Skip to content

Instantly share code, notes, and snippets.

@2xyo

2xyo/install.md

Created July 28, 2015 14:16
Show Gist options
  • Save 2xyo/135a6935eadd55324d54 to your computer and use it in GitHub Desktop.
Save 2xyo/135a6935eadd55324d54 to your computer and use it in GitHub Desktop.
Download ZIP
Malware Information Sharing Platform MISP - Debian 8 - nginx
Raw
install.md

INSTALLATION INSTRUCTIONS

for debian 8

1/ Minimal ubuntu install

Install a minimal Debian 8 (debian-8.1.0-amd64-netinst.iso) system with the software:

  • SSH Server
  • Standard system utilities

Login as root

apt install postfix

  • Postfix Configuration: Satellite system

2/ Dependencies *

Once the system is installed you can perform the following steps as root:

Because vim is just so practical

apt install vim

Install the dependencies:

apt install zip php-pear git redis-server make python-dev python-pip libxml2-dev libxslt-dev zlib1g-dev php5-dev php5-fpm php5-mysql nginx-full curl sudo pear install Crypt_GPG # we need version >1.3.0 pear install Net_GeoIP

3/ MISP code

Download MISP using git in the /var/www/ directory.

cd /var/www/ git clone https://github.com/MISP/MISP.git

Make git ignore filesystem permission differences

cd /var/www/MISP git config core.filemode false

Upgrade pip - See pypa/pip#2686

python -m pip install --upgrade --force setuptools python -m pip install --upgrade --force pip

install Mitre's STIX and its dependencies by running the following commands:

cd /var/www/MISP/app/files/scripts

/usr/local/bin/pip install git+git://github.com/CybOXProject/[email protected]#egg=cybox /usr/local/bin/pip install git+git://github.com/STIXProject/[email protected]#egg=stix

4/ CakePHP

CakePHP is now included as a submodule of MISP, execute the following commands to let git fetch it:

cd /var/www/MISP git submodule init git submodule update

Once done, install CakeResque along with its dependencies if you intend to use the built in background jobs:

cd /var/www/MISP/app curl -s https://getcomposer.org/installer | php php composer.phar require kamisama/cake-resque:4.1.2 php composer.phar config vendor-dir Vendor php composer.phar install

CakeResque normally uses phpredis to connect to redis, but it has a (buggy) fallback connector through Redisent. It is highly advised to install phpredis

pecl install redis apt install php5-redis

After installing it, enable it in your php.ini file

echo "extension=redis.so" >> /etc/php5/fpm/php.ini

To use the scheduler worker for scheduled tasks, do the following:

cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php

5/ Set the permissions

Check if the permissions are set correctly using the following commands as root:

chown -R www-data:www-data /var/www/MISP chmod -R 750 /var/www/MISP chmod -R g+ws /var/www/MISP/app/tmp chmod -R g+ws /var/www/MISP/app/files chmod -R g+ws /var/www/MISP/app/files/scripts/tmp

Install database

apt install mariadb-server

configure root password

6/ Create a database and user

Enter the mysql shell

mysql -u root -p

MariaDB [(none)]> create database misp; MariaDB [(none)]> grant usage on . to misp@localhost identified by 'XXXXXXXXX'; MariaDB [(none)]> grant all privileges on misp.* to misp@localhost ; MariaDB [(none)]> exit

cd /var/www/MISP

Import the empty MySQL database from MYSQL.sql

mysql -u misp -p misp < INSTALL/MYSQL.sql #enter the password you set previously

7/ nginx/PHP configuration -----------------------# Now configure your apache server with the DocumentRoot /var/www/MISP/app/webroot/

cp /var/www/MISP/INSTALL/apache.misp /etc/apache2/sites-available/misp.conf

cat << EOF > /etc/nginx/sites-available/misp.conf server { listen 80;

root /var/www/MISP/app/webroot/;
index index.php index.html index.htm;

server_name _;

location / {
        try_files \$uri \$uri/ /index.php;
}

location ~ \.php$ {
        try_files \$uri =404;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.sock;

