Getting Started with Wazuh: Setting Up Your Lab Environment for XDR and SIEM”

In today’s cybersecurity landscape, having a robust and flexible security information and event management (SIEM) system is crucial.
Wazuh, an open-source security platform, offers comprehensive solutions for threat detection, integrity monitoring, incident response, and compliance.

Wazuh has an interesting history. In 2015, the Wazuh team decided to fork OSSEC, an open-source host-based Intrusion Detection System (IDS), to expand its core functionalities with additional features, enhancements, and a user-friendly interface.
Wazuh has grown significantly since its inception. It is now a comprehensive, open-source security platform that provides unified XDR (Extended Detection and Response) and SIEM (Security Information and Event Management) capabilities. The platform is designed to monitor infrastructures, detect threats, respond to incidents, and ensure regulatory compliance.

This blog will guide you through setting up Wazuh in a lab environment, focusing on its basic capabilities in Extended Detection and Response (XDR) and SIEM.
Whether you’re a cybersecurity professional or an enthusiast, this step-by-step guide will help to get started with Wazuh to secure your systems effectively.
We start with the defaults to make the lab-setup not more complex as necessary.

My Lab-env is as follows:

HostIPOS
Wazuh-Server10.50.100.76Ubuntu 24 LTS
Wazuh-Agent10.50.100.110RHEL 9
Wazuh-Agent10.50.100.111RHEL 9
Wazuh-Agent10.50.100.201Windows

Basic setup of Wazuh-Server

with root rights execute curl -sO https://packages.wazuh.com/4.10/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

Example output:

30/01/2025 08:07:17 INFO: Starting Wazuh installation assistant. Wazuh version: 4.10.1
30/01/2025 08:07:17 INFO: Verbose logging redirected to /var/log/wazuh-install.log
30/01/2025 08:07:22 INFO: Verifying that your system meets the recommended minimum hardware requirements.
30/01/2025 08:07:22 INFO: Wazuh web interface port will be 443.
30/01/2025 08:07:27 INFO: --- Dependencies ----
30/01/2025 08:07:27 INFO: Installing apt-transport-https.
30/01/2025 08:07:30 INFO: Installing debhelper.
30/01/2025 08:07:43 INFO: Wazuh repository added.
30/01/2025 08:07:43 INFO: --- Configuration files ---
30/01/2025 08:07:43 INFO: Generating configuration files.
30/01/2025 08:07:44 INFO: Generating the root certificate.
30/01/2025 08:07:44 INFO: Generating Admin certificates.
30/01/2025 08:07:44 INFO: Generating Wazuh indexer certificates.
30/01/2025 08:07:44 INFO: Generating Filebeat certificates.
30/01/2025 08:07:44 INFO: Generating Wazuh dashboard certificates.
30/01/2025 08:07:45 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
30/01/2025 08:07:45 INFO: --- Wazuh indexer ---
30/01/2025 08:07:45 INFO: Starting Wazuh indexer installation.
30/01/2025 08:08:23 INFO: Wazuh indexer installation finished.
30/01/2025 08:08:23 INFO: Wazuh indexer post-install configuration finished.
30/01/2025 08:08:23 INFO: Starting service wazuh-indexer.
30/01/2025 08:08:35 INFO: wazuh-indexer service started.
30/01/2025 08:08:35 INFO: Initializing Wazuh indexer cluster security settings.
30/01/2025 08:08:38 INFO: Wazuh indexer cluster security configuration initialized.
30/01/2025 08:08:38 INFO: Wazuh indexer cluster initialized.
30/01/2025 08:08:38 INFO: --- Wazuh server ---
30/01/2025 08:08:38 INFO: Starting the Wazuh manager installation.
30/01/2025 08:10:10 INFO: Wazuh manager installation finished.
30/01/2025 08:10:10 INFO: Wazuh manager vulnerability detection configuration finished.
30/01/2025 08:10:10 INFO: Starting service wazuh-manager.
30/01/2025 08:10:22 INFO: wazuh-manager service started.
30/01/2025 08:10:22 INFO: Starting Filebeat installation.
30/01/2025 08:10:28 INFO: Filebeat installation finished.
30/01/2025 08:10:28 INFO: Filebeat post-install configuration finished.
30/01/2025 08:10:28 INFO: Starting service filebeat.
30/01/2025 08:10:30 INFO: filebeat service started.
30/01/2025 08:10:30 INFO: --- Wazuh dashboard ---
30/01/2025 08:10:30 INFO: Starting Wazuh dashboard installation.
30/01/2025 08:11:22 INFO: Wazuh dashboard installation finished.
30/01/2025 08:11:22 INFO: Wazuh dashboard post-install configuration finished.
30/01/2025 08:11:22 INFO: Starting service wazuh-dashboard.
30/01/2025 08:11:23 INFO: wazuh-dashboard service started.
30/01/2025 08:11:24 INFO: Updating the internal users.
30/01/2025 08:11:27 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
30/01/2025 08:11:35 INFO: The filebeat.yml file has been updated to use the Filebeat Keystore username and password.
30/01/2025 08:12:00 INFO: Initializing Wazuh dashboard web application.
30/01/2025 08:12:01 INFO: Wazuh dashboard web application initialized.
30/01/2025 08:12:01 INFO: --- Summary ---
30/01/2025 08:12:01 INFO: You can access the web interface https://<wazuh-dashboard-ip>:443
    User: admin
    Password: PblablablablaB7n3vfwq
30/01/2025 08:12:01 INFO: Installation finished.

