Still starting from a fresh 64-bit Debian 11 install.

Arkime installation

apt-get install curl wget gnupg2
wget https://s3.amazonaws.com/files.molo.ch/builds/ubuntu-20.04/arkime_3.2.0-1_amd64.deb
apt install ./arkime_3.2.0-1_amd64.deb
Elasticsearch installation

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor > /etc/apt/trusted.gpg.d/elastic.gpg
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list
apt update
apt install elasticsearch -y
Start the Elasticsearch service
systemctl enable --now elasticsearch
Test Elasticsearch
curl http://localhost:9200
Arkime configuration
/opt/arkime/bin/Configure
Select the interface to sniff

Found interfaces: lo;enp0s3;enp0s8
Semicolon ';' seperated list of interfaces to monitor [eth1] enp0s8
Select the Elasticsearch instance (here it runs on the same server) and continue with the configuration procedure

Install Elasticsearch server locally for demo, must have at least 3G of memory, NOT recommended for production use (yes or no) [no] no [or SIMPLY PRESS ENTER]
Elasticsearch server URL [http://localhost:9200] ENTER
Password to encrypt S2S and other things [no-default] votre_mdp
...
Moloch - Creating configuration files
Installing systemd start files, use systemctl
Moloch - Installing /etc/logrotate.d/moloch to rotate files after 7 days
Moloch - Installing /etc/security/limits.d/99-moloch.conf to make core and memlock unlimited
Download GEO files? (yes or no) [yes] yes
Moloch - Downloading GEO files ...
Arkime - Configured - Now continue with step 4 in /opt/arkime/README.txt
4) The Configure script can install elasticsearch for you or you can install yourself
     systemctl start elasticsearch.service
5) Initialize/Upgrade Elasticsearch Arkime configuration
  a) If this is the first install, or want to delete all data
     /opt/arkime/db/db.pl http://ESHOST:9200 init
  b) If this is an update to a moloch/arkime package
     /opt/arkime/db/db.pl http://ESHOST:9200 upgrade
6) Add an admin user if a new install or after an init
Initialize Elasticsearch with the Arkime prerequisites (ESHOST is the Elasticsearch host)
/opt/arkime/db/db.pl http://ESHOST:9200 init
Create the Arkime/Moloch administrator user
/opt/arkime/bin/arkime_add_user.sh admin "Arkime SuperAdmin" votre_mdp --admin
Start the Arkime/Moloch services

First adjust the Arkime/Moloch units so that they only start once the Elasticsearch service is available (for example after the machine reboots):

sed -i 's/network.target/network.target elasticsearch.service/' /etc/systemd/system/arkimecapture.service /etc/systemd/system/arkimeviewer.service
sed -i '/After=/a Requires=network.target elasticsearch.service' /etc/systemd/system/arkimecapture.service /etc/systemd/system/arkimeviewer.service
systemctl daemon-reload
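The two sed commands above are not idempotent: run a second time (for instance after a package upgrade rewrites the unit files) they append a second Requires= line and a second elasticsearch.service entry. The following added shell script (not part of the original post) does the same edit only when it is still missing, and then verifies that both After= and Requires= mention Elasticsearch. It assumes the unit files are at the paths given in the post and contain an After=network.target line, as the post's sed commands also assume; the unit file content it checks itself against is a constructed sample.

```shell
#!/bin/sh
# Added example: idempotently make the Arkime systemd units depend on
# Elasticsearch, then verify the result.

# Add elasticsearch.service to the After= and Requires= lines of one unit
# file, but only if it is not already there.
add_es_dependency() {
    unit="$1"
    if grep -q '^After=.*elasticsearch\.service' "$unit"; then
        return 0   # already patched, leave the file untouched
    fi
    sed -i 's/^After=\(.*\)network\.target/After=\1network.target elasticsearch.service/' "$unit"
    sed -i '/^After=/a Requires=network.target elasticsearch.service' "$unit"
}

# Return 0 if the unit is both ordered after and requires elasticsearch.service.
unit_depends_on_es() {
    grep -q '^After=.*elasticsearch\.service' "$1" &&
    grep -q '^Requires=.*elasticsearch\.service' "$1"
}

# Apply to the real Arkime units (paths from the post) and reload systemd.
fix_arkime_units() {
    for unit in /etc/systemd/system/arkimecapture.service \
                /etc/systemd/system/arkimeviewer.service; do
        add_es_dependency "$unit" || return 1
        unit_depends_on_es "$unit" || { echo "dependency missing in $unit" >&2; return 1; }
    done
    systemctl daemon-reload
}

# Self-check on a constructed sample unit (not the real arkimecapture.service):
# run the edit twice and make sure elasticsearch.service appears exactly twice
# (once in After=, once in Requires=).
self_check() {
    tmp=$(mktemp -d)
    sample="$tmp/arkimecapture.service"
    printf '[Unit]\nDescription=Constructed sample unit\nAfter=network.target\n\n[Service]\nExecStart=/bin/true\n' > "$sample"
    add_es_dependency "$sample"
    add_es_dependency "$sample"
    unit_depends_on_es "$sample" || return 1
    [ "$(grep -c 'elasticsearch.service' "$sample")" -eq 2 ] || return 1
    rm -rf "$tmp"
    return 0
}

# Only touch the real units when they exist (i.e. when run on the Arkime host).
if self_check && [ -f /etc/systemd/system/arkimecapture.service ]; then
    fix_arkime_units
fi
```

Run it as root on the Arkime host; on any other machine it only runs the self-check and exits without touching systemd.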
For network capture

systemctl enable --now arkimecapture
systemctl start arkimecapture
For the web interface

systemctl enable --now arkimeviewer
systemctl start arkimeviewer
Going further

The log files are available here:

/opt/arkime/logs/viewer.log
/opt/arkime/logs/capture.log
/var/log/elasticsearch/*

The Arkime/Moloch configuration is here:

/opt/arkime/etc/config.ini

Accessing the interface
http://ARKIMEHOST:8005
For my part, I use an Nginx reverse proxy to reach it over HTTPS through a domain name.

Nginx reverse proxy configuration

server {
    if ($host = arkime.nadus.fr) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    listen [::]:80;
    server_name arkime.nadus.fr;
    return 404;
}

server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name arkime.nadus.fr;
    access_log /var/log/nginx/arkime.nadus.fr/access.log;
    error_log /var/log/nginx/arkime.nadus.fr/error.log;

    location / {
        proxy_pass http://X.X.X.X:8005;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    ssl_certificate /etc/letsencrypt/live/arkime.nadus.fr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/arkime.nadus.fr/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
Problem encountered and its fix

On the physical (Proxmox) machine, on the physical interface the traffic is sent to, the NIC offloads had to be disabled:

apt-get install ethtool
ethtool -K INTERFACE tx off sg off gro off gso off lro off tso off
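Offloads that stay enabled hand the capture process merged or unchecksummed segments that never existed on the wire, so it is worth confirming after the ethtool -K command that every one of them is really off. The shell script below is an added example (not from the original post): it parses the output of ethtool -k INTERFACE, which lists one "feature: on|off [fixed]" per line, and reports any of the six offloads the post turns off that is still on. The feature names are the ones ethtool prints for the tx/sg/gro/gso/lro/tso flags; the two ethtool outputs it checks itself against are constructed samples, not captured from a real host. Note that ethtool -K settings do not survive a reboot, so this check belongs after each boot as well.

```shell
#!/bin/sh
# Added example: verify that the offloads disabled with
# "ethtool -K INTERFACE tx off sg off gro off gso off lro off tso off"
# are really off, by parsing "ethtool -k INTERFACE".

# ethtool -k names of the six offloads the post disables (tx sg gro gso lro tso).
OFFLOADS="tx-checksumming scatter-gather generic-receive-offload generic-segmentation-offload large-receive-offload tcp-segmentation-offload"

# Read ethtool -k output on stdin, print every listed offload that is still
# "on", and return 1 if there was at least one (0 if all are off).
offloads_still_on() {
    found=0
    while read -r line; do          # read strips the indentation of sub-features
        name=${line%%:*}             # "tx-checksumming: on" -> "tx-checksumming"
        state=${line#*: }            # -> "on" / "off [fixed]"
        state=${state%% *}           # drop the "[fixed]" suffix
        case " $OFFLOADS " in
            *" $name "*)
                if [ "$state" = "on" ]; then
                    echo "$name"
                    found=1
                fi
                ;;
        esac
    done
    return $found
}

# Check a real interface: "check_interface enp0s8" on the capture host.
check_interface() {
    ethtool -k "$1" | offloads_still_on
}

# Constructed sample of ethtool -k output before the fix (offloads still on).
SAMPLE_BEFORE='Features for enp0s8:
rx-checksumming: on
tx-checksumming: on
        tx-checksum-ipv4: on
scatter-gather: on
        tx-scatter-gather: on
tcp-segmentation-offload: on
        tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Constructed sample after "ethtool -K ... off" (everything off).
SAMPLE_AFTER='Features for enp0s8:
rx-checksumming: on
tx-checksumming: off
        tx-checksum-ipv4: off
scatter-gather: off
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off [fixed]'

# Self-check on the two samples: the first must report 5 offloads still on,
# the second none.
self_check() {
    n=$(printf '%s\n' "$SAMPLE_BEFORE" | offloads_still_on | wc -l)
    [ "$n" -eq 5 ] || return 1
    printf '%s\n' "$SAMPLE_AFTER" | offloads_still_on >/dev/null || return 1
    return 0
}

if self_check; then
    echo "parser ok; run 'check_interface INTERFACE' on the capture host"
fi
```

A non-zero exit status from check_interface means at least one offload is still enabled on that interface (its name is printed), so the ethtool -K command needs to be re-run.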
Elasticsearch

Erase all data
curl -X DELETE 'http://localhost:9200/_all'
Fix the excessive-data problem (lift the read-only block Elasticsearch puts on indices when the disk fills up)
curl -X PUT http://localhost:9200/_settings -H 'Content-Type: application/json' -d '{"index": {"blocks": {"read_only_allow_delete": "false"}}}'
Sources
https://kifarunix.com/install-arkime-moloch-full-packet-capture-tool-on-debian/
https://arkime.com/

Going even further
https://www.netresec.com/?page=Blog&month=2020-12&post=Capturing-Decrypted-TLS-Traffic-with-Arkime