Threat detection and response with WAZUH part-1


WAZUH is an open-source security monitoring solution that helps organizations detect and respond to cyber threats. It provides a centralized view of your security posture, allowing you to monitor and secure your infrastructure, applications, and networks in real time. Its features include intrusion detection, file integrity monitoring (FIM), log analysis, compliance checks, and vulnerability management. Its integration with the Elastic Stack makes it easy to search, analyze, and visualize security data, so you can identify and address potential issues before they become major problems.

There are many ways to install Wazuh. In this Wazuh how-to series I'll show you how to install it using Docker, how to configure it, and how to install the Wazuh client. Let's start with the server part.

WAZUH Components

Before getting your hands dirty, let's go through the basic components of Wazuh. Wazuh is built from three major components:

  • Wazuh indexer
  • Wazuh server
  • Wazuh dashboard

The Wazuh indexer is a component of the Wazuh platform that is responsible for indexing and storing the security data collected by the Wazuh agents. The indexer uses Elasticsearch, a search and analytics engine, to index the data and make it easily searchable and accessible.

The Wazuh server is the main component of the Wazuh platform. It receives and processes data from the Wazuh agents, and then forwards it to the indexer for storage. The server also includes a number of other features, such as the ability to perform real-time analysis of the data, run security scans, and send alerts when suspicious activity is detected.

The Wazuh dashboard is a web-based interface that allows you to view and analyze the security data collected by the Wazuh platform. It provides a range of visualizations and reports that can help you understand the security posture of your infrastructure, identify potential threats, and take corrective action. The dashboard can be accessed through a web browser, and is typically used by security analysts and other IT professionals to monitor and manage the security of their systems.

WAZUH Docker Deployment

Wazuh can be deployed in two ways: as a single-node or as a multi-node stack.

Single-node deployment: one Wazuh manager, one Wazuh indexer and one Wazuh dashboard, all on one host. Useful for testing and quick learning, and suitable for small environments.

Multi-node deployment: the Wazuh stack is spread across multiple servers. It provides redundancy and is the best fit for production; suitable for large environments.

WAZUH Docker Installation

In this lab I'll go for a single-node deployment on an Ubuntu 18.04 server with Docker installed. If you are not familiar with Docker, check out my Docker post here. Follow the steps below to install WAZUH on your Ubuntu server.

1. Install Docker and Docker Compose on your system.

2. Increase max_map_count on your system. max_map_count is a Linux kernel parameter that defines the maximum number of memory-mapped regions a process may have. Elasticsearch relies on memory-mapped files for its indices, so the indexer will not start if this limit is too low. Open the /etc/sysctl.conf file as root with your favorite text editor and insert the line below:
vm.max_map_count=262144

Save and exit the sysctl.conf file.

3. Clone the Wazuh repository from its official GitHub page with the command below:

git clone https://github.com/wazuh/wazuh-docker.git -b v4.3.10

4. After cloning, you will find a directory named wazuh-docker in your current directory. Go to the wazuh-docker/single-node directory and run the command below to generate the certificates. These certificates secure the communication between the Wazuh nodes.

docker-compose -f generate-indexer-certs.yml run --rm generator

The command generates all the required certificates in the config/wazuh_indexer_ssl_certs/ directory. Now it's time to run the Wazuh stack with the command below.

docker-compose up -d

Wait a few minutes. The first start of the stack takes a while because all the Docker images needed to build it must be downloaded. Run the command below to check the status of the stack.

docker-compose ps

The output will look like the one below. Check the State column: it should display Up, which means the containers are up and running.

 Name                          Command                       State  Ports
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
single-node_wazuh.dashboard_1 /entrypoint.sh Up 443/tcp, 0.0.0.0:443->5601/tcp,:::443->5601/tcp
single-node_wazuh.indexer_1 /entrypoint.sh opensearchw ... Up 0.0.0.0:9200->9200/tcp,:::9200->9200/tcp
single-node_wazuh.manager_1 /init Up 0.0.0.0:1514->1514/tcp,:::1514->1514/tcp, 0.0.0.0:1515->1515/tcp,:::1515->1515/tcp, 1516/tcp,0.0.0.0:514->514/udp,:::514->514/udp, 0.0.0.0:55000->55000/tcp,:::55000->55000/tcp

5. Open your browser and enter your Wazuh server's IP address or DNS name. You will see the Wazuh login screen.


The default user is admin and the password is SecretPassword. Changing the default admin password was the first thing I did after installing Wazuh. Follow the steps below to change the default admin password of Wazuh.

Change the default admin password

Go to the wazuh-docker/single-node directory and run the command below to stop the running stack.

docker-compose down

6. Type the command below. It runs a container and executes a script inside it that generates the hash value of the password you provide.

docker run --rm -ti wazuh/wazuh-indexer:4.3.10 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh

It will ask for your new password. Type it and press Enter.

[Password:]

It prints the hash value of your password. Copy the hash value, then open the file below.

vim wazuh-docker/single-node/config/wazuh_indexer/internal_users.yml

7. Find the admin section and replace the hash value with your newly generated hash. Save and exit the file. Then open the docker-compose.yml file located in the single-node directory, search for all occurrences of INDEXER_PASSWORD and change their value to your new password, like below.

INDEXER_PASSWORD=<YOUR NEW PASSWORD>

Run the Wazuh stack again from the single-node directory:

docker-compose up -d

8. Now it's time to do some work inside the container named single-node_wazuh.indexer_1. To access the container, run the command below.

docker exec -it single-node_wazuh.indexer_1 bash

9. Now you are inside the container. Type or paste the commands below one after another into the container shell, pressing Enter after each.

export INSTALLATION_DIR=/usr/share/wazuh-indexer
export OPENSEARCH_PATH_CONF=${INSTALLATION_DIR}/config
CACERT=$OPENSEARCH_PATH_CONF/certs/root-ca.pem
KEY=$OPENSEARCH_PATH_CONF/certs/admin-key.pem
CERT=$OPENSEARCH_PATH_CONF/certs/admin.pem
export JAVA_HOME=/usr/share/wazuh-indexer/jdk

10. To apply the updated security configuration so that your new password takes effect, type the command below inside the container and press Enter.

bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/ -nhnv -cacert $CACERT -cert $CERT -key $KEY -p 9300 -icl

You will see some output that ends with the text below:

Done with success

Exit the container and try to log in to the Wazuh interface from your browser with your new password. If everything goes well, you can log in to your Wazuh instance. In my next post I'll show you how to install the Wazuh client and forward logs for further analysis. Till then, enjoy WAZUH!

Thanks for reading the post. If you enjoyed the post, please share it with your network and let me know your thoughts in the comments. 

About the Author: Imtiaz works in a financial organization in Bangladesh and has experience in system, network and security administration. Feel free to contact him on LinkedIn or Twitter.