Please note the autogenerated User/Password to get later access to the Dashboard.

Linux: Basic setup of Wazuh-Agent

with root rights execute:

rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF


run the Agent installer (10.50.100.76 = Wazuh-Server)

WAZUH_MANAGER="10.50.100.76" yum install wazuh-agent

example output:

[root@rhel-wazuh-agent ~]# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
[root@rhel-wazuh-agent ~]# WAZUH_MANAGER="10.50.100.76" yum install wazuh-agent
Updating Subscription Management repositories.
EL-9 - Wazuh                                                      19 MB/s |  32 MB     00:01
Last metadata expiration check: 0:00:09 ago on Thu 30 Jan 2025 11:33:51 AM CET.
Dependencies resolved.
=================================================================================================
 Package                   Architecture         Version                Repository           Size
=================================================================================================
Installing:
 wazuh-agent               x86_64               4.10.1-1               wazuh               8.9 M

Transaction Summary
=================================================================================================
Install  1 Package

Total download size: 8.9 M
Installed size: 26 M
Is this ok [y/N]: y
Downloading Packages:
wazuh-agent-4.10.1-1.x86_64.rpm                                   15 MB/s | 8.9 MB     00:00
-------------------------------------------------------------------------------------------------
Total                                                             15 MB/s | 8.9 MB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                         1/1
  Running scriptlet: wazuh-agent-4.10.1-1.x86_64                                             1/1
  Installing       : wazuh-agent-4.10.1-1.x86_64                                             1/1
  Running scriptlet: wazuh-agent-4.10.1-1.x86_64                                             1/1
  Verifying        : wazuh-agent-4.10.1-1.x86_64                                             1/1
Installed products updated.

Installed:
  wazuh-agent-4.10.1-1.x86_64

Complete!
[root@rhel-wazuh-agent ~]#

Start the Wazuh-Agent and check the status:

systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
systemctl status wazuh-agent

example output:

[root@rhel-wazuh-agent ~]# systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-agent.service → /usr/lib/systemd/system/wazuh-agent.service.
[root@rhel-wazuh-agent ~]# systemctl status wazuh-agent
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; preset: disabled)
     Active: active (running) since Thu 2025-01-30 11:37:47 CET; 17s ago
    Process: 5702 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status>
      Tasks: 33 (limit: 10886)
     Memory: 430.5M
        CPU: 6.436s
     CGroup: /system.slice/wazuh-agent.service
             ├─5730 /var/ossec/bin/wazuh-execd
             ├─5742 /var/ossec/bin/wazuh-agentd
             ├─5755 /var/ossec/bin/wazuh-syscheckd
             ├─5770 /var/ossec/bin/wazuh-logcollector
             ├─5787 /var/ossec/bin/wazuh-modulesd
             ├─6312 /bin/sh active-response/bin/restart.sh agent
             ├─6316 /bin/sh /var/ossec/bin/wazuh-control restart
             └─6407 expr 29 + 1

