Install Server

Installation Steps

Step 1 - Setup Server

Step 2 - Setup Server Firewall

Step 3 - Install Software

Step 4 - Setup Public Firewall

Step 5 - Login To Portal & Set General Settings

Step 6 - Disable Bootstrap Account (Important)

Next Step - Common Configuration & Hardening

Need Help?
If you would like a managed Mamori server or have questions about your server installation, then please send an email to support@mamori.io.


Setup Server

Windows Server

The Mamori server runs on the Linux operating system. If you have a Windows server, then enable HyperV and create a linux ubuntu image for the Mamori server installation.

Requirements

HardwareMinimumRecommended
Operating System64-bit intel linux with docker installed64-bit intel Ubuntu Server LTS
CPU2 core4 core
Memory2GB8GB (+4GB per 10K requests/hour)
Hard Drive50GB
Please ensure /var has at least 15GB
100GB (~10GB per 7 day log retention).
Trusted SSL Certificate on ServerInstall CA certificates in server manually or via Mamori portalmanual instructons
Web Portal BrowserAny modern browserChrome, Edge, Firefox

Setup Server Firewall

If the Mamori server is directly exposed to the internet, then harden SSH access by:
  • disabling root password authentication or setting it to a 32 length strong password
  • change the SSH port from 22 to something else

Required Ports

The required ports to manage a Mamori server.

sudo ufw allow 443 comment "https"
sudo ufw allow 22 comment "ssh"
sudo ufw enable
sudo ufw status

IP Access (WireGuard)

Port required for IP resource access controls

sudo ufw allow 51871/udp comment "wireguard port"
sudo ufw allow from 172.0.0.0/16  comment "Your virtual wireguard network"
sudo ufw enable
sudo ufw status

Proxy Ports

Port required by database and HTTP/S proxy

sudo ufw allow 1122 comment "SSH Proxy"
sudo ufw allow 5432 comment "Postgres Proxy"
sudo ufw allow 1433 comment "MSSQL Proxy"
sudo ufw allow 3306 comment "MySQL Proxy"
sudo ufw allow 1521 comment "Oracle Proxy"
sudo ufw allow 28017 comment "Mongo Proxy"
sudo ufw allow 8089 comment "HTTP/S Proxy"
sudo ufw allow 1527 comment "Mamori JDBC"
sudo ufw enable
sudo ufw status

Confirm IP access for desired integrations

From your Mamori server confirm you can access

Email - your SMTP server

LDAP/AD - your AD/LDAP server

Mobile Push 2FA requires HTTPS send and receive from:

fcm.googleapis.com/*

oauth2.googleapis.com/*

accounts.google.com/*

Other - your target databases and servers


Install Software

Install Docker

sudo curl https://get.docker.com | sh

Add SWAP

If the server doesn't already have a swap memory file, then add 4GB. This must be run as sudo.

sudo bash
fallocate -l 4G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
echo '/swapfile none swap sw 0 0' | tee -a /etc/fstab
exit

Install Statement

#!/bin/bash

sudo docker pull iomamori/mamori-all-in-one:latest
sudo docker create \
        --network host \
        --restart always \
        --privileged \
        --log-opt max-size=10m --log-opt max-file=10 \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v mamori-var:/opt/mamori/var \
        -v mamori-nginx-conf:/etc/nginx \
        -v mamori-data:/var/lib/postgresql \
        -v mamori-pg-conf:/etc/postgresql \
        -v mamori-influxdb:/opt/mamori/influxdb \
        -v mamori-influxdb-data:/var/lib/influxdb \
        -v mamori-grafana:/opt/mamori/grafana \
        -v /proc:/host/proc:ro \
        -e TZ=`cat /etc/timezone` \
        --name mamori iomamori/mamori-all-in-one:latest /sbin/my_init

sudo docker start mamori

#!/bin/bash

sudo docker image load < mamori_mon_docker.tgz

sudo docker create \
        --network host \
        --restart always \
        --privileged \
        --log-opt max-size=10m --log-opt max-file=10 \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v mamori-var:/opt/mamori/var \
        -v mamori-nginx-conf:/etc/nginx \
        -v mamori-data:/var/lib/postgresql \
        -v mamori-pg-conf:/etc/postgresql \
        -v mamori-influxdb:/opt/mamori/influxdb \
        -v mamori-influxdb-data:/var/lib/influxdb \
        -v mamori-grafana:/opt/mamori/grafana \
        -v /proc:/host/proc:ro \
        -e TZ=`cat /etc/timezone` \
        --name mamori mamori-all-in-one /sbin/my_init

sudo docker start mamori

Upgrade Script

Create upgrade.sh with the script below.

#!/bin/bash

# clean up any system logs that are filling the disk
journalctl --vacuum-size=10M

# tag the current mamori image so we can delete is later
docker image tag iomamori/mamori-all-in-one mamori-old

sudo docker pull iomamori/mamori-all-in-one:latest
RC=$?
if [ $RC -ne 0 ]; then
        echo "docker load failed :("
        exit $RC
fi

NOW=`date +%s`
sudo docker stop mamori
sudo docker rename mamori mamori-$NOW

sudo docker create \
        --network host \
        --restart always \
        --privileged \
        --log-opt max-size=10m --log-opt max-file=10 \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v mamori-var:/opt/mamori/var \
        -v mamori-nginx-conf:/etc/nginx \
        -v mamori-data:/var/lib/postgresql \
        -v mamori-pg-conf:/etc/postgresql \
        -v mamori-influxdb:/opt/mamori/influxdb \
        -v mamori-influxdb-data:/var/lib/influxdb \
        -v mamori-grafana:/opt/mamori/grafana \
        -v /proc:/host/proc:ro \
        -e TZ=`cat /etc/timezone` \
        --name mamori iomamori/mamori-all-in-one:latest /sbin/my_init

sudo docker start mamori

sudo docker rm mamori-$NOW
docker rmi `docker image ls -a | grep mamori-old | awk '{print $3}'`
#!/bin/bash

