Security on Life and Shell

Wazuh Digest any source!

Sun, 13 Apr 2025 09:32:36 +0000

How I Built a Custom Wazuh Log Ingest Pipeline (And Ditched the Wodle) If you’ve ever tried to push custom logs into Wazuh, you’ve probably stumbled across something called a Wodle. Wazuh uses these built-in scripts to collect and parse data—especially useful for integrations like AWS. So… Wodle for AWS? Sure, Wodle can collect AWS logs. But when I tried using it for my AWS environment, things didn’t exactly go as planned.

Running Wazuh Agents in Docker – From Traditional HIDS to Ingest Agents

Sun, 13 Apr 2025 08:56:12 +0000

Wazuh Wazuh is a powerful open-source security platform built to monitor systems for threats, intrusions, and anomalies. Traditionally, the Wazuh agent is installed on physical or virtual Linux servers to perform host-based intrusion detection (HIDS). It passively monitors the system and reports any suspicious changes or activity to the Wazuh manager. This works well in environments where systems are treated as immutable infrastructure — where servers are expected to remain unchanged.

Wazuh On Kubernetes using Helm

Sat, 12 Apr 2025 21:50:16 +0000

From OSSEC to Wazuh: My Journey and Kubernetes Setup I started a long time ago using OSSEC, and eventually transitioned over to Wazuh—back when it still relied on Elasticsearch for storage and search. Recently, when I returned to Wazuh for a new project, I was surprised to find that there was no simple way to deploy Wazuh into a local Kubernetes cluster for testing. So, I decided to revive and modernize an old Helm chart I had built a while back.

Migrate Elasticsearch helm to Elasticsearch Operator

Thu, 01 Dec 2022 13:17:35 +0000

Migrate elasticsearch helm to elasticsearch operator and from version 7 to version 8. So in the start, I used the helm chart for elasticsearch, and everything worked fine. Then elasticsearch 8 comes and the Elasticsearch operator. This broke by helm chart and kind of left me in a stalled state. But now I have to migrate my current elasticsearch that uses a helm chart to start using the operator.

Boundery on Kubernetes with Keycloak

Sat, 22 Jan 2022 11:43:24 +0000

We have 3 clusters running 2 on AWS and 1 on-prem. And to sort out connections for developers and admin the goal is to implement boundary as an access point. To verify the user we use Keycloak and 2FA, Then based on roles we give the different users access to different services inside the cluster. Service The user should be able to connect to an ssh server inside the network but also to service running inside Kubernetes like elasticsearch ore MySQL,

Vault EKS / AWS to pod The complete guide

Thu, 29 Oct 2020 09:17:42 +0000

I have bean working some time with vault and to deploy it to our EKS cluster and then to get the secrets into our pods. After many hours of searching i have found out that using kube-vault and vault-env. This gude uses tarraform to setup the resources you need in AWS. Then deploy the kubevault with ui into to cluster that will use a s3 bucket and backend and autoseal it self during boot

Running Counter-strike 1.6 and CSGO in kubernetes !

Wed, 29 Apr 2020 14:09:45 +0000

Yee so it was a long time ago when I spend days playing counter strike 1.6. And now when i got some more power full servers and some time I was thinking of setting up a some counter-strike server for me and some friends so we can play. I have a nice kubernetes cluster in my garage and a run all my stuff inside kubernetes so it was natural to make them into a kubernetes deploy.

Mesos cluster with Marathon running Docker

Fri, 11 Dec 2015 21:47:19 +0000

Hi So for hosting docker in large scale i have tested mesos cluster. Here is a guide for setting up 3 nodes in mesos running Centos 7. And the adding Marathon to controll the dockers running. The network mesos-master 172.0.0.10 mesos-slave1 172.0.0.11 mesos-slave2 172.0.0.12 The node also have on nic connect to the network with internet access. Security For this guide stop iptables and turn selinux off setenforce 0 systemect stop firewalld

Python DOS protection (iptables,dos)

Fri, 06 Nov 2015 15:18:51 +0000

here are a small script I use to have some sort of dos protection on my webservers. import subprocess whitelist=['192.168.1.2'] blockvalue=2 alertvalue=1 proc = subprocess.Popen("netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n", shell=True,stdout=subprocess.PIPE) running = proc.stdout.read() runing_sorted = running.split('\n') for r in runing_sorted: con =r.split() if len(con) ==2: #If ip has more conenctions then block value ip block if con[0] <= blockvalue: print "

Foreman provision to bare and libvirtd (Centos7, foreman, libvirtd, KVM)

