lucy_onboarding_checklist

Differences

This shows you the differences between two versions of the page.

lucy_onboarding_checklist [2020/01/15 08:50] lucylucy_onboarding_checklist [2020/04/16 16:25] lucy
Line 40: Line 40:
 | Login | [[lucy_weblogin|Login]] to LUCY with the Webbrowser using the IP address of your server. Continue the setup in the browser using the credentials provided in the setup script. As an alternative you can also use a domain name for the administration. If you want to use a domain for your administration UI, Connect to your LUCY instance with the root or phishing account. If you connect as root, please execute the command  python /opt/phishing/current/tools/setup/setup.py (if you have a docker based installation, execute: docker exec -it lucy /bin/bash and then press enter and execute "python /opt/phishing/current/tools/setup/setup.py)". Within the setup script menu please choose menu item "domain configuration" and set the domain for your admin UI | • Did you think of reserving a domain for the administration frontend of LUCY?| [[domain_configuration|Domain configuration]] | | Login | [[lucy_weblogin|Login]] to LUCY with the Webbrowser using the IP address of your server. Continue the setup in the browser using the credentials provided in the setup script. As an alternative you can also use a domain name for the administration. If you want to use a domain for your administration UI, Connect to your LUCY instance with the root or phishing account. If you connect as root, please execute the command  python /opt/phishing/current/tools/setup/setup.py (if you have a docker based installation, execute: docker exec -it lucy /bin/bash and then press enter and execute "python /opt/phishing/current/tools/setup/setup.py)". Within the setup script menu please choose menu item "domain configuration" and set the domain for your admin UI | • Did you think of reserving a domain for the administration frontend of LUCY?| [[domain_configuration|Domain configuration]] |
 | Download License | Please send us the [[how_to_activate_lucy|workstation ID]] | - | [[https://lucysecurity.com/pricing/|LUCY Pricing]] | | Download License | Please send us the [[how_to_activate_lucy|workstation ID]] | - | [[https://lucysecurity.com/pricing/|LUCY Pricing]] |
-| Update | Please make sure that LUCY can connect to the internet via http/https to our update server (193.25.100.129 - update.phishing-server.com). If you are using a proxy, please go to “advanced settings” and define your proxy first. \\ • Please test the disk space before updating all templates. Show a warning, if disk space is not sufficient. Always install with “install + replace” \\ • System update: show this button greyed out while templates are downloaded. If all templates are downloaded, allow the user to check for updates. Display an error if the http connection cannot be established. | - | [[update_lucy|Update LUCY]] |+| Update | Please make sure that LUCY can connect to the internet via http/https to our update server (176.9.154.150 - update.phishing-server.com). If you are using a proxy, please go to “advanced settings” and define your proxy first. \\ • Please test the disk space before updating all templates. Show a warning, if disk space is not sufficient. Always install with “install + replace” \\ • System update: show this button greyed out while templates are downloaded. If all templates are downloaded, allow the user to check for updates. Display an error if the http connection cannot be established. | - | [[update_lucy|Update LUCY]] |
 | Mail Settings | Define your **[[mail_delivery_methods_in_lucy|default mail delivery method]]** in LUCY. If you plan a phishing siluation together with a training, you might want to consider using a different domain or een mail server for the awareness training. In case you use the build in mail server: set the [[set_hostname_for_smtp_communication|hostname]] for the mail server. | • Do you want to perform a phishing simulation bundled with awareness training? | - | | Mail Settings | Define your **[[mail_delivery_methods_in_lucy|default mail delivery method]]** in LUCY. If you plan a phishing siluation together with a training, you might want to consider using a different domain or een mail server for the awareness training. In case you use the build in mail server: set the [[set_hostname_for_smtp_communication|hostname]] for the mail server. | • Do you want to perform a phishing simulation bundled with awareness training? | - |
 | Domain Setup | You will need two domain types in LUCY:  \\ \\ **Attack simulation domains** \\ \\ This is the domain you could use for your phishing website in your attack simulation. We recommend reserving first a generic domain like "cloud-services625.com". If you create a wildcard A-record for that domain, you can then use a matching subdomain. Let’s say you prepare a phishing simulation with some web-based email service. Using the subdomain "webmail" would give you the domain "webmail.cloud-services625.com" for the landing page. If you ask the user to download a file, you could use "download.cloud-services625.com" etc. \\ If you want to do more sophisticated attacks you can reserve a typo squatted version of your own domain name. Typo squatting is a technique of registering domain names which look similar to some legitimate domain name. For instance, given google.com, one example of typo squatting domain might be g00gle.com. You can use https://spoofing.lucysecurity.com  to verify what variations of a domain name are available.You can use the domain from your landing page also for the email sender (like sender@cloud-services625.com). But as the sender email domain is a free text field that can be used with any domain name, it is not required to reserve a domain for just sending emails. There are some rules though when it comes to sending on behalf of other domain names: \\  \\ a) You can only use domain names that really exist \\ b) You can only use domain names that are not SPF protected (unless you white list them on your mail server) \\ c) You can only use domains that also have an MX record \\  \\ That means, you cannot use "@apple.com" as there is an SPF entry for this domain. You also cannot use "@this-does-not-exist.com". But you could use "@example.com" - a domain that exists, but is not protected. The website MX Toolbox helps you verifying if a MX or SPF record exists. 
\\  \\ **Awareness Website Domain** \\  \\ Try to avoid using the same domain for attack simulations as for the awareness training. If possible, point a trusted domain record to LUCY like "training.your-domain.com" and send awareness emails using your own mail server as a relay in LUCY. \\ If you don't have a domain registered yet, you can use the integrated LUCY Domain Registration Wizard. This feature is only available for commercial licenses, allowing you to reserve all the available domain names for an affordable price. Commercial clients have a built-in budget for using the domain API and are also able to later add credits for the domain reservation.  | - | - | | Domain Setup | You will need two domain types in LUCY:  \\ \\ **Attack simulation domains** \\ \\ This is the domain you could use for your phishing website in your attack simulation. We recommend reserving first a generic domain like "cloud-services625.com". If you create a wildcard A-record for that domain, you can then use a matching subdomain. Let’s say you prepare a phishing simulation with some web-based email service. Using the subdomain "webmail" would give you the domain "webmail.cloud-services625.com" for the landing page. If you ask the user to download a file, you could use "download.cloud-services625.com" etc. \\ If you want to do more sophisticated attacks you can reserve a typo squatted version of your own domain name. Typo squatting is a technique of registering domain names which look similar to some legitimate domain name. For instance, given google.com, one example of typo squatting domain might be g00gle.com. You can use https://spoofing.lucysecurity.com  to verify what variations of a domain name are available.You can use the domain from your landing page also for the email sender (like sender@cloud-services625.com). But as the sender email domain is a free text field that can be used with any domain name, it is not required to reserve a domain for just sending emails. 
There are some rules though when it comes to sending on behalf of other domain names: \\  \\ a) You can only use domain names that really exist \\ b) You can only use domain names that are not SPF protected (unless you white list them on your mail server) \\ c) You can only use domains that also have an MX record \\  \\ That means, you cannot use "@apple.com" as there is an SPF entry for this domain. You also cannot use "@this-does-not-exist.com". But you could use "@example.com" - a domain that exists, but is not protected. The website MX Toolbox helps you verifying if a MX or SPF record exists. \\  \\ **Awareness Website Domain** \\  \\ Try to avoid using the same domain for attack simulations as for the awareness training. If possible, point a trusted domain record to LUCY like "training.your-domain.com" and send awareness emails using your own mail server as a relay in LUCY. \\ If you don't have a domain registered yet, you can use the integrated LUCY Domain Registration Wizard. This feature is only available for commercial licenses, allowing you to reserve all the available domain names for an affordable price. Commercial clients have a built-in budget for using the domain API and are also able to later add credits for the domain reservation.  | - | - |
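Review bot: The changed Update row still pins a literal address next to the hostname ("176.9.154.150 - update.phishing-server.com"), and this revision shows that address moving from 193.25.100.129, so any egress firewall or proxy allowlist built from the earlier text will now block updates with no hint why. Suggest stating that the hostname is authoritative and the IP may change, or adding a dated note that 193.25.100.129 is no longer used, so administrators know to revise their rules. The same row says "via http/https" and "Display an error if the http connection cannot be established"; if updates can be fetched over HTTPS, the checklist should name it as the required transport, since the row describes no other integrity check on downloaded templates or system updates. The unchanged Mail Settings row also carries typos worth a follow-up edit ("siluation", "een mail server", "build in").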
lucy_onboarding_checklist.txt · Last modified: 2021/09/29 10:28 by lucysecurity