Install Server
Installation Steps
- Step 1 - Setup Server
- Step 2 - Setup Server Firewall
- Step 3 - Install Software
- Step 4 - Setup Public Firewall
- Step 5 - Login To Portal & Set General Settings
- Step 6 - Disable Bootstrap Account (Important)
- Next Step - Common Configuration & Hardening
Need Help?
If you would like a managed Mamori server or have questions about your server installation, then please send an email to support@mamori.io.
Setup Server
The Mamori server runs on the Linux operating system. If you have a Windows server, enable Hyper-V and create a Linux Ubuntu VM image for the Mamori server installation.
Requirements
Hardware | Minimum | Recommended |
---|---|---|
Operating System | 64-bit Intel Linux with Docker installed | 64-bit Intel Ubuntu Server LTS |
CPU | 2 core | 4 core |
Memory | 2GB | 8GB (+4GB per 10K requests/hour) |
Hard Drive | 50GB (ensure /var has at least 15GB) | 100GB (~10GB per 7 days of log retention) |
Trusted SSL Certificate on Server | Install CA certificates on the server manually or via the Mamori portal | manual instructions |
Web Portal Browser | Any modern browser | Chrome, Edge, Firefox |
Setup Server Firewall
Recommended SSH hardening before exposing the server:
- Disable root password authentication, or set the root password to a strong 32-character one
- Change the SSH port from 22 to a non-default port
Required Ports
Ports required to manage a Mamori server:

```bash
sudo ufw allow 443 comment "https"
sudo ufw allow 22 comment "ssh"
sudo ufw enable
sudo ufw status
```
IP Access (WireGuard)
Port required for IP resource access controls:

```bash
sudo ufw allow 51871/udp comment "wireguard port"
sudo ufw allow from 172.0.0.0/16 comment "Your virtual wireguard network"
sudo ufw enable
sudo ufw status
```
Proxy Ports
Ports required by the database and HTTP/S proxies:

```bash
sudo ufw allow 1122 comment "SSH Proxy"
sudo ufw allow 5432 comment "Postgres Proxy"
sudo ufw allow 1433 comment "MSSQL Proxy"
sudo ufw allow 3306 comment "MySQL Proxy"
sudo ufw allow 1521 comment "Oracle Proxy"
sudo ufw allow 28017 comment "Mongo Proxy"
sudo ufw allow 8089 comment "HTTP/S Proxy"
sudo ufw allow 1527 comment "Mamori JDBC"
sudo ufw enable
sudo ufw status
```
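The rules above open every proxy port to any source. Where the clients that use the proxies come from a known network, the same ports can be opened only to that network. The script below is an added example and not part of the Mamori documentation; the port list is taken from the Proxy Ports section, `CLIENT_CIDR` (10.20.0.0/16) is a constructed placeholder for your client network, and without `APPLY=1` it only prints the ufw commands so they can be reviewed before being applied.

```bash
#!/bin/bash
# Added example (not part of the Mamori documentation): open the Mamori proxy
# ports only to the network that legitimately connects to the proxies, rather
# than to any source. CLIENT_CIDR is a constructed placeholder; replace it with
# your real client network. Without APPLY=1 the script is a dry run.
set -u

# Ports from the "Proxy Ports" section, as port:label pairs.
PROXY_PORTS="1122:SSH-Proxy 5432:Postgres-Proxy 1433:MSSQL-Proxy 3306:MySQL-Proxy 1521:Oracle-Proxy 28017:Mongo-Proxy 8089:HTTPS-Proxy 1527:Mamori-JDBC"

# build_rules CIDR PORTLIST
# Prints one "ufw allow" command per port, restricted to the source CIDR.
build_rules() {
  cidr="$1"
  for entry in $2; do
    port="${entry%%:*}"
    label="${entry#*:}"
    printf 'ufw allow from %s to any port %s proto tcp comment "%s"\n' \
      "$cidr" "$port" "$label"
  done
}

# apply_rules CIDR PORTLIST
# Applies the same rules for real (root via sudo) and shows the resulting table.
apply_rules() {
  cidr="$1"
  for entry in $2; do
    port="${entry%%:*}"
    label="${entry#*:}"
    sudo ufw allow from "$cidr" to any port "$port" proto tcp comment "$label"
  done
  sudo ufw status numbered
}

CLIENT_CIDR="${CLIENT_CIDR:-10.20.0.0/16}"
if [ "${APPLY:-0}" = "1" ]; then
  apply_rules "$CLIENT_CIDR" "$PROXY_PORTS"
else
  build_rules "$CLIENT_CIDR" "$PROXY_PORTS"
fi
```

Run it once without `APPLY` to see the rules, then `CLIENT_CIDR=<your network> APPLY=1 ./proxy-ports.sh` to apply them; ports that no integration uses can simply be dropped from `PROXY_PORTS`.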
Confirm IP access for desired integrations
From your Mamori server, confirm you can access:
- Email - your SMTP server
- LDAP/AD - your AD/LDAP server
- Mobile Push 2FA - requires HTTPS send and receive from:
  - fcm.googleapis.com/*
  - oauth2.googleapis.com/*
  - accounts.google.com/*
- Other - your target databases and servers
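The connectivity check above can be scripted so it is repeatable after firewall changes. The script below is an added example, not Mamori tooling: it tries a TCP connection to each endpoint in the list and reports OK or FAIL. The SMTP and LDAP hosts are passed as `host:port` arguments (the names in the usage line are constructed); the three Google hosts are the ones the page lists for mobile push 2FA.

```bash
#!/bin/bash
# Added example, not Mamori's own tooling: from the Mamori server, confirm that
# each integration endpoint listed above accepts a TCP connection. The SMTP and
# LDAP hosts are given as host:port arguments; the hostnames in the usage line
# are constructed placeholders.

# tcp_open HOST PORT [TIMEOUT]
# Returns 0 if a TCP connection is established, non-zero otherwise.
# Uses bash's /dev/tcp so no extra tools are needed on a minimal server.
tcp_open() {
  host="$1"; port="$2"; t="${3:-5}"
  timeout "$t" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# check_endpoint LABEL HOST PORT
# Prints an OK/FAIL line and returns tcp_open's status.
check_endpoint() {
  label="$1"; host="$2"; port="$3"
  if tcp_open "$host" "$port"; then
    printf 'OK    %-10s %s:%s\n' "$label" "$host" "$port"
  else
    printf 'FAIL  %-10s %s:%s\n' "$label" "$host" "$port"
    return 1
  fi
}

# run_checks SMTP_HOST:PORT LDAP_HOST:PORT
# Runs every check and returns the number of unreachable endpoints.
run_checks() {
  fails=0
  check_endpoint "SMTP"    "${1%%:*}" "${1#*:}" || fails=$((fails + 1))
  check_endpoint "LDAP/AD" "${2%%:*}" "${2#*:}" || fails=$((fails + 1))
  for h in fcm.googleapis.com oauth2.googleapis.com accounts.google.com; do
    check_endpoint "Push2FA" "$h" 443 || fails=$((fails + 1))
  done
  return "$fails"
}

if [ $# -eq 2 ]; then
  run_checks "$1" "$2"
  echo "$? endpoint(s) unreachable"
else
  echo "usage: $0 smtp.corp.internal:587 ldap.corp.internal:636"
fi
```

A FAIL for the Google hosts usually means outbound HTTPS is blocked on the server's egress firewall; a FAIL for SMTP or LDAP points at the internal firewall between the Mamori server and that service.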
Install Software
Install Docker
```bash
sudo curl https://get.docker.com | sh
```
Add SWAP
If the server doesn't already have a swap file, add a 4GB one. The commands below must be run as root (hence `sudo bash`).

```bash
sudo bash
fallocate -l 4G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
# make the swap file persistent across reboots
echo '/swapfile none swap sw 0 0' | tee -a /etc/fstab
exit
```
Install Statement
Online install (pull the latest image):

```bash
#!/bin/bash
sudo docker pull iomamori/mamori-all-in-one:latest
sudo docker create \
  --network host \
  --restart always \
  --privileged \
  --log-opt max-size=10m --log-opt max-file=10 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v mamori-var:/opt/mamori/var \
  -v mamori-nginx-conf:/etc/nginx \
  -v mamori-data:/var/lib/postgresql \
  -v mamori-pg-conf:/etc/postgresql \
  -v mamori-influxdb:/opt/mamori/influxdb \
  -v mamori-influxdb-data:/var/lib/influxdb \
  -v mamori-grafana:/opt/mamori/grafana \
  -v /proc:/host/proc:ro \
  -e TZ="$(cat /etc/timezone)" \
  --name mamori iomamori/mamori-all-in-one:latest /sbin/my_init
sudo docker start mamori
```
Offline install (load the image from the supplied mamori_mon_docker.tgz archive):

```bash
#!/bin/bash
sudo docker image load < mamori_mon_docker.tgz
sudo docker create \
  --network host \
  --restart always \
  --privileged \
  --log-opt max-size=10m --log-opt max-file=10 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v mamori-var:/opt/mamori/var \
  -v mamori-nginx-conf:/etc/nginx \
  -v mamori-data:/var/lib/postgresql \
  -v mamori-pg-conf:/etc/postgresql \
  -v mamori-influxdb:/opt/mamori/influxdb \
  -v mamori-influxdb-data:/var/lib/influxdb \
  -v mamori-grafana:/opt/mamori/grafana \
  -v /proc:/host/proc:ro \
  -e TZ="$(cat /etc/timezone)" \
  --name mamori mamori-all-in-one /sbin/my_init
sudo docker start mamori
```
Upgrade Script
Create upgrade.sh with the script that matches your install (online pull, or offline image load).

Online upgrade:

```bash
#!/bin/bash
# clean up any system logs that are filling the disk
sudo journalctl --vacuum-size=10M
# tag the current mamori image so we can delete it later
sudo docker image tag iomamori/mamori-all-in-one mamori-old
sudo docker pull iomamori/mamori-all-in-one:latest
RC=$?
if [ $RC -ne 0 ]; then
  echo "docker pull failed :("
  exit $RC
fi
NOW=$(date +%s)
sudo docker stop mamori
# keep the previous container under a timestamped name until the new one is started
sudo docker rename mamori mamori-$NOW
sudo docker create \
  --network host \
  --restart always \
  --privileged \
  --log-opt max-size=10m --log-opt max-file=10 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v mamori-var:/opt/mamori/var \
  -v mamori-nginx-conf:/etc/nginx \
  -v mamori-data:/var/lib/postgresql \
  -v mamori-pg-conf:/etc/postgresql \
  -v mamori-influxdb:/opt/mamori/influxdb \
  -v mamori-influxdb-data:/var/lib/influxdb \
  -v mamori-grafana:/opt/mamori/grafana \
  -v /proc:/host/proc:ro \
  -e TZ="$(cat /etc/timezone)" \
  --name mamori iomamori/mamori-all-in-one:latest /sbin/my_init
sudo docker start mamori
sudo docker rm mamori-$NOW
# remove the previous image; if the pull returned the same image only the tag is removed
sudo docker rmi mamori-old
```
Offline upgrade (load the new image from mamori_mon_docker.tgz):

```bash
#!/bin/bash
# clean up any system logs that are filling the disk
sudo journalctl --vacuum-size=10M
# tag the current mamori image so we can delete it later
sudo docker image tag mamori-all-in-one mamori-old
sudo docker image load < mamori_mon_docker.tgz
RC=$?
if [ $RC -ne 0 ]; then
  echo "docker load failed :("
  exit $RC
fi
NOW=$(date +%s)
sudo docker stop mamori
# keep the previous container under a timestamped name until the new one is started
sudo docker rename mamori mamori-$NOW
sudo docker create \
  --network host \
  --restart always \
  --privileged \
  --log-opt max-size=10m --log-opt max-file=10 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v mamori-var:/opt/mamori/var \
  -v mamori-nginx-conf:/etc/nginx \
  -v mamori-data:/var/lib/postgresql \
  -v mamori-pg-conf:/etc/postgresql \
  -v mamori-influxdb:/var/lib/influxdb \
  -v mamori-influxdb-conf:/etc/influxdb \
  -v mamori-grafana:/opt/mamori/grafana \
  -v /proc:/host/proc:ro \
  -e TZ="$(cat /etc/timezone)" \
  --name mamori mamori-all-in-one /sbin/my_init
sudo docker start mamori
sudo docker rm mamori-$NOW
# remove the previous image; if the archive contained the same image only the tag is removed
sudo docker rmi mamori-old
```
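Both upgrade scripts delete the renamed previous container immediately after starting the new one, so a new image that fails to start leaves nothing to fall back to. The script below is an added example and not Mamori's own upgrade script: it follows the same stop/rename/create/start flow as the online upgrade, but only removes the previous container once the new one is accepting connections on port 443, and otherwise discards the new container and restarts the previous one. It assumes the image and volume names from the online install statement, that `--network host` exposes the portal on the host's port 443, and nothing about any Mamori-specific health endpoint.

```bash
#!/bin/bash
# Added example, not Mamori's own upgrade script: online upgrade with a
# readiness check and rollback. Assumes the image and volumes of the install
# statement above and that the portal listens on host port 443.
set -u

IMAGE="iomamori/mamori-all-in-one:latest"
PORTAL_PORT=443

# wait_for_port HOST PORT ATTEMPTS DELAY
# Returns 0 as soon as the port accepts a TCP connection, 1 if it never does
# within roughly ATTEMPTS*DELAY seconds.
wait_for_port() {
  host="$1"; port="$2"; attempts="$3"; delay="$4"
  i=0
  while [ "$i" -lt "$attempts" ]; do
    if timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
      return 0
    fi
    i=$((i + 1))
    sleep "$delay"
  done
  return 1
}

# Same create statement as the online install, factored into a function.
create_container() {
  sudo docker create \
    --network host --restart always --privileged \
    --log-opt max-size=10m --log-opt max-file=10 \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v mamori-var:/opt/mamori/var \
    -v mamori-nginx-conf:/etc/nginx \
    -v mamori-data:/var/lib/postgresql \
    -v mamori-pg-conf:/etc/postgresql \
    -v mamori-influxdb:/opt/mamori/influxdb \
    -v mamori-influxdb-data:/var/lib/influxdb \
    -v mamori-grafana:/opt/mamori/grafana \
    -v /proc:/host/proc:ro \
    -e TZ="$(cat /etc/timezone)" \
    --name mamori "$IMAGE" /sbin/my_init
}

upgrade() {
  sudo docker pull "$IMAGE" || { echo "docker pull failed"; return 1; }
  old="mamori-$(date +%s)"
  sudo docker stop mamori
  sudo docker rename mamori "$old"
  create_container
  sudo docker start mamori
  # up to 30 x 5 s for the new container to start answering on 443
  if wait_for_port 127.0.0.1 "$PORTAL_PORT" 30 5; then
    echo "upgrade OK, removing previous container $old"
    sudo docker rm "$old"
  else
    echo "new container did not come up, rolling back to $old"
    sudo docker stop mamori
    sudo docker rm mamori
    sudo docker rename "$old" mamori
    sudo docker start mamori
    return 1
  fi
}

# Only touch Docker when explicitly asked, so the functions can be sourced
# and the readiness check exercised on its own.
if [ "${1:-}" = "--upgrade" ]; then
  upgrade
fi
```

Run it as `./upgrade-safe.sh --upgrade`; a port check is a minimal readiness signal, so after the script reports OK still log in to the portal before treating the upgrade as complete.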
Setup Public Firewall
Remote web portal access
To provide remote web portal access, do the following, depending on whether the Mamori server has its own unique public IP:
- Yes - Forward port 443 to port 443 of the internal IP of the Mamori server.
- No - Forward port 1443 (or another port) to port 443 of the internal IP of the Mamori server.
Remote IP resource access
To provide remote IP resource access do the following:
- Forward port 51871/udp to 51871/udp of the internal IP of the Mamori server.
- Ensure your firewall allows WireGuard VPN access
Remote internal HTTP/S resource access
To provide remote access to internal web resources, do the following:
- Forward port 8089 to 8089 of the internal IP of the Mamori server.
Enable Mamori mobile push notifications
The Mamori mobile app requires access to the Mamori server via HTTPS.
This access is automatically available in configurations that provide remote web portal access. For configurations that do not, such as "Air Gap" environments, do the following:
- In Server Settings > General set the server public IP address to the internal IP
- In Server Settings > Authentication Providers -> pushmobile set the url to the public IP and port.
- Forward Public 443 or 1443 to a server with Nginx
- From the relay Nginx server route /websocket to the Mamori server. Deny all other traffic.
- Define a Mamori connection policy that blocks all external IP addresses that are not the Mamori mobile app.
The Mamori mobile app is restricted to only call a limited subset of operations.
Login to confirm access
Login
Log in to the Mamori portal with the bootstrap login:
- URL: https://[mamori server ip address]
- Username: root
- Password: Mamori2021
Set General Server Settings
To set the general Mamori server properties:
- Click Server Settings >
- Click General
- Next, enter details

Field | Description |
---|---|
Public IP Address | The IP or DNS name users will use to access the Mamori server. If a custom port is being used, then enter SERVER:PORT. If internal access only, then enter the internal IP. |
Log Retention Period | Period to keep detailed logs |
Modules Menus | Enable/Disable the features that will be used |
Disable web root account
It's critical that you follow the instructions below and disable the root web user. Otherwise, you are leaving your Mamori server vulnerable to attacks.
Create recovery user
Create an administrator user with an extra-long, strong password, and store the password in an external password vault. This login is your recovery account in the event that all other admin accounts with multi-factor authentication are unable to log in.
- Click Users
- Click
- Next, enter details in the user dialog: login id, email, password, and select the administrator user profile
- Click Create
Test Login
Log out and log in as the new user.
Disable web root account
- Click Server Settings > Authentication Providers
- Click the edit control for the admin provider in the list
- In the edit dialog options, set Account Status Enabled to false
- Click Update
Helpful Scripts
Upgrade Clean Up Script
Removes backup Mamori containers and images left behind by the upgrade script. Run it as root or as a user in the docker group.

```bash
#!/bin/bash
# containers renamed to mamori-<timestamp> by the upgrade script
FOUND_CONTAINER=$(docker ps -a -f "name=mamori-[0-9]+" -q 2> /dev/null)
if [ -z "$FOUND_CONTAINER" ]; then
  echo "No old mamori containers found"
else
  echo "Found old Mamori containers: $FOUND_CONTAINER"
  # unquoted on purpose: one ID per word
  docker rm $FOUND_CONTAINER
fi
FOUND_IMAGE=$(docker images -f "reference=mamori-[0-9]*" -q 2> /dev/null)
if [ -z "$FOUND_IMAGE" ]; then
  echo "No old mamori images found"
else
  echo "Found old Mamori images: $FOUND_IMAGE"
  docker image rm -f $FOUND_IMAGE
fi
```
Uninstall
```bash
#!/bin/bash
sudo docker kill mamori
sudo docker kill mamori-wireguard
sudo docker rm mamori mamori-wireguard
sudo docker rmi iomamori/mamori-all-in-one mamori-wireguard mamori-alpine-boringtun
sudo docker volume rm \
  mamori-var \
  mamori-nginx-conf \
  mamori-data \
  mamori-pg-conf \
  mamori-influxdb \
  mamori-influxdb-data \
  mamori-influxdb-conf \
  mamori-grafana
```