Kibana Wazuh Agent isn't showing anything in integrity
-
Also do iptables rules to block all incoming 9200 and 5601 traffic as you will not need it
-
@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
Which that is tied in specifically with the Safe Guard plugin
If it's on the same host, then just do a nginx reverse proxy.
(I've never set one up)
-
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
Which that is tied in specifically with the Safe Guard plugin
If it's on the same host, then just do a nginx reverse proxy.
(I've never set one up)
Install NGINX
apt-get -y install nginx
Generate self-signed cert for Kibana
mkdir -p /etc/ssl/certs /etc/ssl/private
openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/kibana-access.key -out /etc/ssl/certs/kibana-access.pem
Setup config file for NGINX
cat > /etc/nginx/sites-available/default <<\EOF
server {
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 default_server;
    listen [::]:443;
    # "ssl on;" is obsolete since nginx 1.15.0; newer configs put "ssl" on each listen line instead
    ssl on;
    ssl_certificate /etc/ssl/certs/kibana-access.pem;
    ssl_certificate_key /etc/ssl/private/kibana-access.key;
    access_log /var/log/nginx/nginx.access.log;
    error_log /var/log/nginx/nginx.error.log;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
        proxy_pass http://localhost:5601/;
    }
}
EOF
Enable authentication by password for Kibana
apt-get -y install apache2-utils
Set username and password for Kibana access. Replace <user> with your desired username
htpasswd -c /etc/nginx/conf.d/kibana.htpasswd <user>
Restart NGINX
systemctl restart nginx
-
@IRJ Okay, ran all of that.
How do I confirm the reverse proxy is working properly now?
-
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
@IRJ Okay, ran all of that.
How do I confirm the reverse proxy is working properly now?
access kibana on 443 and it should prompt you for a pw
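One way to confirm the setup from the host itself, as an added example that is not part of any post in this thread: audit the listening sockets so that 443 is served and the backend ports 5601 and 9200 are bound to loopback only. The `ss` output below is constructed, and a wildcard bind is reported as exposed because `ss` cannot see whether the iptables block suggested earlier is in place.

```sh
#!/bin/sh
# Added example: audit `ss -Hltn` output for the ports discussed in this thread.
# Constructed sample output (not taken from the poster's host).
SAMPLE_SS='LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 511 127.0.0.1:5601 0.0.0.0:*
LISTEN 0 4096 *:9200 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

audit_listeners() {
    # stdin: `ss -Hltn` lines; field 4 is the local address:port.
    # Exit status is 1 if a backend port is bound off-loopback or 443 is absent.
    awk '
    {
        port = $4; sub(/^.*:/, "", port)        # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)     # text before the last colon
        loopback = (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./)
        if (port == "5601" || port == "9200") {
            if (loopback) print "OK " port " bound to " addr
            else { print "EXPOSED " port " bound to " addr; bad = 1 }
        }
        if (port == "443") proxy = 1
    }
    END {
        if (!proxy) { print "MISSING no listener on 443"; bad = 1 }
        exit bad + 0
    }'
}

# Demo on the constructed sample; on a live host run: ss -Hltn | audit_listeners
printf '%s\n' "$SAMPLE_SS" | audit_listeners || echo "findings above need attention"
```
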
-
@IRJ nothing, it just spins. I assume I need to allow 443 through firewall-cmd?
-
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
@IRJ nothing, it just spins. I assume I need to allow 443 through firewall-cmd?
Not that. . .
-
Nginx just isn't doing it. Being the first time I've set this up doesn't really help either.
-
Well I'm making progress, I at least have nginx responding when I hit the page with An error occurred during a connection to 192.168.1.100:5601. SSL received a record that exceeded the maximum permissible length.
Error code: SSL_ERROR_RX_RECORD_TOO_LONG
server {
    listen 80;
    listen [::]:80;
    listen 5601;
    listen [::]:5601;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443;
    ssl_certificate /etc/pki/tls/certs/kibana-access.pem;
    ssl_certificate_key /etc/pki/tls/private/kibana-access.key;
    access_log /var/log/nginx/nginx.access.log;
    error_log /var/log/nginx/nginx.error.log;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
        proxy_pass http://localhost:5601/;
    }
}
-
Without the 5601 ports and if I add under
server
ssl on;
the connection just never responds and times out.
-
Looks like a permissions issue for the kibana user.
Dec 18 09:08:25 wazuh.localdomain kibana[11090]: {"type":"log","@timestamp":"2019-12-18T14:08:25Z","tags":["fatal","root"],"pid":11090,"message":"{ Error: EACCES: permission denied, open '/etc/pki/tls/private/kibana-access.key'\n at Object.openSync (fs.js:439:3)\n at readFileSync (fs.js:344:35)\n at getServerOptions (/usr/share/kibana/src/core/server/http/http_tools.js:81:33)\n at HttpServer.setup (/usr/share/kibana/src/core/server/http/http_server.js:68:60)\n at HttpService.runNotReadyServer (/usr/share/kibana/src/core/server/http/http_service.js:137:26)\n at HttpService.setup (/usr/share/kibana/src/core/server/http/http_service.js:60:18)\n errno: -13,\n syscall: 'open',\n code: 'EACCES',\n path: '/etc/pki/tls/private/kibana-access.key' }"}
Dec 18 09:08:25 wazuh.localdomain kibana[11090]: FATAL Error: EACCES: permission denied, open '/etc/pki/tls/private/kibana-access.key'
Looking into that.
-
Finally got the website to respond via ssl at
https://192.168.1.100:5601/kibana
but I didn't get greeted with a nginx login page. . .
-
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
Well I'm making progress, I at least have nginx responding when I hit the page with An error occurred during a connection to 192.168.1.100:5601. SSL received a record that exceeded the maximum permissible length.
Error code: SSL_ERROR_RX_RECORD_TOO_LONG
server {
    listen 80;
    listen [::]:80;
    listen 5601;
    listen [::]:5601;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443;
    ssl_certificate /etc/pki/tls/certs/kibana-access.pem;
    ssl_certificate_key /etc/pki/tls/private/kibana-access.key;
    access_log /var/log/nginx/nginx.access.log;
    error_log /var/log/nginx/nginx.error.log;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
        proxy_pass http://localhost:5601/;
    }
}
Why are you listening on 5601?
proxy_pass http://localhost:5601/;
will redirect 5601 to 443
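A lint for the configuration quoted above, as an added example that is not part of any post: it flags `listen` lines on the port that `proxy_pass` targets and 443 listeners that lack the `ssl` parameter. A browser that opens `https://` against a listener answering in plain HTTP reports SSL_ERROR_RX_RECORD_TOO_LONG. The function name and finding labels are illustrative.

```sh
#!/bin/sh
# Added example: find nginx listeners that answer TLS clients in plaintext.
# Sample input: the configuration quoted in the thread.
SAMPLE_CONF='server {
    listen 80;
    listen [::]:80;
    listen 5601;
    listen [::]:5601;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443;
    ssl_certificate /etc/pki/tls/certs/kibana-access.pem;
    ssl_certificate_key /etc/pki/tls/private/kibana-access.key;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
        proxy_pass http://localhost:5601/;
    }
}'

lint_listeners() {
    # stdin: nginx configuration text; stdout: one finding per line.
    awk '
    $1 == "listen" {
        spec = $2; sub(/;$/, "", spec)
        port = spec; sub(/^.*:/, "", port)          # "[::]:443" -> "443"
        n++; specs[n] = spec; ports[n] = port
        istls[n] = ($0 ~ /[ \t]ssl[ \t;]/)          # ssl is set per listen line
    }
    $1 == "proxy_pass" {
        up = $2; sub(/\/?;$/, "", up); sub(/^.*:/, "", up)
        upstream[up] = 1                            # port nginx forwards to
    }
    END {
        for (i = 1; i <= n; i++) {
            if (ports[i] in upstream)
                print "UPSTREAM-PORT listen " specs[i] " is the port proxy_pass targets"
            else if (ports[i] == "443" && !istls[i])
                print "PLAINTEXT listen " specs[i] " has no ssl parameter"
        }
    }'
}

printf '%s\n' "$SAMPLE_CONF" | lint_listeners
```
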
-
@IRJ said in Kibana Wazuh Agent isn't showing anything in integrity:
@DustinB3403 said in Kibana Wazuh Agent isn't showing anything in integrity:
Well I'm making progress, I at least have nginx responding when I hit the page with An error occurred during a connection to 192.168.1.100:5601. SSL received a record that exceeded the maximum permissible length.
Error code: SSL_ERROR_RX_RECORD_TOO_LONG
server {
    listen 80;
    listen [::]:80;
    listen 5601;
    listen [::]:5601;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443;
    ssl_certificate /etc/pki/tls/certs/kibana-access.pem;
    ssl_certificate_key /etc/pki/tls/private/kibana-access.key;
    access_log /var/log/nginx/nginx.access.log;
    error_log /var/log/nginx/nginx.error.log;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
        proxy_pass http://localhost:5601/;
    }
}
Why are you listening on 5601?
proxy_pass http://localhost:5601/;
will redirect 5601 to 443
That is no longer in the file, I was testing with it. The below is current.
server {
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443;
    ssl on;
    ssl_certificate /etc/pki/tls/certs/kibana-access.pem;
    ssl_certificate_key /etc/pki/tls/private/kibana-access.key;
    access_log /var/log/nginx/nginx.access.log;
    error_log /var/log/nginx/nginx.error.log;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
        proxy_pass http://localhost:5601/;