Sun, 05 Jul 2015 21:26:46 +0000

So I have started to play around with foreman and to get it to provision my diffrent servers. I started by starting up some local virtual servers on my laptop and played around with them. The flow is i started installing foreman as a virtual server. Then i provisin a new virtual server as bare matal (I created a virtual server in virsh) ater that virtual server is prevision i installed it as a virtual host(kvm on kvm) and connected it to foreman so foreman kan provision kvm host.

vmware to kvm (OWASP broken webb app on KVM)

Tue, 09 Sep 2014 10:38:29 +0000

So I uses kvm for my virtual server. But i got OWASP broken webb app in vmware format and its not ok. But with the help from google i found some help to get the OWASP Broken Webb App on my kvm hosts. I follewed the info from this page http://blog.bodhizazen.net/linux/convert-vmware-vmdk-to-kvm-qcow2-or-virtualbox-vdi/ 1. Download and unzip Owasp Broken Webb app to you folder (It uses 7zip for some reason) https://www.

OAuth2 Server on Python (with flask on Centos)

Fri, 30 May 2014 20:04:05 +0000

So at work we have started to look at OAuth2 for our web apps. So on our creativ friday today i started looking at putting together an OAuth2 server using python and flask. I followed the guide from this page http://lepture.com/en/2013/create-oauth-server And after some work I got an working server and client running on my Centos server. The code only uses an sqlite db and are only testing the OAuth functions so for a working solutions there are some more work.

Install Pandora fms monitoring system on Centos

Sat, 22 Mar 2014 13:10:54 +0000

So for many years i use nagios to monitor my server and now im would say i can handle nagios config files good. But I fund pandora fms monitoring and this i must try. From the pandora console its mutch easy to from the webbrowser setup new task and tweek task so you alarms realy are correct. Doing this in nagios then i had to change config files and restart nagios and nrpe.

Protecting you web with ModSecurity On Centos

Tue, 04 Mar 2014 22:00:40 +0000

So it you worry about you webb then modsecurity is rely nice to have on your webbserver. I have it installed on my apache server with the regular rules from OWAS and also some rules for my own sites. But here is also how to install it. 1. Download and build modsec on your server Add some packages yum install gcc make yum install libxml2 libxml2-devel httpd-devel pcre-devel curl-devel Go to http://www.

Build you first syco Module

Tue, 18 Feb 2014 22:12:56 +0000

SO from the last post you can install syco but you also need to build and update your own plugins in syco. Here is a small guide how to build you first plugin. Here om building some syco commands for controlling apache and glassfish server. the commands are run from our syco-chuck release commands center so for adding them to syco i can controll the script from sudo and do some extra test before starting and stopping the service.

Setup SYCO on you centos box

Tue, 18 Feb 2014 15:27:04 +0000

So if you care about security and stability you must have syco installed on your server. Read more about syco on the github project https://github.com/systemconsole Im staring to use syco not only production but also on my “Own” server. So more of you should really start using it and here is i guide for you to start using syco 1. Installing and setting up centos yum install git Gettings syco

Blocking unwanted traffic (ddos,scrapers) Apache, Iptables

Tue, 11 Feb 2014 23:16:22 +0000

So spent last evning blocking ip comming from packetflip to our server. Looks in our Apache access log that there was some evil scraping going on so we started blocking. But its not that funny to block many ip manually so time for some scripts. First some info to use Packetflip user agent was Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.

Apache Strong SSL config

Sun, 19 Jan 2014 22:46:53 +0000

So only enable SSL on Apache is not good enough there are some config to add to apache to make it stronger. This are the setting i use in my apache ssl configs. SSLEngine On SSLCertificateFile /etc/apache2/ssl/apache.pem SSLCertificateKeyFile /etc/apache2/ssl/apache.key Header add Strict-Transport-Security "max-age=15768000" SSLCompression off SSLUseStapling on SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off SSLStaplingCache shmcb:/var/run/ocsp(128000) SSLProtocol All -SSLv2 -SSLv3 SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4 And for generating you cert I use openssl req -new -x509 -days 365 -nodes -out /etc/apache2/ssl/apache.

No more spam (Centos and postfix)

Wed, 25 Dec 2013 23:11:32 +0000

So i HATE spam and now to get rid of as so many as possible i go for 3 step. 1. Postfix Get postfix to restrict witch is to allow to send email to me. No strange name and use spam block lists. Also restrict time in how many connections you can do. 2. Greylisting So the first time some server tries to send email greylist says no resend that email.

