Deploying OpenCTI on Ubuntu: A Complete Guide with Troubleshooting

Harsimran Singh

Introduction

OpenCTI (Open Cyber Threat Intelligence) is an open-source platform designed to centralize and analyze cyber threat intelligence. While it’s a powerful tool, setting it up can be complex due to its multiple dependencies. I recently deployed OpenCTI on an Ubuntu server and found that there aren’t many comprehensive guides available online. So, in this blog, I’ll walk you through a complete OpenCTI deployment, from installation to making it accessible for your team, along with troubleshooting solutions for issues I encountered.

Prerequisites

Before we begin, make sure you have:

  1. An Ubuntu 22.04 LTS server (Recommended: 8GB+ RAM, 4 vCPUs, 50GB+ SSD)

  2. A public IP or domain (if you want external access)

  3. Basic knowledge of Docker & Linux commands

  4. SSH access to the server

  5. OpenCTI Docker files: GitHub Repo

  6. OpenCTI Terraform Deployment (AWS, Azure, GCP): GitHub Repo

  7. A UUID v4 generator for creating tokens.


Step 1: Update System and Install Dependencies

First, update your server and install the required dependencies:

sudo apt update && sudo apt upgrade -y
sudo apt install -y curl git unzip ufw

Step 2: Install Docker & Docker Compose

  1. Install Docker:

     sudo apt install -y docker.io
    
  2. Enable and Start Docker:

     sudo systemctl enable --now docker
    
  3. Check if Docker is running:

     sudo systemctl status docker
    
  4. Allow your user to run Docker without sudo (optional):

     sudo usermod -aG docker $USER
     newgrp docker
    
  5. Install Docker Compose:

     sudo apt install -y docker-compose
    

🔹 Troubleshooting:

  • If docker-compose pull fails with a Permission denied error, run it with sudo:

      sudo docker-compose pull
    
  • To permanently fix permissions, add your user to the Docker group (step 4 above).


Step 3: Clone OpenCTI Repository and Set Up Environment

  1. Clone OpenCTI repo:

     git clone https://github.com/OpenCTI-Platform/docker.git opencti
     cd opencti
    
  2. Copy or rename the .env file and configure OpenCTI:

     cp .env.example .env
     nano .env
    

    Set your admin email, password, and token in the .env file:

     OPENCTI_ADMIN_EMAIL=admin@opencti.io
     OPENCTI_ADMIN_PASSWORD=StrongPassword123
     OPENCTI_ADMIN_TOKEN=ReplaceWithYourUUID
     OPENCTI_BASE_URL=http://localhost:8080
    

Step 4: Deploy OpenCTI Using Docker Compose

  1. Pull the required Docker images. This step takes a while to finish, so be patient.

     docker-compose pull
    
  2. Start OpenCTI:

     docker-compose up -d
    
  3. Verify running containers:

     docker ps
    

    You should see services like OpenCTI, Elasticsearch, MinIO, RabbitMQ, and Redis running.

🔹 Troubleshooting:

  • If the instance crashes due to insufficient memory (4GB RAM issue), resize to 8GB+ RAM.

  • If Elasticsearch fails to start, check logs:

      docker-compose logs -f elasticsearch
    

    Solution: Increase memory allocation in the .env:

      ELASTIC_MEMORY_SIZE=4G
    

Step 5: Adding Threat Intelligence Connectors

We added several connectors to enhance threat intelligence:

  1. GreyNoise Vulnerability

  2. Shodan

  3. VirusTotal

  4. OTX (AlienVault)

  5. CISA Known Exploited Vulnerabilities

  6. Intrinsic Feed

  7. AbuseIPDB

Each connector requires an API key. Check out the full list of OpenCTI connectors here: OpenCTI Connectors GitHub.

Note: Some third-party connectors, like BinaryEdge, are not part of the OpenCTI ecosystem yet. See the OpenCTI Ecosystem for supported integrations.

Example for AbuseIPDB Connector:

connector-abuseipdb:
    image: opencti/connector-abuseipdb:6.5.1
    environment:
      - OPENCTI_URL=http://opencti:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_ID=ChangeME # UUID v4
      - CONNECTOR_NAME=AbuseIPDB
      - CONNECTOR_SCOPE=IPv4-Addr
      - CONNECTOR_AUTO=true
      - CONNECTOR_CONFIDENCE_LEVEL=15 # From 0 (Unknown) to 100 (Fully trusted)
      - CONNECTOR_LOG_LEVEL=error
      - ABUSEIPDB_API_KEY=ChangeME
      - ABUSEIPDB_MAX_TLP=TLP:AMBER
    restart: always
    depends_on:
      opencti:
        condition: service_healthy
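The values shown in Step 3 and in the connector snippet above are placeholders (ReplaceWithYourUUID, ChangeME), and a stack started with them will either refuse to register connectors or run with a guessable admin token. The following pre-flight script is an added example, not code from the post or from the OpenCTI project. It generates proper UUID v4 values, checks the .env from Step 3 and the CONNECTOR_ID / API-key entries from Step 5 for leftover placeholders, and reads the host's MemTotal for the memory problem described in Step 4's troubleshooting. It assumes the file layouts shown in the post (KEY=value lines in .env, "- KEY=value" list items under environment: in docker-compose.yml); the sample files it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the
# .env written in Step 3, the host memory from Step 4's troubleshooting, and
# the connector entries added in Step 5. Assumes the file layouts shown in
# the post (KEY=value lines in .env, "- KEY=value" list items under
# "environment:" in docker-compose.yml) and its ChangeME / ReplaceWithYourUUID
# placeholders. Run it from the cloned opencti directory before
# "docker-compose up -d".
set -u

UUID4_RE='^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$'

# Print a random UUID v4 from /dev/urandom, with the RFC 4122 version nibble
# ("4") and variant nibble (8, 9, a or b) set; use it for OPENCTI_ADMIN_TOKEN
# and for every CONNECTOR_ID instead of copying values from examples.
gen_uuid4() {
    hex=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    # map the 17th hex digit n to 8 + (n AND 3), i.e. one of 8, 9, a, b
    variant=$(printf '%s' "$hex" | cut -c17 | tr '0123456789abcdef' '89ab89ab89ab89ab')
    printf '%s-%s-4%s-%s%s-%s\n' \
        "$(printf '%s' "$hex" | cut -c1-8)"   "$(printf '%s' "$hex" | cut -c9-12)" \
        "$(printf '%s' "$hex" | cut -c14-16)" "$variant" \
        "$(printf '%s' "$hex" | cut -c18-20)" "$(printf '%s' "$hex" | cut -c21-32)"
}

# Exit status 0 if $1 is a well-formed UUID v4, 1 otherwise.
is_uuid4() {
    printf '%s\n' "$1" | grep -Eiq "$UUID4_RE"
}

# Value of KEY ($2) in a dotenv file ($1); empty if the key is missing.
env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# check_env FILE: the admin token must be a UUID v4 and the admin password
# must be neither a placeholder nor shorter than 12 characters.
# Prints each problem found and returns 1 if there were any.
check_env() {
    problems=0
    token=$(env_value "$1" OPENCTI_ADMIN_TOKEN)
    is_uuid4 "$token" || { echo "OPENCTI_ADMIN_TOKEN is not a UUID v4"; problems=$((problems + 1)); }
    pw=$(env_value "$1" OPENCTI_ADMIN_PASSWORD)
    case "$pw" in
        ""|ChangeMe|ChangeME|StrongPassword123)
            echo "OPENCTI_ADMIN_PASSWORD is a placeholder"; problems=$((problems + 1)) ;;
    esac
    [ "${#pw}" -ge 12 ] || { echo "OPENCTI_ADMIN_PASSWORD is shorter than 12 characters"; problems=$((problems + 1)); }
    [ "$problems" -eq 0 ]
}

# check_compose FILE: every CONNECTOR_ID must be a distinct UUID v4 (the
# platform registers connectors by this ID, so it must be unique) and no
# *_API_KEY may still read ChangeME. Prints each problem, returns 1 if any.
check_compose() {
    problems=0
    ids=$(sed -n 's/^[[:space:]]*-[[:space:]]*CONNECTOR_ID=//p' "$1" | sed 's/[[:space:]]*#.*$//')
    for id in $ids; do
        is_uuid4 "$id" || { echo "CONNECTOR_ID '$id' is not a UUID v4"; problems=$((problems + 1)); }
    done
    dups=$(printf '%s\n' $ids | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate CONNECTOR_ID: $dups"; problems=$((problems + 1)); }
    keys=$(grep -nE '_API_KEY=ChangeME([[:space:]]|$)' "$1" || true)
    [ -z "$keys" ] || { echo "placeholder API key at line: $keys"; problems=$((problems + 1)); }
    [ "$problems" -eq 0 ]
}

# host_mem_gb [MEMINFO]: MemTotal rounded to whole gigabytes (reads
# /proc/meminfo by default); below 8 the instance is likely to crash as
# described in Step 4's troubleshooting.
host_mem_gb() {
    awk '/^MemTotal:/ { printf "%d\n", int($2 / 1048576 + 0.5) }' "${1:-/proc/meminfo}"
}

# Demo on constructed files (not a real deployment): the values copied from
# the post fail, freshly generated ones pass.
work=$(mktemp -d)
printf 'OPENCTI_ADMIN_PASSWORD=StrongPassword123\nOPENCTI_ADMIN_TOKEN=ReplaceWithYourUUID\n' > "$work/.env"
echo "--- .env as copied from the guide:"
check_env "$work/.env" || echo "fix .env before starting the stack"
printf 'OPENCTI_ADMIN_PASSWORD=%s\nOPENCTI_ADMIN_TOKEN=%s\n' "$(gen_uuid4)" "$(gen_uuid4)" > "$work/.env"
echo "--- .env with generated values:"
check_env "$work/.env" && echo "ok"
printf '      - CONNECTOR_ID=ChangeME # UUID v4\n      - ABUSEIPDB_API_KEY=ChangeME\n' > "$work/docker-compose.yml"
echo "--- connector block as copied from the guide:"
check_compose "$work/docker-compose.yml" || echo "fix docker-compose.yml before starting the stack"
rm -rf "$work"
[ -r /proc/meminfo ] && echo "host memory: $(host_mem_gb) GB"
```

In practice you would run `check_env .env` and `check_compose docker-compose.yml` in the cloned directory and only start the stack when both return 0. The demo uses gen_uuid4 for the admin password purely to get a long random string; for a real deployment use a password manager and keep the generated OPENCTI_ADMIN_TOKEN out of version control, since it grants full API access.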

Step 6: Setting up the platform for external use

Step                             Command
Open Firewall Port               sudo ufw allow 8080/tcp
Find Public IP                   curl ifconfig.me
Set Up a Domain (DNS A Record)   opencti.example.com -> Your Public IP
Install Nginx                    sudo apt install -y nginx
Configure Reverse Proxy          Edit /etc/nginx/sites-available/opencti
Enable Nginx Site                sudo ln -s /etc/nginx/sites-available/opencti /etc/nginx/sites-enabled/
Test Nginx & Restart             sudo nginx -t && sudo systemctl restart nginx
Install SSL (HTTPS)              sudo certbot --nginx -d your-domain.com
Test HTTPS Access                https://your-domain.com
Restrict Access (Optional)       Modify location / in Nginx config

This step is optional: if you only use OpenCTI yourself or within your home network, it is best to keep the platform internal.
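The table leaves the contents of /etc/nginx/sites-available/opencti to the reader. As an added example (not from the post or from the OpenCTI project), the shell function below renders that site file, and takes an optional list of networks so the "Restrict Access" row can be applied with allow/deny directives inside location /. It assumes docker-compose publishes OpenCTI on host port 8080 (matching the post's OPENCTI_BASE_URL), that certbot adds the TLS listener afterwards, and that the domain and networks shown are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: renders the site file that the
# "Configure Reverse Proxy" row of Step 6 edits, with an optional allow-list
# for the "Restrict Access" row. Assumptions: docker-compose publishes OpenCTI
# on host port 8080 (matching the post's OPENCTI_BASE_URL), certbot adds the
# TLS listener afterwards, and the domain and networks passed in are placeholders.
set -u

# render_site DOMAIN [CIDR ...]
# Prints an Nginx server block that proxies to OpenCTI. When one or more CIDRs
# are given, only those networks may reach the UI; all other clients get 403.
render_site() {
    domain=$1
    shift
    printf 'server {\n    listen 80;\n    server_name %s;\n\n' "$domain"
    cat <<'EOF'
    # STIX bundles uploaded through the UI can exceed Nginx's 1M default
    client_max_body_size 100M;

    location / {
EOF
    if [ "$#" -gt 0 ]; then
        for cidr in "$@"; do
            printf '        allow %s;\n' "$cidr"
        done
        printf '        deny all;\n'
    fi
    cat <<'EOF'
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # OpenCTI keeps long-lived connections open for live updates
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 3600;
    }
}
EOF
}

# write_site DEST DOMAIN [CIDR ...]: same output written to DEST, e.g.
# /etc/nginx/sites-available/opencti (needs root), then run "nginx -t".
write_site() {
    dest=$1
    shift
    render_site "$@" > "$dest"
}

# Demo with placeholder values: the UI reachable only from 203.0.113.0/24.
render_site opencti.example.com 203.0.113.0/24
```

To install it, pipe the output through `sudo tee /etc/nginx/sites-available/opencti` and continue with the "Enable Nginx Site" and "Test Nginx & Restart" rows. With Nginx in front, the firewall rule in the table can be tightened: `sudo ufw allow 'Nginx Full'` opens 80 and 443, and if the compose file maps the port as 127.0.0.1:8080:8080, `ufw allow 8080/tcp` is not needed at all because nothing but the proxy can reach OpenCTI directly. Once HTTPS works, set OPENCTI_BASE_URL in .env to https://your-domain.com and restart the stack, since the platform uses that value to build absolute links and redirects.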


Conclusion

Congratulations! Your OpenCTI instance is now fully deployed, running with multiple threat intelligence connectors, and securely accessible online. If you run into any issues, check Docker logs and ensure enough system resources are allocated.

Have questions? Drop them in the comments! 💬
