Updated on 2024-11-28

Intro


Platform / Tools Version

  • Kubernetes 1.28
  • Wazuh: Server & Agent 4.5.0

Action plan ⚔️

  1. Open-source SIEM creation with Kustomize on a Kubernetes cluster (kubeadm)
  2. Brute-force attempts with Hydra against one of my Kubernetes cluster servers
  3. Being notified of these attempts on a specific Mattermost channel

Wazuh Installation


Kustomize

Having previously deployed my Kubernetes cluster, I chose Kustomize, using Wazuh’s official GitHub repository: https://github.com/wazuh/wazuh-kubernetes.git

git clone https://github.com/wazuh/wazuh-kubernetes.git
cd wazuh-kubernetes
kubectl apply -k envs/local-env/

Dashboard

  • Once deployed, I retrieved the EXTERNAL-IP of the dashboard Kubernetes service and added an entry for it in my local /etc/hosts.
  • I can then access the Wazuh dashboard homepage:

[Screenshot: Dashboard]

  • Currently I have deployed 11 agents, one on each of my servers, which lets me collect all the log files relating to security issues.

  • Specific server overview:

Scenario


Brute-Force

  • To test whether an alert is raised, I simulate an attack attempt with Hydra.
I use Hydra to simulate SSH connection attempts with a non-existent user and a series of 20 random passwords taken from the rockyou.txt file, against one of the servers in question:
$ sudo hydra -l badguy -P rockyou.txt 192.168.122.224 ssh
[sudo] password for admin: 
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-31 19:11:52
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 20 login tries (l:1/p:20), ~2 tries per task
[DATA] attacking ssh://192.168.122.224:22/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-03-31 19:12:27

Observability

  • Going to Security Events and filtering on rule.id 5710, I can find my attempts:

[Screenshots: Events, SSH tries]

Alerting


  • Raising alerts within Wazuh is one thing, but being notified externally is another, and it is paramount. I chose Mattermost as my target for receiving alerts.

  • Process:

    1. Create the #wazuh-alerts channel in Mattermost
    2. Create a webhook in Mattermost, linked to the #wazuh-alerts channel
    3. Configure the wazuh/wazuh_managers/wazuh_conf/worker.conf file to add the integration section with the Mattermost webhook, and the localfile section specifying the /var/log/auth.log of the agent servers in question:
    
     <!-- Mattermost incoming webhooks accept the Slack payload format, so Wazuh's slack integration is reused -->
     <integration>
      <name>slack</name>
      <hook_url>https://mattermost.example.com/hooks/your-webhook-token</hook_url>
      <rule_id>5710</rule_id>
      <alert_format>json</alert_format>
     </integration>
    
    • Here, I specified rule_id 5710, which covers the authentication_failed group for SSH:
    • By connecting to my pod, I retrieved the Wazuh rules list:
    
     root@wazuh-manager-worker-0:/var/ossec/ruleset/rules# ll | grep ssh
     -rw-r----- 1 root wazuh  19149 Aug  4  2023 0095-sshd_rules.xml
    
    • Inside the 0095-sshd_rules.xml file, I can find rule 5710, the one I want to match:
    
      <rule id="5710" level="5">
        <if_sid>5700</if_sid>
        <match>illegal user|invalid user</match>
        <description>sshd: Attempt to login using a non-existent user</description>
        <mitre>
          <id>T1110.001</id>
          <id>T1021.004</id>
          <id>T1078</id>
        </mitre>
        <group>authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,invalid_login,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
      </rule>
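
    As an added illustration (not code from this post or from Wazuh), the following Python reproduces in miniature what the rule above and the webhook integration do: rule 5710 only fires when its parent 5700 has fired (the <if_sid> chain) and the <match> pattern hits, and each alert is turned into the Slack-style webhook body that Mattermost accepts. The auth.log lines are constructed, and approximating rule 5700 by the "sshd[" program name is an assumption (the real rule keys on the sshd decoder).

```python
import json
import re
from collections import namedtuple

# Constructed /var/log/auth.log excerpt (not real data), in the shape sshd
# writes during a password-guessing run against a user that does not exist.
SAMPLE_AUTH_LOG = """\
Mar 31 19:11:53 node1 sshd[4120]: Invalid user badguy from 192.168.122.1 port 51000
Mar 31 19:11:53 node1 sshd[4120]: Failed password for invalid user badguy from 192.168.122.1 port 51000 ssh2
Mar 31 19:12:01 node1 sshd[4130]: Accepted publickey for admin from 192.168.122.50 port 40100 ssh2
Mar 31 19:12:05 node1 CRON[4140]: pam_unix(cron:session): session opened for user root
"""

# Fields mirror <rule id level>, <match>, <description> and <if_sid> (parent rule).
Rule = namedtuple("Rule", "rule_id level match description if_sid", defaults=(None,))

# Subset of 0095-sshd_rules.xml. Assumption: real 5700 keys on the sshd decoder;
# this toy version keys on the "sshd[" program name. Wazuh matching is case-insensitive.
RULES = [
    Rule(5700, 0, r"sshd\[", "SSHD messages grouped."),
    Rule(5710, 5, r"illegal user|invalid user",
         "sshd: Attempt to login using a non-existent user", if_sid=5700),
]

def evaluate(line):
    """Most specific rule for one line: a child rule is only tried once its parent fired."""
    fired = None
    for rule in RULES:
        if rule.if_sid is not None and (fired is None or fired.rule_id != rule.if_sid):
            continue
        if re.search(rule.match, line, re.IGNORECASE):
            fired = rule
    return fired

def alerts(log_text, min_level=1):
    """Alert dicts (loosely shaped like Wazuh JSON alerts) for lines at or above min_level."""
    out = []
    for line in log_text.splitlines():
        rule = evaluate(line)
        if rule and rule.level >= min_level:
            src = re.search(r" from (\S+)", line)
            out.append({"rule": {"id": rule.rule_id, "level": rule.level, "description": rule.description},
                        "srcip": src.group(1) if src else None, "full_log": line})
    return out

def mattermost_payload(alert):
    """Incoming-webhook body; Mattermost accepts the Slack format, hence <name>slack</name>."""
    r = alert["rule"]
    return json.dumps({"text": f"Wazuh rule {r['id']} (level {r['level']}): {r['description']} from {alert['srcip']}"})
```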
    
    • By launching Hydra again, I receive the Mattermost alerts:

    [Screenshot: #wazuh-alerts channel]

Conclusion


Wazuh obviously does a lot more than just analyze SSH connection attempts, but that was the aim of this short and concise post. I am still discovering the tool; more to come in other posts.