Wazuh proxy setup
2,522 views
Skip to first unread message
nandha kumar
Sep 15, 2022, 6:00:58 PM9/15/22
to Wazuh mailing list
Hi all ,
Available agents:
ID: 001, Name: 9a67a918182c.mylabserver.com, IP: 172.31.19.15
ID: 002, Name: 9a67a918183c.mylabserver.com, IP: 172.31.16.208
ID: 008, Name: 9a67a918184c.mylabserver.com, IP: 172.31.19.252
I have tried to setup agents on environment without internet access which connect to manager through proxy but i am going through few issues
1. Agents registered through proxy shows proxy ip address as source ip
2. If i set below forward settings to enable agent source ip its not working
http {
real_ip_header X-Forwarded-For
;
set_real_ip_from nginx_ip;
}
Wazuh Manager :
IP: 172.31.16.122/20
Hostname: puppet.mylabserver.com
#/var/ossec/bin/manage_agents -l
Available agents:
ID: 001, Name: 9a67a918182c.mylabserver.com, IP: 172.31.19.15
ID: 002, Name: 9a67a918183c.mylabserver.com, IP: 172.31.16.208
ID: 008, Name: 9a67a918184c.mylabserver.com, IP: 172.31.19.252
Proxy Server IP : 172.31.19.252/20
Nginx conf: ( /etc/nginx/nginx.conf )
-----------------
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
real_ip_header X-Forwarded-For;
set_real_ip_from 172.31.19.252;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80;
listen [::]:80;
server_name _;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
error_page 404 /404.html;
location = /404.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
stream {
upstream master {
server puppet.mylabserver.com:1515;
}
upstream mycluster {
server puppet.mylabserver.com:1514;
}
server {
listen 172.31.19.252:1515;
proxy_pass master;
}
server {
listen 172.31.19.252:1514;
proxy_pass mycluster;
}
}
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
real_ip_header X-Forwarded-For;
set_real_ip_from 172.31.19.252;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80;
listen [::]:80;
server_name _;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
error_page 404 /404.html;
location = /404.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
stream {
upstream master {
server puppet.mylabserver.com:1515;
}
upstream mycluster {
server puppet.mylabserver.com:1514;
}
server {
listen 172.31.19.252:1515;
proxy_pass master;
}
server {
listen 172.31.19.252:1514;
proxy_pass mycluster;
}
}
Wazuh Agent:
--------------------
IP: 172.31.30.6
Hostname: 9a67a918184c.mylabserver.com
/var/ossec/etc/ossec.conf:
-------------------------------------
.
.
.
<ossec_config>
<client>
<server>
<address>172.31.19.252</address>
<port>1514</port>
<protocol>tcp</protocol>
</server>
<config-profile>rhel, rhel7, rhel7.9</config-profile>
<notify_time>10</notify_time>
<time-reconnect>60</time-reconnect>
<auto_restart>yes</auto_restart>
<crypto_method>aes</crypto_method>
</client>
<client>
<server>
<address>172.31.19.252</address>
<port>1514</port>
<protocol>tcp</protocol>
</server>
<config-profile>rhel, rhel7, rhel7.9</config-profile>
<notify_time>10</notify_time>
<time-reconnect>60</time-reconnect>
<auto_restart>yes</auto_restart>
<crypto_method>aes</crypto_method>
</client>
.
.
.
Issue:
Wazuh receives the request from agent via proxy where it authorizes and register agent with proxy ip instead agent source ip .
manager ossec.log:
2022/09/15 17:56:05 wazuh-remoted: WARNING: (1213): Message from '172.31.19.252' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.
2022/09/15 17:56:15 wazuh-remoted: WARNING: (1213): Message from '172.31.19.252' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.
2022/09/15 17:56:25 wazuh-remoted: WARNING: (1213): Message from '172.31.19.252' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.
2022/09/15 17:56:35 wazuh-remoted: WARNING: (1213): Message from '172.31.19.252' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.
2022/09/15 17:56:45 wazuh-remoted: WARNING: (1213): Message from '172.31.19.252' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.
2022/09/15 17:56:46 wazuh-authd: INFO: New connection from 172.31.19.252
2022/09/15 17:56:46 wazuh-authd: INFO: Received request for a new agent (9a67a918184c.mylabserver.com) from: 172.31.19.252
2022/09/15 17:56:46 wazuh-authd: INFO: Agent key generated for '9a67a918184c.mylabserver.com' (requested by 172.31.19.252)
2022/09/15 17:56:51 wazuh-remoted: INFO: (1409): Authentication file changed. Updating.
2022/09/15 17:56:51 wazuh-remoted: INFO: (1410): Reading authentication keys file.
2022/09/15 17:56:15 wazuh-remoted: WARNING: (1213): Message from '172.31.19.252' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.
