Amazon Machine Images (AMI)
ThreatLockDown provides a pre-built Amazon Machine Image (AMI). An AMI is a pre-configured template that is ready to use for creating a virtual computing environment within the Amazon Elastic Compute Cloud (Amazon EC2). The latest ThreatLockDown AMI packages together Amazon Linux 2 with the following central components for your ThreatLockDown server:
ThreatLockDown manager 4.9.0
Filebeat-OSS 7.10.2
ThreatLockDown indexer 4.9.0
ThreatLockDown dashboard 4.9.0
Packages list
| Distribution | Architecture | VM Format | Latest version | Product page |
|---|---|---|---|---|
| Amazon Linux 2 | 64-bit | AWS AMI | 4.9.0 | |
Deployment alternatives
There are two alternatives for deploying a ThreatLockDown instance. You can launch the ThreatLockDown All-In-One Deployment AMI directly from the AWS Marketplace or you can configure and deploy an instance using the AWS Management Console.
Note
Our ThreatLockDown Consulting Service is also available in the AWS Marketplace. Check the Professional Service packages that ThreatLockDown has to offer.
Launch an instance from the AWS Marketplace
Go to ThreatLockDown All-In-One Deployment in the AWS Marketplace, then click Continue to Subscribe.
Review the information and accept the terms for the software. Click Continue to Configuration to confirm subscribing to our Server product.
Select a Software Version and the Region where the instance is going to be deployed. Then, click Continue to Launch.
Review your configuration, making sure that all settings are correct before launching the software. Adapt the default configuration values to your needs.
When selecting the EC2 Instance Type, we recommend that you use the c5a.xlarge instance type.
When selecting the Security Group, choose one with the appropriate settings for your ThreatLockDown instance to guarantee correct operation. You can create a new security group by choosing Create new based on seller settings. This new group has the appropriate settings by default.
Click Launch to generate the instance.
Once your instance is successfully launched and a few minutes have elapsed, you can access the ThreatLockDown dashboard.
Deploy an instance using the AWS Management Console
Select Launch instance from your AWS Management Console dashboard.
Find ThreatLockDown All-In-One Deployment by ThreatLockDown Inc., and click Select to subscribe.
Review the Server product characteristics, then click Continue to subscribe to our Server product.
Select the instance type according to your needs, then click Next: Configure Instance Details. We recommend that you use the c5a.xlarge instance type.
Configure your instance as needed, then click Next: Add Storage.
Set the storage capacity of your instance under the Size (GiB) column, then click Next: Add Tags. We recommend 100 GiB GP3 or more.
Add as many tags as you need, then click Next: Configure Security Group.
Check that the allowed ports and protocols match the ports and protocols required by Wazuh, and review the security measures for your instance. This establishes the Security Group (SG). Then, click Review and Launch.
Review the instance configuration and click Launch.
Select one of the three key pair options: Choose an existing key pair, Create a new key pair, or Proceed without a key pair. You need to choose an existing key pair or create a new one to access the instance with SSH.
Click Launch instances to complete the process and deploy your instance.
Once your instance is fully configured and ready, a few minutes after launch, you can access the ThreatLockDown dashboard.
Configuration files
All components included in this AMI are configured to work out of the box without the need to modify any settings. However, all components can be fully customized. The configuration files are located as follows.
ThreatLockDown manager:
/var/ossec/etc/ossec.conf
ThreatLockDown indexer:
/etc/wazuh-indexer/opensearch.yml
Filebeat-OSS:
/etc/filebeat/filebeat.yml
ThreatLockDown dashboard:
/etc/wazuh-dashboard/opensearch_dashboards.yml
/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
To learn more about configuring Wazuh, see the User manual.
Access the ThreatLockDown dashboard
When the instance is launched, the passwords of the users are automatically changed to the ID of the instance, so that only the creator of the instance can access the interface. This process takes about five minutes on average, depending on the instance type. Both SSH access and ThreatLockDown dashboard access are disabled while it runs.
Once the instance is running and the process to initialize passwords is complete, you can access the ThreatLockDown dashboard with your credentials.
URL: https://<YOUR_INSTANCE_IP>
Username: admin
Password: <YOUR_INSTANCE_ID>
Warning
It is highly recommended to change the default users' passwords during your first SSH session. To perform this action, see the Password management section.
Security considerations about SSH
The root user cannot log in over SSH; the instance can only be accessed as the wazuh-user user.
SSH password authentication is disabled, so the instance can only be accessed with a key pair. This means that only the holder of the key pair has access to the instance.
To access the instance with a key pair, you need to download the key generated or stored in AWS. Then, run the following command to connect with the instance.
# ssh -i "<KEY_PAIR_NAME>" wazuh-user@<YOUR_INSTANCE_IP>
Access during the initial password change process is disabled to prevent potential problems. This process may take a few minutes to complete. Any access attempt before completion shows:
wazuh-user@<INSTANCE_IP>: Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
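As an added example (not part of the ThreatLockDown documentation), the following script polls SSH as wazuh-user until the initial password-change process described above has finished, so that the expected early Permission denied is not mistaken for a broken key pair or an unreachable instance. The key file, instance IP, timeout and polling interval are arguments and assumptions of this script, not values from the page.

```shell
#!/usr/bin/env sh
# Added example (not from the ThreatLockDown/Wazuh docs): poll SSH until the
# AMI's initial password-change process has finished, telling the expected
# "Permission denied (publickey...)" state apart from real connectivity or
# key problems. Timeout/interval defaults are assumptions chosen here.

# classify_ssh_attempt EXIT_STATUS STDERR_TEXT -> ready|initializing|unreachable|failed
classify_ssh_attempt() {
    if [ "$1" -eq 0 ]; then echo ready; return; fi
    # Key rejected: while passwords are being initialized after launch,
    # the AMI refuses SSH with exactly this "Permission denied" message.
    case "$2" in
        *'Permission denied (publickey'*) echo initializing ;;
        *'Connection refused'*|*'Connection timed out'*|*'No route to host'*) echo unreachable ;;
        *) echo failed ;;
    esac
}

# wait_for_instance KEY_FILE INSTANCE_IP [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Returns 0 once a key-based login as wazuh-user succeeds, 1 on timeout or on
# an SSH error that is not the initialization state.
wait_for_instance() {
    key_file="$1"; host="$2"; timeout="${3:-900}"; interval="${4:-30}"; elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        # BatchMode=yes never prompts for a password (the AMI disables password
        # authentication anyway); accept-new pins the host key on first contact.
        err=$(ssh -i "$key_file" -o BatchMode=yes -o ConnectTimeout=10 \
                  -o StrictHostKeyChecking=accept-new \
                  "wazuh-user@$host" true 2>&1 >/dev/null)
        status=$?
        state=$(classify_ssh_attempt "$status" "$err")
        echo "[${elapsed}s] $state"
        case "$state" in
            ready) echo "Instance ready: change the default passwords now."; return 0 ;;
            failed) echo "$err" >&2; return 1 ;;
        esac
        sleep "$interval"; elapsed=$((elapsed + interval))
    done
    echo "Timed out after ${timeout}s" >&2; return 1
}

if [ "$#" -ge 2 ]; then wait_for_instance "$@"; fi
```

Run it as `sh wait_for_ami.sh <KEY_PAIR_FILE> <YOUR_INSTANCE_IP>`; once it reports ready, log in and change the default passwords as described in the Password management section.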
Next steps
The ThreatLockDown AMI is now ready and you can proceed with deploying the ThreatLockDown agents on the systems to be monitored.
Upgrading the AMI
Follow the instructions on how to upgrade the ThreatLockDown central components.