how to block malicious ip addresses in wazuh agent machines


B21DCAT138_NGÔ VĂN NAM

Oct 4, 2023, 6:29:17 AM10/4/23
to Wazuh | Mailing List
Hi Wazuh Team,
I configured Wazuh to block malicious IP addresses from accessing the web server. Now I want to configure Wazuh to block malicious IP addresses on Wazuh agent machines. What should I do?

Antonio Kim (Wazuh)

Oct 4, 2023, 6:46:16 AM10/4/23
to Wazuh | Mailing List
Hi B21DCAT138_NGÔ VĂN NAM,

Thanks for using Wazuh.

To configure Wazuh to block malicious IP addresses on Wazuh agent machines, you can follow these steps:

  1. Update Wazuh Rules:

    • Ensure that you have the latest set of Wazuh rules installed. You can update your rules using the Wazuh manager.
    • The rules should contain definitions for detecting malicious activities, such as brute force attacks or other suspicious behavior from specific IP addresses.
  2. Modify Rules Configuration:

    • Modify the rules configuration to include specific conditions that define what constitutes a malicious IP address. For example, you might want to block IP addresses that have a high number of failed login attempts.
    • You can customize rules or create custom rules for your specific use case.
  3. Implement Active Responses:

    • Configure active responses in your Wazuh rules. Active responses allow Wazuh to take automated actions when specific conditions are met.
    • In this case, you can configure an active response to block the malicious IP addresses detected by your rules. For example, you can use firewall rules to block incoming traffic from those IP
Here you have some official documentation:
Decoders and Rules
Active Response

This documentation might be helpful for you as well; it's a step-by-step guide for what you're trying to achieve.

If you have any questions, feel free to ask.

Antonio
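The configuration the reply describes, as an added example that is not part of the thread and not Wazuh's own documentation: a custom threshold rule plus an active response that runs on the agent which raised the alert. Element names and the `firewall-drop` script follow the Wazuh 4.x manager defaults as I know them; rule ids 5716 and 5712 are from the default sshd ruleset, while 100100 is a constructed custom id.

```xml
<!-- Added example (not from the thread). Two fragments for the Wazuh MANAGER. -->

<!-- /var/ossec/etc/rules/local_rules.xml : define what "too many failures" means -->
<group name="local,sshd,">
  <!-- 5716 = "sshd: authentication failed" (default rule). Fire once 5 such
       events arrive from the same source IP within 60 seconds. -->
  <rule id="100100" level="10" frequency="5" timeframe="60">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>sshd: repeated authentication failures from the same source IP</description>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf : active-response section -->
<ossec_config>
  <!-- firewall-drop ships with every agent under /var/ossec/active-response/bin/
       and inserts a DROP rule for the alert's srcip in the host firewall. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- location "local" runs the command on the agent that generated the alert,
       which is what blocks the IP on the agent machine rather than on the
       manager. The timeout makes the block stateful: the firewall rule is
       removed after 600 s, so a shared or spoofed source address is not
       locked out permanently. Triggers on the custom rule and on the
       default brute-force rule 5712. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100,5712</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

After restarting wazuh-manager, a matching alert should produce an "added" entry in the agent's /var/ossec/logs/active-responses.log followed by a "deleted" entry once the timeout expires, and the DROP rule is visible in the agent's firewall listing in between.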