When are you deploying via containers in your environment? Is it for ease of deployment, updates, and what are your thoughts on performance vs VMs.

I am in the process of configuring wazuh for docker hosts. I would like to brainstorm a bit on here and figure out what may be important to monitor on these hosts vs standard VMs.

Some of the things I have come up with so far:

• Changes to any containers - create, start, stop, delete, etc

• Any privilege escalation - docker containers should never be run as root. If root access is some how achieved within the container, they will have root access to the host. So any sudo or commands run as root would be REALLY bad

• File Integrity Monitoring - Files should not change on hosts outside normal maintenance windows. Any file change on the host that isnt a log file or temp directory could be a really bad thing.

So I am also monitoring all the same stuff I would on a normal host. I am just trying to think of any security challenges that may be unique to docker hosts.

@travisdh1 said in Can someone help explain this alias part to me?:

@IRJ That User_Alias is just another way to group users together within the sudoers file. Just ignore that part and use the standard system groups if you need to grant sudo permissions to multiple people. Typically wheel.

Within the sudoers file, uncomment or add

 %wheel        ALL=(ALL)       ALL

Then add users to the wheel group

usermod -aG wheel USERNAME

That should be it, unless you need to lock things down to only running certain programs. Which is still simple, but get tedious if you aren't managing servers with a state management system of some sort.

Yeah I am trying to use minimum permission on this account. I will use groups instead of the alias thing though. Good idea

@DustinB3403 said in Cannot SSH using public key:

Why wouldn't you use ssh-copy-id to get the key to the public scan_user?

I copied the key to my box that way, and I am still getting same error. In practice, that is no different then what I was doing anyway. Maybe less steps, but same as specifying a key, right?

@stacksofplates said in Cannot SSH using public key:

Also what distro are you logging into?

Using Ubuntu and trying to follow their broken guide :pouting_face:

https://tenable.force.com/s/article/SSH-Public-Key-Authentication

@DustinB3403 said in Cannot SSH using public key:

Technically the guide I see here is showing RSA key pairs and not dsa, even though the instructions say to use

ssh-keygen -t dsa

. . .

This will create the following files 2 files;
/home/scan_man/.ssh/new_id_rsa.pub  ===> Public Key
/home/scan_man/.ssh/new_id_rsa  ===> Private Key

Yeah those guides are fucked. This the second one I am following today and the second one that is completely fucked up.

@travisdh1 said in Cannot SSH using public key:

@IRJ said in Cannot SSH using public key:

@DustinB3403 said in Cannot SSH using public key:

Technically the guide I see here is showing RSA key pairs and not dsa, even though the instructions say to use

ssh-keygen -t dsa

. . .

This will create the following files 2 files;
/home/scan_man/.ssh/new_id_rsa.pub  ===> Public Key
/home/scan_man/.ssh/new_id_rsa  ===> Private Key

Yeah those guides are fucked. This the second one I am following today and the second one that is completely fucked up.

/agree

I figured the first one out. I guess I should make guides here once I am done, because the interwebs does not have any good documentation for this and Tenable has really screwed up.

Updated for 100% automation. Tested on Ubuntu 18.04 and Ubuntu 16.04

@travisdh1 said in How to configure SSH Keys for Nessus:

Thanks for posting this. I know how interesting their instructions are thanks to your adventures yesterday.

You think this would be super important to them. I guess everyone just uses password auth with sudo access :man_shrugging:

Or maybe they just use windows :man_facepalming:

@DustinB3403 said in How to configure SSH Keys for Nessus:

@IRJ said in How to configure SSH Keys for Nessus:

Or maybe they just use windows

Those licenses aren't that expensive compared to the 15 seconds it takes to setup key access, right?

Sure, but it took me half a day with terrible documentation.

I can understand some kb articles that are outdated/broken, but you think account setup would be an extremely important article that is maintained and tested at least quarterly. Whoever wrote that article, did not only have incorrect information, but they seemed to have never made a blog post before.

