Introduction
On Day 3, I took the first steps toward setting up my Elastic stack by creating a virtual machine (VM) on Vultr.com and installing ElasticSearch. This crucial step establishes the foundation for my SOC environment, allowing me to eventually analyze logs and detect threats.
1. Signing Up on Vultr.com and Setting Up Credit
I registered on Vultr.com using a $300 credit that will allow me to complete the challenge without exceeding any budgetary constraints. Vultr is a cloud platform providing virtual private servers (VPS) that support a range of services needed to build a SOC.

2. Creating the Virtual Private Cloud (VPC)
I set up a Virtual Private Cloud (VPC) in the same location where I planned to create my VM, with a custom IPv4 range. A VPC gives every VM attached to it a private interface on that range, so this VM and the ones I add later can talk to each other over private addresses instead of their public IPs.
Key Configuration:
- Location: Bangalore (closest to my location, Bangladesh)
- IP Range: 172.31.x.x/24
- Network Name: MyDFIR SOC Challenge

3. Deploying My First Virtual Machine (VM)
I created my first virtual machine on Vultr using Ubuntu (version 22.04 LTS) as the operating system. I ensured the VM was configured with sufficient resources to run ElasticSearch smoothly:
- CPU: 4 virtual CPUs
- RAM: 16GB
- Disk Space: 80GB
This VM will serve as the base for running ElasticSearch.

4. Logging into the VM via SSH
Once the VM was up and running, I logged into it over SSH to configure and install ElasticSearch. Here's the command used:
ssh username@<My-VM-Public-IP>
Note: I used the public IP provided by Vultr to access the VM; the VPC address is only reachable from other machines inside the VPC.
5. Installing ElasticSearch
To install ElasticSearch, I followed these steps:
- Updated the system packages using:
apt-get update && apt-get upgrade -y
- Downloaded the latest version of ElasticSearch (the 8.15.0 .deb package) using wget.
- Installed the .deb package via:
dpkg -i elasticsearch-8.15.0-amd64.deb
During installation, ElasticSearch 8.x auto-configures its security settings: it enables authentication, generates a TLS certificate for the HTTP API (the CA is written to /etc/elasticsearch/certs/http_ca.crt) and prints a generated password for the built-in elastic superuser. That password is shown only once, in the installer output, so save it: it is required for every later connection to the instance. If it is lost it can be regenerated with /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic.
6. Configuring ElasticSearch
I opened the configuration file /etc/elasticsearch/elasticsearch.yml to modify the network settings. Out of the box, network.host is commented out, so ElasticSearch binds to localhost. I set it to the VM's public address so that I can reach the instance from my SOC analyst laptop:
- network.host: <My-VM-Public-IP>
- http.port: 9200
Two things to know before doing this. Setting network.host to anything other than a loopback address switches ElasticSearch into production mode, where the bootstrap checks are enforced and the node refuses to start if one fails (the .deb package already sets vm.max_map_count and the file-descriptor limit, so on this install they pass). And on an 8.x .deb install the auto-configuration block at the bottom of the same file already contains http.host: 0.0.0.0, so the HTTP API listens on every interface regardless of network.host; what actually limits who can reach port 9200 is the firewall rule in the next step.

7. Securing the ElasticSearch Instance
To restrict public access to my ElasticSearch instance, I added a firewall group on Vultr with a rule allowing SSH (TCP 22) only from my own IP; Vultr drops any inbound traffic that no rule matches. Because port 9200 is now bound to the public address, it needs the same treatment: a rule allowing TCP 9200 from my IP only, and no rule allowing it from 0.0.0.0/0. A quick check is to run curl --max-time 5 https://<My-VM-Public-IP>:9200 from a host that is not allow-listed; it should time out rather than answer with a TLS handshake or a 401.
8. Starting ElasticSearch Service
Finally, I started the ElasticSearch service and confirmed its status as “running” with the following commands:
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl start elasticsearch.service
systemctl status elasticsearch.service
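The configuration, firewall and start-up steps above (6 through 8), collected into one script as an added example; this is not code from the original post or from Elastic. It assumes the file and certificate paths that the ElasticSearch 8.x .deb package creates, and ES_PUBLIC_IP and ANALYST_IP are placeholders you set before running with ES_APPLY=1. The ufw rules are defense in depth underneath the Vultr firewall group, not a replacement for it.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the paths created by the
# ElasticSearch 8.x .deb package; ES_PUBLIC_IP and ANALYST_IP are placeholders
# you set before running with ES_APPLY=1.
ES_YML="${ES_YML:-/etc/elasticsearch/elasticsearch.yml}"
ES_CA="${ES_CA:-/etc/elasticsearch/certs/http_ca.crt}"

# set_yml_key FILE KEY VALUE
# Removes every active or commented-out "KEY:" line and appends one active
# line, so the file never ends up with two copies of the key (a duplicate
# key stops ElasticSearch from starting) and re-running is harmless.
set_yml_key() {
    f=$1; k=$2; v=$3
    pat="^[[:space:]]*#*[[:space:]]*$(printf '%s' "$k" | sed 's/\./\\./g'):"
    grep -v "$pat" "$f" > "$f.tmp" || true
    printf '%s: %s\n' "$k" "$v" >> "$f.tmp"
    mv "$f.tmp" "$f"
}

# active_value FILE KEY: prints the value of the first uncommented KEY line
active_value() {
    sed -n "s/^$(printf '%s' "$2" | sed 's/\./\\./g'):[[:space:]]*//p" "$1" | head -n 1
}

# harden_host_firewall ANALYST_IP
# Defense in depth under the Vultr firewall group: ufw on the VM itself admits
# SSH and the ElasticSearch API only from the analyst's address. Double-check
# the address first; a typo here locks you out of the VM.
harden_host_firewall() {
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow from "$1" to any port 22 proto tcp
    ufw allow from "$1" to any port 9200 proto tcp
    ufw --force enable
    ufw status numbered
}

# show_listeners: on the VM, confirm which address the HTTP API is bound to
show_listeners() {
    ss -ltn 'sport = :9200'
}

# check_http IP: authenticated request from the analyst laptop, verifying the
# auto-generated CA (copy http_ca.crt from the VM first). curl prompts for the
# elastic password so it never lands in shell history. From any host that is
# not allow-listed this should time out, not answer.
check_http() {
    curl --cacert "$ES_CA" --max-time 5 -u elastic "https://$1:9200/"
}

if [ "${ES_APPLY:-0}" = "1" ]; then
    : "${ES_PUBLIC_IP:?set to the VM public IP}"
    : "${ANALYST_IP:?set to the analyst laptop public IP}"
    set_yml_key "$ES_YML" network.host "$ES_PUBLIC_IP"
    set_yml_key "$ES_YML" http.port 9200
    harden_host_firewall "$ANALYST_IP"
    systemctl daemon-reload
    systemctl enable --now elasticsearch.service
    systemctl --no-pager status elasticsearch.service
    show_listeners
fi
```

Run it on the VM as root with ES_APPLY=1 ES_PUBLIC_IP=... ANALYST_IP=... after the .deb install; then, from the laptop, call check_http with the VM's public IP and expect a JSON banner after the password prompt, while the same call from any other host should hit the 5-second timeout.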

Conclusion
On Day 3, I successfully set up a functioning ElasticSearch instance, marking a critical step in building a fully operational SOC environment. Next up, I will be integrating Kibana, a visualization tool that works with ElasticSearch.