This guide explains how to deploy a private (internal) AppCheck scan hub. AppCheck provides private scan hubs to allow clients to scan target infrastructure and applications from inside their organisation’s perimeter firewall boundary (while AppCheck’s public scan hubs allow scanning from outside, over the public internet).
Note: The scan hub software is designed to be installed on servers and to be always online. Installing hubs on personal computers and switching hubs off or disconnecting them from the internet for significant periods of time is not recommended and can result in the hub failing to update.
If you encounter any issues with hub deployment or configuration, please refer to Troubleshooting Problems Setting Up an AppCheck Scan Hub; if this does not resolve your issue you can contact our technical support team via https://appcheck-ng.com/get-help/.
Contents
- Requirements
- Download Image
- Create VM
- Install Hub Software
- Start Hub
- Open Outbound Firewall Access
- Limit Inbound Firewall Access
- Complete Setup Wizard in Web Browser
- Wait for the Hub to Provision
- Inform AppCheck Support
- Configure FQDN Resolution
- Perform a Test Scan
Requirements
- Access to your organization's VM hosting platform.
- Capacity for a VM. The standard hardware requirements are below, but see the Create VM section for further details.
- 16GB RAM
- 4 CPU cores
- 60GB storage.
- Access to your organization's network admin interface to assign the scan hub the appropriate IP address with access to the scan targets.
- Access to your organization's firewall and IPS/WAF settings to enable the necessary access for the scan hub.
- Access to the scan hub's internal IP address on port 8080 so you can access its local web GUI.
Download Image
To get started download the latest version of the installer ISO:
Download Link: https://assets.appcheck-ng.com/packages/install.iso
SHA256: b6809394b30beb1cb1cf7171702e3fac5c9c19f4a22162e11fc9409bd017a392
Create VM
The exact process to create a new VM will depend on your hypervisor/VM platform. Create a VM with the necessary resources:
Memory
The standard amount is 16GB. This makes a hub capable of 5 concurrent scans. Each additional 2GB of RAM adds an additional concurrent scan slot, though in real-world use some scan targets may use up more RAM than others. The number of scans you can run concurrently is also limited by your AppCheck Licence.
You may need to increase this in future depending on the number and size of scans you run, but this is difficult to estimate ahead of time. A hub can operate on 8GB but would be limited in the number of concurrent scans it could run, and may not be able to install updates while scanning.
CPU
The number of assigned cores should match the maximum number of concurrent scans that you want to run, plus one core for other OS functions, with a recommended minimum of 4 cores.
For example, to support 4 concurrent scans, please assign 5 CPU cores.
Disk Capacity
60GB (this can be statically or dynamically assigned).
Firmware Type
BIOS. The AppCheck software does not currently support UEFI. Your VM creation interface may ask for this explicitly or in other terms (for example VirtualBox refers to Gen 1 and Gen 2).
Network Interface
The nature of the network connection you assign to the VM is up to you, for example it may be bridged or NATed. You only need to ensure that the VM has access both to the targets you wish to scan, and to the internet for communication with AppCheck.
OS Installation / Optical Drive
You may be asked about OS installation when you create the VM. Choose the option of installing from a CD/DVD and select the AppCheck ISO. Alternatively you can select no operating system, then attach the ISO image to the virtual optical drive before starting the VM.
Install Hub Software
Boot the VM from the ISO
With the AppCheck ISO image inserted into the virtual optical drive, start the VM. It will boot from the virtual DVD:
Wait while the kernel and installer load. You may briefly see an error referring to getty but if this is replaced by the menu then it can be ignored.
Begin The Installation
Press Tab to highlight items in the menu and Enter to select them. Select Install.
The next screen will validate system requirements. If they all pass, select Network Setup:
Configure the Network
Here you can choose whether to use DHCP or static IP address assignment.
The default settings will use DHCP and Google's DNS servers. If you are happy with these then you do not need to change anything.
You can also select your own DNS servers, but be aware these are not used to resolve scan targets - they are used only once scans have completed, to reverse-lookup scanned IP addresses in order to display hostnames in scan results. Also be aware that access to Google DNS is still required even if it is not selected as the DNS server.
Once you are happy with your settings, select Save to continue, then Test Settings to test them.
Once they are confirmed working, you can proceed to Disk Setup.
Install the AppCheck Firmware to the Virtual Hard Disk
Select Fresh Install if installing a new hub, or Upgrade Existing if upgrading an existing AppCheck scan hub.
Installation can take some time, during which you will see logs scroll past. At the end you should see a success message:
Boot from the Virtual Hard Disk
Eject the ISO from the virtual optical drive and reboot the VM. The scan hub firmware will now be running, ready to begin provisioning.
Start Hub
After booting from the virtual hard disk the VM will show you a command line log in screen:
You do not need to log in here; all you need is the URL mentioned on the first line (in the above example https://192.168.0.8:8080/). Note this down or bookmark it - this is the URL of the hub's local dashboard, where the remainder of the setup process, and future maintenance, will take place (though it is not where you will configure scans - that all happens in the main AppCheck customer portal).
Note: it is possible for this screen to load before the VM has finished establishing its network connection, in which case the IP address will be incorrect (it will use one of the hub’s internal containers’ addresses). To ensure you’re seeing the actual address you can press enter (without typing anything in the login prompt) a few times to reload the screen. If it still does not show the desired IP address then move on to Configure Hub’s Network Access.
Open Outbound Firewall Access
You must ensure that your hub has outbound access to the necessary destinations, which are mostly AppCheck servers but also include Ubuntu for some asset retrieval and Google’s DNS, which it uses to confirm internet connectivity even if you are using alternative DNS servers.
All access granted is outbound from your network to AppCheck, and it is not necessary to open up any inbound connectivity from the public internet.
Required Access
Source | Destination Host | Destination (IP) | Port(s) | Protocol

Purpose: Hub system and OS updates and provisioning
(internal hub) | assets.appcheck-ng.com | 167.99.85.223 | | TCP
(internal hub) | *.archive.ubuntu.com | - | | TCP
(internal hub) | docker.appcheck-ng.com | 68.183.33.54 | | TCP

Purpose: Hub command & control communication with AppCheck cloud platform
(internal hub) | | 178.128.173.89 | | TCP
(internal hub) | wire3.appcheck-ng.com | 178.128.163.167 | | TCP
(internal hub) | lograbbit.appcheck-ng.com | 178.62.17.110 | | TCP

Purpose: DNS / hostname resolution
(internal hub) | dns.google | | | TCP, UDP

Purpose: Scan hub software licence activation and renewal
(internal hub) | licensing.appcheck-ng.com | 104.248.173.23 | | TCP
(internal hub) | licensing-master.appcheck-ng.com | 142.93.43.105 | | TCP
Bypass HTTP Proxy If Present
The deployed internal hub will, during normal operation, call out to the AppCheck cloud platform on ports 80 and 443 in order to retrieve Command & Control (C&C) tasking, and to report back results. These connections are initiated outbound from your network to the AppCheck cloud.
Because of the use of ports 80 and 443, some customers may find that the traffic is intercepted by HTTP proxies that they operate. Despite using ports 80 and 443 (among others), the traffic is not HTTP traffic (it uses a custom protocol), so it is necessary to bypass the HTTP proxy (if you use one) or add an exception for each of the endpoints below:
Source | Destination Host | Destination (IP) | Protocol
(internal hub) | | 178.128.173.89 | TCP
(internal hub) | licensing.appcheck-ng.com | 104.248.173.23 | TCP
(internal hub) | licensing-master.appcheck-ng.com | 142.93.43.105 | TCP
(internal hub) | docker.appcheck-ng.com | 68.183.33.54 | TCP
(internal hub) | lograbbit.appcheck-ng.com | 178.62.17.110 | TCP
(internal hub) | assets.appcheck-ng.com | 167.99.85.223 | TCP
Note that even if your proxy allows the traffic through, it may interfere with it in a manner that would be harmless for HTTP traffic but breaks AppCheck’s custom protocol, so bypassing the proxies entirely is recommended.
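To pre-check the outbound allow-list above before the setup wizard's own connectivity test, here is an added shell script (not AppCheck's tooling) to run from a host on the same network segment as the hub VM. The endpoint list is taken from the tables above; the ports are assumptions (80/443 from the guide's prose, since the table's port column is blank, and 53 for dns.google), 8.8.8.8 for dns.google and archive.ubuntu.com as a representative host for the wildcard are likewise assumed.

```shell
#!/usr/bin/env bash
# Added example, not AppCheck tooling. Pre-checks the outbound allow-list from a
# host on the hub's network segment. Ports are ASSUMED (80/443 per the guide's
# prose, 53 for dns.google); the guide's table leaves them blank, so confirm.

# One endpoint per line: "<hostname-or-dash> <expected-ip-or-dash> <port>".
required_endpoints() {
  cat <<'EOF'
assets.appcheck-ng.com 167.99.85.223 443
archive.ubuntu.com - 80
docker.appcheck-ng.com 68.183.33.54 443
- 178.128.173.89 443
wire3.appcheck-ng.com 178.128.163.167 443
lograbbit.appcheck-ng.com 178.62.17.110 443
dns.google 8.8.8.8 53
licensing.appcheck-ng.com 104.248.173.23 443
licensing-master.appcheck-ng.com 142.93.43.105 443
EOF
}

# Plain TCP connect with a 5 s timeout. No HTTP is spoken, which mirrors the
# hub: its traffic on 80/443 is a custom protocol, so an HTTP proxy cannot help.
check_tcp() {  # check_tcp <host-or-ip> <port>
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Does the public DNS answer match the IP the guide lists? A mismatch hints at
# a DNS override or transparent proxy sitting between the hub and AppCheck.
check_dns() {  # check_dns <hostname> <expected-ip>
  getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | grep -qx "$2"
}

# Runs every check, prints one line per result, returns the number of failures.
run_checks() {
  fails=0
  while read -r host ip port; do
    [ "$ip" = "-" ] && target=$host || target=$ip
    if check_tcp "$target" "$port"; then echo "PASS tcp $target:$port"
    else echo "FAIL tcp $target:$port"; fails=$((fails + 1)); fi
    if [ "$host" != "-" ] && [ "$ip" != "-" ]; then
      check_dns "$host" "$ip" || echo "WARN dns $host does not resolve to $ip"
    fi
  done <<EOF
$(required_endpoints)
EOF
  return "$fails"
}

if [ "${1-}" = "--run" ]; then run_checks; fi
```

Run it with `--run`; a non-zero exit status means at least one TCP check failed and the corresponding firewall rule needs attention before continuing to the setup wizard.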
Limit Inbound Firewall Access
For maximum security, given the scan hub's likely privileged location on your network, we recommend restricting access to the hub in your firewall so that non-essential access is blocked.
The vast majority of connections will be established outbound from the hub, so very little inbound access is required.
Required Access
Source | Destination (IP) | Port(s) | Protocol | Purpose
Administrators such as the user setting up the hub and users performing future maintenance | The scan hub's internal IP address | 8080 | HTTPS | Access to the hub's local web GUI
Complete Setup Wizard in Web Browser
Access the Hub Setup GUI
With the IP address correctly assigned you should now be able to access the hub’s Graphical User Interface (GUI) in your web browser, using the URL listed on the CLI login screen as detailed previously in the guide. For example, when the hub’s IP address is 192.168.1.151 the URL for the GUI is https://192.168.1.151:8080. You will need to enter the URL exactly, including the scheme (HTTPS) and the port number (8080).
If everything is working as expected you should see a login screen as below:
Log in with the following username:
admin@appcheck-ng.com
Contact AppCheck Support if you have not been provided with the password. Note that both the username and password are case sensitive.
Confirm Outbound Connectivity
The setup wizard will confirm the required outbound connectivity is in place. If the required access is not in place you will need to go back to the step Open Outbound Firewall Access.
Insert License Key
Once connectivity is confirmed, click Next and you will be asked to enter a license key. Contact your account manager if you do not have a license.
Enter your license key and click Next. Note that each license key can only be used once - if you need to rebuild your hub for any reason just contact Technical Support and a replacement key will be created.
Finish Wizard
Click “Finish” on the next screen to complete the registration process.
Wait for the Hub to Provision
Note: Do not restart or power off the hub during this provisioning process. Doing so could corrupt the hub and necessitate deleting the VM and starting again.
The hub will now perform a full package update and start up various local services. You will first be presented with the text "Your license has been accepted and your hub is being set up. A list of expected services will appear here when provisioning starts", which after some time (see note below) will be replaced with a list of running services as shown below:
You can refresh the web interface to monitor the progress of provisioning.
Provisioning will be complete once all services* are shown in green and with a status indicating they are "Up", such as “Up 3 hours (healthy)”
* the exception to this is "scanhub_plugins_builder", which will display "Starting up" when operating.
Note: This process typically takes between 1 and 24 hours. The time can vary significantly depending upon a number of factors (such as the bandwidth available at the client side, the resources assigned to the VM, and the current load on AppCheck's provisioning servers). If the configuration has not finished within 24 hours, please contact the AppCheck Technical Support (if you already have a support ticket open regarding the setup of your internal hub then you should update this ticket. If you do not, you can open a new ticket at https://appcheck-ng.com/get-help/).
Inform AppCheck Support
Once the hub has completed provisioning you will need to inform AppCheck Technical Support so that they can grant your account access to run scans from the new hub. Note that AppCheck will not be able to do this (and will have no visibility of the provisioning hub) until it has completed provisioning, so you must wait until the previous step is complete before informing them.
If you already have a support ticket open regarding the setup of your internal hub then you should update this ticket. If you do not, you can open a new ticket at https://appcheck-ng.com/get-help/.
Support will inform you once they have completed the necessary steps on their side. Once this is done the hub will be selectable when configuring scans, and will be listed at https://scanner.appcheck-ng.com/scan_hubs.
Configure FQDN Resolution
If you wish to specify scan targets by hostname (as opposed to by IP address) and those hostnames are not resolvable via public DNS, then you will need to add hosts-file-style entries at https://scanner.appcheck-ng.com/scan_hubs as shown in the below example. You will only be able to edit this once AppCheck Technical Support have linked the hub to your account (see previous step).
Note: the scanning engine will not make use of your internal DNS server to resolve targets even if you have configured one in the netplan configuration file. Internal DNS servers are only referred to after scans have completed, in order to display host names alongside scanned IP addresses (using reverse lookups).
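Since the scan engine will not consult your internal resolver, the hosts-file-style entries have to be produced from it by hand. The script below is an added example (not part of this guide or AppCheck's tooling) that pre-resolves a list of internal hostnames against your own resolver and prints entries ready to paste into the scan hub page; the resolver address 10.0.0.53 and the sample hostnames are placeholder assumptions.

```shell
#!/usr/bin/env bash
# Added example, not AppCheck tooling. Pre-resolves internal target hostnames
# against YOUR internal resolver (the scan engine will not consult it) and emits
# hosts-file-style "<ip> <hostname>" lines to paste into the scan hub page.
# The resolver 10.0.0.53 and the sample hostnames are placeholder assumptions.

# Accept only a dotted-quad IPv4 address with each octet in 0-255.
is_ipv4() {
  case "$1" in
    *[!0-9.]* | .* | *. | *..*) return 1 ;;
  esac
  local IFS=. n=0 o
  for o in $1; do
    [ "$o" -le 255 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ]
}

# Format one entry, refusing anything that is not a valid IPv4 address so that
# an empty or CNAME-only answer never ends up in the hub's resolution table.
hosts_entry() {  # hosts_entry <ip> <hostname>
  is_ipv4 "$1" || return 1
  printf '%s %s\n' "$1" "$2"
}

# Read hostnames (one per line) on stdin, resolve each A record with dig
# against the given resolver, and print entries; unresolved names go to stderr.
generate_hosts() {  # generate_hosts <resolver-ip> < hostnames.txt
  local host ip
  while read -r host; do
    [ -n "$host" ] || continue
    ip=$(dig +short "$host" A "@$1" | grep -E '^[0-9.]+$' | head -n 1)
    hosts_entry "$ip" "$host" || echo "UNRESOLVED: $host" >&2
  done
}

# Constructed sample input; replace with your real internal target names.
if [ "${1-}" = "--run" ]; then
  printf '%s\n' intranet.corp.example crm.corp.example | generate_hosts 10.0.0.53
fi
```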
Perform a Test Scan
Once the above steps have been completed as required, it is a good idea to perform a test scan using your new hub, ideally scanning a single or small number of targets, which you know to be online and responsive.
Internal scans are configured the same way as external ones, through the same user interface at https://scanner.appcheck-ng.com/. You will need to assign your new scan hub to any scans that you wish it to perform by setting the scan hub in the “Advanced Config Settings” options at the foot of your scan configuration page:
Note that if you select the hub by name and in future you need to redeploy it for any reason then the hub’s name will change, and you would need to update all your affected scans to select the new name. Therefore it is usually better to select “Any Private Hub”.
For scans that you wish to have run always from public hubs, never from your private hub, select “Any Public Hub” (the default “Auto Select” option could result in the same scan running from public hubs some times and your private hub other times).
Further Help
If you run into any problems or need any further help visit the rest of AppCheck’s support pages at https://appcheck-ng.com/get-help/. There are a number of other in-depth guides like this one, as well as many useful FAQs on both simple and complex questions.
You can also contact AppCheck’s Technical Support team if you need any further assistance.