Installing AcuMonitor Internally
AcuMonitor is the infrastructure that the Acunetix 360 web application security scanner uses to detect Server Side Request Forgery (SSRF) and all other kinds of blind, asynchronous, and second-order vulnerabilities that require data to be sent over out-of-band channels.
This topic explains how to host AcuMonitor infrastructure in your environment.
For further information, see How AcuMonitor Finds Vulnerabilities.
Requirements
These are the minimum requirements for the machines on which you install AcuMonitor:
- Docker must be installed
- SSL certificate ready in .pem format for <DOMAIN_NAME>
- Recommended RAM: 4 GB
- Recommended disk: 100 GB (mostly for logging purposes)
How to Install AcuMonitor Internally
- Make sure you have a Static IP address to allocate to the DNS Server, which will be referred to as <STATIC_IP> in these steps.
- Register a short DNS Address, which will be referred to as <DOMAIN_NAME> or example.com in this document.
- Register ns.<DOMAIN_NAME> and ns2.<DOMAIN_NAME> as Name Servers for <DOMAIN_NAME>.
- Point ns.<DOMAIN_NAME> and ns2.<DOMAIN_NAME> to <STATIC_IP>. The Name Server will be hosted inside the Docker Container.
- Make sure that the following AcuMonitor ports are reachable and not used by any other process:
  - TCP 80, 53, 443; from everywhere
  - UDP 53; from everywhere
- Download the latest compressed AcuMonitor Docker image file and copy it to a machine with a Docker installation. You can download it from this link: https://invicti.s3.amazonaws.com/acumonitor.tar.xz
- Load this image to Docker using the following command:
docker load < acumonitor.tar.xz
- Create a container using the following command. Adjust the command by inserting your own domain name (<DOMAIN_NAME>), static IP (<STATIC_IP>) and the image name and tag printed by docker load (<IMAGE_NAME>):
docker create -it -e DOMAIN_NAME='<DOMAIN_NAME>' -e STATIC_IP='<STATIC_IP>' -e RESPONDER_HTTP_ONLY='NO' --security-opt=no-new-privileges --restart=always --oom-kill-disable --memory=3g -p 80:80 -p 443:443 -p 53:53/udp --name acumonitor <IMAGE_NAME>
- We recommend that you use SSL between Acunetix 360 and AcuMonitor. If your certificates are in .crt and .key file formats, convert them to .pem files (see https://stackoverflow.com/search?q=crt+key+pem).
- Copy your certificate chain and private key into the cert folder of the AcuMonitor container; inside the container they must be named fullchain.pem and privkey.pem:
  - docker cp fullchain.pem acumonitor:/opt/cert/fullchain.pem
  - docker cp privkey.pem acumonitor:/opt/cert/privkey.pem
- If you do not wish to use HTTPS, e.g. for testing purposes, pass RESPONDER_HTTP_ONLY='YES' instead of 'NO' in the docker create command.
- Start the container:
  - docker start acumonitor
- Configure DNS for <DOMAIN_NAME>, as in example.com:
  - Define two name servers, ns.example.com and ns2.example.com, pointing to the static IP address of the Docker host
  - Check that the Docker host machine is accessible using these DNS names
  - AcuMonitor should be able to resolve the following addresses:
    - example.com
    - ns.example.com
    - ns2.example.com
    - a.example.com
    - a.b.c.example.com
    - aaaaaaaaaaaaaaaaaaaaaaa.example.com
- Change the AcuMonitor URI in the policy to https://example.com, or to http://example.com if you do not want to use HTTPS.
- Validate DNS Settings and Validate AcuMonitor.
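The following pre-flight script is an added example, not part of the Acunetix documentation or the AcuMonitor image: it checks, from the machine running Acunetix 360, that the six names listed above resolve, that ns/ns2 answer with <STATIC_IP>, that TCP 53, 80 and 443 on the host accept connections, and that the responder's HTTPS certificate validates for <DOMAIN_NAME>. The domain and IP are passed on the command line; the resolver is injectable so the name checks can be exercised offline with constructed answers.

```python
"""Pre-flight check for an internally hosted AcuMonitor (added example)."""
import socket
import ssl
import sys

# The names the installation steps say AcuMonitor must resolve (example.com = <DOMAIN_NAME>).
def expected_names(domain):
    return [domain, f"ns.{domain}", f"ns2.{domain}", f"a.{domain}",
            f"a.b.c.{domain}", f"aaaaaaaaaaaaaaaaaaaaaaa.{domain}"]

def check_dns(domain, static_ip, resolve=socket.gethostbyname):
    """Return {name: problem}; empty means every name answers and ns/ns2 point at static_ip.
    Only the name servers are required to equal static_ip (the page states that);
    the other names merely have to resolve."""
    problems = {}
    for name in expected_names(domain):
        try:
            addr = resolve(name)
        except OSError as exc:
            problems[name] = f"no answer ({exc})"
            continue
        if name in (f"ns.{domain}", f"ns2.{domain}") and addr != static_ip:
            problems[name] = f"resolved to {addr}, expected {static_ip}"
    return problems

def check_ports(host, ports=(53, 80, 443), timeout=3.0):
    """Return the TCP ports on host that refuse or time out (UDP 53 is not probed here)."""
    closed = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                pass
        except OSError:
            closed.append(port)
    return closed

def check_tls(domain, host, timeout=3.0):
    """Validate the HTTPS responder's chain for domain using the system trust store.
    Returns (True, subject) or (False, reason); with RESPONDER_HTTP_ONLY='YES' this fails."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=domain) as tls:
                return True, tls.getpeercert()["subject"]
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)

if __name__ == "__main__":
    dom, ip = sys.argv[1], sys.argv[2]  # usage: preflight.py <DOMAIN_NAME> <STATIC_IP>
    print("DNS problems:", check_dns(dom, ip) or "none")
    print("Unreachable TCP ports:", check_ports(ip) or "none")
    print("TLS:", check_tls(dom, ip))
```

To query the container's own name server rather than the host resolver, run `dig @<STATIC_IP> a.b.c.example.com` for each name instead.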
You can now run Acunetix 360 scans using a custom server that uses this policy for AcuMonitor verification.