Jan 30 11:37:40 rhel-wazuh-agent systemd[1]: Starting Wazuh agent...
Jan 30 11:37:40 rhel-wazuh-agent env[5702]: Starting Wazuh v4.10.1...
Jan 30 11:37:41 rhel-wazuh-agent env[5702]: Started wazuh-execd...
Jan 30 11:37:42 rhel-wazuh-agent env[5702]: Started wazuh-agentd...
Jan 30 11:37:43 rhel-wazuh-agent env[5702]: Started wazuh-syscheckd...
Jan 30 11:37:44 rhel-wazuh-agent env[5702]: Started wazuh-logcollector...
Jan 30 11:37:45 rhel-wazuh-agent env[5702]: Started wazuh-modulesd...
Jan 30 11:37:47 rhel-wazuh-agent env[5702]: Completed.
Jan 30 11:37:47 rhel-wazuh-agent systemd[1]: Started Wazuh agent.
[root@rhel-wazuh-agent ~]#

Windows: Basic setup of Wazuh-Agent

Download the Agent-Installer and execute the command with admin-rights:

wazuh-agent-4.10.1-1.msi /q WAZUH_MANAGER="10.50.100.76"
NET START Wazuh

example-output:

C:\Windows\System32>cd C:\Users\ugu5ma\Downloads
C:\Users\ugu5ma\Downloads>dir
  Verzeichnis von C:\Users\ugu5ma\Downloads

30.01.2025  12:06    <DIR>          .
13.01.2025  09:41    <DIR>          ..
30.01.2025  12:07         5.378.048 wazuh-agent-4.10.1-1.msi
               1 Datei(en),    5.378.048 Bytes
               2 Verzeichnis(se), 709.868.328.448 Bytes frei

C:\Users\ugu5ma\Downloads>wazuh-agent-4.10.1-1.msi /q WAZUH_MANAGER="10.50.100.76"

C:\Users\ugu5ma\Downloads>C:\Users\ugu5ma\Downloads>NET START Wazuh
Wazuh wird gestartet.
Wazuh wurde erfolgreich gestartet.
C:\Users\ugu5ma\Downloads>

Access the Dashboard

open a Browser and access: https://10.50.100.76
Don’t be surprised that the connection is interested, we use the default certs.


We see the default Dashboard:

Wazuh is shipped with default rules.
In a productive environment the real work would start now:
Create/adapt rules that are suitable for the required purposes and environment.
We will start with fixing the first (easy) vulnerability finding.

Fix a chrony-finding/vulnerability

Lets pick an RHEL-Agent and check the details of the chrony-finding:

  1. Navigate to Configuration Assesment
  2. Select an Agent
  3. Agent ID 02 looks as a good candidate
  4. filter the findings for chrony
  5. click on the failed check
  6. read carefully the finding and check the settings on the Agent to get it fixed

get the chrony finding fixed

The crony process is not executed by user chrony, let’s get it fixed:

[root@rhel-wazuh-agent ~]# cat /etc/sysconfig/chronyd
# Command-line options for chronyd
OPTIONS="-F 2"
[root@rhel-wazuh-agent ~]# sudo sed -i 's/OPTIONS="-F 2"/OPTIONS="-F 2 -u chrony"/' /etc/sysconfig/chronyd
[root@rhel-wazuh-agent ~]# cat /etc/sysconfig/chronyd
# Command-line options for chronyd
OPTIONS="-F 2 -u chrony"
[root@rhel-wazuh-agent ~]# ps -eo user,comm | grep chronyd
chrony   chronyd

[root@rhel-wazuh-agent ~]# systemctl restart chronyd
[root@rhel-wazuh-agent ~]# systemctl restart wazuh-agent

To force a new assessment a restart of the Wazuh-agent is necessary.

