Secure Your Self-Hosted Network with Wazuh

Yeah, I like to get an idea of where I am going before I go on a trip.

Let me know how you get on! Keen to hear other opinions on it :)

Awesome, glad you liked it!

Traefik seems to be pretty well requested. I’ll get a video sorted for ya!

@@Techdox will Wazuh work well with tailscale?

I personally have had no issues

I would love too, but it's a bit too deep for my channel I think. Happy to answer questions you have though

If you wanted to, you do it the same way as any other server. This would be https and then the IP address of Wazuh and that should be the config you need. Join the Discord if you need more help.

Sure, it's nothing fancy :)

Hey, you can deploy it as a container if you wish as well :) documentation.wazuh.com/current/deployment-options/docker/index.html

No I haven’t, are they worth looking into?

@@Techdox They are great for performing continuous scans of your network environment and catching known vulnerabilities as soon as they are disclosed

Only if the package has a vulnerability so under Vulnerabilities, where it asks you to select an agent, look next to Inventory and select events. Here you can filter on a package name

Interesting, in this install it was done on a fresh installed VM so maybe you have conflicts? What distro are you using or how are you installing it?

Not sure about wazuh specifically but the way I do it with other containers is to place it on the same docker network as caddy and then add the docker container name to the caddyfile then reload.

Hey. This is why I suggested to run it on its own dedicated server to avoid classes with other services you are running :)

Really good question, it just runs Debian so I don’t see why not, I’ll give it a try. What issues did you face?

@@Techdox wazuh-agent service just failed to start, some of the issues i found possibly with some group membership missing. Didn't get too far after trying to mess with that, hope you have more success.

@@viernester I also tried and failed. Will look into it some more. Most likely missing dependencies

@@viernesterworking fine for me on prox 8! Ensure you install on a full Ubuntu VM and not a container.

100% fair - While no system can be entirely risk-free, using open-source solutions like Wazuh, where there is visibility into the codebase, can offer a level of reassurance. But, like anything you do your own research to see if your comfortable with it

I have exactly the same issue. Even solar winds was susceptible to this. I think any organization large enough to become a target whether for profit or open-source or whatever are susceptible to nation backed attacks or even against another well funded and driven malicious entity.

@Techdox guess you got to do layers and some of your systems should be on Wiresharked listened into local networks to validate installs and that yea you still own the systems you got the Wazuh instances and no one else is getting remote access to said instance. Probably benchmark things every time you update to insure the same or similar behavior. Idk there are probably more steps you can take to ensure your remote command and control system with Wazuh. The fact it is open source auditable and used not just by your company might have some points in more secure.

Agreed. Supply chain attacks affect proprietary software as well, and there's less transparency.

My excuse is that I trust podman+SELinux.

100% unless your a company aiming for certification compliance, a lot of these are overkill, but still good to implement some of them

Absolutely, it's a valid point to be cautious about who has root access to your servers. But if you think about it, that's a concern with pretty much any third-party service or application we use, not just Wazuh. It really comes down to trust and verifying the security practices of any company you're considering. Plus, with open-source solutions like Wazuh, there's a community keeping an eye on things, which can sometimes offer an additional layer of scrutiny and security. It's all about finding the right balance that works for you!

Great question. I’ll make sure to include this in videos from now on. For me, I followed their social pages, verified their company and customers. wazuh.com/our-customers/
After six years of running, I’m sure if they were not legit they would have been called out by now. Gartner is also a good place to check out tooling www.gartner.com/reviews/market/security-information-event-management/vendor/wazuh/product/wazuh-the-open-source-security-platform

That would be because Wazuh is not supported on ARM, which is what your Raspberry Pi uses - www.reddit.com/r/Wazuh/comments/16gwtt7/wazuhdashboard_on_rpi/

@@Techdox thx, I guess the tutorials I followed were just clickbait for ads.
Hopefully it gets support one day..👍

@@-someone-. yeah, especially for agents

@@Techdox have you tried?
doesn’t the “linux agents” cover pi’s.

@@-someone-. when I checked there was no ARM option which would be needed for the Pi’s

Not exactly a random link, in this case I have an active server running from this same script and verified it's legit. This is something I mention a lot on this channel, making sure you actually know what is going on. I mentioned in this video this script installs the 3 components of Wazuh and showcase you can actually install the components individually as well. Valid point still

@@Techdox Thanks for the reply, you made a great point. I got a couple of suggestions for follow ups:
1. Like anyone installing automated tools you practically drown in warnings and errors. How do you deal with it in the best way?
2. A simple walk-through of an install script, what it does and what to look out for. Maybe framed for the Linux community as a whole. I am of course referring to the debacle that led up to CVE-2024-3094.

I just tested it, still works. - discord.com/invite/8mX2KRxDw8

The font and layout gave it away for me as well.

It uses Opensearch for the Indexer and Dashboard.

It does it's based on elastic

I think it’s just that enterprise UI feel haha

@@Techdox i like it anyway

Someone asked the same below this was my reply :)
“Not exactly a random link, in this case I have an active server running from this same script and verified it's legit. This is something I mention a lot on this channel, making sure you actually know what is going on. I mentioned in this video this script installs the 3 components of Wazuh and showcase you can actually install the components individually as well. Valid point still”

What steps are you using to upgrade?

Keen to hear more about that use case and how it doesn’t work? :)

@@Techdox use case as enterprise that makes heavy use of spot instances that auto-register. Wazuh doesn’t scale in these cases very well. Imagine thousands of instances that instantiate and terminate a day. Primarily for data operations, etl.

@@trollingdirty8910 yeah, in this case they would be container based most likely and in that case the image itself would go through the testing for vulnerabilities etc

@@Techdox Negative. Fat EC2 instances heavy compute. The AMI is baked and already scanned, primary concern is FIM.

Haha, fair enough. Pretty sure you can get browser extensions to do that if it’s a big issue for you

Wow. So no dark mode is the killer here? Like what??? I guess network security tools rely on things being dark, before things actually go dark?? What a crazy comment.....

Wearing a hoody much? 😂

I will not discount software outright for no dark mode, but I really hate using a web app that is constantly flash banging me.

Clearly a bot