Separate installation of Feed Service and Feed Utility (Linux)

You can install Feed Service and Feed Utility on separate computers. This allows you to isolate the computer, on which event data is matched against feeds, from the Internet.

Do not delete the dmz directory from the distribution kit of Kaspersky CyberTrace, even if you are not going to use Feed Service and Feed Utility on separate computers.

You can install Feed Utility on a Windows computer. For this you must have the distribution package for Windows, which also contains the instructions on how to perform the installation.

How Feed Service and Feed Utility work in DMZ

The following diagram describes how Feed Service and Feed Utility work in DMZ.

[Figure: Workflow when Feed Service and Feed Utility are installed on separate computers]

Using CyberTrace Web if Feed Service and Feed Utility are on separate computers

If you use Kaspersky CyberTrace Web with Feed Service and Feed Utility installed on separate computers, avoid performing the actions below on the Settings > Feeds tab, in the Feeds update period section. The actions will be ineffective.

  1. Do not update feeds (by clicking the Launch update now button) or change the update frequency (by selecting a value from the Update frequency drop-down list).

    The feeds will not be updated on the Local computer, because it is isolated from the Internet.

  2. (Kaspersky CyberTrace version 3.0) Do not change the Kaspersky certificate (by clicking Import certificate).

    The certificate will only be changed on the Local computer. To change the certificate on the DMZ computer, manually copy it from the Local computer to the dmz directory.

By default, Kaspersky CyberTrace updates Kaspersky Threat Data Feeds every 30 minutes.

If you use DMZ integration, you can still use Kaspersky CyberTrace Web to perform the actions listed below. However, each time you make any of these changes, you have to copy the kl_feed_util.conf file from the Local computer to the DMZ computer so that the changes you made on the Local computer are replicated on the DMZ computer.

  1. You can change the remaining settings of feeds on the Settings > Feeds tab.

    For example, you can add new custom or third-party feeds.

  2. You can change the settings of a proxy server on the Settings > Service tab in the Connection settings section.

Outline of the installation procedure

The following procedure describes how to install Feed Service on one computer (in this topic, referred to as Local) and Feed Utility on another computer (in this topic, referred to as DMZ).

If you use Kaspersky CyberTrace Web, please see section "Using CyberTrace Web if Feed Service and Feed Utility are on separate computers" above before proceeding to the installation.

To install Feed Service and Feed Utility on separate computers:

  1. Install Kaspersky CyberTrace from the distribution package to a directory (referred to as %service_dir%) on the Local computer.

    (Kaspersky CyberTrace version 3.0) After you specify the path to the certificate file in the configurator, the list of available feeds is not retrieved, because the Local computer is not connected to the Internet. In this case, you are prompted to manually select the feeds.

  2. Locate the kl_feed_service.conf configuration file. In this file, locate the <NotifyKTFS path="">false</NotifyKTFS> element. Change it to <NotifyKTFS path="..\bin">true</NotifyKTFS>.
  3. Copy the dmz subdirectory of the installation directory from the Local computer to the DMZ computer.

    (Kaspersky CyberTrace version 3.0) When you have to use a new PEM-formatted certificate for updating feeds, change the Kaspersky CyberTrace configuration by using the installation script. You will then have to copy the dmz subdirectory from the Local computer to the DMZ computer.

  4. If you use Kaspersky CyberTrace Web and want to change the settings of any feed or add a new custom or third-party feed, make all the necessary changes directly in Kaspersky CyberTrace Web.

    For more information on how to manage the settings of feeds through Kaspersky CyberTrace Web, see section "Feeds settings".

  5. Replace the kl_feed_util.conf file in the dmz directory located on the DMZ computer with the copy of the same file stored on the Local computer.

    You can obtain kl_feed_util.conf on the Local computer in one of the following ways:

    • Copy it from the %service_dir%/etc directory.
    • If you use Kaspersky CyberTrace Web, select the Settings > Service tab and click Export configuration file.
  6. Configure the synchronization of directories containing feeds as stated in section "Synchronizing directories that contain feeds" below.
  7. In the %service_dir%/scripts/cron_cybertrace.sh file on the Local computer, specify the credentials for connecting to the DMZ computer and the path to the feeds directory on the DMZ computer.

Configuring the updating of feeds on the DMZ computer

Configure the cron task that runs the updating of feeds on the DMZ computer so that the cron-dmz.sh script will run twice as often as when Kaspersky CyberTrace is installed on a single computer. This is done so that the new versions of feeds will be used as soon as possible. For example, specify the following line in the cron configuration file:

*/15 * * * * %path_to_cron.sh%/cron-dmz.sh

Configuring the updating of feeds on the Local computer

Add a task that runs the updating of feeds so that the cron_cybertrace.sh script will run twice as often as when Kaspersky CyberTrace is installed on a single computer. The synchronization of feeds must occur after they are updated on the DMZ computer, and so you can specify launching of the cron_cybertrace.sh script several minutes after the cron-dmz.sh script is launched on the DMZ computer. For example, specify the following line in the cron configuration file:

7,22,37,52 * * * * %service_dir%/scripts/cron_cybertrace.sh

You might have to change the settings in the cron_cybertrace.sh script. The settings are described in the following table. For more information, see section "Synchronizing directories that contain feeds" below.

Settings in cron_cybertrace.sh

  Setting         Description
  RSYNC_USER      Login on the computer where the RSync utility is installed.
  RSYNC_HOST      Host where the RSync utility is installed.
  PATH_TO_FEEDS   Path to the directory in which the processed feeds are stored.
  DOWNLOAD_DIR    Path to the directory into which the feeds are downloaded.
                  Do not change the value of this parameter. Changing this value may cause Feed Utility not to work properly.
  SSH_KEY         The RSA public key to be used when synchronizing directories with feeds.

Synchronizing directories that contain feeds

For synchronizing feeds on both the Local and DMZ computers you can use the RSync utility. If the DMZ computer is a Windows computer, the RSync utility can be run by using Cygwin.

To install the RSync utility on a Windows computer:

  1. Install the default set of packages from the Cygwin distribution.
  2. Install the following utilities: OpenSSH, OpenSSL, and RSync.
  3. On the DMZ computer, configure the OpenSSH components as follows:
    1. Run the following command as root:

      ssh-host-config

      You can answer "Yes" every time. The main point is to run the sshd daemon as a service.

    2. Run the following command:

      net start sshd

The sshd daemon will start automatically.

To configure the synchronization of feeds:

  1. Create a private key and a corresponding public key.

    For this purpose, run the following command on the Local computer:

    ssh-keygen -t rsa -q -N '' -f /home/<user>/.ssh/dmz_rsa_key

    (Specify the user login instead of <user>.) The keys will be created without a password.

  2. Copy the public key from the Local computer to the DMZ computer by running the following command:

    ssh-copy-id -i /home/<user>/.ssh/dmz_rsa_key <DMZ_user>@<DMZ_host>

    When you run this command, you will be asked for the password to <DMZ_user>@<DMZ_host>.

  3. Test the synchronization of the contents of directories that contain feeds by running the following command on the Local computer:

    rsync -a --delete-before --delay-updates -e "ssh -i /home/<user>/.ssh/dmz_rsa_key" <DMZ_user>@<DMZ_host>:/<Path_to_feeds>/ /<Path_to_feeds_on_Local>/

    In this command, <Path_to_feeds_on_Local> is the path to the directory containing feeds on the Local computer (namely, %service_dir%/feeds), and <Path_to_feeds> is the path to the directory in which updated feeds are stored on the DMZ computer.

    To pass the synchronization test, the contents of the <Path_to_feeds_on_Local> directory on the Local computer must be the same as the contents of the <Path_to_feeds> directory on the DMZ computer.
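As an added example (not a script from the Kaspersky CyberTrace distribution) that ties the settings in the cron_cybertrace.sh table above to the synchronization test in step 3: a POSIX sh script that pulls the feeds with the same rsync command and then checks that the DMZ and Local directories hold identical files. The user, host, key path and feed paths are assumed placeholders.

```shell
#!/bin/sh
# Added example, not part of the CyberTrace distribution. Setting names follow
# cron_cybertrace.sh; the values below are placeholders and can be overridden
# from the environment.
RSYNC_USER="${RSYNC_USER:-cybertrace}"
RSYNC_HOST="${RSYNC_HOST:-dmz.example.internal}"
PATH_TO_FEEDS="${PATH_TO_FEEDS:-/opt/cybertrace/dmz/feeds}"
SSH_KEY="${SSH_KEY:-$HOME/.ssh/dmz_rsa_key}"
LOCAL_FEEDS="${LOCAL_FEEDS:-/opt/kaspersky/ktfs/feeds}"   # %service_dir%/feeds

# Pipeline that fingerprints the current directory: one "path crc size" line per
# regular file in a locale-independent order, reduced to one checksum. Kept as a
# string so the very same pipeline can be run locally and over ssh on the DMZ side.
FINGERPRINT_PIPE='find . -type f | LC_ALL=C sort | while IFS= read -r f; do printf "%s %s\n" "$f" "$(cksum < "$f")"; done | cksum'

# Fingerprint of a local feeds directory (empty output if it does not exist).
dir_fingerprint() {
    [ -d "$1" ] && (cd "$1" && eval "$FINGERPRINT_PIPE")
}

# Fingerprint of PATH_TO_FEEDS on the DMZ computer, computed there over ssh.
remote_fingerprint() {
    ssh -i "$SSH_KEY" "$RSYNC_USER@$RSYNC_HOST" "cd '$PATH_TO_FEEDS' && $FINGERPRINT_PIPE"
}

# Exit status 0 when both local directories hold identical feed files, 1 otherwise.
dirs_in_sync() {
    [ -d "$1" ] && [ -d "$2" ] &&
        [ "$(dir_fingerprint "$1")" = "$(dir_fingerprint "$2")" ]
}

# Pull the feeds from the DMZ computer (same command as the manual: --delete-before
# removes stale feed files, --delay-updates swaps everything in at the end so Feed
# Service never reads a half-updated directory), then verify the result against
# the DMZ side. Only runs when called explicitly.
sync_feeds() {
    rsync -a --delete-before --delay-updates -e "ssh -i $SSH_KEY" \
        "$RSYNC_USER@$RSYNC_HOST:$PATH_TO_FEEDS/" "$LOCAL_FEEDS/" || return 1
    [ "$(remote_fingerprint)" = "$(dir_fingerprint "$LOCAL_FEEDS")" ]
}
```

Calling sync_feeds from the Local cron task instead of a bare rsync makes a partial or failed synchronization visible as a non-zero exit status.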
