Using a Proxy With AC-Hunter

Because AC-Hunter is a security tool, it is often placed in a network segment that can’t make direct outbound connections but does allow requests sent through an HTTP or HTTPS proxy. This blocks AC-Hunter from 1) checking for updated AC-Hunter versions, 2) installing and updating packages during the install, and 3) sending outbound Slack alerts.

With a short adjustment to two configuration files, AC-Hunter can use your proxy for its outbound connections, both during installation and during normal operation.

 

Setting Environment Variables to Force Using a Proxy in AC-Hunter

You can set environment variables for your containers by editing the yaml files that start them up. For example, to set the Linux *_proxy variables for the API container, edit /opt/AC-Hunter/docker/api.yaml with:

sudo nano /opt/AC-Hunter/docker/api.yaml

In that file, scroll down to the “services:” section, then the “api:” section inside it, and the “environment:” section inside “api:”. You’ll see some environment variables already there. Below them, add the following lines, preserving the spacing exactly as the others (in my case, there are 6 spaces before each “-”). In all 6 lines, replace “http://” with “https://” if the proxy expects an HTTPS connection, “1.2.3.4” with the IP address of the proxy, and “3128” with the TCP port on which the proxy is listening. The “dash” is required.

- http_proxy="http://1.2.3.4:3128/"
- https_proxy="http://1.2.3.4:3128/"
- ftp_proxy="http://1.2.3.4:3128/"
- HTTP_PROXY="http://1.2.3.4:3128/"
- HTTPS_PROXY="http://1.2.3.4:3128/"
- FTP_PROXY="http://1.2.3.4:3128/"

The URL placed inside the pairs of quotes can also accept a username and password if needed to access the proxy. In the example below, replace “bart” with the proxy username and the placeholder “PASSWORD” with the proxy password:

- http_proxy="http://bart:PASSWORD@1.2.3.4:3128/"
- https_proxy="http://bart:PASSWORD@1.2.3.4:3128/"
- ftp_proxy="http://bart:PASSWORD@1.2.3.4:3128/"
- HTTP_PROXY="http://bart:PASSWORD@1.2.3.4:3128/"
- HTTPS_PROXY="http://bart:PASSWORD@1.2.3.4:3128/"
- FTP_PROXY="http://bart:PASSWORD@1.2.3.4:3128/"

If your proxy IP address is an IPv6 address, it needs to be surrounded by square brackets so that it’s clear which part is the IPv6 address and which part is the port:

- http_proxy="http://[fe80:cafe::7]:3128/"
- https_proxy="http://[fe80:cafe::7]:3128/"
- ftp_proxy="http://[fe80:cafe::7]:3128/"
- HTTP_PROXY="http://[fe80:cafe::7]:3128/"
- HTTPS_PROXY="http://[fe80:cafe::7]:3128/"
- FTP_PROXY="http://[fe80:cafe::7]:3128/"

Once you have the modified versions of these lines added, save and exit.

Restart AC-Hunter with:

hunt down ; sleep 10 ; hunt up -d

(You should _not_ need to add --force-recreate to the above command.)

Finally, please make a backup of api.yaml somewhere so you can pull in these changes after a future upgrade.

Once these changes are in place, most command line tools that need to make outbound connections will look at these environment variables to locate a proxy.

 

Forcing a Proxy During the AC-Hunter Install

If you also need to use a proxy during the initial install, you’ll have to do that at the command line for the user doing the install. Edit the file “~/.bash_profile” and add the following lines:

export http_proxy="http://1.2.3.4:3128/"
export https_proxy="http://1.2.3.4:3128/"
export ftp_proxy="http://1.2.3.4:3128/"
export HTTP_PROXY="http://1.2.3.4:3128/"
export HTTPS_PROXY="http://1.2.3.4:3128/"
export FTP_PROXY="http://1.2.3.4:3128/"

In a similar way to how you edited api.yaml above you’ll need to:

– Replace 1.2.3.4 with the IP address of your proxy (surrounding it with square brackets if it’s an IPv6 address)
– Replace “3128” with the port on which the proxy listens
– Replace “http://” with “https://” if the proxy expects HTTPS (encrypted) connections
– Add in a username and password if required to access the proxy.

Make sure you do this on all systems on which you’re installing an AC-Hunter component, and log out and log back in before trying the installation.
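As an added example (not from the AC-Hunter FAQ), this POSIX shell helper builds the proxy URL described in the two sections above, applying the IPv6 bracket and username/password rules, and prints the six lines in either the api.yaml list form or the ~/.bash_profile export form. The function names and the curl reachability check are assumptions, not part of AC-Hunter.

```shell
#!/bin/sh
# Added example, not part of the AC-Hunter FAQ: build the proxy URL the
# two sections above describe and emit it in either the api.yaml list
# form or the ~/.bash_profile export form. Function names are assumptions.

# proxy_url SCHEME HOST PORT [USER PASS]
proxy_url() {
  scheme=$1; host=$2; port=$3; user=$4; pass=$5
  # An IPv6 literal must be bracketed so the port is unambiguous.
  case $host in
    *:*) host="[$host]" ;;
  esac
  auth=""
  # Credentials go in the userinfo part of the URL; percent-encode any
  # ':' '@' or '/' in the password before passing it here.
  if [ -n "$user" ]; then
    auth="$user:$pass@"
  fi
  printf '%s://%s%s:%s/\n' "$scheme" "$auth" "$host" "$port"
}

# proxy_env_lines compose|export SCHEME HOST PORT [USER PASS]
# "compose" uses the 6-space "- VAR=..." indent the FAQ shows for
# api.yaml; "export" gives the ~/.bash_profile lines.
proxy_env_lines() {
  form=$1; shift
  url=$(proxy_url "$@")
  for var in http_proxy https_proxy ftp_proxy HTTP_PROXY HTTPS_PROXY FTP_PROXY; do
    case $form in
      compose) printf '      - %s="%s"\n' "$var" "$url" ;;
      export)  printf 'export %s="%s"\n' "$var" "$url" ;;
      *) echo "unknown form: $form" >&2; return 1 ;;
    esac
  done
}

# Reachability check through the proxy (needs curl and the network):
# prints the HTTP status the AC-Hunter portal returned via the proxy.
check_proxy() {
  curl -sS -o /dev/null -w '%{http_code}\n' --max-time 10 -x "$1" \
    https://portal.activecountermeasures.com/
}
```

Run `proxy_env_lines compose http 1.2.3.4 3128` and paste the output under the existing environment entries, or `proxy_env_lines export ...` for ~/.bash_profile; `check_proxy "$(proxy_url http 1.2.3.4 3128)"` confirms the proxy actually forwards before you restart AC-Hunter.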

 

Reference

When AC-Hunter is started it uses docker-compose to actually launch the underlying programs. For more detail on setting environment variables with docker-compose, see https://docs.docker.com/compose/environment-variables/set-environment-variables/ .

 

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=8186


Uninstalling AC-Hunter

Note: following these steps will irretrievably and permanently remove your entire AC-Hunter installation and all of its data. If this isn’t what you want, please do not follow these steps.

Do not follow these steps if you have any docker images, containers, or volumes not supplied by Active Countermeasures on this system.

 

1) Back up your whitelist. Dashboard, gear, whitelist tab, download whitelist.

2) If you’ve added any blacklisted IPs to /etc/AC-Hunter/blacklist/ips.txt , make a backup of this somewhere outside of /etc/AC-Hunter/ .

3) Make a backup of any databases you wish to keep. Since we’ll be deleting the entire collection of actual mongo databases, you may wish to use mongodump to export them to a file.

4) Stop sending logs from your sensors to this system. On each sensor, edit (under sudo) /etc/cron.d/zeek_log_transport ; comment out the line sending logs to this AC-Hunter system. Save and exit.

5) Make a backup of any Zeek logs you wish to keep, placing them outside of /opt/zeek/remotelogs/

6) Get a listing of all docker volumes with:

sudo docker volume ls

If you wish to keep any of these volumes, stop here.

7) Get a listing of all docker containers with:

sudo docker ps

If any of these do not have names (last column of output) that start with “beaker_” or “achunter_”, stop here.

8) Get a listing of all docker images with:

sudo docker images

The repository column for all of them should start with “ac-hunter/”, “ai-hunter/”, “activecm-beaker/”, “<none>”, “mongo”, “taskrabbit/elasticsearch-dump”, or “hello-world”. If there are images from any other source, stop here.

9) Shut down AC-Hunter with:

hunt down -v

(If “hunt” is not located, try using “/usr/local/bin/hunt” in all commands that use it.)

10) Confirm that AC-Hunter is shut down by running:

sudo docker volume ls | grep hunter

This command should return no output. If you do get any output, please stop here and contact [email protected] .

11) Shut down Beaker with:

beaker down

(If “beaker” is not located, try using “/usr/local/bin/beaker” in all commands that use it.)

12) Remove all docker volumes with (all on one line):

for X in `sudo docker volume ls | awk '{print $2}' | grep -v VOLUME` ; do sudo docker volume rm "$X" ; done

13) Remove all images with (all on one line):

for X in `sudo docker images | awk '{print $3}' | grep -v IMAGE` ; do sudo docker rmi "$X" ; done

14) If you no longer need the Zeek logs, remove the directories under /opt/zeek/remotelogs/ (keep /opt/zeek/remotelogs/ itself).

15) Move old configuration directories out of the way with:

cd /etc
sudo mv AI-Hunter AI-Hunter.old
sudo mv AC-Hunter AC-Hunter.old
sudo mv BeaKer BeaKer.old

It’s OK if the “sudo mv AI-Hunter AI-Hunter.old” reports an error that the directory doesn’t exist.
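The “stop here” checks in steps 7 and 8 are easy to get wrong by eye on a busy host, and the loops in steps 12 and 13 delete everything they find. As an added example (not part of the AC-Hunter FAQ), this POSIX shell snippet applies those checks mechanically to the docker output; the function names are assumptions, the permitted prefixes are the ones the FAQ lists.

```shell
#!/bin/sh
# Added example, not part of the AC-Hunter FAQ: automate the "stop here"
# checks in steps 7 and 8 by filtering `docker ps` / `docker images`
# output for anything that is not an Active Countermeasures artefact.
# Function names are assumptions; the allowed prefixes come from the FAQ.

# Read `sudo docker ps` output on stdin and print container names
# (the NAMES column, always last) that do not start with the two
# prefixes step 7 permits.
foreign_containers() {
  awk 'NR > 1 && $NF !~ /^(beaker_|achunter_)/ { print $NF }'
}

# Read `sudo docker images` output on stdin and print repositories
# (first column) whose name does not start with one of the prefixes
# step 8 permits.
foreign_images() {
  awk 'NR > 1 && $1 !~ /^(ac-hunter\/|ai-hunter\/|activecm-beaker\/|<none>|mongo|taskrabbit\/elasticsearch-dump|hello-world)/ { print $1 }'
}

# Run both checks against the live daemon and refuse to proceed
# (non-zero exit) if anything foreign is present, so the later
# "remove all volumes/images" loops are never reached by mistake.
preflight() {
  c=$(sudo docker ps | foreign_containers)
  i=$(sudo docker images | foreign_images)
  if [ -n "$c" ] || [ -n "$i" ]; then
    printf 'Stop: non-AC-Hunter containers or images found:\n%s\n%s\n' "$c" "$i" >&2
    return 1
  fi
  echo "OK: only AC-Hunter/BeaKer containers and images present"
}
```

Run `preflight && echo safe` before step 9; a non-zero exit means something on the host would be removed by steps 12 and 13 that Active Countermeasures did not supply.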

 

(If you find any errors in the above instructions or have suggestions for improving them, please let us know at [email protected] ).

Version: 202108301034

 

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=3784


Can I Install All Components on a Single System? (v1.X & v2.X)

This isn’t supported in AI-Hunter versions earlier than v3, because RITA and AI-Hunter need independent databases for their operation. The advantage of using 2 different systems is that no matter how much data is being processed by RITA, AI-Hunter will continue to operate smoothly.

In versions 3.x and later, AC-Hunter and RITA have been optimized to share the same system.



What Operating Systems Can I Use With AC-Hunter?

All components are designed to run on 64-bit Linux operating systems. The preferred platforms are:

1) Ubuntu Linux 18.04 LTS, Ubuntu Linux 20.04 LTS
2) CentOS 7
3) RHEL 7

The system should be patched and up-to-date using apt or yum. AC-Hunter will install all of the required dependencies.

AC-Hunter version 6.4.x offers beta support for the following operating systems: AlmaLinux 8, CentOS 8, RHEL 8, Rocky Linux 8, and Ubuntu 22.04. Note: Elasticsearch (used in Espy and BeaKer, but not AC-Hunter itself) is not supported on these, so it will need to run on one of the fully supported operating systems.

If your operating system offers “server” and “desktop” versions, we encourage the server version, as it frees up a little more RAM and the desktop isn’t required. That said, if you prefer the desktop for your uses, that’s fine. With the exception of the system running Zeek, all of the other components can be run on physical or virtual machines.

 

We don’t recommend Windows or Mac OS as platforms on which to run these packages, but heartily encourage their use by the analyst for running a web browser (Chrome or Firefox recommended) to review results.



What Are the Network Requirements?

Required Internet Connectivity

If the installation enables a firewall, make sure you allow at least the following traffic:

A. On the AC-Hunter system, allow incoming TCP ports 22, 80, and 443.

B. On the Zeek system, allow incoming TCP port 22. On the interface(s) used to sniff traffic, there should be no incoming firewall at all.

C. If you’re setting up a third Active-Flow system to process netflow records, that system should accept incoming TCP port 22 and UDP port 2055.

D. You can further restrict the above ports so that only machines owned by administrators and the Zeek and Active-Flow nodes can access port 22, only machines that should see the AC-Hunter web interface can access ports 80 and 443 on the AC-Hunter computer, and only the routers feeding netflow records can access UDP port 2055 on Active-Flow.

E. All systems should be able to send UDP port 53 and TCP port 53, 80, and 443 requests out to the Internet to retrieve patches and pull down supporting information used in AC-Hunter’s web UI.
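Sections A to E describe the rules but not the commands. As an added example (not from the FAQ), this POSIX shell function prints the ufw rules for one host role, applying the source restrictions from section D and leaving outbound open for section E; it assumes ufw on Ubuntu (translate to firewalld on CentOS/RHEL), and the role and argument names are assumptions.

```shell
#!/bin/sh
# Added example, not from the AC-Hunter FAQ: print the ufw rules that
# implement sections A-E for one host role. Assumes Ubuntu with ufw.
# Usage:
#   ac_fw_rules achunter   ADMIN_NET SENSOR_NET UI_NET
#   ac_fw_rules zeek       ADMIN_NET SNIFF_IFACE
#   ac_fw_rules activeflow ADMIN_NET ROUTER_NET
ac_fw_rules() {
  role=$1; admin=$2
  echo "ufw default deny incoming"
  # Outbound stays open so DNS/53 and HTTP(S) updates work (section E).
  echo "ufw default allow outgoing"
  # SSH only from administrator machines (section D).
  echo "ufw allow from $admin to any port 22 proto tcp"
  case $role in
    achunter)
      sensors=$3; ui=$4
      # Zeek / Active-Flow nodes push logs over SSH.
      echo "ufw allow from $sensors to any port 22 proto tcp"
      # Web UI only for analyst networks (sections A and D).
      echo "ufw allow from $ui to any port 80 proto tcp"
      echo "ufw allow from $ui to any port 443 proto tcp"
      ;;
    zeek)
      iface=$3
      # No filtering at all on the sniffing interface (section B).
      echo "ufw allow in on $iface"
      ;;
    activeflow)
      routers=$3
      # Netflow only from the exporting routers (sections C and D).
      echo "ufw allow from $routers to any port 2055 proto udp"
      ;;
    *)
      echo "unknown role: $role" >&2; return 1 ;;
  esac
}
```

Review the printed rules, then apply them with `ac_fw_rules achunter 10.0.0.0/24 10.0.1.5 10.0.2.0/24 | sudo sh` followed by `sudo ufw enable`.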

 

Future versions of AC-Hunter may use outbound https connections to retrieve reputation information. Details about this access will be added as these features are included.

 

