Install Server

Steps

Step 1 - Setup Server & Firewall

Step 2 - Install Software

Step 3 - Setup Admin Account

Step 4 - Set general server settings

Step 5 - Integrate your email server (optional)

Step 6 - Configure Alert Channel(s) (optional)

Step 7 - Hardening Check List

Setup Server & Firewall

Requirements

Hardware	Minimum	Recommended
Operating System	64-bit intel linux with docker installed	64-bit intel Ubuntu Server LTS
CPU	2 core	4 core
Memory	2GB	8GB (+4GB per 10K requests/hour)
Hard Drive	30GB	50GB (~10GB per 7 day log retention)
Trusted SSL Certificate on Server	Install CA certificates in Ubuntu server	instructons
Web Portal Browser	Any modern browser	Chrome, Edge, Firefox

Open ports when running in a dmz or public cloud

UDP 51871 (wireguard vpn)
443 (required for mobile push multi-factored authentication)
22 (optional - allows remote support by mamorio.io)

sudo ufw allow 51871/udp comment "wireguard port"
sudo ufw allow 443 comment "https"
sudo ufw allow 22 comment "ssh"
sudo ufw allow from (PLANNED MAMORI WIREGUARD PRIVATE IP)/24
sudo ufw enable
sudo ufw status

When configuring mamori wireguard you will assign a private IP to the mamori server and a subnet mask.

Common private IP addresses are 10.0.0.1,10.100.0.1 172.0.0.1, 192.168.0.1, etc

Please ensure that this does not conflict with any existing subnets you plan to expose via mamori.

Open ports when accessed inside a firewall

22,443,80
Desired Database Proxy ports (optional)
- 1122 (SSH Proxy)
- 5432 (Postgres)
- 1433 (SQL Server)
- 3306 (MySQL)
- 1521 (Oracle)
- 28017 (Mongo)
- 1527 (Other JDBC)

sudo ufw allow 22 comment "standard SSH"
sudo ufw allow 443 comment "https"
sudo ufw allow 1122 comment "SSH Proxy"
sudo ufw allow 5432 comment "Postgres Proxy"
sudo ufw allow 1433 comment "MSSQL Proxy"
sudo ufw allow 3306 comment "MySQL Proxy"
sudo ufw allow 1521 comment "Oracle Proxy"
sudo ufw allow 28017 comment "Mongo Proxy"
sudo ufw allow 1527 comment "Mamori JDBC"
sudo ufw enable
sudo ufw status

Confirm IP access for desired integrations

From your mamori server confirm you can access

Email - your SMTP server

LDAP/AD - your AD/LDAP server

Mobile Push 2FA - https://fcm.googleapis.com/fcm/send

Other - your target databases and servers

Install Statement

#!/bin/bash

sudo docker pull iomamori/mamori-all-in-one:latest
sudo docker create \
        --network host \
        --restart always \
        --privileged \
    --log-opt max-size=10m --log-opt max-file=10 \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v mamori-var:/opt/mamori/var \
        -v mamori-nginx-conf:/etc/nginx \
        -v mamori-data:/var/lib/postgresql \
        -v mamori-pg-conf:/etc/postgresql \
        -v mamori-influxdb:/opt/mamori/influxdb \
        -v mamori-influxdb-data:/var/lib/influxdb \
        -v mamori-grafana:/opt/mamori/grafana \
        -v /proc:/host/proc:ro \
    -v /etc/timezone:/etc/timezone:ro \
        -v /etc/localtime:/etc/localtime:ro \
        --name mamori iomamori/mamori-all-in-one:latest /sbin/my_init

sudo docker start mamori

#!/bin/bash

sudo docker image load < mamori_mon_docker.tgz

sudo docker create \
        --network host \
        --restart always \
        --privileged \
    --log-opt max-size=10m --log-opt max-file=10 \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v mamori-var:/opt/mamori/var \
        -v mamori-nginx-conf:/etc/nginx \
        -v mamori-data:/var/lib/postgresql \
        -v mamori-pg-conf:/etc/postgresql \
        -v mamori-influxdb:/opt/mamori/influxdb \
        -v mamori-influxdb-data:/var/lib/influxdb \
        -v mamori-grafana:/opt/mamori/grafana \
        -v /proc:/host/proc:ro \
        -v /etc/timezone:/etc/timezone:ro \
        -v /etc/localtime:/etc/localtime:ro \
        --name mamori mamori-all-in-one /sbin/my_init

sudo docker start mamori

Setup Server SSL Certificate

To setup the certificate for the mamori server you need to copy the cert and key file into the nginx directory and then restart nginx. Use the commands below. If you have an extracted PEM file (begins with -----BEGIN PRIVATE KEY-----), then you that cp that file into nginx.key.

docker cp new.crt mamori:/etc/nginx/ssl/nginx.crt
docker cp new.key mamori:/etc/nginx/ssl/nginx.key
docker exec -it mamori sv restart nginx

