...
| Code Block |
|---|
service elasticsearch restart |
Verifying that Elasticsearch is running is possible via: netstat -tlnpu (ports 9200, 9300)
Notably, "cluster.initial_master_nodes" must be commented out after the first initialization of the Elasticsearch cluster. The above configuration assumes that the setup includes a single Elasticsearch node. Configuration for more advanced setups is available in the following WiFiMon guide "Streaming Logs Into ELK Cluster".
...
| Code Block |
|---|
service kibana restart |
Verifying that kibana is running is possible via: netstat -tlnpu (port 5601)
Anchor wifimon wifimon
5. WiFiMon Installation
| wifimon | |
| wifimon |
...
Firstly, installation of certbot is required:
| Code Block |
|---|
sudo apt-get update |
...
sudo apt-get install -y certbot |
A certificate must be requested for the FQDN of the WAS/WTS, referred as WAS_FQDN:
| Code Block |
|---|
certbot certonly --webroot -w /var/www/html -d WAS_FQDN |
Note: Prior to this step, connections to port 80 must be allowed. If a web server is already installed on the machine, it should be temporarily stopped.
Issued certificates should be renewed regularly using the following command:
| Code Block |
|---|
certbot renew |
Next, generated certificates/keys will be inserted in the Apache configuration files. File /etc/apache2/sites-available/default-ssl.conf should be edited and the following lines should be changed based on the FQDN of the WAS/WTS, referred as WAS_FQDN.
...
Changes should be applied and SSL should be enabled using the following commands:
| Code Block |
|---|
a2ensite default-ssl |
...
a2enmod ssl |
...
systemctl restart apache2 |
More information is available in the following links from which the above commands are taken:
...
The following files should be copied in /usr/lib/wifimon/keystore:
| Code Block |
|---|
cp /etc/letsencrypt/live/WAS_FQDN/cert.pem /usr/lib/wifimon/keystore/cert.pem |
...
cp /etc/letsencrypt/live/WAS_FQDN/privkey.pem /usr/lib/wifimon/keystore/privkey.pem |
...
cp /etc/letsencrypt/live/WAS_FQDN/chain.pem /usr/lib/wifimon/keystore/chain.pem |
Within /usr/lib/wifimon/keystore folder, PEM certificates should be converted to Java Keystore (JKS) format using the following commands:openssl pkcs12
| Code Block |
|---|
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -certfile cert.pem -out testkeystore.p12 |
...
keytool -importkeystore -srckeystore testkeystore.p12 -srcstoretype pkcs12 -destkeystore wifimon.jks -deststoretype JKS |
Passwords should be provided when prompted and noted.
...
| server.port=8443 server.ssl.key-store=./keystore/wifimon.jks server.ssl.key-store-password=[PASSWORD_keystore] server.ssl.key-password=[PASSWORD_key] |
In /usr/lib/wifimon/config/ui.properties, the following changes should be made:
...
| server.ssl.enabled: true server.ssl.certificate: /usr/lib/wifimon/keystore/cert.pem server.ssl.key: /usr/lib/wifimon/keystore/privkey.pem |
Moreover, in the WTS test pages, the agentPort should be agent from 9000 to 8443 in every testtool HTML page as well as http to https. Moreover, http should be changed to https in /var/www/html/wifimon/js/nettest/nettest-swfobject.js. This is a file related to the NetTest testtool. More information about these parameters is included in the WiFiMon Test Server (WTS) installation guide.
...
In the sequel, we will secure the ELK stack using a self-signed certificate. First, the file “/usr/share/elasticsearch/instances.yml” should be created with the following contents:
| Code Block |
|---|
instances: |
...
- name: elasticsearch |
...
dns: WAS_FQDN |
...
ip: WAS_IP |
Important Note: In case of correlation with RADIUS and DHCP Logs, Logstash is also required. In this case, instances.yml requires additional information. More information is available in the following WiFiMon guide "Streaming Logs Into ELK Cluster". The WAS guide mainly focuses on the integration of the previous guide with the WiFiMon code setup.
