Wazuh environment setup
Installing Wazuh
Official documentation: https://documentation.wazuh.com/current/index.html
1. Option one: install on top of ELK
Install the dependency packages.
Import the Wazuh GPG key, add the Wazuh repository, then update the package index.
Install the matching version (the Wazuh manager and the Elastic components have to be compatible releases, so check the version table in the documentation before installing).
2. Option two: download the ready-made virtual machine (OVA)
Download the image linked in the documentation.
VM requirements:
In the VM software choose File > Open and select the .ova file you just downloaded.
Then import the .ova file.
Change the network adapter from bridged mode to NAT mode.
After the VM boots, switch user.
Restart the network service and check the IP address.
Connect remotely with an SSH client (MobaXterm is used here).
Connection successful.
At this point the installation is complete.
First look at Wazuh
Open the dashboard in a browser and log in with the default credentials (username and password are both admin). Change this password before the dashboard is reachable from anything other than the lab network.
View the alerts.
Simulate a failed login and see how Wazuh reacts.
Watch the alert log in real time (the manager writes it under /var/ossec/logs/alerts/ by default):
tail -f alerts.log
SSH to the server and enter a wrong password:
ssh wazuh-user@192.168.112.133
Two rules fire: 5503 (PAM: user login failed) and 5760 (sshd: authentication failed).
The same alerts are visible in Wazuh.
After entering the wrong password for wazuh-user many times in a row, rule 5763 fires.
Rule 5763 is a frequency rule: if rule 5760 matches 8 times within 120 seconds from the same source IP, 5763 fires, and its description is a suspected brute-force attack.
The alert is also visible after logging in to Wazuh in the browser.
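As an added example (not part of the original post and not Wazuh's own decoder or ruleset), the following Python script models the frequency correlation just described: it decodes sshd "Failed password" lines, emits one 5760 match per line, and escalates to 5763 once the same source IP has accumulated 8 matches inside a sliding 120-second window. The log lines are constructed; the rule IDs and thresholds are the ones the post observed. Clearing the window after a 5763 alert is a simplification of how Wazuh suppresses repeated alerts for the same burst, not its exact semantics.

```python
"""Added example: a toy model of Wazuh's 5760 -> 5763 frequency correlation.

Not Wazuh code. Rule IDs and thresholds (8 matches of 5760 within 120 s)
are the values observed in the post; everything else is an assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in syslog format (not captured from the post's VM).
# 192.168.112.1 fails 8 times in 61 s; 10.0.0.5 fails 3 times spread over 5 min.
SAMPLE_LOG = """\
Mar 10 10:00:01 wazuh sshd[1201]: Failed password for wazuh-user from 192.168.112.1 port 50001 ssh2
Mar 10 10:00:05 wazuh sshd[1201]: Failed password for wazuh-user from 192.168.112.1 port 50001 ssh2
Mar 10 10:00:09 wazuh sshd[1201]: Failed password for wazuh-user from 192.168.112.1 port 50001 ssh2
Mar 10 10:00:10 wazuh sshd[1208]: Failed password for root from 10.0.0.5 port 40022 ssh2
Mar 10 10:00:14 wazuh sshd[1210]: Failed password for wazuh-user from 192.168.112.1 port 50002 ssh2
Mar 10 10:00:20 wazuh sshd[1210]: Failed password for wazuh-user from 192.168.112.1 port 50002 ssh2
Mar 10 10:00:31 wazuh sshd[1210]: Failed password for wazuh-user from 192.168.112.1 port 50002 ssh2
Mar 10 10:00:45 wazuh sshd[1215]: Failed password for invalid user admin from 192.168.112.1 port 50003 ssh2
Mar 10 10:01:02 wazuh sshd[1215]: Failed password for invalid user admin from 192.168.112.1 port 50003 ssh2
Mar 10 10:01:30 wazuh sshd[1220]: Accepted password for wazuh-user from 192.168.112.1 port 50004 ssh2
Mar 10 10:03:00 wazuh sshd[1230]: Failed password for root from 10.0.0.5 port 40023 ssh2
Mar 10 10:05:30 wazuh sshd[1240]: Failed password for root from 10.0.0.5 port 40024 ssh2
"""

# Stand-in for the sshd decoder: only "Failed password" lines yield a 5760 match.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

FREQUENCY = 8    # matches of 5760 needed ...
TIMEFRAME = 120  # ... within this many seconds, per source IP


def parse_ts(text):
    """Syslog timestamp (no year) -> datetime; only differences are used."""
    return datetime.strptime(re.sub(r"\s+", " ", text), "%b %d %H:%M:%S")


def correlate(log_text):
    """Return the list of alerts (rule 5760 per failure, 5763 per detected burst)."""
    alerts = []
    recent = defaultdict(deque)  # src ip -> timestamps of recent 5760 matches
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # e.g. "Accepted password": no 5760, so it never counts toward 5763
        ts, ip, user = parse_ts(m["ts"]), m["ip"], m["user"]
        alerts.append({"rule": 5760, "srcip": ip, "user": user,
                       "description": "sshd: authentication failed"})
        window = recent[ip]
        window.append(ts)
        # Drop matches older than the timeframe relative to the newest one.
        while (ts - window[0]).total_seconds() > TIMEFRAME:
            window.popleft()
        if len(window) >= FREQUENCY:
            alerts.append({"rule": 5763, "srcip": ip, "user": user,
                           "description": "sshd: brute force trying to get access to the system"})
            window.clear()  # simplification: one 5763 per burst, then start counting again
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert["rule"], alert["srcip"], alert["description"])
```

Running it prints eleven 5760 lines and a single 5763 for 192.168.112.1, which is the pattern the post saw in alerts.log: the slow attacker from 10.0.0.5 never crosses the threshold because its failures fall out of the 120-second window before they reach 8.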
Case reproduction
Challenge:
First, create index.php under /var/www/html and paste in the challenge source.
Challenge source:
<?php
// Challenge code reproduced as given: a keyword blacklist applied to the uploaded file's body.
function fun($var): bool{
    $blacklist = ["\$_", "eval","copy" ,"assert","usort","include", "require", "$", "^", "~", "-", "%", "*","file","fopen","fwriter","fput","copy","curl","fread","fget","function_exists","dl","putenv","system","exec","shell_exec","passthru","proc_open","proc_close", "proc_get_status","checkdnsrr","getmxrr","getservbyname","getservbyport", "syslog","popen","show_source","highlight_file","`","chmod"];
    foreach($blacklist as $blackword){
        // strstr() is a plain, case-sensitive substring test
        if(strstr($var, $blackword)) return True;
    }
    return False;
}
error_reporting(0);
// set the upload directory
define("UPLOAD_PATH", "./uploads");
$msg = "Upload Success!";
if (isset($_POST['submit'])) {
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_name = $_FILES['upload_file']['name'];
    $ext = pathinfo($file_name,PATHINFO_EXTENSION);
    // only extensions containing "php" are accepted
    if(!preg_match("/php/i", strtolower($ext))){
        die("只要好看的php"); // "only nice-looking php"
    }
    $content = file_get_contents($temp_file);
    if(fun($content)){
        die("诶,被我发现了吧"); // "hey, caught you"
    }
    // the stored name is the md5 of the original name, but the php extension is kept
    $new_file_name = md5($file_name).".".$ext;
    $img_path = UPLOAD_PATH . '/' . $new_file_name;
    if (move_uploaded_file($temp_file, $img_path)){
        $is_upload = true;
    } else {
        $msg = 'Upload Failed!';
        die();
    }
    // the stored path is echoed back, so the uploader learns where the file lives
    echo '<div style="color:#F00">'.$msg." Look here~ ".$img_path."</div>";
}
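For contrast, here is an added example (written in Python rather than the challenge's PHP, and not part of the original post) of how an upload handler should decide whether to keep a file: an allow-list of extensions checked against the file's magic bytes, a random server-side name that discards the client's name entirely, and a store outside the web root with no execute bit. All function names, the `ALLOWED_TYPES` table and the size limit are assumptions. The challenge's blacklist scans the file body for keywords, so it has to anticipate every spelling and still ships the file with a .php extension; the version below never inspects source-code tokens at all, because a file that is never served as PHP cannot run.

```python
"""Added example: allow-list upload validation (Python, not the challenge's PHP).

Assumptions: the store directory lives outside the web root and is served, if at
all, by a handler that sets Content-Type from the stored extension.
"""
import os
import secrets
import tempfile

# Allowed extensions mapped to the magic bytes the content must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed limit


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message is safe to show to the user."""


def validate_upload(client_name: str, content: bytes) -> str:
    """Validate an upload and return the random server-side name to store it under.

    Only the last extension is consulted, it must be on the allow-list, and the
    bytes must start with that type's magic number. The client-supplied name is
    otherwise discarded, so "shell.php.png" or "shell.pHp" never reach the disk
    under a name of the attacker's choosing.
    """
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("file type not allowed")
    if not content or len(content) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file is empty or too large")
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared type")
    # 32 hex chars of CSPRNG output: unguessable and unrelated to the client's name.
    return f"{secrets.token_hex(16)}.{ext}"


def new_store_dir(prefix: str = "uploads-") -> str:
    """Create a fresh store directory (in a real deployment: a fixed path outside the web root)."""
    return tempfile.mkdtemp(prefix=prefix)


def save_upload(store_dir: str, client_name: str, content: bytes) -> str:
    """Validate and write the file; returns the stored path.

    O_EXCL refuses to overwrite an existing file, and mode 0o640 sets no execute
    bit. A polyglot such as "GIF89a<?php ..." passes the magic check, but stored
    here it is only ever read back as image data, never executed.
    """
    name = validate_upload(client_name, content)
    path = os.path.join(store_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    # Constructed inputs: a minimal PNG header and a PHP shell under image names.
    store = new_store_dir()
    print("stored:", save_upload(store, "avatar.png", ALLOWED_TYPES["png"] + b"\0" * 16))
    for bad_name, bad_body in [("shell.php", b"<?php system('id');"),
                               ("shell.php.png", b"<?php system('id');"),
                               ("shell.pHp", b"GIF89a<?php system('id');")]:
        try:
            save_upload(store, bad_name, bad_body)
        except UploadRejected as exc:
            print(f"rejected {bad_name}: {exc}")
```

The design choice worth noting is where the trust boundary sits: the challenge trusts the extension and then tries to police the bytes, whereas this handler trusts neither and instead makes the stored file harmless by construction (random name, allow-listed type, no execute bit, not under the document root).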
Then add the front-end upload form:
Then run it: