Securing the ThreatLockDown API
The communication between the ThreatLockDown UI and the ThreatLockDown API is encrypted with HTTPS by default: if the users do not provide their own private key and certificate, the ThreatLockDown API generates its own during the first run. Additionally, the ThreatLockDown API users wazuh and wazuh-wui are created by default, with wazuh and wazuh-wui as their passwords, respectively. Because of that, it is very important to secure the ThreatLockDown API once the ThreatLockDown Manager has been installed.
Warning
It is highly recommended to change the default passwords and to use your own certificate since the one created by the ThreatLockDown API is self-signed.
Recommended changes to secure the ThreatLockDown API
Modify HTTPS parameters:
The ThreatLockDown API has HTTPS enabled by default. In case there is no available certificate in WAZUH_PATH/api/configuration/ssl, the ThreatLockDown API will generate the private key and a self-signed certificate. If that is the case and the API log format is set as plain, the following lines will appear in WAZUH_PATH/logs/api.log:

INFO: HTTPS is enabled but cannot find the private key and/or certificate. Attempting to generate them.
INFO: Generated private key file in WAZUH_PATH/api/configuration/ssl/server.key.
INFO: Generated certificate file in WAZUH_PATH/api/configuration/ssl/server.crt.
These HTTPS options, including whether HTTPS is enabled and the path to the certificate, can be changed by editing the ThreatLockDown API configuration file located in WAZUH_PATH/api/configuration/api.yaml:

https:
  enabled: yes
  key: "server.key"
  cert: "server.crt"
  use_ca: False
  ca: "ca.crt"
  ssl_protocol: "auto"
  ssl_ciphers: ""
After setting these parameters, it will be necessary to restart the ThreatLockDown API using the wazuh-manager service:

# systemctl restart wazuh-manager
# service wazuh-manager restart
Change the default password of the admin users (wazuh and wazuh-wui):
The default password can be changed using the following ThreatLockDown API request: PUT /security/users/{user_id}
Note
The password for users must be between 8 and 64 characters long. It should contain at least one uppercase and one lowercase letter, a number, and a symbol.
After changing the password, there is no need to restart the ThreatLockDown API but a new authentication will be required for the affected users.
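The following script is an added example (not code from the original documentation or from the ThreatLockDown project) that applies the password rule stated in the note above before building the PUT /security/users/{user_id} request. It assumes the request body is JSON of the form {"password": "..."}, that a bearer token is obtained from GET /security/user/authenticate with HTTP basic authentication (an endpoint name assumed from the upstream Wazuh API), that the set of accepted symbols is string.punctuation, and that the API listens on https://localhost:55000. TLS verification is pinned to the server.crt file the API generated rather than being disabled; if that self-signed certificate does not match the host name you connect to, replace the certificate as this page recommends instead of turning verification off.

```python
"""Change a ThreatLockDown API user's password via PUT /security/users/{user_id}.

Added example; assumptions (endpoint names, JSON shape, symbol set) are
labelled in the lead-in and in the comments below.
"""
import json
import os
import ssl
import string
import sys
import urllib.request
from base64 import b64encode

MIN_LEN, MAX_LEN = 8, 64          # rule stated in the documentation
SYMBOLS = set(string.punctuation)  # assumed symbol set; the page only says "a symbol"


def password_policy_errors(password: str) -> list:
    """Return the list of documented rules the candidate password violates.

    Rule from the page: 8-64 characters, at least one uppercase letter,
    one lowercase letter, a number and a symbol.
    """
    errors = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        errors.append(f"length must be between {MIN_LEN} and {MAX_LEN}")
    if not any(c.isupper() for c in password):
        errors.append("missing uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("missing lowercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("missing digit")
    if not any(c in SYMBOLS for c in password):
        errors.append("missing symbol")
    return errors


def build_password_change(user_id: int, new_password: str, token: str,
                          base_url: str = "https://localhost:55000") -> urllib.request.Request:
    """Build (but do not send) the PUT /security/users/{user_id} request.

    Rejects the password locally first so a policy violation never reaches
    the API. The {"password": ...} body shape is an assumption.
    """
    errors = password_policy_errors(new_password)
    if errors:
        raise ValueError("password rejected by policy: " + "; ".join(errors))
    body = json.dumps({"password": new_password}).encode()
    return urllib.request.Request(
        f"{base_url}/security/users/{user_id}",
        data=body, method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


def get_token(user: str, password: str, base_url: str, cafile: str) -> str:
    """Obtain a bearer token with HTTP basic auth.

    Assumed endpoint and response shape ({"data": {"token": ...}}), taken
    from the upstream Wazuh API. TLS is verified against `cafile`.
    """
    creds = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base_url}/security/user/authenticate",
                                 headers={"Authorization": f"Basic {creds}"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["data"]["token"]


if __name__ == "__main__":
    # Usage: API_ADMIN_USER=... API_ADMIN_PASS=... python change_api_password.py <user_id> <new_password>
    # Environment variable names and the certificate path are assumptions for this example.
    user_id, new_password = int(sys.argv[1]), sys.argv[2]
    base_url = os.environ.get("API_URL", "https://localhost:55000")
    cafile = os.environ.get("API_CA_FILE", "/var/ossec/api/configuration/ssl/server.crt")
    token = get_token(os.environ["API_ADMIN_USER"], os.environ["API_ADMIN_PASS"], base_url, cafile)
    req = build_password_change(user_id, new_password, token, base_url)
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=cafile)) as resp:
        print(resp.status, json.load(resp))
```

The numeric user_id of the wazuh and wazuh-wui accounts is not given on this page; list the users through the API first rather than guessing it. After the change, the affected user has to authenticate again, as the text above states.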
Warning
Changing the wazuh-wui user password will affect the ThreatLockDown UI. You will have to update the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file accordingly with the new credentials. To learn more, see the ThreatLockDown dashboard configuration file document.
Change the default host and port:
The host is set to 0.0.0.0 by default, which means the ThreatLockDown API will accept incoming connections on every network interface. It is possible to restrict it to a specific address by editing the ThreatLockDown API configuration in WAZUH_PATH/api/configuration/api.yaml:

host: 0.0.0.0
The default port can be changed as well:
port: 55000
After configuring these parameters, it will be necessary to restart the ThreatLockDown API using the wazuh-manager service:

# systemctl restart wazuh-manager
# service wazuh-manager restart
Set maximum number of requests per minute:
In order to avoid overloading the ThreatLockDown API, it is possible to use rate limiting to establish the maximum number of requests the ThreatLockDown API can handle per minute. Once exceeded, all other requests (from any user) will be rejected for the remaining period of time.
The default number of requests per minute is 300. To change it, modify the max_request_per_minute setting in WAZUH_PATH/api/configuration/api.yaml.
Note
To disable this feature, set its value to 0.
Set maximum number of login attempts:
To avoid brute force attacks, it is possible to set the number of times that a login attempt can occur from the same IP address during a certain period of time. Once the said number is exceeded, the IP address will be blocked for that period of time.
The default number of login attempts allowed is 50 for each period of time, which by default is 300 seconds. To change these values, modify the max_login_attempts and/or the block_time settings in WAZUH_PATH/api/configuration/api.yaml.
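The script below is an added example (not code from the original documentation or from the ThreatLockDown project) that reads a copy of api.yaml and reports the settings this page recommends changing: HTTPS disabled, the default auto-generated key and certificate file names, a host of 0.0.0.0, rate limiting turned off, and a login-attempt limit looser than the default. It assumes the setting names are the ones given on this page and accepts them either at the top level or under an "access:" mapping, since the page does not show where max_request_per_minute, max_login_attempts and block_time sit; the two sample files and the tiny YAML-subset parser are constructed for the example so it runs without PyYAML.

```python
"""Audit a ThreatLockDown API api.yaml against the hardening points on this page.

Added example; setting names come from the page, key placement under
"access:" is an assumption, and both sample configurations are constructed.
"""
import sys


def coerce(value: str):
    """Turn a scalar token into str/bool/int the way api.yaml values read."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    low = value.lower()
    if low in ("yes", "true", "on"):
        return True
    if low in ("no", "false", "off"):
        return False
    try:
        return int(value)
    except ValueError:
        return value


def parse_api_yaml(text: str) -> dict:
    """Parse the one-level-nested YAML subset used by api.yaml.

    Constructed helper: handles 'key: value' lines and one level of
    indented mappings, ignoring blank lines and '#' comments. Not a
    general YAML parser.
    """
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            if value == "":
                result[key], current = {}, key
            else:
                result[key], current = coerce(value), None
        elif current is not None:
            result[current][key] = coerce(value)
    return result


def setting(cfg: dict, key: str, default=None):
    """Look a setting up at the top level first, then under 'access' (assumed)."""
    if key in cfg:
        return cfg[key]
    return cfg.get("access", {}).get(key, default)


def audit_api_config(cfg: dict) -> list:
    """Return human-readable findings for settings that weaken the API."""
    findings = []
    https = cfg.get("https", {})
    if https.get("enabled") is not True:
        findings.append("https.enabled is not yes: API traffic is sent in clear text")
    if https.get("key") == "server.key" and https.get("cert") == "server.crt":
        findings.append("https key/cert use the file names the API generates on first run; "
                        "confirm they are your own CA-issued files, not the self-signed pair")
    if setting(cfg, "host") == "0.0.0.0":
        findings.append("host is 0.0.0.0: the API listens on every interface")
    if setting(cfg, "max_request_per_minute") == 0:
        findings.append("max_request_per_minute is 0: rate limiting is disabled")
    attempts = setting(cfg, "max_login_attempts", 50)
    if isinstance(attempts, int) and attempts > 50:
        findings.append(f"max_login_attempts is {attempts}: looser than the default of 50")
    return findings


# Constructed sample reflecting the default values quoted on this page.
DEFAULT_API_YAML = """\
host: 0.0.0.0
port: 55000
max_request_per_minute: 300
max_login_attempts: 50
block_time: 300
https:
  enabled: yes
  key: "server.key"
  cert: "server.crt"
  use_ca: False
  ca: "ca.crt"
  ssl_protocol: "auto"
  ssl_ciphers: ""
"""

# Constructed hardened sample: own certificate, bound to one address, tighter lockout.
HARDENED_API_YAML = """\
host: 192.0.2.10  # management interface address (example value)
port: 55000
max_request_per_minute: 300
max_login_attempts: 20
block_time: 600
https:
  enabled: yes
  key: "api-host.key"
  cert: "api-host.crt"
  use_ca: True
  ca: "ca.crt"
  ssl_protocol: "auto"
  ssl_ciphers: ""
"""

if __name__ == "__main__":
    # Usage: python audit_api_yaml.py [/var/ossec/api/configuration/api.yaml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DEFAULT_API_YAML
    for finding in audit_api_config(parse_api_yaml(text)) or ["no findings"]:
        print(finding)
```

Run it against the live file after each change and again after the wazuh-manager restart, so that a later edit that reopens the API to 0.0.0.0 or disables rate limiting is caught before it goes unnoticed.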
A complete ThreatLockDown API configuration guide can be found here.