Posts
-
Containers (Docker) vs VMs - When and Why?
When are you deploying via containers in your environment? Is it for ease of deployment and updates, and what are your thoughts on performance vs VMs?
-
HIDS for Docker Host
I am in the process of configuring wazuh for docker hosts. I would like to brainstorm a bit on here and figure out what may be important to monitor on these hosts vs standard VMs.
Some of the things I have come up with so far:
- Changes to any containers - create, start, stop, delete, etc.
- Any privilege escalation - Docker containers should never be run as root. If root access is somehow achieved within the container, they will have root access to the host. So any sudo or commands run as root would be REALLY bad.
- File Integrity Monitoring - Files should not change on hosts outside normal maintenance windows. Any file change on the host that isn't a log file or temp directory could be a really bad thing.
So I am also monitoring all the same stuff I would on a normal host. I am just trying to think of any security challenges that may be unique to Docker hosts.
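An added example (mine, not from the post) of how those three items map onto a Wazuh agent configuration. The docker-listener wodle, localfile and syscheck elements are Wazuh's own; the directory list, the intervals and the decision to leave /var/lib/docker unmonitored are my assumptions for a typical Docker host:

```xml
<!-- Added example, not from the original post: ossec.conf fragments for a Wazuh agent on a Docker host.
     Assumes a Wazuh 3.x agent; paths and intervals below are my choices, not Wazuh defaults. -->
<ossec_config>
  <!-- 1. Container changes: the docker-listener wodle subscribes to the Docker events API
       and forwards create/start/stop/destroy (and exec) events to the manager. -->
  <wodle name="docker-listener">
    <interval>10m</interval>
    <attempts>5</attempts>
    <run_on_start>yes</run_on_start>
    <disabled>no</disabled>
  </wodle>

  <!-- 2. Privilege escalation on the host: sudo and su activity lands in auth.log and is
       matched by the manager's stock sudo/su rules once the file is collected. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <!-- 3. FIM: realtime monitoring of the daemon config, unit files and system binaries.
       /var/lib/docker is deliberately left out; image layer writes would drown the alerts. -->
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <directories check_all="yes" realtime="yes">/etc/docker,/etc/default,/etc/systemd/system</directories>
    <directories check_all="yes" realtime="yes">/usr/bin,/usr/sbin,/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore type="sregex">.log$|.swp$</ignore>
  </syscheck>
</ossec_config>
```

The docker-listener wodle only works if the agent can read the Docker socket and the docker Python package is installed on the host, which is what the Wazuh documentation calls for; the container events then show up under the docker rule group on the manager, so the "who started what" question is answered there rather than from syscheck.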
-
-
RE: Can someone help explain this alias part to me?
@travisdh1 said in Can someone help explain this alias part to me?:
@IRJ That User_Alias is just another way to group users together within the sudoers file. Just ignore that part and use the standard system groups if you need to grant sudo permissions to multiple people. Typically wheel.
Within the sudoers file, uncomment or add
%wheel ALL=(ALL) ALL
Then add users to the wheel group
usermod -aG wheel USERNAME
That should be it, unless you need to lock things down to only running certain programs. Which is still simple, but gets tedious if you aren't managing servers with a state management system of some sort.
Yeah I am trying to use minimum permission on this account. I will use groups instead of the alias thing though. Good idea
-
RE: Cannot SSH using public key
@DustinB3403 said in Cannot SSH using public key:
Why wouldn't you use ssh-copy-id to get the key to the public scan_user?
I copied the key to my box that way, and I am still getting the same error. In practice, that is no different than what I was doing anyway. Maybe fewer steps, but same as specifying a key, right?
-
RE: Cannot SSH using public key
@stacksofplates said in Cannot SSH using public key:
Also what distro are you logging into?
Using Ubuntu and trying to follow their broken guide :pouting_face:
https://tenable.force.com/s/article/SSH-Public-Key-Authentication
-
RE: Cannot SSH using public key
@DustinB3403 said in Cannot SSH using public key:
Technically the guide I see here is showing RSA key pairs and not dsa, even though the instructions say to use
ssh-keygen -t dsa
. . .
This will create the following 2 files: /home/scan_man/.ssh/new_id_rsa.pub ===> Public Key, /home/scan_man/.ssh/new_id_rsa ===> Private Key
Yeah those guides are fucked. This the second one I am following today and the second one that is completely fucked up.
-
RE: Cannot SSH using public key
@travisdh1 said in Cannot SSH using public key:
@IRJ said in Cannot SSH using public key:
@DustinB3403 said in Cannot SSH using public key:
Technically the guide I see here is showing RSA key pairs and not dsa, even though the instructions say to use
ssh-keygen -t dsa
. . .
This will create the following 2 files: /home/scan_man/.ssh/new_id_rsa.pub ===> Public Key, /home/scan_man/.ssh/new_id_rsa ===> Private Key
Yeah those guides are fucked. This the second one I am following today and the second one that is completely fucked up.
/agree
I figured the first one out. I guess I should make guides here once I am done, because the interwebs does not have any good documentation for this and Tenable has really screwed up.
-
RE: How to configure SSH Keys for Nessus
Updated for 100% automation. Tested on Ubuntu 18.04 and Ubuntu 16.04
-
RE: How to configure SSH Keys for Nessus
@travisdh1 said in How to configure SSH Keys for Nessus:
Thanks for posting this. I know how interesting their instructions are thanks to your adventures yesterday.
You'd think this would be super important to them. I guess everyone just uses password auth with sudo access :man_shrugging:
Or maybe they just use windows :man_facepalming:
-
RE: How to configure SSH Keys for Nessus
@DustinB3403 said in How to configure SSH Keys for Nessus:
@IRJ said in How to configure SSH Keys for Nessus:
Or maybe they just use windows
Those licenses aren't that expensive compared to the 15 seconds it takes to setup key access, right?
Sure, but it took me half a day with terrible documentation.
I can understand some kb articles that are outdated/broken, but you would think account setup would be an extremely important article that is maintained and tested at least quarterly. Whoever wrote that article not only had incorrect information, but they seemed to have never made a blog post before.
Sometimes explanations came before or after the listed command, and some things had no explanations at all. It wasn't even consistent throughout the article.
-
RE: Folder Monitor and notify
Wazuh will do this for you. The configuration is different on Windows, but the monitoring is the same.
-
RE: Wazuh Manager Install - Ubuntu
@wirestyle22 said in Wazuh Manager Install - Ubuntu:
A few things:
The manager label is wrong. It says manger instead of manager.
@IRJ said in Wazuh Manager Install - Ubuntu:
Install Filebeat
There are two entries for "Install Filebeat"
I tried to install Filebeat going command by command and it can't find it.
Thanks I fixed the guide.
What you need to do is this:
#***********************************************************
# Install GPG keys and add repository
#***********************************************************
curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-6.x.list
#***********************************************************
# APT Update
#***********************************************************
sudo apt update
#***********************************************************
# Install Filebeat
#***********************************************************
sudo apt install -y filebeat=6.7.1
#***********************************************************
# Download Filebeat config file to forward logs
#***********************************************************
sudo curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/3.8/extensions/filebeat/filebeat.yml
#***********************************************************
# Edit Filebeat config file to point to Elastic Server IP (in this lab environment I am using 127.0.0.1)
#***********************************************************
sudo sed -i 's/YOUR_ELASTIC_SERVER_IP/192.168.122.181/' /etc/filebeat/filebeat.yml
#***********************************************************
# Start Filebeat service and configure it to automatically start at boot
#***********************************************************
sudo systemctl daemon-reload
sudo systemctl enable filebeat.service
sudo systemctl start filebeat.service
Make sure to change 192.168.122.181 to your IP, or to localhost if you are using a single server for Wazuh and ELK.
-
RE: Email server options
@Obsolesce said in Email server options:
Maybe if you factor in labor, cost of Windows and MS management, time etc, perhaps cloud is better?
Those are the very reasons for cloud solutions....lol
-
RE: Wazuh - Agents.Error. globalAgent is null
@wrx7m said in Wazuh - Agents.Error. globalAgent is null:
I didn't get the error when looking at the list of agents today. Looks like the update or reboot of the Wazuh server fixed it.
I know this is a necropost, but it's good to mention that mismatched versions of manager and agent will almost always cause issues. It is recommended to comment out the repository until you are ready to update agents and manager at the same time.
-
RE: Help finding pid file for a service
Welp found another solution that is working
#***********************************************************
# Monitoring wazuh agent
#***********************************************************
check process wazuh-execd matching "ossec-execd"
check process wazuh-agentd matching "ossec-agentd"
check process wazuh-syscheckd matching "ossec-syscheckd"
check process wazuh-logcollector matching "ossec-logcollector"
check process wazuh-modulesd matching "wazuh-modulesd"
When I stop it, I now get an email.
-
Zabbix and ELK integration?
@black3dynamite mentioned zabbix when I was testing monit last week. monit works great for what I want to do, but it does not have any json logs out of the box, so it does not integrate well with ELK. I want to monitor a few services on a small network, so I wasn't really looking forward to spinning up a new server for this. However, if Zabbix has decent ELK integration out of the box, it may be worth it.
-
LEMP , WP , SSL install and configuration on Ubuntu 18.04
Install Nginx
sudo apt install -y nginx
Install and Configure Maria DB
sudo apt install -y mariadb-server
sudo systemctl enable mariadb
sudo systemctl start mariadb
Setup WP database
sudo mysql_secure_installation
# root@localhost uses unix_socket auth on Ubuntu's MariaDB, so the client has to run as root
sudo mysql -u root -p
Then create database and user
CREATE DATABASE wp_db;
CREATE USER wpuser IDENTIFIED BY 'Passw0rd2';
GRANT ALL ON wp_db.* TO `wpuser`;
Install Certbot
sudo apt install python-certbot-nginx -y
Install PHP
# php-fpm goes first so the php metapackage does not pull in Apache (libapache2-mod-php) on an nginx host
sudo apt install -y php-fpm
sudo apt install -y php php-pear php-dev php-zip php-curl php-xmlrpc php-gd php-mysql php-mbstring php-xml
Configure PHP
sudo sed -i '/cgi.fix_pathinfo=1/c\cgi.fix_pathinfo=0' /etc/php/7.2/fpm/php.ini
sudo tee -a /etc/php/7.2/fpm/php.ini > /dev/null <<'EOF'


;***********************************************************
; Wordpress Settings
;***********************************************************
upload_max_filesize = 500M
post_max_size = 2000M
memory_limit = 2000M
max_execution_time = 120
EOF
# php-fpm has to be restarted for the php.ini changes to take effect
sudo systemctl restart php7.2-fpm
Create Website Configuration
sudo tee /etc/nginx/sites-available/mywebsite.com > /dev/null <<'EOF'
server {
    listen 80;
    listen [::]:80;
    root /var/www/html;
    index index.php index.html index.htm;
    server_name mywebsite.com www.mywebsite.com;
    client_max_body_size 500M;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location = /favicon.ico { log_not_found off; access_log off; }
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { expires max; log_not_found off; }
    location = /robots.txt { allow all; log_not_found off; access_log off; }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
EOF
Configure site link for nginx
sudo ln -s /etc/nginx/sites-available/mywebsite.com /etc/nginx/sites-enabled/
sudo rm -f /etc/nginx/sites-available/default
sudo rm -f /etc/nginx/sites-enabled/default
# validate the config before restarting so a typo does not take the site down
sudo nginx -t && sudo systemctl restart nginx
Install Wordpress
# -O (capital) names the output file; lowercase -o only names a log file
sudo wget https://wordpress.org/latest.tar.gz -O /var/www/html/latest.tar.gz
sudo tar -zxvf /var/www/html/latest.tar.gz -C /var/www/html/ --strip-components=1
sudo rm -f /var/www/html/latest.tar.gz
sudo cp /var/www/html/wp-config-sample.php /var/www/html/wp-config.php
Set permissions
sudo chown -R www-data:www-data /var/www/html/*
sudo chmod -R 755 /var/www/html/*
Set WP config
# database_name_here is the DB_NAME placeholder and username_here is the DB_USER placeholder in wp-config-sample.php
sudo sed -i "/database_name_here/c\define( 'DB_NAME', 'wp_db' );" /var/www/html/wp-config.php
sudo sed -i "/username_here/c\define( 'DB_USER', 'wpuser' );" /var/www/html/wp-config.php
sudo sed -i "/password_here/c\define( 'DB_PASSWORD', 'Passw0rd2' );" /var/www/html/wp-config.php
Install SSL
Note: you must point your DNS to this server before completing this step. Otherwise you will not be able to prove domain ownership.
sudo certbot --nginx -m [email protected] -d mywebsite.com -d www.mywebsite.com
-
RE: Massive speed increase when switching WordPress from apache to nginx
@stacksofplates said in Massive speed increase when switching WordPress from apache to nginx:
I've always found NGINX to be much lighter weight and performant than Apache.
My website is ultra fast now. https://cloudsecuritylife.com
Almost instant loading
-
RE: Massive speed increase when switching WordPress from apache to nginx
I also should mention that I used yui-compressor on js files.
-
RE: Massive speed increase when switching WordPress from apache to nginx
@scottalanmiller said in Massive speed increase when switching WordPress from apache to nginx:
@IRJ said in Massive speed increase when switching WordPress from apache to nginx:
@stacksofplates said in Massive speed increase when switching WordPress from apache to nginx:
I've always found NGINX to be much lighter weight and performant than Apache.
My website is ultra fast now. https://cloudsecuritylife.com
Almost instant loading
That does load fast!
I went from about 3-4 seconds load time to about 700ms in total. Nginx and nginx caching is most of the difference, but yui-compressor on all the js files helped some, too!