Go back to the Dashboard/finding-screen and check again the chrony-finding:

Chrony looks good now, just another 82 findings to fix

In one of the next sessions I will go into the details of Wazuh, it is a great product.

Run DeepSeek LLM locally on your M series Mac with LM Studio and integrate iTerm2

With the integration of LM Studio and iTerm2, powered by the cutting-edge DeepSeek LLM, developers can now streamline their workflows.
This setup enhances coding efficiency while maintaining complete control over their data.

Running DeepSeek LLM locally offers several benefits:

  1. Enhanced Privacy: Your data stays on your machine, ensuring that sensitive information is not shared with external servers.
    There’s no need to send data back and forth over the internet.
  2. Customization: You have full control over the model and can fine-tune it to better suit your specific needs and preferences.
  3. Offline Access: You can use the model even without an internet connection, making it more reliable in various situations.
  4. Cost Efficiency: Avoiding cloud service fees can be more economical, especially for extensive or long-term use.

These advantages make running DeepSeek LLM locally a powerful option for developers and users who prioritize privacy.

The following steps show the integration of LM Studio with iTerm2.

LM Studio

Download your preferred LLM and load the Model:

  1. Jump to the Developer screen
  2. Open Settings and set the Server Port to: 11434
  3. Start the Engine

The screen shows now a running service:

Click on the copy-button and close the page

iTerm2

Open the Settings of iTerm2

  1. install the plugin
  2. Enable AI features
  3. enter any API Key (entry is necessary but is not checked locally)
  4. For the first test you can leave the AI Prompt
  5. Use llama3:latest Model
  6. paste the URL copied from LM Studio and add /v1/chat/completions

    The final URL is then
    http://localhost:11434/v1/chat/completions

close the Settings-Windows

Action

-Press command-y in your iTerm2 session
-type your question into the windows and press shift-enter to ask your LLM:

Now you can use your local running LLM, even when you switch off your network-adapter 🙂

Automate Your Cloud Backups: rclone and Duplicati

In today’s digital age, safeguarding your data is more crucial than ever. With the increasing reliance on cloud storage, it’s essential to have a robust backup strategy in place. This blog post will guide you through automating your cloud backups (like Onedrive in this example) using rclone and Duplicati on a Linux system (in my case Ubuntu 24.04.1 LTS).

Why rclone and Duplicati?

  • rclone: A versatile command-line tool (inspired by rsync) that supports various cloud storage providers, including OneDrive. It allows you to sync, copy, and mount cloud storage as if it were a local filesystem.
  • Duplicati: An open-source backup solution that offers incremental backups, encryption, and scheduling. It’s designed to work efficiently with cloud storage, making it an ideal choice for automated backups.

We’ll use rclone to mount your OneDrive folder as a local directory seamlessly. This setup allows Duplicati to perform smart incremental backups, ensuring your data is securely backed up without unnecessary duplication. In this guide, I’ll walk you through the steps to set up rclone and Duplicati, making sure your cloud storage is backed up efficiently and securely. Let’s get started!

Install rclone

This command downloads and runs the installation script for rclone, making it easy to install on most Unix-like systems, including Linux and macOS. For Windows, you can download the executable from the rclone website.

run apt install rclone

apt install rclone
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  rclone
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 21.4 MB of archives.
After this operation, 65.9 MB of additional disk space will be used.
Get:1 http://packages.azlux.fr/debian bookworm/main arm64 rclone arm64 1.68.2 [21.4 MB]
Fetched 21.4 MB in 2s (10.2 MB/s)
Selecting previously unselected package rclone.
(Reading database ... 133411 files and directories currently installed.)
Preparing to unpack .../rclone_1.68.2_arm64.deb ...
Unpacking rclone (1.68.2) ...
Setting up rclone (1.68.2) ...
Processing triggers for man-db (2.12.0-4build2) ...

Install Duplicati

The install-process of Duplicati is already explained here.

