Step-by-Step nfsRadar Installation and Best PracticesnfsRadar is a network flow analysis and intrusion-detection tool designed to monitor traffic, identify anomalies, and help network administrators detect threats quickly. This guide provides a detailed, practical walkthrough for installing nfsRadar, configuring it for production use, and applying operational best practices to maximize effectiveness and minimize false positives.
Table of Contents
- Prerequisites and Environment Planning
- System Requirements and Supported Platforms
- Installation Options (Package, Docker, From Source)
- Initial Configuration and Secure Defaults
- Integrating with Your Network (Sensors, Collectors, and Agents)
- Rule Tuning and Threat Intelligence Feeds
- Logging, Storage, and Retention Policies
- Monitoring, Alerting, and Dashboards
- Performance Tuning and Scaling Strategies
- Backup, Upgrades, and Disaster Recovery
- Security Best Practices
- Troubleshooting Common Issues
- Example Deployment Scenarios
- Appendix: Useful Commands and Config Snippets
1. Prerequisites and Environment Planning
Before installing nfsRadar, outline your goals: threat detection, historical traffic analysis, compliance auditing, or all three. Decide where you’ll deploy—on-premises, cloud, or hybrid—and how it will integrate with existing SIEM, ticketing, and monitoring systems.
Key planning tasks:
- Identify data sources (NetFlow, sFlow, IPFIX, packet capture) and volume estimates (flows/sec).
- Determine retention requirements for raw flows and aggregated metadata.
- Establish network placement for collectors (ingress/egress, core, DMZ).
- Plan for high availability (HA) and disaster recovery (DR).
2. System Requirements and Supported Platforms
nfsRadar performance depends on flow ingestion rates, storage backend, and analysis complexity.
Minimum recommended specs for small deployments:
- CPU: 4 cores
- RAM: 8 GB
- Disk: 200 GB SSD (RAID recommended)
- OS: Ubuntu 22.04 LTS or CentOS 8/Stream
Medium to large deployments should size according to expected flows:
- CPU: 8–32 cores
- RAM: 32–256 GB
- Disk: NVMe SSDs with high IOPS; consider separate volumes for logs and databases
Networking:
- Dedicated interfaces for flow collection
- High throughput (1–10 Gbps) links between sensors/collectors and storage
Supported platforms:
- Linux (Debian/Ubuntu, Red Hat/CentOS/AlmaLinux)
- Containerized via Docker and Kubernetes
- Cloud VM images (AWS, Azure, GCP) — verify instance types for network performance
3. Installation Options
nfsRadar offers three common installation methods. Choose based on your environment and operational model.
A. Package-based Installation (Deb/RPM)
-
Add nfsRadar repository to your package manager.
-
Update package lists and install:
# Debian/Ubuntu example sudo apt update sudo apt install nfsradar -
Start and enable service:
sudo systemctl enable --now nfsradar
B. Docker Compose
- Create a docker-compose.yml defining nfsRadar, database, and any dependent services (e.g., Redis, Elasticsearch).
- Example docker-compose snippet: “`yaml version: ‘3.8’ services: nfsradar: image: nfsradar/nfsradar:latest ports:
- "8080:8080"volumes:
- ./config:/etc/nfsradar - ./data:/var/lib/nfsradarenvironment:
- NFSRADAR_DB=postgres://nfs:nfs@db:5432/nfsradardb: image: postgres:15 environment:
- POSTGRES_USER=nfs - POSTGRES_PASSWORD=nfs - POSTGRES_DB=nfsradarvolumes:
- ./pgdata:/var/lib/postgresql/data”`
- Start services:
docker-compose up -d
C. From Source
- Clone the repository and install build dependencies.
- Build and install:
git clone https://github.com/nfsradar/nfsradar.git cd nfsradar make deps make build sudo make install - Configure systemd service as provided in repo.
4. Initial Configuration and Secure Defaults
After installation, configure nfsRadar with secure defaults.
Essential settings:
- Admin credentials: change default password immediately.
- TLS: enable HTTPS for the web interface using certbot or your CA-issued certificates.
- Firewall: restrict access to the management interface to trusted IPs.
- Authentication: enable LDAP/AD or SSO (SAML/OIDC) if available.
- Database: use a dedicated DB user with least privilege; enable encryption at-rest for stored data.
Example HTTPS enable (nginx reverse proxy):
server { listen 80; server_name nfsradar.example.com; return 301 https://$host$request_uri; } server { listen 443 ssl; server_name nfsradar.example.com; ssl_certificate /etc/letsencrypt/live/nfsradar.example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/nfsradar.example.com/privkey.pem; location / { proxy_pass http://127.0.0.1:8080; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } 5. Integrating with Your Network (Sensors, Collectors, and Agents)
nfsRadar can ingest flows from various exporters and packet capture appliances.
Steps:
- Configure network devices (routers, switches, firewalls) to export flows (NetFlow v5/v9, IPFIX).