Then, the certificate of the Certificate Authority (CA) and its corresponding key should be generated using the following command:
| Code Block |
|---|
/usr/share/elasticsearch/bin/elasticsearch-certutil ca --ca-dn CN=’WiFiMon CA’ --days 3650 --keysize 4096 --out wifimon-ca.zip --pass --pem |
This command will create the file “wifimon-ca.zip” in /usr/share/elasticsearch directory. The file contents should be unzipped using the following command:
| Code Block |
|---|
unzip /usr/share/elasticsearch/wifimon-ca.zip |
Then, the self-signed certificate and the corresponding key should be generated using the following command:
| Code Block |
|---|
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert /usr/share/elasticsearch/ca/ca.crt --ca-key /usr/share/elasticsearch/ca/ca.key --days 1234 --in /usr/share/elasticsearch/instances.yml --keysize 4096 --out wifimon-certs.zip --pass --pem |
This command will create wifimon-certs.zip file in /usr/share/elasticsearch directory. The contents of this file should be unzipped using the following command:
| Code Block |
|---|
unzip /usr/share/elasticsearch/wifimon-certs.zip |
Directories /etc/elasticsearch/certs and /etc/kibana/certs should then be created. Files ca.crt, elasticsearch.key and elasticsearch.crt should be copied in the aforementioned directories and in /usr/lib/wifimon/keystore using the following commands:
| Code Block |
|---|
mkdir /etc/elasticsearch/certs |
...
mkdir /etc/kibana/certs |
...
cp /usr/share/elasticsearch/ca/* /etc/elasticsearch/certs/ |
...
cp /usr/share/elasticsearch/ca/* /etc/kibana/certs/ |
...
cp /usr/share/elasticsearch/elasticsearch/* /etc/elasticsearch/certs/ |
...
cp /usr/share/elasticsearch/elasticsearch/* /etc/kibana/certs/ |
...
cp /usr/share/elasticsearch/ca/* /usr/lib/wifimon/keystore/ |
...
cp /usr/share/elasticsearch/elasticsearch/* /usr/lib/wifimon/keystore/ |
Then, the elasticsearch keystore should be configured using the following command:
| Code Block |
|---|
/usr/share/elasticsearch/bin/elasticsearch-keystore create |
Adding certificate key passphrase for HTTP communication protocol requires using the following command and entering the certificate key passphrase when prompted:
| Code Block |
|---|
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase |
Adding certificate key for transport communication protocol and entering the certificate key passphrase when prompted is possible via the following command:
| Code Block |
|---|
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase |
The following command is required for setup verification:
| Code Block |
|---|
/usr/share/elasticsearch/bin/elasticsearch-keystore list |
The following information should be present:
| Code Block |
|---|
keystore.seed |
...
xpack.security.http.ssl.secure_key_passphrase |
...
xpack.security.transport.ssl.secure_key_passphrase |
In /etc/elasticsearch/elasticsearch.yml the following information should be added and the Εlasticsearch cluster should be then restarted:
...
Next, passwords for the built-in users should be generated. These passwords are not provided again and should be noted. Inside directory /usr/share/elasticsearch/bin/, the following command should be used:
| Code Block |
|---|
./elasticsearch-setup-passwords auto -u "https://WAS_FQDN:9200" |
Kibana keystore is configured using the following command:
| Code Block |
|---|
sudo -u kibana /usr/share/kibana/bin/kibana-keystore create |
The following command should be used and “kibana” should be provided as the username:
| Code Block |
|---|
sudo -u kibana /usr/share/kibana/bin/kibana-keystore add elasticsearch.username |
The following command should be used the password of the “kibana” built-in user should be provided:
| Code Block |
|---|
sudo -u kibana /usr/share/kibana/bin/kibana-keystore add elasticsearch.password |
The following command should be, then, used and the elasticsearch.key passphrase should be provided:
| Code Block |
|---|
sudo -u kibana /usr/share/kibana/bin/kibana-keystore add server.ssl.keyPassphrase |
The following command is required for setup verification:
| Code Block |
|---|
sudo -u kibana /usr/share/kibana/bin/kibana-keystore list |
The following information should be present:
| Code Block |
|---|
elasticsearch.username |
...
elasticsearch.password |
...
server.ssl.keyPassphrase |
In /etc/kibana/kibana.yml, the following details should be added and Kibana should be restarted:
...
Note: Make sure that certificates and keys in /etc/elasticsearch/certs/, /etc/kibana/certs/ and /usr/lib/wifimon/keystore/ are accessible by both Εlasticsearch and Kibana.
Next, the WiFiMon Agent properties should be configured. The truststore for X-Pack will be created using the following command:
| Code Block |
|---|
keytool -import -trustcacerts -alias root -file /usr/lib/wifimon/keystore/ca.crt -keystore /usr/lib/wifimon/keystore/truststore.jks |
The keystore for X-Pack will be created using the following commands:
| Code Block |
|---|
cat /usr/lib/wifimon/keystore/elasticsearch.crt /usr/lib/wifimon/keystore/elasticsearch.key > /usr/lib/wifimon/keystore/combined.crt |
...
keytool -import -trustcacerts -alias yourdomain -file /usr/lib/wifimon/keystore/combined.crt -keystore /usr/lib/wifimon/keystore/keystore.jks |
File /usr/lib/wifimon/config/secure-processor.propertiesshould be edited and the following lines should be added:
...