Onedrive homework

By default, rclone uses a shared Client ID and Key when communicating with OneDrive, unless a custom client_id is specified in the configuration. This means that all rclone users share the same default Client ID for their requests. This is everything but not optimal, also throttling usually occurs.

Recommended step: Create unique Client ID for Onedrive personal

click New registration on https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade and follow the steps outlined at the rclone page.
My screenshots for this step are attached (just for your reference, please zoom in to make the file readable in your browser. ).

Setup rclone

This section guides you through the steps to configure rclone to mount your OneDrive folder to use this mount point as the source for  Duplicati backups.

run rclone config and answer the questions

Example output (Ubuntu 24.04)

rclone config
2024/12/17 11:06:25 NOTICE: Config file "/root/.config/rclone/rclone.conf" not found - using defaults
No remotes found, make a new one?
n) New remote
s) Set configuration password
q) Quit config
n/s/q> n

Enter name for new remote.
name> onedrive
Option Storage.
Type of storage to configure.
Choose a number from below, or type in your own value.
35 / Microsoft OneDrive
   \ (onedrive)
Storage> 35
Option client_id.
OAuth Client Id.
Leave blank normally.
Enter a value. Press Enter to leave empty.
client_id>

Option client_id.
OAuth Client Id.
Leave blank normally.
Enter a value. Press Enter to leave empty.
client_id>

Option client_secret.
OAuth Client Secret.
Leave blank normally.
Enter a value. Press Enter to leave empty.
client_secret>

Option region.
Choose national cloud region for OneDrive.
Choose a number from below, or type in your own value of type string.
Press Enter for the default (global).
 1 / Microsoft Cloud Global
   \ (global)
 2 / Microsoft Cloud for US Government
   \ (us)
 3 / Microsoft Cloud Germany
   \ (de)
 4 / Azure and Office 365 operated by Vnet Group in China
   \ (cn)
region> 1

Edit advanced config?
y) Yes
n) No (default)
y/n>n
Use web browser to automatically authenticate rclone with remote?
 * Say Y if the machine running rclone has a web browser you can use
 * Say N if running rclone on a (remote) machine without web browser access
If not sure try Y. If Y failed, try N.

y) Yes (default)
n) No
y/n> n
Option config_token.
For this to work, you will need rclone available on a machine that has
a web browser available.
For more help and alternate methods see: https://rclone.org/remote_setup/
Execute the following on the machine with the web browser (same rclone
version recommended):
	rclone authorize "onedrive"
Then paste the result.
Enter a value.
config_token>

for Use web browser to automatically authenticate rclone with remote?:
Choose “Yes” if your host supports a GUI.
In my case I have to answer this question with no and have to jump on an GUI-equipped host running the same clone-version to generate the needed one drive-token with the command: rclone authorize "onedrive" 

{"access_token":"EwCIA8blablaadv!0","expiry":"202blabla.927609745Z"}

Option config_type.
Type of connection
Choose a number from below, or type in an existing value of type string.
Press Enter for the default (onedrive).
 1 / OneDrive Personal or Business
   \ (onedrive)
 2 / Root Sharepoint site
   \ (sharepoint)
   / Sharepoint site name or URL
 3 | E.g. mysite or https://contoso.sharepoint.com/sites/mysite
   \ (url)
 4 / Search for a Sharepoint site
   \ (search)
 5 / Type in driveID (advanced)
   \ (driveid)
 6 / Type in SiteID (advanced)
   \ (siteid)
   / Sharepoint server-relative path (advanced)
 7 | E.g. /teams/hr
   \ (path)
config_type> 1
vblabla+g0","expiry":"202blabla27609745Z"}

Option config_type.
Type of connection
Choose a number from below, or type in an existing value of type string.
Press Enter for the default (onedrive).
 1 / OneDrive Personal or Business
   \ (onedrive)
 2 / Root Sharepoint site
   \ (sharepoint)
   / Sharepoint site name or URL
 3 | E.g. mysite or https://contoso.sharepoint.com/sites/mysite
   \ (url)
 4 / Search for a Sharepoint site
   \ (search)
 5 / Type in driveID (advanced)
   \ (driveid)
 6 / Type in SiteID (advanced)
   \ (siteid)
   / Sharepoint server-relative path (advanced)
 7 | E.g. /teams/hr
   \ (path)
config_type> 1

Option config_driveid.
Select drive you want to use
Choose a number from below, or type in your own value of type string.
Press Enter for the default (7bla49295c6fb0).
 1 /  (personal)
   \ (7blae49295c6fb0)
config_driveid>

Drive OK?

