show code js

2025年8月22日 星期五

Wazuh SIEM

#Env Workstation, Ubuntu, Docker

:Install
# find last version
project: https://github.com/wazuh/wazuh-docker

#install git
git clone https://github.com/wazuh/wazuh-docker.git -b v4.12.0

cd wazuh-docker/single-node/

#change manager port 443(left) to your port
#modify memory limit find -Xms -Xmx 1 to 8 <= 50%
modify docker-compose.yml

sudo docker-compose -f generate-indexer-certs.yml run --rm generator

#-d backend run
sudo docker-compose up -d

#firewall config
TCP *9200, *1514, *1515, x 1516(array), *514, *55000, *9443
UPD x1514(no need), *514

sudo ufw allow 9200/tcp
sudo ufw allow 1514/tcp
sudo ufw allow 1515/tcp
#sudo ufw allow 1516/tcp x
sudo ufw allow 514/tcp
sudo ufw allow 55000/tcp
sudo ufw allow 9443/tcp
#sudo ufw allow 1514/udp x
sudo ufw allow 514/udp

#open https://ip:your_port or space(443) check status
#use default account admin and password SecretPassword to login

:Agent install, Windows or Ubuntu

Windows:install Agent and modify ip point to wazuh ip before start service

Linux:
linux agent: https://documentation.wazuh.com/current/installation-guide/wazuh-agent/wazuh-agent-package-linux.html

sudo -s

#check curl be install

GPG Key:
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

REPO:
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

sudo apt-get update

CONFIG:
sudo apt-get install gnupg apt-transport-https

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -

#echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

INSTALL: 0.0.0.0 is your wazuh ip
WAZUH_MANAGER="0.0.0.0" apt-get install wazuh-agent

#if happen error is:The list of sources could not be read.
sudo nano /etc/apt/sources.list.d/wazuh.list, keep only one line as below:

deb [signed-by=/etc/apt/keyrings/wazuh-archive-keyring.gpg] https://packages.wazuh.com/4.x/apt/ stable main

sudo apt-get update

WAZUH_MANAGER="0.0.0.0" apt-get install wazuh-agent

SERVICE:
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

STOP UPDATE: agent update use manager control panel
sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list

sudo apt-get update

echo "wazuh-agent hold" | dpkg --set-selections
=================
sudo nano /var/ossec/etc/ossec.conf
#<ossec_config>
<client>
<server>
<address>Wazuh_IP</address>

sudo tail -f /var/ossec/logs/ossec.log

:flooded
connect wazuh server
sudo docker ps, see NAMES
sudo docker exec -it single-node_wazuh.manager_1 /bin/bash

#yum install nano -y

nano /var/ossec/etc/ossec.conf
# modify 3 to 5
<alerts>
<log_alert_level>5</log_alert_level>
</alerts>

#create Group:Server,Linux(Server) and ...default(PCs)

:general device
cd /var/ossec/etc/shared/default
nano internal_options.conf
#file content below
agent.buffer_send_interval=300
agent.buffer_max_events=1000
agent.buffer_flush_size=1024
queue_size=32768

#if you need after add it
logall=no
log_level=2
rule_level=5
log_alert_level=5

:import device
cd /var/ossec/etc/shared/[Group Name]
nano internal_options.conf
#file content below
agent.buffer_send_interval=60
agent.buffer_max_events=1000
agent.buffer_flush_size=1024
queue_size=32768

#if you need after add it
logall=no
log_level=2

/var/ossec/bin/wazuh-control restart

:client update
on agent client
/var/ossec/bin/agent_control -u
tail -n 50 /var/ossec/logs/ossec.log
see INFO: Downloaded file '/default/internal_options.conf'

:alarm log
connect wazuh server
sudo docker ps, see NAMES
sudo docker exec -it single-node_wazuh.manager_1 /bin/bash

cd /var/ossec/etc/rules
nano local_rules.xml

# set number law <rule id="110001 ...110002 ....
<group name="windows,byself">
  <rule id="110001" level="0">
    <if_sid>wazuh:rule.id</if_sid>
    <match>full_log keyword</match>
    <description>event info</description>
    <group>byself</group>
  </rule>
</group>

/var/ossec/bin/wazuh-control restart
at 沒有留言:
Labels: , , ,

2025年2月8日 星期六

modify openwebui open file will happen error when user not admin

  • backup files.py

sudo docker exec -it open-webui /bin/bash cd /app/backend/open_webui/routers/ cp files.py files1.py
  • modify files.py
sudo docker cp open-webui:/app/backend/open_webui/routers/files.py files.py sudo nano files.py find all  if file and (file.user_id == user.id or user.role == "admin"): and add front remark like this #if file and (file.user_id == user.id or user.role == "admin"): and add code under this line if file:
  • replace files.py
sudo docker cp files.py open-webui:/app/backend/open_webui/routers/files.py
at 沒有留言:
Labels: , ,

2025年1月29日 星期三

docker clean

 #remove old container and images

  • run all container
  • remove old container and images,volume
  • docker system prune
  • docker volume prune
  • docker builder prune
  • stop all container{docker stop $(docker ps -q)}
  • stop docker desktop{Stop-Process -Name "Docker Desktop"}
  • wsl --shutdown
  • Optimize-VHD -Path C:\Users\yourname\AppData\Local\Docker\wsl\data\ext4.vhdx -Mode Full
  • Optimize-VHD -Path C:\Users\yourname\AppData\Local\Docker\wsl\main\ext4.vhdx -Mode Full
  • wsl
  • start docker desktop{Start-Process "Docker Desktop"}
  • start all container{docker start $(docker ps -aq)}

at 沒有留言:
Labels: ,

searxng

  • docker pull searxng/searxng
  • docker run -d -p 4000:8080 -e "BASE_URL=http://localhost:4000/" -e "INSTANCE_NAME=searxng" searxng/searxng

at 沒有留言:
Labels: , , ,

Install docker on ubuntu

  • sudo apt update
  • sudo apt install apt-transport-https ca-certificates curl software-properties-common
  • curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
  • sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
  • sudo apt update
  • sudo apt install docker-ce
  • sudo docker run hello-world
  • sudo apt install docker-compose

at 沒有留言:
Labels: ,

Fail2ban for ubuntu

 

  • sudo apt install fail2ban -y
  • sudo systemctl enable fail2ban
  • sudo systemctl start fail2ban
  • sudo systemctl status fail2ban

  • sudo -s
  • cd /etc/fail2ban/
  • sudo cp fail2ban.conf fail2ban.local
  • sudo cp jail.conf jail.local

at 沒有留言:
Labels: ,
訂閱: 文章 (Atom)