Sensor Installation Guide
The following provides a basic overview of how to perform an installation of a GreyNoise Sensor on a Customer Hosted device.
Pre-Install
System Requirements
- An internet-facing Linux box running a supported operating system:
- Linux Kernel >= 5.6
- Debian-based operating system that uses apt and systemd
- Ubuntu 22.04 LTS
- Debian 12
- Minimum supported hardware and CPU requirements:
- 1 vCPU, 0.5 GB of RAM and 1 GB of storage - architecture equivalent to an Amazon t2.micro
- Root level access
- You will need a public IP for your sensor.
- This box must *not* be used for any other purpose and must be dedicated to serving as a GreyNoise Sensor. All traffic will be forwarded to the GreyNoise Cloud using a WireGuard tunnel, where our backend will handle making the sensor "look" like a certain honeypot persona (Operating System + Applications).
- By default, the SSH port will be changed to a non-standard SSH port. You can only SSH into the sensor via the installation's configured SSH Management Port.
- All egress traffic from the sensor will be blocked.
- We recommend that you use infrastructure that can be easily destroyed/rebuilt (there is no uninstallation provided for the sensor in the Early Access program).
Static IP Required
We rely on a stable, static IP address to be assigned to each Sensor for the life of that sensor.
Dedicated Systems Only
Systems used as a GreyNoise Sensor must ONLY be used as a GreyNoise sensor and should not serve any other purpose.
Unique Environment Requirements
Amazon EC2
When installing a GreyNoise Sensor on an Amazon EC2 system, it is important to follow the manual install steps below with the optional -p flag so that the external IP of the system can be passed to the bootstrap script. Additionally, ensure that the EC2 system has a static IP that will not change if the system is powered off.
Google GCP
When installing a GreyNoise Sensor on a Google GCP system, an additional pre-install step is required. Before running the bootstrap script, ensure that the /etc/hosts file contains an entry for 127.0.0.1 localhost. This is not included by default and can cause unexpected behavior with the system after the bootstrap script is executed.
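The requirements above, including the GCP /etc/hosts entry, can be checked before the bootstrap script is run. The following is an added example, not part of GreyNoise's bootstrap script; the function names and the preflight.sh file name are hypothetical, and it assumes /run/systemd/system exists when systemd is the running init.

```shell
#!/bin/sh
# Added example: pre-install checks for a host that will become a sensor.
# Function names are hypothetical; this is not part of the bootstrap script.

kernel_ok() {            # $1 = release string, e.g. "5.15.0-91-generic"
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    for n in "$major" "$minor"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 6 ]; }
}

os_supported() {         # $1 = os-release file; accepts Ubuntu 22.04 or Debian 12
    ( . "$1" && case "$ID:$VERSION_ID" in
          ubuntu:22.04|debian:12) exit 0 ;;
          *) exit 1 ;;
      esac )
}

has_apt_systemd() {      # apt on PATH and systemd running as init
    command -v apt >/dev/null 2>&1 && [ -d /run/systemd/system ]
}

hosts_has_localhost() {  # $1 = hosts file; commented-out entries do not count
    grep -Eq '^[[:space:]]*127\.0\.0\.1[[:space:]]+([^#]*[[:space:]])?localhost([[:space:]]|#|$)' "$1"
}

is_root() { [ "$(id -u)" -eq 0 ]; }

check() {                # $1 = label, remaining args = command to run
    label=$1; shift
    if "$@"; then echo "ok    $label"
    else echo "FAIL  $label"; fails=$((fails + 1)); fi
}

preflight() {            # returns the number of failed checks
    fails=0
    check "kernel >= 5.6 ($(uname -r))" kernel_ok "$(uname -r)"
    check "Ubuntu 22.04 LTS or Debian 12" os_supported /etc/os-release
    check "apt and systemd present" has_apt_systemd
    check "/etc/hosts has 127.0.0.1 localhost" hosts_has_localhost /etc/hosts
    check "running as root" is_root
    return "$fails"
}

# Run the checks only when invoked as: sh preflight.sh --run
[ "${1:-}" != "--run" ] || preflight
```

The exit status is the number of failed checks, so a provisioning pipeline can stop before the bootstrap step when it is non-zero.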
Installing the Sensor
Ensure Sensor access on GreyNoise Visualizer
Log into the GreyNoise Visualizer and navigate to the Sensors tab in the top-level navigation.
Is the Sensor tab missing?
If you don't see the Sensors tab, try logging out and back in. If you still can't see it, you may not have been provisioned correctly for early access. Contact [email protected] if you are an early access participant who cannot see your sensors.
Connect to the system
SSH into the system designated to be converted to a GreyNoise sensor. Ensure the account being used has root privileges.
SSH Port Change
Once installation is complete, you will be logged out of your existing SSH session. You will be able to SSH back into your sensor with the new SSH management port configured post-install (the port is randomly set during install, but can be customized).
Choose Installation Method
Standard Installation using the BootStrap Command from the Visualizer
Public IP on Interface Required
To use the standard installation method, the Public IP address assigned to the server must be on one of the primary interfaces. If the sensor is being installed in an environment like AWS, where the Public IP isn't easily detectable, please follow the Custom Install instructions in the next section.
Copy/paste the bootstrap installation script from the sensor management screen into your terminal and hit enter.
Installation should proceed automatically, and your sensor will appear on the Sensor tab of the Visualizer when finished.
Have an issue with the script?
Make sure to check out the Troubleshooting section below, or contact [email protected] for assistance.
Customized Script Using Optional Flags
Sometimes, you may need to manually configure flags to bootstrap the sensor. The following is a list of the available flags supported by the bootstrap script:
-i <ip_address>
- is used to define the internal IP address the system uses for outbound network connections. This should only be needed if the IP address used to connect to the internet is not easily discoverable.
-p <ip_address>
- is used to provide the public IP address that the GreyNoise Cloud will use to communicate with the sensor. This option is used when the Public IP is hidden from the operating system via something similar to the NAT configuration used by AWS EC2 instances.
-s <SSH management port>
- is used to provide the desired SSH management port instead of the randomly generated one provided by the script. Once the installation is complete, you will use this port to SSH into your sensor.
-n <interface name>
- is used to set the interface used for publicly routable ingress/egress traffic, e.g. eth0. By default, the script will attempt to guess the interface based on the default route.
-g <ip_address>
- is used to define the gateway IP for traffic. It is only needed if sensor response traffic should be sent via a different route than the normal route to access the internet.
Example Commands - make sure to run as a root/sudo level user
export GREYNOISE_API_KEY=<your api key>
curl -H "key: $GREYNOISE_API_KEY" -L https://api.greynoise.io/v1/workspaces/MY_WORKSPACE_ID/sensors/bootstrap/script > bootstrap.sh
chmod 755 ./bootstrap.sh
./bootstrap.sh -i 123.124.125.126 -s 3822 -n eth4
Unique Bootstrap Script URL
Please note that in the example above, MY_WORKSPACE_ID should be a unique identifier that points to a personal or team workspace. This can be copied directly from the Sensor page bootstrap command.
Installation should proceed automatically, and your sensor will appear on the Sensor tab of the Visualizer when finished.
SSH Port Change
Once installation is complete, you will be logged out of your existing SSH session. You will be able to SSH back into your sensor with the new SSH management port configured post-install (default is randomly generated and provided in the output of the script, but can be customized during the installation).
Example: ssh -p 3822 ubuntu@mysensorip
Post-Installation
Once you have successfully installed a sensor, the sensor will be running the GreyNoise Default persona, which is not listening on any ports but will respond to pings and send transport protocol rejection packets. When you are ready for the sensor to start collecting data, be sure to select one of the device personas and apply it to the sensor so it captures additional traffic and scanning attempts.
Troubleshooting
For any issues, please feel free to contact [email protected] for assistance.
Check your Firewall Settings
The firewall on your server must permit traffic on the ports that the persona requires to be open.
I can't log into the server I installed the GreyNoise sensor on via SSH anymore after installation
Once the GreyNoise sensor bootstrap is installed, your SSH port will be changed. The port is updated when the script runs, and the new port is provided in the output of the script. It can also be found in the Visualizer after your sensor IP.
My sensor shows the wrong IP address in the Visualizer.
For some systems, the public IP address cannot be automatically detected during installation. If this is the case for your device, please use either the -i or -p switch on the bootstrap script and redo the installation.