Fail2Ban on Centos

Mon, 16 Dec 2013 20:58:10 +0000

Fail2Ban is a small service to block unwanted traffic to you server. I use it to block ssh,and postfix loggins in to my virtual hosts. Fail2Ban scans the service loggfiles and if it find any strange traffik like ssh bruteforce. That ip will be blocket for some time. All settings are done in /etc/fail2ban/ folder. Install Have epel repo aktivated on server tha run yum install fail2ban Then do your local config in

Install Diaspora one Centos 6.4 with Apache

Sun, 24 Nov 2013 21:25:42 +0000

So Im going to test diaspora on one of my virtual server with run centos 6.4. Setup Centos Setup Repos wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm" Install packages yum install tar make automake gcc gcc-c++ git net-tools libcurl-devel libxml2-devel libffi-devel libxslt-devel tcl redis ImageMagick npm mysql-server mysql-devel httpd mod_ssl libyaml libyaml-devel patch readline-devel libtool bison Start services chkconfig --level 3 httpd on chkconfig --level 3 mysqld on chkconfig --level 3 redis on

Private GIT server on centos 6

Tue, 15 Oct 2013 14:40:50 +0000

So i need to have an private git server. The plan is to fill the git server with my backups so I can see changes done to my git server. Set up the local GIT server Users adduser git passwd git Become the git user and go to home folder su git cd ~ Create the repo mkdir myrepo.git cd myrepo.git/ git --bare init So now the repo is done lets connect to it and start using it.

Securing Apache – TRACE TRACK XSS

Mon, 07 Oct 2013 15:12:50 +0000

So i will tryi to updated with some tips on securing apache as I stumbel over them. This will be the first one in not so many I hope (Apache will be secure ) I always scan my servers every month with Openvas as one of my PCI-DSS task. And this week I locking down my Apache servers. Add this in you vhost file ore in the welcome.conf file and rerun you scan.

Set up Openvpn client on Centos 6.4

Sun, 21 Jul 2013 22:39:45 +0000

I often use Openvpn to connect my servers toghter over several cloud servers provider. This is my small how to for setting up the openvpn client. Install the openvpn server yum install wget wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm rpm -Uvh epel-release-6-8.noarch.rpm yum install openvpn Set up the Vpn client In /etc/openvpn extract you vpn config Save you openvpn config file as client.conf Test you vpn openvpn --config client.conf Now when its working restart you openvpn with

Openvpn on Raspberry Pi

Mon, 17 Jun 2013 08:12:52 +0000

So sommar is comming and I planning to be away as mutch as possible. But I need an door in to my server at home for some work. When Im of i only will have an 3g/4g connections so its mutch nicer to work against my server home at a stabel 100 line. So for making this possibel I install en openvpn server on my PI sitting in my closet.

Installing PfSense on Clavister

Sat, 15 Jun 2013 12:17:54 +0000

After we change our server location and install some new servers and firewalls (Firewall now in centos with iptables) we got one Clavister over. We needed a new firewall in our office but did not want to use the Clavister firewall software so we decided to see if we could get PfSense running on the hardware. We open the Clvister up and made some hardware changes to it. Incresning the memeory from 512mb to 2g.

Extracting HP-Switch running config

Mon, 10 Jun 2013 15:29:02 +0000

Every so othen I have to extract my running-config from my hp switches. And put them under OSSEC file monitoring. And to verify so that no changes has bean done to the original running-config. So here is an small script for extracting my running-config and mf5 check that they are the same as my standard config. Make you own changes to the script to work in you system 🙂

Testing OSSEC / Syslog auth

Mon, 03 Jun 2013 20:38:35 +0000

Im runing and PCI DSS Level 1 system. And during our PCI Audit i have to provide evidence that our monitoring system (OSSEC) can log logins that fails. So or testing this and to provide evidence for our audit I made a small python script. the Scripts tries to login to th host specified in and text field and tries to run an command on them. (You can alter this to the correct username / password and then run commands on all server)

DNS Verify new ns servers

Sun, 02 Jun 2013 17:06:10 +0000

The dns tester scripot lets you check so that you dns name are correct checking first used names today and then verify the names with you new DNS server. You will need an file of you doman names first to run in the script. #!/usr/bin/env python import socket import dns.resolver #v=”yes” g_dns=”88.80.170.189″ o_dns=”81.201.209.55″ def test_dns(name,typ,v): print “===================================================================” try: answers = dns.resolver.query(name,typ ) for rdata in answers: if v ==”yes”: print “Your DNS = ” + str(rdata) except dns.

