Self-hosting HaxHQ
This article explains the process for deploying, maintaining and using HaxHQ in a zero trust model.
Deploying HaxHQ
Hardware requirements
- CPU - 1 vCPU
- RAM - 1 GB
- Disk - 40 GB
HaxHQ is extremely efficient and has very modest hardware requirements, which means you can run it in VirtualBox on a desktop or micro computer if you don't have a VMware server.
For larger teams an extra vCPU may increase performance.
Software stack
- Debian OS
- Nginx
- Postgres
- Python (Flask)
- additional OS packages required (Debian): git nginx postgresql python3.X-venv memcached
Installation
We will provide an .ova image; just import it into VMware or VirtualBox. The instance will be pre-configured with your initial account.
A default reporting template is installed; you can use the template download and upload features to apply your branding to it. We would be happy to do this for you and can also make other changes as required to match any existing report format.
Required connectivity
The host will need the following outbound connectivity:
- TCP/443 (HTTPS) access to deb.debian.org and pypi.org. This is used for OS and Python package updates.
- TCP/5885 (HTTPS) access to updates.haxhq.com. This is used for HaxHQ updates.
- TCP/587 (SMTPS) optional access to smtp.haxhq.com. If the app is configured to send email, by default it will try to send directly to smtp.haxhq.com with SSL encryption. An alternate mail server can be configured, or email can be disabled completely.
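The outbound list above translates directly into a host firewall allowlist. The script below is an added example, not HaxHQ's own tooling: it resolves the listed hostnames and emits an nftables ruleset that allows only those destinations and ports, plus DNS and loopback, and logs and drops everything else. The table, set and chain names, the DNS_SERVERS override and the with-smtp switch are this example's own assumptions; the destinations and ports are the ones listed above.

```shell
#!/bin/bash
# haxhq-egress.sh: emit an nftables ruleset that allows a HaxHQ host only the
# outbound connections listed in "Required connectivity" (plus DNS and
# loopback) and drops the rest. Added example, not HaxHQ's own tooling; the
# table, set and chain names are this script's own choice.
set -eu

resolve_host() {
    # IPv4 addresses for a hostname, one per line (redefine this to test offline).
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

join_addrs() {
    # newline-separated addresses on stdin -> "a, b, c", as nft set syntax wants
    tr '\n' ',' | sed 's/,$//; s/,/, /g'
}

nft_set() {
    # Emit a named ipv4_addr set holding the addresses of one or more hostnames.
    # An unresolvable name must abort: an empty set would silently block updates.
    local name="$1"; shift
    local addrs
    addrs=$(for h in "$@"; do resolve_host "$h" || true; done | sort -u)
    if [ -z "$addrs" ]; then
        echo "error: could not resolve any of: $*" >&2
        return 1
    fi
    printf '    set %s {\n        type ipv4_addr\n        elements = { %s }\n    }\n' \
        "$name" "$(printf '%s\n' "$addrs" | join_addrs)"
}

dns_rules() {
    # Allow DNS only to the resolvers you control (DNS_SERVERS, or the IPv4
    # nameservers in /etc/resolv.conf), so lookups, including any finding-IP
    # resolution, never reach third-party resolvers; if none is configured,
    # fall back to allowing port 53 anywhere.
    local ns
    ns="${DNS_SERVERS:-$(awk '/^nameserver[[:space:]]+[0-9.]+$/ { print $2 }' /etc/resolv.conf 2>/dev/null || true)}"
    if [ -n "$ns" ]; then
        local list
        # shellcheck disable=SC2086   # word-split: DNS_SERVERS may be space-separated
        list=$(printf '%s\n' $ns | join_addrs)
        echo "        ip daddr { $list } udp dport 53 accept"
        echo "        ip daddr { $list } tcp dport 53 accept"
    else
        echo "        udp dport 53 accept"
        echo "        tcp dport 53 accept"
    fi
}

gen_egress_rules() {
    # Usage: gen_egress_rules [with-smtp]; prints a complete ruleset for `nft -f`.
    local with_smtp="${1:-}"
    echo "table inet haxhq_egress {"
    nft_set pkg_repos deb.debian.org pypi.org || return 1     # TCP/443
    nft_set haxhq_updates updates.haxhq.com || return 1      # TCP/5885
    if [ "$with_smtp" = with-smtp ]; then
        nft_set haxhq_smtp smtp.haxhq.com || return 1        # TCP/587, optional
    fi
    echo "    chain output {"
    echo "        type filter hook output priority 0; policy drop;"
    echo '        oifname "lo" accept'
    echo "        ct state established,related accept"
    echo "        ct state invalid drop"
    dns_rules
    echo "        ip daddr @pkg_repos tcp dport 443 accept"
    echo "        ip daddr @haxhq_updates tcp dport 5885 accept"
    if [ "$with_smtp" = with-smtp ]; then
        echo "        ip daddr @haxhq_smtp tcp dport 587 accept"
    fi
    echo '        counter log prefix "haxhq-egress-drop: " drop'
    echo "    }"
    echo "}"
}

# ./haxhq-egress.sh --emit [with-smtp] > haxhq-egress.nft
if [ "${1:-}" = "--emit" ]; then
    gen_egress_rules "${2:-}"
fi
```

Load it with `./haxhq-egress.sh --emit with-smtp > haxhq-egress.nft && nft -f haxhq-egress.nft` (delete the previous `inet haxhq_egress` table first when reloading). deb.debian.org and pypi.org are served from CDNs whose addresses change, so either regenerate the ruleset on a timer or route package updates through an egress proxy and allow only the proxy. If the host uses a local stub resolver such as 127.0.0.53, set DNS_SERVERS to the upstream resolvers, otherwise the stub's own upstream queries are dropped. The ruleset is IPv4 only; IPv6 egress falls under the drop policy, and anything else the host needs (NTP, remote syslog) is outside the page's list and has to be added.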
Support and operation
Software updates
HaxHQ and Python package updates are done from the web interface (user menu -> check for updates).
For OS updates, the web interface can check whether any packages can be upgraded, but installing them requires root privileges, so they need to be applied locally from the command line (or by your own local automation). There are options available to automate OS updates as well; please ask so we can determine the option that is best for you.
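Because OS updates have to be applied from the command line, a small wrapper makes the check scriptable from cron or your own automation. The script below is an added example, not HaxHQ's own tooling: it parses the output of `apt list --upgradable`, separates updates that come from a Debian security suite from the rest, and can apply just the security ones. The script name and that "security suites first" policy are this example's assumptions; the apt commands themselves are standard Debian ones.

```shell
#!/bin/bash
# haxhq-os-updates.sh: report pending Debian package updates on a HaxHQ host
# and, on request, apply the security ones. Added example, not HaxHQ's own
# tooling; the script name and the "security first" policy are assumptions.
set -eu

classify_upgrades() {
    # Read `apt list --upgradable` output on stdin and print one line per package:
    #   <security|other> <package> <old-version> -> <new-version>
    # A package is "security" when its update comes from a "-security" suite
    # (e.g. bookworm-security); those are the ones to apply without delay.
    awk -F'[/ ]' '
        /^Listing/ { next }          # skip the "Listing... Done" banner
        NF < 7 { next }              # not a "pkg/suite ver arch [upgradable from: old]" line
        {
            kind = ($2 ~ /-security/) ? "security" : "other"
            old = $7; sub(/\]$/, "", old)   # "1.2.3]" -> "1.2.3"
            print kind, $1, old, "->", $3
        }'
}

security_count() {
    # Count the security lines in classify_upgrades output on stdin (prints 0 when none).
    grep -c '^security ' || true
}

check() {
    # Refresh the package indexes and print what is pending; run as root so the
    # result can feed a dashboard or an alert.
    apt-get update -qq
    apt list --upgradable 2>/dev/null | classify_upgrades
}

apply_security() {
    # Upgrade only the packages whose pending update comes from a security suite,
    # non-interactively; leave the full `apt-get upgrade` to your maintenance window.
    local pkgs
    pkgs=$(apt list --upgradable 2>/dev/null | classify_upgrades | awk '$1 == "security" { print $2 }')
    if [ -z "$pkgs" ]; then
        echo "no pending security updates"
        return 0
    fi
    # shellcheck disable=SC2086   # word-splitting the package list is intended
    DEBIAN_FRONTEND=noninteractive apt-get install -y --only-upgrade $pkgs
}

case "${1:-}" in
    check) check ;;
    apply) apply_security ;;
    "") ;;     # no argument: only define the functions (e.g. when sourced)
    *) echo "usage: $0 check|apply" >&2; exit 2 ;;
esac
```

`./haxhq-os-updates.sh check` from cron gives one machine-readable line per pending package and `apply` installs the security ones; piping `check` into `security_count` turns it into a monitoring check. The unattended-upgrades package is the usual fully automatic alternative, but a wrapper like this keeps the decision of what gets installed, and when, inside your own automation.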
Security and privacy
No third-party content is loaded or accessed by the application: no Google Analytics and no externally loaded JS libraries. The host will need internet access for OS and Python package updates (to deb.debian.org and pypi.org respectively) and access to updates.haxhq.com.
With some types of imports, the IP address data for a finding may be missing. In those cases the system attempts to resolve the missing addresses by DNS, which could leak information if you are using third-party resolvers. This feature can be turned off if required.
2FA is available, and client certificate authentication can be configured as well.
Should you wish to pentest the application, this can be done at any time against your own instance. If you want to test security before you purchase, you can pentest the demo instance provided by us - just let us know at least 24h in advance. You can also test an instance protected with client certificate authentication at https://hackme.haxhq.com; it will be a boring test 🙂. Please provide us with a copy of the results of the testing on completion.