The Blumira sensor provides a way to connect your environment to the Blumira service and also acts as a honeypot to detect lateral movement. Customers can configure multiple sensors as needed.
The sensor integrates with third-party products such as firewalls, identity services, endpoint detection tools and cloud infrastructure and collects logs as part of the Blumira service.
To install a Blumira sensor on Ubuntu, complete the following steps:
1. Download the latest Ubuntu Server 18.04.x ISO from this link: Ubuntu 18.04.05 LTS Downloads. Download the Server and LTS version.
Note: Blumira does not recommend using Ubuntu 20 LTS at this point, as its kernel has a tendency to be unstable. We recommend using Ubuntu 18 LTS, which is supported until 2026 and has been shown to be much more stable. When Ubuntu 20 LTS is stable, we will provide upgrade directions for organizations that would like to move to 20 LTS.
2. Boot your machine from the ISO.
3. Wait until the installer finishes loading and displays the language selection page. Use the up and down arrow keys to select your language, then press Enter.
4. On the keyboard selection page, in most cases, you can simply press Enter to accept the default.
5. On the Install selection page, press Enter to accept the default (Install Ubuntu).
6. On the network configuration page, we’ll have to make some edits. Use the up arrow key to select eth0. Press Enter to get a submenu. Use the down arrow key to select “Edit IPv4”. Press Enter to edit the settings.
7. In the settings dialog, press Enter again to show a pull-down menu. Select Manual and press Enter.
8. In the manual settings dialog, the Subnet field should be in CIDR format (xx.xx.xx.xx/yy, where yy is the number of bits in the network mask and xx.xx.xx.xx is the network address, i.e. your IP address with everything after the first yy bits set to zero). The other fields should be self-explanatory. Move down to [Save] and press Enter.
9. You should now be back at the main network configuration page. Use the down arrow key to move down to [Done] and press Enter.
10. Next is the proxy configuration page. HTTP Proxies are pretty rare these days, so you can most likely just press Enter to accept the default (no proxy).
11. On the Ubuntu archive mirror configuration page, press Enter to accept the default mirror.
12. On the filesystem configuration page, we’ll have to make some edits. Use the down arrow key to select “Use An Entire Disk And Set Up LVM” and press Enter.
13. Choose the disk to install onto. Usually, you can just press Enter to select the default.
14. On the partition configuration page, we need to make some edits. The default configuration gives us a 4GB ubuntu-lv and leaves the rest as free (inaccessible) space. We want to maximize the size of ubuntu-lv so that no free space remains. Use the up arrow to move to ubuntu-lv. Press Enter to open a submenu. Move down to “Edit”. Press Enter.
15. In the Partition edit dialog, change the size to be exactly equal to the maximum. Move down to [Save] and press Enter.
16. Now you should be back at the partition configuration page. The free space should have disappeared now. Use the down arrow to move down to [Done] and press Enter.
17. A confirmation box should appear. Move down to [Continue] and press Enter.
18. While it is installing, it will continue to ask a few more questions. The next page mostly concerns the username and password you will use to log in with. This is a privileged user who has the ability to escalate to root. Enter the information, move down to [Done], and press Enter.
19. Lastly, there is a list of featured snaps (additional features that you may want to install). The only one we need is “docker”. Move down to “docker” and press SPACE. Move all the way down to [Done] and press Enter.
20. Wait until the installation of Ubuntu is complete. Press Enter to reboot the Ubuntu machine.
21. It will ask you to remove the installation media and press Enter. In Hyper-V, the installation ISO is disconnected automatically, so you can just press Enter immediately. If you’re using VMware, you may need to manually disconnect the ISO mount depending on the version. If it boots back into the installer, remove the mounted ISO and reboot.
After the first login, point the sensor at your organization’s NTP server so its log timestamps stay accurate. The first line sets the server name used by the sed command (the value shown is a placeholder); the pattern is anchored to the start of the line so that only the NTP= setting, and not the commented FallbackNTP= line, is changed:
NTP="ntp.example.com"   # placeholder: replace with your NTP server's hostname or address
sudo sed -i -e "s/^#*NTP=.*/NTP=$NTP/" /etc/systemd/timesyncd.conf   # uncomment and set the NTP= line
sudo systemctl restart systemd-timesyncd   # apply the new time source
It is the customer’s responsibility to keep this Ubuntu server secure and running properly. You should treat it as any other asset in your organization’s infrastructure.
The Ubuntu system will automatically install security patches on a daily basis, but if updates require the machine to be rebooted, it will not do this automatically. You should periodically check that security updates are being successfully installed, and reboot it if the login banner informs you that a reboot is required.
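The three things the article asks you to keep an eye on after installation (the NTP setting in timesyncd.conf, whether security updates are being applied automatically, and whether a reboot is pending) can be checked from a small script. The script below is an added example and not part of the Blumira article or the Blumira sensor; it reads the standard Ubuntu 18.04 files and accepts alternative paths as arguments so it can also be exercised against constructed sample files. The file names and the `--live` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Blumira article: post-install checks for the sensor host.
# Every check reads from a path given as its first argument (defaulting to the real
# location on Ubuntu 18.04) so the same functions work against the live system or
# against constructed sample files.

# Print the active NTP= server list from timesyncd.conf, or nothing if the setting is
# still commented out. Like systemd, the last uncommented NTP= line wins.
timesyncd_ntp_server() {
    conf="${1:-/etc/systemd/timesyncd.conf}"
    [ -f "$conf" ] || return 0
    sed -n 's/^[[:space:]]*NTP=[[:space:]]*//p' "$conf" | tail -n 1
}

# Succeed (exit 0) when unattended upgrades are switched on in the APT periodic
# configuration that the Ubuntu installer writes.
auto_upgrades_enabled() {
    conf="${1:-/etc/apt/apt.conf.d/20auto-upgrades}"
    [ -f "$conf" ] && grep -Eq '^[[:space:]]*APT::Periodic::Unattended-Upgrade[[:space:]]+"1";' "$conf"
}

# Succeed when the flag file that unattended-upgrades leaves behind (and that the
# login banner reports) says a reboot is still pending.
reboot_required() {
    [ -f "${1:-/var/run/reboot-required}" ]
}

# Run all checks against the live system and print a one-line verdict for each.
# Only runs when invoked with --live, so sourcing the file just defines the functions.
if [ "${1:-}" = "--live" ]; then
    ntp="$(timesyncd_ntp_server)"
    if [ -n "$ntp" ]; then echo "ok: NTP server(s) configured: $ntp"; else echo "warn: NTP= not set in timesyncd.conf"; fi
    if auto_upgrades_enabled; then echo "ok: unattended upgrades enabled"; else echo "warn: unattended upgrades disabled"; fi
    if reboot_required; then echo "action: reboot required to finish applying updates"; else echo "ok: no reboot pending"; fi
fi
```

Run it on the sensor as `sh sensor-checks.sh --live`; pairing it with `timedatectl status` confirms that the configured server is actually being used for synchronization, not just written to the file.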