freeatlantis.com is one of the many independent Mastodon servers you can use to participate in the fediverse.

#wazuh

Phil: I have a very strange issue with my VPS.

I am setting up Wazuh for my personal use, and while the software seems to run just great, I'm unable to connect agents to it.

1. Wazuh *does* bind the ports (1514, 1515) properly. At least, netstat tells me so.
2. I can tcpdump on these ports and see activity on 1515 (agent registration port).
3. The SYN packets never get a response from my VPS. It's like Wazuh is binding the ports but isn't getting the packets or responding to them.

I'm completely out of ideas. The Wazuh community Discord has been unhelpful so far.

I suspect ghosts.

Any help?

#wazuh #sysadmin #linux #selfhosted
walkman: #wazuh crashed, wtf.
walkman: Anyone using #WAZUH with Palo Alto Strata or FortiGates?
kravietz 🦇: @dadalo_admin

Large part of my work is in the infrastructure security sector and I think I can help at least with some of these challenges you described:

- there are databases of IP addresses and subnets that are known to run dumb, persistent scanners, bruteforcers etc. These should be blocked right away at the firewall level, and that's the first line of defense; the lists are usually updated every hour or daily.
- more sophisticated spam/hacking teams cycle their IP addresses, use Tor or set up dedicated infrastructure for your campaign only, but then so are the intrusion detection tools: #Wazuh and #Crowdsec are two solutions I have been using a lot that will allow you to block an IP address instantly when a suspicious pattern is detected *in your logs*, which basically allows you to block them on the spot.

These tools deal with HTTP server logs or application logs, so you can usually do whatever kind of matching you can come up with and write custom signatures such as "10-character-long alphanumeric usernames created from the same IP over 15 minutes". They are not silver bullets, as any such tool can be bypassed by a sufficiently resourced and sophisticated team, but they *significantly* increase the cost of the campaign for the attacker.

I don't have any Mastodon instances but have implemented them for Pleroma, NextCloud and many other solutions, so happy to help with deployment for your Mastodon instance if interested.

@briankrebs @renchap @ben
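The "N short alphanumeric usernames from one IP within 15 minutes" signature mentioned in the post above is a frequency-over-timeframe correlation, which is what Wazuh expresses with a decoder plus a rule carrying `<frequency>` and `<timeframe>`. The following is an added example, not code from any post on this page or from the Wazuh project: a stand-alone Python re-implementation of that sliding-window rule over constructed application log lines. The log format, the field names `user=` and `ip=`, the IP addresses (documentation ranges) and the sample usernames are all made up for illustration.

```python
"""Sliding-window correlation: bulk account creation from one source IP.

Added example, not from the page or from Wazuh. It mirrors the shape of a
Wazuh frequency/timeframe rule: a "decoder" (parse_line) extracts fields,
and detect_bulk_signups fires once an IP has created `threshold`
suspicious-looking usernames within `window_minutes`.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed (hypothetical) log format, one event per line:
#   2024-05-01T10:00:00Z app: account created user=<name> ip=<addr>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z app: account created "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# The "suspicious shape" from the post: exactly 10 alphanumeric characters,
# the kind of username a signup bot generates rather than a person picks.
SUSPICIOUS_USER_RE = re.compile(r"^[A-Za-z0-9]{10}$")


def parse_line(line):
    """Decoder step: return (timestamp, user, ip) or None on a non-matching line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # unrelated line (logins, errors, ...): decoder miss
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    return ts, m["user"], m["ip"]


def detect_bulk_signups(lines, threshold=3, window_minutes=15):
    """Rule step: return {ip: trigger_timestamp} for every IP that created at
    least `threshold` suspicious usernames inside any `window_minutes` span.

    Lines are assumed to be in timestamp order, as a tailed log would be.
    Only the first trigger per IP is recorded, like a rule that alerts once
    and hands the IP to an active response.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # ip -> timestamps of suspicious creations
    alerts = {}
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, user, ip = event
        if not SUSPICIOUS_USER_RE.match(user):
            continue  # human-looking name: not counted toward the rule
        q = recent[ip]
        q.append(ts)
        # Slide the window: forget creations older than `window` relative to
        # this event, so three signups spread over an hour do not accumulate.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


# Constructed sample log. 203.0.113.7 registers three 10-char names in under
# ten minutes (should alert); 198.51.100.9 registers three but spread over
# 44 minutes (should not, at the 15-minute window); 192.0.2.5 is a person.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z app: account created user=qz81kd02mn ip=203.0.113.7",
    "2024-05-01T10:01:30Z app: login ok user=alice ip=192.0.2.5",
    "2024-05-01T10:04:00Z app: account created user=alice ip=192.0.2.5",
    "2024-05-01T10:05:10Z app: account created user=b7x2pq9rls ip=203.0.113.7",
    "2024-05-01T10:06:00Z app: account created user=m3k9qa7zt1 ip=198.51.100.9",
    "2024-05-01T10:09:45Z app: account created user=t4vn28hqwe ip=203.0.113.7",
    "2024-05-01T10:30:00Z app: account created user=p8l2zx5cv0 ip=198.51.100.9",
    "2024-05-01T10:50:00Z app: account created user=wq4r7nb2ky ip=198.51.100.9",
]


def alert_ips(lines=SAMPLE_LOG, threshold=3, window_minutes=15):
    """Convenience wrapper: sorted list of offending IPs for the given rule."""
    return sorted(detect_bulk_signups(lines, threshold, window_minutes))


if __name__ == "__main__":
    for ip, ts in detect_bulk_signups(SAMPLE_LOG).items():
        print(f"ALERT bulk signups from {ip} at {ts.isoformat()}")
```

Widening the window to 60 minutes makes the second IP fire as well, which is the tuning trade-off any such rule carries: a tighter window misses slow campaigns, a looser one catches busy NAT gateways. In a real deployment the alert would feed an active response or a CrowdSec-style decision rather than a print statement.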
kravietz 🦇: I have been using #Wazuh for #infosec host-intrusion detection systems for most of the last decade, now testing #CrowdSec and it looks pretty smart.

Wazuh does *a lot* but it's plagued by inconsistent legacy code (doesn't support IPv6 for one thing) and *very* inconsistent rules and decoders syntax.
kravietz 🦇: There's nothing more f(*&@#$d up in the world than the #Wazuh decoders syntax but their logic 😩