Found drive "root" of type "personal"
URL: https://onedrive.live.com/?cid=07bla49295c6fb0

y) Yes (default)
n) No
y/n>

Configuration complete.
Options:
- type: onedrive
- token: {"access_token":"EwCIblabla==","token_type":"Bearer","refresh_token":"K.Abla1.0.U.-CsblaFy55aAHgafDLr5t0","expiry":"202blabla609745Z"}
- drive_id: 79blabla95c6fb0
- drive_type: personal
Keep this "onedrive" remote?
y) Yes this is OK (default)
e) Edit this remote
d) Delete this remote
y/e/d>

Current remotes:

Name                 Type
====                 ====
onedrive             onedrive

Now we can mount the onedrive-storage-folder as a mount-point.
In this example I use /mnt/onedrive as the mount-point (the folder /mnt/onedrive must be present prior executing the mount command):

rclone mount onedrive:/ /mnt/onedrive

Let’s create an rclone-service to mount the one drive-folder at startup:

vi /etc/systemd/system/rclonemount.service 
[Unit]
Description=rclonemount
AssertPathIsDirectory=/mnt/onedrive
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/rclone mount \
        --config=/root/.config/rclone/rclone.conf \
        --vfs-cache-mode writes \
        onedrive: /mnt/onedrive
ExecStop=/bin/fusermount -u /mnt/onedrive
Restart=always
RestartSec=10

[Install]
WantedBy=default.target

Start and test the created rclonemount.service:

systemctl start rclonemount 

┌──$(root㉿raspi24)-[/]
└─# systemctl status rclonemount
● rclonemount.service - rclonemount
     Loaded: loaded (/etc/systemd/system/rclonemount.service; enabled; preset: enabled)
     Active: active (running) since Tue 2024-12-17 16:33:29 CET; 1 week 5 days ago
   Main PID: 1039 (rclone)
      Tasks: 12 (limit: 8674)
     Memory: 68.4M (peak: 131.5M)
        CPU: 15min 9.054s
     CGroup: /system.slice/rclonemount.service
             └─1039 /usr/bin/rclone mount --config=/root/.config/rclone/rclone.conf --vfs-cache-mode writes onedrive: /mnt/onedrive

run rclonemount.service at startup:

systemctl enable rclonemount 
┌──$(root㉿raspi24)-[/]
└─# systemctl enable rclonemount
Created symlink /etc/systemd/system/default.target.wants/rclonemount.service → /etc/systemd/system/rclonemount.service.

With Duplicati we can create now a new Backup-Job using the source directory /mnt/onedrive, or any specific subfolder like /mnt/onedrive/important_data.

Onedrive can now be backed up fully automatically with a smart backup solution 🙂

As we wrap up our journey with rclone, it’s clear that this powerful tool can significantly streamline your data management tasks. Whether you’re syncing files across multiple cloud services, automating backups, or simply exploring new ways to enhance your workflow, rclone offers a versatile and reliable solution.

Remember, the key to mastering rcloneor any tool—is practice and experimentation. Don’t hesitate to dive into the documentation, explore the various commands, and tailor rclone to fit your unique needs. The possibilities are vast, and the more you experiment, the more you’ll discover the true potential of this remarkable tool.

SSH Security Made Easy: An Introduction to ssh-audit

ssh-audit is a powerful tool designed to help you assess the security of your SSH servers (and clients!). It provides detailed information about the server’s configuration, supported algorithms, and potential vulnerabilities. In this guide, I’ll walk you through the steps to install ssh-audit and run your first security tests. Secure SSH configuration made easy.

