Wazuh Active Response Does Not Block IP Performing Brute Force Attacks


susui

Aug 16, 2022, 12:18:06 AM
to Wazuh mailing list
Hello, I have a question: how do I configure Active Response on Wazuh?

I've done the configuration as per this documentation, but when I try to simulate the attack on the agent, the log detects it but the active response does not take action such as IP blocking. Can you tell me the right steps to block IP addresses when a brute-force attack occurs? Please help.

Here I attach my ossec configuration. I'm using Ubuntu 22.04 and Wazuh version 4.3.6.


  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
    <executable>host-deny</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>route-null</name>
    <executable>route-null</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null</name>
    <executable>route-null.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>netsh</name>
    <executable>netsh.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!--
  <active-response>
    active-response options here
  </active-response>
  -->

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5763,5710,5712,5716,5503,2502</rules_id>
    <timeout>1800</timeout>
  </active-response>

Juan Cabrera

Aug 16, 2022, 5:47:10 AM
to Wazuh mailing list

Hello Susui,

I have tested your configuration and it works perfectly. After eight failed authentication attempts, the manager blocks that IP.

Have you restarted the manager to apply the configuration?

How did you do the test? In my case:

  • I check if there is connectivity between the attacker and the agent:
# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.216 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.426 ms

--- 10.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1030ms
  • I attempted to connect to the agent by SSH several times using an invalid user:
# ssh 10.0.0.1
ro...@10.0.0.1's password: 
Permission denied, please try again.
ro...@10.0.0.1's password: 
Permission denied, please try again.
ro...@10.0.0.1's password: 
ro...@10.0.0.1: Permission denied (publickey,password).
# ssh 10.0.0.1
ro...@10.0.0.1's password: 
Permission denied, please try again.
ro...@10.0.0.1's password: 
Permission denied, please try again.
ro...@10.0.0.1's password: 
ro...@10.0.0.1: Permission denied (publickey,password).
# ssh 10.0.0.1
ro...@10.0.0.1's password: 
Permission denied, please try again.
ro...@10.0.0.1's password: 
Permission denied, please try again.
ro...@10.0.0.1's password: 
ro...@10.0.0.1: Permission denied (publickey,password).
# ssh 10.0.0.1
ro...@10.0.0.1's password: 
Permission denied, please try again.
ro...@10.0.0.1's password: 
Permission denied, please try again.
ro...@10.0.0.1's password: 
ro...@10.0.0.1: Permission denied (publickey,password).
# ssh 10.0.0.1
ro...@10.0.0.1's password:
  • I see on the manager side the login failed alert:
** Alert 1660641596.28781: - syslog,sshd,authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2022 Aug 16 11:19:56 cabrera-Machine->/var/log/auth.log
Rule: 5760 (level 5) -> 'sshd: authentication failed.'
Src IP: 10.0.0.99
Src Port: 35184
User: root
Aug 16 11:19:56 cabrera-Machine sshd[28745]: Failed password for root from 10.0.0.99 port 35184 ssh2
  • After eight failed attempts, we see the brute force attack alert and the activation of active-response:
** Alert 1660641598.29743: - syslog,sshd,authentication_failures,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_SI.4,nist_800_53_AU.14,nist_800_53_AC.7,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2022 Aug 16 11:19:58 cabrera-Machine->/var/log/auth.log
Rule: 5763 (level 10) -> 'sshd: brute force trying to get access to the system. Authentication failed.'
Src IP: 10.0.0.99
Src Port: 35186
User: root
Aug 16 11:19:57 test-agent sshd[28786]: Failed password for root from 10.0.0.99 port 35186 ssh2
Aug 16 11:19:57 test-agent sshd[28786]: Failed password for root from 10.0.0.99 port 35186 ssh2
Aug 16 11:19:56 test-agent sshd[28745]: Failed password for root from 10.0.0.99 port 35184 ssh2
Aug 16 11:19:55 test-agent sshd[28745]: Failed password for root from 10.0.0.99 port 35184 ssh2
Aug 16 11:19:54 test-agent sshd[28708]: Failed password for root from 10.0.0.99 port 35182 ssh2
Aug 16 11:19:54 test-agent sshd[28708]: Failed password for root from 10.0.0.99 port 35182 ssh2
Aug 16 11:19:52 test-agent sshd[28660]: Failed password for root from 10.0.0.99 port 35180 ssh2
Aug 16 11:19:52 test-agent sshd[28660]: Failed password for root from 10.0.0.99 port 35180 ssh2

** Alert 1660641598.31002: - ossec,active_response,pci_dss_11.4,gpg13_4.13,gdpr_IV_35.7.d,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4,
2022 Aug 16 11:19:58 test-agent->/var/ossec/logs/active-responses.log
Rule: 651 (level 3) -> 'Host Blocked by firewall-drop Active Response'
2022/08/16 11:19:58 active-response/bin/firewall-drop: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2022-08-16T11:19:58.434+0200","rule":{"level":10,"description":"sshd: brute force trying to get access to the system. Authentication failed.","id":"5763","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8,"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss":["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"test-agent"},"manager":{"name":"test-agent"},"id":"1660641598.29743","previous_output":"Aug 16 11:19:57 test-agent sshd[28786]: Failed password for root from 10.0.0.99 port 35186 ssh2\nAug 16 11:19:56 test-agent sshd[28745]: Failed password for root from 10.0.0.99 port 35184 ssh2\nAug 16 11:19:55 test-agent sshd[28745]: Failed password for root from 10.0.0.99 port 35184 ssh2\nAug 16 11:19:54 test-agent sshd[28708]: Failed password for root from 10.0.0.99 port 35182 ssh2\nAug 16 11:19:54 test-agent sshd[28708]: Failed password for root from 10.0.0.99 port 35182 ssh2\nAug 16 11:19:52 test-agent sshd[28660]: Failed password for root from 10.0.0.99 port 35180 ssh2\nAug 16 11:19:52 test-agent sshd[28660]: Failed password for root from 10.0.0.99 port 35180 ssh2","full_log":"Aug 16 11:19:57 test-agent sshd[28786]: Failed password for root from 10.0.0.99 port 35186 ssh2","predecoder":{"program_name":"sshd","timestamp":"Aug 16 11:19:57","hostname":"test-agent"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"10.0.0.99","srcport":"35186","dstuser":"root"},"location":"/var/log/auth.log"},"program":"active-response/bin/firewall-drop"}}
  • I check if there is connectivity between the attacker and the agent:
# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
^C
--- 10.0.0.1 ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 10224ms

The IP has been blocked.

How did you simulate the attack?

Regards,
Juan Cabrera
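The active-responses.log line above shows what the agent-side script actually receives: wazuh-execd writes one JSON message (version 1, command "add", and later "delete" when the 1800 s timeout expires) on the script's stdin, and the script pulls the offender out of parameters.alert.data.srcip. The following is an added example, not the firewall-drop script shipped with the agent: a minimal stand-in that parses such a message, rejects anything that is not a plain IP literal, and builds the iptables/ip6tables command it would run. The SAMPLE_ADD message is constructed here, trimmed from the alert in the thread.

```python
import ipaddress
import json
import sys

# Constructed sample of the version-1 execd message, trimmed from the
# firewall-drop log line in the thread (only the fields the script needs).
SAMPLE_ADD = json.dumps({
    "version": 1,
    "origin": {"name": "node01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {"rule": {"id": "5763", "level": 10},
                  "data": {"srcip": "10.0.0.99", "srcport": "35186",
                           "dstuser": "root"}},
        "program": "active-response/bin/firewall-drop",
    },
})


def parse_message(raw):
    """Validate a version-1 execd message and return (command, srcip)."""
    msg = json.loads(raw)
    if msg.get("version") != 1:
        raise ValueError("unsupported active-response message version")
    command = msg.get("command")
    if command not in ("add", "delete"):
        raise ValueError("unknown command %r" % (command,))
    srcip = msg["parameters"]["alert"]["data"]["srcip"]
    # ip_address() raises ValueError for CIDRs, hostnames or shell metacharacters,
    # so a crafted log line can never become an argument to the firewall tool.
    return command, str(ipaddress.ip_address(srcip))


def iptables_argv(command, srcip):
    """argv the script would execute: add -> insert DROP rule, delete -> remove it."""
    binary = "ip6tables" if ipaddress.ip_address(srcip).version == 6 else "iptables"
    action = "-I" if command == "add" else "-D"
    return [binary, action, "INPUT", "-s", srcip, "-j", "DROP"]


if __name__ == "__main__":
    # Read the execd message from stdin like a real AR script; fall back to the
    # constructed sample when run interactively. Prints instead of executing.
    raw = sys.stdin.readline() if not sys.stdin.isatty() else SAMPLE_ADD
    cmd, ip = parse_message(raw)
    print(" ".join(iptables_argv(cmd, ip)))
```

Pipe the JSON line from active-responses.log into it to see which rule the block would add; in a real script the argv would be passed to subprocess.run, and the "delete" message arriving after the timeout removes the same rule.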


Jonathan José Levy Gil

Aug 22, 2022, 9:23:17 AM
to Wazuh mailing list
Hi Susui,

Also, the responses (scripts) are placed on the endpoint side; when you install the agent, some OOTB scripts will be included, for example firewall-drop.

Make sure they have the appropriate permissions and ownerships, like this:

[root@cent43-AIO-0-56-centos-8 ~]# ll /var/ossec/active-response/bin/
total 336
-rwxr-x---. 1 root wazuh 25010 May 31 22:19 default-firewall-drop
-rwxr-x---. 1 root wazuh 21551 May 31 22:19 disable-account
-rwxr-x---. 1 root wazuh 21971 May 31 22:19 firewalld-drop
-rwxr-x---. 1 root wazuh 25010 May 31 22:19 firewall-drop
-rwxr-x---. 1 root wazuh 22921 May 31 22:19 host-deny
-rwxr-x---. 1 root wazuh 20709 May 31 22:19 ip-customblock
-rwxr-x---. 1 root wazuh 21500 May 31 22:19 ipfw
-rwxr-x---. 1 root wazuh 20336 May 31 22:19 kaspersky
-rwxr-x---. 1 root wazuh 14429 May 31 22:19 kaspersky.py
-rwxr-x---. 1 root wazuh 21580 May 31 22:19 npf
-rwxr-x---. 1 root wazuh 21797 May 31 22:19 pf
-rwxr-x---. 1 root wazuh  1003 May 23 09:52 remove-threat.sh
-rwxr-x---. 1 root wazuh  1399 May 31 22:19 restart.sh
-rwxr-x---. 1 root wazuh 20340 May 31 22:19 restart-wazuh
-rwxr-x---. 1 root wazuh 20610 May 31 22:19 route-null
-rwxr-x---. 1 root wazuh 21517 May 31 22:19 wazuh-slack


Regards,