Install Your Own Wazuh Server on Ubuntu

Wazuh has become an essential tool for security management in information systems. Thanks to its ability to detect intrusions, monitor file integrity, and watch over security events, many companies and individuals choose to set up their own Wazuh server. Here I will explain, step by step and without long enumerated lists, how to install and configure your own Wazuh server.

What is Wazuh and Why Should You Use It?

Wazuh is an open-source security platform that provides intrusion detection, integrity monitoring, incident response, and compliance auditing. Its versatility makes it ideal for both small businesses and large corporations. Furthermore, being open-source, Wazuh is completely free and allows modifications to meet any specific needs.

Initial Preparations Before Installation

Before you dive into installing Wazuh, it is crucial to prepare your system: make sure the operating system is up to date and set up the environment needed to run Wazuh through Docker. Here is how:

First, disable the ufw firewall so that it does not interfere with the installation process. In the terminal, run:

ufw disable

This disables the firewall so that none of the connections needed during the installation are blocked. Keep in mind that the host has no firewall while it stays disabled; once the installation is verified, re-enable it and allow only the ports Wazuh needs.

Next, update the package lists and make sure git is installed, as you will need it to clone the Wazuh repository. Execute:

apt update && apt install git

With these commands the package index is refreshed and git is available, so the system is ready for the next phase.

Installing Docker

Running Wazuh in Docker simplifies dependency management and keeps the platform isolated from the host. To install Docker, use the convenience script provided by Docker, which sets everything up automatically:

curl -sSL https://get.docker.com/ | sh

Once Docker is installed, make sure the service is running and starts automatically at boot:

systemctl start docker
systemctl enable docker

These commands start the Docker service and configure it to start on every boot.

Docker Compose

If you installed Docker as indicated above, you do not need this tool. If you already had Docker and it does not support the “docker compose” subcommand, you can install the standalone docker-compose binary like this:

curl -L "https://github.com/docker/compose/releases/download/v2.12.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

In that case, run the “docker compose” commands that follow as docker-compose instead.


Setting Up the Wazuh Environment

With Docker configured, the next step is to prepare the environment for Wazuh. Move to /opt, a suitable directory for keeping the security-related files organized:

cd /opt

Now clone the Wazuh Docker repository, checking out the v4.7.3 release:

git clone https://github.com/wazuh/wazuh-docker.git -b v4.7.3

This downloads all the files needed to run Wazuh in Docker containers.

Generating Certificates and Starting Up Wazuh

Before starting Wazuh, generate the certificates that the Wazuh components use to communicate with each other. Change into the single-node directory and run the certificate generator:

cd wazuh-docker/single-node/
docker compose -f generate-indexer-certs.yml run --rm generator

With the certificates generated, you are now ready to start all the Wazuh services:

docker compose up -d

This last command starts all the containers needed for Wazuh to operate in single-node mode, which is ideal for test environments or small deployments.

Verification of the Installation

Once the previous steps are complete, verify that everything works as expected: check the status of the Docker containers to make sure all Wazuh services are up and running, then open the Wazuh web interface to start exploring its features and settings.
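As an added example (not part of the original article), the following POSIX shell script automates that verification: it checks that the three single-node containers are up and that the ports the stack publishes are listening. The container names follow the single-node-<service>-1 pattern used later in this article; the port list is an assumption taken from the default single-node docker-compose.yml, so adjust it if yours differs.

```shell
#!/bin/sh
# Added verification helper for the wazuh-docker single-node stack.
# Container names follow the single-node-<service>-1 pattern seen in
# the article; the port list is assumed from the default single-node
# docker-compose.yml (443 dashboard, 9200 indexer, 1514/1515 agents,
# 55000 manager API). Adjust both if your compose file differs.
EXPECTED_SERVICES="wazuh.manager wazuh.indexer wazuh.dashboard"
EXPECTED_PORTS="443 9200 1514 1515 55000"

# check_services: reads "NAME STATUS" lines from stdin, as printed by
#   docker ps --format '{{.Names}} {{.Status}}'
# and reports each expected container that is missing or not "Up".
# Returns 0 only when all three are running.
check_services() {
    ps_lines=$(cat)
    rc=0
    for svc in $EXPECTED_SERVICES; do
        line=$(printf '%s\n' "$ps_lines" | grep "^single-node-${svc}-1 " || true)
        case "$line" in
            "")               echo "MISSING: $svc"; rc=1 ;;
            *" Up"|*" Up "*)  ;;  # running, possibly "(healthy)"
            *)                echo "NOT RUNNING: $line"; rc=1 ;;
        esac
    done
    return $rc
}

# check_ports: reads the output of "ss -ltn" from stdin and reports
# every expected TCP port with no listening socket. Returns 0 only
# when all of them are bound.
check_ports() {
    ss_lines=$(cat)
    rc=0
    for port in $EXPECTED_PORTS; do
        if ! printf '%s\n' "$ss_lines" | grep -Eq "[:.]${port}([[:space:]]|\$)"; then
            echo "NOT LISTENING: tcp/$port"; rc=1
        fi
    done
    return $rc
}

# Run with --live on the Docker host to check the real stack:
#   sh verify-wazuh.sh --live
if [ "${1:-}" = "--live" ]; then
    docker ps --format '{{.Names}} {{.Status}}' | check_services
    ss -ltn | check_ports
fi
```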

Customization and Monitoring

With your Wazuh server now operational, the next step is to customize the configuration to adapt it to your specific needs. Wazuh offers a wide variety of options for configuring rules, alerts, and automatic responses to incidents. Take advantage of the available documentation to explore all the possibilities that Wazuh offers.

Installing and configuring your own Wazuh server may seem like a complex task, but by following these steps, you will have a robust computer security system without needing large investments. Not only will it improve the security of your information, but it will also provide you with a powerful tool to monitor and proactively respond to any incident.

Wazuh Password Change

Stop the stack with Docker Compose:

docker compose down

Generate the hash of the new password with the hash script shipped in the Wazuh indexer image (ideally use the same image tag as the version you deployed):

docker run --rm -ti wazuh/wazuh-indexer:4.6.0 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh

Enter the new password when prompted and copy the generated hash.

Update the internal users file with the hash of the new password. Open it with a text editor such as vim:

vim config/wazuh_indexer/internal_users.yml

Replace the value of hash under the admin user with the generated hash.

Update the docker-compose.yml file with the new password. Open it:

vim docker-compose.yml

Set the new password on lines 24 and 81, where INDEXER_PASSWORD is defined (if the line numbers differ in your copy, search the file for INDEXER_PASSWORD; both occurrences must be changed).

Start the services again with Docker Compose:

docker compose up -d

This restarts the service stack.

Access the indexer container and run the security script. Open a shell in the container:

docker exec -it single-node-wazuh.indexer-1 bash

Define the variables and run the security script:

export INSTALLATION_DIR=/usr/share/wazuh-indexer
CACERT=$INSTALLATION_DIR/certs/root-ca.pem
KEY=$INSTALLATION_DIR/certs/admin-key.pem
CERT=$INSTALLATION_DIR/certs/admin.pem
export JAVA_HOME=/usr/share/wazuh-indexer/jdk
bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/opensearch-security/ -nhnv -cacert $CACERT -cert $CERT -key $KEY -p 9200 -icl

Exit the container:

exit

This process updates the Wazuh admin password in a Docker deployment. Follow every step: the hash in internal_users.yml, the password in docker-compose.yml and the securityadmin.sh run must all be in sync for the change to take effect.
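As an added helper (not part of the original article or the Wazuh project), this POSIX shell script performs the two file edits of the procedure above without a manual editor session: it writes the new bcrypt hash under the admin user in internal_users.yml and rewrites every INDEXER_PASSWORD entry in docker-compose.yml. It assumes the stock YAML layout of both files (a top-level "admin:" key followed by an indented "hash:" line, and compose environment entries of the form "- INDEXER_PASSWORD=...").

```shell
#!/bin/sh
# Added helper that scripts the two file edits of the password change:
# the admin hash in config/wazuh_indexer/internal_users.yml and the
# INDEXER_PASSWORD entries in docker-compose.yml. Run it from
# /opt/wazuh-docker/single-node while the stack is stopped. Assumes the
# stock YAML layout: a top-level "admin:" key followed by an indented
# "hash:" line, and compose environment entries written as
# "      - INDEXER_PASSWORD=...".

# set_admin_hash FILE HASH: replace only the hash under the top-level
# admin user; other users (kibanaserver, ...) keep their own hashes.
set_admin_hash() {
    file=$1; newhash=$2
    awk -v h="$newhash" '
        /^[^ \t#]/ { in_admin = ($0 == "admin:") }   # new top-level key
        in_admin && /^[ \t]+hash:/ { $0 = "  hash: \"" h "\"" }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# set_indexer_password FILE PASSWORD: rewrite every "- INDEXER_PASSWORD="
# line (lines 24 and 81 in the article) to the new value. Characters that
# are special to the sed replacement are rejected rather than mangled.
set_indexer_password() {
    file=$1; pw=$2
    case "$pw" in
        *\|*|*\&*|*\\*) echo "password must not contain |, & or \\" >&2; return 1 ;;
    esac
    sed "s|^\([[:space:]]*-[[:space:]]*INDEXER_PASSWORD=\).*|\1${pw}|" "$file" \
        > "$file.tmp" && mv "$file.tmp" "$file"
}

# count_matching FILE REGEX: number of lines matching REGEX, so you can
# confirm both INDEXER_PASSWORD lines were rewritten before running
# "docker compose up -d" again.
count_matching() {
    grep -c -- "$2" "$1" || true
}
```

Typical use is set_admin_hash config/wazuh_indexer/internal_users.yml "$HASH" followed by set_indexer_password docker-compose.yml "$NEWPASS", then count_matching docker-compose.yml "INDEXER_PASSWORD=$NEWPASS" should print 2.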