}} EOF

cat << EOF > /etc/php5/fpm/pool.d/misp.conf [misp] listen = /var/run/php5-fpm.sock listen.allowed_clients = 127.0.0.1 listen.owner = www-data listen.group = www-data user = www-data group = www-data

pm = dynamic pm.max_children = 6 pm.start_servers = 3 pm.min_spare_servers = 3 pm.max_spare_servers = 5

pm.max_requests = 500

request_terminate_timeout = 120s request_slowlog_timeout = 5s

slowlog = /var/log/nginx/$pool.log.slow rlimit_files = 4096 rlimit_core = 0 chdir = /var/www/MISP catch_workers_output = yes EOF

rm /etc/nginx/sites-enabled/default rm /etc/php5/fpm/pool.d/www.conf

000-default can be called default based on distribution, in which case run a2dissite default

ln -s /etc/nginx/sites-available/misp.conf /etc/nginx/sites-enabled/misp.conf

systemctl restart php5-fpm.service systemctl restart nginx.service

Restart apache

service apache2 reload

We seriously recommend using only SSL !

Check out the apache.misp.ssl file for an example

8/ MISP configuration

There are 4 sample configuration files in /var/www/MISP/app/Config that need to be copied

cd /var/www/MISP/app/Config cp -a bootstrap.default.php bootstrap.php cp -a database.default.php database.php cp -a core.default.php core.php cp -a config.default.php config.php

Configure the fields in the newly created files:

database.php : login, port, password, database

bootstrap.php: uncomment the last 3 lines to enable the background workers (see below)

CakePlugin::loadAll(array('CakeResque' => array('bootstrap' => true)));

To enable the background workers, if you have installed the package required for it in 4/, uncomment the following lines:

in Core.php (if you have just recently updated MISP, just add this line at the end of the file):

require_once dirname(DIR) . '/Vendor/autoload.php';

Important! Change the salt key in /var/www/MISP/app/Config/config.php

The salt key must be an at least 32 byte long string.

The admin user account will be generated on the first login, make sure that the salt is changed before you create that user

If you forget to do this step, and you are still dealing with a fresh installation, just alter the salt,

delete the user from mysql and log in again using the default admin credentials ([email protected] / admin)

and make sure the file permissions are still OK

chown -R www-data:www-data /var/www/MISP/app/Config chmod -R 750 /var/www/MISP/app/Config

Generate a GPG encryption key.

mkdir /var/www/MISP/.gnupg chown www-data:www-data /var/www/MISP/.gnupg chmod 700 /var/www/MISP/.gnupg sudo -u www-data gpg --homedir /var/www/MISP/.gnupg --gen-key

The email address should match the one set in the config.php configuration file

Make sure that you use the same settings in the MISP Server Settings tool (Described on line 184)

And export the public key to the webroot

sudo -u www-data gpg --homedir /var/www/MISP/.gnupg --export --armor YOUR-EMAIL > /var/www/MISP/app/webroot/gpg.asc

To make the background workers start on boot

chmod +x /var/www/MISP/app/Console/worker/start.sh vim /etc/rc.local

Add the following line before the last line (exit 0). Make sure that you replace www-data with your apache user:

su www-data -c 'bash /var/www/MISP/app/Console/worker/start.sh'

Now log in using the webinterface:

The default user/pass = [email protected]/admin -> Bonjour01!

Using the server settings tool in the admin interface (Administration -> Server Settings), set MISP up to your preference

It is especially vital that no critical issues remain!

start the workers by navigating to the workers tab and clicking restart all workers

sudo -u www-data MISP/app/Console/worker/start.sh

Don't forget to change the email, password and authentication key after installation.

Once done, have a look at the diagnostics

If any of the directories that MISP uses to store files is not writeable to the apache user, change the permissions

you can do this by running the following commands:

chmod -R 750 /var/www/MISP/ chown -R www-data:www-data /var/www/MISP/

Make sure that the STIX libraries and GnuPG work as intended, if not, refer to INSTALL.txt's paragraphs dealing with these two items

If anything goes wrong, make sure that you check MISP's logs for errors:

/var/www/MISP/app/tmp/logs/error.log

/var/www/MISP/app/tmp/logs/resque-worker-error.log

/var/www/MISP/app/tmp/logs/resque-scheduler-error.log

/var/www/MISP/app/tmp/logs/resque-2015-01-01.log //where the actual date is the current date

Recommended actions

  • By default CakePHP exposes his name and version in email headers. Apply a patch to remove this behavior.

  • You should really harden your OS

  • You should really harden the configuration of Apache

  • You should really harden the configuration of MySQL

  • Keep your software up2date (MISP, CakePHP and everything else)

  • Log and audit

Optional features

MISP has a new pub/sub feature, using ZeroMQ. To enable it, simply run the following command

pip install pyzmq

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment