
How to Install Gophish on Debian 12: A Step-by-Step Guide
In today’s complex cybersecurity landscape, the human element remains a critical factor. Phishing attacks continue to be one of the most effective methods for cybercriminals to gain initial access to a network. To counter this, organizations must proactively test and train their employees. This is where Gophish, a powerful open-source phishing framework, becomes an invaluable tool for security professionals.
This guide provides a comprehensive walkthrough for installing and configuring Gophish on Debian 12 (Bookworm), enabling you to set up your own ethical phishing simulation platform.
Prerequisites
Before we begin, ensure you have the following:
- A server or virtual machine running a fresh installation of Debian 12.
- Access to the server via SSH with a user that has sudo privileges.
First, connect to your server and update your system’s package repository to ensure all software is up-to-date. This is a crucial first step for stability and security.
sudo apt update && sudo apt upgrade -y
Next, we need the unzip utility to extract the Gophish archive. If it is not already installed, run the following command:
sudo apt install unzip -y
Step 1: Download and Extract Gophish
Gophish is distributed as a pre-compiled binary, which simplifies the installation process significantly. We will download the latest version directly from its official GitHub repository.
- Navigate to your home directory or a directory of your choice, such as /opt.
- Use wget to download the latest 64-bit Linux package.
wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
Note: Always check the Gophish GitHub Releases page for the latest version and update the URL accordingly.
Once the download is complete, extract the contents of the zip file.
unzip gophish-v0.12.1-linux-64bit.zip
This command will create a new directory named gophish-v0.12.1-linux-64bit containing all the necessary files. For easier management, let's move this folder to a simpler path.
sudo mv gophish-v0.12.1-linux-64bit /opt/gophish
Moving the files to /opt is a common practice for installing third-party software on Linux systems.
Step 2: Configure Gophish for Remote Access
By default, the Gophish admin portal listens only on the local machine (127.0.0.1:3333), which is not practical for a headless server. We need to edit the configuration file to allow remote access.
Navigate to the Gophish directory and open the config.json file using a text editor like nano.
sudo nano /opt/gophish/config.json
Locate the admin_server section. You need to change the listen_url from 127.0.0.1:3333 to 0.0.0.0:3333. This change tells Gophish to listen for connections on all available network interfaces. Leave the phish_server section as it is: it listens on 0.0.0.0:80 by default so that landing pages are reachable by your targets.
{
"admin_server": {
"listen_url": "0.0.0.0:3333",
"use_tls": true,
"cert_path": "gophish_admin.crt",
"key_path": "gophish_admin.key"
},
...
}
Important Security Note: Exposing the admin panel to the internet is risky, even though use_tls is enabled by default (Gophish serves the admin interface over HTTPS with a self-signed certificate it generates on first run). It is highly recommended to place Gophish behind a reverse proxy (like Nginx) with a trusted TLS certificate and to configure a firewall so that port 3333 only accepts connections from trusted IP addresses. If you administer the server over SSH, a safer alternative is to leave listen_url at 127.0.0.1:3333 and reach the portal through an SSH tunnel (ssh -L 3333:127.0.0.1:3333 user@YOUR_SERVER_IP, then browse to https://127.0.0.1:3333). For now, the 0.0.0.0 change allows us to access the web interface for the initial setup.
Save the file and exit the editor (press CTRL+X, then Y, then Enter in nano).
Step 3: Run Gophish for the First Time
Now that the configuration is updated, we can run Gophish.
Navigate to the Gophish directory and execute the main binary. Root privileges are needed here because the phishing server binds to port 80, a privileged port. If the binary was extracted without the execute bit, run chmod +x gophish first.
cd /opt/gophish
sudo ./gophish
When you run it for the first time, Gophish generates a random initial administrative password and prints it once in the log output. Pay close attention to the terminal output. You will see a line similar to this:
Please login with the username admin and the password YOUR_SECRET_PASSWORD
Copy this password immediately, as you will need it to log in.
Open a web browser and navigate to https://YOUR_SERVER_IP:3333 (note the https: the admin interface uses the self-signed certificate Gophish generated on first run, so your browser will show a certificate warning that you must accept). You will be greeted with the Gophish login screen. Use the username admin and the password you just copied from the terminal.
Gophish requires you to set a new password immediately after the first login; choose a strong, unique one. You can change it again later in the "Account Settings" section.
Step 4: Create a Systemd Service for Gophish
Running Gophish directly in the terminal is fine for testing, but for any practical use, you need it to run as a background service that starts automatically when the server boots. We can achieve this by creating a systemd service file.
Create a new service file using nano:
sudo nano /etc/systemd/system/gophish.service
Paste the following configuration into the file. This defines how the service should be managed. The unit runs Gophish as root only because the phishing server binds to port 80; for production use, a dedicated unprivileged user granted the CAP_NET_BIND_SERVICE capability is the safer choice.
[Unit]
Description=Gophish Phishing Framework
After=network.target

[Service]
User=root
WorkingDirectory=/opt/gophish
ExecStart=/opt/gophish/gophish
Restart=always
RestartSec=3

[Install]
WantedBy=multi-user.target
Save and close the file.
Now, reload the systemd daemon to make it aware of the new service.
sudo systemctl daemon-reload
Enable the Gophish service to start on boot:
sudo systemctl enable gophish
Finally, start the Gophish service. Make sure the foreground instance from Step 3 has been stopped with CTRL+C first, otherwise ports 80 and 3333 will already be in use and the service will fail to start:
sudo systemctl start gophish
You can verify that the service is running correctly with the status command:
sudo systemctl status gophish
If everything is configured correctly, you should see an “active (running)” status. Your Gophish instance is now running as a persistent background service.
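The unit above runs Gophish as root, which is more privilege than the daemon needs: everything it writes (gophish.db, gophish.log, the self-signed admin certificates) lives in its own directory, and the only root-only thing it does is bind port 80. The script below is an added example, not part of the original guide or the Gophish project. It installs the service under a dedicated system user, grants that user just CAP_NET_BIND_SERVICE, and sandboxes the process with systemd's filesystem protections. It assumes the binary was placed in /opt/gophish as in Step 1 and that phish_server still listens on port 80; the user name gophish and the DESTDIR-style environment variables are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the original guide or the Gophish project): run
# Gophish as a systemd service under a dedicated, unprivileged user instead
# of root. Assumes /opt/gophish from Step 1 and phish_server on port 80.
set -eu

GOPHISH_DIR="${GOPHISH_DIR:-/opt/gophish}"                    # assumption
GOPHISH_USER="${GOPHISH_USER:-gophish}"                       # assumption
UNIT_PATH="${UNIT_PATH:-/etc/systemd/system/gophish.service}" # assumption

# Render the hardened unit. Gophish writes gophish.db, gophish.log and its
# self-signed certs into its working directory, so that path stays writable
# while the rest of the filesystem is read-only to the service.
gophish_unit() {
    cat <<EOF
[Unit]
Description=Gophish Phishing Framework
After=network.target

[Service]
User=${GOPHISH_USER}
Group=${GOPHISH_USER}
WorkingDirectory=${GOPHISH_DIR}
ExecStart=${GOPHISH_DIR}/gophish
Restart=always
RestartSec=3

# Bind the phishing server's port 80 without being root.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true

# Read-only system, private /tmp and /dev, no access to home directories.
ProtectSystem=strict
ReadWritePaths=${GOPHISH_DIR}
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictSUIDSGID=true

[Install]
WantedBy=multi-user.target
EOF
}

# Create the service account, hand the install directory to it with tight
# permissions (the SQLite database holds campaign results and the admin
# password hash), write the unit, then enable and start the service.
install_gophish_service() {
    if ! id "$GOPHISH_USER" >/dev/null 2>&1; then
        useradd --system --home-dir "$GOPHISH_DIR" \
            --shell /usr/sbin/nologin "$GOPHISH_USER"
    fi
    chown -R "$GOPHISH_USER:$GOPHISH_USER" "$GOPHISH_DIR"
    chmod 750 "$GOPHISH_DIR"
    chmod 640 "$GOPHISH_DIR/config.json"
    chmod 750 "$GOPHISH_DIR/gophish"
    gophish_unit > "$UNIT_PATH"
    chmod 644 "$UNIT_PATH"
    systemctl daemon-reload
    systemctl enable --now gophish
}

# Only modify the system when asked explicitly:
#   sudo sh harden-gophish.sh show     # print the unit for review
#   sudo sh harden-gophish.sh install  # create user, write unit, start service
case "${1:-}" in
    install) install_gophish_service ;;
    show)    gophish_unit ;;
esac
```

Review the rendered unit with the show argument before installing it. If you later move the phishing server to a port above 1024 behind a reverse proxy, the two capability lines can be removed entirely, leaving the service with no capabilities at all.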
Security Best Practices and Final Steps
Your Gophish instance is now operational, but here are some crucial security tips to implement:
- Configure a Firewall: Use ufw (Uncomplicated Firewall) to restrict access. It is not installed by default on Debian 12, so install the ufw package first. Allow SSH before enabling the firewall so you do not lock yourself out, allow ports 80 and 443 so that targets can reach the phishing landing pages, and only allow the Gophish admin port (3333) from your own IP address.
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw allow from YOUR_IP_ADDRESS to any port 3333 proto tcp
sudo ufw enable
- Use a Reverse Proxy with SSL/TLS: Do not leave the admin portal exposed on its built-in listener. Its self-signed certificate cannot be verified by your browser, which both weakens protection of your login credentials and trains you to click through certificate warnings. Configure a web server like Nginx as a reverse proxy that terminates TLS with a trusted certificate, restricts access to your IP range, and forwards to Gophish on the loopback interface (set listen_url back to 127.0.0.1:3333 once the proxy is in place).
- Use a Dedicated Domain: For your phishing campaigns to be effective, use a dedicated domain name that appears legitimate to your targets.
- Stay Ethical: Remember that Gophish is a tool for authorized security testing and employee training. Never use it for malicious or illegal activities. Always obtain proper authorization before launching a campaign.
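The reverse proxy recommended above, as an added example that is not part of the original guide or the Gophish project. The script writes an Nginx site that listens on 443 only (the Gophish phishing server keeps port 80 for landing pages, so the Debian default Nginx site, which also binds port 80, is disabled), allows a single trusted network range, and proxies to the admin listener on 127.0.0.1:3333 over its existing self-signed TLS. It assumes admin_server.listen_url has been set back to 127.0.0.1:3333 with use_tls left at true, that Nginx is installed, and that you supply your own trusted certificate; the hostname admin.example.com, the range 203.0.113.0/24 and the Let's Encrypt certificate paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide or the Gophish project): an Nginx
# reverse proxy with a trusted certificate and an IP allowlist in front of the
# Gophish admin interface. Assumes admin_server.listen_url is 127.0.0.1:3333.
set -eu

ADMIN_HOST="${ADMIN_HOST:-admin.example.com}"     # assumption: your admin hostname
ALLOWED_CIDR="${ALLOWED_CIDR:-203.0.113.0/24}"    # assumption: your office/VPN range
CERT_PATH="${CERT_PATH:-/etc/letsencrypt/live/${ADMIN_HOST}/fullchain.pem}"
KEY_PATH="${KEY_PATH:-/etc/letsencrypt/live/${ADMIN_HOST}/privkey.pem}"
SITE_PATH="${SITE_PATH:-/etc/nginx/sites-available/gophish-admin}"

# Render the site. Nginx variables are escaped (\$host) so the shell leaves
# them for Nginx; the ADMIN_HOST/CERT placeholders are expanded by the shell.
gophish_admin_site() {
    cat <<EOF
# No port 80 listener here: Gophish's own phishing server owns port 80.
server {
    listen 443 ssl;
    server_name ${ADMIN_HOST};

    ssl_certificate     ${CERT_PATH};
    ssl_certificate_key ${KEY_PATH};
    ssl_protocols TLSv1.2 TLSv1.3;

    # Only the allowlisted range may reach the admin UI at all.
    allow ${ALLOWED_CIDR};
    deny all;

    location / {
        # The admin listener keeps its self-signed cert, so proxy over https
        # on loopback; the connection never leaves the host.
        proxy_pass https://127.0.0.1:3333;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# Write the site, disable Debian's default site (it binds port 80 and would
# collide with the Gophish phishing server), validate and reload Nginx.
install_gophish_admin_site() {
    gophish_admin_site > "$SITE_PATH"
    rm -f /etc/nginx/sites-enabled/default
    ln -sf "$SITE_PATH" /etc/nginx/sites-enabled/gophish-admin
    nginx -t
    systemctl reload nginx
}

#   sudo sh gophish-admin-proxy.sh show     # print the site for review
#   sudo sh gophish-admin-proxy.sh install  # write, enable and reload
case "${1:-}" in
    install) install_gophish_admin_site ;;
    show)    gophish_admin_site ;;
esac
```

Once the proxy is serving the portal, the ufw rule that opens port 3333 is no longer needed and should be deleted; with listen_url on 127.0.0.1 the admin listener is unreachable from the network even if the firewall is misconfigured.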
You now have a fully functional and robust Gophish server on Debian 12, ready to help you strengthen your organization’s security posture by building a more resilient human firewall.
Source: https://kifarunix.com/install-gophish-on-debian-12/