Install Server
Steps
Step 1 - Setup Server & Firewall
Step 2 - Install Software
Step 3 - Setup Admin Account
Step 4 - Integrate your email server (optional)
Step 5 - Configure 2FA providers
Step 6 - Configure Alert Channel(s)
Step 7 - Hardening Check List
Setup Server & Firewall
Requirements
Hardware | Minimum | Recommended |
---|---|---|
Operating System | 64-bit Intel Linux with Docker installed | 64-bit Intel Ubuntu Server LTS |
CPU | 2 core | 4 core |
Memory | 4GB | 8GB (+4GB per 10K requests/hour) |
Hard Drive | 5GB (installer) | 20GB (~10GB per 7 day log retention) |
Trusted SSL Certificate on Server | Install CA certificates in Ubuntu server | instructions |
Web Portal Browser | Any modern browser | Chrome, Edge, Firefox |
Open ports when running in a DMZ or public cloud
- UDP 51871 (WireGuard VPN)
- 443 (required for mobile push multi-factor authentication)
- 22 (optional - allows remote support by mamori.io)
sudo ufw allow 51871/udp comment "wireguard port"
sudo ufw allow 443 comment "https"
sudo ufw allow 22 comment "ssh"
# replace the placeholder with the /24 you plan to use for the mamori WireGuard network
sudo ufw allow from (PLANNED MAMORI WIREGUARD PRIVATE IP)/24
sudo ufw enable
sudo ufw status
Open ports when accessed inside a firewall
- 22, 443, 80
- Desired Database Proxy ports (optional)
- 1122 (SSH Proxy)
- 5432 (Postgres)
- 1433 (SQL Server)
- 3306 (MySQL)
- 1521 (Oracle)
- 28017 (Mongo)
- 1527 (Other JDBC)
sudo ufw allow 22 comment "standard SSH"
sudo ufw allow 443 comment "https"
sudo ufw allow 1122 comment "SSH Proxy"
sudo ufw allow 5432 comment "Postgres Proxy"
sudo ufw allow 1433 comment "MSSQL Proxy"
sudo ufw allow 3306 comment "MySQL Proxy"
sudo ufw allow 1521 comment "Oracle Proxy"
sudo ufw allow 28017 comment "Mongo Proxy"
sudo ufw allow 1527 comment "Mamori JDBC"
sudo ufw enable
sudo ufw status
Confirm IP access for desired integrations
From your mamori server, confirm you can reach:
Email - your SMTP server
LDAP/AD - your AD/LDAP server
Mobile Push 2FA - https://fcm.googleapis.com/fcm/send
Other - your target databases and servers
Install Statement
Install using the image from Docker Hub:
#!/bin/bash
sudo docker pull iomamori/mamori-all-in-one:latest
sudo docker create \
--network host \
--restart always \
--privileged \
--log-opt max-size=10m --log-opt max-file=10 \
-v /var/run/docker.sock:/var/run/docker.sock \
-v mamori-var:/opt/mamori/var \
-v mamori-nginx-conf:/etc/nginx \
-v mamori-data:/var/lib/postgresql \
-v mamori-pg-conf:/etc/postgresql \
-v mamori-influxdb:/opt/mamori/influxdb \
-v mamori-influxdb-data:/var/lib/influxdb \
-v mamori-grafana:/opt/mamori/grafana \
-v /proc:/host/proc:ro \
-v /etc/timezone:/etc/timezone:ro \
-v /etc/localtime:/etc/localtime:ro \
--name mamori iomamori/mamori-all-in-one:latest /sbin/my_init
sudo docker start mamori
Install from a downloaded image archive (mamori_mon_docker.tgz):
#!/bin/bash
sudo docker image load < mamori_mon_docker.tgz
sudo docker create \
--network host \
--restart always \
--privileged \
--log-opt max-size=10m --log-opt max-file=10 \
-v /var/run/docker.sock:/var/run/docker.sock \
-v mamori-var:/opt/mamori/var \
-v mamori-nginx-conf:/etc/nginx \
-v mamori-data:/var/lib/postgresql \
-v mamori-pg-conf:/etc/postgresql \
-v mamori-influxdb:/opt/mamori/influxdb \
-v mamori-influxdb-data:/var/lib/influxdb \
-v mamori-grafana:/opt/mamori/grafana \
-v /proc:/host/proc:ro \
-v /etc/timezone:/etc/timezone:ro \
-v /etc/localtime:/etc/localtime:ro \
--name mamori mamori-all-in-one /sbin/my_init
sudo docker start mamori
Setup Admin Account
Login
Log in to the mamori portal with the bootstrap login:
url : https://[mamori server ip address]
username : root
password : Mamori2021
Create admin user
Click Users, then click the add-user icon
Next, enter the details in the user dialog
details - login id, email, password, and select the administrator user profile
Click Create
Set 2FA - click on edit authentication and set multi-factor authentication
Test Login
Log out and log in as the new user
Disable Bootstrap Admin Account
Click Server Settings > Authentication Providers, then click the edit icon for the admin provider in the list
Edit dialog options
Account Status Enabled - set to false
Click Update
Integrate email server
Integrating an email server enables the following features:
- Email alerts
- User login account emails
- User remote access key emails
If you don't have an email server, sendgrid.com offers a free plan. Click here to register
To integrate your email server:
Click Server Settings
Click SMTP Settings
Next, enter the SMTP server details:
Field | Description |
---|---|
Mamori Server URL | defaults to https://[your mamori server ip] |
From Address | defaults to no-reply@mamori.com |
Server Hostname | your SMTP server |
Server Port | defaults to 587 |
Use SSL | defaults to false |
Server Credentials | |
Logo File | Logo attached to the bottom of an email. Defaults to the mamori logo |
Click Update Settings
Click Send Test Email
Configure 2FA Providers
Mamori server ships with two built-in 2FA providers:
- pushmobile - uses the mamori mobile app and the Apple/Android notification services, which require the mamori server to access https://fcm.googleapis.com/fcm/send
- pushtotp - uses a web browser and one-time tokens, and works without internet access.
To enable a provider, edit it and set its Service URL property.
Push Mobile
Click Server Settings > Authentication Providers, then edit the pushmobile provider
Fill in these fields in the dialog:
Field | Description |
---|---|
Mamori Service URL | Enter your mamori server URL, e.g. https://mymamori.com or https://10.0.0.2 |
2FA Timeout | How long a user has to respond. Defaults to 180 seconds |
2FA Cache Time | How long a session can remain inactive before another 2FA request is issued. Defaults to 15 minutes. |
Click Update Provider
Push TOTP
Click Server Settings > Authentication Providers, then edit the pushtotp provider
Fill in these fields in the dialog:
Field | Description |
---|---|
Mamori Service URL | Enter your mamori server URL, e.g. https://mymamori.com or https://10.0.0.2 |
2FA Timeout | How long a user has to respond. Defaults to 180 seconds |
2FA Cache Time | How long a session can remain inactive before another 2FA request is issued. Defaults to 15 minutes. |
Click Update Provider
Configure Alert Channel
Intrusion
Click Server Settings > Alerts, then click the add icon
Next, enter the details:
Field | Description |
---|---|
Alert Name | intrusion |
Alert Type | Email |
Address | enter a comma separated list of email addresses |
Email Subject | Mamori Alert! Device Blocked {{username}} |
Email Body | the three-line template below |
user : {{username}}
client ip: {{source}}
device name : {{device}}
Click the add icon to add another alert to the channel
Click Create to save the channel
Policy Request
Click Server Settings > Alerts, then click the add icon
Next, enter the details:
Field | Description |
---|---|
Alert Name | request |
Alert Type | Email |
Address | enter a comma separated list of email addresses |
Email Subject | Access Request from {{applicant}} for {{procedure}} |
Email Body | the four-line template below |
applicant : {{applicant}}
message: {{applicant_message}}
policy: {{procedure}}
status: {{status}}
Click the add icon to add another alert to the channel
Click Create to save the channel
Information on Alert Channels
Hardening Check List
Ensure all items are completed before deploying to production.
Steps
Step 1 - Disable the bootstrap mamori admin account
Step 2 - Enable the mamori server firewall and open only used ports
Step 3 - Enforce 2FA for all logins
Step 4 - Execute the hardening guide for your mamori server OS.
Click for basic hardening guide
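A check for step 2 of this list and for the two firewall sections above, added here as an example and not part of the Mamori docs: it compares the ALLOW rules in `sudo ufw status` output with the port list the guide opens for each deployment mode and reports anything else. The sample status text and its subnet are constructed; the function and the two port-list variables are mine.

```shell
#!/bin/sh
# Added example, not from the Mamori docs: audit ufw ALLOW rules against the
# ports this guide opens, so "open only used ports" can be checked rather
# than eyeballed. Assumes the standard two-column `ufw status` output.

# Port lists taken from the two firewall sections of this guide.
DMZ_PORTS="51871/udp 443 22"
INTERNAL_PORTS="22 80 443 1122 5432 1433 3306 1521 28017 1527"

# audit_ufw_rules STATUS_TEXT EXPECTED_PORTS
# Prints every ALLOW rule whose "To" column is not in EXPECTED_PORTS and
# returns 1 if any were printed, 0 otherwise. Source-only rules such as
# "allow from x.x.x.x/24" show "Anywhere" in that column, so they are
# always listed for review.
audit_ufw_rules() {
  _expected=" $2 "
  _found=0
  while read -r _to _action _rest; do
    # header, separator and "(v6)" duplicate lines have no ALLOW in field 2
    [ "$_action" = "ALLOW" ] || continue
    case "$_expected" in
      *" $_to "*) ;;
      *) printf '%s %s %s\n' "$_to" "$_action" "$_rest"; _found=1 ;;
    esac
  done <<EOF
$1
EOF
  return $_found
}

# Constructed sample: an inside-the-firewall host with one rule the guide
# never opens (8080) and one source-based rule (the subnet is made up).
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere                   # standard SSH
443                        ALLOW       Anywhere                   # https
5432                       ALLOW       Anywhere                   # Postgres Proxy
8080                       ALLOW       Anywhere
Anywhere                   ALLOW       10.8.0.0/24
22 (v6)                    ALLOW       Anywhere (v6)              # standard SSH'

# On a real server run: audit_ufw_rules "$(sudo ufw status)" "$INTERNAL_PORTS"
if audit_ufw_rules "$SAMPLE_STATUS" "$INTERNAL_PORTS"; then
  echo "firewall rules match the guide"
else
  echo "review the rules listed above"
fi
```

Pass `$DMZ_PORTS` instead for a host in a DMZ; the `allow from` subnet rule will still be listed, which is the intended prompt to confirm it is the planned WireGuard range.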
Helpful Scripts
Upgrade
Upgrade using the image from Docker Hub. The current image is tagged and the running container renamed with a timestamp so they remain available as a backup until the last two lines remove them:
#!/bin/bash
NOW=`date +%s`
# keep the current image and container under a timestamped backup name
sudo docker tag iomamori/mamori-all-in-one:latest mamori-$NOW
sudo docker stop mamori
sudo docker rename mamori mamori-$NOW
sudo docker pull iomamori/mamori-all-in-one:latest
sudo docker create \
--network host \
--restart always \
--privileged \
--log-opt max-size=10m --log-opt max-file=10 \
-v /var/run/docker.sock:/var/run/docker.sock \
-v mamori-var:/opt/mamori/var \
-v mamori-nginx-conf:/etc/nginx \
-v mamori-data:/var/lib/postgresql \
-v mamori-pg-conf:/etc/postgresql \
-v mamori-influxdb:/opt/mamori/influxdb \
-v mamori-influxdb-data:/var/lib/influxdb \
-v mamori-grafana:/opt/mamori/grafana \
-v /proc:/host/proc:ro \
-v /etc/timezone:/etc/timezone:ro \
-v /etc/localtime:/etc/localtime:ro \
--name mamori iomamori/mamori-all-in-one:latest /sbin/my_init
sudo docker start mamori
# remove the backup; the Upgrade Clean Up Script below removes any left behind
sudo docker rm mamori-$NOW
sudo docker rmi mamori-$NOW
Upgrade from a downloaded image archive (mamori_mon_docker.tgz):
#!/bin/bash
NOW=`date +%s`
# keep the current image and container under a timestamped backup name
sudo docker tag mamori-all-in-one:latest mamori-$NOW
sudo docker stop mamori
sudo docker rename mamori mamori-$NOW
sudo docker image load < mamori_mon_docker.tgz
# note: unlike the install script, this create command has no --privileged flag
# and maps the influxdb volumes differently; compare with the mounts of your
# running container (sudo docker inspect mamori) before upgrading so no data is left behind
sudo docker create \
--network host \
--restart always \
--log-opt max-size=10m --log-opt max-file=10 \
-v /var/run/docker.sock:/var/run/docker.sock \
-v mamori-var:/opt/mamori/var \
-v mamori-nginx-conf:/etc/nginx \
-v mamori-data:/var/lib/postgresql \
-v mamori-pg-conf:/etc/postgresql \
-v mamori-influxdb:/var/lib/influxdb \
-v mamori-influxdb-conf:/etc/influxdb \
-v mamori-grafana:/opt/mamori/grafana \
-v /proc:/host/proc:ro \
-v /etc/timezone:/etc/timezone:ro \
-v /etc/localtime:/etc/localtime:ro \
--name mamori mamori-all-in-one /sbin/my_init
sudo docker start mamori
# remove the backup; the Upgrade Clean Up Script below removes any left behind
sudo docker rm mamori-$NOW
sudo docker rmi mamori-$NOW
Upgrade Clean Up Script
Removes backup mamori containers and images.
#!/bin/bash
# backup containers and images are named mamori-<timestamp> by the upgrade scripts
FOUND_CONTAINER=`sudo docker ps -a -f "name=mamori-[0-9]+" -q 2> /dev/null`
if [[ $FOUND_CONTAINER == "" ]]; then
echo "No old mamori containers found"
else
echo Found old Mamori containers: $FOUND_CONTAINER
sudo docker rm $FOUND_CONTAINER
fi
FOUND_IMAGE=`sudo docker images -f "reference=mamori-[0-9]*" -q 2> /dev/null`
if [[ $FOUND_IMAGE == "" ]]; then
echo "No old mamori images found"
else
echo Found old Mamori images: $FOUND_IMAGE
sudo docker image rm -f $FOUND_IMAGE
fi
Uninstall
#!/bin/bash
sudo docker kill mamori
sudo docker kill mamori-wireguard
sudo docker rm mamori mamori-wireguard
sudo docker rmi iomamori/mamori-all-in-one mamori-wireguard mamori-alpine-boringtun
sudo docker volume rm \
mamori-var \
mamori-nginx-conf \
mamori-data \
mamori-pg-conf \
mamori-influxdb \
mamori-influxdb-data \
mamori-influxdb-conf \
mamori-grafana
High Availability
Steps
Step 1 - Setup PG Cluster
Step 2 - Install Metric DB & MQTT Server
Step 3 - Install Mamori Base with HA Option
Step 4 - Install & Configure Load Balancer