Overview #
This guide demonstrates how to prevent malicious IP addresses from accessing web servers using Argus. In this example, Apache web servers are set up on Ubuntu and Windows machines, and attempts to connect are made from a Red Hat Enterprise Linux (RHEL) machine acting as the attacker.
A public IP reputation database is used to identify and block malicious actors. The RHEL machine’s IP address is added to this database, and Argus is configured to block the malicious IP for 60 seconds. This setup leverages Argus’s CDB list and Active Response features to deter malicious activity effectively.
System Setup #
Endpoint Roles #
RHEL 9.0 – Simulates an attacker. Its IP is flagged as malicious using Argus’s CDB list capability.
Ubuntu 22.04 – Hosts an Apache web server. Argus’s Active Response is used to block connections from malicious actors.
Windows 11 – Hosts an Apache web server. Argus’s Active Response is used to block connections from malicious actors.
Step-by-Step Instructions #
Setting up the Ubuntu Web Server #
1. Install Apache:
sudo apt update
sudo apt install apache2
2. Enable Web Access Through Firewall:
sudo ufw allow 'Apache'
3. Verify Apache is Running:
sudo systemctl status apache2
4. Test the Web Server:
Use a browser or curl command:
curl http://<UBUNTU_IP>
5. Monitor Logs with Argus Agent:
Add this to /var/ossec/etc/ossec.conf:
<localfile>
<log_format>syslog</log_format>
<location>/var/log/apache2/access.log</location>
</localfile>
6. Restart Argus Agent:
sudo systemctl restart wazuh-agent
Configuring the Windows Web Server #
Install Apache #
1. Install Visual C++ Redistributable.
2. Download and extract the Apache ZIP installer.
3. Copy the Apache24 folder to C:.
4. Start Apache using an administrator PowerShell terminal:
.\httpd.exe
5. Allow firewall access and verify by opening http://<WINDOWS_IP> in a browser.
Configure Argus Agent #
1. Edit ossec.conf in the agent’s directory:
<localfile>
<log_format>syslog</log_format>
<location>C:\Apache24\logs\access.log</location>
</localfile>
2. Restart the agent:
Restart-Service -Name wazuh
Argus Manager Setup #
Configuring CDB List #
1. Install wget:
sudo yum update && sudo yum install -y wget
2. Download IP Reputation Database:
sudo wget https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/alienvault_reputation.ipset -O /var/ossec/etc/lists/alienvault_reputation.ipset
3. Add Attacker IP:
echo "<ATTACKER_IP>" | sudo tee -a /var/ossec/etc/lists/alienvault_reputation.ipset
4. Convert IP List to CDB Format:
sudo wget https://wazuh.com/resources/iplist-to-cdblist.py -O /tmp/iplist-to-cdblist.py
sudo /var/ossec/framework/python/bin/python3 /tmp/iplist-to-cdblist.py /var/ossec/etc/lists/alienvault_reputation.ipset /var/ossec/etc/lists/blacklist-alienvault
5. Set File Permissions:
sudo chown wazuh:wazuh /var/ossec/etc/lists/blacklist-alienvault
Setting Up Active Response #
1. Define Rules in local_rules.xml:
<group name="attack">
<rule id="100100" level="10">
<if_group>web|attack|attacks</if_group>
<list field="srcip" lookup="address_match_key">etc/lists/blacklist-alienvault</list>
<description>IP found in AlienVault database.</description>
</rule>
</group>
2. Link the CDB List in ossec.conf:
<ossec_config>
<ruleset>
<list>etc/lists/blacklist-alienvault</list>
</ruleset>
</ossec_config>
3. Configure Active Response for Ubuntu:
<active-response>
<command>firewall-drop</command>
<location>local</location>
<rules_id>100100</rules_id>
<timeout>60</timeout>
</active-response>
4. Configure Active Response for Windows:
<active-response>
<command>netsh</command>
<location>local</location>
<rules_id>100100</rules_id>
<timeout>60</timeout>
</active-response>
5. Restart Argus Manager:
sudo systemctl restart wazuh-manager
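The conversion in step 4 of the CDB list section and the address_match_key lookup that rule 100100 performs, as an added Python example (not the project's iplist-to-cdblist.py or its rule engine): it turns a constructed ipset file into CDB "key:" lines, then runs constructed Apache access.log lines through the lookup. The prefix-key treatment of /8, /16 and /24 blocks and the exact-then-prefix match order are assumptions.

```python
import ipaddress

# Constructed sample in firehol ipset style: comments, single hosts and CIDRs.
IPSET_TEXT = """# alienvault_reputation (constructed sample)
203.0.113.7
198.51.100.0/24
192.0.2.0/30
"""

# Constructed Apache access.log lines as shipped by the agent configured above.
ACCESS_LOG = """203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 10918 "-" "curl/7.76.1"
198.51.100.42 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 10918 "-" "curl/7.76.1"
192.0.2.2 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 10918 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 10918 "-" "Mozilla/5.0"
"""

def ipset_to_cdb(text):
    """Emit CDB list text, one 'key:' line per entry (empty value). Assumption, not
    the project's script: /8, /16, /24 blocks become dotted prefixes ('198.51.100.')
    so one key covers the block; other blocks are expanded host by host."""
    keys = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)
        if net.prefixlen == 32:
            keys.append(str(net.network_address))
        elif net.prefixlen in (8, 16, 24):
            octets = str(net.network_address).split(".")[: net.prefixlen // 8]
            keys.append(".".join(octets) + ".")
        else:
            keys.extend(str(h) for h in net.hosts())
    return "".join(k + ":\n" for k in keys)

def load_cdb_keys(cdb_text):
    """Keys of a CDB list text (everything before the last ':' on each line)."""
    return {line.rsplit(":", 1)[0] for line in cdb_text.splitlines() if line}

def address_match_key(ip, keys):
    """Assumed lookup order: exact key, then dotted prefixes '198.51.100.', '198.51.', '198.'."""
    if ip in keys:
        return True
    parts = ip.split(".")
    return any(".".join(parts[:n]) + "." in keys for n in (3, 2, 1))

def flagged_srcips(access_log, keys):
    """Source IPs (first field of each access.log line) that rule 100100's lookup would flag."""
    srcips = (line.split(" ", 1)[0] for line in access_log.splitlines() if line)
    return [ip for ip in srcips if address_match_key(ip, keys)]
```

The last request from 10.0.0.5 is not flagged because no exact key or dotted prefix covers it, which is the behaviour the rule relies on to leave ordinary visitors alone.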
Testing the Setup #
1. From the RHEL machine, access the web servers:
curl http://<WEBSERVER_IP>
2. Verify that initial connections succeed but subsequent attempts are blocked for 60 seconds.
Viewing Alerts #
1. Access the Argus dashboard.
2. Navigate to Threat Hunting and search:
– Ubuntu: rule.id:(651 OR 100100)
– Windows: rule.id:(657 OR 100100)