WAZUH agentless monitoring problem

Hi Masters!

I have successfully installed the Wazuh https://wazuh.com/install/ XDR and SIEM protection program on my VPS.
My goal would be to use wazuh Agentless https://documentation.wazuh.com/current/user-manual/capabilities/agentless-monitoring/index.html to report the status of my router (hAP ac²) via SSH.
It is theoretically possible, but unfortunately the method is not compatible with mikrotik or I just don’t notice something. :frowning:
I use this agentless config in /var/ossec/etc/ossec.conf with Endpoints with password authentication:

<agentless>
  <type>ssh_generic_diff</type>
  <frequency>60</frequency>
  <host>admin@mydomain.com</host>
  <state>periodic_diff</state>
  <arguments>/log print</arguments>
</agentless>

Unfortunately the process gets stuck; of course it doesn’t display an error in /var/ossec/logs/ossec.log:

...
2024/02/13 08:23:21 wazuh-agentlessd: INFO: Test passed for 'ssh_generic_diff'.
2024/02/13 08:23:22 wazuh-agentlessd: INFO: ssh_generic_diff: admin@mydomain.com: Started.
2024/02/13 08:23:22 wazuh-agentlessd: INFO: ssh_generic_diff: admin@mydomain.com: Starting.
2024/02/13 08:34:34 wazuh-agentlessd: INFO: ssh_generic_diff: admin@mydomain.com: Started.
2024/02/13 08:34:34 wazuh-agentlessd: INFO: ssh_generic_diff: admin@mydomain.com: Starting.
...

I tried all the existing variations that were listed as configurations, but none of them succeeded. :confused:
Of course I can log in manually via ssh console.
My question is, has anyone managed to put this together like this?
I think the problem is with the ssh_generic_diff script.

Thank you!

Regards: DrCyberg
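The log excerpt above shows only "Started." / "Starting." pairs, more than eleven minutes apart, even though the job is configured with a frequency of 60 seconds. A gap that large between two consecutive starts of the same agentless job is a usable health signal: it suggests the previous SSH session blocked rather than returning. The following is an added example (not part of this thread, and not Wazuh's own tooling) that parses wazuh-agentlessd log lines in the format shown and flags hosts whose consecutive starts are spaced far beyond the configured frequency. The sample log text is constructed from the lines in the post; the slack factor of 3 and the function names are assumptions.

```python
"""Health check for Wazuh agentless jobs, built from wazuh-agentlessd log lines.

Added example; the log format is taken from the excerpt posted above.
"""
import re
from datetime import datetime

# Constructed sample, modelled on the ossec.log excerpt in the post.
SAMPLE_LOG = """\
2024/02/13 08:23:21 wazuh-agentlessd: INFO: Test passed for 'ssh_generic_diff'.
2024/02/13 08:23:22 wazuh-agentlessd: INFO: ssh_generic_diff: admin@mydomain.com: Started.
2024/02/13 08:23:22 wazuh-agentlessd: INFO: ssh_generic_diff: admin@mydomain.com: Starting.
2024/02/13 08:34:34 wazuh-agentlessd: INFO: ssh_generic_diff: admin@mydomain.com: Started.
2024/02/13 08:34:34 wazuh-agentlessd: INFO: ssh_generic_diff: admin@mydomain.com: Starting.
"""

# Matches the per-host job lines: "<ts> wazuh-agentlessd: <level>: <type>: <host>: <event>."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) wazuh-agentlessd: "
    r"(?P<level>\w+): (?P<type>\w+): (?P<host>\S+): (?P<event>\w+)\.$"
)


def parse_runs(text):
    """Return (timestamp, job_type, host, event) tuples for per-host job lines.

    Lines that do not carry a job type and host (e.g. "Test passed ...") are skipped.
    """
    runs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        runs.append((ts, m.group("type"), m.group("host"), m.group("event")))
    return runs


def find_stalled_jobs(text, frequency_s, slack=3):
    """Flag (job_type, host) pairs whose consecutive "Starting" events are spaced
    more than slack * frequency_s seconds apart.

    Returns a dict mapping each flagged pair to the largest gap seen, in seconds.
    With frequency 60 and slack 3 (assumed), anything beyond 180 s is flagged.
    """
    last_start = {}
    stalled = {}
    for ts, job_type, host, event in parse_runs(text):
        if event != "Starting":
            continue
        key = (job_type, host)
        prev = last_start.get(key)
        if prev is not None:
            gap = (ts - prev).total_seconds()
            if gap > frequency_s * slack:
                stalled[key] = max(stalled.get(key, 0.0), gap)
        last_start[key] = ts
    return stalled


if __name__ == "__main__":
    for (job_type, host), gap in find_stalled_jobs(SAMPLE_LOG, frequency_s=60).items():
        print(f"{job_type} for {host}: {gap:.0f}s between consecutive starts (frequency 60s)")
```

Run against a real /var/ossec/logs/ossec.log, the check only tells you that a job is not cycling at its configured interval; it does not say why. In this thread the likely reason is that the remote side never hands control back to the script, so the next step is to run the same command manually over SSH and confirm it exits cleanly without waiting for interactive input.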

Have you tried turning off password login and running the slightly more secure login model via PKI? Check this link on how to import your public key.

https://help.mikrotik.com/docs/display/ROS/SSH#SSH-EnablingPKIauthentication

You should try not to use passwords, and apply a more secure login.
And create a new user on the device that is not using admin as the login.

I thought I’d try a simple solution to see if it works (Password).
I will try the method you suggested, as you say.
Although I have since solved it with a different method (VPN + Route).

Thank you!

Regards: DrCyberg

[Off topic]

When I tried Wazuh (and OSSEC), I always believed that it was with agent only. I liked it, but I saw that the agent on Windows is super easy to vulnerate. Simply uninstalling or turning off the service is enough, and it has no protection. I don't know if I did something wrong, but anyway, even Cortex XDR from Palo Alto was easy to turn off without uninstalling (at least this last one has anti-tamper protection and you can’t uninstall it without a master password that is configured on the server side).

Any free recommendation is appreciated.

[On topic]

You always need to use certificates and never passwords for automated processes that need SSH logins. Otherwise, SSH would be anything but secure.

Regards.