If you have a PEM file, then you can extract your key and cert files with the commands below. Please confirm that your PEM file doesn't not begin with "-----BEGIN PRIVATE KEY-----".

openssl rsa -outform der -in your-file.pem -out private.key
openssl x509 -outform der -in your-file.pem -out your-file.crt

Setup Admin Account

Login to the mamori portal with the bootstrap login

url : https://[mamori server ip address]

username : root password : Mamori2021

Create admin user

Click Users

Click

Next, enter details in user dialog

details - login id, email, password and select administrator user profile

Click Create

Set 2FA - Click on edit authentication and set multi-factor authentication

Test Login

Logout & log in as new user

Disable Bootstrap Admin Account

Click Server Settings > Authentication Providers

Click for admin provider in list

Edit dialog options

Account Status Enabled - set to false

Click Update

Set General Server Settings

To set the general mamori server properties

Click Server Settings >

Click General

Next, enter details

Field Description
Public IP Address the address or DNS name users will use to access the mamori server
Log Retention Period Period to keep detailed logs
Modules Menus Enable/Disable the sever module menus

Field	Description
Public IP Address	the address or DNS name users will use to access the mamori server
Log Retention Period	Period to keep detailed logs
Modules Menus	Enable/Disable the sever module menus

Integrate email server

Integrating an email server will enable the following features

Email alerts
User login account emails
User remote access key emails

If you don't have an email server, then sendgrid.com offers a free plan. Click here to register

To integrate your email server

Click Server Settings

Click SMTP Settings

Next, enter SMTP server details

Field Description
Mamori Server URL defaults to https://[your mamori server ip]
From Address defaults to no-reply@mamori.com
Server Hostname your smtp server
Server Port defaults to 587
Use SSL defaults to false
Server Credentials
Logo File Logo attached to the bottom of an email.
Defaults to mamori logo

Click Update Settings

Click Send Test Email

Field	Description
Mamori Server URL	defaults to https://[your mamori server ip]
From Address	defaults to no-reply@mamori.com
Server Hostname	your smtp server
Server Port	defaults to 587
Use SSL	defaults to false
Server Credentials
Logo File	Logo attached to the bottom of an email. Defaults to mamori logo

Configure 2FA Providers

Mamori server ships with 2 built-in 2FA providers

pushmobile - Uses the mamori mobile app and Apple/Android notification services which require the mamori server to acces https://fcm.googleapis.com/fcm/send
pushtotp - Uses a web browser, one time tokens and works without internet access.

To enable the providers you edit them and set their Service URL property.

Push Mobile

Click Server Settings > Authentication Providers

Edit the pushmobile provider

Fill in these fields in the dialog:

Field Description
Mamori Service URL Enter your mamori server url
e.g., https://mymamori.com or https://10.0.0.2
2FA Timeout How long a user has to respond.
Defaults to 180 seconds
2FA Cache Time How long a session can remain inactive before another 2FA request is issued.
Defaults to 15 minutes.

Click Update Provider

Field	Description
Mamori Service URL	Enter your mamori server url e.g., `https://mymamori.com` or `https://10.0.0.2`
2FA Timeout	How long a user has to respond. Defaults to 180 seconds
2FA Cache Time	How long a session can remain inactive before another 2FA request is issued. Defaults to 15 minutes.

Push TOTP

Click Server Settings > Authentication Providers

Edit the pushtotp provider

Fill in these fields in the dialog:

Field Description
Mamori Service URL Enter your mamori server url
e.g., https://mymamori.com or https://10.0.0.2
2FA Timeout How long a user has to respond.
Defaults to 180 seconds
2FA Cache Time How long a session can remain inactive before another 2FA request is issued.
Defaults to 15 minutes.

Click Update Provider

Field	Description
Mamori Service URL	Enter your mamori server url e.g., `https://mymamori.com` or `https://10.0.0.2`
2FA Timeout	How long a user has to respond. Defaults to 180 seconds
2FA Cache Time	How long a session can remain inactive before another 2FA request is issued. Defaults to 15 minutes.

Configure Alert Channel

Intrusion

Click Server Settings > Alerts

Click

Next, enter the details

Field Description
Alert Name intrusion
Alert Type email
Email address enter a comma separated list of email addresses
Email Subject Mamori Alert! Device Blocked {{username}}
Email Body user : {{username}}
client ip: {{source}}
device name : {{device}}

Click to add another alert in the channel

Click Create to save the channel

Field	Description
Alert Name	intrusion
Alert Type	email
Email address	enter a comma separated list of email addresses
Email Subject	Mamori Alert! Device Blocked {{username}}
Email Body	user : {{username}} client ip: {{source}} device name : {{device}}

Policy Request

Click Server Settings > Alerts

Click

Next, enter the details

Field Description
Alert Name request
Alert Type email
Email address enter a comma separated list of email addresses
Email Subject Access Request from {{applicant}} for {{procedure}}
Email Body applicant : {{applicant}}
message: {{applicant_message}}
policy: {{procedure}}
status: {{status}}

Click to add another alert in the channel

Click Create to save the channel

Field	Description
Alert Name	request
Alert Type	email
Email address	enter a comma separated list of email addresses
Email Subject	Access Request from {{applicant}} for {{procedure}}
Email Body	applicant : {{applicant}} message: {{applicant_message}} policy: {{procedure}} status: {{status}}

See the link below for instructions on how to send alerts to Slack, Line or another service.

