Joseph Jude

Installing MozDef on AWS

Mozilla Defense Platform (MozDef) is an open source platform created by Mozilla with the goal of automating security incident handling. Under the hood, it is a collection of tools like nginx, rabbitmq, elasticsearch and so on, so installing MozDef means installing each of these components and configuring them to talk to each other. This is laborious, and if you are on an unreliable-bandwidth connection, as in India, it is frustrating.

Thankfully, the MozDef team has dockerized the platform. They have also posted instructions to install it on AWS. I tried it and it went smoothly. I'm detailing the same installation process with images; hopefully it is helpful for others.

The installation process can be divided into the following steps:

  1. Choose an AMI
  2. Create security rules
  3. Create ssh keys for login
  4. Install dockerized MozDef

1. Choose an AMI

The installation instructions indicate an Ubuntu base image for MozDef. You could search for an image from the AWS EC2 dashboard, but the Ubuntu Cloud Image Locator is much more user-friendly. It allows you to filter the list of images by parameters like version, architecture and type. Click the AMI-ID in the search results to navigate to the AWS console and proceed to launch the VM.

Ubuntu Cloud Image Locator

MozDef has many memory-intensive tools. It requires at least a t2.small to run smoothly (I tried a t2.micro as it comes within the free tier; though installation was smooth, it threw an 'out of memory' error for every command).

Choose AMI Type

2. Create security rules

When you click 'Review and launch', the AWS console will take you to a screen to select security groups. The default security group opens all ports to the public. This is OK for quick testing for a few minutes; for anything longer than 10 minutes, you should define inbound rules. Create a security group that defines rules for SSH login and for the MozDef components: kibana, REST API, meteor and ES.

AWS Security Rules

Define four 'Custom TCP Rule' entries, one for each MozDef component. The ports are 9090, 3000, 9200 and 8081. Select 'Anywhere' as the source; this populates the IP address as 0.0.0.0/0.

Define an SSH type rule for SSH login. Select 'Custom IP' as the source; you need to provide the IP from which you will log in. Find your public IP and enter it there. If you are on a home broadband network, your public IP changes every time you connect to the internet, so you will need to update this SSH rule every time.

3. Create SSH keys

Create SSH keys for password-less login. If you already have SSH keys for other AWS EC2 instances, you can use those too.

AWS SSH Keypair

For ease of remembering, I copy this file to ~/.ssh (on Mac). Change the access permission on this file with chmod 400 awskey.pem, where awskey.pem is the filename.

Now 'Launch' this instance.

4. Install dockerized MozDef

Once the instance is launched, you can log in to it to install MozDef. SSH into the instance from a terminal, using the SSH key you downloaded in the earlier step.

ssh -i ~/.ssh/awskey.pem ubuntu@54.69.176.69

Use the full path to the private key file; I have stored it at ~/.ssh. ubuntu is the login name for the instance, followed by the IP address of the instance. The public IP of the instance is displayed when you select the instance.

Once you have successfully SSHed into the AWS instance, issue the following commands one by one.

sudo apt-get update
sudo apt-get install git
git clone https://github.com/jeffbryner/MozDef.git

The Docker files for MozDef are now in the /home/ubuntu/MozDef directory.

You need to change the settings.js file to match your install: vim /home/ubuntu/MozDef/docker/conf/settings.js. My settings.js looks like this:

mozdef = {
  rootURL: "http://54.69.176.69",
  port: "3000",
  rootAPI: "http://54.69.176.69:8081",
  kibanaURL: "http://54.69.176.69:9090",
  enableBlockIP: true,
  enableClientAccountCreation: true
}
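The security-group ports from step 2 and this settings.js describe the same instance, so they should agree. The following Python script is an added example, not part of the original post or of MozDef: it builds the step-2 ingress rules and the settings.js above from one port table, prints the equivalent aws CLI commands instead of running them, and cross-checks that every port settings.js points at is actually opened. The security-group id and the admin IP are placeholders you supply.

```python
import ipaddress
import re

# Public-facing MozDef components and their ports, as listed in step 2 of the post.
MOZDEF_PORTS = {"kibana": 9090, "meteor": 3000, "elasticsearch": 9200, "rest_api": 8081}


def ingress_rules(admin_ip):
    """Return (port, cidr, label) tuples: SSH pinned to one /32, app ports to Anywhere."""
    # Accept only a single IPv4 host; a bad or wildcard value raises instead of
    # silently producing an SSH rule that is open to the whole internet.
    ip = ipaddress.ip_address(admin_ip)
    if ip.version != 4 or ip.is_unspecified:
        raise ValueError("admin_ip must be a single IPv4 address")
    rules = [(22, f"{ip}/32", "ssh")]
    rules += [(port, "0.0.0.0/0", name) for name, port in MOZDEF_PORTS.items()]
    return rules


def aws_cli_commands(sg_id, admin_ip):
    """aws CLI equivalents of the console clicks in step 2 (sg_id is a placeholder)."""
    return [
        f"aws ec2 authorize-security-group-ingress --group-id {sg_id} "
        f"--protocol tcp --port {port} --cidr {cidr}"
        for port, cidr, _ in ingress_rules(admin_ip)
    ]


def render_settings_js(public_ip):
    """settings.js in the shape shown in the post, ports taken from MOZDEF_PORTS."""
    base = f"http://{public_ip}"
    return (
        "mozdef = {\n"
        f'  rootURL: "{base}",\n'
        f'  port: "{MOZDEF_PORTS["meteor"]}",\n'
        f'  rootAPI: "{base}:{MOZDEF_PORTS["rest_api"]}",\n'
        f'  kibanaURL: "{base}:{MOZDEF_PORTS["kibana"]}",\n'
        "  enableBlockIP: true,\n"
        "  enableClientAccountCreation: true\n"
        "}\n"
    )


def unreachable_ports(settings_js, rules):
    """Ports referenced in settings.js that no ingress rule opens (expect an empty list)."""
    opened = {port for port, _, _ in rules}
    referenced = {int(p) for p in re.findall(r'(?:port: "|:)(\d{2,5})"', settings_js)}
    return sorted(referenced - opened)
```

Run aws_cli_commands with your own group id and public IP, then write render_settings_js output to docker/conf/settings.js.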

Now you need to install Docker. Refer to Docker Installation for Ubuntu for detailed instructions. First add Docker's apt signing key:

sudo apt-key adv --keyserver hkp://pgp.mit.edu:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D

Add docker repository:

sudo vim /etc/apt/sources.list.d/docker.list

Add this line.

deb https://apt.dockerproject.org/repo ubuntu-trusty main

This is for ubuntu-trusty. If you use another version, refer to the Docker installation guide for the repository details. Save and close the file (Esc, :wq).

Now install Docker by issuing these commands (docker-engine is the Docker daemon package itself; install it once the instance is back up after the reboot):

sudo apt-get update
sudo apt-cache policy docker-engine
sudo apt-get install linux-image-generic-lts-trusty
sudo reboot
sudo apt-get install docker-engine

Now Docker is installed. It's time to build the MozDef Docker image. Issue these commands one by one.

cd MozDef/docker
sudo apt-get install make
sudo make build

This build will take some time as it retrieves and installs every package, but it won't take days as it might on your laptop.

At the end you should see a message like: Successfully built e8e075e66d8d (the docker image id will differ for you).

You need to install dkenter (a small wrapper around nsenter) to enter the running container to control services and change settings. Issue these commands to build nsenter:

sudo apt-get install gcc
cd /tmp
curl https://www.kernel.org/pub/linux/utils/util-linux/v2.24/util-linux-2.24.tar.gz | tar -zxf -
cd util-linux-2.24
./configure --without-ncurses
make nsenter
sudo cp nsenter /usr/local/bin

Create the dkenter wrapper script.

sudo vim /usr/local/bin/dkenter

Enter this.

#!/bin/bash
# dkenter <container>: join the namespaces of a running container
set -eu
CNAME="${1:?usage: dkenter <container name or id>}"
CPID=$(docker inspect --format '{{ .State.Pid }}' "$CNAME")
# Pid is 0 when the container exists but is not running
[ "$CPID" -gt 0 ] || { echo "$CNAME is not running" >&2; exit 1; }
nsenter --target "$CPID" --mount --uts --ipc --net --pid

Save and close the file.

Make it executable: sudo chmod +x /usr/local/bin/dkenter.

Now get into the container and start all the services (screen keeps the session alive if your SSH connection drops).

cd && cd MozDef/docker/
screen
sudo make run

Once inside the container, issue this command.

/etc/init.d/supervisor start

Now all the services are up. From your host machine (Mac), browse to http://your_ami_instance_ipaddress:3000 (for me it was http://54.69.176.69:3000).

If all went well, now you will see the MozDef screen. Go defend your systems.


Installing #MozDef on AWS by @jjude: https://t.co/1R40u1YtfG

— Joseph Jude (@jjude) December 17, 2016