
Table of Contents

  1. Requirements
  2. Install Dependencies
  3. Installation
  4. Security considerations
  5. Configuration

Please report any errors you encounter at https://github.com/certtools/intelmq/issues

Requirements

These instructions assume that the following requirements are met:

  • IntelMQ is already installed
  • IntelMQ and IntelMQ Manager will be installed on the same machine
  • a supported operating system

Supported and recommended operating systems are:

  • Debian 8
  • openSUSE Leap 42.2
  • Ubuntu: 14.04 and 16.04 LTS

Partly supported are:

Install Dependencies

If you are using native packages, you can simply skip this section as all dependencies are installed automatically.

Ubuntu 14.04 / Debian 8

apt-get install git apache2 php5 libapache2-mod-php5

Ubuntu 16.04

apt-get install git apache2 php libapache2-mod-php7.0

Ubuntu 18.04

apt-get install git apache2 php libapache2-mod-php

CentOS 7

yum install epel-release
yum install git httpd httpd-tools php

openSUSE Leap 42.2

zypper install git apache2 apache2-utils apache2-mod_php7

Installation

Native packages

Get the install instructions for your operating system here: https://software.opensuse.org/download.html?project=home%3Asebix%3Aintelmq&package=intelmq-manager

Currently, these operating systems are supported by the packages:

  • CentOS 7, install epel-release first
  • RHEL 7, install epel-release first
  • Debian 8 and Debian 9 (install php-json too)
  • Fedora 25, 26 and Rawhide
  • openSUSE Leap 42.2 and Leap 42.3
  • openSUSE Tumbleweed
  • Ubuntu 16.04 and Ubuntu 17.04, install php-json too

The package is always called intelmq-manager.

For Debian and Ubuntu you need to make the configuration files writable by the group:

chmod 664 /etc/intelmq/*.conf /etc/intelmq/manager/positions.conf

Manually

Clone the repository and copy the files in the subfolder intelmq-manager to the webserver directory (this can also be /srv/www/htdocs/, depending on the system):

git clone https://github.com/certtools/intelmq-manager.git /tmp/intelmq-manager
cp -R /tmp/intelmq-manager/intelmq-manager/* /var/www/html/
chown -R www-data:www-data /var/www/html/

Add the webserver user (www-data, wwwrun, apache or nginx) to the intelmq group and give it write permission to the configuration files:

usermod -a -G intelmq www-data
mkdir /opt/intelmq/etc/manager/
touch /opt/intelmq/etc/manager/positions.conf
chgrp www-data /opt/intelmq/etc/*.conf /opt/intelmq/etc/manager/positions.conf
chmod g+w /opt/intelmq/etc/*.conf /opt/intelmq/etc/manager/positions.conf

Give the webserver user (www-data, wwwrun, apache or nginx) permission to execute intelmqctl as the intelmq user. Edit the /etc/sudoers file and add the following line, adapted to your system:

www-data ALL=(intelmq) NOPASSWD: /usr/local/bin/intelmqctl

By default, the intelmqctl program is invoked with the command sudo -u intelmq /usr/local/bin/intelmqctl. If that does not suit you, you can set the environment variable INTELMQ_MANGER_CONTROLER_CMD to, e.g., ~/.local/bin/intelmqctl or sudo -u intelmq ~/.local/bin/intelmqctl, or whatever you need.

Notes on CentOS / RHEL

The manager currently does not work with SELinux enabled; you need to deactivate it. Also, stopping bots currently does not work; see https://github.com/certtools/intelmq-manager/issues/103

If you can help to fix these issues, please join us!

Security considerations

Never ever run intelmq-manager on a public webserver without SSL and proper authentication.

As the current version is written, anyone can change intelmq's configuration files by sending an HTTP POST request to save.php. Intelmq-manager will reject non-JSON data, but nevertheless we don't want anyone to be able to reconfigure an intelmq installation.

Therefore you will need authentication and SSL.

In addition, intelmq currently stores plaintext passwords in its configuration files. These can be read via intelmq-manager.

Never ever allow unencrypted, unauthenticated access to intelmq-manager.

Configuration

Basic Authentication

Packages

In DEB-based distributions you will be asked for the password during installation.

In RPM-based distributions, the file will be placed under /etc/intelmq-manager.htusers automatically. To set a user-password combination do:

htpasswd /etc/intelmq-manager.htusers intelmqadmin

In both cases the webserver is already configured to use this file for authentication.

Manually

To create the authentication file:

htpasswd -c <password file path> <username>

To edit an existing one do:

htpasswd <password file path> <username>

For IntelMQ Manager, edit httpd.conf and insert:

AuthType basic
AuthName "IntelMQ Manager"
AuthBasicProvider file
AuthUserFile <password file path>
Require valid-user

After this is done, you will have to enter the user/password combination you created with htpasswd to access the web pages of IntelMQ Manager. To use other authentication methods, see: http://httpd.apache.org/docs/2.4/howto/auth.html

Content-Security-Policy Headers

Manually

It is recommended to set these two headers for all requests:

Content-Security-Policy: script-src 'self'
X-Content-Security-Policy: script-src 'self'
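
To confirm that the Basic Authentication and header settings described above actually cover save.php, the following added example (not part of the IntelMQ Manager project) audits the response headers an unauthenticated client receives. The URL, the function names and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the headers returned to an UNAUTHENTICATED request.
# Live use (placeholder URL):
#   curl -sI https://manager.example.org/save.php | audit_headers

# header_value NAME: print the value of header NAME from the headers on stdin
# (header names are matched case-insensitively, first occurrence wins).
header_value() {
    awk -v name="$1" 'BEGIN { name = tolower(name) }
        { i = index($0, ":") }
        i && !seen && tolower(substr($0, 1, i - 1)) == name {
            v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; seen = 1
        }'
}

# audit_headers: read a raw header block on stdin, print findings,
# return 0 only if every check passes.
audit_headers() {
    resp=$(tr -d '\r'); fail=0
    status=$(printf '%s\n' "$resp" | awk 'NR == 1 { print $2 }')
    if [ "$status" != "401" ]; then
        echo "FAIL: status ${status:-none}, expected 401 without credentials"; fail=1
    fi
    case $(printf '%s\n' "$resp" | header_value WWW-Authenticate) in
        [Bb][Aa][Ss][Ii][Cc]*) ;;
        *) echo "FAIL: no Basic authentication challenge"; fail=1 ;;
    esac
    for h in Content-Security-Policy X-Content-Security-Policy; do
        case $(printf '%s\n' "$resp" | header_value "$h") in
            *"script-src 'self'"*) ;;
            *) echo "FAIL: $h is missing script-src 'self'"; fail=1 ;;
        esac
    done
    return "$fail"
}

# Constructed sample responses (not captured from a real server).
sample_protected() {
    printf '%s\r\n' 'HTTP/1.1 401 Unauthorized' \
        'WWW-Authenticate: Basic realm="IntelMQ Manager"' \
        "Content-Security-Policy: script-src 'self'" \
        "X-Content-Security-Policy: script-src 'self'" ''
}
sample_open() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' 'Content-Type: application/json' ''
}

sample_protected | audit_headers && echo "protected sample: OK"
sample_open | audit_headers || echo "open sample: rejected"
```

Because the check runs against a 401 response, it also catches headers that are only attached to successful responses; in Apache's mod_headers that is the difference between `Header set` and `Header always set`.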