Wazuh Default change


John Carry

Apr 4, 2023, 1:23:44 AM
to Wazuh mailing list
Dear Wazuh Team,
Just to confirm, and to get your suggestion: is it good practice to change the Wazuh default port, like changing 1515 to a dynamic port > 49151?

The scenario in our case is that we have public reachability to our Wazuh server, and that's the business requirement, and we want to at least mitigate the risk by changing the default port to something less obvious.


Matias Braida

Apr 4, 2023, 6:25:43 AM
to Wazuh mailing list
Hello John,

First of all, thanks for using Wazuh.

Changing default port numbers is a good practice when forwarding ports.
It will give a little extra protection against non-targeted, opportunistic and amateur-type attacks.

But it is not a strong defense against targeted attacks or if your computer is port scanned.

So if you are planning to forward ports, take a look at the Wazuh default port numbers:
https://documentation.wazuh.com/current/getting-started/architecture.html#required-ports

Hope this helps,
Regards

John Carry

Apr 5, 2023, 12:26:51 AM
to Wazuh mailing list
Hello Matias,
Thanks for the explanation. As previously mentioned, please let us know the recommended method to change the default port, i.e. 1515 in our case, that would result in no operational or performance issues.

Matias Braida

Apr 5, 2023, 10:50:04 AM
to Wazuh mailing list
Hello John,

The communication between the manager and the agents involves 2 ports:
* authd listening port (1515 as the default value). This port is used by agents for enrollment purposes.
* remoted listening port (1514 as the default value). This port is used by agents to send events to the manager after the enrollment process is complete.

These 2 ports are the ones you need to forward and the ones that agents must reach. To operate successfully, both manager and agents must have the same port numbers configured.

To set in manager configuration the listening "authd" port number, use this setting: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/auth.html#port
To set in agent configuration the manager server "authd" port number, use this setting: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/client.html#enrollment-manager-port

To set in manager configuration the listening "remoted" port number, use this setting: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/remote.html#port
To set in agent configuration the manager server "remoted" port number, use this setting: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/client.html?#port


As the ports are going to be public, some additional security options are recommended.

- If agent enrollment is automatic (via authd port), then additional security options are recommended:
https://documentation.wazuh.com/current/user-manual/agent-enrollment/security-options/index.html

- Also agent enrollment could be manual (via manager API). This option requires more configuration work on agents, but this way, you don't need to expose authd port (default 1515).
https://documentation.wazuh.com/current/user-manual/agent-enrollment/via-manager-API/index.html

Hope this gives you more information to make a better design decision,
Regards
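
The reply above notes that manager and agents must be configured with the same port numbers. The following check is an added example, not part of the thread and not Wazuh's own code: it compares the four `ossec.conf` port settings linked in the reply. The ports 51514/51515 and the hostname `wazuh.example.com` are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Constructed sample manager config: both listeners moved off the defaults.
MANAGER_CONF = """<ossec_config>
  <remote><connection>secure</connection><port>51514</port></remote>
</ossec_config>
<ossec_config>
  <auth><port>51515</port></auth>
</ossec_config>"""

# Constructed sample agent config: enrollment still points at the default 1515.
AGENT_CONF = """<ossec_config>
  <client>
    <server><address>wazuh.example.com</address><port>51514</port></server>
    <enrollment><port>1515</port></enrollment>
  </client>
</ossec_config>"""

DEFAULTS = {"remoted": 1514, "authd": 1515}
PATHS = {  # service -> (manager setting, agent setting)
    "remoted": (".//remote/port", ".//client/server/port"),
    "authd": (".//auth/port", ".//client/enrollment/port"),
}

def _parse(text):
    # ossec.conf may hold several <ossec_config> blocks; wrap them in one root.
    return ET.fromstring(f"<root>{text}</root>")

def _port(root, path, default):
    # A missing <port> element means the default port applies.
    node = root.find(path)
    return int(node.text.strip()) if node is not None and node.text else default

def check_ports(manager_text, agent_text):
    """Return one message per service whose manager and agent ports differ."""
    m, a = _parse(manager_text), _parse(agent_text)
    problems = []
    for svc, (mpath, apath) in PATHS.items():
        mp = _port(m, mpath, DEFAULTS[svc])
        ap = _port(a, apath, DEFAULTS[svc])
        if mp != ap:
            problems.append(f"{svc}: manager listens on {mp}, agent targets {ap}")
    return problems

if __name__ == "__main__":
    for line in check_ports(MANAGER_CONF, AGENT_CONF):
        print(line)
```
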