you need this FREE CyberSecurity tool

Captions
This cybersecurity tool is amazing. You need to deploy it. Not only is it free and open source, which I don't know how that's possible, but you're gonna learn so much about hacking and security while also protecting your stuff. It's a no-brainer. I deployed the server in about five minutes and then deployed agents to all of my computers and servers: Mac, Windows, Linux. Now these agents are like the tattletales in school. They tell me everything. Things like security configuration: are all my devices misconfigured? I don't know, but I do now. It'll check for known vulnerabilities, malware, and then this is kind of nuts. It can track a directory and see if any changes occurred, files added, removed, documents edited, and this is even crazier. It can track the changes to the Windows registry. Are you kidding me? It's amazing. So all these devices send all the information to my server and I can see everything from one location. I get alerts, which can come at me via email or Slack or whatever. I can do things in response to those alerts. Active response. So not only can I detect a brute force attack, I can do something about it. Block that IP address. This server, or this tool, is called Wazuh. It's a type of cybersecurity tool called a SIEM, Security Information and Event Management. But I so badly wanna call it a "seam." I'm gonna call it a seam. I don't care. This type of tool is what the blue team, or defensive side of cybersecurity, will use to defend against the bad guys, to stop the hackers. So in this video, I'm gonna show you how to deploy this, cuz you need to. It's amazing. Again, not only will you be protecting your stuff, but you're gonna learn so much, and it's also kind of addicting. And seriously, this is something you could probably put on your resume. This is a project, like, hey, I run my own SIEM. Sim, seam, seam, seams... SIEMs pretty cool, doesn't it? <laugh> That was lame. I'm sorry. So you're convinced. Let's talk about what you need. Really only two things.
A Linux server or computer, and something to monitor. So, other computers. Most flavors of Linux are supported. I'll be installing it on Ubuntu. And more specifically, I'll be on a cloud machine in Linode. That's what I prefer, so I can monitor everything with ease, and also it's ridiculously easy. I'll walk you through it here in a bit. But it can also be on-prem, on a server you already have. Or it can be in a Docker container. Lemme get some room here. Already got a room, scoot down. There we go. And they even have an OVA for easy deployment on VirtualBox. Now as far as system requirements for the Wazuh server, lemme show you what they recommend. At minimum, they want two gigs of RAM and two CPU cores. That'll work for most people. If you got a lot of devices, if you're gonna be collecting lots of logs, you wanna go larger: four gigs of RAM and eight CPU cores. Now again, I'm gonna walk you through the cloud option and then also sprinkle in a little bit of Docker too, just for fun. Oh, almost forgot the most important thing. Coffee. Everything in IT requires coffee. It's just the rules. NetworkChuck coffee first. Alright, we'll set up Wazuh, or Wazu, I'm not sure. I'm just gonna call it Wazuh, in the cloud. So let's head on over to linode.com/networkchuck or check the link below. Now not only is Linode the sponsor of this video, but they are my favorite cloud provider. Like, I'm not lying. Check this out. I have way too many virtual machines in the cloud because I just go in here and spin up something. Anytime I have a project, anytime I wanna mess with something, I just go to Linode, spin up a quick virtual machine in seconds. Now if you're new to Linode, this is gonna be free for you. For the first 60 days, they're gonna give you $100 credit to go crazy and play around with it. So if you haven't already, go ahead and get signed up right now and then get signed in and meet me back here. Now the other reason I love Linode is they make deploying virtual machines like Wazuh
super stinking easy. Check this out. I'm gonna go to Create Linode. I'll click on Marketplace and then I'll search for Wazuh. There it is. Let's go and click on that and just have it selected, and we'll scroll down a bit. Now time for just a little bit of config. First, put an email address in, then for the SSL certificate. Then a limited sudo user account: Bernard Hackwell. This can be anything, just make it up. Put a password in, and we'll scroll down just a little bit until we see Select an Image. We're using Ubuntu. Perfect. Region: select somewhere close to you. Linode is a cloud provider, so they have data centers everywhere. Pick somewhere close to you so it'll be nice and fast. I'm in Dallas. And finally, our Linode plan. From here, let's click on Shared CPU, they're cheaper. And here we have our plans, or the size of our virtual machine. Now normally I would pick this one right here. It's five bucks a month, super cheap. But for Wazuh, you want something a bit beefier, a bit bigger, something more like the Linode 4 GB. Now if you don't select the four gigabyte option for this Wazuh installation, it just won't work. I tried it. So just make sure you select this. Now if you do wanna go for a smaller option, like the Linode 2 GB, I actually got that working with Docker and it worked pretty well. I'll walk you through that here in a second. Well, let's go ahead and do this. It's really not much more. It's so easy. So select four gigabyte. Scroll down just a bit, label this sucker whatever you want, enter a root password, and finally we'll scroll down and click on Create Linode at the bottom right. Ready, set, go. Now it's gonna do its thing. It's gonna bake you a VM in the cloud. Quick coffee break, it'll be a few minutes. And once you see that your Linode is running, we can try and connect to it. Over here we have our SSH access command. We're gonna go ahead and copy this right here and then launch your terminal. Windows, Mac and Linux,
it'll all work. And paste that in there. Enter, accept all fingerprints, put your password in, and we're in. But it may not be quite ready. Wazuh is still going through its installation. We can monitor it kind of right now by typing in htop, H T O P. And we'll see right at the top there, the top process: dpkg, or D package. That's how apps on Linux are installed, and that's what's happening right now. So we can kinda sit there and watch that until that stops, and we can try to connect here in a moment. And like, see here, we have some Wazuh stuff there. The Wazuh indexer is being installed. There's a bunch of pieces to it. It's amazing. But again, quick coffee break and watch the magic happen. Now at this point it's been about six minutes. Let's see if it's done. And we'll start with grabbing our password. By the way, I hit Ctrl+C to get out of that. If we type in ls -al in our terminal here, we should see a .deployment-secrets.txt file. There it has our secrets, or our passwords. Let's go ahead and cat that. cat .deployment-secrets, blah blah. Got it. Bam. There's our passwords right there. The first one we want is the admin password at the top. Got our admin username and our admin password. Cool, keep that there. Let's go back to our Linode dashboard here. And we're gonna grab our Linode reverse DNS name, or rDNS. So here in Linode, click on the Network tab. Scroll down just a little bit until we see the IP Addresses section. And then we have the reverse DNS right here. There it is. Just go and grab that, copy it. Open a new tab and go to https:// and paste that in. <laugh> Here we go. It's there. Now let's get logged in. Username admin, password, let's grab that from the terminal there. Copy and paste. It's gonna check and make sure things are good. Almost there. All good. Awesome. This SIEMs pretty cool. Last time I'll do that joke. Probably not. SIEMs like a... sorry. <laugh> It's terrible.
Now before we move on, I'm gonna show the Docker install. It's super easy. If you don't care about that, that's fine. Just skip ahead. I've got timestamps below. Now here's the Docker install. Perfect for on-prem, or a smaller machine on Linode, which is what I'll be doing here. Linode. I'm gonna click on Create Linode. I'll just deploy a standard Ubuntu 22.04 LTS machine, Shared CPU. I know that the Linode 2 GB plan will work. I tried it on the one gig, the containers just wouldn't run. Don't try it. But the two gig plan, it worked great. So click that, label it something fun, put a password in, and then click on Create Linode. How fast was that? Now if you're doing this on-prem, just have a server that's running Docker. And of course, if you want to run the OVA, I'll put a link below to the Wazuh documentation. After a moment or two, you should see that your machine is running. Let's go and connect to it. We'll grab our SSH access command over here. Just copy that. Launch my terminal, paste it, hit enter, accept all fingerprints, password, and we're in. Couple things we'll do real quick. First we'll update our repositories: sudo apt update. Now many of you are gonna go, why is he doing sudo? You're root. I always do sudo cause I don't know what you're using. You may not be root right now. I just wanna make it simple. Anyways, I digress. sudo apt update to update our repositories. Once that finishes up, we'll do a sudo apt install docker.io and docker-compose. We'll do a -y at the end. This is going to install Docker and Docker Compose. So let's go. Should be fairly quick. More of a coffee sip here. Awesome, it is finished. The next step, I've got a link below. Go ahead and pull up the Wazuh documentation for a Docker deployment. We'll one-two punch this real quick. First we'll clone the git repository, one command. Let's copy that. Go back to your terminal, paste that command, assuming you have git installed. Most OSes do. Clone.
Awesome. Type in ls. We'll see a new directory called wazuh-docker. Let's go ahead and cd into that: cd wazuh-docker. Type in ls once more. And we have one more directory we wanna jump into. It's the single-node directory, because we're deploying one single node or computer: cd single-node. Perfect. Now the next thing we'll have to do is generate some self-signed certificates. They make that super easy for us. They even have a Docker Compose file to run and do that for us. And all we have to do is copy and paste this command. So copy this command right here, paste that in there, hit enter. It's gonna pull those images down, run compose, and then that was it. That's done. Now for our next step, all we have to do is do the docker-compose command with the up option, and then we'll do a -d to launch it in the background. This will do everything for us. This is our last step in deploying this. It's super easy. I love Docker. Ready, set, go. This will take a moment. It's deploying a multi-tier application, pulling all the images, a lot of stuff going on. Little coffee break. We'll give it some time here. Okay, deployment is done, done, done. Let's confirm real quick by typing in docker stats. Get a real-time view of those suckers running. Let's go get logged in. Let's check it out. We'll get back to our Linode dashboard here. Go to the Network tab. Scroll down just a little bit, find our reverse DNS name right here in the IP Addresses section. Go ahead and copy that, and we'll open up a new tab. Type in https://, paste that in there. Let's go. Fingers crossed. Okay, this is a self-signed cert. We'll get this little error message. No big deal. Just proceed. Wazuh that? Sorry. Um, this video has so many lame jokes. Let's get logged in. Default login will be admin, password will be, according to the Wazuh documentation... what was it? Wazuh? <laugh> Sorry. Sorry, not sorry. Oh, it's, uh, SecretPassword. Capital S, capital P. Easy enough.
Just gotta check and make sure things are good. Almost. Okay, things are good. Now that we have Wazuh installed, let's get some agents added, computers that we can monitor. So right here we'll click on Add Agent, right here in the dashboard. And then right here we'll have the option to Deploy New Agent. Go ahead and click on that. This is super straightforward and easy. We'll start with the Linux host first. Again, I'm gonna do Ubuntu, and we'll do a Windows after this. By the way, Ubuntu 15 or more, architecture is x86. But notice we have options for everything. It's awesome. Then we'll put our Wazuh server address in here. This will simply be your Linode reverse DNS name if you did it with me, or it could be an IP address. Just something that the agent can have access to. So I'll copy that server address, the FQDN, fully qualified domain name, just like this. I will name that agent. It's optional, but I like to: kali_linux. We'll select a group. I'll put it in the default group. And then on step six, they give you one command to install the agent. Super cool. Super easy. Let's copy that. Copy command. And then here in Kali I'll launch my terminal. Paste that command, hit enter, sudo password, and it's done. Cool. One more thing we have to do. Getting back to the Wazuh dashboard, we need to enable this as a service. We'll just copy these commands, all systemctl commands, paste those commands in there, hit enter, and done. Awesome. So now getting back to the Wazuh dashboard, we can go to the top left here on this drop-down and click on Agents. There it is right there. My first little guy, Kali Linux, his IP address, OS. And it's gonna show us so much more. Oh, I can't wait to show you this, but first, before we do that, let's add Windows real quick. But notice how fast and easy this is, and Windows, it's just as easy. Let's go ahead and do, uh, Deploy New Agent once more. This time we'll click on Windows. Goodness, they still have Windows XP in here.
<laugh> I guess you need a SIEM for this, man. But anyways, I'm on Windows 7 or greater. No Windows ARM support, sad. Fully qualified domain name would be our same, uh, domain name or IP address. Again, just something your agent can have access to. I'll name it, default group. And finally at step six, just like Linux, we're gonna have our little one-liner command using PowerShell. Keeping in mind, you will need to run this as administrator, cause you will need admin privileges. So I'll just copy that command, jump into my Windows computer here. So here in Windows I'll launch my Windows Terminal. Keeping in mind, I'll have to launch it as admin. So right-click this and click on Run as administrator. Paste my command in there, hit enter. Gonna do its thing. And then one more command. We'll have to start the service here on Windows, just like Linux: net start WazuhSvc. Wazuh is starting, and we're off to the races. Let's go check Wazuh, the Wazuh dashboard. We'll go to our Agents. Oh, there it is. It's still coming up. Let's click on Refresh over here on the right. Refresh, refresh, refresh. Come on. Connect. I'm impatient. And after a billion refreshes... no, I'm just kidding. It was like three. Um, it's up. Awesome. And here's our two machines, a Linux and Windows. And you know what, I wanna add one more just for fun. Ready, go. It was seriously actually almost that fast. So here we have our agents, and now let's click on one of these and see what's going on. This is gonna be fun. So I'm gonna click on the new one I just added, the SearX NetworkChuck. That's from my SearX search video. It's a public box and it's gonna be kind of fun to look at. Let's click on that guy. And here's our agent dashboard for this one computer, this one server. There's a lot going on. But just keep in mind, at the top here in Wazuh we kind of have breadcrumbs, and I love this. We've got Agents and we're drilled down into the specific agent we're looking at.
And then here at the dashboard, so much going on. Now I'm not gonna show you everything. There's way too much, way too much fun to be had. But I will point out a few things that are, like, kind of wow. First, the MITRE framework, the MITRE ATT&CK framework. We won't go too deep into this, but just know it's a database of hacking techniques that hackers will use to attack machines. This will look at that framework and tell you, hey, your machine might be vulnerable to these tactics, or your machine is actively being attacked in these ways. And notice, um, some things are happening to mine. We'll take a look at those here in a bit. And then, quick drive-by here: compliance. Many companies have to obey certain compliance standards like PCI, GDPR, NIST, HIPAA. This will check all your computers, all your servers, and tell you what's going on. That's kind of crazy. Now, you may not care about policies. You should if you wanna get into security, but it may not be important for you right now. Scroll down a bit. What about configuration? Is your server or your computer configured securely? Do you know that for a fact? Well, this will tell you. <laugh> It has a module called SCA, or Secure Configuration, I think it's Audit or Assessment. Security Configuration Assessment. And it will pull up a CIS assessment, this is for Ubuntu Linux, and tell you how good you are. Um, 39% is my score. Failed 715 of these. Now let me give you, like, kind of a baseline for what that means. Let's jump into this report. Notice here in the breadcrumbs, I did jump into the Security Configuration Assessment section, and it'll tell me all the things I failed at. Let me actually sort by, uh, good stuff. It's gonna be a small list. And most of this is, like, default. So like, AppArmor is installed, cool. But it'll go deeper and tell you things like, hey, you should disable USB storage. Let's drill down to SSH, cuz you can search for specific things like that keyword. <laugh>
It'll tell me things like, hey, don't install Telnet. UFW is not enabled. Disable SSH root login. So not only is it showing you, like, hey, you're insecure, but it's also teaching you. Cause if I click on any one of these, it'll tell me, like, hey, here's the rationale, here's why we're telling you this, here's how you fix it, here's how you check it. And then it shows you all the MITRE techniques that can be used against having that misconfiguration. That's so freaking powerful. Are you kidding me? Okay, I'm getting a little excited. Coffee, you'll calm me down. That's just one module. Speed mode. Let's get back to our agent dashboard here. Here on the menu we have Security Events, showing you things like authentication failures, which could be brute force attacks. It'll show you top five alerts. It'll give you a list of security alerts. Super powerful. And then here's something you're not gonna see right away. If I click on More, we have Vulnerabilities. It'll check your system for vulnerabilities, but it's not enabled by default. I'll show you how to do this here in a moment. But I have another system I already had up and running, and if I look at Vulnerabilities for that one, it's gonna check all my applications and tell me, like, hey, are there known CVEs out there, or Common Vulnerabilities? And I've got a bunch <laugh>, like, a lot. But just look at this. Deploy this for your house or your servers or whatever you have and play security admin. Go in here and go, oh wow, I've got 170 critical CVEs. I should go figure out how to fix those. The learning opportunity, are you kidding me? And then here on my server I already had going, I do wanna show you one thing here on one of my Windows hosts, or Windows agents. This is kind of fun. I have my daughter's computer here. This is amazing. Check this out. I'll click on Chloe. And the one thing you're gonna love about Windows hosts is the Integrity Monitoring module. Oh my gosh, this thing's amazing. Check it out.
The sucker's gonna monitor all the important files and registry keys that are normally modified when something's being hacked. It's gonna look at things and tell you when things are being adjusted. So, like, check this out. If I go to Events, it'll tell me each time a registry key is changed. Like, this one was deleted: firewall policy. I don't know why that happened. Now some of these are automatic, like the Windows OS is doing it, but others can be bad. <laugh> It's kinda crazy. And it's not just registry keys. If I go to Inventory over here, I can see that it has an inventory of the files it's monitoring, and all the registry keys it's monitoring, and what they're currently set to. Is it not insane? And here in a moment I'll show you how you can, uh, monitor specific keys and get alerts on those keys and files too. It's so fun. Now at this point your SIEM seems to be doing great. I lied, I was gonna do it one more time. It seems to be doing pretty good. Pretty much all you have to do is set it up, connect an agent to it, and it collects information, and you can go crazy and learn cybersecurity and start to protect your stuff. But you can also tinker with this quite a bit. You can enable more modules, set up more alerts, monitor more things. So if you're interested in that, we're gonna walk through a few more options here. Now the first thing we'll do is look at file monitoring through Windows. It's so powerful and so cool. So back here at the Wazuh instance I deployed with you right now in this video. Couple things real quick, just before we jump into that. If I click on the home icon, it's gonna take me to the Wazuh dashboard, and it's gonna show me, like, all the modules I could jump into. So for example, if I wanna jump into Security Events, it's gonna show me security events. But right now it's being filtered to look at one agent. I can unpin that to where it's showing me everything from every agent. That's pretty cool. And you can do that with most modules.
Let's go back home. Now let's click on Wazuh once more, the Wazuh drop-down here. Let's click on Agents. Now again, I'm not going over everything, every little thing you can do, and you don't have to know all these things, but you can play around with it. You can go crazy. I'm just giving you enough to get started and have a little bit of fun, and things I got really excited about. So let's click on Agents here. We'll click on my Windows machine. A couple things I'm gonna show you real quick. If I click on Integrity Monitoring, this is the module that we'll use to monitor files. Notice I don't have any events right now. I've got it filtered right now by the last 24 hours, and I've just connected this thing, nothing's happened. But if I go to the Inventory, I can see that it already has scanned and inventoried all the default files it'll look for in the directories, and my registry keys. I believe it's set to scan everything every 12 hours. And if it notices a change, it'll let you know. It'll alert you. Pretty cool. But with files we can also do real-time notification and rule sets. Check this out. I'm gonna jump into my Windows host and change some configuration for the agent file. Now you can find that here. I'm gonna go to my Windows Explorer, go to my C: drive, go to Program Files (x86). Now if this is all, like, weird for you, like, oh man, Windows file system, I don't know what's going on. I do detail a lot of what this means and how it's organized in my Windows Fundamentals course on my academy. Check it out, link below. Anyways, let's continue. It's in x86, and in a folder called ossec-agent. Jump in there. Continue. You gotta have admin access. If I scroll down just a bit, I'll see a file named ossec.conf. That's your configuration file for your agent. Let's go to open that with Notepad. Open with Notepad. Oh, by the way, you can do the same thing on Linux. I'll put documentation below. It's pretty much the same process, just editing the same type of agent file.
But let's walk through this real quick. Here in this file, I'm just gonna search for syscheck to get to the syscheck section. That's hard to say. <laugh> And here, right, uh, you can see that I have the file integrity monitoring section. And you can see right here all the directories that it is by default set to monitor. So what we'll do here is we'll just choose a place amongst all these directory options and we'll add a little configuration here. We'll type in directories, and we'll add an option that'll give us real-time alerts. It's really simple. It's called realtime, just like that. Have it equal "yes" in quotes. We'll add one more option, report_changes. Have that equal "yes" in quotes. And we'll add one more, check_all, and have that equal "yes" as well. So just to make sure we're all on the same page here, we're specifying a directory and we're giving it these options: realtime, yes; report_changes, yes; and check_all, yes. We'll close that out and then add the directory we're gonna monitor with all these options. Let's do our desktop. So we'll do C:/Users/your username, mine is networkchuck, /Desktop. And then we'll close that out with </directories>, just like this. So now we'll save this file, File, Save. And then we'll restart the service by launching our terminal as administrator. Right-click, Run as administrator, and we'll say Restart-Service -Name wazuh. Cool. So that should be good. So I'm gonna open up my Wazuh dashboard real quick. Make sure I'm on the Events tab. Notice, look at the last 24 hours, nothing's happened. Let's change something on our desktop. This is so cool and powerful. I hope this illustrates how cool this is. So I'm gonna go to my desktop and I'm gonna add a new file, New Text Document. Can you see this? Just take about five seconds. One, two. Let's take a look. Let's refresh this. <laugh> There it is. No, it's weird. It said added, deleted, added.
Oh, I think because it changed the name in real time. But look, it monitored that I added a new, uh, a new file. Um, check this out. So that's, that's one alert. If I change anything about it, let's open it up. Say, hey, I'm changing stuff. We'll save it, we'll see if the new alert comes in. I'll refresh my options here, or refresh my page. There it is: syscheck event modified. And it's like, hey, the checksum changed on this. It'll even tell me down here what I changed, the text I added. How crazy is that? Now we can do the same kind of thing with the Windows registry. Now it won't be real-time, they don't have that option, but it will scan every 12 hours. You can change that interval. Let me share real quick. We can specify. So right now, looking at the inventory, right? We can see that it does have an inventory. Look at our new file. It does have an inventory of registry keys that it automatically monitors, but we can add specific ones that we want to have seen. So let's add a custom one real quick. I'll open up regedit here in Windows to edit my registry. Let's add one inside, uh, I don't know, HKEY_LOCAL_MACHINE. We'll go to SOFTWARE, maybe Classes. And let's add one right here. Right-click, say New, Key, we'll say BernardHackwell. Bam. We'll change the value to something fun. So what I'll do here is I'll right-click this key and say Copy Key Name, and then we'll go back to our agent configuration file. And you'll notice just under that same kind of section where we're adding directories, we also have registry keys we can add. So I'll go kind of towards the bottom here, just underneath the last registry entry and right before the entry to ignore, I'll line myself up with everything else, type in windows_registry, paste my key name, and then close it out with </windows_registry>. Cool, that should be all we need. And we'll change the frequency, cuz like I said, it's gonna take 12 hours to find this.
We don't want it to do that. So up here we have frequency, that syscheck is executed, by default every 12 hours, 43200. Let's change that from that to 60. So every, every minute. Actually, let's do 30 seconds. Let's be quick. So I'll save this file. I'll restart my service, my Wazuh service, once more: Restart-Service -Name wazuh. Got it. Go. Cool. So getting back to our Wazuh dashboard here, in our Integrity Monitoring section for our Windows machine, I'm gonna go over here to Inventory and just see if it finds that new registry key. I'll go to Registry, I'll search for, what did we name it, Bernard? Nothing yet. Wait for it to find it. There it is right there. So it found the key. It's looking at it, it's monitoring it. Cool. Now let's go to Events. Now you see that we've got some registry changes, mainly time stuff, and we're getting that because we set it to every 30 seconds. Notice nothing about a registry key here. Let's go change it. Let's go modify it. Here, HKLM, BernardHackwell, I'll change the value to something else fun: "you got hacked." Cool, let's change it there. It'll take about 30 seconds. Take a little coffee break and let's monitor our Wazuh dashboard. I'll refresh it a few times. And oh, there it is. Registry key modified. How killer is that? Now you may be wondering, okay, big deal Chuck, I barely even know what the registry is. Why do I care if it's changed? And first of all, the registry, like, has these settings for the configuration of your operating system. So if things are changed here, it's changing everywhere else. Some common things you might see changed, especially with malware, is this key here. Let's see, Microsoft, Windows, where's it at? Where's it at? Windows, CurrentVersion. There's a lot of keys in here, man. And we have Run and RunOnce. These keys are changed when you add, like, a new startup application for your system. So what malware will do is it'll go in here and add a new key, new string value.
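Here is the agent-side syscheck configuration the video types in, written out in full as an added example (not a copy of the video's file or of Wazuh's shipped config). It assumes the Windows agent's ossec.conf under Program Files (x86)\ossec-agent, the Desktop path and registry key name used in the video, and leaves out the default directory and registry entries the agent ships with.

```xml
<!-- Added example: the <syscheck> section of the Windows agent's
     C:\Program Files (x86)\ossec-agent\ossec.conf, trimmed to the
     settings changed in the video. The agent's default directory and
     registry entries are omitted here (assumption: they stay as shipped). -->
<ossec_config>
  <syscheck>
    <!-- Seconds between scheduled scans. Default 43200 (12 h); the video
         sets 30 for the demo. That low a value is fine for a lab but
         will produce a constant stream of alerts on a real host. -->
    <frequency>30</frequency>

    <!-- Real-time monitoring of the desktop:
         realtime="yes"        alert as soon as the change happens
         report_changes="yes"  include a diff of text files in the alert
         check_all="yes"       checksums, size, owner, permissions, mtime -->
    <directories realtime="yes" report_changes="yes" check_all="yes">C:\Users\networkchuck\Desktop</directories>

    <!-- Registry keys are only checked on the frequency interval; there is
         no realtime option for them. The custom key created with regedit: -->
    <windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BernardHackwell</windows_registry>

    <!-- Run and RunOnce are already in the agent's default list, which is
         why the "bad stuff" value was picked up without extra config. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
  </syscheck>
</ossec_config>
```

After saving, restart the agent (Restart-Service -Name wazuh) and confirm the new key shows up under Integrity Monitoring > Inventory > Registry before expecting a modification event.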
Call this... I'll call this "bad stuff," and I'll just say internet explorer. <laugh> Let's, let's copy that location. Okay? And looking back at Wazuh, it does monitor that by default. And here in the Events, if I refresh it, there it is. Registry key added and modified. There's the name of it right there: bad stuff. That's pretty powerful, right? The next thing I wanna show you: actions. They're so powerful. Check this out. Let's go to our Agents here, and I'll jump into my Linux machine here, SearX NetworkChuck. Now let's go to Security Events and I'll jump to Events. Now there'll be a lot of events here, because this machine's public. Now I'm getting things like "attempt to login using a non-existent user." Getting brute-forced from Russia using the username pi. <laugh> That's funny. Anyways, we can do something with that. And actually I wanna try it myself. I'm gonna try and brute force. I'm gonna launch my Kali Linux machine here and I'll use Hydra to brute force the login, and I'll use the username, uh, Bernard Hackwell, and we'll see if it sees us. Ready, set, go. After a sudo password, here we go. Okay, it's attacking. We should see a log. Let's go look at the logs here. Security Events, Events. This happened just now. Let's see if it was us. Username Bernard Hackwell. So there, there we are. How cool was that? Let's stop that nonsense. Let's real quick see if I try to log into it. Okay, so I, I'm getting a password prompt, so I'm not being blocked. So clearly I can sit here and just try and try and try again to my heart's content. But what if I had our SIEM actively respond to that and add it to the block list, drop it, add it to the firewall. We can do that. Check it out. It's called active response, which can be used for so many things. But I wanna demo this real quick. Now, to change this, we're gonna go to the configuration of our Wazuh server. So we're gonna go here to the Wazuh menu, go to Management, and then click on Configuration.
From here we're gonna go to the top right and click on edit configuration. And we're gonna scroll down a bit until we see a section called active response. Actually, you know, why am I tripping? I'm just gonna search for it. Active response. Cool, there it is. Active response. So scroll down a bit until I see this right here. It's kinda giving you a format for what it should look like. And I'm gonna copy this config from the documentation. Thank you Waza. Check it out here. Command is firewall, drop location, the server. It's uh, the rule is executing on and then it's gonna look at a rule or it's looking for a rule. This rule is what triggers this firewall drop. Now when we tried to brute force what rule was triggered? Let's go find out. I'm gonna jump to uh, our agents. Go back to my circ Circs, go to security Events. Events and let's see, it was just earlier, right? Like at 33. Yeah. So here's the alert. You can see yes, it was Bernard Hack. Well and there's the alert ID right there. The rule ID 57 10. That's what we want it to alert off of. So let's go back to our configuration thing here and we'll change that rule from 57 63 to 57 10 and this will time it out or add the firewall rule. And the time out here is 180 seconds. It'll block the attacker for 180 seconds. Pretty cool. So let's save that. Click on save, restart our manager. Just give that a little, little bit of time. Here're starting, please wait, coffee break. Okay, it's restarted. Now what we wanna do now is go back to our agent, go back to Search network Chuck and we'll go to security events and go to events. So last thing we saw agent started and stopped. Refresh that. Okay, we're here now let's go and try to brute force it one more time. Actually real quickly, see if we can log in. So this time I'm gonna use Root. I know a real user on that system. Let's see if it lets me. Okay, so we're, it's allowing us right now. Now we don't have to brute force. We can just try to log in with Bernard Hack. 
What that should do is trigger... Now it's, right now it's 12:03. It should trigger that new active rule. Let's go see. Bam. There it is. So 12:03, attempt, attempt to log in with non-existent user Bernard Hackwell. Immediately the firewall-drop active response blocks me. So now, right now for 180 seconds anyway, if I even try to log in, even with a real user, I get nothing. I'm blocked. I can't even ping it. <laugh> It's kinda crazy. Let's do a continuous ping and see when it lets me outta jail here. Oh, we're back. We're back. Okay, so how cool is that? And just so you know, you can do those active responses based on a variety of rules. It's so custom. That's why this is so powerful. You can even do it off of, like, a certain command was run or a certain log came about in, in the system, you can run a, an active response. It's so crazy.

Now two more things I wanna show you real quick. First is vulnerabilities. Um, right now if I go to my SearX NetworkChuck and I go to vulnerabilities, nothing there. Why? Because it's not enabled by default. The system does not search for that. So it's really, really easy to set this up. We'll go to Wazuh, management, configuration. Just like before, we'll go to edit configuration. And here we're gonna search for vulnerability detector. Right there. It tells us enabled: no. Let's change that to yes, we definitely want that. Then we click on save and restart manager, confirm now. So once this restarts, notice the options it has here. It'll run a full scan every six hours. It'll also run on start, when the service starts up. So once this finishes, we'll restart our service on Windows and Linux and see what happens. Okay, cool. It's done there. I'm gonna go to Windows, restart my service here, and we'll restart my service here. I'm restarting Wazuh agents. Cool. So now at this point, if we check our agents, I'll just go to my Windows machine here, go to vulnerabilities. Cool. So scan's complete, didn't find anything.
Now the reason for that is that my Windows machine has, like, no apps installed on it, but just know, to enable the vulnerability scanning you have to enable it on the system, on the Wazuh server. But the agents have that configured by default. Now if I go back to my other server that has all kinds of fun stuff configured, I gotta get logged back in here. Chloe, she has a bad version of VLC media player, high severity CVE. Wow, look at that, dude, this is fun. Gives you all the details of it. Oh my gosh, it's so cool. But I wouldn't have known that if I didn't have this on her system, and it just tells me automatically.

Now speaking of telling you automatically, you'll need some sort of alert, right? Wazuh has that. They've got email alerts and Slack alerts. I'm gonna show you Slack real quick, how to set that up. The first thing I'll do is open up Slack and create a new channel just for Wazuh: Wazuh alerts. Now I'll go out to Slack and create a new app. Now this will not be a tutorial on how Slack apps work. I'll just walk you through the basics you need to know about right now. And this goes without saying, you do need a Slack account. So I'll click on create new app, name it Wazuh, uh, alerts, select my workspace, create the app. And then all I wanna add really is an incoming webhook. Activate it. And then at the bottom I'll click on add new webhook to workspace. I'll click on new channel, Wazuh Alerts, allow. And that's it. And all I need from this is this webhook URL. I'll copy that, get back to my Wazuh dashboard. And I'm gonna go back to that configuration page where we were at before, where we spent a lot of time. Click on Wazuh, go to management, and then go to configuration. Same thing as before. Click on edit configuration. And here I'm gonna search for integrations, or just integration. And it looks like I don't have a section for that. I'll just add it here. So I'll just go to the top, and just under global I'll paste this config from the documentation.
The only thing I'll change here is pasting my webhook right there, which I need to copy again, paste it there. And actually there is one more thing I wanna change, just in case you don't wanna be killed with alerts, because this default <laugh> setting will have a bunch of alerts sent to me based on, like, all the events. And of course you can change the severity level of events that are sent to you or even just specify a specific rule ID you're looking for. So for example, right underneath here I can add rule ID. And what do you say we do 5710? That same rule as earlier that we are doing the action rule off of. Cool. So we have our webhook in place, the URL, we have our rule to alert off of. Save it, save and restart manager. Once that is restarted, we'll do our little test here in a moment. And real quick, look, there's nothing in the, uh, Wazuh alerts yet. It's kind of quiet here. Cool, it's restarted. Now let's try and log in with Bernard Hackwell again. That should block us. And then over here, BAM, Wazuh alert. Actually hit my watch too. Wazuh alert. Look at that: invalid user Bernard Hackwell from this IP address, which I'm gonna have Nick or Austin block right now. That's awesome, right?

So, okay, this is probably a long video, I realize that. But Wazuh is a powerful tool that will not only help you protect your family, your own lab, your business, but it'll teach you a ton about security, about hacking, about blue team. And the fact that it's free and open source, that I just did all of this, it costs me nothing except for the hosting, which you could do on-prem, it's gonna be free for you. It's just kind of crazy. So I hope you have as much fun with this tool as I have and we'll continue to have fun with. Let me know your thoughts below. What do you think? Let me know how your Wazuh installation, implementation went. I wanna know all about it. Anyways, that's all I have. Thank you for joining me in this video.
Thank you for having a little bit of coffee with me. I'll see you in the next video.
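The three manager-side settings the walkthrough edits through the dashboard, written out as an added ossec.conf fragment (not the video's own file): the active response bound to rule 5710, the vulnerability detector switched on, and the Slack integration filtered to the same rule. The webhook URL is a placeholder, and `local` as the active-response location is the documentation's default (the agent that raised the alert), which is what the video relies on.

```xml
<!-- Added example: fragments of /var/ossec/etc/ossec.conf on the Wazuh manager,
     matching the three dashboard edits made in the video. Not the video's own file. -->
<ossec_config>

  <!-- Slack integration, placed just under <global> as in the video. The hook URL is a
       placeholder: paste the incoming-webhook URL from your own Slack app. -->
  <integration>
    <name>slack</name>
    <hook_url>https://hooks.slack.com/services/REPLACE/WITH/YOUR_WEBHOOK</hook_url>
    <!-- Forward only rule 5710 (sshd: login attempt with a non-existent user) so the
         channel is not flooded by every event; <level> would filter by severity instead. -->
    <rule_id>5710</rule_id>
    <alert_format>json</alert_format>
  </integration>

  <!-- Active response: run firewall-drop on the agent that raised the alert and block the
       source IP for 180 seconds. The documentation example triggers on rule 5763 (brute
       force, non-existent user); the video changes it to 5710, so a single bad login is
       enough. As the video shows, the block applies to all traffic from that IP, including
       a later login with a valid user, until the timeout expires. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5710</rules_id>
    <timeout>180</timeout>
  </active-response>

  <!-- Vulnerability detector: off by default. Only <enabled> is changed; the full-scan
       interval (six hours) and run-on-start shown in the dashboard are the defaults, and
       the feed <provider> blocks already present in the stock config are left as they are. -->
  <vulnerability-detector>
    <enabled>yes</enabled>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
  </vulnerability-detector>

</ossec_config>
```

After saving, the manager has to be restarted for any of these to take effect (the dashboard's "save and restart manager" button, or `systemctl restart wazuh-manager` on the server), and the agents need a restart before their first vulnerability scan reports in.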
Info
Channel: NetworkChuck
Views: 1,233,711
Keywords: Wazuh, cybersecurity, docker, docker compose, searx, search, open source, free, hacking, security, server, siem, linux server, computer, ubuntu, on prem, cloud, OVA
Id: 3CaG2GI1kn0
Length: 32min 5sec (1925 seconds)
Published: Wed Jul 19 2023