In today's cyber era, cybersecurity plays one of the most important roles in the online world, and we can't be indifferent to web security. We also never really know the motives of people on the internet who try to get into other people's websites, install backdoors, make changes to other people's websites, and so on.
Today, "Gacor", "Slot" and "Judi Online" (online gambling) are a trending kind of website infection: many government, school, university and even personal websites have been infected by this malware or malicious code.
The effect of gacor, judi and slot content intruding into government, school or university websites is that their main domains are blocked by the Ministry of Communication and Information through DNS registrars, who sometimes give only 1 x 24 hours to resolve the problem. Worse, the blocking sometimes occurs when there is a lot of online activity, so that activity is hampered, and the domain registrar does not act quickly. For example, when a website is flagged as gacor/gambling/slot, it is blocked because the site contains gambling elements; reopening the site takes 4 – 6 hours, and the registrar has to be contacted several times to request that the blocked domain be reopened.
In this article, we will install the Wazuh agent and use one of its most useful features, file integrity monitoring. File integrity monitoring is one of the steps that must be taken to detect when a file has been changed. With Wazuh we can check a file for changes in, for example, its size, modification time, checksum and so on. The Wazuh agent is normally very easy to install on Linux, Windows or FreeBSD. It is much trickier to install on a cPanel hosting server that runs Imunify360, because the two conflict with each other. These are the step-by-step instructions for installing Wazuh on cPanel hosting alongside Imunify360.
1. Identify Conflict
- Imunify360 uses the default /var/ossec directory for its OSSEC setup, causing conflicts with Wazuh Agent.
- To avoid conflicts, Wazuh Agent must be installed in a custom directory.
2. Download and Extract Wazuh Agent
- Download the Wazuh Agent RPM package:
curl -o wazuh-agent-4.8.1-1.x86_64.rpm https://packages.wazuh.com/4.x/yum/wazuh-agent-4.8.1-1.x86_64.rpm
- Extract the RPM without installing:
mkdir -p /tmp/wazuh-agent-install
rpm2cpio wazuh-agent-4.8.1-1.x86_64.rpm | cpio -idmv -D /tmp/wazuh-agent-install
3. Relocate Wazuh Files
- Create a custom directory for Wazuh Agent (e.g., /opt/wazuh-agent):
sudo mkdir -p /opt/wazuh-agent
- Move the extracted files to the custom directory:
sudo mv /tmp/wazuh-agent-install/var/ossec/* /opt/wazuh-agent/
- Set appropriate permissions (the chown only succeeds once the wazuh user and group exist; they are created in step 4, where ownership is set again):
sudo chown -R wazuh:wazuh /opt/wazuh-agent
sudo chmod -R 750 /opt/wazuh-agent
4. Configure Wazuh Agent
- Update Configuration: Edit the configuration file /opt/wazuh-agent/etc/ossec.conf:
sudo nano /opt/wazuh-agent/etc/ossec.conf
Minimal configuration:
<ossec_config>
  <client>
    <server>
      <address>172.16.40.166</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
  </client>
</ossec_config>
- Create the wazuh User and Group: If not already created, add them:
sudo groupadd wazuh
sudo useradd -r -g wazuh -d /opt/wazuh-agent -s /sbin/nologin wazuh
- Set Permissions: Ensure all files are owned by wazuh:wazuh:
sudo chown -R wazuh:wazuh /opt/wazuh-agent
5. Create a Systemd Service for Wazuh Agent
a. Create the service file:
sudo nano /etc/systemd/system/wazuh-agent.service
Add the following content:
[Unit]
Description=Wazuh Agent
After=network.target
[Service]
Type=forking
ExecStart=/opt/wazuh-agent/bin/wazuh-control start
ExecStop=/opt/wazuh-agent/bin/wazuh-control stop
ExecReload=/opt/wazuh-agent/bin/wazuh-control restart
PIDFile=/opt/wazuh-agent/var/run/wazuh-agentd.pid
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
b. Reload the systemd daemon:
sudo systemctl daemon-reload
c. Start and enable the service:
sudo systemctl start wazuh-agent
sudo systemctl enable wazuh-agent
6. Test and Verify
a. Check the Wazuh Agent service status:
sudo systemctl status wazuh-agent
b. Verify logs to ensure there are no errors:
sudo cat /opt/wazuh-agent/logs/ossec.log
c. Confirm the agent communicates with the Wazuh Manager (172.16.40.166).
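Steps 6b and 6c can be scripted. The following is an added example, not part of the original article: two POSIX shell functions that scan the relocated agent's ossec.log for ERROR/CRITICAL lines and check that the most recent wazuh-agentd state is a connection to the manager. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article). Function names are hypothetical;
# the sample lines are constructed, modelled on the agent's
# "date time daemon: LEVEL: message" log format.

# Step 6b: print ERROR/CRITICAL lines; succeeds only when there are none.
agent_log_errors() {
    ! grep -E ' [^ ]+: (ERROR|CRITICAL): ' "$1"
}

# Step 6c: succeed when the latest wazuh-agentd state is a connection to
# manager $2, i.e. no agentd ERROR/CRITICAL follows the last
# "Connected to the server" line that names that manager.
agent_connected() {
    awk -v m="$2" '
        / wazuh-agentd[^ ]*: (ERROR|CRITICAL): / { ok = 0 }
        /Connected to the server/ && index($0, m) { ok = 1 }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# Constructed sample: agent connected, FIM scan finished.
sample_healthy_log() {
    cat <<'EOF'
2024/08/01 10:00:01 wazuh-agentd: INFO: (4102): Connected to the server ([172.16.40.166]:1514/udp).
2024/08/01 10:00:09 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
EOF
}

# Constructed sample: ownership of the relocated tree is wrong.
sample_failing_log() {
    cat <<'EOF'
2024/08/01 10:00:01 wazuh-agentd: INFO: (4102): Connected to the server ([172.16.40.166]:1514/udp).
2024/08/01 10:05:12 wazuh-agentd: ERROR: (1103): Could not open file 'etc/client.keys' due to [(13)-(Permission denied)].
EOF
}

# Usage: sh check_agent_log.sh /opt/wazuh-agent/logs/ossec.log 172.16.40.166
if [ "$#" -eq 2 ]; then
    agent_log_errors "$1" && agent_connected "$1" "$2" && echo "agent healthy"
fi
```

A non-zero exit from either function is a reason to recheck the ownership and permissions set in steps 3 and 4 before looking at the network path to the manager.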
Key Notes
- Avoid Conflicts with Imunify360:
  - By installing Wazuh Agent in /opt/wazuh-agent, there's no overlap with Imunify360's /var/ossec.
  - Do not modify or remove /var/ossec, as it's critical for Imunify360.
- SELinux Configuration: If SELinux is enabled, update its context for the new directory:
sudo semanage fcontext -a -t var_t "/opt/wazuh-agent(/.*)?"
sudo restorecon -R /opt/wazuh-agent
- Firewall Configuration: Ensure the firewall allows traffic to the Wazuh Manager on port 1514/udp:
sudo firewall-cmd --add-port=1514/udp --permanent
sudo firewall-cmd --reload
This setup ensures Wazuh Agent and Imunify360 work seamlessly without interfering with each other. Hope everything goes well.