Install Server

Steps

Step 1 - Setup Server & Firewall

Step 2 - Install Software

Step 3 - Setup Admin Account

Step 4 - Set general server settings

Step 5 - Integrate your email server (optional)

Step 6 - Configure Alert Channel(s) (optional)

Step 7 - Hardening Check List


Setup Server & Firewall

Requirements

Hardware                            Minimum                                     Recommended
Operating System                    64-bit Intel Linux with Docker installed    64-bit Intel Ubuntu Server LTS
CPU                                 2 core                                      4 core
Memory                              2GB                                         8GB (+4GB per 10K requests/hour)
Hard Drive                          30GB                                        50GB (~10GB per 7 day log retention)
Trusted SSL Certificate on Server   Install CA certificates in Ubuntu server (see instructions)
Web Portal Browser                  Any modern browser                          Chrome, Edge, Firefox



Open ports when running in a DMZ or public cloud

  • UDP 51871 (WireGuard VPN)
  • 443 (required for mobile push multi-factor authentication)
  • 22 (optional - allows remote support by mamori.io)

sudo ufw allow 51871/udp comment "wireguard port"
sudo ufw allow 443 comment "https"
sudo ufw allow 22 comment "ssh"
sudo ufw allow from (PLANNED MAMORI WIREGUARD PRIVATE IP)/24
sudo ufw enable
sudo ufw status

When configuring mamori WireGuard you will assign a private IP address and a subnet mask to the mamori server; the "allow from" rule above opens the server to that planned subnet.

Common private IP addresses are 10.0.0.1, 10.100.0.1, 172.0.0.1, 192.168.0.1, etc.

Please ensure that this does not conflict with any existing subnets you plan to expose via mamori.

Open ports when accessed inside a firewall

  • 22, 443, 80
  • Desired database proxy ports (optional)
    • 1122 (SSH Proxy)
    • 5432 (Postgres)
    • 1433 (SQL Server)
    • 3306 (MySQL)
    • 1521 (Oracle)
    • 28017 (Mongo)
    • 1527 (Other JDBC)

sudo ufw allow 22 comment "standard SSH"
sudo ufw allow 443 comment "https"
sudo ufw allow 1122 comment "SSH Proxy"
sudo ufw allow 5432 comment "Postgres Proxy"
sudo ufw allow 1433 comment "MSSQL Proxy"
sudo ufw allow 3306 comment "MySQL Proxy"
sudo ufw allow 1521 comment "Oracle Proxy"
sudo ufw allow 28017 comment "Mongo Proxy"
sudo ufw allow 1527 comment "Mamori JDBC"
sudo ufw enable
sudo ufw status

Confirm IP access for desired integrations

From your mamori server confirm you can access

Email - your SMTP server

LDAP/AD - your AD/LDAP server

Mobile Push 2FA - https://fcm.googleapis.com/fcm/send

Other - your target databases and servers
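The reachability checks above can be scripted so they are repeatable after firewall or routing changes. The script below is an added example and is not part of the Mamori documentation or product; the SMTP, LDAP and database hostnames in it are assumptions to be replaced with your own, while the push 2FA URL is the one given above. It uses bash's /dev/tcp so no extra client tooling is needed on the server.

```shell
#!/bin/sh
# Added example (not Mamori's own code): confirm the mamori server can reach the
# endpoints its integrations need. Hostnames marked "assumed" are placeholders.

# Host part of an http(s) URL (scheme, path and explicit port removed).
url_host() {
    printf '%s\n' "$1" | sed -E 's#^[a-z]+://##; s#/.*$##; s#:[0-9]+$##'
}

# Port part of an http(s) URL: the explicit port if present, else 443/80 by scheme.
url_port() {
    host_port=$(printf '%s\n' "$1" | sed -E 's#^[a-z]+://##; s#/.*$##')
    case "$host_port" in
        *:[0-9]*) printf '%s\n' "${host_port##*:}" ;;
        *) case "$1" in https://*) echo 443 ;; *) echo 80 ;; esac ;;
    esac
}

# Return 0 if a TCP connection to host:port is established within $3 seconds.
# bash's /dev/tcp avoids depending on nc or telnet being installed.
check_tcp() {
    host=$1; port=$2; wait=${3:-5}
    if command -v timeout >/dev/null 2>&1; then
        timeout "$wait" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    else
        bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    fi
}

# Run one named check and print PASS/FAIL; non-zero return on failure.
report() {
    name=$1; host=$2; port=$3
    if check_tcp "$host" "$port"; then
        printf 'PASS  %-9s %s:%s\n' "$name" "$host" "$port"
    else
        printf 'FAIL  %-9s %s:%s  (check DNS, routing and the firewall path)\n' "$name" "$host" "$port"
        return 1
    fi
}

main() {
    fcm_url="https://fcm.googleapis.com/fcm/send"      # from the documentation above
    rc=0
    report "SMTP"     "smtp.example.internal" 587 || rc=1                        # assumed host
    report "LDAP"     "ldap.example.internal" 636 || rc=1                        # assumed host
    report "Push2FA"  "$(url_host "$fcm_url")" "$(url_port "$fcm_url")" || rc=1
    report "Postgres" "db.example.internal" 5432  || rc=1                        # assumed host
    return $rc
}

# Run the checks only when invoked as: sh check_integrations.sh run
case "${1:-}" in
    run) main ;;
esac
```

Add one report line per target database or server you intend to proxy; a FAIL for the push 2FA URL means mobile push authentication cannot work until outbound 443 is allowed.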


Install Statement

Online install (pulls the image from Docker Hub):

#!/bin/bash

# Pull the current all-in-one image and create the container.
# --privileged together with the docker.sock mount gives the container full
# control of the host, so run mamori on a dedicated host and complete the
# Hardening Check List before production use.
sudo docker pull iomamori/mamori-all-in-one:latest
sudo docker create \
    --network host \
    --restart always \
    --privileged \
    --log-opt max-size=10m --log-opt max-file=10 \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v mamori-var:/opt/mamori/var \
    -v mamori-nginx-conf:/etc/nginx \
    -v mamori-data:/var/lib/postgresql \
    -v mamori-pg-conf:/etc/postgresql \
    -v mamori-influxdb:/opt/mamori/influxdb \
    -v mamori-influxdb-data:/var/lib/influxdb \
    -v mamori-grafana:/opt/mamori/grafana \
    -v /proc:/host/proc:ro \
    -v /etc/timezone:/etc/timezone:ro \
    -v /etc/localtime:/etc/localtime:ro \
    --name mamori iomamori/mamori-all-in-one:latest /sbin/my_init

sudo docker start mamori

Offline install (loads the image from a local mamori_mon_docker.tgz archive):

#!/bin/bash

# Load the image from the archive instead of pulling it; the container is
# otherwise created exactly as in the online install.
sudo docker image load < mamori_mon_docker.tgz

sudo docker create \
    --network host \
    --restart always \
    --privileged \
    --log-opt max-size=10m --log-opt max-file=10 \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v mamori-var:/opt/mamori/var \
    -v mamori-nginx-conf:/etc/nginx \
    -v mamori-data:/var/lib/postgresql \
    -v mamori-pg-conf:/etc/postgresql \
    -v mamori-influxdb:/opt/mamori/influxdb \
    -v mamori-influxdb-data:/var/lib/influxdb \
    -v mamori-grafana:/opt/mamori/grafana \
    -v /proc:/host/proc:ro \
    -v /etc/timezone:/etc/timezone:ro \
    -v /etc/localtime:/etc/localtime:ro \
    --name mamori mamori-all-in-one /sbin/my_init

sudo docker start mamori


Setup Server SSL Certificate

To set up the certificate for the mamori server, copy the certificate and key files into the nginx directory and then restart nginx, using the commands below. If you already have a PEM key file (it begins with -----BEGIN PRIVATE KEY-----), copy that file into nginx.key as it is.

docker cp new.crt mamori:/etc/nginx/ssl/nginx.crt
docker cp new.key mamori:/etc/nginx/ssl/nginx.key
docker exec -it mamori sv restart nginx

If you have a PEM bundle instead, you can extract the key and certificate files from it with the commands below. Please confirm that your PEM file does not begin with "-----BEGIN PRIVATE KEY-----" (if it does, it is already a key file and can be copied directly as above).

# nginx reads PEM-encoded files, so write PEM (not DER) output
openssl rsa -outform pem -in your-file.pem -out private.key
openssl x509 -outform pem -in your-file.pem -out your-file.crt
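A mismatched or already-expired certificate only shows up as an nginx restart failure or a browser error after the copy, so it is worth checking the pair first. The script below is an added example, not part of the Mamori documentation or product; it assumes the file names new.crt and new.key and the container name mamori used above, and the script name install_cert.sh is an assumption. It verifies that the key is an unencrypted PEM key, that the certificate's public key matches the private key, and that the certificate is not about to expire, and only then performs the docker cp and restart.

```shell
#!/bin/sh
# Added example (not Mamori's own code): validate a certificate/key pair before
# installing it into the mamori container's nginx.

# Return 0 when the public key embedded in the certificate equals the public
# key derived from the private key. openssl pkey handles RSA and EC keys alike.
cert_matches_key() {
    crt=$1; key=$2
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate remains valid for at least $2 more seconds.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Return 0 when the file is an unencrypted PEM private key, which is what the
# documentation above expects for nginx.key.
key_is_pem() {
    head -n 1 "$1" | grep -q -e '-----BEGIN .*PRIVATE KEY-----' &&
    ! grep -q 'ENCRYPTED' "$1"
}

# Validate, then copy into the container and restart nginx (steps from the page).
install_cert() {
    crt=$1; key=$2; container=${3:-mamori}
    key_is_pem "$key" ||
        { echo "refusing: key is not an unencrypted PEM private key" >&2; return 1; }
    cert_matches_key "$crt" "$key" ||
        { echo "refusing: certificate and key do not match" >&2; return 1; }
    cert_not_expiring "$crt" 2592000 ||
        { echo "refusing: certificate expires within 30 days" >&2; return 1; }
    docker cp "$crt" "$container:/etc/nginx/ssl/nginx.crt" &&
    docker cp "$key" "$container:/etc/nginx/ssl/nginx.key" &&
    docker exec "$container" sv restart nginx
}

# Usage: sh install_cert.sh run [cert] [key]   (defaults: new.crt new.key)
case "${1:-}" in
    run) install_cert "${2:-new.crt}" "${3:-new.key}" ;;
esac
```

The 30-day expiry margin is a choice for this example; the point is that the check happens before the old certificate is overwritten, not after.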


Setup Admin Account

Login

Login to the mamori portal with the bootstrap login

url : https://[mamori server ip address]

username : root

password : Mamori2021

Create admin user

Click Users

Click the add user button

Next, enter details in user dialog

details - login id, email, password and select administrator user profile

Click Create

Set 2FA - Click on edit authentication and set multi-factor authentication

Test Login

Logout & log in as new user

Disable Bootstrap Admin Account

Click Server Settings > Authentication Providers

Click the edit button for the admin provider in the list

Edit dialog options

Account Status Enabled - set to false

Click Update


Set General Server Settings

To set the general mamori server properties

Click Server Settings >

Click General

Next, enter details

Field                  Description
Public IP Address      The address or DNS name users will use to access the mamori server
Log Retention Period   Period to keep detailed logs
Modules Menus          Enable/disable the server module menus

Integrate email server

Integrating an email server will enable the following features

  • Email alerts
  • User login account emails
  • User remote access key emails

If you don't have an email server, then sendgrid.com offers a free plan. Click here to register

To integrate your email server

Click Server Settings

Click SMTP Settings

Next, enter SMTP server details

Field                Description
Mamori Server URL    Defaults to https://[your mamori server ip]
From Address         Defaults to no-reply@mamori.com
Server Hostname      Your SMTP server
Server Port          Defaults to 587
Use SSL              Defaults to false
Server Credentials
Logo File            Logo attached to the bottom of an email. Defaults to the mamori logo

Click Update Settings

Click Send Test Email


Configure 2FA Providers

Mamori server ships with 2 built-in 2FA providers

  • pushmobile - Uses the mamori mobile app and the Apple/Android notification services, which require the mamori server to access https://fcm.googleapis.com/fcm/send
  • pushtotp - Uses a web browser and one-time tokens, and works without internet access.

To enable the providers you edit them and set their Service URL property.

Push Mobile

Click Server Settings > Authentication Providers

Edit the pushmobile provider

Fill in these fields in the dialog:

Field                Description
Mamori Service URL   Enter your mamori server URL, e.g., https://mymamori.com or https://10.0.0.2
2FA Timeout          How long a user has to respond. Defaults to 180 seconds
2FA Cache Time       How long a session can remain inactive before another 2FA request is issued. Defaults to 15 minutes.

Click Update Provider

Push TOTP

Click Server Settings > Authentication Providers

Edit the pushtotp provider

Fill in these fields in the dialog:

Field                Description
Mamori Service URL   Enter your mamori server URL, e.g., https://mymamori.com or https://10.0.0.2
2FA Timeout          How long a user has to respond. Defaults to 180 seconds
2FA Cache Time       How long a session can remain inactive before another 2FA request is issued. Defaults to 15 minutes.

Click Update Provider

Configure Alert Channel

Intrusion

Click Server Settings > Alerts

Click the add button

Next, enter the details

Field           Description
Alert Name      intrusion
Alert Type      email
Email address   Enter a comma separated list of email addresses
Email Subject   Mamori Alert! Device Blocked {{username}}
Email Body      user : {{username}}
                client ip: {{source}}
                device name : {{device}}

Click to add another alert in the channel

Click Create to save the channel

Policy Request

Click Server Settings > Alerts

Click the add button

Next, enter the details

Field           Description
Alert Name      request
Alert Type      email
Email address   Enter a comma separated list of email addresses
Email Subject   Access Request from {{applicant}} for {{procedure}}
Email Body      applicant : {{applicant}}
                message: {{applicant_message}}
                policy: {{procedure}}
                status: {{status}}

Click to add another alert in the channel

Click Create to save the channel

See the link below for instructions on how to send alerts to Slack, Line or another service.

Information on Alert Channels

Hardening Check List

Ensure all items are completed before deploying to production.

Steps

Step 1 - Disable the bootstrap mamori admin account

Step 2 - Enable the mamori server firewall and open only used ports

Step 3 - Enforce 2FA for all logins

Step 4 - Execute the hardening guide for your mamori server OS.
Click for basic hardening guide
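Step 2 of the checklist is easy to drift from: a port opened for troubleshooting and never closed will not show up unless someone compares the live rule set against the list this guide opens. The script below is an added example, not part of the Mamori documentation or product; it parses "ufw status" output, flags any allowed port that is not in the guide's list, and reports rules that open everything from a source subnet (which should only be the Mamori WireGuard subnet). The sample status output embedded in it is constructed for illustration and deliberately contains an unexpected port.

```shell
#!/bin/sh
# Added example (not Mamori's own code): audit the host firewall against the
# ports this guide opens. Usage on a real host (script name is an assumption):
#   sudo ufw status | sh firewall_audit.sh run
# With "sample" as the argument it audits the constructed sample below.

# Ports the install guide opens. Trim this to the proxies you actually use.
EXPECTED_RULES="51871/udp 443 80 22 1122 5432 1433 3306 1521 28017 1527"

# Constructed sample of "ufw status" output: includes an unexpected port (8080)
# and the (v6) duplicates ufw prints for each rule.
SAMPLE_STATUS=$(cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
51871/udp                  ALLOW       Anywhere                   # wireguard port
443                        ALLOW       Anywhere                   # https
22                         ALLOW       Anywhere                   # ssh
Anywhere                   ALLOW       10.100.0.0/24
8080                       ALLOW       Anywhere
51871/udp (v6)             ALLOW       Anywhere (v6)              # wireguard port
443 (v6)                   ALLOW       Anywhere (v6)              # https
EOF
)

# Print "to|from" for every ALLOW rule on stdin, dropping trailing comments
# and the (v6) duplicates so each rule is reported once.
allow_rules() {
    awk '/ALLOW/ {
        to = $0;   sub(/[ \t]+ALLOW.*$/, "", to)
        if (to ~ /\(v6\)$/) next
        from = $0; sub(/^.*ALLOW( IN| OUT)?[ \t]+/, "", from)
        sub(/[ \t]*#.*$/, "", from); sub(/[ \t]+$/, "", from)
        print to "|" from
    }'
}

# Read "ufw status" output on stdin. Return 1 if ufw is inactive or a port
# outside EXPECTED_RULES is open; subnet-wide rules are printed for review.
audit_firewall() {
    status_output=$(cat)
    printf '%s\n' "$status_output" | grep -q '^Status: active' ||
        { echo "FAIL  ufw is not active"; return 1; }
    rc=0
    for rule in $(printf '%s\n' "$status_output" | allow_rules); do
        to=${rule%%|*}; from=${rule#*|}
        if [ "$to" = "Anywhere" ]; then
            echo "note  all ports open from $from (expected only for the Mamori WireGuard subnet)"
            continue
        fi
        case " $EXPECTED_RULES " in
            *" $to "*) echo "ok    $to" ;;
            *)         echo "EXTRA $to (not in the install guide's port list)"; rc=1 ;;
        esac
    done
    return $rc
}

case "${1:-}" in
    run)    audit_firewall ;;
    sample) printf '%s\n' "$SAMPLE_STATUS" | audit_firewall ;;
esac
```

Running it with the sample prints ok lines for the expected ports, a note for the 10.100.0.0/24 rule, and EXTRA 8080, exiting non-zero so it can gate a deployment pipeline.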


Helpful Scripts

Upgrade

Online upgrade (pulls the new image from Docker Hub):

#!/bin/bash

# Keep the current image and container under a timestamped name (mamori-<epoch>)
# so the previous version can be restored if the upgrade fails.
NOW=$(date +%s)
sudo docker tag iomamori/mamori-all-in-one:latest mamori-$NOW
sudo docker stop mamori
sudo docker rename mamori mamori-$NOW

sudo docker pull iomamori/mamori-all-in-one:latest

sudo docker create \
    --network host \
    --restart always \
    --privileged \
    --log-opt max-size=10m --log-opt max-file=10 \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v mamori-var:/opt/mamori/var \
    -v mamori-nginx-conf:/etc/nginx \
    -v mamori-data:/var/lib/postgresql \
    -v mamori-pg-conf:/etc/postgresql \
    -v mamori-influxdb:/opt/mamori/influxdb \
    -v mamori-influxdb-data:/var/lib/influxdb \
    -v mamori-grafana:/opt/mamori/grafana \
    -v /proc:/host/proc:ro \
    -v /etc/timezone:/etc/timezone:ro \
    -v /etc/localtime:/etc/localtime:ro \
    --name mamori iomamori/mamori-all-in-one:latest /sbin/my_init

sudo docker start mamori

# Remove the backup straight away. Leave these two lines out if you want to
# verify the upgrade first and remove the backup later with cleanup.sh.
sudo docker rm mamori-$NOW
sudo docker rmi mamori-$NOW

Offline upgrade (loads the new image from a local mamori_mon_docker.tgz archive):

#!/bin/bash

# Keep the current image and container under a timestamped name (mamori-<epoch>)
# so the previous version can be restored if the upgrade fails.
NOW=$(date +%s)
sudo docker tag mamori-all-in-one:latest mamori-$NOW
sudo docker stop mamori
sudo docker rename mamori mamori-$NOW

sudo docker image load < mamori_mon_docker.tgz

sudo docker create \
    --network host \
    --restart always \
    --log-opt max-size=10m --log-opt max-file=10 \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v mamori-var:/opt/mamori/var \
    -v mamori-nginx-conf:/etc/nginx \
    -v mamori-data:/var/lib/postgresql \
    -v mamori-pg-conf:/etc/postgresql \
    -v mamori-influxdb:/var/lib/influxdb \
    -v mamori-influxdb-conf:/etc/influxdb \
    -v mamori-grafana:/opt/mamori/grafana \
    -v /proc:/host/proc:ro \
    -v /etc/timezone:/etc/timezone:ro \
    -v /etc/localtime:/etc/localtime:ro \
    --name mamori mamori-all-in-one /sbin/my_init

sudo docker start mamori

# Remove the backup straight away. Leave these two lines out if you want to
# verify the upgrade first and remove the backup later with cleanup.sh.
sudo docker rm mamori-$NOW
sudo docker rmi mamori-$NOW
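The upgrade scripts keep the previous container and image as mamori-<epoch>, but nothing on this page shows how to go back to them. The script below is an added example, not part of the Mamori documentation or product; it assumes the final rm/rmi lines of the upgrade script were skipped (otherwise there is no backup left to restore) and that the cleanup script has not yet run. It picks the newest mamori-<epoch> container, swaps it back under the name mamori and starts it; the backup image tag is left in place for cleanup.sh to remove once the rollback has been confirmed.

```shell
#!/bin/sh
# Added example (not Mamori's own code): roll back to the container the upgrade
# script renamed to mamori-<epoch>. Uses only standard docker CLI commands.

# From container names on stdin, print the newest mamori-<epoch> backup
# (largest epoch). Names such as "mamori" or "mamori-wireguard" are ignored.
latest_backup() {
    grep -E '^mamori-[0-9]+$' | sort -t- -k2,2n | tail -n 1
}

# Stop and remove the upgraded container, restore the backup under the
# original name and start it. Pass a backup name to override auto-detection.
rollback() {
    backup=${1:-$(sudo docker ps -a --filter 'name=^mamori-[0-9]+$' --format '{{.Names}}' | latest_backup)}
    [ -n "$backup" ] ||
        { echo "no mamori-<epoch> backup container found; nothing to roll back to" >&2; return 1; }
    echo "rolling back to $backup"
    sudo docker stop mamori
    sudo docker rm mamori
    sudo docker rename "$backup" mamori
    sudo docker start mamori
    echo "rolled back; run cleanup.sh only after confirming the restored service"
}

# Usage: sh rollback.sh run [backup-container-name]   (script name is an assumption)
case "${1:-}" in
    run) rollback "${2:-}" ;;
esac
```

Because the data volumes (mamori-data, mamori-var and the rest) are shared between the old and new containers, a rollback restores the previous software version but not the previous database contents; take a volume backup before upgrading if that matters for your deployment.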

Upgrade Clean Up Script

Removes backup mamori containers and images.

Always run cleanup after you have verified your upgrade. If you don't run the clean up and reboot the server, then multiple mamori services will start.
cleanup.sh

#!/bin/bash

# Remove the backup containers the upgrade script renamed to mamori-<epoch>.
# The variables are left unquoted on purpose so several ids expand as separate arguments.
FOUND_CONTAINER=$(docker ps -a -f "name=mamori-[0-9]+" -q 2> /dev/null)
if [[ $FOUND_CONTAINER == "" ]]; then
    echo "No old mamori containers found"
else
    echo "Found old Mamori containers: $FOUND_CONTAINER"
    docker rm $FOUND_CONTAINER
fi

# Remove the backup images tagged mamori-<epoch>.
FOUND_IMAGE=$(docker images -f "reference=mamori-[0-9]*" -q 2> /dev/null)
if [[ $FOUND_IMAGE == "" ]]; then
    echo "No old mamori images found"
else
    echo "Found old Mamori images: $FOUND_IMAGE"
    docker image rm -f $FOUND_IMAGE
fi

Uninstall

uninstall.sh

#!/bin/bash

# Stop and remove the mamori containers, then their images and data volumes.
sudo docker kill mamori
sudo docker kill mamori-wireguard

sudo docker rm mamori mamori-wireguard
sudo docker rmi iomamori/mamori-all-in-one mamori-wireguard mamori-alpine-boringtun
sudo docker volume rm \
    mamori-var \
    mamori-nginx-conf \
    mamori-data \
    mamori-pg-conf \
    mamori-influxdb \
    mamori-influxdb-data \
    mamori-influxdb-conf \
    mamori-grafana

High Availability

Steps

Step 1 - Setup PG Cluster

Step 2 - Install Metric DB & MQTT Server

Step 3 - Install Mamori Base with HA Option

Step 4 - Install & Configure Load Balancer

Updated at Fri, Sep 9, 2022