@kemal-tunc said in Wazuh when I write the rule I encounter with a problem (Nmap Scripting:

unfortunately didn't show

ip - - [02/Jul/2020:14:14:40 +0000] "HEAD /modelsearch/login.cfm HTTP/1.1" 404 1374 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"

/var/log/apache2/access.log

<group name="NMAP_Security_Correlations,">
<rule id="100100" level="5">
<match>Nmap Scripting Engine</match>
<description>NMap Scripting Engine Detected</description>
<location>/var/log/apache2/access.log</location>
</rule>
</group>

wazuh-manager restart done

You need to restart agents, too

@kemal-tunc said in Wazuh when I write the rule I encounter with a problem (Nmap Scripting:

What log file is storing this?

apache

If I replace nginx section with apache?

Yeah just change the location to match apache log

You do not need a decoder for this, just create a new rule file like the one above.

<!-- ################################### -->
<!-- # NMAP Detection Rule                   #  -->
<!-- ################################### -->


<group name="NMAP_Security_Correlations,">

  <rule id="100100" level="5">
    <match>Nmap Scripting Engine</match>
    <description>NMap Scripting Engine Detected</description>
    <location>/var/log/nginx/access.log</location>
  </rule>

</group>

If using NGINX, you could also just block this and not worry about alerting on it. Just add that to your NGINX configuration file.

if ($http_user_agent ~* (nmap scripting engine) {
    return 403
}

Ok so you are trying to detect when someone uses NMap scripting engine....

What log file is storing this?

Are you just verifying it works? ICMP is disabled in windows firewall quite often, and really isn't necessary.

VLAN them and use ACLs that don't even all them to communicate with any other hosts. Allow them only to reach out straight to the vendor outbound and no inbound connections whatsoever.

You pretty much need to treat them as compromised

@JaredBusch said in Vultr Mobile App:

@IRJ said in Vultr Mobile App:

You aren't asking the right questions. You are saying "How do I specfically do X?" not "What is the best way to achieve my desired results?."

Managing instances from a mobile is just a bad idea, I understand you are out and about and you may need to run a remote command or two on your mobile. Managing the console does nothing to help you. What you really need is SSH. There are apps that let you save SSH commands so if you needed to restart your database service you could save the command and it do it with a single click. You can automate updates that way or you can use something like unattended-upgrades to automatically do that for you.

In no scenario do I see having an app for Vultr being beneficial. Let us know what problem you are actually trying to solve.

You are missing the point. He was managing the instances. Not the server running in the instances.

What is he managing that he can't do from ssh?

You aren't asking the right questions. You are saying "How do I specfically do X?" not "What is the best way to achieve my desired results?."

Managing instances from a mobile is just a bad idea, I understand you are out and about and you may need to run a remote command or two on your mobile. Managing the console does nothing to help you. What you really need is SSH. There are apps that let you save SSH commands so if you needed to restart your database service you could save the command and it do it with a single click. You can automate updates that way or you can use something like unattended-upgrades to automatically do that for you.

In no scenario do I see having an app for Vultr being beneficial. Let us know what problem you are actually trying to solve.

@gjacobse said in Vultr Mobile App:

Thanks @scottalanmiller; I could see the need for me to use it more as I don’t have access to a network in which I can access it for much of the day. Working for home, I can’t say I would ever need it. But as I can’t access it from the State network, I’m limited to my mobile device. And while it’s accessible via a web browser, on a mobile device (phone or tablet) an app could be ‘easier’ maybe.

Or just use Ssh from your phone. Why do you need to access the management interface ever?