Installation on Linux

  1. Clone the Repository: Open your terminal and clone the ssh-audit repository from GitHub:
    git clone https://github.com/jtesta/ssh-audit.git
  2. Navigate to the Directory: Change to the ssh-audit directory:
    cd ssh-audit
  3. Install Dependencies: Ensure you have Python installed on your system. If not, install it using your package manager. For example, on Ubuntu:
    sudo apt-get install python3

Installation on macOS

To install ssh-audit , run:
brew install ssh-audit
(You have already Brew installed, right ?)

Please check the ssh-audit url for many other setup options (Docker,Windows,etc.)

Test the SSH-Server against vulnerabilities

execute ssh-audit <hostname>
Replace <hostname> with the IP address or domain name of the SSH server you want to audit.

Example of Ubuntu’s 24.04 LTS default SSHD setup:

(if you add the -l warn switch you just get the vulnerabilities presented)

Interpreting the Results: ssh-audit will provide a detailed report of the server’s configuration, including supported key exchange algorithms, encryption ciphers, and MAC algorithms. Look for any warnings or recommendations to improve your server’s security.

Remediation

After running ssh-audit and identifying potential vulnerabilities or weak configurations in your SSH server, it’s important to take steps to remediate these issues. Below are examples of how to apply them:

Example for Ubuntu 24.04.1 LTS:

(Note: This is just an example. The example eliminates vulnerabilities for the SSH-daemon, but it can well be that this snippet does not fit for your setup. Handle with care)

This snippet creates a configuration file (51-ssh-harden_202412.conf) in directory /etc/ssh/sshd_config.d/ with the specified settings to enhance the security of your SSH server.

echo -e "\n# Restrict key exchange, cipher, and MAC algorithms
# Key Exchange Algorithms
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256

# Ciphers
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

# Message Authentication Codes (MACs)
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com

# Host Key Algorithms
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com" > /etc/ssh/sshd_config.d/51-ssh-harden_202412.conf

(SSHD restart required)



Example for RHEL 9.4

(Note: This is just an example. This example eliminates vulnerabilities for the SSH-daemon, but it can well be that this snippet does not fit for your setup. Handle with care)

# Backup the original OpenSSH server configuration file 
cp /etc/crypto-policies/back-ends/opensshserver.config /etc/crypto-policies/back-ends/opensshserver.config.orig
# Update the OpenSSH server configuration with specific cryptographic policies
echo -e "
# Ciphers: Specifies the encryption algorithms used to secure the SSH session
Ciphers=aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

# Message Authentication Codes (MACs): Defines the algorithms used to ensure data integrity and authenticity
MACs=hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com

# GSSAPI Key Exchange Algorithms: Specifies the algorithms used for GSSAPI key exchange
GSSAPIKexAlgorithms=gss-curve25519-sha256-

# Key Exchange Algorithms (KexAlgorithms): Lists the algorithms used for key exchange during the SSH handshake
KexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256

# Host Key Algorithms: Lists the algorithms used for verifying the server's host key
HostKeyAlgorithms=ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512

# Public Key Accepted Key Types: Specifies the types of public keys accepted for authentication
PubkeyAcceptedKeyTypes=ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512
" > /etc/crypto-policies/back-ends/opensshserver.config

(SSHD restart required)

Proof the remediation

run ssh-audit again!

Example-output after remediation:

How can I test if my SSH-Client is not vulnerable ?

