UpBrightSkills

Learn. Build. Evolve.


Webhook Integration – Wazuh with Microsoft Teams

Posted on February 2, 2024 by Admin

Microsoft Teams Configuration

  1. Create the Teams channel in which you want to receive alerts
  2. Add the Incoming Webhook connector and configure it for the channel you created for alerts
  3. Copy the webhook URL

Wazuh configuration for Microsoft Teams Integration

  1. Create a file named custom-teams on the Wazuh manager (location: /var/ossec/integrations/custom-teams)
  2. Copy the content below into custom-teams
#!/bin/sh
# Copyright (C) 2015-2020, Wazuh Inc.
# Created by Wazuh, Inc. <[email protected]>.
# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2

# Wrapper that runs custom-teams.py with the Python interpreter bundled with Wazuh.
# The Wazuh install directory (WAZUH_PATH) is derived from where this wrapper lives.
WPYTHON_BIN="framework/python/bin/python3"
SCRIPT_PATH_NAME="$0"
DIR_NAME="$(cd "$(dirname "${SCRIPT_PATH_NAME}")"; pwd -P)"
SCRIPT_NAME="$(basename "${SCRIPT_PATH_NAME}")"

case ${DIR_NAME} in
    */active-response/bin | */wodles*)
        if [ -z "${WAZUH_PATH}" ]; then
            WAZUH_PATH="$(cd "${DIR_NAME}/../.."; pwd)"
        fi
        PYTHON_SCRIPT="${DIR_NAME}/${SCRIPT_NAME}.py"
    ;;
    */bin)
        if [ -z "${WAZUH_PATH}" ]; then
            WAZUH_PATH="$(cd "${DIR_NAME}/.."; pwd)"
        fi
        PYTHON_SCRIPT="${WAZUH_PATH}/framework/scripts/${SCRIPT_NAME}.py"
    ;;
    */integrations)
        # /var/ossec/integrations/custom-teams -> WAZUH_PATH=/var/ossec, script is custom-teams.py next to it
        if [ -z "${WAZUH_PATH}" ]; then
            WAZUH_PATH="$(cd "${DIR_NAME}/.."; pwd)"
        fi
        PYTHON_SCRIPT="${DIR_NAME}/${SCRIPT_NAME}.py"
    ;;
esac

# The manager's arguments (alert file, API key, hook URL, optional "debug") are passed through unchanged
"${WAZUH_PATH}/${WPYTHON_BIN}" "${PYTHON_SCRIPT}" "$@"

3. Create a file named custom-teams.py and copy the content below into it

#!/usr/bin/env python3
# Microsoft Teams integration for Wazuh, adapted from the Wazuh custom-shuffle
# integration script. The custom-teams wrapper invokes it as:
#   custom-teams.py <alert_file> <api_key> <hook_url> [debug]

import json
import os
import sys
import time

try:
    import requests
except ImportError:
    print("No module 'requests' found. Install: pip install requests")
    sys.exit(1)

# ADD THIS TO ossec.conf configuration:
#  <integration>
#      <name>custom-teams</name>
#      <hook_url>URL</hook_url>
#      <level>12</level>
#      <alert_format>json</alert_format>
#  </integration>

# Global vars
debug_enabled = False
# This file lives in <WAZUH_PATH>/integrations, so two dirname() calls yield <WAZUH_PATH>
pwd = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
json_alert = {}
now = time.strftime("%a %b %d %H:%M:%S %Z %Y")

# Set paths
log_file = '{0}/logs/integrations.log'.format(pwd)


def main(args):
    debug("# Starting")
    # Read args: args[1] is the alert file, args[2] the (unused) API key, args[3] the hook URL
    alert_file_location = args[1]
    webhook = args[3]
    debug("# Webhook")
    debug(webhook)
    debug("# File location")
    debug(alert_file_location)

    # Load alert. Parse JSON object.
    with open(alert_file_location) as alert_file:
        json_alert = json.load(alert_file)
    debug("# Processing alert")
    debug(json_alert)
    debug("# Generating message")
    msg = generate_msg(json_alert)
    if isinstance(msg, str):
        if len(msg) == 0:
            return
        debug(msg)
    debug("# Sending message")
    send_msg(msg, webhook)


def debug(msg):
    # Only writes when the manager passed "debug" as the fourth argument
    if debug_enabled:
        msg = "{0}: {1}\n".format(now, msg)
        print(msg)
        with open(log_file, "a") as f:
            f.write(msg)


# Leftover from the Shuffle integration this script was adapted from; it is not
# called anywhere here. The rule IDs are Docker events that Shuffle itself causes
# when it starts containers, which is irrelevant for a Teams webhook.
def filter_msg(alert):
    skip = ["87924", "87900", "87901", "87902", "87903", "87904", "86001", "86002", "86003", "87932", "80710", "87929", "87928", "5710"]

    if alert["rule"]["id"] in skip:
        return False

    return True


def generate_msg(alert):
    # Card colour by rule level: green up to 4, yellow for 5-7, red for 8 and above
    level = alert['rule']['level']
    if level <= 4:
        color = "38F202"
    elif 5 <= level <= 7:
        color = "F2EB02"
    else:
        color = "F22A02"
    description = alert['rule'].get('description', "N/A")
    msg = {}
    sections = []
    msg['@type'] = "MessageCard"
    msg['themeColor'] = color
    msg['summary'] = "WAZUH Alert: " + description
    facts = []

    if 'agent' in alert:
        facts.append({
            'name': 'Agent',
            'value': "({0}) - {1}".format(
                alert['agent']['id'],
                alert['agent']['name']
            )})

    if 'agentless' in alert:
        facts.append({
            'name': 'Agentless host',
            'value': alert['agentless']['host']
        })

    facts.append({
        'name': 'Location',
        'value': alert.get('location', 'N/A')
    })

    facts.append({
        'name': 'Rule ID',
        'value': "{0} _(Level {1})_".format(alert['rule']['id'], level)
    })
    facts.append({
        'name': 'Log',
        'value': alert.get('full_log')
    })
    sections.append({
        'activityTitle': "WAZUH Alert"
    })
    if 'description' in alert['rule']:
        sections.append({
            'title': alert['rule']['description'],
        })
    sections.append({
        'facts': facts,
        'markdown': True
    })
    msg['sections'] = sections
    return json.dumps(msg)


def send_msg(msg, url):
    headers = {'content-type': 'application/json', 'Accept-Charset': 'UTF-8'}
    res = requests.post(url, data=msg, headers=headers, timeout=10)
    debug(res)
    # Raise on a non-2xx reply so a rejected post is recorded in integrations.log instead of vanishing
    res.raise_for_status()


if __name__ == "__main__":
    try:
        # Read arguments
        bad_arguments = False
        if len(sys.argv) >= 4:
            msg = '{0} {1} {2} {3} {4}'.format(
                now,
                sys.argv[1],
                sys.argv[2],
                sys.argv[3],
                sys.argv[4] if len(sys.argv) > 4 else '',
            )

            debug_enabled = (len(sys.argv) > 4 and sys.argv[4] == 'debug')
        else:
            msg = '{0} Wrong arguments'.format(now)
            bad_arguments = True

        # Logging the call
        with open(log_file, 'a') as f:
            f.write(msg + '\n')
        if bad_arguments:
            debug("# Exiting: Bad arguments.")
            sys.exit(1)

        # Main function
        main(sys.argv)
    except Exception as e:
        debug(str(e))
        raise

4. Now set the ownership and permissions of the created files (the directory is /var/ossec/integrations, as in step 1)

chmod 750 /var/ossec/integrations/custom-teams
chmod 750 /var/ossec/integrations/custom-teams.py
chown root:wazuh /var/ossec/integrations/custom-teams
chown root:wazuh /var/ossec/integrations/custom-teams.py

5. Edit the ossec.conf file on your Wazuh manager and add the following content. Replace “URL” with your webhook URL and adjust the rule level to the alerts you want forwarded.

 <integration>
    <name>custom-teams</name>
    <hook_url>URL</hook_url>
    <level>12</level>
    <alert_format>json</alert_format>
 </integration>

6. Restart the Wazuh manager and check that alerts arrive in the Teams channel
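To check the integration before pointing it at a real Teams URL, here is an added example that is not part of the original post: a local stand-in for the Teams incoming webhook. It listens on 127.0.0.1, validates that each POST is a MessageCard carrying the facts and colour-to-level mapping custom-teams.py produces, and mimics the 200 reply a Teams connector returns; put the returned URL into <hook_url> for a dry run. The card shape and colours come from the script above; the sample values are constructed, and the 0-15 rule-level range is an assumption about Wazuh.

```python
import json
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# themeColor values generate_msg() assigns, with the rule-level range each stands for (levels assumed 0-15)
LEVEL_RANGES = {"38F202": (0, 4), "F2EB02": (5, 7), "F22A02": (8, 15)}

def validate_card(body):
    # Return the problems found in a posted MessageCard; an empty list means it looks right
    try:
        card = json.loads(body)
    except ValueError:
        return ["body is not JSON"]
    problems = []
    if card.get("@type") != "MessageCard":
        problems.append("@type is not MessageCard")
    color = card.get("themeColor")
    if color not in LEVEL_RANGES:
        problems.append("unexpected themeColor %r" % color)
    facts = {f.get("name"): str(f.get("value"))
             for s in card.get("sections", []) for f in s.get("facts", [])}
    problems += ["missing fact %r" % n for n in ("Rule ID", "Location", "Log") if n not in facts]
    # Cross-check: the level embedded in the Rule ID fact must agree with the colour
    match = re.search(r"Level (\d+)", facts.get("Rule ID", ""))
    if match and color in LEVEL_RANGES:
        low, high = LEVEL_RANGES[color]
        if not low <= int(match.group(1)) <= high:
            problems.append("themeColor %s does not match level %s" % (color, match.group(1)))
    return problems

class FakeTeamsHook(BaseHTTPRequestHandler):
    # Answers like a Teams incoming webhook: HTTP 200 with body "1" when the card is accepted
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        problems = validate_card(body)
        self.send_response(200 if not problems else 400)
        self.end_headers()
        self.wfile.write(b"1" if not problems else json.dumps(problems).encode())

def start_fake_hook():
    # Listen on a free 127.0.0.1 port; the returned URL is what goes into <hook_url> for a dry run
    server = HTTPServer(("127.0.0.1", 0), FakeTeamsHook)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/" % server.server_address[1]

def post_card(url, card):
    # POST the card the way send_msg() does and return the HTTP status code
    req = urllib.request.Request(url, data=json.dumps(card).encode(),
                                 headers={"content-type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as res:
            return res.status
    except urllib.error.HTTPError as err:
        return err.code

# Constructed card shaped like generate_msg() output for a level 12 alert (all values made up)
SAMPLE_CARD = {"@type": "MessageCard", "themeColor": "F22A02", "summary": "WAZUH Alert: sample",
               "sections": [{"activityTitle": "WAZUH Alert"}, {"markdown": True, "facts": [
                   {"name": "Location", "value": "(web-01) any->syscheck"},
                   {"name": "Rule ID", "value": "999999 _(Level 12)_"}, {"name": "Log", "value": "made up"}]}]}
```

Calling start_fake_hook() and then post_card(url, SAMPLE_CARD) returns 200, while the same card with themeColor set to "38F202" is rejected with 400 because green does not match level 12.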

Wazuh – https://wazuh.com/
Wazuh Setup Video – https://youtu.be/WqQUIz5XRpQ

UpBrightSkills Blogs – https://www.upbrightskills.com/
Go Language Programs – https://www.golangprograms.com/

Migrate From CentOS 8 to Rocky Linux 8

Posted on June 25, 2021 by Admin

Rocky Linux 8 is a one-to-one, binary-compatible rebuild of RHEL, and its latest stable release, 8.4, is out. If you want to migrate from CentOS 8 to Rocky Linux, this tutorial walks through it using the official migrate2rocky script.

Steps to migrate CentOS 8 to Rocky Linux 8

Before running the migration commands below, make sure you have a backup of your system. Some applications may not work after migration, so taking a full system snapshot first is a wise idea.

1. Run system update & upgrade

The first thing to do is make sure every package installed on the existing CentOS 8 system is at its latest version. Run the update and upgrade commands with the DNF package manager.

sudo dnf update && sudo dnf upgrade

2. Migrate CentOS to Rocky using Script

The Rocky developers provide a script called migrate2rocky on the distribution's GitHub page. Download it on the existing CentOS system that you want to convert.

wget https://raw.githubusercontent.com/rocky-linux/rocky-tools/main/migrate2rocky/migrate2rocky.sh

3. Change Script Permission

Make the downloaded script executable so that it can be run on the system.

sudo chmod +x migrate2rocky.sh

4. Execute Script

The script automatically switches the CentOS 8 repositories, GPG keys, logo and related files over to Rocky Linux. It may take some time depending on the size of your existing installation.

sudo bash migrate2rocky.sh -r

Once the migration is completed, you will get:

Done, please reboot your system.
A log of this installation can be found at /var/log/migrate2rocky.log

Now run a distro-sync and then simply reboot your system.

sudo dnf distro-sync -y 
sudo reboot

5. Verify & Check OS Version

To confirm that the migration to Rocky Linux succeeded, check the OS version.

cat /etc/os-release

AWS – How to Setup VPC with Public & Private Subnet

Posted on August 24, 2020 by Admin

#aws #ec2 #publicsubnet #privatesubnet #securecloud #cloud

How to set up a VPC with a public and a private subnet.

You can create a public-facing subnet for your web servers that have access to the internet. You can also place your backend systems, such as databases or application servers, in a private-facing subnet with no internet access. You can use multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.

For More Videos Refer below mentioned links:

Wazuh – https://www.youtube.com/watch?v=WqQUIz5XRpQ&list=PLissCAcRHDmKLFYXQQxuOOFow1wypOdlP

Digital Ocean – https://www.youtube.com/watch?v=dAbHVXVql8s&list=PLissCAcRHDmKcrj6qQrks_YZFYf8bHjCN

English Tutorial – https://www.youtube.com/watch?v=7eq7rO5l4Mw&list=PLQoMV4t_lqOuaEQAxVPmWh5qDkiJFebV8

UpBrightSkills Blogs – https://www.upbrightskills.com/

GoLanguagePrograms – http://www.golangprograms.com/


Install Magento on Ubuntu 18.04 with Nginx & Lets Encrypt Certificate

Posted on June 25, 2020 by Admin

Magento Open Source is a fantastic platform for getting your store online. This tutorial shows you how to set up Magento behind the high-performance Nginx web server and secure it with a Let's Encrypt SSL certificate.

Pre-Requisites
  • Server with Ubuntu 18.04
  • SSH enabled
  • HTTP and HTTPS ports open and reachable from the web
SSH to your instance, then update the system and install the dependencies, MySQL and Nginx
sudo apt update && sudo apt upgrade
sudo apt install unzip certbot
sudo apt-get -y install nginx
sudo apt install mysql-server
Secure the database and set your DB root password
sudo mysql_secure_installation
Log in to the MySQL command line and run the following queries to create the database and the user Magento will use to access it
CREATE DATABASE magentodb;

CREATE USER 'magentoadmin'@'localhost' IDENTIFIED BY 'yourpassword';

GRANT ALL PRIVILEGES ON magentodb.* TO 'magentoadmin'@'localhost';

FLUSH PRIVILEGES;

exit;
Next, create the magento user and group, the web root folder, and set the correct permissions
sudo useradd -m -U -r -d /opt/magento magento

sudo usermod -a -G magento www-data

sudo -u magento mkdir /opt/magento/public_html

sudo chmod 750 /opt/magento
Install PHP dependencies
sudo apt install php7.2-common php7.2-cli php7.2-fpm php7.2-opcache php7.2-gd php7.2-mysql php7.2-curl php7.2-intl php7.2-xsl php7.2-mbstring php7.2-zip php7.2-bcmath php7.2-soap
Configure PHP parameters for Magento requirements
sudo sed -i 's/memory_limit = .*/memory_limit = 2048M/' /etc/php/7.2/fpm/php.ini

sudo sed -i 's/upload_max_filesize = .*/upload_max_filesize = 256M/' /etc/php/7.2/fpm/php.ini

sudo sed -i 's/zlib.output_compression = .*/zlib.output_compression = on/' /etc/php/7.2/fpm/php.ini

sudo sed -i 's/max_execution_time = .*/max_execution_time = 18000/' /etc/php/7.2/fpm/php.ini

sudo sed -i 's/;date.timezone.*/date.timezone = UTC/' /etc/php/7.2/fpm/php.ini

sudo sed -i 's/;opcache.save_comments.*/opcache.save_comments = 1/' /etc/php/7.2/fpm/php.ini
Now create the PHP-FPM pool configuration for Magento
sudo vim /etc/php/7.2/fpm/pool.d/magento.conf

user = magento
group = www-data
listen.owner = magento
listen.group = www-data
listen = /var/run/php/php7.2-fpm-magento.sock
pm = ondemand
pm.max_children = 50
pm.process_idle_timeout = 10s
pm.max_requests = 500
chdir = /
Restart PHP FPM to reload the config
sudo systemctl restart php7.2-fpm
Now download and install Composer
curl -sS https://getcomposer.org/installer -o composer-setup.php

php composer-setup.php --install-dir=/usr/local/bin --filename=composer
For better security, generate a sufficiently strong set of Diffie-Hellman parameters
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
Now install Magento using the Composer method
sudo su - magento

composer create-project --repository-url=https://repo.magento.com/ magento/project-community-edition /opt/magento/public_html

cd ~/public_html

php bin/magento setup:install --base-url=https://mywebsite.com/ --base-url-secure=https://mywebsite.com/ --admin-firstname=FirstName --admin-lastname=LastName --admin-email="[email protected]" --admin-user=admin --admin-password="youradminpassword" --db-host=localhost --db-name=magentodb --db-user=magentoadmin --db-password=yourdbpassword --currency=USD --timezone=America/Chicago --use-rewrites=1

php ~/public_html/bin/magento cron:install
Create the Nginx site configuration file
sudo vim /etc/nginx/sites-available/mywebsite.com
Add the configuration below to the “mywebsite.com” file just created
upstream fastcgi_backend {
    server unix:/var/run/php/php7.2-fpm-magento.sock;
}
server {
    listen 80;
    server_name mywebsite.com;
    include snippets/letsencrypt.conf;
    return 301 https://mywebsite.com$request_uri;
}
server {
    listen 443 ssl http2;
    server_name mywebsite.com;
    ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/mywebsite.com/chain.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 30s;
    keepalive_timeout 300s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    include snippets/letsencrypt.conf;
    set $MAGE_ROOT /opt/magento/public_html;
    set $MAGE_MODE developer; # or production
    access_log /var/log/nginx/mywebsite.com-access.log;
    error_log /var/log/nginx/mywebsite.com-error.log;
    include /opt/magento/public_html/nginx.conf.sample;
}
Enable the site by linking it into sites-enabled (the Nginx directories are under /etc/nginx)
sudo ln -s /etc/nginx/sites-available/mywebsite.com /etc/nginx/sites-enabled/
Test, reload and restart the Nginx service
sudo nginx -t

sudo service nginx reload

sudo service nginx restart
Now secure the site with a Let's Encrypt certificate. Switch to the root user and perform the steps below
sudo su
mkdir -p /var/lib/letsencrypt/.well-known
chgrp www-data /var/lib/letsencrypt
chmod g+s /var/lib/letsencrypt
Create the Nginx snippet for Let's Encrypt
vim /etc/nginx/snippets/letsencrypt.conf

Add the content below to the snippet file just created.

location ^~ /.well-known/acme-challenge/ {
    allow all;
    default_type "text/plain";
    rewrite /.well-known/acme-challenge/(.*) /$1 break;
    root /var/lib/letsencrypt/;
    try_files $uri =404;
}
Generate the certificate (make sure your web server is reachable by its host name). The certificate issued is valid for 90 days.
sudo certbot certonly --agree-tos --email [email protected] --webroot -w /var/lib/letsencrypt/ -d mywebsite.com
Create Cron Job to Automatically renew your Lets Encrypt Certificate
vim /etc/cron.d/certbot

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload nginx"
Reload and restart the Nginx service
sudo service nginx reload

sudo service nginx restart
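The Nginx server block above still enables TLSv1 and TLSv1.1 and lists 3DES and other CBC suites in ssl_ciphers. As an added example that is not part of the tutorial, this Python checker parses the ssl_* directives of an Nginx server block and reports those settings, using a constructed excerpt of the page's 443 block beside a hardened variant (also constructed) that passes clean.

```python
import re

# Constructed excerpt of the tutorial's 443 server block; only the TLS directives are kept
PAGE_TLS_CONF = """
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:AES128-SHA:!DSS";
    ssl_prefer_server_ciphers on;
    ssl_session_tickets off;
}
"""

# The same block with the settings a current deployment should use (constructed)
HARDENED_TLS_CONF = """
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
    ssl_prefer_server_ciphers off;
    ssl_session_tickets off;
}
"""

DEPRECATED_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
# Substrings in OpenSSL suite names that mark legacy or broken constructions
WEAK_MARKERS = ("DES-CBC3", "RC4", "MD5", "NULL", "EXPORT")
# Substrings that identify AEAD suites; anything else in the list is CBC with HMAC
AEAD_MARKERS = ("-GCM-", "CHACHA20", "CCM")


def parse_ssl_directives(conf):
    """Map each ssl_* directive in an Nginx block to its argument string (surrounding quotes stripped)."""
    found = {}
    for m in re.finditer(r'^\s*(ssl_\w+)\s+(.+?)\s*;\s*$', conf, re.MULTILINE):
        found[m.group(1)] = m.group(2).strip('"\'')
    return found


def audit_tls(conf):
    """Return findings for deprecated protocols and weak or non-AEAD suites; empty list when clean."""
    findings = []
    directives = parse_ssl_directives(conf)
    for proto in directives.get("ssl_protocols", "").split():
        if proto in DEPRECATED_PROTOCOLS:
            findings.append("ssl_protocols enables deprecated %s" % proto)
    for suite in directives.get("ssl_ciphers", "").split(":"):
        if not suite or suite.startswith("!"):  # '!DSS'-style exclusions are not suites
            continue
        if any(marker in suite for marker in WEAK_MARKERS):
            findings.append("ssl_ciphers includes weak suite %s" % suite)
        elif not any(marker in suite for marker in AEAD_MARKERS):
            findings.append("ssl_ciphers includes CBC (non-AEAD) suite %s" % suite)
    return findings


if __name__ == "__main__":
    for label, conf in (("page config", PAGE_TLS_CONF), ("hardened", HARDENED_TLS_CONF)):
        print(label, "->", audit_tls(conf) or "no findings")
```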

Wazuh – Setup File Integrity Monitoring

Posted on June 11, 2020 by Admin

#fim #fileintegritymonitoring #wazuh #fileintegrity

How to set up File Integrity Monitoring (FIM): configure and monitor your critical nodes and servers so you don't miss any critical alerts or events.

Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance.

Features include

  • Security Analytics
  • Intrusion Detection
  • Log Data Analysis
  • File Integrity Monitoring
  • Vulnerability Detection
  • Configuration Assessment
  • Incident Response
  • Regulatory Compliance
  • Cloud Security
  • Container Security

Wazuh – https://wazuh.com/
Wazuh Ova Download (Version 3.12) – https://documentation.wazuh.com/3.12/installation-guide/virtual-machine.html
Wazuh Agent Download – https://documentation.wazuh.com/3.12/installation-guide/installing-wazuh-agent/index.html
Wazuh Setup Video – https://youtu.be/WqQUIz5XRpQ

UpBrightSkills Blogs – https://www.upbrightskills.com/
Go Language Programs – https://www.golangprograms.com/

Wazuh – How to Setup Email Notifications

Posted on June 11, 2020 by Admin

How to set up email notifications: configure them and stay notified so you don't miss any critical alerts or events.