2022/09/15 17:56:25 wazuh-remoted: WARNING: (1213): Message from '172.31.19.252' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.
2022/09/15 17:56:35 wazuh-remoted: WARNING: (1213): Message from '172.31.19.252' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.
2022/09/15 17:56:45 wazuh-remoted: WARNING: (1213): Message from '172.31.19.252' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.
2022/09/15 17:56:46 wazuh-authd: INFO: New connection from 172.31.19.252
2022/09/15 17:56:46 wazuh-authd: INFO: Received request for a new agent (9a67a918184c.mylabserver.com) from: 172.31.19.252
2022/09/15 17:56:46 wazuh-authd: INFO: Agent key generated for '9a67a918184c.mylabserver.com' (requested by 172.31.19.252)
2022/09/15 17:56:51 wazuh-remoted: INFO: (1409): Authentication file changed. Updating.
2022/09/15 17:56:51 wazuh-remoted: INFO: (1410): Reading authentication keys file.
How can we make proxy to send agent source ip or either manager to recognize agent source ip instead proxy ?
Regards,
Nandha
Jorge Eduardo Molas
Sep 15, 2022, 7:27:38 PM9/15/22
to Wazuh mailing list
Hi Nandha, thanks for using Wazuh. I'll work on your use case and get back as soon as possible.
Jorge Eduardo Molas
Sep 16, 2022, 10:26:08 AM9/16/22
to Wazuh mailing list
Hi Nandha, sorry for the delay. You are configuring TCP/UDP and HTTP blocks to balance connections. You have to set only the stream block for TCP/UDP. You can follow this blog and documentation in order to achieve your use case.
Let me know if this information was helpful.
- https://wazuh.com/blog/nginx-load-balancer-in-a-wazuh-cluster
- https://documentation.wazuh.com/current/user-manual/configuring-cluster/advanced-settings.html#pointing-agents-to-the-cluster-with-a-load-balancer
Let me know if this information was helpful.
Regards.
Adam Pielak
Sep 16, 2022, 10:39:24 AM9/16/22
to Jorge Eduardo Molas, Wazuh mailing list
Change on wazuh manager
<use_source_ip>no</use_source_ip>
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/57b8fbd4-5f53-4447-8168-f446573c9d01n%40googlegroups.com.
nandha kumar
Sep 16, 2022, 11:57:56 AM9/16/22
to Adam Pielak, Jorge Eduardo Molas, Wazuh mailing list
Hi ,
I understand your point and i have already configured wazuh agent , nginx as like the same with provided document.
My point is that agent registered to manager with correct hostname but with ip address of nginx server since its a proxy and source ip remains proxy one.
If i have to overcome this situation . i have to change the use_source_ip as "No" on manager side and that shows ip address as any .
But my question is like if such scenario that agent node moved to different subnet and ip got changed , will manager add the same agent again since request from different ip address.?
wazuh manager:
# ip a | grep ens5
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
inet 172.31.16.122/20 brd 172.31.31.255 scope global noprefixroute dynamic ens5
# grep source_ip /var/ossec/etc/ossec.conf
<use_source_ip>yes</use_source_ip>
ossec.log ( manager )
2022/09/16 11:27:47 wazuh-remoted: WARNING: (1408): Invalid ID 013 for the source ip: '172.31.19.252' (name 'unknown').
2022/09/16 11:27:57 wazuh-remoted: WARNING: (1408): Invalid ID 013 for the source ip: '172.31.19.252' (name 'unknown').
2022/09/16 11:28:08 wazuh-remoted: WARNING: (1408): Invalid ID 013 for the source ip: '172.31.19.252' (name 'unknown').
2022/09/16 11:28:18 wazuh-remoted: WARNING: (1408): Invalid ID 013 for the source ip: '172.31.19.252' (name 'unknown').
2022/09/16 11:28:28 wazuh-remoted: WARNING: (1408): Invalid ID 013 for the source ip: '172.31.19.252' (name 'unknown').
2022/09/16 11:28:28 wazuh-authd: INFO: New connection from 172.31.19.252
2022/09/16 11:28:28 wazuh-authd: INFO: Received request for a new agent (9a67a918184c.mylabserver.com) from: 172.31.19.252
2022/09/16 11:28:28 wazuh-authd: INFO: Agent key generated for '9a67a918184c.mylabserver.com' (requested by 172.31.19.252)
2022/09/16 11:28:38 wazuh-remoted: INFO: (1409): Authentication file changed. Updating.
2022/09/16 11:28:38 wazuh-remoted: INFO: (1410): Reading authentication keys file.
# /var/ossec/bin/manage_agents -l
I understand your point and i have already configured wazuh agent , nginx as like the same with provided document.
My point is that agent registered to manager with correct hostname but with ip address of nginx server since its a proxy and source ip remains proxy one.