# clean up any system logs that are filling the disk
journalctl --vacuum-size=10M

# tag the current mamori image so we can delete is later
docker image tag mamori-all-in-one mamori-old

sudo docker image load < mamori_mon_docker.tgz
RC=$?
if [ $RC -ne 0 ]; then
        echo "docker load failed :("
        exit $RC
fi

NOW=`date +%s`
sudo docker stop mamori
sudo docker rename mamori mamori-$NOW

sudo docker create \
        --network host \
        --restart always \
        --privileged \
        --log-opt max-size=10m --log-opt max-file=10 \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v mamori-var:/opt/mamori/var \
        -v mamori-nginx-conf:/etc/nginx \
        -v mamori-data:/var/lib/postgresql \
        -v mamori-pg-conf:/etc/postgresql \
        -v mamori-influxdb:/var/lib/influxdb \
        -v mamori-influxdb-conf:/etc/influxdb \
        -v mamori-grafana:/opt/mamori/grafana \
        -v /proc:/host/proc:ro \
        -e TZ=`cat /etc/timezone` \
        --name mamori mamori-all-in-one /sbin/my_init

sudo docker start mamori

docker rm mamori-$NOW
docker rmi `docker image ls -a | grep mamori-old | awk '{print $3}'`

Setup Public Firewall

Remote web portal access

To provide remote web portal access do the following:

Do you have a unique public IP for the Mamori server?

Yes - Forward port 443 to 443 of the internal IP of the Mamori server.

No - Forward port 1443 or another port to 443 of the internal IP of the Mamori server.


Remote IP resource access

To provide remote IP resource access do the following:

  • Forward port 51871/udp to 51871/udp of the internal IP of the Mamori server.
  • Ensure your firewall allows WireGuard VPN access

Remote internal HTTP/S resource access

To provide remote access internal web resources do the following:

  • Forward port 8089 to 8089 of the internal IP of the Mamori server.

Enable Mamori mobile push notifications

The Mamori mobile app requires access to the Mamori server via HTTPS.

This access will automatically be available for configurations that provide remote web portal access. However, for configurations that do not, such as "Air Gap" environments, then do the following :

  • In Server Settings > General set the server public IP address to the internal IP
  • In Server Settings > Authentication Providers -> pushmobile set the url to the public IP and port.
  • Forward Public 443 or 1443 to a server with Nginx
  • From the relay Nginx server route /websocket to the Mamori server. Deny all other traffic.
  • Define a Mamori connection policy that blocks all external IP addresses that are not the Mamori mobile app.

The Mamori mobile app is restricted to only call a limited subset of operations.


Login to confirm access

Login

Login to the Mamori portal with the bootstrap login

url : https://[mamori server ip address]

username : root password : Mamori2021

Set General Server Settings

To set the general Mamori server properties

Click Server Settings >

Click General

Next, enter details

FieldDescription
Public IP AddressThe IP or DNS name users will use to access the Mamori server

If a custom port is being used, then enter SERVER:PORT

If internal access only, then enter the internal IP
Log Retention PeriodPeriod to keep detailed logs
Modules MenusEnable/Disable the features that will be used

Disable web root account

It's critical that you follow the instructions below and disable the root web user. Otherwise, your are leaving your Mamori server vulnerable to attacks.

Create recovery user

Create an administrator user with an extra long strong password, and store the password in an external password vault. This login will be your recovery account in the event that all other admin accounts with multi-factor authentication are unable to login.

Click Users

Click

Next, enter details in user dialog

details - login id, email, password and select administrator user profile

Click Create

Test Login

Logout & log in as new user

Disable web root account

Click Server Settings > Authentication Providers

Click for admin provider in list

Edit dialog options

Account Status Enabled - set to false

Click Update


Helpful Scripts

Upgrade Clean Up Script

Removes backup Mamori containers and images.

Always run cleanup after you have verified your upgrade. If you don't run the clean up and reboot the server, then multiple Mamori services will start.
cleanup.sh
#!/bin/bash

FOUND_CONTAINER=`docker ps -a -f "name=mamori-[0-9]+" -q 2> /dev/null`
if [[ $FOUND_CONTAINER == "" ]]; then
    echo "No old mamori containers found"
else
    echo Found old Mamori containers: $FOUND_CONTAINER
    docker rm $FOUND_CONTAINER
fi

FOUND_IMAGE=`docker images -f "reference=mamori-[0-9]*" -q 2> /dev/null`
echo $FOUND_IMAGE
if [[ $FOUND_IMAGE == "" ]]; then
    echo "No old mamori images found"
else
    echo Found old Mamori images: $FOUND_IMAGE
    docker image rm -f $FOUND_IMAGE
fi

Uninstall

uninstall.sh
#!/bin/bash

sudo docker kill mamori
sudo docker kill mamori-wireguard

sudo docker rm mamori mamori-wireguard
sudo docker rmi iomamori/mamori-all-in-one mamori-wireguard mamori-alpine-boringtun
sudo docker volume rm \
        mamori-var \
        mamori-nginx-conf \
        mamori-data \
        mamori-pg-conf \
        mamori-influxdb \
        mamori-influxdb-data \
        mamori-influxdb-conf \
        mamori-grafana
Edit this page on GitHub Updated at Sun, Jul 14, 2024