Installing Wazuh agent on Debian with CSF firewall

Introduction:

Wazuh is a free, open-source host-based intrusion detection system (HIDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. It provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD, macOS, Solaris and Windows. Wazuh has a centralized, cross-platform architecture allowing multiple systems to be monitored and managed. (source: [wikipedia.org])

This article shows how to add a Wazuh agent to a host you want to monitor (a Debian-based Linux distribution) when both the manager and the host run the CSF firewall.

Configuring CSF firewall

Configuring CSF firewall on wazuh server

Edit /etc/csf/csf.allow and append the rules below (d=port is the destination port, the second field is the manager's own address; ports 1514/1515 are agent traffic and registration, 1516 is cluster traffic, 514 is syslog):

#wazuh monitoring
tcp|in|d=1514|d={IP of wazuh manager}
tcp|in|d=1515|d={IP of wazuh manager}
tcp|in|d=1516|d={IP of wazuh manager}
tcp|in|d=514|d={IP of wazuh manager}

Reload CSF so the new rules take effect:

csf -r

Configuring CSF firewall on host which needs to be monitored

Edit /etc/csf/csf.allow and append the outbound counterparts (here the second field is the monitored host's own address as the source):

#wazuh monitoring
tcp|out|d=1514|s={IP of your host you want to monitor}
tcp|out|d=1515|s={IP of your host you want to monitor}
tcp|out|d=1516|s={IP of your host you want to monitor}
tcp|out|d=514|s={IP of your host you want to monitor}

Reload CSF here as well:

csf -r

Installing wazuh agent on monitored host (Debian distribution)

Add the Wazuh APT repository and install the agent package (every command that writes to system paths needs root, hence sudo on both sides of the pipes):

sudo apt-get install curl apt-transport-https lsb-release -y
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo apt-key add -
echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
sudo apt-get update
sudo apt-get install wazuh-agent
sudo vi /var/ossec/etc/ossec.conf

In the <client><server> section, set the manager address:

<ossec_config>
  <client>
    <server>
      <address>MANAGER_IP</address>
      <port>1514</port>
...

Replace MANAGER_IP with the IP address of your Wazuh manager, then register the agent with the manager (this step talks to the manager's registration service on port 1515, which is why that port was opened above):

sudo /var/ossec/bin/agent-auth -m {IP of wazuh manager}

Finally, restart the agent service so it picks up the new configuration and the key written by agent-auth:

sudo service wazuh-agent restart
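The shell helpers below are an added example, not part of the original post: they generate the csf.allow lines shown above for either side, fill in the MANAGER_IP placeholder in a copy of ossec.conf, and check whether agent-auth left a key behind. The function names, the WAZUH_PORTS list and the fallback connectivity check are assumptions of this example.

```shell
#!/bin/sh
# Added example for this how-to (not from the original post). Assumes the
# same ports and file layout as the article: 1514/1515/1516/514 and
# /var/ossec/etc/ossec.conf, /var/ossec/etc/client.keys.

WAZUH_PORTS="1514 1515 1516 514"

# csf_rules FLOW IP -> print csf.allow lines for FLOW (in|out) with the local
# address IP, in the format used above: d=port, then the local-IP field
# (d= on the manager side, s= on the monitored host side).
csf_rules() {
    flow="$1"; ip="$2"
    case "$flow" in
        in)  ipfield="d=$ip" ;;   # manager: destination is the manager itself
        out) ipfield="s=$ip" ;;   # monitored host: source is the host itself
        *)   echo "flow must be 'in' or 'out'" >&2; return 1 ;;
    esac
    echo "#wazuh monitoring"
    for p in $WAZUH_PORTS; do
        echo "tcp|$flow|d=$p|$ipfield"
    done
}

# set_manager CONF IP -> replace the MANAGER_IP placeholder in CONF in place.
# Returns 1 when the placeholder is absent, i.e. the file was already edited.
set_manager() {
    conf="$1"; ip="$2"
    grep -q '<address>MANAGER_IP</address>' "$conf" || return 1
    sed -i "s#<address>MANAGER_IP</address>#<address>$ip</address>#" "$conf"
}

# agent_registered KEYS_FILE -> 0 if agent-auth stored a key
# (client.keys lines look like "001 hostname any <key>").
agent_registered() {
    [ -s "$1" ] && grep -q '^[0-9]' "$1"
}

# manager_reachable IP PORT -> 0 if a TCP connect succeeds. Run this on the
# monitored host after "csf -r" to confirm the outbound rule works; uses nc
# when present, otherwise bash's /dev/tcp (fails harmlessly in plain sh).
manager_reachable() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$1" "$2"
    else
        (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
    fi
}
```

Typical use on the monitored host: `csf_rules out 10.0.0.5 | sudo tee -a /etc/csf/csf.allow`, then `sudo csf -r`, then `manager_reachable {IP of wazuh manager} 1515` before running agent-auth.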