Sometimes explanations came before or after the listed command, and some things had no explanations at all. It wasnt even consistent throughout the article.

Wazuh will do this for you. The configuration is different on windows, but the monitoring is the same.

@wirestyle22 said in Wazuh Manager Install - Ubuntu:

A few things:

The manager label is wrong. It says manger instead of manager.

@IRJ said in Wazuh Manager Install - Ubuntu:

Install Filebeat

There are two entries for "Install Filebeat"

I tried to install Filebeat going command by command and it can't find it.

Thanks I fixed the guide.

What you need to do is this:

#***********************************************************
#Install GPG keys and add repository
#***********************************************************

curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-6.x.list

#***********************************************************
# APT Update
#***********************************************************

sudo apt update

#***********************************************************
#Install Filebeat
#***********************************************************
sudo apt install -y filebeat=6.7.1

#***********************************************************
#Download Filebeat config file to forward logs
#***********************************************************

sudo curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/3.8/extensions/filebeat/filebeat.yml


#***********************************************************
#Edit Filebeat config file to point to Elastic Server IP (In this lab environment I am using 127.0.0.1)
#***********************************************************

sed -i 's/YOUR_ELASTIC_SERVER_IP/192.168.122.181/' /etc/filebeat/filebeat.yml

#***********************************************************
#Start Filebeat service and configure it to automatically start at boot
#***********************************************************
sudo systemctl daemon-reload
sudo systemctl enable filebeat.service
sudo systemctl start filebeat.service

make sure to change 192.168.122.181 with your ip or localhost if you are using a single server for wazuh and ELK

@Obsolesce said in Email server options:

Maybe if you factor in labor, cost of Windows and MS management, time etx, perhaps cloud is better?

Those are the very reasons for cloud solutions....lol

@wrx7m said in Wazuh - Agents.Error. globalAgent is null:

I didn't get the error when looking at the list of agents today. Looks like the update or reboot of the Wazuh server fixed it.

I know this is a necropost, but it's good to mention that mismatched version of manager and agent will almost always cause issues. It is recommended to comment out the repository until you are ready to update agents and manager at the same time.

Welp found another solution that is working

#***********************************************************
# Monitoring wazuh agent
#***********************************************************

check process wazuh-execd
        matching "ossec-execd"

check process wazuh-agentd
        matching "ossec-agentd"

check process wazuh-syscheckd
        matching "ossec-syscheckd"

check process wazuh-logcollector
        matching "ossec-logcollector"

check process wazuh-modulesd
        matching "wazuh-modulesd"

When i stop, I now get an email

@black3dynamite mentioned zabbix when I was testing monit last week. monit works great for what I want to do, but it does not have any json logs out of the box. So it does not integrate will with ELK.

I want to monitor a few services on a small network, so i wasnt really looking forward to spinning up a new server for this. However if Zabbix has decent ELK integration out of the box, it may be worth it.

---

Install Nginx

---

sudo apt install -y nginx

---

Install and Configure Maria DB

---

sudo apt install -y mariadb-server 
sudo systemctl enable mariadb
sudo systemctl start mariadb

---

Setup WP database

---

sudo mysql_secure_installation
mysql -u root -p

Then create database and user

CREATE DATABASE wp_db;
CREATE USER wpuser IDENTIFIED BY 'Passw0rd2';
GRANT ALL ON wp_db.* TO `wpuser`;

---

Install Certbot

---

sudo apt install python-certbot-nginx -y

---

Install PHP

---

sudo apt install -y php
sudo apt install -y php-pear php-fpm php-dev php-zip php-curl php-xmlrpc php-gd php-mysql php-mbstring php-xml libapache2-mod-php

