I have found myself deploying MISP on very small instances lately, mostly to function as a clearinghouse for intelligence I have been generating. So it begs the question – Does MISP run in DigitalOcean or Vultr hosting?
Deploy an Appliance
Unless you are going to be creating a truly massive MISP instance, you can probably run a lightweight instance on some smaller system specifications. In my use case, I will be generating intelligence which really does not need into ingest information from other sources. In other words, this instance will be used as a clearinghouse for my own produced intelligence.
In my case, I will be using a smaller instance. 1vCPU, 2GB RAM, 55GB SSD, and 2TB of bandwidth, and using Ubuntu 18.04 as the base Operating System.
After a very brief wait, the deployment is complete, and we can move through to patching and hardening the Operating System.
Update the OS
As always, the VM needs to be updated and upgraded using canonical sources. We achieve this through a very small scriptlet.
sudo apt update -y && sudo apt upgrade -y
There is nothing too fancy in there, except now I am going to install a firewall and an intrusion detection system on the VM so we can defend against external attacks, and hopefully prevent and slow down brute-force attacks.
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
Create a new user
MISP dislikes being installed as a root user, and Vultr and DigitalOcean will create root users for you by default. We are now going to create a new user and add it to the sudoers group so we can install MISP using the automated installer.
adduser mispinstall
usermod -aG sudo mispinstall
su - mispinstall
Now that we are sudo’ed into the new user we can start installing MISP.
Install MISP
Installation is pretty easy, it is a two-liner to download and install. You will be asked for sudo credentials, and you can change the BASE URL for the installation here too. Lastly, you will be asked to create a new user for MISP. In my installations, I choose to create a new user called ‘misp’ for the service itself.
wget -O /tmp/INSTALL.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh
bash /tmp/INSTALL.sh -A
Now because we have ConfigServer installed on the base Operating System, we need to permit ports 80 and 443 for incoming connections. Within ConfigServer we can achieve that through the following scriptlet.
sudo nano /etc/csf/csf.conf
Find the TCP_IN variable, add update the contents with ports you which to permit to have incoming connections.
TCP_IN = "22,80,443"
Once updated, we will need to restart CSF so the new rules kick in.
sudo csf -r
Configure MISP
For the initial installation, a number of settings will need to be updated, we can change most of these through the CLI in a programmatic manner.
sudo /var/www/MISP/app/Console/cake Password [email protected] Password1234
Hardening MISP with Certbot
Now that we have installed and configured MISP, we can also generate certificates using certbot and then link those certificates to the apache configuration file for MISP.
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot certonly -d 'misp.yourdomain.com' --server https://acme-v02.api.letsencrypt.org/directory
sudo ln -s /etc/letsencrypt/live/misp.yourdomain.com/fullchain.pem /etc/ssl/private/misp.local.crt
sudo ln -s /etc/letsencrypt/live/misp.yourdomain.com/privkey.pem /etc/ssl/private/misp.local.key
sudo apachectl -t
sudo systemctl restart apache
The Answer?
Yes, it does. For a very lightweight implementation, MISP may well be capable of being deployed into a small instance like this. An installation of this kind would possibly be appropriate for those who are starting on the CTIS journey.
Leave a Reply