Securing the Wazuh server API
The communication between the Wazuh dashboard and the Wazuh server API is encrypted with HTTPS by default. The Wazuh server API will generate its own private key and certificate during the first run if users do not supply them. Additionally, the Wazuh server API automatically creates the following username-password pair when installed with the OVA installation:
wazuh:wazuh
wazuh-wui:wazuh-wui
If the Wazuh deployment was performed using the installation assistant script, the Wazuh API username is wazuh and you can extract the password by running the following command:
# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'wazuh\'" -A 1
Therefore, securing the Wazuh server API is crucial after installing the Wazuh manager.
Note
We highly recommend changing the default passwords and using your own certificate, since the one created by the Wazuh server API is self-signed.
Recommended changes to secure the Wazuh server API
1. Use a trusted certificate instead of the default self-signed one
The Wazuh server API has HTTPS enabled by default. If there is no available certificate in /var/ossec/api/configuration/ssl/, the Wazuh server will generate the private key and a self-signed certificate when it is started. If that is the case and the API log format is set as plain, the following lines will appear in /var/ossec/logs/api.log:
INFO: HTTPS is enabled but cannot find the private key and/or certificate. Attempting to generate them.
INFO: Generated private key file in WAZUH_PATH/api/configuration/ssl/server.key.
INFO: Generated certificate file in WAZUH_PATH/api/configuration/ssl/server.crt.
You can change these HTTPS options, including their status or the path to the certificate, by editing the Wazuh server API configuration file located at /var/ossec/api/configuration/api.yaml:
https:
  enabled: yes
  key: "server.key" # or your custom path
  cert: "server.crt" # or your custom path
  use_ca: false # set to true if using CA certificate
  ca: "ca.crt" # optional CA file
  ssl_protocol: "auto"
  ssl_ciphers: ""
Restart the Wazuh server API using the Wazuh manager service to apply the changes:
# systemctl restart wazuh-manager
# service wazuh-manager restart
2. Change the default password for the administrative users
You can change the default password for the administrative users wazuh and wazuh-wui using the following Wazuh server API request: PUT /security/users/{user_id}.
Note
The password for users must be between 8 and 64 characters long. It must contain at least one uppercase letter, one lowercase letter, one number, and one symbol.
We show an example of changing the password using curl below:
Get a list of users along with their user IDs. Refer to the authentication steps to set $TOKEN:
# curl -k -X GET "https://localhost:55000/security/users?pretty=true" -H "Authorization: Bearer $TOKEN"
Change the password of the desired user, replacing <USER_ID> with the user's ID and <NEW_PASSWORD> with the new password:
# curl -k -X PUT "https://localhost:55000/security/users/<USER_ID>" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"password": "<NEW_PASSWORD>"}'
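The same two steps as a script, added here as an example and not part of Wazuh's own tooling: it authenticates with the admin credentials, resolves the target username to its ID from GET /security/users, checks the new password against the policy in the note so a rejected value never leaves the host, and then issues the PUT. Only the standard library is used. The JSON envelope (data.token for the authentication call, data.affected_items for the user list) is assumed from the API's usual response format, and treating any non-alphanumeric, non-whitespace character as a "symbol" is an assumption about the policy.

```python
"""Rotate a Wazuh server API user's password over the REST API.

Added example (not Wazuh's own tooling); standard library only. The JSON
envelope (data.token, data.affected_items) is assumed from the API's usual
response format.
"""
import base64
import getpass
import json
import ssl
import sys
import urllib.request


def password_meets_policy(password):
    """Mirror the policy in the note: 8-64 characters, at least one uppercase
    letter, one lowercase letter, one digit and one symbol. Counting any
    non-alphanumeric, non-whitespace character as a symbol is an assumption."""
    return (
        8 <= len(password) <= 64
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() and not c.isspace() for c in password)
    )


def user_ids_from_response(body):
    """Map username -> user ID from a GET /security/users response body."""
    return {u["username"]: u["id"] for u in body["data"]["affected_items"]}


def _request(method, url, token=None, basic=None, body=None, verify=True):
    """Send one JSON request and decode the reply. verify=False is the
    equivalent of curl -k and is only acceptable while the generated
    self-signed certificate is still in use."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = "Bearer " + token
    elif basic:
        cred = base64.b64encode(f"{basic[0]}:{basic[1]}".encode()).decode()
        headers["Authorization"] = "Basic " + cred
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def get_token(base_url, user, password, verify=True):
    """POST /security/user/authenticate with basic auth returns a bearer token."""
    body = _request("POST", base_url + "/security/user/authenticate",
                    basic=(user, password), verify=verify)
    return body["data"]["token"]


def change_password(base_url, token, user_id, new_password, verify=True):
    """PUT /security/users/{user_id}, after the local policy check."""
    if not password_meets_policy(new_password):
        raise ValueError("new password does not satisfy the API password policy")
    return _request("PUT", f"{base_url}/security/users/{user_id}", token=token,
                    body={"password": new_password}, verify=verify)


def rotate(base_url, admin_user, admin_password, target_user, new_password, verify=True):
    """Authenticate, resolve target_user to its ID, then change its password."""
    token = get_token(base_url, admin_user, admin_password, verify)
    users = user_ids_from_response(
        _request("GET", base_url + "/security/users", token=token, verify=verify))
    return change_password(base_url, token, users[target_user], new_password, verify)


if __name__ == "__main__":
    # usage: python3 rotate_api_password.py https://localhost:55000 wazuh wazuh-wui
    # Passwords are prompted for rather than passed on the command line so they
    # do not appear in the process list or shell history.
    if len(sys.argv) != 4:
        sys.exit("usage: rotate_api_password.py BASE_URL ADMIN_USER TARGET_USER")
    base_url, admin_user, target_user = sys.argv[1:]
    current = getpass.getpass(f"current password for {admin_user}: ")
    new = getpass.getpass(f"new password for {target_user}: ")
    # verify=False mirrors the -k in the curl commands above; drop it once a
    # trusted certificate is installed (section 1).
    print(json.dumps(rotate(base_url, admin_user, current, target_user, new, verify=False), indent=2))
```

Once section 1 is done and the API presents a certificate your host trusts, call `rotate(...)` with the default `verify=True` so the TLS check is no longer skipped.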
Warning
Changing the wazuh-wui user password will break the Wazuh dashboard connection. After changing it, update the Wazuh dashboard configuration file /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml accordingly with the new credentials. See the Wazuh dashboard configuration guide for details.
3. Change the default host and port
By default, the host is set to ['0.0.0.0', '::'], allowing the Wazuh server API to accept incoming connections on all available network interfaces. To restrict access, edit the host value in the Wazuh server API configuration file /var/ossec/api/configuration/api.yaml so that it lists only the addresses the API should listen on. The default is:
host: ['0.0.0.0', '::']
You can also change the default port:
port: 55000
After configuring these parameters, restart the Wazuh server API using the Wazuh manager service with Systemd or SysV init:
# systemctl restart wazuh-manager
# service wazuh-manager restart
4. Enable rate limiting
To prevent overloading the Wazuh server API, you can implement rate limiting to establish the maximum number of requests the API can handle per minute. If this limit is exceeded, the API will reject further requests from any user for the rest of the period.
The default limit is 300 requests per minute. Adjust this by changing the max_request_per_minute setting in /var/ossec/api/configuration/api.yaml.
Note
To disable rate limiting, set its value to 0.
5. Limit login attempts
To protect against brute force attacks, you can limit login attempts from the same IP address within a specific timeframe. Exceeding this limit blocks the IP address for the duration of that period.
By default, you're allowed 50 login attempts per 300-second period. To adjust these limits, edit the max_login_attempts and/or block_time settings in /var/ossec/api/configuration/api.yaml.
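A configuration check that ties sections 3, 4 and 5 together, plus the HTTPS flag from section 1. This is an added example, not a Wazuh tool: it reads an api.yaml with a small purpose-built parser (it handles only the two-level key/value layout shown on this page, not general YAML) and reports settings that differ from the hardened state the page recommends. Both sample configurations are constructed; the default one reproduces the values quoted above, the hardened one uses a documentation address and placeholder certificate paths. Placing max_login_attempts, block_time and max_request_per_minute under an access: section follows the api.yaml layout and is an assumption here.

```python
"""Audit a Wazuh server API api.yaml against the hardening items on this page.

Added example, not a Wazuh tool. The parser covers only the two-level
key: value layout of api.yaml (scalars, quoted strings, yes/no/true/false,
integers, flow lists) and is not a general YAML parser. The samples are
constructed; nesting the login/rate-limit keys under access: is an assumption.
"""
import re

WILDCARD_HOSTS = {"0.0.0.0", "::"}

# Constructed sample reproducing the defaults quoted on this page.
DEFAULT_API_YAML = """\
host: ['0.0.0.0', '::']
port: 55000
https:
  enabled: yes
  key: "server.key"
  cert: "server.crt"
  use_ca: false
  ca: "ca.crt"
access:
  max_login_attempts: 50
  block_time: 300
  max_request_per_minute: 300
"""

# Constructed hardened sample: 192.0.2.10 is a documentation address and the
# certificate paths are placeholders for files you issued yourself.
HARDENED_API_YAML = """\
host: ['192.0.2.10']   # placeholder: the one address the dashboard reaches
port: 55000
https:
  enabled: yes
  key: "/var/ossec/api/configuration/ssl/api-issued.key"
  cert: "/var/ossec/api/configuration/ssl/api-issued.crt"
access:
  max_login_attempts: 10
  block_time: 600
  max_request_per_minute: 300
"""


def _scalar(value):
    """Convert one YAML scalar or flow list into a Python value."""
    if value.startswith("[") and value.endswith("]"):
        return [_scalar(v.strip()) for v in value[1:-1].split(",") if v.strip()]
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    if value.lower() in ("yes", "true"):
        return True
    if value.lower() in ("no", "false"):
        return False
    if re.fullmatch(r"-?\d+", value):
        return int(value)
    return value


def parse_simple_yaml(text):
    """Parse top-level keys and one level of indented sections (api.yaml style)."""
    root, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            if value == "":                     # "https:" opens a section
                section = root.setdefault(key, {})
                continue
            section = None
            root[key] = _scalar(value)
        else:
            section[key] = _scalar(value)
    return root


def audit_api_config(cfg):
    """Return one finding per setting that differs from the hardened state."""
    findings = []
    hosts = cfg.get("host", [])
    hosts = [hosts] if isinstance(hosts, str) else hosts
    if any(h in WILDCARD_HOSTS for h in hosts):
        findings.append("host: API listens on all interfaces (section 3)")
    https = cfg.get("https", {})
    if https.get("enabled") is not True:
        findings.append("https.enabled: HTTPS is disabled (section 1)")
    elif https.get("cert", "server.crt") == "server.crt":
        findings.append("https.cert: default file name; confirm it is not the "
                        "generated self-signed certificate (section 1)")
    access = cfg.get("access", {})
    if access.get("max_request_per_minute", 300) == 0:
        findings.append("access.max_request_per_minute: rate limiting disabled (section 4)")
    return findings


def login_lockout(cfg):
    """Effective brute-force settings (section 5): (attempts, block seconds)."""
    access = cfg.get("access", {})
    return access.get("max_login_attempts", 50), access.get("block_time", 300)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DEFAULT_API_YAML
    cfg = parse_simple_yaml(text)
    for finding in audit_api_config(cfg) or ["no findings"]:
        print(finding)
    print("login lockout: %d attempts per %d s" % login_lockout(cfg))
```

Run it as `python3 audit_api_yaml.py /var/ossec/api/configuration/api.yaml` on the manager; with no argument it audits the built-in default sample, which reports the wildcard host and the default certificate name.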
You can find a complete Wazuh server API configuration guide here.