Networking Azure

ntopng on Ubuntu 24.04 on Azure User Guide

| Product: ntopng on Ubuntu 24.04 LTS on Azure

Overview

ntopng is a high speed, web based network traffic monitor: the next generation of the original ntop. It captures traffic directly from a network interface, identifies applications and protocols with deep packet inspection (nDPI), and presents per host and per flow statistics, top talkers, alerts and historical trends through an interactive web dashboard. It can also act as a flow collector for NetFlow, sFlow and IPFIX exported by routers, switches and firewalls. The cloudimg image serves the ntopng community edition (GPL-3.0) on a hardened, fully patched Ubuntu 24.04 LTS base, with its mandatory Redis backing store already installed and wired up, so the dashboard is monitoring traffic the moment the VM boots.

The image is secure by default. A stock ntopng install ships with the well known admin / admin login; the cloudimg image does not. No usable credential is baked into the image, and a one shot first boot service generates a unique administrator password on every VM's first boot and records it on the VM for you. Backed by 24/7 cloudimg support.

What is included:

  • ntopng community edition (GPL-3.0), installed from the official ntop apt repository, managed by systemd
  • The web UI on :3000 (HTTP; front it with a reverse proxy and TLS for production)
  • Redis as the mandatory in-memory backing store on 127.0.0.1:6379
  • No default admin / admin login: a unique admin password is generated on first boot
  • Deep packet inspection (nDPI) for Layer-7 application and protocol detection
  • Real time and historical per host and per flow traffic analysis, top talkers and alerts
  • Flow collection for NetFlow, sFlow and IPFIX
  • redis-server.service and ntopng.service as enabled systemd units
  • ntopng-firstboot.service that rotates the admin password per VM
  • 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a sensible starting point; size up for busier links or larger flow volumes. NSG inbound: allow 22/tcp from your management network and 3000/tcp for the web UI. Restrict 3000/tcp to trusted networks in production, since it is the administrative interface, and place TLS in front of it for encrypted access.

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for ntopng by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22), then add a custom rule for 3000. Review the defaults, then Review + create then Create.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name ntopng \
  --image <marketplace-image-urn> \
  --size Standard_B2s \
  --admin-username azureuser \
  --generate-ssh-keys \
  --public-ip-sku Standard

Then open the web UI port:

az vm open-port --resource-group <your-rg> --name ntopng --port 3000 --priority 900

Step 3 - Confirm the services are running

SSH in as azureuser and confirm that Redis and ntopng are active. ntopng requires Redis as its backing store, so both run as enabled systemd units; ntopng listens on port 3000 and Redis on loopback port 6379.

systemctl is-active redis-server ntopng ntopng-firstboot
sudo ss -tlnp | grep -E ':3000 |:6379 ' | awk '{print $1, $4}'

The redis-server, ntopng and ntopng-firstboot services active, with ntopng listening on port 3000 and Redis on loopback port 6379

Step 4 - Retrieve your per-VM admin password

The cloudimg image ships with no usable login. On the first boot of every VM, ntopng-firstboot.service generates a unique administrator password, stores it in Redis and records it in a root only credentials file. Read it with sudo:

sudo cat /root/ntopng-credentials.txt

The file records the username (admin), the generated password, the port and the URL that points at this VM's own address. Keep it safe, and change the password from the UI once you are signed in if you prefer.

The per-VM ntopng credentials file (0600, root only) showing the admin username, the generated password redacted, the port and the instance URL

Step 5 - Sign in to the traffic dashboard

Browse to http://<vm-public-ip>:3000/ and sign in as admin with the password from the credentials file. ntopng opens on its traffic dashboard: top flow talkers, top local and remote hosts, top applications and a live traffic classification, all updating in real time from the monitored interface.

The ntopng traffic dashboard showing top flow talkers, top hosts, top applications and traffic classification updating in real time

Step 6 - Explore the host inventory

Open Hosts from the left navigation to see every host ntopng has observed on the monitored interface, with per host traffic totals, throughput, the applications each host is using and an activity breakdown. Select any host to drill into its flows, ports, protocols and historical activity.

The ntopng hosts inventory listing every observed host with per host traffic, throughput and application breakdown

Step 7 - Inspect live flows with Layer-7 detection

Open Flows to watch active connections in real time. Each flow shows the client and server, the Layer-7 application detected by nDPI (for example TCP:SSH or TCP:HTTP), a risk score, duration and throughput. Use the filters at the top to narrow by host, protocol, application or traffic type.

The ntopng live flows table showing active connections with nDPI application detection, risk scores, duration and throughput

Step 8 - Review interface statistics

Open Interface to see the monitored interface's overall statistics: packet and byte counters, traffic distribution by protocol, throughput over time and interface level charts. This is the top down view of everything crossing the interface ntopng is watching.

The ntopng interface statistics view showing packet and byte counters, protocol distribution and throughput charts for the monitored interface

Step 9 - Verify the stack

Confirm the ntopng community version, that the binary reports its build, and that the Redis backing store answers:

dpkg-query -W -f='${Version}\n' ntopng
ntopng --version | head -3
redis-cli ping

The installed ntopng community version, the ntopng build banner and the Redis backing store answering PONG

Step 10 - Confirm the secure-by-default login

You can prove from the command line that only your per-VM credential works and that the stock admin / admin login has been disabled. The per-VM password authenticates against the ntopng REST API and returns 200; the default admin / admin is rejected and redirects to the login page (302):

curl -s -o /dev/null -w 'per-VM admin -> HTTP %{http_code}\n' -u 'admin:<ADMIN_PASSWORD>' http://127.0.0.1:3000/lua/rest/v2/get/ntopng/interfaces.lua
curl -s -o /dev/null -w 'default admin/admin -> HTTP %{http_code}\n' -u admin:admin http://127.0.0.1:3000/lua/rest/v2/get/ntopng/interfaces.lua

The per-VM admin credential authenticating against the ntopng REST API with HTTP 200, and the default admin/admin login rejected with HTTP 302

Step 11 - Choose the monitored interface (optional)

By default ntopng monitors the VM's primary network interface. To change which interface or interfaces it watches, edit /etc/ntopng/ntopng.conf (the -i= line), then restart the service:

sudo systemctl restart ntopng

To collect flows exported by other devices instead of, or in addition to, live capture, add a collector interface such as -i=tcp://0.0.0.0:6343 for sFlow or a zmq endpoint, and open the corresponding NSG port.

Security notes

  • The web UI serves on port 3000 over plain HTTP. Restrict 3000/tcp in the NSG to trusted networks, place a reverse proxy with TLS in front of it for encrypted access, and consider putting the UI behind your own VPN.
  • The image ships with no usable login. A unique admin password is generated on first boot and stored in the root only file /root/ntopng-credentials.txt; the stock admin / admin login is disabled. Change the password from the UI after first sign in, and create additional per user accounts as needed.
  • ntopng captures traffic on the interface it monitors. Deploy it where it can see the traffic you care about (for example a mirrored or SPAN port, or as a flow collector), and be mindful of the privacy implications of packet inspection on your network.
  • Keep the VM patched. The image ships fully patched with unattended security upgrades enabled.

Support

cloudimg images come with 24/7 support. If you have any questions about this ntopng image or need help with your deployment, contact us through the cloudimg website.