Set up ParseDMARC, Elasticsearch, Kibana and NGINX on FreeBSD 13

ParseDMARC is an open-source, self-hosted DMARC report analyzer. To generate visualized data, ParseDMARC relies on Elasticsearch and Kibana, both of which are RAM hungry in the default configuration. Elasticsearch is written in JAVA and JVM’s RAM usage can be configured in /usr/local/etc/elasticsearch/jvm.options

Installing ParseDMARC and GeoIP

Please following commands:

# pkg install python38-pip geoipupdate

Maxmind, the creator of the widely used GeoIP database requires you to create an account and get an API key to update the local installed database. Please go to https://www.maxmind.com/en/home in order to create your account.

As ParseDMARC is a python module, please install it with:

# pip install parsedmarc

Installing Elasticsearch and Kibana

Simply use following install commands:

# pkg install elasticsearch kibana7

After installation adopt your RAM usage in the /usr/local/etc/elasticsearch/jvm.options file, right at the top.

Now let’s make the two start at boot time:

# sysrc elasticsearch_enable="YES"
# sysrc kibana_enable="YES"

and start them right away:

# service elasticsearch start
# service kibana start

Installing NginX

# pkg install nginx

After installation you need to proxy pass to the kibana interface. Change /usr/local/etc/nginx/nginx.conf:

...
location / {
    proxy_pass http://127.0.0.1:5601;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
...

Find the line “location /” and replace the content with the above lines.

Now start nginx at boot and immediately:

# sysrc nginx_enable="YES"
# service nginx start

Configuring ParseDMARC

Create following config /usr/local/etc/parsedmarc.ini

[general]
# Save aggregate and forensic reports to Elasticsearch
save_aggregate = True
save_forensic = True

[imap]
# Log into the DMARC report email address and download data.
host = mail.yourdomain.com
port = 993
ssl = True
user = dmarc@yourdomain.com
password = your_password_here
watch = False

[elasticsearch]
# Send data to Elastichsearch, which listens on port 9200.
hosts = 127.0.0.1:9200
ssl = False

[smtp]
# For sending email
host = mail.yourdomain.com
port = 587
ssl = True
user = dmarc@yourdomain.com
password = your_password_here
from = dmarc@yourdomain.com

# send results to this address
to = admin@yourdomain.com

and run the script:

parsedmarc -c /usr/local/etc/parsedmarc.ini

WARNING: the specified inbox will be emptied when the script is running! Be aware.

Configuring geoipupdate

As stated at the beginning of this tutorial, pleaase create a Maxmind account to get an account ID and API key. Now edit /usr/local/etc/GeoIP.conf and your personal datat in there and run:

# geoipupdate -v

Keeping data up to date

Last but not least, you need to create cron jobs for updating DMARC data and the GeoIP database. Please refer to the CRON documentation on FreeBSD for that purpose.

Enable LDAPS in Active Directory with OpenSSL

Step 1: Create a Certificate Authority (CA) with OpenSSL

Use the following commands to create a CA with a validity period of 10 years. The CA can be created on any machine using OpenSSL:

openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Go ahead and enter the asked information, here are some sample lines:

Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: New York
Locality Name (eg, city) []: New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany
Organizational Unit Name (eg, section) []: IT
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Step 2: Install the Certificate Authority (CA)

  • Open MMC (Microsoft Management Console) by opening PowerShell and typing “mmc”
  • when opened go to “File -> Add/Remove Snap-in”
  • and add “Certificates” to the list.
  • Click on “Next” and select “Computer Account”, “Next”, “Local Computer”
  • then “Finish” and go to the MMC window.
  • Under “Trusted Root Certification Authorities”, right-click on the “Certificates” node, select “All Tasks -> Import…” and import the certificate created in step 1.

Step 3: Create a Certificate Signing Request (CSR)

Create a new file with .inf extension (e.g. request.inf)

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=ad1.server.com,OU=IT Department,DC=domain,DC=local,O=MyCompany,L=New York,S=New York,C=US";
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1; this is for Server Authentication

Go ahead and change the Subject line to your needs. You could also raise the key length to 4096 if you want to.

Now that you created the file, create the signing request with:

certreq -new request.inf MyDC.csr

Step 4: Sign and accept the Certificate

You should now transfer the CSR back to the machine where you installed OpenSSL and sign the request with your CA and get the corresponding CRT:

openssl x509 -req -days 3650 -in MyDC.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out MyDC.crt

Transfer the created CRT file onto the server and execute in the PowerShell:

certreq -accept MyDC.crt

Step 5: Install the Certificate

Assuming MMC (Certificates) is still open, expand the “Certificates” node under “Personal”, right-click on the “Certificates” node, select “All Tasks -> Import…” and import MyDC.crt

Step 7: Restart Active Directory

All that’s left is to reboot your AD server. Done.

Enable TLSv1 in Ubuntu 20.04

By default, Ubuntu 20.04, or better the used OpenSSL version, disables all ciphers below TLSv1.2 and you need to re-enable it in order to use older ciphers. It is quite simple, add following text at the top of /etc/ssl/openssl.cnf:

openssl_conf = default_conf

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=1

Now reboot the machine and you should be done.

Warning: this can harm your machine, not physically but mentally. make sure you know how to restore the openssl.cnf if you have to.