---

Configure PHP

---

sudo sh -c "sed -i '/cgi.fix_pathinfo=1/c\cgi.fix_pathinfo=0' /etc/php/7.2/fpm/php.ini" 
sudo sh -c "echo '' >> /etc/php/7.2/fpm/php.ini"
sudo sh -c "echo '' >> /etc/php/7.2/fpm/php.ini"
sudo sh -c "echo ';***********************************************************' >> /etc/php/7.2/fpm/php.ini"
sudo sh -c "echo '; Wordpress Settings ' >> /etc/php/7.2/fpm/php.ini"
sudo sh -c "echo ';***********************************************************' >> /etc/php/7.2/fpm/php.ini"
sudo sh -c "echo 'upload_max_filesize = 500M' >> /etc/php/7.2/fpm/php.ini"
sudo sh -c "echo 'post_max_size = 2000M' >> /etc/php/7.2/fpm/php.ini"
sudo sh -c "echo 'memory_limit = 2000M' >> /etc/php/7.2/fpm/php.ini"
sudo sh -c "echo 'max_execution_time = 120' >> /etc/php/7.2/fpm/php.ini"

---

Create Website Configuration

---

sudo sh -c "cat > /etc/nginx/sites-available/mywebsite.com <<\EOF
server {
    listen 80;
    listen [::]:80;
    root /var/www/html;
    index  index.php index.html index.htm;
    server_name  mywebsite.com www.mywebsite.com;

    client_max_body_size 500M;

    location / {
        try_files \$uri \$uri/ /index.php?\$args;
    }
	
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }	

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }	

    location ~ \.php$ {
         include snippets/fastcgi-php.conf;
         fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
         fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
         include fastcgi_params;
    }
}
EOF
"

---

Configure site link for nginx

---

sudo sh -c "ln -s /etc/nginx/sites-available/mywebsite.com /etc/nginx/sites-enabled/"
sudo sh -c "rm -f /etc/nginx/sites-available/default"
sudo sh -c "rm -f /etc/nginx/sites-enabled/default"
sudo systemctl restart nginx

---

Install Wordpress

---

sudo sh -c "wget https://wordpress.org/latest.tar.gz -o /var/www/html/latest.tar.gz"
sudo sh -c "tar -zxvf latest.tar.gz -C /var/www/html/ --strip-components=1"
sudo sh -c "rm -rf /var/www/html/latest.tar.gz"
sudo sh -c "cp /var/www/html/wp-config-sample.php /var/www/html/wp-config.php"

---

Set permissions

---

sudo chown -R www-data:www-data /var/www/html/*
sudo chmod -R 755 /var/www/html/*

---

Set WP config

---

sudo sh -c "sed -i '/database_name_here/c\define\( '\''DB_USER'\'', '\''wpuser'\'' \);' /var/www/html/wp-config.php" 
sudo sh -c "sed -i '/username_here/c\define\( '\''DB_NAME'\'', '\''wp_db'\'' \);' /var/www/html/wp-config.php" 
sudo sh -c "sed -i '/password_here/c\define\( '\''DB_PASSWORD'\'', '\''Passw0rd2'\'' \);' /var/www/html/wp-config.php" 

---

Install SSL

---

Note: you must point your DNS to this server to your server before completing this step. Otherwise you will not be able to prove domain ownership

sudo certbot --nginx -m [email protected] -d mywebsite.com -d www.mywebsite.com

@stacksofplates said in Massive speed increase when switching WordPress from apache to nginx:

I've always found NGINX to be much lighter weight and performant than Apache.

My website is ultra fast now. https://cloudsecuritylife.com

Almost instant loading

I also should mention that I used yui-compressor on js files.

@scottalanmiller said in Massive speed increase when switching WordPress from apache to nginx:

@IRJ said in Massive speed increase when switching WordPress from apache to nginx:

@stacksofplates said in Massive speed increase when switching WordPress from apache to nginx:

I've always found NGINX to be much lighter weight and performant than Apache.

My website is ultra fast now. https://cloudsecuritylife.com

Almost instant loading

That does load fast!

I went from about 3-4 seconds load time to about 700ms in total. Nginx and nginx caching is most of the difference, but yui-compressor on all the js files helped some, too!