- Deploy collectors close to traffic sources to minimize packet loss.
- For encrypted or east-west traffic, consider deploying inline taps or host-based agents.
- Verify flow formats and adjust parsing templates as needed.
Verification:
- Use the nfsRadar UI or CLI to confirm active collectors and flow rates.
- Sample check:
nfsradar-cli collectors list nfsradar-cli flows stats
6. Rule Tuning and Threat Intelligence Feeds
Start with built-in detection rules, then tune to reduce false positives.
Tuning process:
- Baseline: run in detect-only mode to collect alerts without blocking.
- Whitelist: create exclusions for known benign hosts and services.
- Threshold adjustments: increase thresholds for noisy environments (e.g., DMZ).
- Seasonal tuning: review rules after major network changes (cloud migrations, mergers).
Threat intelligence:
- Integrate external TI feeds (STIX/TAXII, CSV, MISP).
- Map TI to nfsRadar rule engine fields (IP, domain, ASN).
- Schedule regular feed updates and monitor for feed quality.
7. Logging, Storage, and Retention Policies
Plan storage for both short-term hot data and longer-term cold archives.
Recommendations:
- Hot storage (recent flows/alerts): SSDs with daily backups.
- Cold storage (long-term retention): object storage (S3-compatible) with lifecycle rules to move old data to cheaper tiers.
- Retention: balance compliance vs. cost—common retention windows are 90 days (hot) and 1–2 years (cold).
Retention policy example:
- Keep raw flows 30–90 days
- Keep aggregated metadata 1–2 years
- Retain critical alerts indefinitely in compressed archive
8. Monitoring, Alerting, and Dashboards
Set up observability for nfsRadar components and flows.
Metrics to monitor:
- Flow ingestion rate (flows/sec)
- Collector packet loss
- CPU, memory, disk I/O
- Alerting rate (alerts/day)
Integrations:
- Export metrics to Prometheus + Grafana for dashboards.
- Configure alerting rules (PagerDuty, Slack, email) for high-priority events.
Example Prometheus scrape config:
- job_name: 'nfsradar' static_configs: - targets: ['nfsradar.example.com:9100'] 9. Performance Tuning and Scaling Strategies
Scale horizontally by adding collectors and analysis nodes.
Tips:
- Distribute collectors geographically and by traffic type.
- Use load balancers for web/API traffic.
- Shard databases by time ranges or tenant for multi-tenant environments.
- Use asynchronous processing and batching for heavy rule evaluation.
Common optimizations:
- Increase database connection pool sizes.
- Tune JVM (if applicable) or GC settings for analysis services.
- Optimize disk I/O with partition alignment and RAID configurations.
10. Backup, Upgrades, and Disaster Recovery
Backups:
- Regularly backup configuration, databases, and rule sets.
- Test restores quarterly.
Upgrades:
- Read release notes for breaking changes.
- Use a staging environment to validate upgrades.
- Rolling upgrades for clustered deployments to minimize downtime.
Disaster recovery:
- Document RTO/RPO targets.
- Maintain offsite copies of backups and configs.
- Automate rebuilds with IaC (Terraform, Ansible).
11. Security Best Practices
Harden nfsRadar and its environment:
- Patch OS and nfsRadar components promptly.
- Use MFA for admin accounts.
- Encrypt data at rest and in transit.
- Apply network segmentation; isolate collectors from management plane.
- Regularly audit user activity and access controls.
12. Troubleshooting Common Issues
Symptom: No flows showing
- Verify exporter configuration and IP/port.
- Check firewall rules.
- Confirm collector service is running and listening.
Symptom: High false positives
- Review recent config changes.
- Increase detection thresholds; add whitelists.
Symptom: High disk usage
- Check retention settings; run cleanup jobs.
- Offload old data to cold storage.
Useful commands:
systemctl status nfsradar nfsradar-cli health journalctl -u nfsradar -f 13. Example Deployment Scenarios
Small office:
- Single VM with Docker-compose, 4 cores, 16 GB RAM, 500 GB SSD.
- NetFlow from edge router, 30-day retention.
Enterprise:
- Multi-region collectors, central analysis cluster, Postgres cluster, S3 cold storage.
- HA for collectors, role-based access controls, LDAP SSO.
Cloud-native:
- Kubernetes deployment with StatefulSets for databases, DaemonSets for collectors on nodes, and Ingress + TLS.
14. Appendix: Useful Commands and Config Snippets
Configuration file locations:
- /etc/nfsradar/nfsradar.conf
- /var/lib/nfsradar/data
Example PostgreSQL connection string:
- postgres://nfs:[email protected]:5432/nfsradar
Health check curl:
curl -k https://nfsradar.example.com/api/v1/health This guide gives a comprehensive, practical roadmap to install, secure, and operate nfsRadar in a variety of environments. Follow the step-by-step installation method that matches your infrastructure, start with detect-only tuning, and enforce strong security and backup practices for a resilient deployment.
Leave a Reply