
Deploying Velociraptor on Rocky Linux 8: A Comprehensive Guide
In today’s complex cybersecurity landscape, having deep visibility into your network’s endpoints is no longer a luxury—it’s a necessity. Velociraptor is a powerful, open-source tool for digital forensics and incident response (DFIR) that provides exactly that. By deploying a central server and lightweight clients, you can proactively hunt for threats, collect forensic artifacts, and respond to security incidents across your entire fleet from a single console.
At its core, Velociraptor uses the flexible Velociraptor Query Language (VQL) to ask detailed questions of your endpoints, allowing for customized and rapid investigations. This guide provides a step-by-step walkthrough for installing and configuring the Velociraptor server on a Rocky Linux 8 system.
Prerequisites: Preparing Your Rocky Linux System
Before we begin, it’s essential to ensure your server is up-to-date and has the necessary tools installed.
First, connect to your Rocky Linux 8 server via SSH and update all system packages to their latest versions. This is a critical first step for security and stability.
sudo dnf update -y
Next, we'll need wget to download the Velociraptor binary. If it's not already installed, run the following command:
sudo dnf install wget -y
With your system prepared, you’re ready to install Velociraptor.
Step 1: Download the Velociraptor Binary
Velociraptor is distributed as a single, self-contained binary, which simplifies the installation process. We will download the latest stable release directly from its official GitHub repository.
Navigate to the GitHub releases page for Velociraptor to find the latest version. Copy the link for the Linux amd64 binary. Use wget to download it to your server.
# Example for a specific version - always check for the latest
wget https://github.com/Velocidex/velociraptor/releases/download/v0.7.2/velociraptor-v0.7.2-linux-amd64
For ease of use, rename the downloaded file to velociraptor and make it executable.
mv velociraptor-v0.7.2-linux-amd64 velociraptor
chmod +x velociraptor
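Before marking a freshly downloaded binary executable, it is worth checking that it is the file you expect. The following script is an added example and not part of the original guide: it compares the SHA-256 of the download with a value you obtained out-of-band (the expected hash in the usage line is a placeholder, not a real release hash) and only renames and chmods the file when the two match, leaving an unverified file non-executable.

```shell
#!/bin/sh
# Added example (not from the original guide): verify a downloaded
# Velociraptor binary against a SHA-256 value obtained separately before
# making it executable. EXPECTED_SHA256 in the usage line is a placeholder.

# verify_sha256 FILE EXPECTED_HEX
# returns 0 on match, 1 on mismatch, 2 if the file cannot be read
verify_sha256() {
    file=$1
    expected=$2
    [ -r "$file" ] || { echo "verify_sha256: cannot read $file" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{print $1}')
    # normalise case so a hash copied in upper case still compares equal
    actual=$(printf '%s' "$actual" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify_sha256: mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# install_if_verified SRC EXPECTED_HEX DEST
# renames SRC to DEST and makes it executable only when the hash matches;
# on mismatch the file is left in place with executable bits stripped
install_if_verified() {
    src=$1
    expected=$2
    dest=$3
    if verify_sha256 "$src" "$expected"; then
        mv "$src" "$dest" && chmod 0755 "$dest"
    else
        chmod 0600 "$src" 2>/dev/null
        return 1
    fi
}

# usage (replace the placeholder with the hash you obtained for the release):
# install_if_verified velociraptor-v0.7.2-linux-amd64 "<EXPECTED_SHA256>" velociraptor
```

The check is deliberately separate from the download: the hash must come from a channel other than the one that served the file, otherwise a tampered download would simply arrive with a matching tampered hash.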
Step 2: Generate the Server Configuration
Velociraptor includes a convenient interactive wizard to generate the necessary server and client configuration files. This process creates the cryptographic keys needed to secure communication between the server and its clients.
To start the wizard, run the following command:
./velociraptor config generate -i
The wizard will prompt you for several choices. For most standard deployments on Rocky Linux, you can select the following options:
- Operating System: Choose Linux.
- Datastore: For a simple, self-contained server, the File-based datastore is sufficient. This stores all collected data on the server's local filesystem.
- GUI Admin User: You will be prompted to create a username and password for the web interface. Choose a strong, unique password and store it securely.
- DNS Name: Enter the public IP address or fully qualified domain name (FQDN) of your server. This is the address clients will use to connect.
- GUI Port: The default port for the web interface and API is 8889.
- Client Communication Port: The default port for clients to connect to the server is 8000.
- Log File: Accept the default path for the server’s log file.
After completing the wizard, two files will be created in your current directory: server.config.yaml and client.config.yaml. The server.config.yaml contains all the settings for your Velociraptor server.
Step 3: Run Velociraptor as a Systemd Service
To ensure the Velociraptor server runs continuously and starts automatically on boot, we will configure it as a systemd service.
First, move the velociraptor binary and the server.config.yaml file to a more permanent location, such as /opt/velociraptor/.
sudo mkdir -p /opt/velociraptor
sudo mv velociraptor /opt/velociraptor/
sudo mv server.config.yaml /opt/velociraptor/
Next, create a systemd service file.
sudo nano /etc/systemd/system/velociraptor.service
Paste the following configuration into the file. This defines how systemd should manage the Velociraptor process.
[Unit]
Description=Velociraptor Server
After=network.target
[Service]
User=root
Group=root
ExecStart=/opt/velociraptor/velociraptor --config /opt/velociraptor/server.config.yaml frontend
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target
Now, reload the systemd daemon, enable the service to start on boot, and start it immediately.
sudo systemctl daemon-reload
sudo systemctl enable velociraptor
sudo systemctl start velociraptor
You can verify that the service is running correctly with the status command:
sudo systemctl status velociraptor
Step 4: Configure the Firewall
The server is running, but we need to open the necessary ports in the Rocky Linux firewall to allow incoming connections. We need to allow traffic to the GUI/API port (8889) and the client communication port (8000).
Use firewall-cmd to add permanent rules for these ports.
sudo firewall-cmd --add-port=8889/tcp --permanent
sudo firewall-cmd --add-port=8000/tcp --permanent
sudo firewall-cmd --reload
Your Velociraptor server is now installed, configured, and accessible.
Step 5: Repackage and Deploy the Client
The final step is to prepare the client agent for deployment on your endpoint machines. We will use the client.config.yaml file generated earlier to "repackage" the original velociraptor binary. This embeds the configuration directly into the client executable, making deployment incredibly simple.
First, you'll need the original binary (the one we downloaded and named velociraptor) and the client.config.yaml file. If you already moved the binary, you can use the copy in /opt/velociraptor/.
Run the repackage command:
/opt/velociraptor/velociraptor --config /opt/velociraptor/server.config.yaml \
repackage client > repackaged_client_linux
This command creates a new binary named repackaged_client_linux. This new file is the self-contained client agent that you will deploy to your other Linux machines. You can rename it as needed.
To deploy, simply copy this repackaged binary to a client machine, make it executable, and run it. For a persistent installation on the client, you can also configure it to run as a service.
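The persistent client install is left as an exercise above. As an added example (not from the original guide), the following script installs the repackaged binary on a Rocky Linux endpoint and registers it as a systemd service, mirroring the server unit from Step 3. It assumes the repackaged binary runs with its embedded configuration when invoked with the client subcommand; the paths /usr/local/bin/velociraptor_client and /etc/systemd/system/velociraptor_client.service are choices made here, not Velociraptor defaults.

```shell
#!/bin/sh
# Added example (not from the original guide): install the repackaged
# Velociraptor client as a systemd service on an endpoint.
# Assumptions: the repackaged binary carries its embedded client config and
# accepts the "client" subcommand; the install paths below are our choice.

CLIENT_BIN=/usr/local/bin/velociraptor_client
UNIT_FILE=/etc/systemd/system/velociraptor_client.service

# write_client_unit BINARY UNIT_PATH
# writes a unit that runs BINARY as the client and restarts it if it dies
write_client_unit() {
    bin=$1
    unit=$2
    cat > "$unit" <<EOF
[Unit]
Description=Velociraptor Client
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=$bin client
Restart=always
RestartSec=10s

[Install]
WantedBy=multi-user.target
EOF
    chmod 0644 "$unit"
}

# unit_exec_start UNIT_PATH
# prints the command configured in the unit's ExecStart line (used to verify the unit)
unit_exec_start() {
    sed -n 's/^ExecStart=//p' "$1"
}

# install_client REPACKAGED_BINARY
# copies the binary into place as root-owned and executable, writes the unit,
# then enables and starts it; must run as root
install_client() {
    src=$1
    [ -f "$src" ] || { echo "install_client: $src not found" >&2; return 1; }
    install -o root -g root -m 0755 "$src" "$CLIENT_BIN"
    write_client_unit "$CLIENT_BIN" "$UNIT_FILE"
    systemctl daemon-reload
    systemctl enable --now velociraptor_client
}

# usage on the endpoint, as root:
# install_client ./repackaged_client_linux
```

Copy the repackaged binary to the endpoint first, then run install_client as root. The binary is installed root-owned and world-readable but only root-writable, so an unprivileged local user cannot replace the agent that a root service will execute.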
Accessing the Web Interface
Once a client is running, you can access the Velociraptor web GUI by navigating to your server’s address in a web browser:
https://<your_server_ip_or_dns>:8889
Log in with the admin credentials you created during the configuration step. You should see your newly connected client appear in the dashboard, ready for investigation.
Security Best Practices for Your Deployment
- Restrict Firewall Access: For enhanced security, configure your firewall rules to only allow access to ports 8889 and 8000 from trusted IP addresses or internal networks.
- Use TLS: The default configuration automatically generates self-signed TLS certificates to encrypt all communication. For production environments, consider replacing these with certificates from a trusted Certificate Authority (CA).
- Regular Updates: Keep your Velociraptor server and clients updated to the latest versions to benefit from new features and important security patches.
- Secure Your Server: Apply standard server hardening practices to the underlying Rocky Linux operating system to protect your Velociraptor instance.
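The "Restrict Firewall Access" item above is the one the page does not show how to do: Step 4 opens both ports to any source. The following script is an added example, not part of the original guide. It builds firewalld rich rules that accept the GUI/API port only from an administrator network and the client port only from the networks your endpoints sit on, removing the blanket --add-port rules first. It handles IPv4 only, and the CIDRs in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide): replace the open-to-any
# --add-port rules from Step 4 with source-restricted firewalld rich rules.
# IPv4 only. The networks in the usage line are constructed placeholders.

GUI_PORT=8889
CLIENT_PORT=8000

# rich_rule CIDR PORT
# prints the firewalld rich rule that accepts PORT/tcp from CIDR only
rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept\n' \
        "$1" "$2"
}

# valid_cidr CIDR
# returns 0 if CIDR looks like a.b.c.d/n with octets 0-255 and n 0-32
valid_cidr() {
    case $1 in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}
    prefix=${1#*/}
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# firewall_commands "ADMIN_CIDRS" "CLIENT_CIDRS"
# prints, but does not run, the firewall-cmd invocations: the blanket port
# rules are removed, then one rich rule per trusted network and port is added.
# Malformed CIDRs are reported on stderr and skipped rather than applied.
firewall_commands() {
    admin_sources=$1
    client_sources=$2
    echo "firewall-cmd --permanent --remove-port=${GUI_PORT}/tcp"
    echo "firewall-cmd --permanent --remove-port=${CLIENT_PORT}/tcp"
    for src in $admin_sources; do
        valid_cidr "$src" || { echo "skipping invalid admin source: $src" >&2; continue; }
        echo "firewall-cmd --permanent --add-rich-rule='$(rich_rule "$src" "$GUI_PORT")'"
    done
    for src in $client_sources; do
        valid_cidr "$src" || { echo "skipping invalid client source: $src" >&2; continue; }
        echo "firewall-cmd --permanent --add-rich-rule='$(rich_rule "$src" "$CLIENT_PORT")'"
    done
    echo "firewall-cmd --reload"
}

# usage (placeholder networks): print the commands, review them, then run them as root
# firewall_commands "10.10.0.0/24" "10.0.0.0/8 192.168.0.0/16"
```

The generator only prints commands so you can review them before applying; once satisfied, run them as root (for example by piping the output into sudo sh). Clients connecting from addresses outside the listed ranges will be dropped after the reload, so enumerate every client network, including any VPN pools, before applying the rules.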
By following this guide, you have successfully deployed a powerful tool for endpoint monitoring and forensics. You are now equipped to explore the power of VQL and gain unprecedented insight into the state of your systems.
Source: https://kifarunix.com/install-and-setup-velociraptor-on-rocky-linux-8/