
CSE 4205 INDUSTRIAL TRAINING

INDUSTRIAL TRAINING REPORT


ON
Endpoint & Cloud Security using Wazuh
Completed at

Pentester Space
From January 1, 2023 to January 15, 2023
Submitted in partial fulfillment of the
Requirements for the award of
Degree of Bachelor of Science in
Computer Science and Engineering

Submitted By
Md Habibur Rahman
ID: 190232045
Semester: 8th
Section: A

Supervised By
Mrs Ferdous Ara
Assistant Professor
Department of Computer Science and Engineering
BGC Trust University Bangladesh
APPROVAL

The Industrial Training Report entitled “Endpoint & Cloud Security using
Wazuh” is hereby approved as a creditable study of an engineering subject
carried out and presented in a manner satisfactory to warrant its acceptance
as prerequisite for the Degree for which it has been submitted.

It is to be understood that by this approval the undersigned do not endorse
or approve any statement made, opinion expressed, or conclusion drawn
therein; but approve the “Industrial Training Report” only for the purpose
for which it has been submitted.

______________________
Mohammad Salah Uddin Chowdhury
Assistant Professor and Chairman-In Charge
Department of Computer Science and Engineering
BGC Trust University Bangladesh

______________________
Internal Examiner
Ibrahim Khalil
Co-Founder
Pentester Space

______________________
External Examiner
Mrs Ferdous Ara
Assistant Professor
Department of Computer Science and Engineering
BGC Trust University Bangladesh

Page 1 of 40
ACKNOWLEDGEMENT

The overall success of the training period was achieved due to valuable
contribution of various persons.

I would like to express my heartfelt gratitude towards Mrs. Ferdous Ara,
Supervisor of the Industrial Training. My utmost gratitude and respect goes
to Mr. Mohammad Salah Uddin Chowdhury, the Chairman-In Charge of
Computer Science.

I would also like to thank Mr. Ibrahim Khalil, the Co-Founder of Pentester
Space for being so flexible in matters related to training and guiding us in
every possible way.

My sincere thanks are extended to all engineers and employees who were
always there to assist in technical aspects and for sharing their precious
knowledge in the field.

Most of all, I thank the Almighty for blessing me with the strength, light and
wisdom to pursue the work.

PREFACE

In this report, we will be discussing Wazuh, an open-source security
monitoring solution that provides real-time visibility into security threats and
vulnerabilities. Wazuh is built on top of the Elastic Stack and provides an
integrated platform for log management, intrusion detection, and compliance.

Wazuh has gained popularity in recent years due to its ability to detect and
respond to threats in real-time, as well as its compliance capabilities. The
platform is widely used by organizations of all sizes to improve their security
posture and meet regulatory requirements.

This report will cover the features and capabilities of Wazuh, as well as its
architecture, deployment options, and use cases. We will also discuss the
benefits of using Wazuh, and how it can help organizations improve their
security and compliance posture.

Overall, Wazuh is a powerful tool that can help organizations detect and
respond to security threats quickly and effectively. With its real-time
visibility, comprehensive security features, and compliance capabilities, it is a
valuable asset for any organization looking to improve its security posture.

TABLE OF CONTENTS
Approval........................................................................................................................... 1
Preface............................................................................................................................... 2
Acknowledgement............................................................................................................. 3
Contents............................................................................................................................ 4
List of figures.................................................................................................................... 7
List of tables...................................................................................................................... 7

1. Introduction............................................................................................................... 8

1.1. Introduction..................................................................................................... 8

1.2. Company profile.............................................................................................. 8

1.3. Objectives........................................................................................................ 8

1.4. Motivation....................................................................................................... 9

1.5. Internship goal................................................................................................. 9

1.6. Summary of the report............................................................................... 9

2. Internship Enterprise.................................................................................................. 10

2.1. About Pentester Space..................................................................................... 10

3. Internship roles and responsibilities............................................................................ 11

3.1 Training and responsibilities............................................................................ 11

3.2. Introduction to cybersecurity........................................................................... 12

3.2.1. Cybersecurity.................................................................................... 12

3.3. Different types of cybersecurity....................................................................... 12

3.3.1. Network security............................................................................... 12

3.3.2. Endpoint security.............................................................................. 12

3.3.3. Cloud security................................................................................... 13

3.3.4. Application security.......................................................................... 13

3.3.5. Identity and access management....................................................... 14

3.3.6. Disaster recovery and business continuity......................................... 15

3.3.7. Compliance and regulatory............................................................... 15

3.4. Information gathering about cybersecurity companies.................................... 16

3.4.1. Cybersecurity company..................................................................... 16

3.4.2. Outcome........................................................................................... 16

3.4.3. Learn................................................................................................ 16

3.5. Data analysis................................................................................................... 17

3.5.1. Data analysis.................................................................................... 17

3.5.2. Outcome........................................................................................... 18

3.5.3. Learn................................................................................................ 18

3.6. Perform open source intelligence (OSINT)...................................................... 19

3.6.1. OSINT.............................................................................................. 19

3.6.2. Outcome........................................................................................... 21

3.6.3. Learn................................................................................................ 21

3.7. Introduction to Wazuh and its applications..................................................... 22

3.7.1. Wazuh............................................................................................... 22

3.7.2. Wazuh application............................................................................ 22

i. Intrusion detection and prevention........................................... 22

ii. File integrity monitoring........................................................... 23

iii. Log management and analysis................................................... 23

iv. Compliance management.......................................................... 24

v. Network security monitoring.................................................... 24

vi. Cloud security........................................................................... 25

3.7.3. Outcome........................................................................................... 25

3.7.4. Learn................................................................................................ 25

3.8. Installation guide............................................................................................. 26

3.8.1. Wazuh central component................................................ 26

3.9. Installation wazuh-manager on virtual private server...................................... 28

3.9.1. Virtual private network..................................................................... 28

3.9.2. Installing elasticsearch...................................................................... 29

3.9.3. Installing Wazuh server..................................................................... 29

3.9.4. Installing filebeat.............................................................................. 31

3.9.5. Installing kibana............................................................................... 32

3.9.6. Outcome........................................................................................... 33

3.9.7. Learn................................................................................................ 33

3.10. Install and setup wazuh-agent.......................................................................... 34

3.10.1. Wazuh agent..................................................................................... 34

3.10.2. Learn................................................................................................ 35

3.11. Log analysis with Wazuh................................................................................. 36

3.11.1 Log analysis...................................................................................... 36

3.12. Incident response and mitigation attack.......................................................... 38

3.12.1. Blocking attacks with active response............................................... 39

3.12.2. Detecting the attack.......................................................................... 39

3.12.3. Defining the command...................................................................... 39

3.12.4. Defining the active response.............................................................. 40

3.12.5. Proof of concept................................................................................ 40

3.12.6. Learn................................................................................................ 40

LIST OF FIGURES
Figure 3.1 CSV file containing company information........................................... 16
Figure 3.2 Pie chart of Cybersecurity Categories.................................................. 18
Figure 3.3 LinkedIn Profile CSV file.................................................................... 19
Figure 3.4 Google Dork for finding marketing manager in LinkedIn.................. 21
Figure 3.5 Wazuh Architecture............................................................................ 26
Figure 3.6 Wazuh installation with Elasticsearch................................................. 27
Figure 3.7 VPS Successfully login through ssh...................................................... 28
Figure 3.8 VPS Specification................................................................................. 28
Figure 3.9 Successfully installed wazuh-manager.................................................. 30
Figure 3.10 Successfully installed filebeat................................................................ 31
Figure 3.11 Successfully installed wazuh-manager.................................................. 33
Figure 3.12 Wazuh-manager dashboard................................................................. 34
Figure 3.13 Wazuh-agent running successfully on my Laptop................................ 35
Figure 3.14 Wazuh-agent running successfully on my VPS..................................... 35
Figure 3.15 Wazuh-agent dashboard...................................................................... 36
Figure 3.16 Wazuh-agent system audit log.............................................................. 37
Figure 3.17 Wazuh-agent file integrity log.............................................................. 37
Figure 3.18 Wazuh-agent security event log............................................................ 38
Figure 3.19 Active Response reply.......................................................................... 40

LIST OF TABLES

Table 1 Training and Responsibilities................................................................ 11
Table 2.1 List of Services...................................................................................... 17
Table 2.2 List of Services in Sorting order............................................................ 17

CHAPTER 1
1. INTRODUCTION

1.1 Introduction
During my Industrial Training at Pentester Space, I had the opportunity to work with
Wazuh, an open-source security monitoring solution. I gained hands-on experience in
configuring, monitoring and troubleshooting the system. I also learned about incident
response and the importance of effective communication and teamwork in implementing
security solutions. Overall, my internship provided valuable experiences and insights into
the field of cybersecurity. This internship report is on "Endpoint & Cloud Workload
Protection using Wazuh" at Pentester Space. It covers everything I learned during my
internship program at Pentester Space.

1.2 Company Profile

Name: Pentester Space
Address: 14th Floor, ICT Tower, E-14/X, Agargaon, Dhaka, Bangladesh
Telephone: +8801765-323081
Email: contact@pentesterspace.com
LinkedIn: https://www.linkedin.com/company/pentester-space

1.3 Objective
Cybersecurity is crucial for protecting devices, networks and information from
unauthorized access or damage. It is important to implement robust measures to protect
against cyber threats. With the increasing use of technology, the importance of
cybersecurity is paramount. My internship at Pentester Space as a cybersecurity student
provided hands-on experience with industry tools and techniques, and helped me apply
theoretical knowledge to real-world scenarios. It also gave me insight into implementing
and maintaining security solutions in real-world environments. This internship advanced
my professional development and made me a more competitive candidate in the job
market.

1.4 Motivation
As a student pursuing a BSc in CSE, I see the need to broaden my knowledge and gain a
comprehensive understanding of the subject. During my internship at Pentester Space, I
discovered that I am fully capable of understanding the basic concepts of cybersecurity. I
believe this internship will provide me with the ideal opportunity to further my career in
this field. As an intern, I actively contributed and learned as much as I could during the
program. This internship experience will give me insight into my future career and will be
a stepping stone for my future education and professional development.

1.5 Internship Goal
At BGC Trust University Bangladesh, where I am currently pursuing my
Bachelor of Science in Cyber Security, I understand the importance of
expanding my knowledge on international standards because it will help me
gain a broader understanding of the subjects I am studying. During my
internship at Pentester Space, I had the opportunity to work with Wazuh, an
open-source security monitoring solution. I discovered that I am proficient in
the basic components of Wazuh and its capabilities to detect and respond to
security threats. As an online content provider, I excel at communicating
with others and effectively conveying the ideas that are on the top of my
mind. This internship experience will give me insight into my future career
and will be a stepping stone for my future education and professional
development.

1.6 Summary of the Report

Day 1-2    01-01-2023 to 02-01-2023   Introduction to Cybersecurity, Different categories of Cybersecurity
Day 3-4    03-01-2023 to 04-01-2023   Information Gathering about Cybersecurity companies.
Day 5      05-01-2023                 Data analysis.
Day 6-7    06-01-2023 to 07-01-2023   Perform Open Source Intelligence (OSINT)
Day 8      08-01-2023                 Introduction to Wazuh and its applications.
Day 9      09-01-2023                 Installation guide.
Day 10-11  10-01-2023 to 11-01-2023   Installation Wazuh-manager on Virtual Private Server
Day 12     12-01-2023                 Install and Setup Wazuh-agent
Day 13     13-01-2023                 Log Analysis with Wazuh
Day 14-15  14-01-2023 to 15-01-2023   Incident Response and Mitigation attack

CHAPTER 2
2. INTERNSHIP ENTERPRISE

2.1 About Pentester Space

Pentester Space is a leading provider of cybersecurity services. The company is dedicated
to helping organizations protect against cyber threats by providing advanced security
solutions such as penetration testing, vulnerability assessment, and incident response.

The company was founded in 2019 with a team of 11-50 employees and is based in Dhaka,
Bangladesh. They have a website https://pentesterspace.com which provides more
information about the company. They have 9 employees on LinkedIn who are currently
employed by the company.

Pentester Space's team of security experts use cutting-edge tools and techniques to identify
vulnerabilities in their clients' systems and networks. They provide actionable
recommendations and a complete methodology to reproduce each vulnerability along
with the patches that will make the security hack-proof.

Their services include a wide range of cybersecurity solutions such as:

➢ Information Security.
➢ Penetration Testing.
➢ Vulnerability Assessment.
➢ Security Audit.
➢ Cloud Security.
➢ Risk Assessment.
➢ Blue Team Assessment.
➢ IT Security.
➢ Ethical Hacking.
➢ Application Security.

This range of services makes them a valuable resource for organizations looking to improve their cyber
security posture and protect themselves against threats in today's digital age.

CHAPTER 3
3. INTERNSHIP ROLES AND RESPONSIBILITIES

3.1 Training and Responsibilities

In the first week I learned about Cybersecurity, Services of Cybersecurity companies, Business
analytics and Open Source Information Gathering (OSINT). In the last week I learned about
Endpoint Security, Cloud Security, Blue Teaming Methods and Hands-on Security Operations
with Wazuh.

Table 1: Training and Responsibilities

Day 1-2    Introduction to Cybersecurity, Different categories of Cybersecurity   Training
Day 3-4    Information Gathering about Cybersecurity companies.                   Task
Day 5      Data analysis.                                                          Task
Day 6-7    Perform Open Source Intelligence (OSINT).                               Task
Day 8      Introduction to Wazuh and its application.                              Training
Day 9      Installation guide.                                                     Training
Day 10-11  Installation Wazuh-manager on Virtual Private Server.                   Task
Day 12     Install and Setup Wazuh-agent.                                          Task
Day 13     Log Analysis with Wazuh.                                                Task
Day 14-15  Incident Response and Mitigation attack.                                Task

DAY 1-2
3.2 INTRODUCTION TO CYBER SECURITY

3.2.1 Cyber Security


Cybersecurity refers to the practice of protecting devices, networks, and sensitive
information from unauthorized access, use, disclosure, disruption, modification, or
destruction. It encompasses a wide range of technologies, processes, and practices that are
designed to safeguard information and systems from cyber threats such as hacking,
phishing, malware, and other forms of cyber crime.

3.3 DIFFERENT TYPES OF CYBER SECURITY

There are several types of cyber security that organizations can implement to
protect against different types of cyber threats. Some of the main types of cyber security
include:

3.3.1 Network Security


This type of security focuses on protecting an organization's network from unauthorized
access and attacks. This includes implementing firewalls, intrusion detection and
prevention systems, and network segmentation.

3.3.2 Endpoint Security


This type of security focuses on protecting an organization's devices and endpoints from
malware and other types of cyber threats. This includes implementing anti-virus software
and endpoint protection platforms.

3.3.3 Cloud Security
This type of security focuses on protecting an organization's data and applications that
are hosted in the cloud. This includes implementing cloud access security brokers, cloud-
based firewalls, and encryption.

3.3.4 Application Security


This type of security focuses on protecting an organization's applications and software
from vulnerabilities and attacks. This includes implementing application firewalls, web
application firewalls, and secure coding practices.

3.3.5 Identity and Access Management
This type of security focuses on managing and protecting an organization's user identities
and access controls. This includes implementing multi-factor authentication, single sign-
on, and identity governance and administration.

3.3.6 Disaster Recovery and Business Continuity
This type of security focuses on ensuring that an organization can recover quickly from a
cyber attack or other disruptive event, and minimize the impact on business operations.

3.3.7 Compliance and Regulatory


This type of security focuses on ensuring that an organization is meeting the legal,
regulatory and compliance requirements related to data protection, privacy and security.

DAY 3-4
3.4 INFORMATION GATHERING ABOUT CYBERSECURITY
COMPANIES.

3.4.1 Cyber Security Company


Cybersecurity companies provide a wide range of services to protect against cyber-attacks,
such as predicting and mitigating threats, shutting down attacks and providing solutions
for software, data, networks and devices. The task was given to me to gather information
about cybersecurity companies and their services in a csv file.

The following csv file contains Company name, valuation, date of foundation, location,
investors, company website and their services.

Figure 3.1 CSV file containing company information

3.4.2 OUTCOME
➢ This csv file contains almost 1500+ data about 34 leading companies which will
help Pentester Space in their business research.

3.4.3 LEARN
➢ Understand real world job market.
➢ Learned different types of services.
➢ Learned how to gather information.
➢ Time management and Communication skill

DAY 5
3.5 DATA ANALYSIS

3.5.1 Data Analysis


Data analysis is the process of examining, cleaning, transforming, and modeling data with
the goal of discovering useful information, suggesting conclusions, and supporting
decision making. Data analysis is a crucial step in the data science process and can be
applied to a wide range of fields such as business, finance, healthcare, and many more.
There are various techniques and tools used for data analysis such as statistical analysis,
data visualization, machine learning, and more. The goal of data analysis is to extract
insights and knowledge from data and to help inform decision making and strategic
planning.

This day my task was analyzing data which I have stored in csv file.

Table 2.1 : List of Services
Table 2.2 : List of Services in Sorting order

This data is a summary of the number of different categories of cybersecurity services
offered by a certain company. It lists 8 categories, and the number of services offered in
each category. The categories include: Application Security (1 service), Cloud security (8
services), Data Security (6 services), Endpoints Security (9 services), Identity & Access
management (8 services), Infrastructure Security (13 services), Risk Compliance (7
services) and Security Operations & Incident Response (13 services).

Overall, the company seems to have a good range of services in different areas of
cybersecurity, with most categories having more than 7 services. The highest number of
services is in the categories of Infrastructure Security and Security Operations & Incident
Response with 13 services each, which means the company is well equipped to provide a
wide range of services in these areas.

The data shown in Table 2.1 are calculated by the =COUNTIF(H2:K35,"Application
Security") function over the range H2 to K35, and Table 2.2 is sorted by the
=SORTN(F41:G48,8,0,G41:G48,0) function, which depends on Table 2.1. Figure
2.1 shows the total scenario of the csv file based on services.
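As an added example (not the report's own spreadsheet), the same COUNTIF-style category counting and SORTN-style ranking done in Python over a constructed CSV, where the columns service_1..service_4 stand in for the spreadsheet range H2:K35:

```python
import csv
import io
from collections import Counter

# Constructed sample, not the intern's CSV: one row per company, and the
# service_1..service_4 columns (the spreadsheet's H..K) hold up to four
# service categories offered by that company. Empty cells are allowed.
SAMPLE_CSV = """company,service_1,service_2,service_3,service_4
Alpha Corp,Cloud Security,Endpoints Security,Infrastructure Security,
Beta Ltd,Infrastructure Security,Security Operations & Incident Response,Risk Compliance,Data Security
Gamma Inc,Endpoints Security,Identity & Access management,,
Delta Co,Application Security,Infrastructure Security,Security Operations & Incident Response,Cloud Security
"""

SERVICE_COLUMNS = ["service_1", "service_2", "service_3", "service_4"]


def count_categories(csv_text, columns=SERVICE_COLUMNS):
    """Equivalent of running =COUNTIF(H2:K35, "<category>") once per category:
    count how many cells in the service columns hold each category name."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col in columns:
            value = (row.get(col) or "").strip()
            if value:
                counts[value] += 1
    return dict(counts)


def sortn_desc(counts, n=8):
    """Equivalent of =SORTN(range, n, 0, count_column, FALSE): the n largest
    counts in descending order. Ties are broken alphabetically so the
    output is stable, which the spreadsheet does not guarantee."""
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ordered[:n]


if __name__ == "__main__":
    counts = count_categories(SAMPLE_CSV)
    for category, total in sortn_desc(counts):
        print(f"{category}: {total}")
```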

Figure 3.2 Pie chart of Cybersecurity Categories

3.5.2 OUTCOME
➢ This data will help Pentester Space in their business model and research.

3.5.3 LEARN
➢ Understand real world job market.
➢ learned different types of services.
➢ Learned how to gather information.
➢ Time management and Communication skill
➢ Learned Data analysis using Google spreadsheets
➢ Learned Business acumen

DAY 6-7
3.6 PERFORM OPEN SOURCE INTELLIGENCE (OSINT)

3.6.1 OSINT
OSINT stands for Open-Source Intelligence. It is the practice of gathering, analyzing, and
disseminating information that is available to the general public. OSINT is used in a
variety of fields, including business, law enforcement, intelligence, and security. The
information collected through OSINT can come from a wide range of sources such as the
internet, social media, newspapers, and books. OSINT is useful in identifying potential
threats, understanding the activities of competitors, and tracking the spread of
misinformation. The goal of OSINT is to provide actionable intelligence that can be used
to make strategic decisions. It is a cost-effective and efficient way of gathering
information, as the sources are readily available and do not require any special clearance.

After completing data collection and data analysis, another task was given to me: to collect
each company’s Marketing Lead/Manager LinkedIn profile.

Figure 3.3 LinkedIn Profile CSV file

I collected information about 424 companies, which could have been hugely time consuming if I
had not used a web scraping method.

I used a Python script to scrape data from this URL: https://www.blackhat.com/us-22/event-sponsors.html

Here is my code, where I used requests for sending HTTP requests, BeautifulSoup for web
scraping and pandas for data formatting.

import requests
from bs4 import BeautifulSoup
import pandas as pd

url = 'https://www.blackhat.com/us-22/event-sponsors.html'
page = requests.get(url, timeout=30)
page.raise_for_status()  # stop early on a non-2xx response

# print(page.text)
soup = BeautifulSoup(page.content, "html.parser")

# The sponsor table on the page (kept for reference; the anchor name
# attributes below are what actually carry the company names)
table = soup.find(id='ExhibitorListTable0')

# Links whose visible text contains "www"; anchors with no text give
# string=None, so guard before calling lower()
results = soup.find_all('a', string=lambda text: text is not None and 'www' in text.lower())
for link in results:
    print(link.prettify())

# Company names are stored in the name attribute of anchor tags
s = []
for link in soup.find_all('a'):
    if isinstance(link.get('name'), str):
        s.append(link.get('name'))

# print(sorted(set(s)))  # sorting and unique

title = [x.title() for x in sorted(set(s))]

new_list = [x.replace('-', ' ') for x in title]

print(new_list)

# Collect every href on the page
l = []
for link in soup.find_all('a'):
    if isinstance(link.get('href'), str):
        l.append(link.get('href'))
        print(link.get('href'))

print(l)

# writing data into csv file done
data = {'Company Name': new_list}
df = pd.DataFrame(data)
df.to_csv("/home/b1ack_c0de/Downloads/example.csv", index=False)

Figure 3.4 Google Dork for finding marketing manager in LinkedIn

Due to policy reasons I had to find and add the LinkedIn profile links manually. I used the Google
Dork method to find a specific company’s Marketing Manager profile.

3.6.2 OUTCOME
➢ This data will help Pentester Space in their future events to find valuable sponsors.
➢ It also helps Pentester Space to build a strong connection with international
companies.

3.6.3 LEARN
➢ Learned about Web Scraping with python.
➢ Understand value of open source data.
➢ Google Dorking.
➢ Learned the importance of consistency and attention to detail during this task.

DAY 8
3.7 INTRODUCTION TO WAZUH AND ITS APPLICATIONS

3.7.1 Wazuh
Wazuh is an open-source security solution that provides an integrated platform for threat
detection, incident response, and compliance management. It is built on top of the Elastic
Stack (formerly known as ELK stack) and provides real-time visibility into the security of
an organization's IT infrastructure.

3.7.2 Wazuh Applications

Wazuh can be applied to various use cases in the field of cybersecurity. Some of the key
applications of Wazuh include:

i. Intrusion Detection and Prevention


Wazuh can detect and alert on security threats, such as unauthorized access attempts,
malware infections, and system anomalies, in real-time.

ii. File Integrity Monitoring
Wazuh can monitor critical files and system configurations for unauthorized changes,
helping organizations detect and respond to internal and external threats.
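To show what the file integrity monitoring described above actually does, here is an added example (not Wazuh's own syscheck code): it records a baseline of file digests and attributes for a directory tree, then reports files added, modified or deleted since that baseline, which is the information an FIM alert carries. The directory layout and file contents are constructed inside a temporary directory.

```python
import hashlib
import os
import tempfile

# Added example, not Wazuh's code: a minimal file integrity monitor that
# mirrors the idea behind Wazuh's syscheck module. Baseline first, then
# compare the current state against it and classify every difference.


def file_digest(path, algorithm="sha256"):
    """Return the hex digest of a file, reading it in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file under root (path relative to root, '/' separated) to the
    attributes an FIM typically tracks: content digest, size and permission bits."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            baseline[rel] = {
                "sha256": file_digest(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return baseline


def compare(baseline, current):
    """Return FIM events as tuples: ('added', path), ('deleted', path) or
    ('modified', path, [names of the attributes that changed])."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        before = baseline.get(rel)
        after = current.get(rel)
        if before is None:
            events.append(("added", rel))
        elif after is None:
            events.append(("deleted", rel))
        elif before != after:
            changed = [k for k in before if before[k] != after[k]]
            events.append(("modified", rel, changed))
    return events


def demo():
    """Constructed scenario: baseline a throwaway 'etc' tree, change it the way
    a monitored host might change, and return the resulting events."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(os.path.join(etc, "cron.d"))
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Changes after the baseline: an appended account entry, a removed
        # file, and a new scheduled job dropped into cron.d
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("svc:x:1001:1001::/home/svc:/bin/sh\n")
        os.remove(os.path.join(etc, "hosts"))
        with open(os.path.join(etc, "cron.d", "nightly"), "w") as f:
            f.write("0 2 * * * root /usr/local/bin/backup.sh\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for event in demo():
        print(event)
```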

iii. Log Management and Analysis


Wazuh can collect and analyze log data from various sources across an organization's IT
infrastructure, allowing security teams to detect and investigate security incidents.

iv. Compliance Management
Wazuh can help organizations ensure compliance with industry and government
regulations, such as PCI-DSS, HIPAA, and NIST, by providing automated reports and
alerts on compliance-related security events.

v. Network Security Monitoring


Wazuh can help detect and alert on network-based attacks and other security threats by
integrating with network security tools such as Suricata and Snort.

vi. Cloud Security
Wazuh can also be used to monitor and secure cloud environments, providing security
visibility and incident response capabilities for cloud-based resources and workloads.

Wazuh is a powerful and versatile security solution that can help organizations protect
against cyber threats, detect and respond to security incidents, and ensure compliance
with industry and government regulations.

3.7.3 OUTCOME
➢ This training session helped interns understand the basic idea of Wazuh and its
interfaces.

3.7.4 LEARN
➢ Learned different applications of Wazuh.
➢ Realized Wazuh’s capability and effectiveness.
➢ Learned importance of fast learning and adaptability.

DAY 9
3.8 INSTALLATION GUIDE.

3.8.1 Wazuh central components

Wazuh indexer
The Wazuh indexer is a highly scalable, full-text search and analytics engine. This central
component indexes and stores alerts generated by the Wazuh server.

Wazuh server
The Wazuh server analyzes data received from the agents and processes it using threat
intelligence. A single server can analyze data from thousands of agents, and scale when set
up as a cluster. It is also used to manage the agents, configuring them remotely when
necessary.

Wazuh dashboard
The Wazuh dashboard is the web user interface for data visualization, analysis, and
management. It includes dashboards for regulatory compliance, vulnerabilities, file
integrity, configuration assessment, cloud infrastructure events, among others.

Figure 3.5 Wazuh Architecture

Wazuh can be installed using various methods, such as:
➢ Virtual Machine (OVA file)
➢ Amazon Machine Images
➢ Deployment on Docker and Kubernetes
➢ Offline Installation
➢ Installation from sources
➢ Installing with Elastic Stack
➢ Installing with Splunk

I was trained to install it with the Elastic Stack, following the official documentation:
https://documentation.wazuh.com/

Wazuh server and Elastic Stack are installed on the same host. This type of deployment is
appropriate for testing and small working environments.

Figure 3.6 Wazuh installation with Elasticsearch

The following components will be installed:

➢ The Wazuh server, including the Wazuh manager as a single-node cluster, and
Filebeat.
➢ Elastic Stack, including Elasticsearch as a single-node cluster, and Kibana,
including the Wazuh Kibana plugin.

DAY 10-11
3.9 INSTALLATION OF WAZUH-MANAGER ON A VIRTUAL PRIVATE SERVER

3.9.1 Virtual Private Server


After the training on installation, I got a task to install Wazuh-manager on a virtual
private server. A VPS was assigned to me along with a private key for SSH access.

Figure 3.7 VPS Successfully login through ssh

Figure 3.8 VPS Specification


3.9.2 Installing Elasticsearch
Elasticsearch is a highly scalable full-text search and analytics engine.

Install the GPG key:


curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/elasticsearch.gpg --import && chmod 644 /usr/share/keyrings/elasticsearch.gpg

Add the repository:


echo "deb [signed-by=/usr/share/keyrings/elasticsearch.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list

Update the package information:


apt-get update

Install the Elasticsearch package:


apt-get install elasticsearch=7.17.6

Download the configuration file /etc/elasticsearch/elasticsearch.yml as follows:


curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/4.3/tpl/elastic-basic/elasticsearch_all_in_one.yml

Enable and start the Elasticsearch service


systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch

3.9.3 Installing Wazuh Server


The Wazuh server collects and analyzes data from deployed agents. It runs the Wazuh
manager, the Wazuh API and Filebeat.

Install the GPG key:


curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

Add the repository:
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Update the package information:


apt-get update

Install the Wazuh manager package:


apt-get install wazuh-manager

Enable and start the Wazuh manager service:


systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager

Run the following command to check if the Wazuh manager is active:


systemctl status wazuh-manager

Figure 3.9 Successfully installed wazuh-manager

3.9.4 Installing Filebeat
Filebeat is the tool on the Wazuh server that securely forwards alerts and archived events
to Elasticsearch.

Install the Filebeat package:


apt-get install filebeat=7.17.6

Download the pre-configured Filebeat config file used to forward Wazuh alerts to
Elasticsearch:
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.3/tpl/elastic-basic/filebeat_all_in_one.yml

Download the alerts template for Elasticsearch:


curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.3/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

Download the Wazuh module for Filebeat:


curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | tar -xvz -C /usr/share/filebeat/module

Edit the file /etc/filebeat/filebeat.yml and add the following line, using the password
generated for the elastic user by the elasticsearch-setup-passwords step of the Wazuh guide.
The file now holds a credential, so keep it readable by root only:

output.elasticsearch.password: <elasticsearch_password>

Enable and start the Filebeat service:


systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat

To ensure that Filebeat has been successfully installed, run the following command:
filebeat test output

Figure 3.10 Successfully installed filebeat

3.9.5 Installing kibana

Kibana is a flexible and intuitive web interface for mining and visualizing the events and
archives stored in Elasticsearch.

Install the Kibana package:


apt-get install kibana=7.17.6

Copy the Elasticsearch certificates into the Kibana configuration folder. These files are
produced by the certificate generation step of the Wazuh guide (elasticsearch-certutil), which
is not shown in this report but must run before Elasticsearch is started; the elastic password
used below likewise comes from the guide's elasticsearch-setup-passwords step:


mkdir /etc/kibana/certs/ca -p
cp -R /etc/elasticsearch/certs/ca/ /etc/kibana/certs/
cp /etc/elasticsearch/certs/elasticsearch.key
/etc/kibana/certs/kibana.key
cp /etc/elasticsearch/certs/elasticsearch.crt
/etc/kibana/certs/kibana.crt
chown -R kibana:kibana /etc/kibana/
chmod -R 500 /etc/kibana/certs
chmod 440 /etc/kibana/certs/ca/ca.* /etc/kibana/certs/kibana.*

Download the Kibana configuration file:


curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/4.3/tpl/elastic-basic/kibana_all_in_one.yml

Edit the /etc/kibana/kibana.yml file:


elasticsearch.password: <elasticsearch_password>

Create the /usr/share/kibana/data directory:


mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana

Link Kibana's socket to privileged port 443:


setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node

Enable and start the Kibana service:


systemctl daemon-reload
systemctl enable kibana
systemctl start kibana

Access the web interface using the password generated during the Elasticsearch
installation process:

URL: https://35.175.143.184
user: elastic
password: XXXXXXXXX

Figure 3.11 Successfully installed wazuh-manager

3.9.6 OUTCOME
➢ The previous training session was good enough to show its outcome.

3.9.7 LEARN
➢ Learned installation method of Wazuh-manager.
➢ Learned various Linux commands.
➢ Learned importance of fast learning and adaptability.

DAY 12
3.10 INSTALL AND SETUP WAZUH-AGENT

3.10.1 Wazuh agent


After installing Wazuh-manager, I installed Wazuh-agent on the endpoints to monitor them.

The Wazuh agent is multi-platform and runs on the endpoints that the user wants to
monitor. It communicates with the Wazuh server, sending data in near real-time through
an encrypted and authenticated channel.

I installed two Wazuh-agents, one on my laptop and the other on my VPS.

Figure 3.12 Wazuh-manager dashboard

The installation process for Linux is as follows. The WAZUH_MANAGER variable writes the
manager address into the agent's ossec.conf at install time. Note that this downloads the
.deb directly and installs it with dpkg, so the package is not verified against the Wazuh GPG
key the way packages from the apt repository are; on endpoints where that matters, add the
repository as was done for the manager and install wazuh-agent with apt-get instead.

curl -so wazuh-agent-4.3.10.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.3.10-1_amd64.deb && sudo WAZUH_MANAGER='35.175.143.184' dpkg -i ./wazuh-agent-4.3.10.deb

Start the agent


sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

Figure 3.13 Wazuh-agent running successfully on my Laptop

Figure 3.14 Wazuh-agent running successfully on my VPS

3.10.2 LEARN
➢ Learned installation method of Wazuh-agent.
DAY 13
3.11 LOG ANALYSIS WITH WAZUH

3.11.1 Log analysis


Log analysis is the process of collecting, parsing, and analyzing log data from various
sources. The goal of log analysis is to extract valuable insights and information from log
data, such as identifying security threats, troubleshooting issues, and monitoring system
performance. Log analysis is an important part of cybersecurity and IT operations, as log
data can provide valuable information about the state of a system and any potential issues.

A day was spent analysing log data and understanding what was going on at the endpoint (VPS).

Figure 3.15 Wazuh-agent dashboard

Figure 3.15 shows the dashboard for Agent 001 (VPS), containing a summary of the system
based on its logs. We can see the various events recorded on this VPS.
Figure 3.16 Wazuh-agent system audit log

Figure 3.16 shows that this system is receiving some sort of attack over the SSH protocol.

Figure 3.17 Wazuh-agent file integrity log

Figure 3.17 shows the files added, modified and deleted in the last 24 hours. This helps to
find malicious activity and protect file integrity.
DAY 14-15
3.12 INCIDENT RESPONSE AND ATTACK MITIGATION

Figure 3.18 Wazuh-agent security event log


From Figures 3.15 - 3.18 we can see that there is an attack going on against this endpoint.
The Wazuh manager says it is an SSH authentication attack. To stop this attack I applied the
Active Response method.

3.12.1 Blocking attacks with Active Response


Active response allows Wazuh to run commands on an agent in response to certain
triggers. In this use case, we simulate an SSH Brute Force attack and configure an active
response to block the IP address of the attacker.

3.12.2 Detecting the attack


First of all, we need to know when to execute the response. We can use one of the
following options:

➢ Rule ID: The response will be executed on any event with the defined ID.
➢ Rule group: The response will be executed on any event in the defined group.
➢ Level: The response will be executed on any event with this level or higher.

In this use case, we want to prevent SSH brute force attacks, so when the rule 5712
- SSHD brute force trying to get access to the system is triggered, it will
execute the proper active response to block the IP address of the attacker.

3.12.3 Defining the command


We know when the active response will be executed. Now, we have to define what it will
do. You can create your own script to block an IP, or take any other action, but Wazuh comes
with a set of common scripts used in active response. These scripts are in
/var/ossec/active-response/bin/. We are going to use the firewall-drop script,
which works with common Linux/Unix operating systems and allows blocking a
malicious IP address using the local firewall.

Define the command in the ossec.conf of your Wazuh manager:


<command>
<name>firewall-drop</name>
<executable>firewall-drop</executable>
<timeout_allowed>yes</timeout_allowed>
</command>

3.12.4 Defining the active response
Configure Wazuh to run the active response. The main fields are:

➢ command: The command previously defined (firewall-drop).
➢ location: Where the command should be executed. We want to execute the
command on the agent that reported the event. So, we use local.
➢ rules_id: The command is executed if the rule 5712 is fired.
➢ timeout: Block the IP address for 1800 seconds on the firewall (iptables, ipfilter,
etc.).

Define the active response in the ossec.conf of your Wazuh manager:


<active-response>
<command>firewall-drop</command>
<location>local</location>
<rules_id>5712</rules_id>
<timeout>1800</timeout>
</active-response>
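As an added example for sections 3.11 and 3.12 (it is not Wazuh's own code and not part of the original report), the Python script below emulates the whole chain offline on a few constructed sshd log lines: a sliding-window correlation standing in for rule 5712 (frequency 8 within 120 seconds is assumed; check the ruleset on your manager), the firewall-drop add action rendered as the iptables commands the real script would run, and the unblock that follows once the 1800-second timeout from the configuration above has elapsed. The 203.0.113.10 allowlist is hypothetical; it shows the guard a practitioner adds so that a mistyped admin password cannot lock the operator out of the VPS.

```python
"""Offline emulation of the SSH brute-force chain: sshd log -> rule-5712-style
correlation -> firewall-drop-style block -> timeout-driven unblock.

Added example for this report; it is not Wazuh's own code. The thresholds,
the allowlist and the log lines below are assumptions or constructed data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed to mirror rule 5712 (frequency 8 within a 120 s timeframe); verify
# against /var/ossec/ruleset/rules/0095-sshd_rules.xml on your manager.
FREQUENCY = 8
TIMEFRAME = timedelta(seconds=120)
# Same value as <timeout>1800</timeout> in the <active-response> block.
BLOCK_TIMEOUT = timedelta(seconds=1800)
# Hypothetical management host that must never be dropped, even if it fails.
ALLOWLIST = {"203.0.113.10"}

# "Failed password" lines as sshd writes them to /var/log/auth.log.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_syslog_ts(text, year=2023):
    """Syslog timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


class SshBruteForceDetector:
    """Sliding window per source IP: fire when FREQUENCY failures land in TIMEFRAME."""

    def __init__(self):
        self._failures = defaultdict(deque)  # srcip -> failure timestamps in window

    def feed(self, line):
        """Return a rule-5712-style alert when the correlation fires, else None."""
        m = FAILED_RE.match(line)
        if m is None:
            return None
        ts, ip = parse_syslog_ts(m["ts"]), m["ip"]
        window = self._failures[ip]
        window.append(ts)
        while ts - window[0] > TIMEFRAME:  # drop failures older than the timeframe
            window.popleft()
        if len(window) < FREQUENCY:
            return None
        window.clear()  # like the rule's ignore option: do not refire on every next line
        return {"rule_id": 5712, "level": 10, "srcip": ip, "timestamp": ts,
                "description": "sshd: brute force trying to get access to the system."}


def firewall_drop(alert, blocked):
    """Emulate firewall-drop's add action: record the block and return the
    iptables commands the real script would run, or None if nothing is done."""
    ip = alert["srcip"]
    if ip in ALLOWLIST or ip in blocked:
        return None
    blocked[ip] = alert["timestamp"] + BLOCK_TIMEOUT
    return [f"iptables -I INPUT -s {ip} -j DROP", f"iptables -I FORWARD -s {ip} -j DROP"]


def expire_blocks(blocked, now):
    """Emulate the delete action the agent runs once <timeout> has elapsed."""
    commands = []
    for ip, until in list(blocked.items()):
        if now >= until:
            del blocked[ip]
            commands += [f"iptables -D INPUT -s {ip} -j DROP", f"iptables -D FORWARD -s {ip} -j DROP"]
    return commands


def run(lines):
    """Push log lines through detection and response; return (alerts, commands, blocked)."""
    detector, blocked, alerts, commands = SshBruteForceDetector(), {}, [], []
    for line in lines:
        alert = detector.feed(line)
        if alert is not None:
            alerts.append(alert)
            commands += firewall_drop(alert, blocked) or []
    return alerts, commands, blocked


# Constructed sample: one legitimate login, nine "invalid user" failures from
# 198.51.100.7 inside 24 s, one admin typo from the allowlisted host, and a
# late retry from the attacker after the window has expired.
SAMPLE_AUTH_LOG = [
    "Jan 14 10:00:01 vps sshd[2101]: Accepted publickey for ubuntu from 203.0.113.10 port 50122 ssh2",
    *[f"Jan 14 10:01:{s:02d} vps sshd[{2200 + s}]: Failed password for invalid user admin "
      f"from 198.51.100.7 port 4{s:04d} ssh2" for s in range(0, 27, 3)],
    "Jan 14 10:05:00 vps sshd[2300]: Failed password for ubuntu from 203.0.113.10 port 50123 ssh2",
    "Jan 14 10:40:00 vps sshd[2400]: Failed password for root from 198.51.100.7 port 41000 ssh2",
]

if __name__ == "__main__":
    alerts, commands, blocked = run(SAMPLE_AUTH_LOG)
    for a in alerts:
        print(f"{a['timestamp']} rule {a['rule_id']} srcip={a['srcip']}: {a['description']}")
    print("\n".join(commands))
    print("unblock:", "\n".join(expire_blocks(blocked, parse_syslog_ts("Jan 14 10:40:00"))))
```

Running it shows a single alert at the eighth failure, the two DROP rules for 198.51.100.7, and the matching delete commands once the 1800-second timeout is reached; the allowlisted host's failed login produces no block, and the attacker's retry 38 minutes later starts a fresh window rather than firing immediately.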

3.12.5 Proof of concept


After applying the active response we can see in Figure 3.18 alerts with the description
Host blocked by firewall-drop Active Response. On the agent the block can be confirmed with
iptables -L INPUT -n (a DROP rule for the attacker's address) and in
/var/ossec/logs/active-responses.log, which records every firewall-drop execution; the rule
disappears again when the 1800-second timeout expires.

Figure 3.19 Active Response reply

3.12.6 LEARN
➢ Learned how to apply incident response to an SSH attack.
➢ Understood the Active Response rules.
➢ Learned real-life blue team work.

