Docker Wazuh and port forwarding to host device

NoneSence999
Posts: 8
Joined: 25. Jul 2023, 17:09

Docker Wazuh and port forwarding to host device

Post by NoneSence999 »

Hello.
I have installed Wazuh on Docker on an Ubuntu server running on VirtualBox.
I have port forwarded port 22 for SSH, but I don't really know what port to forward to be able to type on the host device:
https://localhost and be greeted with the Wazuh interface.
My network IP is 192.168.1.0
You can find screenshots of the server and the network config below.

Edit:
I cannot link the documentation on this forum.
I have added port 443 in TCP without result.
Attachments
Capture d'écran 2023-07-25 172456.png (51.44 KiB)
Capture d'écran 2023-07-25 170330.png (14.34 KiB)
Last edited by NoneSence999 on 25. Jul 2023, 21:17, edited 2 times in total.
scottgus1
Site Moderator
Posts: 20945
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Docker and port forwarding to host device

Post by scottgus1 »

NoneSence999 wrote: 25. Jul 2023, 17:26 I have installed wazuh on docker on a ubuntu server running on virtualbox.
To me this means you have installed Docker inside the VM:

host > Virtualbox > Ubuntu Server > Docker > Wazuh

If this is correct, you're running nested virtualization. You might have another layer of network to get through to get to the Wazuh interface.

If instead you're running this:

Ubuntu Server host > Docker using Virtualbox > Wazuh

then you may only have the one NAT firewall to get through. Please clarify which is your setup.

***************************

Assuming you're running the second setup, you have a NAT port forward, incoming port 22 to VM OS port 22.

If your host also is listening on port 22, you may be getting the host first. You should probably change the incoming "port hote" to something else, like 2222, that is not a default port number in use on your host OS.

"localhost" should theoretically already be DNS'd to mean 127.0.0.1 in your host OS. Check if this is already set up. HOSTS file, maybe? Otherwise, try using 127.0.0.1 instead of localhost.

If you use 2222 in Port Hote, 127.0.0.1:2222 should get SSH into the VM's OS, if the VM OS is listening on port 22 for SSH.

If the Wazuh interface is a web browser interface, it could be 80 if it is http, and 443 if it is https. Check Wazuh's documentation for what port Wazuh is using. Inside the VM OS, you can try 127.0.0.1:80 or 127.0.0.1:443 in the VM OS's web browser to see if the Wazuh interface comes up. If it does not come up inside the VM OS web browser, then something is wrong with Wazuh. Check the VM OS firewall to see that 80, 443, or other needed ports used by Wazuh are open.

If the VM OS web browser can access the Wazuh interface, then try making port forwards in NAT that are like but not the same as 80 and 443, just in case something on the host is listening on those ports too. 8080 and 8443 may work:

Port hote: 8080 Port invite: 80
Port hote: 8443 Port invite: 443

Then try 127.0.0.1:8080 or 127.0.0.1:8443 on the host web browser. Of course, if Wazuh uses different port numbers, adjust accordingly. You may have to open these "port hote" ports in the host OS firewall.

Re: Docker and port forwarding to host device

Post by NoneSence999 »

To clarify, the structure here is: host > Virtualbox > Ubuntu Server > Docker > Wazuh.
The link browser (text-based browser for servers) can access the Wazuh interface from the server.
The VM is accessible on the network since I connect to the internet with it and can do SSH from the host.

I have tried the:
Port hote: 8080 Port invite: 80
Port hote: 8443 Port invite: 443
with connection failed as a result in the browser with localhost
Connection reset as a result with 127.0.0.1:8080
Connection SUCCESS with 127.0.0.1:8443
Thank you, I was looking for days.
Attachments
Capture d'écran 2023-07-25 205947.png (10.67 KiB)
Last edited by NoneSence999 on 25. Jul 2023, 21:06, edited 4 times in total.

Re: Docker Wazuh and port forwarding to host device [Resolved]

Post by scottgus1 »

Awesome! Glad you're up and running.

Re: Docker Wazuh and port forwarding to host device [Resolved]

Post by NoneSence999 »

scottgus1 wrote: 25. Jul 2023, 21:13 Awesome! Glad you're up and running.
One small issue remains: the agent isn't connecting to Wazuh since it uses port 1514.
It can be found in User > manualAgent > managementChecking > connection with the Wazuh manager
in the Wazuh doc.

Re: Docker Wazuh and port forwarding to host device [Resolved]

Post by scottgus1 »

NoneSence999 wrote: 25. Jul 2023, 21:18 the agent isn't connecting the Wazuh since it uses port 1514
I don't know how Wazuh or its agent work, or even what Wazuh is. But a port is a port. You'd let the agent communicate with the service the same way you web-accessed it, by forwarding the correct and available port in the NAT firewall.

BTW, do you have to use NAT? If you could use Host-Only, you could have direct access to the Wazuh interface without requiring any port forwarding. Then the host could get in directly. If you used Bridged, the host and any other computer on your LAN could access Wazuh directly.

Please see Virtualbox Networks: In Pictures
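
The NAT forwards discussed in this thread (2222 to 22, 8443 to 443, and the agent's port 1514), written as VBoxManage rules. This is an added example, not part of the original posts; the VM name `ubuntu-wazuh`, the use of NAT adapter 1, TCP for port 1514 and the loopback bind address are assumptions.

```shell
#!/bin/sh
# Added example: build VirtualBox NAT port-forward rules for the ports named in
# this thread (SSH 22, Wazuh web UI 443, agent traffic 1514).
# Assumptions: the VM name is hypothetical, adapter 1 is the NAT NIC, and the
# agent port is forwarded as TCP.

VM_NAME="${VM_NAME:-ubuntu-wazuh}"   # hypothetical VM name
BIND_IP="${BIND_IP:-127.0.0.1}"      # loopback only: forwards are not reachable from the LAN

# natpf rule syntax: name,proto,hostip,hostport,guestip,guestport
# An empty hostip makes VirtualBox listen on every host interface.
natpf_rule() {  # usage: natpf_rule NAME PROTO HOSTPORT GUESTPORT
    name=$1 proto=$2 hport=$3 gport=$4
    case "$proto" in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
    for p in "$hport" "$gport"; do
        case "$p" in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    printf '%s,%s,%s,%s,,%s\n' "$name" "$proto" "$BIND_IP" "$hport" "$gport"
}

# The thread uses 2222 and 8443 on the host side so the forwards cannot collide
# with services the host itself may run on 22 and 443.
wazuh_rules() {
    natpf_rule ssh tcp 2222 22 &&
    natpf_rule wazuh-ui tcp 8443 443 &&
    natpf_rule wazuh-agent tcp 1514 1514
}

# Print the commands by default; set APPLY=1 to run them.
# modifyvm requires the VM to be powered off.
apply_rules() {
    wazuh_rules | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            VBoxManage modifyvm "$VM_NAME" --natpf1 "$rule"
        else
            printf 'VBoxManage modifyvm "%s" --natpf1 "%s"\n' "$VM_NAME" "$rule"
        fi
    done
}

apply_rules
```

With the loopback bind address only the host itself can reach the forwarded Wazuh ports, so no host firewall opening is needed; an agent on another machine would need a LAN-facing bind address and a matching firewall rule.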

Re: Docker Wazuh and port forwarding to host device [Resolved]

Post by NoneSence999 »

In Host-Only the server can access the interface, but the host gets a connection error at https://localhost.

Re: Docker Wazuh and port forwarding to host device [Resolved]

Post by NoneSence999 »

Here is the potential issue: (attached image)
The only interface I can select is the virtual one, not the host one.
Attachments
Capture d'écran 2023-07-26 095318.png (27.38 KiB)
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Docker Wazuh and port forwarding to host device

Post by mpack »

If you want to attach to a physical host NIC then for "Attached to" you need to select "Bridged Adapter", not "Host-only".

Re: Docker Wazuh and port forwarding to host device

Post by NoneSence999 »

mpack wrote: 26. Jul 2023, 10:11 If you want to attach to a physical host NIC then for "Attached to" you need to select "Bridged Adapter", not "Host-only".
ERR_CONNECTION_REFUSED on host
working on server
even SSH fails, port 22 refused in this mode
The only mode that seems to work is NAT, but it's too hard to configure with all the ports for the application
Last edited by NoneSence999 on 26. Jul 2023, 11:08, edited 2 times in total.

Re: Docker Wazuh and port forwarding to host device

Post by mpack »

NoneSence999 wrote: 26. Jul 2023, 10:52 ERR_CONNECTION_REFUSED on host
That doesn't sound like a VirtualBox error. Can you provide a more complete description of this error?

Re: Docker Wazuh and port forwarding to host device

Post by NoneSence999 »

mpack wrote: 26. Jul 2023, 12:31
NoneSence999 wrote: 26. Jul 2023, 10:52 ERR_CONNECTION_REFUSED on host
That doesn't sound like a VirtualBox error. Can you provide a more complete description of this error?
There is no response on port 22 or 443 or 80 from the server in bridge mode
Last edited by NoneSence999 on 26. Jul 2023, 12:46, edited 1 time in total.

Re: Docker Wazuh and port forwarding to host device

Post by scottgus1 »

Your Host Only dropdown list only showed one Host-Only adapter because you only have one Host-Only network on your Virtualbox at this time. Host Only only connects to the host's Host Only adapter; you cannot connect Host-Only to anything else.

See the Networks in Pictures tutorial about Host-Only.

When using Host-Only, the host and the VM have a complete direct private Ethernet network between them. There is no "router" between the host and the VM doing IP address translation and requiring port forwarding like NAT has. Host-Only has no port forwarding.

You would find out what IP address the VM has been given (probably 192.168.56.something) and use that IP address directly in your host OS. You might not even need to add port numbers to the IP address.

Note that you cannot use "localhost" for Host-Only. Localhost points to 127.0.0.1, which tells the host to talk to itself. Because NAT is part of the host's network stack, the unique ports set up in NAT are available for localhost to see, so the traffic you direct at localhost:VMuniqueport# goes to the host's network stack, gets redirected by Virtualbox, then goes into the VM.

Host-Only does not connect through the host's network stack, so you have to talk to Host-Only directly, using Host-Only's IP address, just like you would if you were talking to another PC on your physical network or on the internet.

One thing to remember, Linux OS's sometimes don't notice that the network type has changed and that the IP addresses are different. Check inside your VM OS for what IP address it sees. If it sees 192.168.56.something (the 56 may be a different number but it won't be 1 like your physical network is) then the VM OS is recognizing the change to Host-Only. If it still shows 10.0.2.something, then it still thinks it's talking to NAT, and you'll have to knock it loose, perhaps with a VM OS reboot, or an "IP down" and "IP up" directed at the network card inside the VM OS in a terminal, or something like that.

If this gets confusing, let us know, and we'll try to take you through step by step.

Re: Docker Wazuh and port forwarding to host device

Post by NoneSence999 »

Can I screen share on Discord or something?
Last edited by NoneSence999 on 26. Jul 2023, 13:50, edited 2 times in total.

Re: Docker Wazuh and port forwarding to host device

Post by scottgus1 »

No, I'm sorry, I don't do screen shares. But here's some info you can provide, and we can see what's up.

1. Start the VM from full normal shutdown, not save-state. Try to log in on Wazuh from the host, then shut down the VM from within the VM's OS if possible. If not possible, close the Virtualbox window for the VM with the Power Off option set.

Right-click the VM in the main Virtualbox window's VM list, choose Show in Explorer/Finder/File Manager. In the "Logs" subfolder, zip the VM's "vbox.log", and post the zip file, using the forum's Attachments tab. (Configure your host OS to show all extensions so you can find the "vbox.log", not "vbox.log.1", etc.)

2. Right-click the VM in the main Virtualbox window's VM list, choose Show in Explorer/Finder/File Manager. Zip the VM's .vbox file (not the .vbox-prev file), and post the zip file, using the forum's Attachments tab. (Configure your host OS to show all extensions if the folder that opens does not show a .vbox file.)

3. Inside the VM, in the Linux OS, open a Terminal and run ifconfig or ip address. Post the command output.

4. On the host OS, also please open a Terminal and run ifconfig or ip address. Post the command output.