Installing AC-Hunter on Proxmox
RTFM First
The Procedure
Note
This process will install Zeek, BeaKer, and AC-Hunter. I am running this on my home network to experiment with Zeek and AC-Hunter. See the link in the resources below about the caveats of capturing packets in a VM.
DO NOT USE LXC CONTAINERS
If you use the ubuntu-20.04-standard_20.04-1_amd64.tar.gz LXC CT Template, AC-Hunter will fail to start.
- Install Proxmox (this guide does not cover how to do that)
- Navigate to Proxmox's local -> ISO Images and download Ubuntu 20.04 to storage. You can find it here.
- Install Open vSwitch in Proxmox
- Create an OVS vmbr and port
  a. In the Proxmox Network panel, create a new OVS Bridge, give it a vmbr name, and ensure Autostart is selected
  b. In the Bridge ports section, select the physical interface, e.g. eno4
- In a Proxmox shell (replace the # with your vmbr name)
- Create a new VM using the Ubuntu ISO with
- Open the new VM settings, create a new Network Device, and attach the vmbr to the second network interface then UNCHECK firewall
- Create a second VM using the Ubuntu ISO with
- Start the AC-Hunter and Zeek VMs
- Update both systems
- This guide does not cover how to set up SSH, but you need to configure SSH so the two VMs can talk to each other. Use `ssh-keygen` to make new SSH keys and `ssh-copy-id` to copy the keys to each of the servers. Ensure you can SSH from each VM into the other. NOTE: I also suggest modifying your `/etc/hosts` file to include the IP address and hostname of the servers, similar to the one below:
- In the Proxmox shell:
In the commands below, the `ip link | grep tap` command will show all the interfaces; you're looking for a `tap` with the VM's ID in the interface name. For example, if you have the Zeek VM as VM 200, you'd look for `tap200i1`. The `tap200i0` is the first interface, the management interface. You will replace that in the second command. You will also replace the # with the vmbr you created earlier.
- Download the AC-Hunter tar file into the AC-Hunter VM
- Run the install script based on the Install Guide (see, told you to RTFM.)
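An added example, not from the original guide and not Proxmox or AC-Hunter code: a POSIX shell script that picks the Zeek VM's capture tap out of `ip link` output and prints the Open vSwitch mirror command that copies bridge traffic to it. The bridge name vmbr1, the VM ID 200 and the `ip link` sample are assumed/constructed; the script only prints the commands, so check the interface names and run them by hand on the Proxmox host.

```shell
#!/bin/sh
# Added example (not from the guide): find tap<VMID>i<IDX> in `ip link` output
# and build the ovs-vsctl mirror command for it. vmbr1, VM 200 and the
# sample output below are assumptions / constructed values.

# Constructed sample of `ip link` output as a Proxmox host would print it.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eno4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master ovs-system state UP mode DEFAULT group default qlen 1000
7: tap200i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
8: tap200i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master ovs-system state UNKNOWN mode DEFAULT group default qlen 1000'

# find_tap VMID INDEX: read `ip link` text on stdin, print tap<VMID>i<INDEX>
# if present; exit 1 when absent (usually the VM is not running yet).
find_tap() {
    awk -v want="tap${1}i${2}" -F'[: ]+' '
        $2 == want { print $2; found = 1 }
        END { if (!found) exit 1 }'
}

# mirror_cmd BRIDGE TAP: print the ovs-vsctl command that creates a Mirror
# named zeek-span on BRIDGE with select_all=true, so every frame crossing
# the bridge is copied to TAP (the Zeek VM's capture interface).
mirror_cmd() {
    printf 'ovs-vsctl -- --id=@p get Port %s' "$2"
    printf ' -- --id=@m create Mirror name=zeek-span select_all=true output-port=@p'
    printf ' -- set Bridge %s mirrors=@m\n' "$1"
}

# clear_mirror_cmd BRIDGE: print the command that removes the mirrors again.
clear_mirror_cmd() {
    printf 'ovs-vsctl clear Bridge %s mirrors\n' "$1"
}

# Dry run against the constructed sample; on a real host pipe `ip link` in.
main() {
    tap=$(printf '%s\n' "$SAMPLE_IP_LINK" | find_tap 200 1) || {
        echo "tap200i1 not found: is VM 200 running with a second NIC?" >&2
        return 1
    }
    mirror_cmd vmbr1 "$tap"
    clear_mirror_cmd vmbr1
}

main
```

With select_all=true everything crossing the bridge is copied, so the Zeek VM's second NIC must be the one attached to the OVS bridge carrying the traffic you want, not the management bridge that holds tap200i0.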
Troubleshooting
While installing, if you receive an error stating something along the lines of `TypeError: kwargs_from_env() got an unexpected keyword argument 'ssl_version'`, you can reference a dude's workaround in Discord:
I ran into an error when installing AC Hunter CE on a fresh Ubuntu 22.0.4.3 LTS system with Python 3.10.12, Docker version 24.07, and docker-compose version 1.29.2. The error occurred at line 362 of install_ac_hunter.sh:

```bash
local mongo_datasets=`./hunt run --rm db_client mongo_cmd.sh "db.getMongo().getDBNames()"`
```

The error was thrown by docker-compose, which was being called from the hunt bash script, so this issue could also be seen outside of the installation process. The last part of the error is:

```
File "/usr/local/lib/python3.10/dist-packages/compose/cli/docker_client.py", line 124, in docker_client
    kwargs = kwargs_from_env(environment=environment, ssl_version=tls_version)
TypeError: kwargs_from_env() got an unexpected keyword argument 'ssl_version'
```
Workaround #1
Use older version of Docker / docker-compose.
Workaround #2
Need to edit 3 lines in `/usr/local/lib/python3.10/dist-packages/compose/cli/docker_client.py` (make a backup first). Delete line 112 with `ssl_version=tls_version`. Also, remove the ending comma from line 111. On line 123 (line 124 in the unedited file), remove `, ssl_version=tls_version`.
The updated file should look like:
Lines 109 - 111:

```python
return TLSConfig(
    client_cert=client_cert, verify=verify, ca_cert=ca_cert,
    assert_hostname=False if skip_hostname_check else None
)
```
Line 123:
After this change, the installation of AC Hunter and Zeek will complete without errors. AC-Hunter CE is up and running.
User Guides
Resources/Sources
- HoldMyBeer Security: Install/Setup Zeek + PF_Ring on Ubuntu 18.04 on Proxmox 5.3 + OpenVSwitch
- Active Countermeasures: Is It OK to Capture Packets in a Virtual Machine?
- Installing Security Onion on Proxmox video
- Security Onion and Proxmox FYI on promisc setup