Send logs to localsyslog (Apache,Mysql,Glassfish)

Thu, 30 May 2013 15:04:34 +0000

Adding you logfiles to an syslog server is an easy way to get all logs collected in one place. I Use to set all my service (apache,mysqlmmm) to log there logs to the local syslog server. Then I config the local syslog to send al its log to an central logserver. This way I get all my logs collected and displayd at one place. Apache In the file httpd.con fins the line ErrorLogs and replace the line with ErrorLog syslog:local1 Mysql

SELINUX Allow rules

Wed, 29 May 2013 11:46:53 +0000

SELINUX Small guide to allow rules from the host in selinux. Look in you audit.log file to se what selinux is doing on you system. Allow rules from the log file. Install yum packages yum install policycoreutils-python Cat you audit log file into audit 2 allow to build rules. cat /var/log/audit/audit.log | audit2allow -M mailreplay Now audit2allow will show you want rules it wants to updates / install. Install them with semodule -i mailreplay.

Thinstataion PXE Ubuntu

Mon, 12 Nov 2012 18:48:30 +0000

Hämta thinstation: apt-get install git mkdir /opt/thinstation cd /opp git clone –depth 1 git://thinstation.git.sourceforge.net/gitroot/thinstation/thinstation Sätt upp chroot thinstation: cd /opt/thinstation ./setup-chroot Bygg din första thinstatin cd /ts/5.1 ./build Sätt upp thinstation med våra paket Öppna upp build.conf. I denna fil måste du lägga i de hårdvaru paket som körs. Vi vill hålla start avbilden så liten som möjligt det gör att för att den ska vara snabb så väljer vi bara de moduler som vi verkligen behöva.

Ubuntu tftp Server

Mon, 12 Nov 2012 18:42:57 +0000

Installera paketen: sudo apt-get install xinetd tftpd tftp Skapa katalogen tftp jobbar med sudo mkdir /tftpboot sudo chown -R nobody.nogroup /tftpboot sudo chmod -R 777 /tftpboot Editera xinet konfigen: sudo nano /etc/xinetd.d/tftp service tftp { protocol = udp port = 69 socket_type = dgram wait = yes user = nobody server = /usr/sbin/in.tftpd server_args = /tftpboot disable = no } Starta om xinit: sudo /etc/init.d/xinetd restart Prova om det fungerar:

Ossec agent auto multi installation

Thu, 06 Sep 2012 09:31:32 +0000

Ossec är det övervakninsg system som jag använder mest. En sak som dock ställer till det lite att man hela tiden måste para ihop agneten med server. Det fungerar kalas om man bara har några få servrar. Men har man en massa blir det lite mekigare. Men nu så kan man scripta upp så man kan installera agenter automatist. Börja med att skapa nycklarna på ossec server Det första vi ska göra är att skapa upp nycklarna på ossec server.

Få Ossec att logga sina loggar till syslog

Wed, 05 Sep 2012 13:14:50 +0000

En bra sak är att samla alla sina loggar i syslog server. Och en av de loggar man vill ha är ju ossecs loggar. Det kan man göra lätt genom att låta ossec logga till syslog. Jag har nu satt upp min syslog med tls och ossec kan inte skicka loggar med tls. Så det jag gör är att jag lägger ossec server på min syslog server. Sedan låtar jag ossec servern logga på loopback nätet ner till min syslog server.

Rsyslog TLS mellan server och klient

Wed, 05 Sep 2012 12:53:33 +0000

Syslog är i vanligt fall en öppen stadard vilket gör att om man skulle kunna kolla i traffiken mellan klineten och server. Men från rsyslog version 3? så kan man kryptera traffiken mellan server och klient. Viktoig då man skapar nycklar och ca till de olika servrana är att man hålelr reda på dns namn och server namn. Anger man fel namn i certifikaten mot vad server heter komm det inte fungera.

Sätta upp vlan med dhcpd server med ubuntu

Sat, 21 Apr 2012 20:06:15 +0000

Vlan kan användas för att kunna prata med moderana switchar och nätverkutrustning. I de kan man tex sätta att en port eller trådlöst nätverk ska använa sig av tex “vlan1”. Då när jag sätter upp ett nytt lan på min ubuntu kommer jag ha en nätverks port som kan prata med de andra som också använder vlan1 och går genom den port eller trådlösa som är taggade som vlan1. På så sätt kan vi sepparera nät från varandra.

Sätt upp en egen repo

Sun, 15 Apr 2012 18:53:37 +0000

Sätt upp en egen repo underlättar ganska mycket för en. I denna guide så visar hur man sätter upp en repo. I nästa guide blir det hur man skapar och gör egna paket för att sedan lägga i sin repo. Börja med att installera reprepro på din ubuntu hoj sudo apt-get install reprepro mkdir /srv/reprepro cd /srv/reprepro mkdir conf dists incoming indices logs pool project tmp files Sedan behöver vi vi lite filer till våran repo.

