a password called cactipass (or one of your choosing), enter:
# mysql -u root -p

mysql> GRANT ALL ON cacti.* TO cacti@localhost IDENTIFIED BY 'cactipass';
mysql> FLUSH privileges;
mysql> \q

Install snmpd

Type the following command to install the net-snmp daemon and utilities (the net-snmp package provides snmpd itself; net-snmp-utils provides snmpwalk and friends):
# yum install net-snmp net-snmp-utils net-snmp-libs php-snmp

Configure snmpd, open /etc/snmp/snmpd.conf
# vi /etc/snmp/snmpd.conf

Append / modify it as follows (see the snmpd.conf man page for details). Two things to check before you copy it: the com2sec line accepts the community string only from localhost, which is all a local Cacti poller needs, but "public" is the well-known default community and SNMP v1/v2c sends it in cleartext, so choose your own. The access line grants the MyRWGroup group both a read view and a write view of the whole tree (the seventh and eighth fields); a poller only reads, so set the write view to none unless you deliberately want SNMP SET from localhost. The pass line is only needed if you have a pass-through script for that OID subtree and can be omitted otherwise:

com2sec local     localhost           public
group MyRWGroup v1 local
group MyRWGroup v2c local
group MyRWGroup usm local
view all included .1 80
access MyRWGroup "" any noauth exact all all none
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root (configure /etc/snmp/snmp.local.conf)
pass . /usr/bin/ucd5820stat

Save and close the file. Turn on snmpd service:
# /etc/init.d/snmpd start
# chkconfig snmpd on

Make sure you are getting information from snmpd:
# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex

Sample output:

IP-MIB::ipAdEntIfIndex. = INTEGER: 2
IP-MIB::ipAdEntIfIndex.67.yy.zz.eee = INTEGER: 3
IP-MIB::ipAdEntIfIndex. = INTEGER: 1
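
As an added check (this script is mine, not part of the original article or of the net-snmp project), the following audits an snmpd.conf for the points raised above: a default community string, a com2sec source other than localhost, an access line whose write view is not none, and the rocommunity/rwcommunity shorthand used without a source restriction. The configuration it scans is a constructed copy of the one shown above; the hardened variant and its community string are my own suggestion, not something the article prescribes.

```bash
#!/bin/bash
# Added example, not from the original article: audit an snmpd.conf for a
# Cacti host whose only SNMP consumer is the local poller.

# Constructed copy of the configuration shown in the article.
SAMPLE_SNMPD_CONF='com2sec local     localhost           public
group MyRWGroup v1 local
group MyRWGroup v2c local
group MyRWGroup usm local
view all included .1 80
access MyRWGroup "" any noauth exact all all none
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root (configure /etc/snmp/snmp.local.conf)'

# Suggested hardened variant (assumption: the poller only needs read access;
# the community string is a placeholder, generate your own).
HARDENED_SNMPD_CONF='com2sec local localhost Xq7vPollerOnly
group MyROGroup v1 local
group MyROGroup v2c local
view all included .1 80
access MyROGroup "" any noauth exact all none none'

# audit_snmpd: read snmpd.conf on stdin, print one finding per line.
# access line fields: access GROUP CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY,
# so the write view is $8. rocommunity/rwcommunity without a third field
# answer any host that knows the string.
audit_snmpd() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    $1 == "com2sec" {
        if (tolower($4) == "public" || tolower($4) == "private")
            print "com2sec " $2 ": default community \"" $4 "\""
        if ($3 != "localhost" && $3 != "127.0.0.1" && $3 != "127.0.0.1/32")
            print "com2sec " $2 ": accepts queries from " $3
    }
    $1 == "access" && $8 != "none" {
        print "access " $2 ": write view is \"" $8 "\", a poller only needs read"
    }
    $1 == "rocommunity" || $1 == "rwcommunity" {
        if (tolower($2) == "public" || tolower($2) == "private")
            print $1 ": default community \"" $2 "\""
        if ($1 == "rwcommunity")
            print $1 ": grants write access, use rocommunity for a poller"
        if (NF < 3)
            print $1 " " $2 ": no source restriction, answers any host"
    }'
}

# count_findings CONFIG_TEXT: number of findings for the given config text.
count_findings() {
    printf '%s\n' "$1" | audit_snmpd | wc -l | tr -d ' '
}

# Usage on the live file:
#   audit_snmpd < /etc/snmp/snmpd.conf
printf '%s\n' "$SAMPLE_SNMPD_CONF" | audit_snmpd
```

Run against the article's configuration it reports the default community and the write view; the hardened variant is clean. It only parses the directives named above, so a config that uses createUser / rouser (SNMPv3) needs a manual look.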

Install cacti

First, make sure EPEL repo is enabled. Type the following command to install cacti:
# yum install cacti

Install cacti tables

Type the following command to find out cacti.sql path:
# rpm -ql cacti | grep cacti.sql

Sample output:

/usr/share/doc/cacti-0.8.7d/cacti.sql

Type the following command to install the cacti tables (you need to type the cacti user password; substitute the path printed above, since the version directory changes with the package version):
# mysql -u cacti -p cacti < /usr/share/doc/cacti-0.8.7d/cacti.sql

Configure cacti

Open /etc/cacti/db.php file, enter:
# vi /etc/cacti/db.php

Make the following changes:

/* make sure these values reflect your actual database/host/user/password */
$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "cacti";
$database_password = "cactipass";
$database_port = "3306";

Save and close the file.

Configure httpd

Open /etc/httpd/conf.d/cacti.conf file, enter:
# vi /etc/httpd/conf.d/cacti.conf

You need to update the Allow from line. Set it to your LAN subnet or to the management hosts that need the web interface; "Allow from all" exposes the Cacti login (admin / admin until you change it) and the PHP frontend to anyone who can reach the web server. The file as shipped allows 127.0.0.1 only:

# Cacti: An rrd based graphing tool
Alias /cacti /usr/share/cacti

<Directory /usr/share/cacti/>
        Order Deny,Allow
        Deny from all
        Allow from
</Directory>

Order / Deny / Allow is Apache 2.2 syntax; on Apache 2.4 the same restriction is written with Require ip. Another option is to create a /usr/share/cacti/.htaccess file and password protect the directory. Finally, restart httpd:
# service httpd restart

Setup cacti cronjob

Open /etc/cron.d/cacti file, enter:
# vi /etc/cron.d/cacti

Uncomment the line:

*/5 * * * *     cacti   /usr/bin/php /usr/share/cacti/poller.php > /dev/null 2>&1

Save and close the file.

Run cacti installer

Now cacti is ready to install. Fire up a web browser and open the URL (replace the host with your server's name or IP; the path follows the Alias set in cacti.conf):

http://your-server/cacti/

Just follow the on-screen instructions. The default username and password for cacti are admin / admin. Upon first login you will be forced to change the default password.

How do I configure SNMP data collection?

SNMP can be used to monitor server traffic. Once installed, log in to cacti.
=> Click on Devices
=> Select Localhost
=> Make sure SNMP options are selected as follows:

Fig.01: SNMP configuration

Finally, click on Save button.

How do I create SNMP graphs?

Click on “Create Graphs for this Host” link on top right side.
Select SNMP – Interface Statistics
Select a graph type (such as In/Out bytes with total bandwidth)
Finally, click on Create button.

How do I view graphs?

To view graphs click on the Graphs tab. Here are sample graphs from one of my own boxes:

Fig.02: Cacti in Action – Memory, CPU and Network Usage

Fig.03: Cacti in Action – Disk, Load average and User stats

See also Multi-CPU Utilization Graphing in Cacti.


CentOS / Redhat Iptables Firewall Configuration Tutorial

How do I configure a host-based firewall called Netfilter (iptables) under CentOS / RHEL / Fedora / Redhat Enterprise Linux?

Netfilter is the packet-filtering framework built into the Linux kernel; on RHEL / CentOS / Fedora the host-based firewall built on it is activated by default. The rules are managed with the user-space program iptables. Filtering takes place in the kernel, before any program can process the data from the network packet.

Iptables Config File

The default rule file on RHEL / CentOS / Fedora Linux is:

  • /etc/sysconfig/iptables – the saved rule set in iptables-save format; the iptables init script loads it at boot (and on service iptables start) with iptables-restore.

Task: Display Default Rules

Type the following command:

iptables --line-numbers -n -L

Sample outputs (the source and destination columns are omitted here; in the default rule set they are all 0.0.0.0/0, and rule 5, not shown, is the ESTABLISHED,RELATED accept that appears in the rule file below):

Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all --

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all --

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
num target prot opt source destination
1 ACCEPT all --
2 ACCEPT icmp -- icmp type 255
3 ACCEPT udp -- udp dpt:5353
4 ACCEPT udp -- udp dpt:53
6 ACCEPT tcp -- state NEW tcp dpt:22
7 ACCEPT tcp -- state NEW tcp dpt:53
8 REJECT all -- reject-with icmp-host-prohibited

Task: Turn On Firewall

Type the following two commands to turn on the firewall:

chkconfig iptables on
service iptables start

To restart the firewall:

service iptables restart

To stop the firewall:

service iptables stop

Understanding Firewall

The filter table has three built-in chains plus, on RHEL / CentOS, one user-defined chain:

  1. INPUT – The built-in chain for packets addressed to this system. Use it to open or close incoming ports (such as 80, 25 and 110) and to allow or block source IP addresses / subnets.
  2. OUTPUT – The built-in chain for packets generated by this system. Use it to open or close outgoing ports and destination IP addresses / subnets.
  3. FORWARD – The built-in chain for packets routed through this system to another interface. Usually used when Linux is set up as a router: for example, eth0 connected to an ADSL/cable modem and eth1 connected to the local LAN. Use the FORWARD chain to pass traffic between the LAN and the Internet.
  4. RH-Firewall-1-INPUT – A user-defined chain. The INPUT and FORWARD chains jump to it (see the -A INPUT -j RH-Firewall-1-INPUT and -A FORWARD -j RH-Firewall-1-INPUT rules below), so it holds the actual filtering rules; OUTPUT does not use it.

Packet Matching Rules

  1. Each packet starts at the first rule in the chain.
  2. Rules are checked in order; the packet proceeds down the chain until it matches one.
  3. When a rule matches, control jumps to its target. ACCEPT, DROP and REJECT are terminating: the decision is final and no later rule is consulted. LOG is not: it records the packet and evaluation continues, which is why a LOG rule is always paired with a DROP or REJECT right after it.
  4. If no rule matches, the chain's default policy (the ACCEPT or DROP shown next to the chain name in the listing above) applies.

Target Meanings

  1. The target ACCEPT means allow the packet.
  2. The target REJECT means drop the packet and send an error message back to the sending host (by default an ICMP port-unreachable, or whatever --reject-with specifies).
  3. The target DROP means drop the packet silently, without sending anything back to the sending host; the sender sees a timeout.


Edit /etc/sysconfig/iptables, enter:

# vi /etc/sysconfig/iptables

You will see the default rules as follows (the file is in iptables-save format: the *filter line opens the table, the :CHAIN lines set each built-in chain's default policy and declare the user-defined chain, and COMMIT loads everything that precedes it):

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Drop All Traffic

Find the lines that set the default policies:

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]

Update them as follows to change the default policy from ACCEPT to DROP for the INPUT and FORWARD built-in chains, so that anything not explicitly accepted by a rule is dropped (OUTPUT stays ACCEPT so the host can still originate connections):

:INPUT DROP [0:0]
:FORWARD DROP [0:0]

With the policy at DROP, the trailing REJECT rule in RH-Firewall-1-INPUT still answers unmatched packets with an ICMP error; remove it if you want silent drops instead.
Log and Drop Spoofing Source Addresses

Insert the following lines above the -A INPUT -j RH-Firewall-1-INPUT line, not merely before the final COMMIT: the RH-Firewall-1-INPUT chain ends with a catch-all REJECT, so an -A INPUT rule appended after the jump is never reached. Each address in the -s / -d position is a range that must never arrive from the Internet on eth0 (private RFC 1918 space, link-local, multicast, loopback and other reserved blocks); drop any range your eth0 legitimately sees. LOG is a non-terminating target, so every LOG rule here needs a DROP rule with the same -i and -s / -d match directly after it, otherwise the spoofed packet is recorded and then carried on into the chain. Add -m limit to the LOG rules on an exposed host so a flood cannot fill /var/log/messages:

-A INPUT -i eth0 -s -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s -j LOG --log-prefix "IP DROP MULTICAST "
-A INPUT -i eth0 -s -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -d -j LOG --log-prefix "IP DROP LOOPBACK "
-A INPUT -i eth0 -s -j LOG --log-prefix "IP DROP MULTICAST "
-A INPUT -i eth0 -s -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s -j LOG --log-prefix "IP DROP "
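
The listing above shows the LOG lines without their DROP partners and without the address ranges. The script below is an added example of mine, not from the original article, that generates both halves for each range. The ranges are my assumption about a typical bogon list for a public interface, so remove any block your interface legitimately sees (for example 10.0.0.0/8 on a host that sits behind NAT); the interface name is a parameter.

```bash
#!/bin/bash
# Added example, not from the original article: generate LOG + DROP rule
# pairs for source ranges that should never arrive on the public interface.

# Assumed bogon list (adjust for your network): "range label" per line.
BOGON_RANGES='10.0.0.0/8 SPOOF
172.16.0.0/12 SPOOF
192.168.0.0/16 SPOOF
169.254.0.0/16 SPOOF
127.0.0.0/8 SPOOF
0.0.0.0/8 SPOOF
224.0.0.0/4 MULTICAST
240.0.0.0/4 SPOOF'

# spoof_rules IFACE: print rules in /etc/sysconfig/iptables (iptables-save)
# format. LOG is non-terminating, so every LOG line is immediately followed
# by a DROP with the same -i and -s/-d match; the LOG is rate limited so a
# flood of spoofed packets cannot fill syslog.
spoof_rules() {
    iface="$1"
    printf '%s\n' "$BOGON_RANGES" | while read -r net label; do
        [ -n "$net" ] || continue
        printf '%s\n' "-A INPUT -i $iface -s $net -m limit --limit 5/minute -j LOG --log-prefix \"IP DROP $label \""
        printf '%s\n' "-A INPUT -i $iface -s $net -j DROP"
    done
    # Loopback as a destination on a real interface is always forged.
    printf '%s\n' "-A INPUT -i $iface -d 127.0.0.0/8 -m limit --limit 5/minute -j LOG --log-prefix \"IP DROP LOOPBACK \""
    printf '%s\n' "-A INPUT -i $iface -d 127.0.0.0/8 -j DROP"
}

# unpaired_logs IFACE: self-check, prints the number of LOG rules that are
# not followed by a DROP with the same match (0 means every log is enforced).
unpaired_logs() {
    spoof_rules "$1" | awk '
    { match($0, /-i [^ ]+ -[sd] [^ ]+/); key = substr($0, RSTART, RLENGTH) }
    /-j LOG/  { pending[key] = 1; next }
    /-j DROP/ { delete pending[key] }
    END { n = 0; for (k in pending) n++; print n }'
}

# Usage: paste the output into /etc/sysconfig/iptables ahead of the
#   -A INPUT -j RH-Firewall-1-INPUT line, then service iptables restart.
spoof_rules eth0
```

Because the rules match on -i, they are harmless for traffic arriving on other interfaces; if the host has several public interfaces, call the function once per interface.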

Log And Drop All Traffic

Find the lines:

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Update it as follows. LOG is non-terminating, so the DROP on the next line is what actually discards the packet; on an exposed host add -m limit --limit 5/m to the LOG rule so a port scan cannot flood syslog:

-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP

Open Port

Rules are evaluated top to bottom and the RH-Firewall-1-INPUT chain ends with a catch-all REJECT (or the LOG / DROP pair above), so a rule appended after it is never reached. Insert each of the following lines above that final REJECT / DROP rule, not merely "before COMMIT". The -m state --state NEW match is optional here because the ESTABLISHED,RELATED rule earlier in the chain already handles the replies.

To open port 80 (HTTP server):

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT

To open port 53 (DNS server), both TCP and UDP (the protocol given to -p and the match module given to -m must agree):

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 53 -j ACCEPT

To open port 443 (HTTPS server):

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT

To open port 25 (SMTP server):

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT
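
The placement rule above, and the first-match semantics described under Packet Matching Rules, are easy to get wrong when editing the file by hand. The following is an added check of mine, not from the original article: it reads a rule file in iptables-save format and lists every rule that sits after an unconditional ACCEPT / DROP / REJECT in the same chain, which is exactly the rule that can never match. The rule set embedded in it is constructed to show the mistake, with the port 80 and 25 accepts appended after the catch-all REJECT.

```bash
#!/bin/bash
# Added example, not from the original article: find rules that can never
# match because an earlier rule in the same chain is an unconditional
# terminating target (-j ACCEPT/DROP/REJECT with no match criteria).

# Constructed rule set in iptables-save format, the same layout as
# /etc/sysconfig/iptables. The last two ACCEPT rules were appended after
# the catch-all REJECT, so HTTP and SMTP stay blocked even though the
# rules "are there".
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT
COMMIT'

# unreachable_rules: read iptables-save text on stdin and print each -A rule
# that follows an unconditional terminating rule in its own chain, prefixed
# with its line number in the input. A rule is unconditional when the token
# right after the chain name is -j, i.e. it carries no -p/-s/-d/-m/-i match.
# LOG and jumps to user-defined chains are not terminating, so they do not
# shadow what follows.
unreachable_rules() {
    awk '
    /^-A / {
        chain = $2
        if (chain in dead) { print NR ": " $0; next }
        if ($3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT"))
            dead[chain] = 1
    }'
}

# count_unreachable_in RULES_TEXT: number of shadowed rules in the text.
count_unreachable_in() {
    printf '%s\n' "$1" | unreachable_rules | wc -l | tr -d ' '
}

# Usage on the live file, or on the running rule set:
#   unreachable_rules < /etc/sysconfig/iptables
#   iptables-save | unreachable_rules
printf '%s\n' "$SAMPLE_RULES" | unreachable_rules
```

The check is deliberately conservative: it only flags rules behind a rule with no match at all, so a rule shadowed by a broader-but-conditional match (for example -p tcp -j DROP ahead of -p tcp --dport 22 -j ACCEPT) is not reported and still needs a human read.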

Only allow SSH traffic From

-A RH-Firewall-1-INPUT -s -m state --state NEW -p tcp --dport 22 -j ACCEPT

Enable Printing Access For

-A RH-Firewall-1-INPUT -s -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -s -p tcp -m tcp --dport 631 -j ACCEPT

Allow Legitimate NTP Clients to Access the Server

-A RH-Firewall-1-INPUT -s -m state --state NEW -p udp --dport 123 -j ACCEPT

Open FTP Port 21 (FTP)

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

Save and close the file. For FTP you also need the FTP connection-tracking helper, which follows the PORT / PASV negotiation on the control channel so that the data connection is accepted as RELATED. Edit /etc/sysconfig/iptables-config, enter:
# vi /etc/sysconfig/iptables-config

Make sure the ftp module is in the space-separated list of modules the init script loads (the RHEL 5 name is ip_conntrack_ftp; on RHEL 6 and later kernels it is nf_conntrack_ftp):

IPTABLES_MODULES="ip_conntrack_ftp"

To restart firewall, type the following commands:
# service iptables restart
# iptables -vnL --line-numbers

Edit /etc/sysctl.conf For DoS and Syn Protection

Edit /etc/sysctl.conf to defend against certain types of attacks and append / update as follows:

net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_messages = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

See previous FAQ, “Linux Kernel /etc/sysctl.conf Security Hardening” for more details.

Alternate Configuration Option

You can skip the /etc/sysconfig/iptables file and build the rule set from a shell script instead. The copy below restores the variable definitions, the loopback and default-policy rules, the if/for bodies and the final log-and-drop rules that were missing from the listing (each restored line is marked), and uses -o rather than -i on the OUTPUT rules, since an output rule matches on the outgoing interface. Set PUB_IF and BLOCKEDIPS for your host before running it:

#!/bin/bash
# A sample firewall shell script
# --- restored: definitions the rest of the script relies on ---
IPT="/sbin/iptables"
SYSCTL="/sbin/sysctl -w"
PUB_IF="eth0"                                # assumption: interface connected to the Internet
BLOCKEDIPS="/root/scripts/blocked.ips.txt"   # assumption: one IP or CIDR per line, # comments allowed
SPAMLIST="blockedip"                         # user-defined chain holding the blocked list
SPAMDROPMSG="BLOCKED IP DROP"                # syslog prefix for hits on that list

# Stop certain attacks
echo "Setting sysctl IPv4 settings..."
$SYSCTL net.ipv4.ip_forward=0
$SYSCTL net.ipv4.conf.all.send_redirects=0
$SYSCTL net.ipv4.conf.default.send_redirects=0
$SYSCTL net.ipv4.conf.all.accept_source_route=0
$SYSCTL net.ipv4.conf.all.accept_redirects=0
$SYSCTL net.ipv4.conf.all.secure_redirects=0
$SYSCTL net.ipv4.conf.all.log_martians=1
$SYSCTL net.ipv4.conf.default.accept_source_route=0
$SYSCTL net.ipv4.conf.default.accept_redirects=0
$SYSCTL net.ipv4.conf.default.secure_redirects=0
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts=1
$SYSCTL net.ipv4.icmp_ignore_bogus_error_messages=1
$SYSCTL net.ipv4.tcp_syncookies=1
$SYSCTL net.ipv4.conf.all.rp_filter=1
$SYSCTL net.ipv4.conf.default.rp_filter=1
$SYSCTL kernel.exec-shield=1          # RHEL-specific key; other kernels report it as unknown
$SYSCTL kernel.randomize_va_space=1

echo "Starting IPv4 Firewall..."
# restored: flush the filter table too, otherwise re-running the script appends a second copy of every rule
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

# load modules (ip_conntrack is the RHEL 5 name; newer kernels use nf_conntrack)
modprobe ip_conntrack

# read the blocked list, skipping comments and blank lines
[ -f "$BLOCKEDIPS" ] && BADIPS=$(grep -Ev "^#|^$" "${BLOCKEDIPS}")

# Unlimited traffic for loopback (restored)
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# DROP all incoming traffic by default (restored); everything below is an exception to this
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

if [ -f "${BLOCKEDIPS}" ]; then
    # create a new iptables list and send all INPUT through it first (restored)
    $IPT -N $SPAMLIST
    $IPT -I INPUT -j $SPAMLIST
    for ipblock in $BADIPS; do
        $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG "
        $IPT -A $SPAMLIST -s $ipblock -j DROP
    done
fi

# Block new connections that do not start with SYN
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP
# Block Fragments
$IPT -A INPUT -i ${PUB_IF} -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
$IPT -A INPUT -i ${PUB_IF} -f -j DROP
# Block bad stuff (impossible TCP flag combinations used by scanners)
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP # SYN+FIN
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Allow full outgoing connection but no incoming stuff (restored)
$IPT -A INPUT -i ${PUB_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow ssh
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 22 -j ACCEPT
# Allow http / https (open port 80 / 443)
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 80 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 443 -j ACCEPT
# allow incoming ICMP ping pong stuff
$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow port 53 tcp/udp (DNS Server)
$IPT -A INPUT -i ${PUB_IF} -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Open port 110 (pop3) / 143 (imap)
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 110 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 143 -j ACCEPT

##### Add your rules below ######

##### END your rules ############

# Do not log smb/windows sharing packets - too much logging
$IPT -A INPUT -p tcp -i ${PUB_IF} --dport 137:139 -j REJECT
$IPT -A INPUT -p udp -i ${PUB_IF} --dport 137:139 -j REJECT

# log everything else and drop (restored); the limit keeps a scan from flooding syslog
$IPT -A INPUT -i ${PUB_IF} -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Unmatched Drop "
$IPT -A INPUT -i ${PUB_IF} -j DROP
exit 0