Table of contents
- 1 What is Wazuh and Why Should You Use It?
- 2 Initial Preparations Before Installation
- 3 Installing Docker
- 4 Docker Compose
- 5 Setting Up the Wazuh Environment
- 6 Generating Certificates and Starting Up Wazuh
- 7 Verification of the Installation
- 8 Customization and Monitoring
- 9 Wazuh Password Change
- 9.1 Generate the hash of the new password using the Wazuh container:
- 9.2 Update the internal users file with the hash of the new password:
- 9.3 Update the docker-compose.yml file with the new password:
- 9.4 Bring the services up again with Docker Compose:
- 9.5 Access the container and run the security script:
Wazuh has become an essential tool for security management in information systems. Thanks to its ability to detect intrusions, ensure data integrity, and monitor security, many companies and individuals choose to set up their own Wazuh server. Here I will explain how you can install and configure your Wazuh server, step by step, without using complicated lists or enumerations.
What is Wazuh and Why Should You Use It?
Wazuh is an open-source security platform that provides intrusion detection, integrity monitoring, incident response, and compliance auditing. Its versatility makes it ideal for both small businesses and large corporations. Furthermore, being open-source, Wazuh is completely free and allows modifications to meet any specific needs.
Initial Preparations Before Installation
Before you dive into the installation of Wazuh, it is crucial that you prepare your system. This involves ensuring that the operating system is updated and setting up the environment to support the installation of Wazuh through Docker. Here is how you do it:
First, it is necessary to disable the firewall to prevent it from interfering with the installation process. To do this, simply execute in the terminal:
ufw disable
This command will disable the firewall, ensuring that it will not block any of the necessary connections during the installation.
Next, you must ensure that all system packages are updated and that git is installed, as you will need it to clone the Wazuh repository. Execute:
apt update && apt install git
With these commands, your system will be updated and ready for the next phase.
Installing Docker
Wazuh in Docker simplifies dependency management and ensures that the platform can run isolated and secure. To install Docker, you can use the script provided by Docker, which sets up everything automatically:
curl -sSL https://get.docker.com/ | sh
Once Docker is installed, it is essential to ensure it automatically runs at system startup:
systemctl start docker
systemctl enable docker
These commands will start the Docker service and configure it to automatically start at each system boot.
Docker Compose
If you install Docker as previously indicated, you do not need to install this tool, but if you already have Docker and it does not support “docker compose”, you can install docker-compose like this:
curl -L "https://github.com/docker/compose/releases/download/v2.12.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
In that case, wherever the commands below use “docker compose”, run “docker-compose” instead.
Setting Up the Wazuh Environment
With Docker already configured, the next step is to prepare the specific environment for Wazuh. Change to /opt, a suitable directory for keeping the security-related files organized:
cd /opt
Now, it is time to clone the most recent version of the Wazuh repository for Docker:
git clone https://github.com/wazuh/wazuh-docker.git -b v4.7.3
This command downloads all the necessary files to run Wazuh in a Docker container.
Generating Certificates and Starting Up Wazuh
Before starting Wazuh, you must generate the necessary certificates for the proper functioning of the Wazuh components. Navigate to the correct directory and execute the certificate generator:
cd wazuh-docker/single-node/
docker compose -f generate-indexer-certs.yml run --rm generator
With the certificates generated, you are now ready to start all the Wazuh services:
docker compose up -d
This last command brings up all the containers necessary for Wazuh to operate properly in single-node mode, ideal for test environments or small deployments.
Verification of the Installation
Once all the previous steps are completed, it is important to verify that everything is working as expected. You can check the status of the Docker containers to ensure that all Wazuh services are active and running. Additionally, access the Wazuh web interface to start exploring the functionalities and available settings.
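The two checks just described (container status and reachable web interface) can be scripted. This is an added helper of my own, not code from the post or from wazuh-docker; it assumes the single-node compose project names its containers single-node-wazuh.manager-1, single-node-wazuh.indexer-1 and single-node-wazuh.dashboard-1 (the indexer name appears later in the post, the other two follow the same pattern), and that the dashboard is published on HTTPS port 443.

```shell
#!/usr/bin/env bash
# Added verification helper (not from the original post or wazuh-docker).
# Assumed container names of the single-node compose project (the indexer name is the
# one the post uses; manager and dashboard are assumed to follow the same pattern).
set -eu
REQUIRED_CONTAINERS="single-node-wazuh.manager-1 single-node-wazuh.indexer-1 single-node-wazuh.dashboard-1"

# $1 = output of:  docker ps --format '{{.Names}}\t{{.Status}}'
# Prints one line per required container; returns 1 if any is missing or not healthy/up.
check_wazuh_containers() {
  rc=0
  for name in $REQUIRED_CONTAINERS; do
    status="$(printf '%s\n' "$1" | awk -F '\t' -v n="$name" '$1 == n { print $2 }')"
    case "$status" in
      *unhealthy*) printf 'NOT UP   %s (%s)\n' "$name" "$status"; rc=1 ;;
      Up*)         printf 'OK       %s (%s)\n' "$name" "$status" ;;
      "")          printf 'MISSING  %s\n' "$name"; rc=1 ;;
      *)           printf 'NOT UP   %s (%s)\n' "$name" "$status"; rc=1 ;;
    esac
  done
  return $rc
}

# Live check against the local Docker host. The dashboard is published on 443 with
# the self-signed certificate generated earlier, hence curl -k.
verify_install() {
  check_wazuh_containers "$(docker ps --format '{{.Names}}\t{{.Status}}')"
  code="$(curl -k -s -o /dev/null -w '%{http_code}' https://localhost/)"
  [ "$code" = 200 ] || [ "$code" = 302 ] || { echo "dashboard returned HTTP $code"; return 1; }
  echo "dashboard reachable (HTTP $code)"
}
```

Run verify_install on the Docker host after docker compose up -d; a non-zero exit names the container that is missing or not running.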
Customization and Monitoring
With your Wazuh server now operational, the next step is to customize the configuration to adapt it to your specific needs. Wazuh offers a wide variety of options for configuring rules, alerts, and automatic responses to incidents. Take advantage of the available documentation to explore all the possibilities that Wazuh offers.
Installing and configuring your own Wazuh server may seem like a complex task, but by following these steps, you will have a robust computer security system without needing large investments. Not only will it improve the security of your information, but it will also provide you with a powerful tool to monitor and proactively respond to any incident.
Wazuh Password Change
Stop the service using Docker Compose:
docker compose down
Generate the hash of the new password using the Wazuh container:
Run the following command to start the hash script:
docker run --rm -ti wazuh/wazuh-indexer:4.6.0 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh
Enter the new password when prompted and copy the generated hash.
Update the internal users file with the hash of the new password:
Open the file with a text editor like vim:
vim config/wazuh_indexer/internal_users.yml
Paste the generated hash for the admin user.
Update the docker-compose.yml file with the new password:
Open the docker-compose.yml file:
vim docker-compose.yml
Enter the new password in lines 24 and 81 where it says INDEXER_PASSWORD.
Bring the services up again with Docker Compose:
docker compose up -d
This restarts the service stack.
Access the container and run the security script:
Access the container:
docker exec -it single-node-wazuh.indexer-1 bash
Define the variables and run the security script:
export INSTALLATION_DIR=/usr/share/wazuh-indexer
CACERT=$INSTALLATION_DIR/certs/root-ca.pem
KEY=$INSTALLATION_DIR/certs/admin-key.pem
CERT=$INSTALLATION_DIR/certs/admin.pem
export JAVA_HOME=/usr/share/wazuh-indexer/jdk
bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/opensearch-security/ -nhnv -cacert $CACERT -cert $CERT -key $KEY -p 9200 -icl
Exit the container:
exit
This process updates the Wazuh admin password in a Docker deployment; follow every step, in order, for the change to take effect.
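The whole sequence above (stop, hash, edit internal_users.yml, edit docker-compose.yml, start, run securityadmin) as one repeatable script. This is an added example of my own, not code from the post or from wazuh-docker; it assumes it runs from wazuh-docker/single-node/ with the two files in the paths the post uses, the image tag and container name the post gives, and that hash.sh accepts the password with -p instead of prompting.

```shell
#!/usr/bin/env bash
# Added helper script (not part of the original post or of wazuh-docker).
# Run it from wazuh-docker/single-node/, where the two files edited by the post live:
#   config/wazuh_indexer/internal_users.yml   and   docker-compose.yml
set -eu
INDEXER_IMAGE="wazuh/wazuh-indexer:4.6.0"          # image used in the post's hash.sh step
INDEXER_CONTAINER="single-node-wazuh.indexer-1"   # container name used in the post

# Replace the "hash:" line inside one user's block of internal_users.yml.
# Values go through ENVIRON so awk does not interpret backslashes or "&" in them.
set_user_hash() {   # $1 = file, $2 = user, $3 = bcrypt hash printed by hash.sh
  USER_NAME="$2" NEW_HASH="$3" awk '
    /^[A-Za-z0-9_-]+:$/ { in_user = ($1 == (ENVIRON["USER_NAME"] ":")) }
    in_user && /^ +hash:/ { $0 = "  hash: \"" ENVIRON["NEW_HASH"] "\""; n++ }
    { print }
    END { exit (n == 1) ? 0 : 1 }' "$1" > "$1.tmp" || { rm -f "$1.tmp"; return 1; }
  mv "$1.tmp" "$1"
}

# Replace every INDEXER_PASSWORD=... value (the post edits lines 24 and 81 by hand).
set_indexer_password() {   # $1 = compose file, $2 = new password
  NEW_PW="$2" awk '
    index($0, "INDEXER_PASSWORD=") { n++
      $0 = substr($0, 1, index($0, "INDEXER_PASSWORD=") - 1) "INDEXER_PASSWORD=" ENVIRON["NEW_PW"] }
    { print }
    END { exit (n > 0) ? 0 : 1 }' "$1" > "$1.tmp" || { rm -f "$1.tmp"; return 1; }
  mv "$1.tmp" "$1"
}

# The container-backed steps of the post; these need Docker and are not run offline.
hash_password() {   # $1 = new password; prints the bcrypt hash
  docker run --rm -i "$INDEXER_IMAGE" \
    bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh -p "$1"
}
run_securityadmin() {   # loads the edited internal_users.yml into the running indexer
  docker exec -i "$INDEXER_CONTAINER" bash -c '
    INSTALLATION_DIR=/usr/share/wazuh-indexer; export JAVA_HOME=$INSTALLATION_DIR/jdk
    bash $INSTALLATION_DIR/plugins/opensearch-security/tools/securityadmin.sh \
      -cd $INSTALLATION_DIR/opensearch-security/ -nhnv -p 9200 -icl \
      -cacert $INSTALLATION_DIR/certs/root-ca.pem \
      -cert $INSTALLATION_DIR/certs/admin.pem -key $INSTALLATION_DIR/certs/admin-key.pem'
}
change_admin_password() {   # the post's sequence: down, hash, edit both files, up, securityadmin
  docker compose down
  set_user_hash config/wazuh_indexer/internal_users.yml admin "$(hash_password "$1")"
  set_indexer_password docker-compose.yml "$1"
  docker compose up -d
  # securityadmin fails until the indexer answers on 9200, so retry for a few minutes.
  for i in $(seq 1 18); do run_securityadmin && return 0; sleep 10; done; return 1
}
```

Call change_admin_password 'new-password' from the single-node directory; the two file editors refuse to write (and remove their temporary file) if the user block or the INDEXER_PASSWORD entries are not found.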