
Add firewall rules during installation

Open zbalkan opened this issue 1 year ago • 1 comments

Related issue
https://github.com/wazuh/wazuh-packages/issues/1217

Description

Wazuh installation documents make an implicit assumption that the user configured the host firewall previously. Therefore, the installation guide does include the hardware and OS requirements but excludes firewall configuration. Basically, it requires the firewall to be planned and configured ahead of time, with no mention in the installation steps.

However, it can be an issue for new users. It might create problems during installation, especially during the cluster discovery phase, causing new users to waste time on troubleshooting.

This PR adds a firewall setup step to the installation script that checks for the existence of firewalld and iptables, adds rules for the default mandatory ports and saves/reloads the settings. It reminds the user to check and verify the firewall configuration in a verbose way.

Logs example

N/A

Tests

N/A

  • Build the package in any supported platform
    • [ ] Linux
    • [ ] Windows
    • [ ] macOS
    • [ ] Solaris
    • [ ] AIX
    • [ ] HP-UX
  • [ ] Package installation
  • [ ] Package upgrade
  • [ ] Package downgrade
  • [ ] Package remove
  • [ ] Package install/remove/install
  • [ ] Change added to CHANGELOG.md
  • Tests for Linux RPM
    • [ ] Build the package for x86_64
    • [ ] Build the package for i386
    • [ ] Build the package for armhf
    • [ ] Build the package for aarch64
    • [ ] %files section is correctly updated if necessary
  • Tests for Linux deb
    • [ ] Build the package for x86_64
    • [ ] Build the package for i386
    • [ ] Build the package for armhf
    • [ ] Build the package for aarch64
    • [ ] Package install/remove/install
    • [ ] Package install/purge/install
    • [ ] Check file permissions after installing the package
  • Tests for macOS
    • [ ] Test the package from macOS Sierra to Mojave
  • Tests for Solaris
    • [ ] Test the package on Solaris 10
    • [ ] Test the package on Solaris 11
    • [ ] Check file permissions on Solaris 11 template
  • Tests for IBM AIX
    • [ ] %files section is correctly updated if necessary
    • [ ] Check the changes from IBM AIX 5 to 7

zbalkan avatar Aug 07 '22 17:08 zbalkan

Addition of this step requires a documentation update.

zbalkan avatar Aug 07 '22 17:08 zbalkan

Hello @zbalkan,

If the system has firewalld installed, the installation works perfectly, but if not I have noticed a few errors:

  1. The command iptables -L INPUT does not show any new rule after the installation.
  2. The debug mode shows this message: sudo: firewall-cmd: command not found. I have executed the script with bash -x and it gave the following output:
+ installCommon_setupFirewall wazuh-dashboard
+ '[' 1 -ne 1 ']'
+ FIREWALLD_EXISTS=0
+ IPTABLES_EXISTS=0
++ command -v firewalld
+ '[' -x '' ']'
++ command -v iptables
+ '[' -x /sbin/iptables ']'
+ IPTABLES_EXISTS=1
+ [[ -n 0 ]]
+ common_logger 'Setting up firewall rules for service wazuh-dashboard.'
++ date '+%d/%m/%Y %H:%M:%S'
+ now='12/09/2022 14:10:08'
+ mtype=INFO:
+ debugLogger=
+ nolog=
+ '[' -n 'Setting up firewall rules for service wazuh-dashboard.' ']'
+ '[' -n 'Setting up firewall rules for service wazuh-dashboard.' ']'
+ case ${1} in
+ message='Setting up firewall rules for service wazuh-dashboard.'
+ shift 1
+ '[' -n '' ']'
+ '[' -z '' ']'
+ '[' 0 -eq 0 ']'
+ '[' -z '' ']'
+ printf '12/09/2022 14:10:08 INFO: Setting up firewall rules for service wazuh-dashboard.\n'
+ tee -a /var/log/wazuh-install.log
12/09/2022 14:10:08 INFO: Setting up firewall rules for service wazuh-dashboard.
+ '[' wazuh-dashboard == wazuh-manager ']'
+ '[' wazuh-dashboard == wazuh-indexer ']'
+ '[' wazuh-dashboard == wazuh-dashboard ']'
+ ports=("443")
+ for port_number in '"${ports[@]}"'
+ common_logger -d 'Enabling port 443 on the firewall.'
++ date '+%d/%m/%Y %H:%M:%S'
+ now='12/09/2022 14:10:08'
+ mtype=INFO:
+ debugLogger=
+ nolog=
+ '[' -n -d ']'
+ '[' -n -d ']'
+ case ${1} in
+ debugLogger=1
+ mtype=DEBUG:
+ shift 1
+ '[' -n 'Enabling port 443 on the firewall.' ']'
+ case ${1} in
+ message='Enabling port 443 on the firewall.'
+ shift 1
+ '[' -n '' ']'
+ '[' -z 1 ']'
+ '[' -n 1 ']'
+ '[' -n '' ']'
+ '[' 0 ']'
+ eval 'sudo firewall-cmd --permanent --add-port=443/tcp >> /var/log/wazuh-install.log 2>&1'
++ sudo firewall-cmd --permanent --add-port=443/tcp
+ '[' 0 ']'
+ eval 'sudo firewall-cmd --reload >> /var/log/wazuh-install.log 2>&1'
++ sudo firewall-cmd --reload
+ common_logger -d 'Firewall rules saved/reloaded.'

It uses firewall-cmd even though the variable FIREWALLD_EXISTS equals 0. Comparing the variables with 1 seems to work:

if [[ ${FIREWALLD_EXISTS} -eq 1 ]] || [[ ${IPTABLES_EXISTS} -eq 1 ]]; then
if [ "${FIREWALLD_EXISTS}" -eq 1 ]; then
  3. After changing this, another error appeared:
iptables: unrecognized service

The command you are using is not correct: sudo service iptables save

This command works: sudo iptables-save https://www.cyberciti.biz/faq/how-to-save-iptables-firewall-rules-permanently-on-linux/

miguelfdez99 avatar Sep 12 '22 15:09 miguelfdez99

Thanks for the review. I'll come up with a fix soon.

zbalkan avatar Sep 13 '22 08:09 zbalkan

I updated the code and squashed the commits.

zbalkan avatar Sep 17 '22 10:09 zbalkan

Hi @zbalkan, I have done some tests about the new changes.

Tests

Installation, iptables installed
root@ubuntu2004:/home/vagrant# bash wazuh-install.sh -a -i
20/09/2022 05:53:59 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.8
20/09/2022 05:53:59 INFO: Verbose logging redirected to /var/log/wazuh-install.log
20/09/2022 05:54:00 WARNING: Hardware and system checks ignored.
20/09/2022 05:54:11 INFO: Wazuh repository added.
20/09/2022 05:54:11 INFO: --- Configuration files ---
20/09/2022 05:54:11 INFO: Generating configuration files.
20/09/2022 05:54:11 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
20/09/2022 05:54:11 INFO: --- Wazuh indexer ---
20/09/2022 05:54:11 INFO: Starting Wazuh indexer installation.
20/09/2022 05:55:44 INFO: Wazuh indexer installation finished.
20/09/2022 05:55:44 INFO: Setting up firewall rules for service wazuh-indexer.
20/09/2022 05:55:44 INFO: Successfully set up basic firewall rules for service wazuh-indexer.
20/09/2022 05:55:44 INFO: It is suggested to verify the rules on the host firewall in accordance with the Wazuh documentation.
20/09/2022 05:55:44 INFO: Wazuh indexer post-install configuration finished.
20/09/2022 05:55:44 INFO: Starting service wazuh-indexer.
20/09/2022 05:55:52 INFO: wazuh-indexer service started.
20/09/2022 05:55:52 INFO: Initializing Wazuh indexer cluster security settings.
20/09/2022 05:55:57 INFO: Wazuh indexer cluster initialized.
20/09/2022 05:55:57 INFO: --- Wazuh server ---
20/09/2022 05:55:57 INFO: Starting the Wazuh manager installation.
20/09/2022 05:56:38 INFO: Wazuh manager installation finished.
20/09/2022 05:56:38 INFO: Setting up firewall rules for service wazuh-manager.
20/09/2022 05:56:38 INFO: Successfully set up basic firewall rules for service wazuh-manager.
20/09/2022 05:56:38 INFO: It is suggested to verify the rules on the host firewall in accordance with the Wazuh documentation.
20/09/2022 05:56:38 INFO: Starting service wazuh-manager.
20/09/2022 05:56:50 INFO: wazuh-manager service started.
20/09/2022 05:56:50 INFO: Starting Filebeat installation.
20/09/2022 05:56:54 INFO: Filebeat installation finished.
20/09/2022 05:56:55 INFO: Filebeat post-install configuration finished.
20/09/2022 05:56:55 INFO: Starting service filebeat.
20/09/2022 05:56:56 INFO: filebeat service started.
20/09/2022 05:56:56 INFO: --- Wazuh dashboard ---
20/09/2022 05:56:56 INFO: Starting Wazuh dashboard installation.
20/09/2022 05:57:34 INFO: Wazuh dashboard installation finished.
20/09/2022 05:57:34 INFO: Setting up firewall rules for service wazuh-dashboard.
20/09/2022 05:57:34 INFO: Successfully set up basic firewall rules for service wazuh-dashboard.
20/09/2022 05:57:34 INFO: It is suggested to verify the rules on the host firewall in accordance with the Wazuh documentation.
20/09/2022 05:57:34 INFO: Wazuh dashboard post-install configuration finished.
20/09/2022 05:57:34 INFO: Starting service wazuh-dashboard.
20/09/2022 05:57:34 INFO: wazuh-dashboard service started.
20/09/2022 05:57:58 INFO: Initializing Wazuh dashboard web application.
20/09/2022 05:57:59 INFO: Wazuh dashboard web application initialized.
20/09/2022 05:57:59 INFO: --- Summary ---
20/09/2022 05:57:59 INFO: You can access the web interface https://<wazuh-dashboard-ip>
    User: admin
    Password: F95hN+wf.dZ6*Igv8Um.+MAWlHLtfyq1
20/09/2022 05:57:59 INFO: Installation finished.
20/09/2022 06:21:33 DEBUG: Enabling port 9300-9400 on the firewall.
iptables v1.8.4 (legacy): invalid port/service `9300-9400' specified
Try `iptables -h' or 'iptables --help' for more information.
# Generated by iptables-save v1.8.4 on Tue Sep 20 06:21:33 2022
*filter
:INPUT ACCEPT [3:156]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:344]
-A INPUT -p tcp -m tcp --dport 9200 -j ACCEPT
COMMIT

root@ubuntu2004:/home/vagrant# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:55000
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1516
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1515
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1514
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9200
root@ubuntu2004:/home/vagrant# firewall-cmd --list-ports

Command 'firewall-cmd' not found, but can be installed with:

apt install firewalld

Installation, firewalld and iptables installed
root@ubuntu2004:/home/vagrant# bash wazuh-install.sh -a -i 
20/09/2022 06:11:22 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.8
20/09/2022 06:11:22 INFO: Verbose logging redirected to /var/log/wazuh-install.log
20/09/2022 06:11:23 WARNING: Hardware and system checks ignored.
20/09/2022 06:11:31 INFO: Wazuh repository added.
20/09/2022 06:11:31 INFO: --- Configuration files ---
20/09/2022 06:11:31 INFO: Generating configuration files.
20/09/2022 06:11:31 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
20/09/2022 06:11:31 INFO: --- Wazuh indexer ---
20/09/2022 06:11:31 INFO: Starting Wazuh indexer installation.
20/09/2022 06:11:50 INFO: Wazuh indexer installation finished.
20/09/2022 06:11:50 INFO: Setting up firewall rules for service wazuh-indexer.
20/09/2022 06:11:50 INFO: Successfully set up basic firewall rules for service wazuh-indexer.
20/09/2022 06:11:50 INFO: It is suggested to verify the rules on the host firewall in accordance with the Wazuh documentation.
20/09/2022 06:11:50 INFO: Wazuh indexer post-install configuration finished.
20/09/2022 06:11:50 INFO: Starting service wazuh-indexer.
20/09/2022 06:11:59 INFO: wazuh-indexer service started.
20/09/2022 06:11:59 INFO: Initializing Wazuh indexer cluster security settings.
20/09/2022 06:12:04 INFO: Wazuh indexer cluster initialized.
20/09/2022 06:12:04 INFO: --- Wazuh server ---
20/09/2022 06:12:04 INFO: Starting the Wazuh manager installation.
20/09/2022 06:12:21 INFO: Wazuh manager installation finished.
20/09/2022 06:12:21 INFO: Setting up firewall rules for service wazuh-manager.
20/09/2022 06:12:22 INFO: Successfully set up basic firewall rules for service wazuh-manager.
20/09/2022 06:12:22 INFO: It is suggested to verify the rules on the host firewall in accordance with the Wazuh documentation.
20/09/2022 06:12:22 INFO: Starting service wazuh-manager.
20/09/2022 06:12:32 INFO: wazuh-manager service started.
20/09/2022 06:12:32 INFO: Starting Filebeat installation.
20/09/2022 06:12:37 INFO: Filebeat installation finished.
20/09/2022 06:12:37 INFO: Filebeat post-install configuration finished.
20/09/2022 06:12:37 INFO: Starting service filebeat.
20/09/2022 06:12:38 INFO: filebeat service started.
20/09/2022 06:12:38 INFO: --- Wazuh dashboard ---
20/09/2022 06:12:38 INFO: Starting Wazuh dashboard installation.
20/09/2022 06:12:54 INFO: Wazuh dashboard installation finished.
20/09/2022 06:12:54 INFO: Setting up firewall rules for service wazuh-dashboard.
20/09/2022 06:13:02 INFO: Successfully set up basic firewall rules for service wazuh-dashboard.
20/09/2022 06:13:02 INFO: It is suggested to verify the rules on the host firewall in accordance with the Wazuh documentation.
20/09/2022 06:13:02 INFO: Wazuh dashboard post-install configuration finished.
20/09/2022 06:13:02 INFO: Starting service wazuh-dashboard.
20/09/2022 06:13:02 INFO: wazuh-dashboard service started.
20/09/2022 06:13:26 INFO: Initializing Wazuh dashboard web application.
20/09/2022 06:13:27 INFO: Wazuh dashboard web application initialized.
20/09/2022 06:13:27 INFO: --- Summary ---
20/09/2022 06:13:27 INFO: You can access the web interface https://<wazuh-dashboard-ip>
    User: admin
    Password: YEX41l1w?6?Chzi87TLu?add4yNKLKWJ
20/09/2022 06:13:27 INFO: Installation finished.
root@ubuntu2004:/home/vagrant# firewall-cmd --list-ports
9200/tcp 9300-9400/tcp 1514/tcp 1515/tcp 1516/tcp 55000/tcp 443/tcp
root@ubuntu2004:/home/vagrant# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED,DNAT
ACCEPT     all  --  anywhere             anywhere            
INPUT_direct  all  --  anywhere             anywhere            
INPUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
Installation, firewalld and iptables not installed
root@ubuntu2004:/home/vagrant# bash wazuh-install.sh -a -i 
20/09/2022 06:16:35 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.8
20/09/2022 06:16:35 INFO: Verbose logging redirected to /var/log/wazuh-install.log
20/09/2022 06:16:36 WARNING: Hardware and system checks ignored.
20/09/2022 06:16:51 INFO: Wazuh repository added.
20/09/2022 06:16:51 INFO: --- Configuration files ---
20/09/2022 06:16:51 INFO: Generating configuration files.
20/09/2022 06:16:52 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
20/09/2022 06:16:52 INFO: --- Wazuh indexer ---
20/09/2022 06:16:52 INFO: Starting Wazuh indexer installation.
20/09/2022 06:17:11 INFO: Wazuh indexer installation finished.
20/09/2022 06:17:11 ERROR: Could not find a firewall. Please configure ports on the host firewall in accordance with the Wazuh documentation.
20/09/2022 06:17:11 INFO: Wazuh indexer post-install configuration finished.
20/09/2022 06:17:11 INFO: Starting service wazuh-indexer.
20/09/2022 06:17:19 INFO: wazuh-indexer service started.
20/09/2022 06:17:19 INFO: Initializing Wazuh indexer cluster security settings.
20/09/2022 06:17:25 INFO: Wazuh indexer cluster initialized.
20/09/2022 06:17:25 INFO: --- Wazuh server ---
20/09/2022 06:17:25 INFO: Starting the Wazuh manager installation.
20/09/2022 06:17:42 INFO: Wazuh manager installation finished.
20/09/2022 06:17:42 ERROR: Could not find a firewall. Please configure ports on the host firewall in accordance with the Wazuh documentation.
20/09/2022 06:17:42 INFO: Starting service wazuh-manager.
20/09/2022 06:17:54 INFO: wazuh-manager service started.
20/09/2022 06:17:54 INFO: Starting Filebeat installation.
20/09/2022 06:17:59 INFO: Filebeat installation finished.
20/09/2022 06:18:00 INFO: Filebeat post-install configuration finished.
20/09/2022 06:18:00 INFO: Starting service filebeat.
20/09/2022 06:18:00 INFO: filebeat service started.
20/09/2022 06:18:00 INFO: --- Wazuh dashboard ---
20/09/2022 06:18:00 INFO: Starting Wazuh dashboard installation.
20/09/2022 06:18:15 INFO: Wazuh dashboard installation finished.
20/09/2022 06:18:15 ERROR: Could not find a firewall. Please configure ports on the host firewall in accordance with the Wazuh documentation.
20/09/2022 06:18:15 INFO: Wazuh dashboard post-install configuration finished.
20/09/2022 06:18:15 INFO: Starting service wazuh-dashboard.
20/09/2022 06:18:16 INFO: wazuh-dashboard service started.
20/09/2022 06:18:40 INFO: Initializing Wazuh dashboard web application.
20/09/2022 06:18:41 INFO: Wazuh dashboard web application initialized.
20/09/2022 06:18:41 INFO: --- Summary ---
20/09/2022 06:18:41 INFO: You can access the web interface https://<wazuh-dashboard-ip>
    User: admin
    Password: QUyObJ2osvz?0qwl?Bxj*zw5*Tf*unIH
20/09/2022 06:18:41 INFO: Installation finished.
root@ubuntu2004:/home/vagrant# iptables -L INPUT
bash: /usr/sbin/iptables: No such file or directory
root@ubuntu2004:/home/vagrant# firewall-cmd --list-ports
bash: /usr/bin/firewall-cmd: No such file or directory

I have found two errors:

  • The command eval "sudo iptables -I INPUT -p tcp -m tcp --dport ${port_number} -j ACCEPT ${debug}" gives an error when the value is 9300-9400:
20/09/2022 06:21:33 DEBUG: Enabling port 9300-9400 on the firewall.
iptables v1.8.4 (legacy): invalid port/service `9300-9400' specified
Try `iptables -h' or 'iptables --help' for more information.
# Generated by iptables-save v1.8.4 on Tue Sep 20 06:21:33 2022
*filter
:INPUT ACCEPT [3:156]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:344]
-A INPUT -p tcp -m tcp --dport 9200 -j ACCEPT
COMMIT
  • When uninstalling, in debug mode it says enabling instead of disabling:
20/09/2022 06:31:55 INFO: Removing firewall rules for service wazuh-dashboard.
20/09/2022 06:31:55 DEBUG: Enabling port 443 on the firewall.

miguelfdez99 avatar Sep 20 '22 07:09 miguelfdez99
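A dry-run rendering of the firewall step with the fixes raised in the two reviews above (numeric comparison of the detection flags, the 9300-9400 range written as 9300:9400 for iptables, iptables-save for persistence, and Enabling/Disabling chosen by the action). This is an added example, not code from the wazuh-packages PR; the function names, the per-service port table and the rules.v4 path are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from the wazuh-packages PR: a dry-run of the
# firewall step that prints the commands it would run instead of executing
# them, with the fixes raised in the reviews:
#   - detection flags compared numerically (-eq 1), since [[ -n 0 ]] is true;
#   - a range such as 9300-9400 written as 9300:9400 for iptables --dport,
#     while firewalld keeps the 9300-9400/tcp form;
#   - persistence via iptables-save rather than "service iptables save";
#   - the log line says Enabling or Disabling depending on the action.
# Function names, the per-service port table and the rules.v4 path are assumed.

# Ports per service, taken from the firewall-cmd --list-ports output above.
fw_ports_for_service() {
  case "$1" in
    wazuh-indexer)   echo "9200 9300-9400" ;;
    wazuh-manager)   echo "1514 1515 1516 55000" ;;
    wazuh-dashboard) echo "443" ;;
    *) return 1 ;;
  esac
}

# iptables wants a colon in port ranges: 9300-9400 -> 9300:9400
fw_iptables_port() { printf '%s\n' "$1" | tr - :; }

# $1=service $2=add|remove $3=FIREWALLD_EXISTS (0/1) $4=IPTABLES_EXISTS (0/1)
# Prints one log line or command per line; returns 2 when no firewall is found.
fw_render_commands() {
  service="$1"; action="$2"; firewalld_exists="$3"; iptables_exists="$4"
  ports="$(fw_ports_for_service "$service")" || return 1
  if [ "$action" = add ]; then verb="Enabling"; flag="-I"; else verb="Disabling"; flag="-D"; fi
  # Numeric comparison: the original [[ -n ${FIREWALLD_EXISTS} ]] was always true.
  if [ "$firewalld_exists" -ne 1 ] && [ "$iptables_exists" -ne 1 ]; then
    echo "ERROR: Could not find a firewall. Please configure ports on the host firewall in accordance with the Wazuh documentation."
    return 2
  fi
  for port in $ports; do
    echo "LOG: $verb port $port on the firewall."
    if [ "$firewalld_exists" -eq 1 ]; then
      echo "firewall-cmd --permanent --${action}-port=${port}/tcp"
    else
      echo "iptables $flag INPUT -p tcp -m tcp --dport $(fw_iptables_port "$port") -j ACCEPT"
    fi
  done
  # Persist with the backend's own mechanism.
  if [ "$firewalld_exists" -eq 1 ]; then
    echo "firewall-cmd --reload"
  else
    echo "iptables-save > /etc/iptables/rules.v4"  # assumed path; distro-dependent
  fi
}

# Detect the backends without touching them: the command -v probe from the
# bash -x trace, pointed at the firewall-cmd client rather than the daemon.
fw_detect() {
  fd=0; ipt=0
  command -v firewall-cmd >/dev/null 2>&1 && fd=1
  command -v iptables >/dev/null 2>&1 && ipt=1
  echo "$fd $ipt"
}
```

Running fw_render_commands with the flags from fw_detect shows exactly which rules the installer would add or remove on this host before anything is changed.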

Fixed and squashed into one commit.

zbalkan avatar Sep 22 '22 18:09 zbalkan

Hello @zbalkan

Thanks again for your pull requests, it's great to have you as an active community contributor. Although your development is correct, it pushes the wazuh-tool.sh to a stage that maybe we would not put there. We are talking about changing the system configuration, and changes in a firewall tool. We think that wazuh-install.sh should detect any connectivity problems present. Or further, check the firewall configuration, in case there exists a rule disallowing the necessary Wazuh connection. But maybe the next step, the firewall configuration, needs to be in the user's hands. The tool or documentation should guide the user on how to do it, of course. But implementing it automatically is a door that the tool should not walk through.

I hope you understand this "tool philosophy" decision. I will keep this PR open some more days and please, don't hesitate to ask or suggest whatever you consider.

Regards, Alberto R

alberpilot avatar Sep 29 '22 13:09 alberpilot

Hi,

If that is the philosophy to follow consistently within Wazuh, then I totally agree with it. It's then better to add a check or an obvious warning than something that changes the environment.

This kind of approach, where a wizard takes care of everything, is common in Windows environments, which I am more accustomed to and comfortable with. That's why I started this PR, improving the installation script into an all-in-one wizard: when you hit finish, everything is set up. And I agree that it is a different philosophy.

It is up to the policies, principles and philosophy of Wazuh to make the architectural decisions to align the implementations. I am totally fine with it.

Best regards,

Zafer Balkan

zbalkan avatar Sep 29 '22 14:09 zbalkan

Nice, thanks for your understanding. I proceed to close.

alberpilot avatar Oct 03 '22 15:10 alberpilot