Syco pyton kodning. Lite små script för att testa last minne och anslutningar

Tue, 13 Mar 2012 15:49:22 +0000

Dagens kodning är avslutet. Idga har jag byggt en del funktioner för att testa lite olika saker. Hare n funktion som testar om en tjänst svarar på en port kan vara både udp eller tcp. Sedan så plockar jag ut last och minnes använing på server så jag kan se hur mycket minne apache drar. Och så för att kunna kontrollera så att mina webbsidor är uppe så ett liten function för att kolla om en text sträng finns på en webbsida.

Thinstation.org på Ubbe 12.04

Tue, 13 Mar 2012 09:26:00 +0000

Thinstation är en grym palltfrom för att bota tunna klienter mopt en server. Den klarar tror fan alla olika protokoll vilket gör att det är underbar att ha som bas. Jag ska sätta upp den för att boota mot en nx server som finns på en ubuntu desktop. Men man kan lika lätt sätt upp den mot att köra bara en firefix eller chrome webbläsare. Eller att bara boota up den mot en windows eller ssh.

koha bibliotek till OpenLDAP

Mon, 12 Mar 2012 21:08:43 +0000

Hur man kopplar ihop koha bibliotek med din openldap server. För att få det att fungera fick jag trixa till lite i koden. 1 Börja med att editera koha configfilen. Min fanns under den bibliotek jag gjort på växthuset vi /etc/koha/sites/vaxthuset/koha-conf.xml börja med att aktivera ldap genom att ändra o tille n 1och läggs sedan in följande under taggen OBS fick ta bort lite < så man kan visa taggarna i wordpress useldapserver>1/useldapserver> ldapserver id=”ldapserver” listenref=”ldapserver”> hostname>10.

mail till script Zimbra tex zimbra till redmine

Mon, 12 Mar 2012 16:20:58 +0000

Så Äntligen Efter en dags hårdargenade har jag äntligen hittat hur man gör för att köra ett script då man mailar till en använare i zimbra. Jag använder det till så man kan maila till tex arenden@fareoffice.com så kommer det som ett ärende in till redmine. 1. Fixa till din transport i zimbra. Öpna filen vi /opt/zimbra/postfix/conf/transport ######REDMINE adding arenden@fareoffice.com local: arenden@fareonline.net local: issues@fareoffice.com local: Sedan så fixar vi till transport databasen

Dra upp TLS på openldap server ubuntu 12.04

Fri, 17 Feb 2012 20:41:05 +0000

Daxs att sätta upp openldap server och lägga på TLS på den. Första steget fixa till så det finns certifikat till server. installera lite paket som behövs sudo apt-get install gnutls-bin ssl-cert Fixa en ca nyckel som kommer vara som en bas sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem" skapa en fil som heter /etc/ssl/ca.info och lägg följande i den cn = Example Company ca cert_signing_key Daxs att göra en nyckel till server och signa den med våran ca nyckel

Openldap Server ubuntu 12.04

Thu, 16 Feb 2012 20:22:07 +0000

hur man installerar Openldap server på en ubuntu 12.04. Obs se datumen ubuntu 12.04 är inte ute än så denna är lite innan kan man säga. När man installerat oepnldap server har dom kommit på den supersmarta iden att man ska ta den domän som finns i hostfilen och bygga ett ldap träd av det. så /etc/hosts för mig ser ut så här. 127.0.0.1 localhost 127.0.1.1 vh-hv-bas2.elinofied.se vh-hv-bas2 vilket gör att nu då jag installerar slapd så kommer den fixa et träd från början som heter

Jfokus 2012

Tue, 14 Feb 2012 14:56:55 +0000

Sitter på jfokus 2012 och väntar på sista föreläsningen för dagen om säkerhet i ria.

Backtrack hack wep

Sat, 11 Feb 2012 15:11:44 +0000

Att hacka wep är en ganska lätt sak. WEP har nämligen ett fel i sig som gör att samlar man på sig tillräckligt många paket så kan man från paketen läsa ut vad wep nyckeln är. För att gör adet så behöver man först lyssna på en bassation som använder sig av WEP. Efter det är det bara att hitta så många paket som man behöver runt 20 000 stycken.

Backtrack uppe

Sat, 11 Feb 2012 14:59:38 +0000

För att hålla mig lite uppdaterad brukar jag försöka köra lite Backtrack. På securitytube finns en jävlit bra video kurs i trådlöst att gå och för att kunna labba ordentligt har jag fixat ett bra trådlöst kort och flera bra antenner så man kan få in många nätverk. Jag startar min bärbara på en usb sticka med Backtrack på och som också har en kryptad del där jag kan spara lite info på.