GitHub: f23783/wazuh-soc-homelab
A distributed blue-team home lab built on Wazuh and Tailscale, designed to defend against brute-force and similar network attacks through CIS Benchmark hardening, automated IP banning and real-time alerting.
# Wazuh SOC Home Lab
A SOC home lab project that connects a local Wazuh Manager running on Proxmox to an Agent on a rented VPS over a Tailscale tunnel, with CIS Benchmark hardening, Telegram alert integration and automatic IP banning.
## Architecture
```
[Proxmox - Local]                     [VPS - Rented Server]
┌─────────────────┐                   ┌─────────────────────┐
│ Wazuh Manager   │◄─── Tailscale ───►│ Wazuh Agent         │
│ Ubuntu 22.04    │     Tunnel        │ Ubuntu 22.04        │
│ Wazuh v4.14     │                   │ Vaultwarden         │
└─────────────────┘                   │ Cloudflared         │
        │                             │ Fail2ban            │
        │                             └─────────────────────┘
        ▼
   Telegram Bot
 (Level 10+ alerts)
```
## Technologies Used
| Component | Description |
|---|---|
| Wazuh v4.14 | SIEM + EDR platform |
| Tailscale | Secure tunnel (communication behind NAT) |
| UFW | Firewall (default deny) |
| Auditd | Kernel-level log collection |
| PAM | Password policy and brute-force protection |
| Fail2ban | Automatic IP banning |
| Vaultwarden | Self-hosted password manager |
| Cloudflare Tunnel | Secure external access to Vaultwarden |
| Telegram Bot API | Real-time alert notifications |
## 1. Wazuh Manager Installation
### VM Requirements
- OS: Ubuntu 22.04 LTS
- RAM: 6GB
- Disk: 80GB
- CPU: 2 cores
### Tailscale Installation
```
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
tailscale ip -4
```
### Prepare config.yml
```
curl -sO https://packages.wazuh.com/4.14/wazuh-install.sh
curl -sO https://packages.wazuh.com/4.14/config.yml
```
Replace every IP field in `config.yml` with the Tailscale IP:
```
nodes:
  indexer:
    - name: node-1
      ip: "100.x.x.x"
  server:
    - name: wazuh-1
      ip: "100.x.x.x"
  dashboard:
    - name: dashboard
      ip: "100.x.x.x"
```
### Run the Installer
```
sudo bash wazuh-install.sh -a
```
The dashboard is reachable at `https://100.x.x.x`.
## 2. Wazuh Agent Installation (VPS)
```
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.14.0-1_amd64.deb
sudo WAZUH_MANAGER='100.x.x.x' \
WAZUH_AGENT_NAME='rented-server' \
dpkg -i ./wazuh-agent_4.14.0-1_amd64.deb
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
```
## 3. SSH Hardening
### Create a New User
```
useradd -m -s /bin/bash fido
passwd fido
usermod -aG sudo fido
```
### /etc/ssh/sshd_config
```
PermitRootLogin no
MaxAuthTries 4
MaxStartups 10:30:100
LoginGraceTime 60
ClientAliveInterval 15
ClientAliveCountMax 3
Banner /etc/issue.net
DisableForwarding yes
AllowUsers fido
```
```
echo "Authorized access only. All activity is monitored and logged." > /etc/issue.net
chmod 600 /etc/ssh/sshd_config
sshd -t && systemctl restart sshd
```
## 4. Auditd Installation
```
apt install auditd audispd-plugins -y
systemctl enable --now auditd
mv /etc/audit/rules.d/audit.rules /etc/audit/rules.d/10-base.rules
```
### /etc/audit/auditd.conf
```
max_log_file = 1024
max_log_file_action = ROTATE
space_left_action = email
admin_space_left_action = halt
```
### /etc/audit/rules.d/50-hardening.rules
```
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/sudo.log -p wa -k actions
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k power-abuse
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools
-e 2
```
```
augenrules --load
```
## 5. UFW Firewall
```
apt install ufw -y
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp
ufw allow 51820/udp
ufw allow from 100.64.0.0/10 to any port 8000
ufw allow from 172.16.0.0/12 to any port 8000
ufw allow in on lo
ufw enable
```
## 6. PAM Hardening
```
apt install libpam-pwquality -y
```
### /etc/security/pwquality.conf
```
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
dictcheck = 1
```
### /etc/security/faillock.conf
```
deny = 5
unlock_time = 900
```
### /etc/login.defs
```
PASS_MAX_DAYS 365
PASS_MIN_DAYS 1
PASS_WARN_AGE 7
```
```
chmod 640 /etc/shadow /etc/gshadow
chown root:shadow /etc/shadow /etc/gshadow
useradd -D -f 30
```
## 7. Sudo Logging
```
touch /var/log/sudo.log
chmod 640 /var/log/sudo.log
chown root:adm /var/log/sudo.log
echo 'Defaults logfile="/var/log/sudo.log"' | EDITOR='tee -a' visudo
```
## 8. Fail2ban
```
apt install fail2ban -y
```
### /etc/fail2ban/jail.local
```
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
ignoreip = 127.0.0.1 100.64.0.0/10
[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
maxretry = 3
bantime = 24h
```
```
systemctl enable --now fail2ban
```
### Useful Commands
```
fail2ban-client status sshd
fail2ban-client set sshd banip <IP>
fail2ban-client set sshd unbanip <IP>
```
## 9. Telegram Alert Integration
### /var/ossec/integrations/custom-telegram
```
#!/usr/bin/env python3
# Wazuh integration script: wazuh-manager runs it with the path of the alert JSON file as argv[1]
import sys, json, urllib.request

TELEGRAM_TOKEN = "YOUR_TOKEN_HERE"
TELEGRAM_CHAT_ID = "YOUR_CHAT_ID_HERE"


def send_message(msg):
    url = f"https://api.telegram.org/bot{TELEGRAM_TOKEN}/sendMessage"
    data = json.dumps({"chat_id": TELEGRAM_CHAT_ID, "text": msg, "parse_mode": "Markdown"}).encode()
    req = urllib.request.Request(url, data=data, headers={"Content-Type": "application/json"})
    # timeout so a hung Telegram API call cannot block the integration daemon
    urllib.request.urlopen(req, timeout=10)


def main():
    with open(sys.argv[1]) as f:
        alert = json.load(f)
    msg = (
        f"*Wazuh Alert*\n"
        f"*Level:* {alert['rule']['level']}\n"
        f"*Rule:* {alert['rule']['description']}\n"
        f"*Agent:* {alert.get('agent', {}).get('name', 'unknown')}\n"
        f"*Time:* {alert.get('timestamp', '')}\n"
        f"*Log:* `{alert.get('full_log', '')[:200]}`"
    )
    send_message(msg)


if __name__ == "__main__":
    main()
```
```
chmod 750 /var/ossec/integrations/custom-telegram
chown root:wazuh /var/ossec/integrations/custom-telegram
```
### /var/ossec/etc/ossec.conf
```
<integration>
  <name>custom-telegram</name>
  <level>10</level>
  <alert_format>json</alert_format>
</integration>
```
```
systemctl restart wazuh-manager
```
## Real Attack Scenario
A live brute-force attack was detected and blocked during the project setup phase.
### Attack Details
| Field | Value |
|---|---|
| Source IP | 185.246.130.20 |
| Location | Stockholm, Sweden |
| ISP | w1n ltd (data center) |
| AbuseIPDB report count | 75,478 |
| Confidence of abuse | 100% |
| Target | SSH (invalid usernames) |
| Total attempts | 27 |
| Successful breach? | No |
### Incident Timeline
1. The Wazuh agent collected the SSH authentication failure logs
2. The Wazuh Manager generated a level 10 alert
3. The Telegram bot sent an instant notification
4. The IP was investigated via AbuseIPDB and confirmed malicious
5. Fail2ban automatically banned the IP
6. The Wazuh dashboard confirmed that no login succeeded
### Verification in Wazuh
```
# all events from this IP
data.srcip: 185.246.130.20
# were there any successful logins?
data.srcip: 185.246.130.20 AND rule.id: 5715
```
Result: only `authentication_failed` events; no successful login.
```
grep "185.246.130.20" /var/log/auth.log | grep "Accepted"
# empty output: the attacker never got in
```
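The same triage as the dashboard query and the `grep` above, as an added example that is not part of the original project: it parses constructed sshd lines in `auth.log` format, counts failures per source IP (including the invalid usernames tried), flags IPs that cross the `maxretry = 3` threshold of the `[sshd]` jail, and checks whether any `Accepted` login came from a given IP. The log lines, hostname `vps` and the `100.101.102.103` admin address are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in sshd's auth.log format (not a real capture).
SAMPLE_AUTH_LOG = """\
Mar  3 10:12:01 vps sshd[2101]: Invalid user admin from 185.246.130.20 port 41022
Mar  3 10:12:03 vps sshd[2101]: Failed password for invalid user admin from 185.246.130.20 port 41022 ssh2
Mar  3 10:12:07 vps sshd[2105]: Invalid user oracle from 185.246.130.20 port 41040
Mar  3 10:12:09 vps sshd[2105]: Failed password for invalid user oracle from 185.246.130.20 port 41040 ssh2
Mar  3 10:12:15 vps sshd[2110]: Failed password for root from 185.246.130.20 port 41055 ssh2
Mar  3 10:15:30 vps sshd[2120]: Accepted publickey for fido from 100.101.102.103 port 50200 ssh2: ED25519 SHA256:EXAMPLE
"""

# "Failed password for [invalid user ]<user> from <ip> port ..."
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
# "Accepted <method> for <user> from <ip> port ..."
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port")


def triage(log_text):
    """Summarise failed and accepted SSH logins per source IP."""
    failed = Counter()
    invalid_users = {}
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m["ip"]] += 1
            if "invalid user" in line:
                invalid_users.setdefault(m["ip"], set()).add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["ip"], m["user"]))
    return {
        "failed": dict(failed),
        "invalid_users": {ip: sorted(users) for ip, users in invalid_users.items()},
        "accepted": accepted,
    }


def exceeds_jail_threshold(report, maxretry=3):
    """IPs that fail at least maxretry times, i.e. what the [sshd] jail would ban."""
    return sorted(ip for ip, n in report["failed"].items() if n >= maxretry)


def compromised(report, ip):
    """True if any Accepted login came from ip (the grep | grep Accepted check)."""
    return any(src == ip for src, _ in report["accepted"])
```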
## CIS Benchmark Results
| Category | Total | Remediated |
|---|---|---|
| SSH | 9 | 9 |
| Audit | 19 | 19 |
| PAM / Password | 11 | 11 |
| Firewall | 8 | 6 |
| Filesystem | 23 | 4 |
| Total | 207 | ~60 |
## Next Steps
- [ ] WireGuard VPN setup
- [ ] Velociraptor DFIR installation
- [ ] Enable vulnerability detection
- [ ] AIDE file integrity monitoring
## References
- [Wazuh Documentation](https://documentation.wazuh.com)
- [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks)
- [Tailscale Documentation](https://tailscale.com/kb)
- [AbuseIPDB](https://www.abuseipdb.com)
- [Fail2ban Documentation](https://www.fail2ban.org/wiki/index.php/Main_Page)