
Friday, August 22, 2025

Wazuh SIEM

#Env: workstation, Ubuntu, Docker

:Install
# find the latest release tag here
project: https://github.com/wazuh/wazuh-docker

#install git, then clone the release you want (v4.12.0 here)
git clone https://github.com/wazuh/wazuh-docker.git -b v4.12.0

cd wazuh-docker/single-node/

#edit docker-compose.yml:
# - dashboard port: change 443 (host side, left of the colon) to the port you want to use
# - indexer memory: find the -Xms and -Xmx values and set both to the same size, 1g up to 8g and never more than 50% of host RAM
modify docker-compose.yml

#generate the TLS certificates for indexer, manager and dashboard
sudo docker-compose -f generate-indexer-certs.yml run --rm generator

#-d runs the stack in the background
sudo docker-compose up -d

#firewall config (what each port is for; open only what agents and admins actually need)
# TCP 9200  indexer API             TCP 1514  agent traffic
# TCP 1515  agent enrollment        TCP 1516  manager cluster, not needed on a single node (x)
# TCP 514   syslog                  TCP 55000 manager API
# TCP 9443  dashboard (the host port chosen above)
# UDP 514   syslog                  UDP 1514  not needed, agents use TCP by default (x)
# 9200 and 55000 only have to be reachable from where you administer the stack, not from every agent network

sudo ufw allow 9200/tcp
sudo ufw allow 1514/tcp
sudo ufw allow 1515/tcp
#sudo ufw allow 1516/tcp x
sudo ufw allow 514/tcp
sudo ufw allow 55000/tcp
sudo ufw allow 9443/tcp
#sudo ufw allow 1514/udp x
sudo ufw allow 514/udp

#open https://ip:your_port (leave the port out if you kept 443) and check the status
#log in with the default account admin / SecretPassword, then change it: the default
#passwords are public, and the wazuh-docker README documents how to change them

:Agent install, Windows or Ubuntu

Windows: install the agent and point it at the Wazuh manager IP before starting the service.

Linux:
linux agent: https://documentation.wazuh.com/current/installation-guide/wazuh-agent/wazuh-agent-package-linux.html

sudo -s

#check that curl is installed

GPG key:
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

REPO (run this once: tee -a appends, so every rerun adds another copy of the line):
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

sudo apt-get update

CONFIG (older alternative; apt-key is deprecated on current Ubuntu, prefer the signed-by keyring above):
sudo apt-get install gnupg apt-transport-https

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -

#echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

INSTALL: replace 0.0.0.0 with your Wazuh manager IP
WAZUH_MANAGER="0.0.0.0" apt-get install wazuh-agent

#if apt fails with "The list of sources could not be read", the list file has more than one
#entry (or a malformed one). Edit it and keep only one line; the signed-by path must be the
#keyring the key was actually imported into (/usr/share/keyrings/wazuh.gpg above), a path
#that does not exist makes apt reject the entry:
sudo nano /etc/apt/sources.list.d/wazuh.list

deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main

sudo apt-get update

WAZUH_MANAGER="0.0.0.0" apt-get install wazuh-agent

SERVICE:
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

STOP UPDATE: agent upgrades are pushed from the manager console, so comment out the repo and hold the package so a plain apt upgrade does not touch it
sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list

sudo apt-get update

echo "wazuh-agent hold" | dpkg --set-selections
=================
#to point an installed agent at a different manager, edit the client block:
sudo nano /var/ossec/etc/ossec.conf
<ossec_config>
  <client>
    <server>
      <address>Wazuh_IP</address>
    </server>
  </client>
</ossec_config>

#then restart the wazuh-agent service and watch the log for the connection:
sudo tail -f /var/ossec/logs/ossec.log
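As an added example (not from the Wazuh documentation or this post), the agent-side steps above as one script that can be rerun safely: the repository line is written once instead of appended with tee -a (rerunning the commands above is what leaves apt with several copies of the entry and the "list of sources could not be read" complaint), the signed-by path is the keyring the key was imported into, the GPG key is downloaded to a file before import so a failed download cannot be imported as an empty key, and the package is held afterwards so upgrades come only from the manager. Assumed: Debian/Ubuntu with apt; WAZUH_MANAGER_IP is a placeholder environment variable introduced here. The file helpers run anywhere, the enrolment function needs root and network.

```shell
#!/usr/bin/env bash
# Added example, not Wazuh's own tooling: idempotent agent repo setup and hold.
set -eu

WAZUH_KEYRING="${WAZUH_KEYRING:-/usr/share/keyrings/wazuh.gpg}"
WAZUH_LIST="${WAZUH_LIST:-/etc/apt/sources.list.d/wazuh.list}"
WAZUH_REPO="https://packages.wazuh.com/4.x/apt/"

# The single deb entry apt should see; $1 is the keyring the key was imported into.
wazuh_repo_line() {
    printf 'deb [signed-by=%s] %s stable main\n' "$1" "$WAZUH_REPO"
}

# Overwrite (not append) the sources file so exactly one Wazuh entry remains.
normalize_wazuh_sources() {  # $1 list file, $2 keyring path
    wazuh_repo_line "$2" > "$1"
    chmod 644 "$1"
}

# True when the file has exactly one active (non-comment, non-blank) line.
sources_has_single_entry() {
    local n
    n=$(grep -cvE '^[[:space:]]*(#|$)' "$1" || true)
    [ "$n" -eq 1 ]
}

# The STOP UPDATE step from the notes, and its reverse for a deliberate upgrade.
disable_wazuh_repo() { sed -i 's/^deb/#deb/' "$1"; }
enable_wazuh_repo()  { sed -i 's/^#deb/deb/' "$1"; }

# Full enrolment; needs root, network, and the manager address.
wazuh_agent_enroll() {
    local manager="$1" keytmp
    keytmp=$(mktemp)
    # Download to a file first: with curl piped straight into gpg a failed
    # download would be silently "imported" as nothing.
    curl -fsS -o "$keytmp" https://packages.wazuh.com/key/GPG-KEY-WAZUH
    gpg --no-default-keyring --keyring "gnupg-ring:$WAZUH_KEYRING" --import "$keytmp"
    rm -f "$keytmp"
    chmod 644 "$WAZUH_KEYRING"
    normalize_wazuh_sources "$WAZUH_LIST" "$WAZUH_KEYRING"
    apt-get update
    WAZUH_MANAGER="$manager" apt-get install -y wazuh-agent
    systemctl daemon-reload
    systemctl enable --now wazuh-agent
    # Upgrades are driven from the manager, so take the repo out of apt's hands.
    disable_wazuh_repo "$WAZUH_LIST"
    echo "wazuh-agent hold" | dpkg --set-selections
}

# Usage: sudo WAZUH_MANAGER_IP=10.0.0.5 bash wazuh-agent-enroll.sh
if [ -n "${WAZUH_MANAGER_IP:-}" ] && [ "$(id -u)" -eq 0 ]; then
    wazuh_agent_enroll "$WAZUH_MANAGER_IP"
fi
```

To upgrade an agent from apt on purpose later, call enable_wazuh_repo on the list file, remove the hold with `echo "wazuh-agent install" | dpkg --set-selections`, and disable it again afterwards.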

:flooded (too many low-level alerts from chatty agents)
connect to the Wazuh server
sudo docker ps, note the manager container under NAMES
sudo docker exec -it single-node_wazuh.manager_1 /bin/bash

#the manager image has no editor
#yum install nano -y

nano /var/ossec/etc/ossec.conf
# raise log_alert_level from the default 3 to 5: alerts below level 5 are no longer written to alerts.log
<alerts>
  <log_alert_level>5</log_alert_level>
</alerts>

#create agent groups in the dashboard, e.g. Server and Linux for the servers; the default group holds the PCs
#files placed under /var/ossec/etc/shared/<group> are pushed to every agent in that group

:general devices (default group)
cd /var/ossec/etc/shared/default
nano internal_options.conf
#file content below
agent.buffer_send_interval=300
agent.buffer_max_events=1000
agent.buffer_flush_size=1024
queue_size=32768

#add these only if you need them
logall=no
log_level=2
rule_level=5
log_alert_level=5

:important devices (named group, sends every 60 s instead of 300 s)
cd /var/ossec/etc/shared/[Group Name]
nano internal_options.conf
#file content below
agent.buffer_send_interval=60
agent.buffer_max_events=1000
agent.buffer_flush_size=1024
queue_size=32768

#add these only if you need them
logall=no
log_level=2

/var/ossec/bin/wazuh-control restart

:client update
on the agent
/var/ossec/bin/agent_control -u
tail -n 50 /var/ossec/logs/ossec.log
the line INFO: Downloaded file '/default/internal_options.conf' confirms the agent received the group file

:alert rules (custom rules)
connect to the Wazuh server
sudo docker ps, note the manager container under NAMES
sudo docker exec -it single-node_wazuh.manager_1 /bin/bash

cd /var/ossec/etc/rules
nano local_rules.xml

# custom rule ids must stay in the 100000-120000 range reserved for local rules; number yours 110001, 110002, ...
# if_sid is the numeric id of the built-in rule this one refines, match is a substring searched for in the full log
# level 0 means the event is ignored (no alert at all); give it 5 or more if it should show up with the log_alert_level set above
<group name="windows,byself">
  <rule id="110001" level="0">
    <if_sid>wazuh:rule.id</if_sid>
    <match>full_log keyword</match>
    <description>event info</description>
    <group>byself</group>
  </rule>
</group>

#rule changes load only after a manager restart
/var/ossec/bin/wazuh-control restart

Saturday, February 8, 2025

Modify Open WebUI: opening a file gives an error when the user is not an admin

  • back up files.py
    sudo docker exec -it open-webui /bin/bash
    cd /app/backend/open_webui/routers/
    cp files.py files1.py
  • modify files.py
    sudo docker cp open-webui:/app/backend/open_webui/routers/files.py files.py
    sudo nano files.py
    find every occurrence of
      if file and (file.user_id == user.id or user.role == "admin"):
    comment it out (put # in front of it) and add this line in its place:
      if file:
  • replace files.py
    sudo docker cp files.py open-webui:/app/backend/open_webui/routers/files.py

Be clear about what this changes: the line being commented out is the ownership check. With plain "if file:" any logged-in user can fetch any uploaded file by its id, not only their own, so only do this on an instance where every user may see every file. The patched copy lives inside the container and is lost on the next image update.

Wednesday, January 29, 2025

Install docker on ubuntu

  • sudo apt update
  • sudo apt install apt-transport-https ca-certificates curl software-properties-common
  • curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
    (apt-key is deprecated on current Ubuntu releases; Docker's own install page now puts the key in a keyring file referenced with signed-by, the same pattern as the Wazuh agent repo above)
  • sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
  • sudo apt update
  • sudo apt install docker-ce
  • sudo docker run hello-world
  • sudo apt install docker-compose
    (this is the Ubuntu-packaged v1 docker-compose, the command the Wazuh notes above use; the v2 plugin is invoked as docker compose)

Fail2ban for ubuntu

  • sudo apt install fail2ban -y
  • sudo systemctl enable fail2ban
  • sudo systemctl start fail2ban
  • sudo systemctl status fail2ban

  • sudo -s
  • cd /etc/fail2ban/
  • sudo cp fail2ban.conf fail2ban.local
  • sudo cp jail.conf jail.local
    (edit only the .local copies: the .conf files are replaced by package upgrades and .local overrides them; the jail.local settings are in the Fail2Ban With Ubuntu post below)

Tuesday, January 28, 2025

iRedMail Renew Cert

Connect to the mail server

  • check the current cert
    sudo openssl x509 -enddate -noout -in /etc/letsencrypt/live/your_domain/fullchain.pem
  • stop the services (standalone mode needs port 80 for itself, and nginx holds it)
    sudo systemctl stop nginx
    sudo systemctl stop postfix
    sudo systemctl stop dovecot
  • make sure port 80 is reachable from the internet (the HTTP-01 challenge arrives on it)
    open http on the firewall
    sudo ufw allow http
  • renew the cert
    sudo certbot certonly --standalone -d your_domain --preferred-challenges http
  • check the new expiry date
    sudo openssl x509 -enddate -noout -in /etc/letsencrypt/live/your_domain/fullchain.pem
  • close port 80 again
    sudo ufw delete allow http
    close http on the firewall
  • key permissions (recent certbot already creates privkey.pem as root with mode 600; this only makes sure)
    sudo chown root:root /etc/letsencrypt/live/your_domain/privkey.pem
    sudo chmod 600 /etc/letsencrypt/live/your_domain/privkey.pem
  • start the services
    sudo systemctl start nginx
    sudo systemctl start postfix
    sudo systemctl start dovecot

Auto Renew Config

  • sudo crontab -e
  • choose 1 (nano) and add this line at the end
    0 3 * * * /usr/bin/certbot renew --quiet && systemctl reload nginx postfix dovecot
  • save
  • caveat: certbot renew reuses the authenticator the cert was issued with. A cert issued with --standalone needs port 80 free, but nginx is listening there, so the unattended renewal fails. Either add --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" to the cron command, or re-issue once with --webroot -w /var/www/html (as in the iRedMail Old to New post below) so renewals go through the running nginx.
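An added example, not iRedMail's or the post's own: the stop/renew/start cycle above wrapped so it only runs when the certificate actually has fewer than 30 days left, because every run takes the mail server offline for the duration of the challenge, and so the firewall hole and the service stop are undone even when certbot fails. days_until takes an optional reference date so the arithmetic can be checked without a real certificate. Assumes GNU date (Ubuntu coreutils), openssl, ufw and certbot as in the notes; DOMAIN and the 30-day threshold are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): renew the iRedMail cert only
# when it is close to expiry, using the manual steps from the notes.
set -eu

DOMAIN="${DOMAIN:-your_domain}"
LIVE="/etc/letsencrypt/live/$DOMAIN"

# Print the notAfter field of a PEM certificate, e.g. "Jan 28 00:00:00 2026 GMT".
cert_not_after() {
    openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//'
}

# Whole days from $2 (default: now, UTC) until the date string in $1.
# Negative when $1 is already in the past.
days_until() {
    local target now
    target=$(date -u -d "$1" +%s)
    now=$(date -u -d "${2:-now}" +%s)
    echo $(( (target - now) / 86400 ))
}

# Exit 0 when the certificate in $1 expires within $2 days.
needs_renewal() {
    [ "$(days_until "$(cert_not_after "$1")")" -lt "$2" ]
}

# The manual procedure from the notes. Port 80 is opened only for the run
# and the services come back up whether or not certbot succeeded.
renew_mail_cert() {
    local rc=0
    systemctl stop nginx postfix dovecot
    ufw allow http
    certbot certonly --standalone -d "$DOMAIN" --preferred-challenges http || rc=$?
    ufw delete allow http
    systemctl start nginx postfix dovecot
    if [ "$rc" -eq 0 ]; then
        chown root:root "$LIVE/privkey.pem"
        chmod 600 "$LIVE/privkey.pem"
    fi
    return "$rc"
}

# Usage (as root): DOMAIN=mail.example.com bash renew-mail-cert.sh
if [ "$(id -u)" -eq 0 ] && [ -f "$LIVE/fullchain.pem" ]; then
    if needs_renewal "$LIVE/fullchain.pem" 30; then
        renew_mail_cert
    else
        echo "$DOMAIN: $(days_until "$(cert_not_after "$LIVE/fullchain.pem")") days left, nothing to do"
    fi
fi
```

Run it from the same 03:00 cron slot instead of a bare certbot renew: most nights it prints the days left and exits, and mail is only interrupted on the one night a renewal is due.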

Sunday, December 29, 2024

postgresql

  • Ubuntu 24.04: install PostgreSQL (version 16 in this release)
  • sudo apt install postgresql postgresql-contrib  > answer Y
  • sudo systemctl enable postgresql.service
  • sudo systemctl start postgresql.service
  • test
    • sudo -i -u postgres
    • psql
    • \q
    • exit
  • create user
    • sudo -i -u postgres
    • createuser --interactive
    • > myuser
    • > n, n, n  (not a superuser, may not create databases, may not create roles)
  • createdb -O myuser mydb  (owned by the user; since PostgreSQL 15 GRANT ALL on the database alone does not give CREATE on the public schema, ownership does)
  • psql
    • sudo -u postgres psql
    • ALTER USER myuser WITH PASSWORD 'pass';
    • GRANT ALL PRIVILEGES ON DATABASE mydb TO myuser;
    • \q
  • connect config
    • sudo nano /etc/postgresql/16/main/postgresql.conf
      • listen_addresses = '*'  (or, better, only the address clients connect to)
    • sudo nano /etc/postgresql/16/main/pg_hba.conf
      • in the IPv4 section add one line:  host    <db>    <user>    <client IP/CIDR>    <method>
      • method: scram-sha-256 (the default password_encryption since PostgreSQL 14; md5 still works), trust means no password at all and must never be used for anything but loopback
    • reload or restart postgresql after editing both files
  • firewall config
    • sudo ufw enable  (there is no "ufw start"; enable both turns it on and makes it persistent)
    • sudo ufw allow ssh  (do this before enabling ufw on a remote box)
    • sudo ufw allow 5432/tcp  (opens the port to everyone; restrict the rule to the client network that pg_hba.conf allows)
    • sudo ufw status numbered
    • sudo ufw logging on
  • debug when you cannot connect
    • sudo lsof -i :5432  (is postgres listening on the external address, or only on 127.0.0.1?)
    • test the connection from the client
    • psql -h out_host -U user -d database
  • Note
    • $ sudo -u postgres psql
    • postgres=# CREATE DATABASE yourdbname;
    • postgres=# CREATE USER youruser WITH ENCRYPTED PASSWORD 'yourpass';
    • postgres=# GRANT ALL PRIVILEGES ON DATABASE yourdbname TO youruser;
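An added example, not from the PostgreSQL docs or the original post: the pg_hba.conf "host" line from the connect config above built with its fields checked, refusing the combinations that turn a database into an open service (trust over the network, a 0.0.0.0/0 client range, an unknown method), together with the ufw rule scoped to the same client range instead of a world-open "allow 5432/tcp". Assumes PostgreSQL 16 on Ubuntu 24.04 as in the notes; mydb, myuser and the 192.0.2.0/24 range are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not the project's own tooling): checked pg_hba.conf line and
# matching ufw rule for remote PostgreSQL access.
set -eu

# Validate an IPv4 CIDR such as 192.0.2.0/24: four numeric octets <= 255,
# prefix length 0-32. Pure POSIX shell so it runs under sh as well as bash.
is_ipv4_cidr() {
    local ip="${1%/*}" pfx="${1#*/}" o
    [ "$ip" != "$1" ] || return 1                     # no "/" at all
    case "$pfx" in ''|*[!0-9]*|???*) return 1 ;; esac  # 1-2 digits only
    [ "$pfx" -le 32 ] || return 1
    [ "$(printf '%s' "$ip" | tr -cd '.' | wc -c | tr -d ' ')" -eq 3 ] || return 1
    for o in $(printf '%s' "$ip" | tr '.' ' '); do
        case "$o" in ''|*[!0-9]*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Print one pg_hba.conf line, or fail with the reason on stderr.
pg_hba_host_line() {  # $1 db, $2 user, $3 client CIDR, $4 auth method
    local db="$1" user="$2" cidr="$3" method="$4"
    is_ipv4_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
    [ "$cidr" != "0.0.0.0/0" ] || { echo "refusing world-open pg_hba entry" >&2; return 1; }
    case "$method" in
        scram-sha-256) ;;                                  # PG14+ default password_encryption
        md5) echo "note: md5 still works, prefer scram-sha-256" >&2 ;;
        trust)
            # No password at all: acceptable for loopback only.
            [ "$cidr" = "127.0.0.1/32" ] || { echo "refusing trust for $cidr" >&2; return 1; } ;;
        *) echo "unsupported method: $method" >&2; return 1 ;;
    esac
    printf 'host    %-12s %-12s %-18s %s\n' "$db" "$user" "$cidr" "$method"
}

# ufw rule matching the pg_hba entry: only that client range reaches 5432.
pg_ufw_rule() {
    printf 'ufw allow from %s to any port 5432 proto tcp\n' "$1"
}

# Usage (as root), appending to the PG16 config and reloading, no restart needed:
#   pg_hba_host_line mydb myuser 192.0.2.0/24 scram-sha-256 >> /etc/postgresql/16/main/pg_hba.conf
#   pg_ufw_rule 192.0.2.0/24 | sh
#   systemctl reload postgresql
```

The check after editing is the same one the notes use: lsof -i :5432 to see the listener, then psql -h from a host inside the allowed range and once from outside it, which should be refused by ufw before PostgreSQL ever sees the connection.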

install ubuntu

  • install Ubuntu 24.04.1
  • sudo apt-get install openssh-server
  • sudo systemctl start ssh
  • sudo systemctl enable ssh
  • sudo ufw allow ssh  (allow ssh before enabling ufw on a remote box, or you lock yourself out)
  • sudo ufw enable
  • sudo reboot
  • sudo apt update && sudo apt upgrade -y  (refresh the package lists first, then upgrade)

Wednesday, October 30, 2024

iRedMail Old to New

Ubuntu 24.04

Install iRedMail: https://docs.iredmail.org/install.iredmail.on.debian.ubuntu.html

Check: "Important things you MUST know after installation" in the iRedMail docs

Conf: https://docs.iredmail.org/file.locations.html

Addition: https://spiderd.io/

  • Roundcube webmail: https://your_server/mail/
  • SOGo Groupware: https://your_server/SOGo
  • Web admin panel (iRedAdmin): https://your_server/iredadmin/
Ubuntu:
  • sudo systemctl enable ufw
  • sudo ufw allow smtps
  • sudo ufw allow pop3s  (ufw takes one service per allow; "ufw allow smtps pop3s" is rejected)
  • sudo reboot
Use the old DKIM key: https://docs.iredmail.org/sign.dkim.signature.for.new.domain.html#use-existing-dkim-key-for-new-mail-domain
  • copy the key from oldsvr (/var/lib/dkim/domain.com.pem) to the same path on newsvr (use sudo su); the amavis user must be able to read it and nobody else should
  • on newsvr edit /etc/amavis/conf.d/50-user and insert the block below before the "# Disclaimer settings" line (compare the oldsvr values in /etc/amavisd/amavisd.conf)
    dkim_key('domain.com', 'dkim', '/var/lib/dkim/domain.com.pem');
    @dkim_signature_options_bysender_maps = ({
        # 'd' defaults to a domain of an author/sender address,
        # 's' defaults to whatever selector is offered by a matching key
        # Per-domain dkim key
        #"domain.com"  => { d => "domain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
        # catch-all (one dkim key for all domains)
        '.' => {d => 'domain.com',
                   a => 'rsa-sha256',
                   c => 'relaxed/simple',
                   ttl => 30*24*3600 },
        });
  • sudo reboot
  • sudo amavisd testkeys  (every key must report pass; a fail means the DNS selector record and the pem do not match)
Fail2Ban
  • modify /etc/fail2ban/jail.local
  • modify /etc/postfix/helo_access.pcre
  • sudo su, cd /opt/iredapd/tools
    on oldsvr: python wblist_admin.py --list --whitelist  (lists the whitelisted IPs and domains)
    on newsvr: sudo python3 wblist_admin.py --list --whitelist
    >> on newsvr, for each entry from oldsvr: sudo python3 wblist_admin.py --add --whitelist <ip or domain>
Create Cert

Let's Encrypt offers a FREE SSL certificate.
https://docs.iredmail.org/letsencrypt.html
  • sudo apt install -y certbot
  • sudo certbot certonly --webroot --dry-run -w /var/www/html -d mail.domain.com  (dry run first: it validates the webroot setup against the staging environment without using up a rate-limited issuance)
  • sudo certbot certonly --webroot -w /var/www/html -d mail.domain.com
Backup Cert
  • mv /etc/ssl/certs/iRedMail.crt /etc/ssl/certs/iRedMail.crt.bak
  • mv /etc/ssl/private/iRedMail.key /etc/ssl/private/iRedMail.key.bak
Use New Cert (symlinks, so later renewals under /etc/letsencrypt/live are picked up after a service reload)
  • ln -s /etc/letsencrypt/live/mail.domain.com/fullchain.pem /etc/ssl/certs/iRedMail.crt
  • ln -s /etc/letsencrypt/live/mail.domain.com/privkey.pem /etc/ssl/private/iRedMail.key
Restart Service
  • sudo systemctl restart postfix dovecot nginx

Wednesday, November 23, 2022

Fail2Ban With Ubuntu

 Fail2Ban


1. sudo apt install fail2ban -y

2. sudo systemctl status fail2ban.service

3. cd /etc/fail2ban

4. sudo cp jail.conf jail.local

5. sudo nano jail.local

modify bantime, findtime and maxretry in the [DEFAULT] section

for each jail you want, change enabled = false to enabled = true (or add the line)

find [sshd] and add the line enabled = true after it

find [nginx-http-auth] and add the line enabled = true after it

6. sudo systemctl enable fail2ban.service

7. sudo systemctl start fail2ban.service

8. sudo systemctl status fail2ban.service


If fail2ban fails to start with that jail.local (a full copy of jail.conf is easy to break while editing), replace it with a minimal one that only overrides what you need:

1. sudo rm jail.local

2. sudo nano jail.local

[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log

maxretry = 5
findtime = 60m
bantime  = 60m

(on Ubuntu 24.04 there is no /var/log/auth.log unless rsyslog is installed; drop the logpath line there so fail2ban's Debian default backend, systemd, reads the journal instead)

from:

https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-20-04
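An added example, not from the DigitalOcean tutorial or this blog, covering both the "Fail2ban for ubuntu" notes above and this post: the minimal jail.local is rendered from a function so the retry/ban values are set in one place, and a small reader resolves a setting the way fail2ban does (a jail's own value wins, otherwise [DEFAULT] applies), so the file can be checked before the service is restarted. Assumes Ubuntu paths and the values from the notes (5 retries within 60m, 60m ban); the ignoreip list is a placeholder for your own management addresses. On Ubuntu 24.04 without rsyslog, pass an empty logpath so the journal backend is used.

```shell
#!/usr/bin/env bash
# Added example (not fail2ban's own tooling): render and read back jail.local.
set -eu

# Render jail.local. $5 (logpath) may be empty: then the line is omitted and
# the Debian default backend for sshd (systemd journal) applies.
render_jail_local() {  # $1 maxretry, $2 findtime, $3 bantime, $4 ignoreip list, $5 sshd logpath
    cat <<EOF
[DEFAULT]
ignoreip = $4
maxretry = $1
findtime = $2
bantime  = $3

[sshd]
enabled = true
port    = ssh
filter  = sshd
EOF
    [ -z "$5" ] || printf 'logpath = %s\n' "$5"
    cat <<EOF

[nginx-http-auth]
enabled = true
EOF
}

# Resolve key $3 for jail $2 in file $1: the jail's own value if it has one,
# otherwise the [DEFAULT] value. Fails (prints nothing) when neither exists.
jail_get() {
    local v
    v=$(awk -v sect="$2" -v key="$3" '
        /^\[/ { cur = substr($0, 2, length($0) - 2); next }
        $1 == key && $2 == "=" {
            val = $3; for (i = 4; i <= NF; i++) val = val " " $i
            if (cur == sect) js = val; else if (cur == "DEFAULT") dv = val
        }
        END { print (js != "" ? js : dv) }' "$1")
    [ -n "$v" ] && printf '%s\n' "$v"
}

# Exit 0 only when every jail named in $2.. is enabled in file $1.
jails_enabled() {
    local f="$1" j; shift
    for j in "$@"; do
        [ "$(jail_get "$f" "$j" enabled 2>/dev/null || true)" = "true" ] || return 1
    done
}

# Usage on a real host (as root): write the file, let fail2ban test it, then restart.
#   render_jail_local 5 60m 60m "127.0.0.1/8 ::1 203.0.113.10" /var/log/auth.log > /etc/fail2ban/jail.local
#   fail2ban-client -t && systemctl restart fail2ban
#   fail2ban-client status sshd
```

fail2ban-client -t parses the configuration without starting the service, which is the quick way to tell a broken jail.local from a missing log file before touching the running daemon.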

AWS VPS

Create an AWS account


Sign up for the free tier

https://aws.amazon.com/tw/free/


Choose an EC2 instance and launch it

1、set the instance name

2、choose Ubuntu

3、storage: up to 30GB is covered by the free tier

4、create a key pair and download its private key (the .pem file)*


Connect

1、SSH client

2、log in with ssh using the key pair private key*


First update

1、sudo apt clean

2、sudo apt update -y

3、sudo apt upgrade -y

4、sudo apt-get clean

5、sudo apt-get update -y

6、sudo apt-get upgrade -y

7、sudo apt-get dist-upgrade -y

8、sudo apt-get autoremove -y

(apt and apt-get drive the same package system, so steps 1-3 and 4-6 repeat the same work; one pass is enough)


Install editor

1、sudo apt-get install nano -y


Confirm version

lsb_release -a