The recently released Ghost version 0.3 features a management frontend, which allows you to monitor the state of several computers running Ghost in a central location. This is ideal for companies - you can run Ghost on all the machines you want to protect and have the information collected for the organization's IT department. The web frontend on the central server provides a quick overview of the situation and also detailed information in case of an incident. In this article I'm going to describe how to set everything up.
Let's first discuss the requirements: What do you need in order to run the management frontend? Well, first of all you have to have computers that you want to protect. They must be able to run Ghost and have Python 2 installed. The second component you need is a server that the computers can reach via the network. It will receive the results from Ghost and aggregate them.
The setup consists of two main steps. Step 1 is to get the server ready to receive data from the machines running Ghost. Step 2 comprises the setup of Ghost on the computers.
Setting up the server
The server's task is to receive reports from all the Ghost instances and aggregate the information in a web frontend. Also, it keeps track of everything in a database. Basically, four components are required:
- MongoDB, which we use to store all relevant data.
- HPfeeds, a data broker that will be in charge of receiving data from the client machines.
- A Ghost component that consumes data from HPfeeds and supplies the database.
- Another Ghost component that provides the web frontend based on the data in the database.
It doesn't really matter which operating system you run on the server, as long as Python and MongoDB are available for it. We'll now go through the setup of each of the components step by step.
MongoDB is an open-source NoSQL database. You can download it from the website, where you'll also find documentation on how to install it on your respective operating system. You don't have to configure it to listen on any external network interface - it's completely sufficient for our purposes if the database is reachable locally.
HPfeeds is a data broker and corresponding protocol developed by the Honeynet Project. In order to run it, you need a working Python installation and a running instance of MongoDB if you want user authentication. You can download the code from Github. If you'd like to read some more on the protocol, have a look at the wiki.
In case your network can be considered trusted, you can run the test broker (by launching "python broker/testbroker.py"), which will run without any authentication. Otherwise, you can set up a simple authentication scheme in the broker - please refer to the HPfeeds wiki for instructions.
For the case that you have to reboot the server you might want to launch the broker automatically on boot. Please refer to your respective operating system's documentation for instructions on how to do so.
The server-side components of Ghost connect what we've installed so far. Additionally they're responsible for providing the web frontend. You can download Ghost from the project website. For the server, we're only interested in two scripts that are part of the Ghost bundle - you don't actually install Ghost on it. Also, you need to download the web frontend bundle from that same website.
First, we're going to launch the script that subscribes to HPfeeds for reports and submits them to the database. Open process_reports.py (PythonBindings/process_reports.py in the Ghost bundle) in a text editor first in order to adjust the configuration parameters. You don't have to change a lot here - just set HPFEEDS_HOST to "localhost", because that's where you run the broker. Then launch the script by running "python process_reports.py".
Secondly, we need to start the script that provides the web frontend based on data in the database. Simply run "python serve.py" (in the web frontend bundle) in order to start a simple web server based on the bottle framework. Alternatively, you may follow the instructions in the bottle wiki to serve the page from a web server of your choice.
In any case, you'll want to automate the start of those two components on the server, so that the system is re-launched immediately after a reboot. Again, please refer to your operating system's documentation for instructions.
Setting up the clients
Now that the server is ready to handle incoming data, we can set up the clients. Please apply the following instructions to each machine that you want to monitor.
First of all, you need to install Ghost. Please refer to the project wiki for instructions. Next, you have to configure and launch ghostwatch.py, a Python script that will regularly run Ghost and submit the results to HPfeeds. Configure the script by opening it in a text editor. You'll find the configuration parameters right on top. Set HPFEEDS_HOST to the name or IP address of the server running the HPfeeds broker and HPFEEDS_PORT to the corresponding port (by default, it runs on port 10000). You only need to adjust HPFEEDS_IDENT and HPFEEDS_SECRET if you chose to activate authentication in HPfeeds. Otherwise just enter a name for the machine in HPFEEDS_IDENT - the web frontend will use that name. Leave the remaining parameters as they are.
Start the script by double-clicking on it. Note that you need a working Python installation in order to run it (refer to the Python website for downloads and instructions). You can right-click the script and choose "Run with pythonw.exe", so that Python runs without displaying a console window. You'll want to automatically launch that script everytime the machine boots up in order to get the detection system started. To do so, create a shortcut for the command and place it in the Autostart folder of your Windows menu.
Checking the setup
Finally, we can check that everything is installed and configured correctly. If your setup works, you should now be able to see results in the web frontend: Open a browser and direct it to port 8080 on your server, i.e. "http://your.server.address:8080/". You should see a website that lists your machines and the time that they last reported to the server. In case of an infection with USB malware, the corresponding entry will highlight in red, and you'll be able to view details of the incident.
That's pretty much it - you're now equipped to monitor all your machines for infections with USB malware. In case of problems feel free to post to the mailing list and I'll be sure to look at it.