Information on Alert Channels

Hardening Check List

Ensure all items are completed before deploying to production.

Steps

Step 1 - Disable the bootstrap mamori admin account

Step 2 - Enable the mamori server firewall and open only used ports

Step 3 - Enforce 2FA for all logins

Step 4 - Executed the hardening guide for your mamori server OS.
Click for basic hardening guide

Helpful Scripts

Upgrade

#!/bin/bash

NOW=`date +%s`
sudo docker tag iomamori/mamori-all-in-one:latest mamori-$NOW
sudo docker stop mamori
sudo docker rename mamori mamori-$NOW

sudo docker pull iomamori/mamori-all-in-one:latest


sudo docker create \
        --network host \
        --restart always \
        --privileged \
    --log-opt max-size=10m --log-opt max-file=10 \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v mamori-var:/opt/mamori/var \
        -v mamori-nginx-conf:/etc/nginx \
        -v mamori-data:/var/lib/postgresql \
        -v mamori-pg-conf:/etc/postgresql \
        -v mamori-influxdb:/opt/mamori/influxdb \
        -v mamori-influxdb-data:/var/lib/influxdb \
        -v mamori-grafana:/opt/mamori/grafana \
        -v /proc:/host/proc:ro \
    -v /etc/timezone:/etc/timezone:ro \
        -v /etc/localtime:/etc/localtime:ro \
        --name mamori iomamori/mamori-all-in-one:latest /sbin/my_init

sudo docker start mamori

sudo docker rm mamori-$NOW
sudo docker rmi mamori-$NOW

#!/bin/bash

NOW=`date +%s`
sudo docker tag mamori-all-in-one:latest mamori-$NOW
sudo docker stop mamori
sudo docker rename mamori mamori-$NOW

sudo docker image load < mamori_mon_docker.tgz

sudo docker create \
        --network host \
        --restart always \
        --log-opt max-size=10m --log-opt max-file=10 \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v mamori-var:/opt/mamori/var \
        -v mamori-nginx-conf:/etc/nginx \
        -v mamori-data:/var/lib/postgresql \
        -v mamori-pg-conf:/etc/postgresql \
        -v mamori-influxdb:/var/lib/influxdb \
        -v mamori-influxdb-conf:/etc/influxdb \
        -v mamori-grafana:/opt/mamori/grafana \
        -v /proc:/host/proc:ro \
        -v /etc/timezone:/etc/timezone:ro \
        -v /etc/localtime:/etc/localtime:ro \
        --name mamori mamori-all-in-one /sbin/my_init

sudo docker start mamori

docker rm mamori-$NOW
docker rmi mamori-$NOW

Upgrade Clean Up Script

Removes backup mamori containers and images.

Always run cleanup after you have verified your upgrade. If you don't run the clean up and reboot the server, then multiple mamori services will start.

cleanup.sh

#!/bin/bash

FOUND_CONTAINER=`docker ps -a -f "name=mamori-[0-9]+" -q 2> /dev/null`
if [[ $FOUND_CONTAINER == "" ]]; then
    echo "No old mamori containers found"
else
    echo Found old Mamori containers: $FOUND_CONTAINER
    docker rm $FOUND_CONTAINER
fi

FOUND_IMAGE=`docker images -f "reference=mamori-[0-9]*" -q 2> /dev/null`
echo $FOUND_IMAGE
if [[ $FOUND_IMAGE == "" ]]; then
    echo "No old mamori images found"
else
    echo Found old Mamori images: $FOUND_IMAGE
    docker image rm -f $FOUND_IMAGE
fi

Uninstall

uninstall.sh

#!/bin/bash

sudo docker kill mamori
sudo docker kill mamori-wireguard

sudo docker rm mamori mamori-wireguard
sudo docker rmi iomamori/mamori-all-in-one mamori-wireguard mamori-alpine-boringtun
sudo docker volume rm \
        mamori-var \
        mamori-nginx-conf \
        mamori-data \
        mamori-pg-conf \
        mamori-influxdb \
        mamori-influxdb-data \
    mamori-influxdb-conf \
        mamori-grafana

High Availability

Steps

Step 1 - Setup PG Cluster

Step 2 - Install Metric DB & MQTT Server

Step 3 - Install Mamori Base with HA Option

Step 4 - Install & Configure Load Balancer