Installing Arkime (Moloch) on Debian 11

How to Install and Configure Arkime (Moloch) on Debian 11: A Comprehensive Guide

In the world of network security and incident response, visibility is paramount. Understanding what traffic is traversing your network is the first step toward identifying threats and analyzing security events. Arkime (formerly known as Moloch) is a powerful, open-source tool designed for large-scale, full packet capture (PCAP) and analysis. It indexes and stores network traffic in a standard PCAP format, providing a fast, intuitive web interface for browsing and searching through terabytes of data.

This guide will walk you through the complete process of installing and configuring Arkime on a Debian 11 (Bullseye) server. By the end, you will have a fully functional network forensics platform ready to monitor your network.

Prerequisites: Preparing Your Debian System

Before we begin, it’s essential to prepare your server. A clean, updated system prevents potential conflicts and ensures all dependencies are met.

  1. Update Your System: First, ensure your system’s package list and installed packages are up to date.

     ```bash
     sudo apt update && sudo apt upgrade -y
     ```

  2. Install Required Dependencies: Arkime and its components rely on several common utilities. Let’s install them now.

     ```bash
     sudo apt install wget curl gnupg apt-transport-https -y
     ```

Step 1: Installing and Configuring Elasticsearch

Arkime uses Elasticsearch as its backend to store and index session metadata, making the vast amounts of captured data searchable. Arkime currently works best with Elasticsearch version 7.x.

  1. Import the Elasticsearch GPG Key: Add the key to your system’s trusted keys to verify the package authenticity.

     ```bash
     wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
     ```

  2. Add the Elasticsearch Repository: Create a repository file to allow apt to find the Elasticsearch package.

     ```bash
     echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
     ```

  3. Install Elasticsearch: Update your package list again and install Elasticsearch.

     ```bash
     sudo apt update
     sudo apt install elasticsearch
     ```

  4. Configure Elasticsearch: Before starting the service, we need to make a small but crucial configuration change. Open the main configuration file with a text editor.

     ```bash
     sudo nano /etc/elasticsearch/elasticsearch.yml
     ```

     Inside the file, find the following lines, uncomment them (remove the #), and set them as shown. This is critical for Arkime to connect correctly.

     ```yaml
     cluster.name: arkime
     action.auto_create_index: false
     ```

  5. Start and Enable the Service: Now, start the Elasticsearch service and enable it to launch automatically on boot.

     ```bash
     sudo systemctl start elasticsearch
     sudo systemctl enable elasticsearch
     ```

     You can verify that Elasticsearch is running by sending a request to its local port.

     ```bash
     curl -X GET "localhost:9200"
     ```

     You should receive a JSON response with details about your Elasticsearch node.
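Rather than eyeballing that JSON, the following added script (not part of the original guide) checks the two facts this guide depends on: the cluster name is `arkime` and the node is a 7.x release. It parses the response with `sed` so it needs no extra packages; `--live` queries the local node at 127.0.0.1:9200, the default used later in this guide.

```shell
#!/bin/sh
# Added example, not from the original guide: verify the JSON that
# `curl localhost:9200` returns before Arkime is pointed at this node.
# It checks the two things this guide depends on: cluster_name is "arkime"
# and the node runs a 7.x release.
set -eu

# Pull one string value out of the response without jq.
# $1 = JSON text, $2 = key name. Splitting on commas leaves one key/value
# pair per line, so the pattern works for both pretty and compact output.
json_str() {
    printf '%s' "$1" | tr ',' '\n' | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# $1 = JSON body. Prints what it found; returns 0 only if both checks pass.
check_es_response() {
    name=$(json_str "$1" cluster_name)
    ver=$(json_str "$1" number)      # version.number in the root response
    echo "cluster_name=$name version=$ver"
    [ "$name" = "arkime" ] || { echo "cluster_name is not 'arkime'; fix elasticsearch.yml" >&2; return 1; }
    case "$ver" in
        7.*) return 0 ;;
        *)   echo "Elasticsearch $ver is not a 7.x release" >&2; return 1 ;;
    esac
}

# Live check against the local node; run as: sh es_check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_es_response "$(curl -s http://127.0.0.1:9200)"
fi
```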

Step 2: Downloading and Installing Arkime

With the database backend ready, we can now install the Arkime application itself.

  1. Download the Arkime Package: Navigate to the official Arkime downloads page and find the latest version for Debian 11. Copy the link to the .deb file and download it using wget.

     ```bash
     # Replace with the latest version number
     wget https://s3.amazonaws.com/files.molo.ch/builds/debian-11/arkime_4.1.0-1_amd64.deb
     ```

  2. Install the Package: Use the dpkg command to install the downloaded Arkime package. This will place all the necessary files in the /data/moloch/ directory.

     ```bash
     # Ensure you use the same filename you downloaded
     sudo dpkg -i arkime_4.1.0-1_amd64.deb
     ```

Step 3: Configuring Arkime for Your Environment

The installation script places a sample configuration file. We will now run the configuration script to tailor it to our setup.

  1. Run the Configuration Script: This interactive script simplifies the setup process.

     ```bash
     sudo /data/moloch/bin/Configure
     ```

  2. Answer the Prompts: The script will ask several questions. Here are the most important ones:

     • Interface to monitor: Enter the network interface you want Arkime to capture packets from (e.g., eth0). You can find your interface name by running the ip a command. This is a critical setting for packet capture.
     • Elasticsearch server URL: When prompted for the Elasticsearch location, use the default if you installed it on the same server: http://127.0.0.1:9200.
     • Password: Set a strong password for securing communication between Arkime components.

  3. Initialize the Arkime Database: This command instructs Arkime to set up the necessary indices in Elasticsearch.

     ```bash
     sudo /data/moloch/db/db.pl http://127.0.0.1:9200 init
     ```

  4. Add an Admin User: You need to create an administrative user to log into the Arkime web interface.

     ```bash
     sudo /data/moloch/bin/arkime_add_user.sh admin "Admin User" YOUR_STRONG_PASSWORD --admin
     ```

     Replace YOUR_STRONG_PASSWORD with a secure password of your choice.

Step 4: Starting and Securing Arkime

Your system is now configured. The final step is to start the Arkime services and ensure they are secure.

  1. Start Arkime Services: Arkime consists of two main services, arkimecapture and arkimeviewer. Start them and enable them on boot.

     ```bash
     sudo systemctl start arkimecapture
     sudo systemctl start arkimeviewer
     sudo systemctl enable arkimecapture
     sudo systemctl enable arkimeviewer
     ```

  2. Access the Web Interface: The Arkime viewer runs on port 8005 by default. Open your web browser and navigate to http://YOUR_SERVER_IP:8005. You can now log in with the admin user credentials you created.

Actionable Security Tips

A default installation is functional but not fully secured for production use. Consider these essential security enhancements:

  • Implement a Firewall: Use a firewall like UFW to restrict access to the Arkime viewer port. Only allow connections from trusted IP addresses.

    ```bash
    # Example: Allow access from a specific IP
    sudo ufw allow from 192.168.1.100 to any port 8005
    ```

  • Use a Reverse Proxy: Never expose the Arkime viewer directly to the internet. Instead, place a reverse proxy like Nginx or Apache in front of it. This allows you to implement SSL/TLS encryption (HTTPS), add more robust authentication, and hide the default port.
  • Regularly Update Arkime: Stay informed about new releases and security patches to keep your system protected against known vulnerabilities.
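The following added script (not part of the original guide) puts the first two tips into practice: it prints a UFW allow-list for the viewer port that admits only the addresses you name, and writes an Nginx site that terminates TLS and proxies to the viewer on 127.0.0.1:8005. The certificate paths are placeholders, and the hostname is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original guide: emit the UFW allow-list for the
# viewer port and write an Nginx site that terminates TLS in front of it.
# Assumptions: the viewer listens on 127.0.0.1:8005 as in this guide; the
# certificate paths below are placeholders to replace with your own.
set -eu

VIEWER_PORT=8005

# Print ufw commands admitting only the given IPv4 addresses or CIDRs to the
# viewer port, then a deny for everyone else. Every argument is validated
# before anything is printed, so a typo cannot become a broad rule.
ufw_viewer_rules() {
    [ $# -gt 0 ] || { echo "usage: ufw_viewer_rules ADDR[/PREFIX]..." >&2; return 1; }
    for ip in "$@"; do
        if ! printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
            echo "rejecting '$ip': expected dotted-quad IPv4, optionally with /prefix" >&2
            return 1
        fi
    done
    for ip in "$@"; do
        echo "sudo ufw allow from $ip to any port $VIEWER_PORT proto tcp"
    done
    echo "sudo ufw deny $VIEWER_PORT/tcp"
}

# Write an Nginx server block that redirects HTTP to HTTPS and proxies to the
# local viewer. $1 = output path, $2 = public hostname of the proxy.
write_viewer_proxy_conf() {
    cat > "$1" <<EOF
server {
    listen 80;
    server_name $2;
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;
    server_name $2;
    ssl_certificate     /etc/ssl/certs/arkime-viewer.crt;       # placeholder
    ssl_certificate_key /etc/ssl/private/arkime-viewer.key;     # placeholder
    location / {
        proxy_pass http://127.0.0.1:$VIEWER_PORT;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}
```

Review the printed ufw commands before running them; with the deny rule in place, port 8005 is reachable only from the listed addresses, and everyone else goes through the proxy.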

You now have a powerful network forensics platform at your disposal. You can begin exploring the interface, creating custom views, and digging into the rich data Arkime provides to enhance your network security posture.

Source: https://kifarunix.com/install-arkime-moloch-full-packet-capture-tool-on-debian/