If i have to overcome this situation . i have to change the use_source_ip as "No" on manager side and that shows ip address as any .
But my question is like if such scenario that agent node moved to different subnet and ip got changed , will manager add the same agent again since request from different ip address.?
wazuh manager:
# ip a | grep ens5
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
inet 172.31.16.122/20 brd 172.31.31.255 scope global noprefixroute dynamic ens5
# grep source_ip /var/ossec/etc/ossec.conf
<use_source_ip>yes</use_source_ip>
ossec.log ( manager )
2022/09/16 11:27:47 wazuh-remoted: WARNING: (1408): Invalid ID 013 for the source ip: '172.31.19.252' (name 'unknown').
2022/09/16 11:27:57 wazuh-remoted: WARNING: (1408): Invalid ID 013 for the source ip: '172.31.19.252' (name 'unknown').
2022/09/16 11:28:08 wazuh-remoted: WARNING: (1408): Invalid ID 013 for the source ip: '172.31.19.252' (name 'unknown').
2022/09/16 11:28:18 wazuh-remoted: WARNING: (1408): Invalid ID 013 for the source ip: '172.31.19.252' (name 'unknown').
2022/09/16 11:28:28 wazuh-remoted: WARNING: (1408): Invalid ID 013 for the source ip: '172.31.19.252' (name 'unknown').
2022/09/16 11:28:28 wazuh-authd: INFO: New connection from 172.31.19.252
2022/09/16 11:28:28 wazuh-authd: INFO: Received request for a new agent (9a67a918184c.mylabserver.com) from: 172.31.19.252
2022/09/16 11:28:28 wazuh-authd: INFO: Agent key generated for '9a67a918184c.mylabserver.com' (requested by 172.31.19.252)
2022/09/16 11:28:38 wazuh-remoted: INFO: (1409): Authentication file changed. Updating.
2022/09/16 11:28:38 wazuh-remoted: INFO: (1410): Reading authentication keys file.
# /var/ossec/bin/manage_agents -l
Available agents:
ID: 001, Name: 9a67a918182c.mylabserver.com, IP: 172.31.19.15
ID: 002, Name: 9a67a918183c.mylabserver.com, IP: 172.31.16.208
<ossec_config>
<client>
<server>
<address>172.31.19.252</address>
<port>1514</port>
<protocol>tcp</protocol>
</server>
<config-profile>rhel, rhel7, rhel7.9</config-profile>
<notify_time>10</notify_time>
<time-reconnect>60</time-reconnect>
<auto_restart>yes</auto_restart>
<crypto_method>aes</crypto_method>
</client>
Nginx server:
[root@9a67a918185c ~]# cat /etc/nginx/nginx.conf
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
[root@9a67a918185c ~]# cat /etc/nginx/nginx.conf
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
stream {
upstream master {
server puppet.mylabserver.com:1515;
}
upstream mycluster {
server puppet.mylabserver.com:1514;
}
server {
listen 172.31.19.252:1515;
proxy_pass master;
}
server {
listen 172.31.19.252:1514;
proxy_pass mycluster;
}
}
upstream master {
server puppet.mylabserver.com:1515;
}
upstream mycluster {
server puppet.mylabserver.com:1514;
}
server {
listen 172.31.19.252:1515;
proxy_pass master;
}
server {
listen 172.31.19.252:1514;
proxy_pass mycluster;
}
}
Regards,
Nandha
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/fgyDPyKRTmg/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CAM4pHQRYx7FVNEw%3DaCPWDRRp4v-4JkdCQiVTPur%3DL8uxctjg9w%40mail.gmail.com.
Adam Pielak
Sep 16, 2022, 12:30:00 PM9/16/22
to Wazuh mailing list
001 indexer any 4d2a6189ac83b470793cfa3f4621057acd8720d077085a3e5bc5eaa08fadc767
003 windowsAgent 10.0.0.126 4c84dbacaba317a724ec651482fc3ea07ccc7d210e869386fa5c05e190dde53c
005 linuxAgent 10.0.0.4 673bc4d694a34e50571ed8c00e9c6edd301ab327cb0ebd18bce885f5b84ff89a
Looking at the client.keys file, we can see that one agent (indexer) is on a dynamic ip address (dhcp) therefore it is connected to the manager through “any” and for the Linux Agent we have a dedicated static IP address, 10.0.0.4 This is essential, because the wazuh-remoted process is looking for a key to decrypt the message. The goal is to find the right corresponding key, therefore the remoted process opens the client.key files and looks either for an IP address (if specified) or when only “any” is used, it looks for the agent ID, which displayed between two exclamation marks !001!
The rest of the captured message is useless to us, because its content is encrypted. This was just to demonstrate what the encrypted network communication between the manager and the agents looks like.
Reply all
Reply to author
Forward
0 new messages