
Building an open-source Security Information and Event Management (SIEM) system that blocks attackers in real time is achievable with Wazuh, a free and open-source SIEM/XDR platform whose active response feature runs a script on the endpoint (here the stock firewall-drop) whenever a chosen rule fires. Below is a step-by-step guide with the commands and configuration for a single-node deployment on Ubuntu/Debian.
You Should Know:
1. Install Wazuh Server (Ubuntu/Debian Example)

```bash
# Update system
sudo apt update && sudo apt upgrade -y

# Add the Wazuh repository. The key is imported in plain OpenPGP keyring format
# (gnupg-ring:) and made world-readable, because gpg creates the file 0600 and apt
# reads it as the unprivileged _apt user.
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
sudo chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee -a /etc/apt/sources.list.d/wazuh.list

# Install the Wazuh manager
sudo apt update
sudo apt install wazuh-manager

# Start and enable the manager
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
```
2. Install Wazuh Indexer (Elasticsearch Alternative)

The indexer needs TLS certificates before it will start. Generate them once with the `wazuh-certs-tool.sh` script from the Wazuh docs (it writes a `wazuh-certificates/` directory holding one pair per node plus `root-ca.pem` and the `admin` client pair) and place the indexer pair, `root-ca.pem` and the admin pair in `/etc/wazuh-indexer/certs/`. `indexer-security-init.sh` does not generate certificates: it loads the security configuration (users and roles) into the running indexer, so it runs last.

```bash
# Install Wazuh Indexer
sudo apt install wazuh-indexer

# Deploy the certificates produced by wazuh-certs-tool.sh into /etc/wazuh-indexer/certs/
# first, then start the indexer
sudo systemctl daemon-reload
sudo systemctl enable wazuh-indexer
sudo systemctl start wazuh-indexer

# Initialize the security configuration (users, roles); run once, after the indexer is up
sudo /usr/share/wazuh-indexer/bin/indexer-security-init.sh
```
3. Install Wazuh Dashboard (Kibana Alternative)

The dashboard gets its own pair from the same `wazuh-certs-tool.sh` run, not a copy of the indexer's admin certificate: `admin.pem` is the client certificate for administering the indexer's security plugin, while `dashboard.pem` is the server certificate the dashboard presents over HTTPS. Copy `dashboard.pem`, `dashboard-key.pem` and `root-ca.pem`, then change ownership with `-R` so the key files themselves, not only the directory, belong to the service user.

```bash
# Install Wazuh Dashboard
sudo apt install wazuh-dashboard

# Configure certificates (paths assume wazuh-certs-tool.sh wrote ./wazuh-certificates/)
sudo mkdir -p /etc/wazuh-dashboard/certs
sudo cp ./wazuh-certificates/dashboard.pem /etc/wazuh-dashboard/certs/dashboard.pem
sudo cp ./wazuh-certificates/dashboard-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
sudo cp ./wazuh-certificates/root-ca.pem /etc/wazuh-dashboard/certs/root-ca.pem
sudo chmod 500 /etc/wazuh-dashboard/certs
sudo chmod 400 /etc/wazuh-dashboard/certs/*
sudo chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs/

# Start Wazuh Dashboard
sudo systemctl daemon-reload
sudo systemctl enable wazuh-dashboard
sudo systemctl start wazuh-dashboard
```
4. Deploy Wazuh Agents on Endpoints

Replace `SERVER_IP` with the manager's address. Pick an agent package that is not newer than the manager (4.7.0 below is only an example; use the 4.x release matching your manager), and allow TCP 1514 (events) and 1515 (enrollment) from the endpoints to the manager.

```bash
# Linux agent (Debian package); the version in the URL must not exceed the manager's
curl -so wazuh-agent.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.0-1_amd64.deb
sudo WAZUH_MANAGER='SERVER_IP' dpkg -i wazuh-agent.deb

# Start the agent
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
```
5. Enable Automatic Blocking with Active Response

Add the following to `/var/ossec/etc/ossec.conf` on the Wazuh manager and restart it with `sudo systemctl restart wazuh-manager`. In 4.x the response executables in `/var/ossec/active-response/bin/` are binaries without an extension, so the executable is `firewall-drop`, not `firewall-drop.sh`; the stock manager configuration already defines this `<command>`, so usually only the `<active-response>` block is new. `<location>local</location>` runs the response on the agent that raised the alert: it inserts an iptables DROP rule for the alert's source IP and, because `<timeout_allowed>` is set, removes it again after `<timeout>` seconds. Be aware that `<level>7</level>` fires on every alert of level 7 or higher on that agent, including many that carry no source IP; scope the response to specific rules with `<rules_id>` and whitelist your own addresses under `<global>` before enabling it, or you can lock yourself out of the host.

```xml
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>7</level>
  <timeout>600</timeout>
</active-response>
```
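A tighter policy than the level-based block above, added here as an example rather than taken from the original post or the Wazuh docs. Rules 5712 and 5763 are the stock sshd brute-force rules (confirm the IDs in the sshd ruleset shipped with your version); the `10.0.0.5` admin host and the `<disabled>` line are assumptions for illustration. The block can be appended to `ossec.conf` as its own `<ossec_config>` section.

```xml
<ossec_config>
  <global>
    <!-- Addresses an active response must never block: loopback and the host you administer from -->
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>10.0.0.5</white_list>
  </global>

  <!-- firewall-drop is already declared as a <command> in the stock 4.x ossec.conf -->
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <!-- fire only on SSH brute-force rules instead of every level>=7 alert -->
    <rules_id>5712,5763</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

With `<rules_id>` in place, alerts that match other rules are still recorded and indexed but never reach the firewall, and a white-listed source is logged as skipped in `active-responses.log` instead of being dropped.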
6. Verify Real-Time Alerts & Blocking

Watch the alert stream on the manager; each JSON line carries `rule.id`, `rule.level` and, for network-sourced events, `data.srcip`, which is the field firewall-drop blocks:

```bash
tail -f /var/ossec/logs/alerts/alerts.json
```

Every active-response execution (the `add` when a block starts and the `delete` when the timeout expires) is also written to `/var/ossec/logs/active-responses.log` on the host that ran it, and the blocked address appears as a DROP rule in that host's iptables INPUT chain. Trigger a test with repeated failed SSH logins from a throwaway address, never from the one you administer with.
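To make the decision in steps 5 and 6 concrete, here is a dry-run model of what the manager checks before it launches firewall-drop for an alert. This is an added example, not code from the original post or from Wazuh: it applies the three checks that matter in practice (is the rule in the `rules_id` list, does the alert carry a `srcip`, is that address white-listed) to constructed `alerts.json` lines and prints the iptables commands the stock Linux firewall-drop would run instead of executing them. Rules 5712 and 5763 are the stock sshd brute-force rules; rule 100001, the white-list entries, the agent names and the addresses are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not part of the original post, not Wazuh code): a dry-run model of the
# active-response decision for firewall-drop, run against constructed alert lines.

BLOCK_RULE_IDS="5712 5763 100001"   # mirrors <rules_id>5712,5763,100001</rules_id>
WHITE_LIST="127.0.0.1 10.0.0.5"     # mirrors <white_list> entries under <global> (assumed)
TIMEOUT=600                         # mirrors <timeout>600</timeout>

# Constructed sample alerts, trimmed to the fields this example needs, in the key order
# alerts.json uses. On a real manager parse the file with jq ('.rule.id', '.data.srcip').
SAMPLE_ALERTS='{"rule":{"level":10,"description":"sshd: brute force trying to get access to the system.","id":"5712"},"agent":{"id":"001","name":"web01"},"data":{"srcip":"203.0.113.7"}}
{"rule":{"level":5,"description":"sshd: Attempt to login using a non-existent user","id":"5710"},"agent":{"id":"001","name":"web01"},"data":{"srcip":"198.51.100.9"}}
{"rule":{"level":10,"description":"sshd: brute force trying to get access to the system. Non existent user.","id":"5763"},"agent":{"id":"002","name":"db01"},"data":{"srcip":"10.0.0.5"}}
{"rule":{"level":12,"description":"custom: suspicious process","id":"100001"},"agent":{"id":"002","name":"db01"},"data":{"process":"nc"}}'

# Field extractors for one alert line on stdin; sed is enough for this fixed layout.
rule_id()    { sed -n 's/.*"rule":{"level":[0-9]*,"description":"[^"]*","id":"\([0-9]*\)".*/\1/p'; }
rule_level() { sed -n 's/.*"rule":{"level":\([0-9]*\),.*/\1/p'; }
src_ip()     { sed -n 's/.*"srcip":"\([^"]*\)".*/\1/p'; }

in_list() {  # in_list VALUE "w1 w2 ..." -> 0 if VALUE is one of the words
  local needle="$1" w
  for w in $2; do [ "$w" = "$needle" ] && return 0; done
  return 1
}

# decide LINE -> prints "BLOCK <ip>" or "SKIP <reason>", in the order the checks apply
decide() {
  local line="$1" id level ip
  id=$(printf '%s\n' "$line" | rule_id)
  level=$(printf '%s\n' "$line" | rule_level)
  ip=$(printf '%s\n' "$line" | src_ip)
  if ! in_list "$id" "$BLOCK_RULE_IDS"; then
    echo "SKIP rule $id (level $level) is not in rules_id"
  elif [ -z "$ip" ]; then
    echo "SKIP rule $id matched but the alert has no srcip"
  elif in_list "$ip" "$WHITE_LIST"; then
    echo "SKIP $ip is white-listed"
  else
    echo "BLOCK $ip"
  fi
}

# The commands the stock Linux firewall-drop runs for an address (DROP in INPUT and FORWARD);
# execd schedules the matching removal after TIMEOUT seconds.
block_commands() {  # block_commands IP
  printf 'iptables -I INPUT -s %s -j DROP\niptables -I FORWARD -s %s -j DROP  # undone after %ss\n' "$1" "$1" "$TIMEOUT"
}

# Run every sample through decide; the last output line is "blocks: N"
run_samples() {
  local n=0 line verdict
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    verdict=$(decide "$line")
    echo "$verdict"
    case "$verdict" in
      BLOCK*) n=$((n + 1)); block_commands "${verdict#BLOCK }" | sed 's/^/    would run: /' ;;
    esac
  done <<EOF
$SAMPLE_ALERTS
EOF
  echo "blocks: $n"
}

run_samples
```

Of the four constructed alerts only the first is blocked: the second matches a rule outside the list, the third comes from a white-listed address, and the fourth matches a listed rule but has no `srcip`, so firewall-drop would have nothing to act on. That last case is exactly what a bare `<level>7</level>` trigger produces on most host-based alerts.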
What Undercode Say:
Wazuh is a powerful open-source SIEM that can auto-block attackers using active response. Keep in mind that the stock firewall-drop manipulates iptables on the endpoint itself: hosts whose traffic is filtered by a cloud security group, containers without CAP_NET_ADMIN, and Kubernetes nodes need a custom response script that talks to whatever actually enforces policy there, and strict environments require additional hardening of the whole stack. Key takeaways:
- Use fail2ban alongside Wazuh for extra blocking.
- Monitor `/var/log/auth.log` for SSH brute-force attacks (the Linux agent collects it by default).
- Put custom rules in `/var/ossec/etc/rules/local_rules.xml` (IDs from 100000 upward) and test them against sample log lines with `/var/ossec/bin/wazuh-logtest` before they are allowed to trigger a response.
- For Windows agents, use Sysmon integration for deeper visibility.
Expected Output:
A fully functional SIEM with real-time threat blocking: Wazuh manager, Wazuh Indexer and Wazuh Dashboard (the latter two are OpenSearch-based replacements for Elasticsearch and Kibana, not Elastic products), plus agents that drop an attacker's traffic when a configured rule fires.
🔗 Reference: Wazuh Official Docs (https://documentation.wazuh.com)
References:
Reported By: Chuckkeith How – Hackers Feeds