
Feature Request: OSSEC or fail2ban on the opnsense #887

Closed
ruggerio opened this issue Oct 3, 2018 · 15 comments
Labels
help wanted Contributor missing

Comments

@ruggerio

ruggerio commented Oct 3, 2018

See discussion here:
https://forum.opnsense.org/index.php?topic=9607.0

First sights:

  • syslog-server on opensense
  • applicationserver sending logs to opnsense
  • opnsense verifying and blocking according traffic
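The three bullets above describe a log-correlation loop: servers forward their auth logs to a syslog receiver on the firewall, a rule counts failures per source address inside a time window, and the firewall blocks the offender. The following is an added example written for this thread, not OPNsense, fail2ban or OSSEC/Wazuh code. It parses a few constructed OpenSSH syslog lines, applies a sliding-window threshold, and renders the block action as a `pfctl` table insert. The table name `sshlockout`, the year used to complete the RFC 3164 timestamps, and the threshold of 15 are assumptions.

```python
"""fail2ban-style correlation over forwarded syslog lines (added example).

Models the flow sketched in the issue: application servers forward auth
logs to a central syslog receiver, a rule counts failures per source IP in
a sliding window, and crossing the threshold produces a block action.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: RFC 3164-style lines as OpenSSH would forward them.
# Note the mixed successful login and the late retry 20 minutes later.
SAMPLE_LOG = """\
Oct  3 10:00:01 app01 sshd[2001]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct  3 10:00:02 app01 sshd[2001]: Failed password for root from 203.0.113.7 port 51235 ssh2
Oct  3 10:00:03 app01 sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Oct  3 10:00:04 app02 sshd[311]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Oct  3 10:00:05 app02 sshd[312]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
Oct  3 10:20:00 app01 sshd[2003]: Failed password for root from 203.0.113.7 port 51240 ssh2
"""

# Only failed-password lines are evidence; "invalid user" is optional in OpenSSH output.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_failures(log_text, year=2018):
    """Yield (timestamp, source_ip) for each failed login; skip everything else.

    RFC 3164 timestamps carry no year, so one is supplied (assumption).
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated daemons do not count
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        yield ts, m["ip"]


def find_bans(log_text, threshold=15, window_seconds=600, year=2018):
    """Return {ip: time_of_ban} for sources reaching `threshold` failures
    within `window_seconds`. Old failures slide out of the window, so a
    slow trickle of retries does not accumulate into a ban."""
    recent = defaultdict(deque)
    bans = {}
    window = timedelta(seconds=window_seconds)
    for ts, ip in parse_failures(log_text, year):
        if ip in bans:
            continue  # already blocked; no need to keep counting
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold:
            bans[ip] = ts
    return bans


def pf_commands(bans, table="sshlockout"):
    """Render the pf table inserts for the banned addresses.

    The table name is an assumption; the firewall rule set must already
    reference it with a block rule for this to have any effect.
    """
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(bans)]


if __name__ == "__main__":
    # Low threshold so the constructed sample actually trips the rule.
    hits = find_bans(SAMPLE_LOG, threshold=3, window_seconds=600)
    for cmd in pf_commands(hits):
        print(cmd)
```

Run with a real threshold (`find_bans(text, threshold=15)`) against a syslog spool rather than the embedded sample; the dry-run only prints the `pfctl` invocations so the logic can be checked before anything is actually blocked.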
@mimugmail
Member

I'm not sure if Bro would fit better .. there's already a ticket from @lattera

@fabianfrz
Member

@mimugmail Bro is a network IDS like Suricata, but maybe more advanced, which also has some downsides like more disk and memory usage as well as performance. OSSEC is a host IDS which acts based on events inside applications and logs which are collected. So they are totally different.

@juliocbc
Contributor

juliocbc commented Oct 8, 2018

I already have OSSEC running on a dozen OPNsenses and it works great. A couple of years ago I submitted this script to the Wazuh project to work with OSSEC's active response on OPNsense:

wazuh/wazuh@4d3c445

I'm finishing a plugin that includes an OSSEC agent; when I finish it I'll let you know.

@mimugmail
Member

This sounds really cool :)

@mimugmail
Member

@juliocbc do you need help with the plugin? :)

@juliocbc
Contributor

juliocbc commented Nov 5, 2018

Hi @mimugmail, sorry... I've been busy these last weeks with a squid + squidguard plugin with SSO that I'm porting from 16.x to 18.x... it's an internal plugin that we use here, but when I finish the port we'll make a public version.

All help is very welcome! I'm thinking of starting to use a Wazuh agent version for this plugin, what do you think about it?

@beren12

beren12 commented Dec 5, 2018

I would like to see this. fail2ban would be enough for me, but there's no reason to not have options. Yes, I can ssh into my firewall remotely. It's needed as there is often nobody behind the firewall to check on things or kick it when the interface starts flapping.

@mimugmail
Member

fail2ban cannot read circular logs... also there's already sshlockout, so after 15 fails the IP gets blocked.

@beren12

beren12 commented Dec 5, 2018

Sure most things cannot, that's why the first bullet point is "syslog-server on opnsense" up top. Also, with zfs, circular logs aren't a good idea anyway. The filesystem is CoW so things are never directly written over like with UFS. syslog with log rotate is a far better option. Every time opnsense writes to the circular log, my entire log has to be rewritten.

@juliocbc
Contributor

Hi guys!! Is there anyone here who can help me with a port of wazuh-agent to FreeBSD? I've posted this in their forum, but nobody has replied yet... @mimugmail

@mimugmail
Member

Can you open an issue in tools to build a pkg for it?

@juliocbc
Contributor

Done!
opnsense/tools#112

@AdSchellevis
Member

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository,
please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue,
just let us know, so we can reopen the issue and assign an owner to it.

AdSchellevis added the "help wanted Contributor missing" label on Jan 5, 2020
@FathiBenNasr

Is this what all of you and I are looking for? https://github.com/cloudfence/opnsense-wazuh

@fichtner
Member

This issue was closed 4 years ago; a wazuh-agent plugin is readily available in OPNsense nowadays...

8 participants