wazuh / wazuh-documentation

Wazuh - Project documentation
https://wazuh.com

Add Active Response Script to Quarantine a Linux Server #6724

Open FahimOstrich opened 1 year ago

FahimOstrich commented 1 year ago

Hello team,

We recently worked on preparing an active response script to quarantine a Linux server based on any critically suspicious alert triggered for that agent. Here I am sharing the steps to configure the script and test it.

Preparing an Active Response Script

We leveraged iptables in this active response script to drop all inbound and outbound traffic from the Linux server and thereby quarantine it. Here is the simple shell script to use:

#!/bin/bash

# Log the quarantine action
echo "$(date '+%Y/%m/%d %H:%M:%S') quarantine-ar: Successfully quarantined server" >> /var/ossec/logs/active-responses.log

# Pause for 10 seconds so the log line reaches the manager before traffic is cut
sleep 10

# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow SSH (inbound to port 22 and the replies sent from it)
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -I OUTPUT -p tcp --sport 22 -j ACCEPT

To use this active-response script (quarantine.sh), you need to save it in the /var/ossec/active-response/bin directory of the Linux agent and give it the necessary permissions and ownership with the commands below:

chmod 750 /var/ossec/active-response/bin/quarantine.sh
chown root:wazuh /var/ossec/active-response/bin/quarantine.sh

Configuring the Active Response Script

To make this script work as an active response to certain security events, you need to add the relevant <command> and <active-response> configuration sections to the wazuh-manager's /var/ossec/etc/ossec.conf file. This should be configured as below:

<ossec_config>
  <command>
    <name>linux-quarantine-ar</name>
    <executable>quarantine.sh</executable>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>linux-quarantine-ar</command>
    <location>local</location>
    <rules_id>2501</rules_id>
    <timeout>60</timeout>
  </active-response>
</ossec_config>

Here, we configured this active response to trigger based on the rule ID 2501 (syslog: User authentication failure.) in local endpoints for testing. This can be configured for any rule ID based on specific use cases.

Moreover, add these custom rules to trigger an alert based on the log generated by the quarantine.sh script.

<group name="quarantine,">
  <rule id="100093" level="0">
    <match>quarantine-ar</match>
    <description>Quarantine active-response log.</description>
  </rule>

  <rule id="100094" level="10">
    <if_sid>100093</if_sid>
    <match>Successfully quarantined</match>
    <description>Server Quarantined due to malicious activity.</description>
  </rule>
</group>

Testing the Active Response Script

Check and confirm that the Linux server has proper network access before triggering the User authentication failure rule.

iptables list: [screenshot]

Ping to other server: [screenshot]

Ping from other server: [screenshot]

Checking internet access from the browser: [screenshot]

Then lock the server and try to log in with a wrong credential: [screenshot]

After that, check the dashboard: you should see the alert for rule ID 2501 triggered and, within a minute, another alert for rule ID 100094 from the Linux agent. [screenshot]

Now check the same things again to confirm that all traffic from the server is dropped and it is quarantined. iptables list: [screenshot]

Ping to other server: [screenshot]

Ping from other server: [screenshot]

Checking internet access from the browser: [screenshot]

Logs from agent’s /var/ossec/logs/ossec.log file:

2023/09/13 23:48:38 wazuh-modulesd: WARNING: Process locked due to agent is offline. Waiting for connection...
2023/09/13 23:50:34 wazuh-agentd: ERROR: (1216): Unable to connect to '192.168.189.137:1514/tcp': 'Connection timed out'.
2023/09/13 23:50:44 wazuh-agentd: INFO: Trying to connect to server (192.168.189.137:1514/tcp).
2023/09/13 23:52:53 wazuh-agentd: ERROR: (1216): Unable to connect to '192.168.189.137:1514/tcp': 'Connection timed out'.
2023/09/13 23:53:03 wazuh-agentd: INFO: Trying to connect to server (192.168.189.137:1514/tcp).

After the default disconnection time has passed, the agent will also be shown as disconnected in the Wazuh dashboard. [screenshot]

Getting SSH access

As we dropped all traffic except SSH using the script, we tried to log in to the server with SSH and got access successfully. [screenshot]

As we can access the server through SSH, we can now investigate the issue there and, once it is resolved, revert the iptables setup to allow all inbound and outbound traffic again.

Process to revert back

To bring this quarantined server online again by reverting all the network settings and accepting inbound and outbound traffic, you need to run these commands in the server terminal:

# Restore ACCEPT as the default policy on all three chains
# (the SSH ACCEPT rules inserted by quarantine.sh stay in place but are now redundant)
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Can you please test this and add the steps to the documentation for quarantining Linux agents using active response? Please feel free to share your feedback for improvements as well.

Regards, Abdullah Al Rafi Fahim

NomanAbdullah commented 1 year ago

Hello @FahimOstrich,

I appreciate your initiative in creating an Active Response script to disconnect a Linux endpoint from the network. However, I'd like to offer some suggestions to enhance the script's effectiveness.

Regarding the SSH port, it may not be necessary to keep it open if your intention is to quarantine or disconnect a Linux endpoint. To improve security, I recommend configuring the iptables policies to DROP all sorts of connections and only ACCEPT communication between the Wazuh agent and Wazuh server using their defined ports (1514, 1515, 55000). I've taken the liberty to modify the custom Active Response script to reflect these changes.

Here's the updated script:

#!/bin/bash

# Log the quarantine action
echo "$(date '+%Y/%m/%d %H:%M:%S') quarantine-ar: Successfully quarantined server" >> /var/ossec/logs/active-responses.log

# Flush existing rules and set the default policies to DROP
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow loopback traffic (important for local communication)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow traffic to and from the Wazuh server on TCP ports 1514, 1515 and 55000
# (replace <WAZUH_SERVER_IP> with the manager's address)
iptables -A INPUT -s <WAZUH_SERVER_IP> -p tcp -m multiport --sports 1514,1515,55000 -j ACCEPT
iptables -A OUTPUT -d <WAZUH_SERVER_IP> -p tcp -m multiport --dports 1514,1515,55000 -j ACCEPT

iptables -L output: [screenshot]

Wazuh agent remains in communication with the Wazuh server even after being disconnected from the network. [screenshot]

Please review and implement these changes as needed.

Regards,
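
A variant of quarantine.sh, added here as an example (not the script posted in this issue), that reads the JSON message wazuh-execd sends on stdin in Wazuh 4.x and applies the quarantine on "add" and lifts it on "delete", so the <timeout> in the active-response block above actually restores connectivity instead of re-running the script. It assumes the manager address comes from WAZUH_SERVER_IP (placeholder 192.0.2.10 in the code) and, following the suggestion above, keeps only the agent ports 1514 and 1515 open:

```bash
#!/bin/bash
# Hypothetical quarantine.sh (added example, not the script posted in this issue).
# Wazuh 4.x: wazuh-execd writes one JSON line to stdin whose "command" is "add"
# when the rule fires and "delete" when <timeout> expires, so one script both
# applies and lifts the quarantine. Assumed: WAZUH_SERVER_IP (placeholder 192.0.2.10).
LOG="${AR_LOG:-/var/ossec/logs/active-responses.log}"
WAZUH_SERVER_IP="${WAZUH_SERVER_IP:-192.0.2.10}"
PORTS="1514,1515"

log() { echo "$(date '+%Y/%m/%d %H:%M:%S') quarantine-ar: $*" >> "$LOG"; }
# Value of the first "command" key in the JSON line (no jq needed); fails if absent.
parse_command() {
    case "$1" in *\"command\"*) ;; *) return 1 ;; esac
    rest=${1#*\"command\"}; rest=${rest#*\"}
    printf '%s\n' "${rest%%\"*}"
}

# Rules that keep loopback and the agent-to-manager channel alive while quarantined.
allow_rules() {
    echo "INPUT -i lo -j ACCEPT"
    echo "OUTPUT -o lo -j ACCEPT"
    echo "INPUT -s $WAZUH_SERVER_IP -p tcp -m multiport --sports $PORTS -j ACCEPT"
    echo "OUTPUT -d $WAZUH_SERVER_IP -p tcp -m multiport --dports $PORTS -j ACCEPT"
}
set_policy() { for c in INPUT FORWARD OUTPUT; do iptables -P "$c" "$1"; done; }
# Insert the allow rules before flipping policies to DROP; on revert, open policies first.
quarantine_on()  { allow_rules | while read -r r; do iptables -I $r; done; set_policy DROP; }
quarantine_off() { set_policy ACCEPT; allow_rules | while read -r r; do iptables -D $r; done; }

handle() {
    case "$1" in
        add)    quarantine_on  && log "Successfully quarantined server" ;;
        delete) quarantine_off && log "Quarantine lifted after timeout" ;;
        *)      log "Ignoring unknown command '$1'"; return 1 ;;
    esac
}

main() {
    read -r msg && cmd=$(parse_command "$msg") || return 1
    if [ "$cmd" = add ]; then  # stateful flow: execd replies continue or abort
        printf '{"version":1,"origin":{"name":"quarantine","module":"active-response"},"command":"check_keys","parameters":{"keys":["host"]}}\n'
        read -r reply; case "$reply" in *\"continue\"*) ;; *) return 0 ;; esac
    fi
    handle "$cmd"
}

# Act only when installed under the name the manager's <executable> points at;
# under any other name the file just defines the functions (so it can be sourced).
case "$(basename "$0")" in quarantine.sh) main ;; esac
```

The same <command> block as above (with <executable>quarantine.sh</executable>) and the 60-second <timeout> are enough on the manager side; the constant key "host" makes execd abort a second "add" while the quarantine is already in force.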

MiguelCasaresRobles commented 1 year ago

Hello @NomanAbdullah,

Thank you for the suggestion. We considered it would be useful for users/customers to add this in the documentation/code as another out-of-the-box active response capability.

Please, proceed as needed.