Deployment

ThreatGet can be deployed on any server, Windows or Linux. We will demonstrate the deployment using Ubuntu LTS as an example.

Prerequisites

First, install Docker and Docker Compose on the server. The setup of Docker is described here. The setup of Docker Compose is described here.

The next step is to log in to AIT's Docker registry:

sudo docker login registry.threatget.com

The username and password have been supplied to you by AIT.

Finally, we need a folder for the database backups:

sudo mkdir -p /var/backups/postgres

Setting up a docker configuration

Create a folder named threatget. The folder can be anywhere; for this manual we assume it is in your home directory. In that folder, create a file docker-compose.yml with the following content:

version: '3'

services:
  db:
    image: postgres:10
    restart: always
    environment:
        - POSTGRES_DB=threatget
        - POSTGRES_USER=threatget
        - POSTGRES_PASSWORD=$DATABASE_PASSWORD
    volumes:
        - data:/var/lib/postgresql/data
  threatget:
    links:
      - db
    image: registry.threatget.com/threatget/server:$THREATGET_VERSION
    restart: always
    environment:
        - SERVER_URL=$PROTOCOL://$HOST
        - FMVEA_RULE_DATABASE_LINK=db
        - FMVEA_RULE_DATABASE_PORT=5432
        - FMVEA_RULE_DATABASE_DATABASENAME=threatget
        - FMVEA_RULE_DATABASE_USERNAME=threatget
        - FMVEA_RULE_DATABASE_PASSWORD=$DATABASE_PASSWORD
        - INITIAL_PASSWORD=$INITIAL_ADMIN_PASSWORD
        - INITIAL_LICENSE=$INITIAL_LICENSE_KEY
    ports:
      - "80:8080"

  backup:
    links:
      - db
    image: postgres:10
    volumes:
      - /var/backups/postgres:/var/backups
    command: /bin/bash -c  'pg_dump --dbname=postgresql://threatget:${DATABASE_PASSWORD}@db:5432/threatget -F c -f /var/backups/${HOST}-$$(date +%F_%H-%M-%S).dump'

volumes:
  data:

Also create a config file called .env in the same folder. Note the dot (.) at the beginning of the name.

# User Config
THREATGET_VERSION=20.01
HOST=threatget.mycompany.com
PROTOCOL=http
DATABASE_PASSWORD=abcdef
INITIAL_ADMIN_PASSWORD=12345
INITIAL_LICENSE_KEY=12345678-abcd-ef12-3456-789012345678

THREATGET_VERSION should contain the latest ThreatGet release. AIT will notify you when new releases are available.
HOST should be the hostname under which the server will later be reachable. PROTOCOL specifies the protocol the server is reachable under. HTTPS setup is discussed below.
DATABASE_PASSWORD should be changed to a random password. It is only used by the two Docker containers to communicate with each other.
INITIAL_ADMIN_PASSWORD specifies the password of the admin user on the web interface. This setting only takes effect on first start. Afterwards the admin password can be changed in the web interface.
INITIAL_LICENSE_KEY is the license key you received from AIT. This setting only takes effect on first start. Afterwards the license key can be changed in the web interface.
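The manual asks for DATABASE_PASSWORD to be random and for the example values to be replaced. The following POSIX shell script is an added example, not part of the ThreatGet manual: it writes .env with generated secrets and refuses to proceed while any of the placeholder values above are still present. The function names are this example's own; version, host, protocol and license key are passed as arguments.

```shell
#!/bin/sh
# Added example, not part of the ThreatGet manual: write .env with random
# secrets instead of the placeholder values, and refuse to proceed while any
# placeholder is still present. Function names are this example's own.
set -eu

# 32 hex characters (128 bits) from the kernel CSPRNG.
random_secret() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_env <file> <version> <host> <protocol> <license-key>
# DATABASE_PASSWORD and INITIAL_ADMIN_PASSWORD are generated, never typed.
write_env() {
    umask 077            # .env holds secrets: make it owner-readable only
    cat > "$1" <<EOF
# User Config
THREATGET_VERSION=$2
HOST=$3
PROTOCOL=$4
DATABASE_PASSWORD=$(random_secret)
INITIAL_ADMIN_PASSWORD=$(random_secret)
INITIAL_LICENSE_KEY=$5
EOF
}

# check_env <file>: return 1 if a password is still one of the manual's
# example values, empty, or shorter than 16 characters, or if the example
# license key was left in place. Run it before docker-compose up.
check_env() {
    rc=0
    for key in DATABASE_PASSWORD INITIAL_ADMIN_PASSWORD; do
        val=$(sed -n "s/^$key=//p" "$1")
        case "$val" in
            abcdef|12345|"") echo "$key is still a placeholder" >&2; rc=1 ;;
        esac
        [ "${#val}" -ge 16 ] || { echo "$key is shorter than 16 chars" >&2; rc=1; }
    done
    if grep -q '^INITIAL_LICENSE_KEY=12345678-abcd-ef12-3456-789012345678$' "$1"; then
        echo "INITIAL_LICENSE_KEY is still the example key" >&2; rc=1
    fi
    return $rc
}

# Example invocation (the license key here is a constructed placeholder):
#   write_env ~/threatget/.env 20.01 threatget.mycompany.com http \
#       11111111-2222-3333-4444-555555555555
#   check_env ~/threatget/.env && sudo docker-compose up -d
```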

Starting and stopping the containers

The containers can be started using

cd ~/threatget
sudo docker-compose up -d

The containers can be stopped using

cd ~/threatget
sudo docker-compose down

Backups

It is best practice to make a backup of the database as often as possible, at least daily.

The database backup can be initiated as root using cd /home/username/docker; docker-compose start backup. The backup is then stored in /var/backups/postgres, from where it should be copied off the machine to a secure backup location.
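The following cron job is an added example, not part of the ThreatGet manual. It runs the backup service defined in docker-compose.yml, waits for the one-shot container to finish (docker-compose start returns immediately), checks that a fresh, non-empty dump actually appeared so a failed pg_dump does not go unnoticed, copies the dump off the machine and prunes local dumps older than KEEP_DAYS. The compose directory default, the offsite rsync target and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the ThreatGet manual: daily backup job that runs
# the manual's backup service, verifies the dump, ships it offsite and prunes
# old local dumps. COMPOSE_DIR, OFFSITE and the function names are assumptions.
set -eu
COMPOSE_DIR=${COMPOSE_DIR:-${HOME:-/root}/threatget}
BACKUP_DIR=${BACKUP_DIR:-/var/backups/postgres}
OFFSITE=${OFFSITE:-backup@backuphost.mycompany.com:/srv/threatget-dumps/}  # hypothetical
KEEP_DAYS=${KEEP_DAYS:-14}

# Start the one-shot backup container and wait for it to exit; docker-compose
# start returns before pg_dump has finished writing the file.
run_backup() {
    cd "$COMPOSE_DIR"
    docker-compose start backup
    docker wait "$(docker-compose ps -q backup)" >/dev/null
}

# newest_dump <dir>: path of the most recently modified *.dump, empty if none.
newest_dump() {
    ls -t "$1"/*.dump 2>/dev/null | head -n 1
}

# verify_fresh_dump <dir> <stampfile>: succeed only if the newest dump is
# non-empty and newer than <stampfile> (created just before the backup ran).
verify_fresh_dump() {
    f=$(newest_dump "$1")
    [ -n "$f" ] && [ -s "$f" ] && [ "$f" -nt "$2" ]
}

# prune_old_dumps <dir> <days>: delete dumps older than <days>, print the count.
prune_old_dumps() {
    find "$1" -maxdepth 1 -name '*.dump' -mtime "+$2" -print -delete | wc -l | tr -d ' '
}

main() {
    stamp=$(mktemp)
    run_backup
    verify_fresh_dump "$BACKUP_DIR" "$stamp" || { echo "no fresh dump in $BACKUP_DIR" >&2; exit 1; }
    rsync -a "$(newest_dump "$BACKUP_DIR")" "$OFFSITE"
    echo "pruned $(prune_old_dumps "$BACKUP_DIR" "$KEEP_DAYS") dump(s) older than $KEEP_DAYS days"
    rm -f "$stamp"
}

# Cron entry for root (05:00 daily):  0 5 * * *  /usr/local/sbin/threatget-backup.sh run
if [ "${1:-}" = run ]; then main; fi
```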

Restore

This operation will erase all content of the database. Please create a backup before initiating a restore.

Make sure that the db container is up and running, but the threatget container is stopped.

cd ~/threatget
sudo docker-compose start db
sudo docker-compose stop threatget

Then we are ready to restore the database. The file with the backup on the host machine in this example is /var/backups/postgres/threatget.mycompany.com-2020-01-31_05-00-02.dump.

source .env
sudo docker-compose exec -T db pg_restore -c --dbname=postgresql://threatget:${DATABASE_PASSWORD}@localhost:5432/threatget -F c < /var/backups/postgres/threatget.mycompany.com-2020-01-31_05-00-02.dump

Then we can start the threatget container again.

sudo docker-compose start threatget

SSL connectivity

To allow access to the website via SSL you will need a certificate for the desired domain. SSL certificates are sold by certificate authorities. If the website is reachable from the Internet (as opposed to being firewalled), Let's Encrypt can be used to obtain a free certificate.

The recommended setup is to make the ThreatGet administration interface available only from the company network and to use a commercial certificate.

To this end, the following lines in the docker-compose.yml file above need to be changed from

    ports:
      - "80:8080"

to

    ports:
      - "8080:8080"

In addition, PROTOCOL=http needs to be changed to PROTOCOL=https in the .env file.

After that the containers need to be restarted:

cd ~/threatget
sudo docker-compose down
sudo docker-compose up -d

Reverse proxy

Any reverse proxy that can terminate SSL is suitable. We will demonstrate the configuration using apache2. Apache2 can be installed using

sudo apt-get install apache2
sudo a2enmod proxy_http ssl rewrite

We will then create a file /etc/apache2/sites-available/threatget.conf with the following content. Note that /etc/ssl/certificate.pem and /etc/ssl/privkey.pem are provided by your SSL certificate vendor and must be installed beforehand. The hostname threatget.mycompany.com also needs to be adjusted to your domain name.

<VirtualHost *:80>
ServerName threatget.mycompany.com

RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
ServerName threatget.mycompany.com

ProxyPass "/"  "http://localhost:8080/"
ProxyPassReverse "/"  "http://localhost:8080/"

SSLCertificateFile /etc/ssl/certificate.pem
SSLCertificateKeyFile /etc/ssl/privkey.pem

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire
</VirtualHost>

Finally, enable the site and reload the Apache configuration:

sudo a2ensite threatget
sudo systemctl reload apache2

Your ThreatGet instance will subsequently be available over HTTPS, and HTTP requests are automatically redirected to HTTPS.
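With the ports entry changed to "8080:8080", Docker publishes the container port on every interface, so the plain-HTTP ThreatGet port stays reachable directly unless it is restricted to loopback (a ports entry of "127.0.0.1:8080:8080") or blocked by a firewall. The following script is an added example, not part of the ThreatGet manual: it reads `ss -ltnH` output and reports any listener on the application port that is not bound to loopback. The function names and the sample output are this example's own.

```shell
#!/bin/sh
# Added example, not part of the ThreatGet manual: once TLS is terminated by
# the proxy, container port 8080 must not be reachable directly from the
# network. This checks `ss -ltnH` output for non-loopback listeners on a port.
# Function names and the sample below are this example's own.
set -eu

# exposed_listeners <port>: reads `ss -ltnH` lines on stdin (local address in
# column 4) and prints each listener on <port> that is not bound to loopback.
exposed_listeners() {
    awk -v port="$1" '{
        laddr = $4
        n = split(laddr, parts, ":")
        if (parts[n] != port) next
        host = substr(laddr, 1, length(laddr) - length(port) - 1)
        if (host == "127.0.0.1" || host == "[::1]") next
        print laddr
    }'
}

# port_is_loopback_only <port>: true if <port> is bound to loopback only
# (or is not listening at all).
port_is_loopback_only() {
    [ -z "$(exposed_listeners "$1")" ]
}

# Constructed sample: Docker published 8080 on all interfaces ("8080:8080"),
# apache listens on 80/443, postgres is loopback-only.
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 511 *:443 *:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*'

# Live check on the host:  sh check_port.sh live
if [ "${1:-}" = live ]; then
    if ss -ltnH | port_is_loopback_only 8080; then
        echo "8080 is loopback-only"
    else
        echo "8080 is exposed; publish it as \"127.0.0.1:8080:8080\" in docker-compose.yml" >&2
        exit 1
    fi
fi
```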