Example Setup for Wazuh Active Response

This guide summarizes how to configure Wazuh’s active response to defend against Secure Shell (SSH) brute-force attacks.

Overview

Wazuh can automatically block IP addresses attempting SSH brute-force attacks using its active response module. This feature executes scripts on monitored endpoints when specific triggers occur.

Configuration Steps

• Verify Default Script

  • Check for firewall-drop script in /var/ossec/active-response/bin/ on Linux/Unix systems.

• Configure Command in wazuh_manager.conf

  Note: This command (firewall-drop) already exists. However, you can create custom scripts located in the active response/bin path and add new command entries in the .conf located at wazuh_manager.conf located at: /opt/lme/config/wazuh_cluster/wazuh_manager.conf

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  

• Set Up Active Response

  • Locate the active-response options here section in the .conf file.

  • Copy and paste the full configuration block below that commented line. You can continue to add more active response configs below this entry.

    <active-response>
      <command>firewall-drop</command>
      <location>local</location>
      <rules_id>5763</rules_id>
      <timeout>180</timeout>
    </active-response>
    

  • This configures a local response, triggering on rule 5763 (SSH brute-force detection) with a 180-second block.

• Restart Wazuh Manager

  podman restart lme-wazuh-manager
  

How It Works

• When rule 5763 triggers (detecting SSH brute-force attempts), the firewall-drop script executes.

• The script uses iptables to block the attacker’s IP address for the specified timeout period.

• Wazuh logs this action in /var/ossec/logs/active-responses.log.

Monitoring

• The Wazuh dashboard displays alerts when rule 5763 triggers and when an active response occurs.

• The active response alert is typically associated with rule ID 651. These alerts will be displayed in Kibana in the Wazuh alerts dashboard.

Testing

• Use a tool (e.g., Hydra) to simulate a brute-force attack, or SSH into the machine repeatedly until it triggers. You will need eight failed SSH attempts to trigger the brute-force rule. (This threshold can be adjusted in the ruleset manually.)

• Verify that the attacker’s IP is blocked by attempting to ping the target machine.

Custom Responses

• You can create custom scripts for different actions.

• For custom scripts, ensure you create corresponding rules to analyze the generated logs.

This setup provides an automated defense against SSH brute-force attacks, enhancing the security of your Linux/Unix systems monitored by Wazuh.

Reference the Wazuh Ruleset for a list of Wazuh rules that trigger.

Consult Wazuh documentation for more on active response configuration.

• ←Previous
• Next→