If you run ssh-audit with the switch -c it creates an ssh-service on port 2222 and audits every connection attempt:

output after the login-attempt (ssh 127.0.0.1 -p 2222)

➜  ~ ssh-audit -c
# general
(gen) client IP: 127.0.0.1
(gen) banner: SSH-2.0-OpenSSH_9.8
(gen) software: OpenSSH 9.8
(gen) compression: enabled (zlib@openssh.com, zlib)

# key exchange algorithms
(kex) sntrup761x25519-sha512@openssh.com           -- [info] available since OpenSSH 8.5
                                                   `- [info] default key exchange from OpenSSH 9.0 to 9.8
                                                   `- [info] hybrid key exchange based on post-quantum resistant algorithm and proven conventional X25519 algorithm
(kex) curve25519-sha256                            -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
                                                   `- [info] default key exchange from OpenSSH 7.4 to 8.9
(kex) curve25519-sha256@libssh.org                 -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256         -- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group16-sha512                -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512                -- [info] available since OpenSSH 7.3
(kex) ext-info-c                                   -- [info] available since OpenSSH 7.2
                                                   `- [info] pseudo-algorithm that denotes the peer supports RFC8308 extensions
(kex) kex-strict-c-v00@openssh.com                 -- [info] pseudo-algorithm that denotes the peer supports a stricter key exchange method as a counter-measure to the Terrapin attack (CVE-2023-48795)

# host-key algorithms
(key) ssh-ed25519-cert-v01@openssh.com             -- [info] available since OpenSSH 6.5
(key) sk-ssh-ed25519-cert-v01@openssh.com          -- [info] available since OpenSSH 8.2
(key) rsa-sha2-512-cert-v01@openssh.com            -- [info] available since OpenSSH 7.8
(key) rsa-sha2-256-cert-v01@openssh.com            -- [info] available since OpenSSH 7.8
(key) ssh-ed25519                                  -- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79
(key) sk-ssh-ed25519@openssh.com                   -- [info] available since OpenSSH 8.2
(key) rsa-sha2-512                                 -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256                                 -- [info] available since OpenSSH 7.2, Dropbear SSH 2020.79

# encryption algorithms (ciphers)
(enc) chacha20-poly1305@openssh.com                -- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79
                                                   `- [info] default cipher since OpenSSH 6.9
(enc) aes128-ctr                                   -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr                                   -- [info] available since OpenSSH 3.7
(enc) aes256-ctr                                   -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes128-gcm@openssh.com                       -- [info] available since OpenSSH 6.2
(enc) aes256-gcm@openssh.com                       -- [info] available since OpenSSH 6.2

# message authentication code algorithms
(mac) umac-128-etm@openssh.com                     -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256-etm@openssh.com                -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@openssh.com                -- [info] available since OpenSSH 6.2


# algorithm recommendations (for OpenSSH 9.8)
(rec) -ecdh-sha2-nistp256                          -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384                          -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521                          -- kex algorithm to remove
(rec) -ecdsa-sha2-nistp256                         -- key algorithm to remove
(rec) -ecdsa-sha2-nistp256-cert-v01@openssh.com    -- key algorithm to remove
(rec) -ecdsa-sha2-nistp384                         -- key algorithm to remove
(rec) -ecdsa-sha2-nistp384-cert-v01@openssh.com    -- key algorithm to remove
(rec) -ecdsa-sha2-nistp521                         -- key algorithm to remove
(rec) -ecdsa-sha2-nistp521-cert-v01@openssh.com    -- key algorithm to remove
(rec) -hmac-sha1                                   -- mac algorithm to remove
(rec) -hmac-sha1-etm@openssh.com                   -- mac algorithm to remove
(rec) -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com -- key algorithm to remove
(rec) -sk-ecdsa-sha2-nistp256@openssh.com          -- key algorithm to remove
(rec) -diffie-hellman-group14-sha256               -- kex algorithm to remove
(rec) -hmac-sha2-256                               -- mac algorithm to remove
(rec) -hmac-sha2-512                               -- mac algorithm to remove
(rec) -umac-128@openssh.com                        -- mac algorithm to remove
(rec) -umac-64-etm@openssh.com                     -- mac algorithm to remove
(rec) -umac-64@openssh.com                         -- mac algorithm to remove


Make your SSH-communication more secure, if not the SSH-Service opens an attack surface for uninvited visitors.
Secure SSH configuration is Key!

Consider other additional security-steps like:
Secure your SSH communication with certificates
Lab setup: Secure your SSH communication with certificates
Fail2Ban: ban hosts that cause multiple authentication errors

..
.