
Putting It All Together

In document + Cellular Attacks (Page 81-89)

Here’s the sensor parts list:

• …GB MicroSD card (faster is better).

• NooElec NESDR XTR (NESDR Mini will work too, but only for the lower-frequency …MHz bands).

• SIM808 GSM breakout board.

• GSM antenna (frequently sold with the SIM808).

• Some SIM808 modules require a lithium-ion battery.

• ND…C GlobalSat USB GPS dongle.

• USB-to-serial RPi console adapter (consider Adafruit product …).

• Power supply for the Raspberry Pi (…A).

• USB cable for relocating the SDR dongle (due to its size, it can block other USB ports).

• USB cable for providing power to the GSM modem.

• Ethernet cable or Wi-Fi adapter.

Services you'll need logins for:

• Choose a cloud provider. Nothing here is provider-specific; you just need to be able to instantiate Linux instances.


FEATURE: Cellular Man-in-the-Middle Detection with SITCH

• GitHub (set up multi-factor authentication, MFA).

• Resin.io: https://resin.io (use MFA here as well).

• OpenCellID: http://opencellid.org.

• Slack.

• Twilio API credentials.

• Your favorite domain registrar (as long as it provides DNS too).

• Docker Hub: https://hub.docker.com (if you plan on modifying any of the base images).

Setting Up the SITCH Service

Before getting started, a few caveats. This walk-through is going to provide you with a demo-grade service. You're urged to consider using Kubernetes, Mesos/Marathon or another more resilient platform to get the benefit of a more self-healing application. That being said, the components are all containerized, so restarting pieces in the event things get weird is trivial. For the sake of brevity, some common administrative tasks are not covered in detail. You can find more documentation and troubleshooting information at http://sitch.io.

Instance Creation

Create one Linux instance with at least …GB of RAM and …GB of disk space on the root volume, and add a second volume with at least …GB of space. This demo relies on Docker, not any specific Linux distribution. Allocate a static IP to the instance and give it a DNS name. Initially, you need only SSH access. Make sure that your instance is only reachable via SSH from your current IP address. Once the instance is alive, ssh in, format the second volume with XFS and mount it under /opt/shared.

Obtaining Certificates

I use EFF's Certbot to obtain certificates for the web server portion of the service (http://letsencrypt.readthedocs.io/en/latest/install.html?highlight=docker#running-with-docker). Open up TCP ports 80 and 443 for inbound access so that the Let's Encrypt service can verify your control of your server's DNS name. Next, run this command:

    docker run -it --rm \
      -p 443:443 -p 80:80 \
      --name certbot \
      -v "/etc/letsencrypt:/etc/letsencrypt" \
      -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
      quay.io/letsencrypt/letsencrypt:latest \
      certonly

This runs the certbot container image, which will walk you through the process of obtaining a certificate for your environment. Close TCP port 80; you won't need it again until you renew the certificates. You also should consider only leaving TCP port 443 open to IPs where your sensors will live.

Setting Up Your Own Vault

I use Vault by HashiCorp to store the crypto material for securing the sensor-to-service communication. Start up Vault, mounting in the certificates created in the prior step:

    docker run -d \
      --cap-add=IPC_LOCK \
      -p 8200:8200 \
      -v /etc/letsencrypt/:/etc/letsencrypt/ \
      -e 'VAULT_LOCAL_CONFIG={"backend": {"file": {"path": "/vault/file"}},
      "listener": {"tcp": {"address": "0.0.0.0:8200",
      "tls_cert_file": "/etc/letsencrypt/live/YOUR_DOMAIN_NAME_HERE/fullchain.pem",
      "tls_key_file": "/etc/letsencrypt/live/YOUR_DOMAIN_NAME_HERE/privkey.pem"}},
      "default_lease_ttl": "7200h", "max_lease_ttl": "7200h"}' \
      --name sitch_vault \
      vault server

Replace YOUR_DOMAIN_NAME_HERE in the above command with the DNS name of your server, which is the same name that you used in the Certbot wizard, above. Running docker ps should confirm that the vault service is now up and running. Next, you need to unseal the vault and obtain a root token.

To unseal the vault, start with this: docker exec sitch_vault vault init --tls-skip-verify. You'll see something like Figure 3.

To unseal the vault, run this command:

    docker exec -it sitch_vault vault unseal --tls-skip-verify

That will result in a prompt requesting a key. Copy/paste one from above. Do this three times total, using a different unseal key each time, and the vault will unseal. You should see output from the final command that reads: Sealed: false. Record your Initial Root Token in your password manager.
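As an added example (not the SITCH project's own code), the bash helpers below render the VAULT_LOCAL_CONFIG JSON from the command above for a given domain, refuse to start Vault while the YOUR_DOMAIN_NAME_HERE placeholder is still in place or the Let's Encrypt files are missing, and parse the vault init output so the three unseals can be scripted instead of pasted by hand. The init output format (Unseal Key N: and Initial Root Token: lines), the sample output and the sitch.example.com domain are assumptions; nothing here contacts a real Vault unless DRY_RUN is left unset.

```shell
#!/usr/bin/env bash
# Added example, not SITCH project code. Helpers for the Vault steps above:
# render the config JSON from a domain, pre-check the Let's Encrypt files,
# and drive the three unseals from the `vault init` output.
set -eu

LE_DIR="${LE_DIR:-/etc/letsencrypt}"   # host path that the docker run mounts in

# Render VAULT_LOCAL_CONFIG with the domain substituted, so the placeholder
# YOUR_DOMAIN_NAME_HERE is never left in by accident.
vault_local_config() {
  live="/etc/letsencrypt/live/$1"       # path as seen inside the container
  printf '{"backend":{"file":{"path":"/vault/file"}},'
  printf '"listener":{"tcp":{"address":"0.0.0.0:8200",'
  printf '"tls_cert_file":"%s/fullchain.pem","tls_key_file":"%s/privkey.pem"}},' "$live" "$live"
  printf '"default_lease_ttl":"7200h","max_lease_ttl":"7200h"}\n'
}

# Return non-zero if the domain is still the placeholder or the cert/key
# files certbot should have written are absent or empty.
check_cert_files() {
  domain="$1"; le_dir="${2:-$LE_DIR}"
  case "$domain" in ""|*YOUR_DOMAIN*) return 1 ;; esac
  [ -s "$le_dir/live/$domain/fullchain.pem" ] || return 1
  [ -s "$le_dir/live/$domain/privkey.pem" ] || return 1
}

# Parse `vault init` output on stdin. Assumed format (the command shown in
# Figure 3): "Unseal Key N: <key>" lines and one "Initial Root Token: <token>".
unseal_keys_from_init() { sed -n 's/^Unseal Key [0-9][0-9]*: *//p'; }
root_token_from_init()  { sed -n 's/^Initial Root Token: *//p'; }

# Feed three distinct keys (one per line on stdin) to `vault unseal`.
# With DRY_RUN=1 the docker exec commands are printed instead of executed.
unseal_vault() {
  n=0
  while IFS= read -r key; do
    [ -n "$key" ] || continue
    n=$((n + 1))
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "docker exec -i sitch_vault vault unseal --tls-skip-verify <unseal key $n>"
    else
      docker exec -i sitch_vault vault unseal --tls-skip-verify "$key" >/dev/null
    fi
    [ "$n" -lt 3 ] || break
  done
  [ "$n" -eq 3 ]   # the walk-through's threshold: three of the five keys
}

# Constructed sample of `vault init` output (not real key material).
SAMPLE_INIT='Unseal Key 1: a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1
Unseal Key 2: b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2
Unseal Key 3: c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3
Unseal Key 4: d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4
Unseal Key 5: e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5
Initial Root Token: 00000000-1111-2222-3333-444444444444
Vault initialized with 5 keys and a key threshold of 3.'

# Dry-run walkthrough: DEMO=1 bash vault_helpers.sh
if [ "${DEMO:-0}" = 1 ]; then
  vault_local_config "${DOMAIN:-sitch.example.com}"
  printf '%s\n' "$SAMPLE_INIT" | unseal_keys_from_init | DRY_RUN=1 unseal_vault
  printf 'root token (store it in your password manager, not in shell history): %s\n' \
    "$(printf '%s\n' "$SAMPLE_INIT" | root_token_from_init)"
fi
```

The --tls-skip-verify flag is needed only because docker exec talks to Vault at its loopback address, which the Let's Encrypt certificate does not cover; clients outside the container should address Vault by the DNS name in VAULT_URL so certificate verification stays on.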

Figure 3. Output from docker exec sitch_vault vault init --tls-skip-verify

Populating Vault with Keys

Log delivery uses Filebeat and Logstash. These require certificates for operation. Fortunately, the process for generating and uploading them has been automated. First, you'll need to open the Vault TCP port (8200 in the command above) from the world into your server. Next, you'll run the SITCH Self-Signed Seeder (https://hub.docker.com/r/sitch/self_signed_seeder):

    docker run -it \
      -e VAULT_URL=$VAULT_URL \
      -e VAULT_TOKEN=$VAULT_TOKEN \
      -e LS_CLIENTNAME=$LS_CLIENTNAME \
      -e LS_SERVERNAME=$LS_SERVERNAME \
      docker.io/sitch/self_signed_seeder

This will cause the Vault to be populated with certs and keys for sensor and service. Make sure that your LS_SERVERNAME is set to the same hostname as included in the VAULT_URL, because these containers are running on the same host. There are two tokens mentioned in the (quite verbose) output at the end: Client token and Server token. Look under each section and grab the token labeled client token (Figure 4).

Your Vault is now seeded with self-signed certs and keys for Logstash.

Figure 4. Grabbing the Token

Configuring Storage for Scans

Set up the Elasticsearch and Kibana portions of the ELK stack in whatever manner makes the most sense for your environment. If you're using AWS, you can accelerate this by using the AWS ElasticSearch Service. Use ElasticSearch version … or greater.

Retain the URLs for accessing Kibana and Elasticsearch.

Configuring Logstash for Ingestion

Logstash is used for ingestion of telemetry from the sensors. There's a SITCH spin of the Logstash container; follow the instructions in the README (found at https://hub.docker.com/r/sitch/logstash) to set your environment variables for running the container. Before you complete this step, you'll need access to Slack to create a webhook for notification.

GRAPHITE_HOST is the name of your server, and GRAPHITE_PORT will be 2003, the port on which InfluxDB's Graphite listener is exposed below. The Graphite line protocol is used for delivering time-series information, which is understood by InfluxDB. Finally, open the Logstash listener port so that the Filebeat log shipper can connect to Logstash.

Building the SITCH Data Feed

Now let's build the SITCH feed, which is composed of the OpenCellID database enriched with information from the Twilio API and the FCC license database. Locate your OpenCellID API key and your Twilio SID and token for API access. Run the container according to the README at https://hub.docker.com/r/sitch/feed_builder.

Figure 5. Diagram of Sensor Software and Enrichment Information Flow

This job will take quite a while to run. If your curiosity demands to see progress, run docker logs -f CONTAINER_NAME to see the feed builder's progress. Don't stop it mid-job, or you may have to wait until tomorrow to try again. The OpenCellID database can be retrieved only once daily, per API key. So let it roll until it's done.

Configuring the Time-Series Database

Any time-series database that supports the Graphite line protocol should work with SITCH. For the purposes of this demo, I'm using InfluxDB. Make sure that TCP ports 8083, 8086 and 2003 are accessible from the server itself, using its own public IP address. Start InfluxDB with this command:

    docker run -d \
      --name sitch_influx \
      -p 8083:8083 \
      -p 8086:8086 \
      -p 2003:2003 \
      -e INFLUXDB_GRAPHITE_ENABLED=true \
      -v /opt/shared/influxdb:/var/lib/influxdb \
      influxdb
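Logstash and the sensors reach InfluxDB through the Graphite line protocol that the command above enables on port 2003. As an added example (not SITCH project code), the bash script below builds and validates one Graphite line, pushes it to that listener and reads it back through InfluxDB's HTTP API on port 8086, which is a quick way to confirm the time-series path before any sensor exists. The YOUR_SERVER_NAME placeholder, the "graphite" database name (InfluxDB's default for its Graphite plugin) and the test metric path are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not SITCH project code: build and validate a Graphite
# line-protocol message, push it to the InfluxDB Graphite listener started
# above (port 2003) and read it back over InfluxDB's HTTP API (port 8086).
set -eu

GRAPHITE_HOST="${GRAPHITE_HOST:-YOUR_SERVER_NAME}"   # same value Logstash is given
GRAPHITE_PORT="${GRAPHITE_PORT:-2003}"
INFLUX_HTTP="${INFLUX_HTTP:-http://${GRAPHITE_HOST}:8086}"
INFLUX_DB="${INFLUX_DB:-graphite}"   # assumption: InfluxDB's default DB for the Graphite plugin

# Graphite line protocol is one record per line: "<metric.path> <value> <unix_ts>".
# Prints the line, or returns 1 without output when the metric path, value or
# timestamp is malformed, so a bad sensor field cannot be written as a metric.
graphite_line() {
  metric="$1"; value="$2"; ts="${3:-$(date +%s)}"
  case "$metric" in
    ""|*[!A-Za-z0-9._-]*|.*|*.|*..*) return 1 ;;
  esac
  v="${value#-}"                         # allow a single leading minus sign
  case "$v" in
    ""|*[!0-9.]*|.|*.*.*|*-*) return 1 ;;
  esac
  case "$ts" in ""|*[!0-9]*) return 1 ;; esac
  printf '%s %s %s\n' "$metric" "$value" "$ts"
}

# Send one line over TCP with bash's /dev/tcp (swap in `nc -q0 host port` on
# shells without it). The trailing newline is part of the protocol.
graphite_send() {
  exec 3<>"/dev/tcp/${GRAPHITE_HOST}/${GRAPHITE_PORT}"
  printf '%s' "$1" >&3
  exec 3>&-
}

# Read the metric back: with InfluxDB's default Graphite template the metric
# path becomes the measurement name and the number lands in a field "value".
influx_last_value() {
  curl -sG "${INFLUX_HTTP}/query" --data-urlencode "db=${INFLUX_DB}" \
       --data-urlencode "q=SELECT last(\"value\") FROM \"$1\""
}

# End-to-end check against a live server:
#   DEMO=1 GRAPHITE_HOST=sitch.example.com bash graphite_check.sh
if [ "${DEMO:-0}" = 1 ]; then
  metric="sitch.test.$(hostname -s).heartbeat"   # constructed test metric path
  line="$(graphite_line "$metric" 1)"
  graphite_send "$line"
  sleep 2                                        # give InfluxDB a moment to flush
  influx_last_value "$metric"
fi
```

If the query returns no series, check first that port 2003 really is reachable from the server's own public IP as the section above requires; a firewall that only allows loopback is the usual cause.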

The last step in preparing the persistence layer is Chronograf. I'm using Chronograf to visualize the information stored in InfluxDB. Start it like this:

    docker run -d \
      -p 10000:10000 \
      --name sitch_chronograf \
      chronograf

Instructions for running the SITCH front-end web server container are at https://hub.docker.com/r/sitch/web. Follow the instructions there and confirm that you can download https://YOUR_SERVER_NAME/….csv.gz.

This will confirm that your feed is built and available for your sensors. Now is a great time to make sure that the ports mapped in for the web container are accessible to you from your IP address. It's not an awful idea to take it a step further and employ authentication in the web container, or a VPN for accessing it, but that's outside the scope of this demo.

Building the SITCH Sensor

Log in to https://resin.io and create your first project. Name it whatever you like. Click "Download ResinOS" to download the image for your Raspberry Pi. Follow the directions on-screen to image your MicroSD card. Insert the card into the Raspberry Pi, and plug in the GPS, SDR and Ethernet cable. Use the USB console cable to attach the SIM808 module to the Pi. Black goes to ground, red to vio, green to rx and white to tx. Give the Pi power, and in a few minutes, verify that the device has registered with your application. Next, set the following environment variables in your Resin project:

• FEED_URL_BASE — this should be https://YOUR_SERVER_NAME.

• GSM_MODEM_BAND — try GSM850_MODE.

• KAL_BAND — try GSM850.

• KAL_GAIN — if you're indoors and have bad reception, try … or ….


Figure 6. Time-Series Data from Kalibrate and GSM Modem Graphed in Chronograf
