Is there any method to prevent removing the wazuh agent from server


YASHWANTH S

Nov 28, 2023, 12:39:32 AM11/28/23
to Wazuh | Mailing List
Hi 

If a person has logged in to the Wazuh client server and has removed the Wazuh agent from that server to prevent it from being monitored completely,

is there any way to prevent this, or any SSH hardening methods for it?

Please let me know if there is.


Thanks and Regards 
Yashwanth.S

Stuti Gupta

Nov 28, 2023, 1:36:09 AM11/28/23
to Wazuh | Mailing List
Hi Yashwanth,
Hope you are doing well, and thank you for using Wazuh.

Yes, there are several ways to prevent unauthorized removal of the Wazuh agent and harden the SSH server to protect against unauthorized access. Here are some recommended steps:

Blocking SSH brute-force attack with active response: Wazuh uses the active response module to run scripts or executables on a monitored endpoint, taking action on certain triggers. You can simulate an SSH brute-force attack against a RHEL endpoint and configure the active response module to block the IP address of the attacker endpoint. The goal is to prevent SSH brute-force attacks. https://documentation.wazuh.com/current/user-manual/capabilities/active-response/ar-use-cases/blocking-ssh-brute-force.html

Disabling a Linux user account with active response: Without knowledge of the password for an account, an adversary might opt to systematically guess the password using a repetitive or iterative mechanism. You can configure the disable-account active response to disable a Linux/Unix account subject to brute-force attacks. Wazuh uses the disable-account active response on Linux/Unix endpoints to disable the account for the user in the dstuser field of a Wazuh alert. https://documentation.wazuh.com/current/user-manual/capabilities/active-response/ar-use-cases/disabling-user-account.html

File integrity monitoring: File Integrity Monitoring (FIM) helps in auditing sensitive files and meeting regulatory compliance requirements. Wazuh has an inbuilt FIM module that monitors file system changes to detect the creation, modification, and deletion of files. The Wazuh FIM module detects changes in monitored directories on Ubuntu and Windows endpoints. The Wazuh FIM module enriches alert data by fetching information about the user and process that made the changes using who-data audit. https://documentation.wazuh.com/current/proof-of-concept-guide/poc-file-integrity-monitoring.html

Root user access monitoring: Wazuh can be used to monitor whether the SSH configuration file allows root user access. You can use Wazuh to check that this file is configured NOT to allow root user login. If it turns out to be the contrary, we will see that an alert will be triggered. https://wazuh.com/blog/root-user-access-monitoring-with-ossec/

CDB list: Blocking a known malicious actor: You can block malicious IP addresses from accessing web resources on a web server. You set up Apache web servers on Ubuntu and Windows endpoints, and try to access them from an RHEL endpoint. This is like a public IP reputation database that contains the IP addresses of some malicious actors. An IP reputation database is a collection of IP addresses that have been flagged as malicious. The RHEL endpoint plays the role of the malicious actor here, therefore you add its IP address to the reputation database. Then, configure Wazuh to block the RHEL endpoint from accessing web resources on the Apache web servers for 60 seconds. It's a way of discouraging attackers from continuing to carry out their malicious activities. You use the Wazuh CDB list and active response capabilities. https://documentation.wazuh.com/current/proof-of-concept-guide/block-malicious-actor-ip-reputation.html

Using password authentication: This method requires a password during the enrollment process to ensure that agents enrolled with the Wazuh manager are authenticated. In the case where the deployment architecture is using a multi-node cluster, ensure that password authorization is enabled on each manager node. This prevents unauthorized agent enrollment through an unsecured manager node. https://documentation.wazuh.com/current/user-manual/agent-enrollment/security-options/using-password-authentication.html

Hope this helps,
Regards.
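As an added illustration of how the FIM and agent-lifecycle alerts mentioned above surface an agent removal on the manager side (example code written for this thread, not part of Wazuh or of either post), the script below triages lines from the manager's alerts.json. It assumes the stock rule IDs 504 (agent disconnected), 506 (agent stopped) and 553 (file deleted), the default /var/ossec install path, and the `syscheck.audit` fields that who-data adds; check these against your own ruleset before relying on them.

```python
"""Triage Wazuh manager alerts for signs that an agent was tampered with."""
import json
from typing import Optional

# Assumed stock Wazuh rule IDs; verify against your ruleset.
AGENT_LIFECYCLE_RULES = {"504": "agent disconnected", "506": "agent stopped"}
FIM_DELETE_RULE = "553"
AGENT_PATH_PREFIX = "/var/ossec/"  # default Linux agent install directory


def classify(alert: dict) -> Optional[dict]:
    """Return a triage record if the alert points at agent removal, else None."""
    rule_id = str(alert.get("rule", {}).get("id", ""))
    agent = alert.get("agent", {}).get("name", "?")
    if rule_id in AGENT_LIFECYCLE_RULES:
        return {"agent": agent, "kind": AGENT_LIFECYCLE_RULES[rule_id],
                "actor": None, "process": None, "path": None}
    sc = alert.get("syscheck", {})
    if rule_id == FIM_DELETE_RULE and sc.get("path", "").startswith(AGENT_PATH_PREFIX):
        audit = sc.get("audit", {})  # only present when who-data is enabled
        return {"agent": agent, "kind": "agent file deleted",
                "actor": audit.get("effective_user", {}).get("name"),
                "process": audit.get("process", {}).get("name"),
                "path": sc["path"]}
    return None


def triage(lines) -> list:
    """Parse one JSON alert per line, skipping blank or truncated lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # alerts.json may end in a partially written line
        rec = classify(alert)
        if rec:
            records.append(rec)
    return records


# Constructed sample alerts: an unrelated SSH login, a who-data FIM deletion
# of the agent's config, the agent-stopped event, and one garbled line.
SAMPLE_ALERTS = [json.dumps(a) for a in (
    {"rule": {"id": "5715"}, "agent": {"name": "web-01"}},
    {"rule": {"id": "553"}, "agent": {"name": "web-01"},
     "syscheck": {"path": "/var/ossec/etc/ossec.conf", "event": "deleted",
                  "audit": {"effective_user": {"name": "root"},
                            "process": {"name": "/usr/bin/rm"}}}},
    {"rule": {"id": "506"}, "agent": {"name": "web-01"}},
)] + ["{not json"]
```

Running `triage(SAMPLE_ALERTS)` yields two records for web-01: the deletion of ossec.conf attributed to root via /usr/bin/rm, followed by the agent-stopped event.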