First, follow the instructions in this post to build a firewall host.
In AWS EC2, launch the CentOS 7 wazuh instance.
Attach 1 interface eth0 to the wazuh instance.
| Subnet | Interface | Address |
|---|---|---|
| DMZ | eth0 | 10.20.1.15 |
The wazuh instance will use 10.20.0.1 for its default gateway.
From the firewall instance, you should be able to log in to the wazuh instance using your ssh key.
# From the firewall host, reach the wazuh instance on its DMZ address (see the
# interface table above) using the EC2 key pair.
ssh -i key.pem centos@10.20.1.15
Install some utilities
# Baseline utilities used by the rest of this guide (each yum call prompts
# for confirmation; run them one at a time).
yum install net-tools
yum install mlocate
sh /etc/cron.daily/mlocate   # build the locate database now instead of waiting for cron
yum install dos2unix
yum install sysstat
yum install lsof
yum install tcpdump
yum install nmap-ncat
yum install bind-utils
yum install tree
Modify the following files
# Host identity, name resolution and kernel network hardening for the wazuh
# host.  Each "vi" is followed by the lines to add or set in that file; the
# "cut here" markers delimit the file content and are not typed.

vi /etc/dhclient.conf
# ------------------------------ cut here ------------------------------
# supersede host-name "wazuh-host.domain";
# supersede domain-name "domain";
# supersede routers 10.20.1.1;
# ------------------------------ cut here ------------------------------
# NOTE(review): the introduction says the instance uses 10.20.0.1 as its
# default gateway, while "supersede routers" above says 10.20.1.1 — confirm
# which is correct for the DMZ subnet before relying on it.

vi /etc/hostname
# ------------------------------ cut here ------------------------------
# wazuh-host
# ------------------------------ cut here ------------------------------

vi /etc/hosts
# ------------------------------ cut here ------------------------------
# ::1 localhost localhost.domain
# 127.0.0.1 localhost localhost.domain
# 10.20.1.10 firewall-host.domain firewall-host
# 10.20.0.15 wazuh-host.domain wazuh-host
# ------------------------------ cut here ------------------------------
# NOTE(review): the interface table and the ssh example use 10.20.1.15 for
# wazuh-host; the 10.20.0.15 entry above looks like a typo — confirm.

vi /etc/sysconfig/network
# ------------------------------ cut here ------------------------------
# NETWORKING=yes
# NETWORKING_IPV6=no
# NOZEROCONF=yes
# ------------------------------ cut here ------------------------------

# Keep cloud-init from overwriting the hostname set above on reboot.
vi /etc/cloud/cloud.cfg
# ------------------------------ cut here ------------------------------
# preserve_hostname: true
# ------------------------------ cut here ------------------------------

vi /etc/sysconfig/network-scripts/ifcfg-eth0
# ------------------------------ cut here ------------------------------
# DEVICE="eth0"
# BOOTPROTO="dhcp"
# ONBOOT="yes"
# TYPE="Ethernet"
# USERCTL="yes"
# PEERDNS="yes"
# IPV6INIT="no"
# PERSISTENT_DHCLIENT="1"
# ------------------------------ cut here ------------------------------

vi /etc/resolv.conf
# ------------------------------ cut here ------------------------------
# search domain
# nameserver 10.20.0.2
# ------------------------------ cut here ------------------------------

# Ignore ICMP redirects (so a peer cannot rewrite this host's routes), log
# packets with impossible source addresses, and keep the small RAM instance
# from swapping eagerly.  The same values are re-applied with sysctl -w at
# the end of the guide.
vi /etc/sysctl.conf
# ------------------------------ cut here ------------------------------
# net.ipv4.conf.all.accept_redirects=0
# net.ipv4.conf.all.log_martians=1
# net.ipv4.conf.all.secure_redirects=0
# net.ipv4.conf.default.accept_redirects=0
# net.ipv4.conf.default.log_martians=1
# net.ipv4.conf.default.secure_redirects=0
# vm.swappiness=10
# vm.vfs_cache_pressure=50
# ------------------------------ cut here ------------------------------
Add a swap file
# Create and enable a 1 GiB swap file (1024 blocks of 1 MiB).
dd if=/dev/zero of=/swapfile count=1024 bs=1MiB
# Swap can contain anything that was paged out of memory (including secrets),
# so it must be readable by root only.
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile

# Confirm the swap is active; output on the ~1 GB instance looked like this:
free -h
# ------------------------------ cut here ------------------------------
#               total        used        free      shared  buff/cache   available
# Mem:           991M         74M         67M         12M        848M        738M
# Swap:          1.0G          0B        1.0G
# ------------------------------ cut here ------------------------------

# Make it persistent across reboots.
vi /etc/fstab
# ------------------------------ cut here ------------------------------
# /swapfile none swap sw 0 0
# ------------------------------ cut here ------------------------------
Install development tools and other utilities
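# Build tools plus two small utilities (rpl, xtail) built from source.
#
# Each fetch/build/install is chained with && so that a failed download or a
# failed cd does not run "make install" in the wrong directory (the original
# sequence ran every step unconditionally).
#
# NOTE(review): both tarballs are fetched over plain HTTP and compiled and
# installed as root with no integrity check.  Before building, compare the
# archive against the checksum or signature published by the upstream project
# (e.g. sha256sum rpl-1.4.1.tar.gz and compare with <UPSTREAM_SHA256>), or
# prefer a distribution package where one exists.
yum groupinstall 'Development Tools'
yum install wget
mkdir /root/src

cd /root/src \
  && wget http://downloads.laffeycomputer.com/current_builds/rpl-1.4.1.tar.gz \
  && tar zxf rpl-1.4.1.tar.gz \
  && cd rpl-1.4.1 \
  && ./configure \
  && make \
  && make install

cd /root/src \
  && wget http://utenti.gufi.org/~gmarco/files/distfiles/xtail-2.1.tar.gz \
  && tar zxf xtail-2.1.tar.gz \
  && cd xtail-2.1 \
  && ./configure \
  && make \
  && make install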
Adjust sshd
# Tighten sshd: short login window, few password attempts, no root login,
# no empty passwords.  Set (or uncomment) the following keys.
vi /etc/ssh/sshd_config
# ------------------------------ cut here ------------------------------
# ClientAliveInterval 900
# IgnoreRhosts yes
# LoginGraceTime 30
# MaxAuthTries 3
# PasswordAuthentication yes
# PermitEmptyPasswords no
# PermitRootLogin no
# PubkeyAuthentication yes
# ------------------------------ cut here ------------------------------
# NOTE(review): "PasswordAuthentication yes" re-enables password logins on
# an EC2 image that ships key-only; since access is via the firewall host
# with a key pair, consider whether "no" fits this deployment better.
service sshd restart
Adjust syslog
# Collect every syslog facility/priority into one file and rotate it with
# the stock syslog rotation.
vi /etc/rsyslog.conf
# ------------------------------ cut here ------------------------------
# *.* /var/log/all.log
# ------------------------------ cut here ------------------------------

# Create the file up front, root-only, so rsyslog does not create it with
# looser permissions.
touch /var/log/all.log
chmod 600 /var/log/all.log
systemctl restart rsyslog.service

# Add the new file to the list of paths rotated by the syslog rule.
vi /etc/logrotate.d/syslog
# ------------------------------ cut here ------------------------------
# /var/log/all.log
# ------------------------------ cut here ------------------------------
Enable NTP
# Time synchronisation: correct clocks are what make alert and log timestamps
# comparable across the firewall, this host and the agents.
yum install ntp
systemctl is-enabled ntpd.service     # just reports the current state
systemctl enable ntpd.service
systemctl restart ntpd.service
Make SELinux permissive
# Switch SELinux to permissive: denials are logged (and therefore visible to
# Wazuh) but no longer blocked.  This removes a layer of containment on the
# host, so it is worth revisiting once the stack is known to run enforcing.
vi /etc/sysconfig/selinux
# ------------------------------ cut here ------------------------------
# SELINUX=permissive
# ------------------------------ cut here ------------------------------

# Relabel /etc after the edits above so the files carry the expected contexts.
restorecon -RFv /etc
Update CentOS
# Bring the base system fully up to date before installing the Wazuh/Elastic stack.
yum update
Install Wazuh manager
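# Wazuh manager, its API (which needs Node.js) and a Java runtime.
#
# Changes from the original sequence:
#  - the NodeSource setup script is downloaded to a temp file and shown for
#    review before it is executed as root, instead of being piped from the
#    network straight into bash;
#  - the download check is an explicit if/else rather than "A && B || C",
#    which would also print the failure message if the success echo failed.

# The heredoc delimiter is quoted (\EOF) so $releasever/$basearch are written
# literally for yum to expand.  gpgcheck=1 with the vendor key verifies
# every package from this repo.
cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=CentOS-$releasever - Wazuh
baseurl=https://packages.wazuh.com/yum/el/$releasever/$basearch
protect=1
EOF
yum install wazuh-manager

# Node.js repository setup.  Inspect the script before running it: it runs
# with root privileges and comes from a third party.
setup_script=$(mktemp) || exit 1
curl --silent --location --output "$setup_script" https://rpm.nodesource.com/setup_6.x
less "$setup_script"
bash "$setup_script"
rm -f -- "$setup_script"
yum install nodejs
yum install wazuh-api

# Oracle JRE 8.  The cookie header is Oracle's licence-acceptance mechanism.
# NOTE(review): this download is over plain HTTP.  "rpm -qlp" below only
# proves the file is a well-formed RPM (not, say, an HTML error page); it
# says nothing about who built or signed it.  "rpm -K" (--checksig) would
# verify the package signature once Oracle's signing key has been imported.
curl -Lo jre-8-linux-x64.rpm --header "Cookie: oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/8u144-b01/090f390dda5b47b9b721c7dfaa008135/jre-8u144-linux-x64.rpm"
if rpm -qlp jre-8-linux-x64.rpm > /dev/null 2>&1; then
  echo "Java package downloaded successfully"
else
  echo "Java package did not download successfully"
fi
yum install jre-8-linux-x64.rpm
rm jre-8-linux-x64.rpm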
Install Elasticsearch
# Elasticsearch 5.x from the signed Elastic repository, plus the Wazuh index
# template and a sample alert document.

# Import the signing key first so gpgcheck=1 can verify the packages.
rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
cat > /etc/yum.repos.d/elastic.repo << EOF
[elastic-5.x]
name=Elastic repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
yum install elasticsearch
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl start elasticsearch.service

# NOTE(review): the guide does not set network.host in elasticsearch.yml;
# confirm the node is bound to localhost only, since the REST API below has
# no authentication of its own.

# Load the Wazuh index template, then index one sample alert into today's
# daily index (wazuh-alerts-YYYY.MM.DD).
curl https://raw.githubusercontent.com/wazuh/wazuh-kibana-app/master/server/startup/integration_files/template_file.json \
  | curl -XPUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-
curl https://raw.githubusercontent.com/wazuh/wazuh-kibana-app/master/server/startup/integration_files/alert_sample.json \
  | curl -XPUT "http://localhost:9200/wazuh-alerts-$(date +%Y.%m.%d)/wazuh/sample" -H 'Content-Type: application/json' -d @-

# Lock the JVM heap in RAM; the systemd drop-in lifts the memlock limit so
# the lock can actually be taken.
vi /etc/elasticsearch/elasticsearch.yml
# ------------------------------ cut here ------------------------------
# bootstrap.memory_lock: true
# ------------------------------ cut here ------------------------------
mkdir -p /etc/systemd/system/elasticsearch.service.d
vi /etc/systemd/system/elasticsearch.service.d/elasticsearch.conf
# ------------------------------ cut here ------------------------------
# [Service]
# LimitMEMLOCK=infinity
# ------------------------------ cut here ------------------------------
systemctl daemon-reload
systemctl restart elasticsearch.service

# Single-node tuning of the Wazuh template: one shard, no replicas (a replica
# can never be allocated on a one-node cluster and would leave indices yellow).
curl https://raw.githubusercontent.com/wazuh/wazuh/2.0/extensions/elasticsearch/wazuh-elastic5-template.json -o w-elastic-template.json
vi w-elastic-template.json
# ------------------------------ cut here ------------------------------
# "index.refresh_interval": "5s",
# "number_of_shards" : 1,
# "number_of_replicas" : 0
# ------------------------------ cut here ------------------------------
curl -XPUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @w-elastic-template.json

# Apply the no-replica setting to indices that already exist.
curl -XPUT 'localhost:9200/wazuh-*/_settings?pretty' -H 'Content-Type: application/json' -d' { "settings": { "number_of_replicas" : 0 } } '
Install Logstash
# Logstash reads the manager's local alerts.json and ships it to Elasticsearch.
yum install logstash
curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/2.0/extensions/logstash/01-wazuh.conf
curl -so /etc/logstash/wazuh-elastic5-template.json https://raw.githubusercontent.com/wazuh/wazuh/2.0/extensions/elasticsearch/wazuh-elastic5-template.json

# Use the local file input; the Filebeat/beats input stays commented out
# because the manager runs on this same host.
vi /etc/logstash/conf.d/01-wazuh.conf
# ------------------------------ cut here ------------------------------
# ## Remote Wazuh Manager - Filebeat input
# #input {
# #  beats {
# #    port => 5000
# #    codec => "json_lines"
# ##    ssl => true
# ##    ssl_certificate => "/etc/logstash/logstash.crt"
# ##    ssl_key => "/etc/logstash/logstash.key"
# #  }
# #}
# ## Local Wazuh Manager - JSON file input
# input {
#   file {
#     type => "wazuh-alerts"
#     path => "/var/ossec/logs/alerts/alerts.json"
#     codec => "json"
#   }
# }
# ------------------------------ cut here ------------------------------

# The alerts file is owned by the ossec group; add logstash to that group and
# run the service under it so it can read the file without widening the
# file's permissions.
usermod -a -G ossec logstash
vi /etc/logstash/startup.options
# ------------------------------ cut here ------------------------------
# LS_GROUP=ossec
# ------------------------------ cut here ------------------------------

# Regenerate the unit from startup.options, then enable it.
/usr/share/logstash/bin/system-install
systemctl daemon-reload
systemctl enable logstash.service
systemctl start logstash.service
Install Kibana and the Wazuh UI
# Kibana listens on localhost only; nginx (next section) is the only path
# in from the network, adding TLS and authentication.
yum install kibana
vi /etc/kibana/kibana.yml
# ------------------------------ cut here ------------------------------
# server.host: "localhost"
# ------------------------------ cut here ------------------------------

# Wazuh's Kibana app.
/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp.zip
Install nginx
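# nginx from the upstream repository.
#
# The original repo file set gpgcheck=1 but gave no gpgkey=, so yum had no
# key to verify the packages against; the vendor key URL is added here.
# Verify the key's fingerprint against the one nginx publishes before
# trusting it.  The heredoc delimiter is quoted (\EOF) so $releasever and
# $basearch are left for yum to expand.
cat > /etc/yum.repos.d/nginx.repo <<\EOF
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
EOF
yum install nginx

# Directories for the Kibana-facing certificate and key (installed next).
mkdir -p /etc/pki/tls/certs /etc/pki/tls/private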
Install SSL public certificate in /etc/pki/tls/certs/kibana-access.pem
Install SSL private key in /etc/pki/tls/private/kibana-access.key
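# nginx fronts Kibana (localhost:5601): plain HTTP is redirected to HTTPS and
# the HTTPS vhost requires basic auth.
#
# Changes from the original config:
#  - "ssl on;" is deprecated; TLS is enabled on the listen directives instead;
#  - ssl_protocols is pinned to TLSv1.2 so the deprecated TLS 1.0/1.1 are
#    not offered on this internet-facing listener.
#
# The heredoc delimiter is quoted (\EOF) so $host$request_uri is written
# literally for nginx.
cat > /etc/nginx/conf.d/default.conf <<\EOF
server {
  listen 80;
  listen [::]:80;
  return 301 https://$host$request_uri;
}
server {
  listen 443 ssl default_server;
  listen [::]:443 ssl;
  ssl_protocols TLSv1.2;
  ssl_certificate /etc/pki/tls/certs/kibana-access.pem;
  ssl_certificate_key /etc/pki/tls/private/kibana-access.key;
  access_log /var/log/nginx/nginx.access.log;
  error_log /var/log/nginx/nginx.error.log;
  location / {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
    proxy_pass http://localhost:5601/;
  }
}
EOF

# htpasswd comes from httpd-tools; -c creates the file with user "wazuh"
# (the password is prompted for).
# NOTE(review): htpasswd creates the file world-readable; restrict it to root
# and the group the nginx workers run as so other local accounts cannot read
# the password hashes.
yum install httpd-tools
htpasswd -c /etc/nginx/conf.d/kibana.htpasswd wazuh
systemctl restart nginx
systemctl daemon-reload
systemctl enable kibana.service
systemctl start kibana.service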
Configure Wazuh manager
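# Create the Wazuh API's first user, "admin" (password prompted for).  -c
# creates, or overwrites, the user file.  The cd is chained with && so that
# if the directory is missing the credential file is not created in whatever
# the current directory happens to be (the original ran both unconditionally).
cd /var/ossec/api/configuration/auth && node htpasswd -c user admin
systemctl restart nginx.service
systemctl restart wazuh-api.service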
Install SSL public certificate in /var/ossec/etc/sslmanager.cert
Install SSL private key in /var/ossec/etc/sslmanager.key
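# Agent enrolment, OpenSCAP, ruleset updates and runtime sysctl hardening.
#
# Change from the original: the weekly cron script is made executable.
# run-parts skips non-executable files in /etc/cron.weekly, and a file
# created with vi is not executable, so the ruleset update would never
# actually have run.

# Agent registration daemon (uses the certificate/key installed above).
# NOTE(review): -i is documented upstream as recording each agent with its
# source IP instead of "any"; confirm against this release's ossec-authd
# help.  Enrolment is accepted from anything that can reach this service,
# so the firewall host should restrict that to the agent networks.
/var/ossec/bin/ossec-authd -i

# Enable the OpenSCAP wodle.
vi /var/ossec/etc/ossec.conf
# ------------------------------ cut here ------------------------------
# <wodle name="open-scap">
#   <disabled>no</disabled>
# ------------------------------ cut here ------------------------------
/var/ossec/bin/ossec-control restart

# Fetch the current ruleset now, then refresh it weekly from cron.
/var/ossec/bin/update_ruleset.py
vi /etc/cron.weekly/wazuh
# ------------------------------ cut here ------------------------------
# #!/bin/sh
# cd /var/ossec/bin && ./update_ruleset.py -r
# ------------------------------ cut here ------------------------------
chmod 755 /etc/cron.weekly/wazuh

yum install openscap-scanner

# Apply the redirect/martian settings already written to /etc/sysctl.conf
# to the running kernel, flushing the route cache after each pair so the
# change takes effect immediately (same order as the original commands).
for setting in \
  net.ipv4.conf.all.secure_redirects=0 \
  net.ipv4.conf.default.secure_redirects=0 \
  net.ipv4.route.flush=1 \
  net.ipv4.conf.all.accept_redirects=0 \
  net.ipv4.conf.default.accept_redirects=0 \
  net.ipv4.route.flush=1 \
  net.ipv4.conf.all.log_martians=1 \
  net.ipv4.conf.default.log_martians=1 \
  net.ipv4.route.flush=1
do
  /sbin/sysctl -w "$setting"
done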