Baremetal Universal Hydra Deployment

🔖 The following has been updated to reflect the required changes after the patch cycle that has a release date of . Older versions of the baremetal hydra are no longer supported and are not available for download.

The baremetal hydra is intended for installations on Linux hosts running directly on hardware with no virtualization hypervisor. It provides similar services to the universal hydra but requires additional steps to deploy.

The reason for the baremetal Hydra is that a lot of customers use VMware, and the Hydra build was originally created for VMware customers. However, after Broadcom acquired VMware and changed the licensing model, our customers asked us for more options for the Hydra appliance. As a result we created the Universal Hydra, which runs in Azure, AWS, or on bare-metal equipment.

Hardware Specifications

The following details the hardware requirements for a baremetal installation of the Hydra.

⚠️ NOTE: CPU core speed should be 2.4 GHz or higher (normal core speed).

Item          CPU       RAM    DISK   Agent Count
Recommended   8 vCPU    32GB   1TB+   250+
Maximum       16 vCPU   64GB   2TB+   1000+

🔖 NOTE: For every 500 agents that will be connecting to the log aggregator, add 1 GB of RAM over and above the default allocation, up to a maximum of 32GB of RAM. For agent volumes above 1500 please contact the SIEMonster Support team to assist with deploying an additional Hydra in a load-balancer configuration. Note that the above resource estimates do not include syslog sources, due to the varying nature of such log sources.

🔖 ADDITIONAL NOTE: Storage for higher volumes of agents should be flash based, or otherwise provide a consistent throughput of at least 350 MBps.

Network Specifications

The following ports are required for the Hydra to function.

Protocol   Port   Source               Destination                        Description
TCP        22     Admin workstations   Hydra                              SSH
TCP        1514   Wazuh agent          Hydra                              Wazuh connectivity
TCP        1515   Wazuh agent auth     Hydra and Central Platform (AWS)   Registers the agent with the controller
TCP        1516   Wazuh agent          Hydra                              Wazuh agent registration
UDP        1194   Hydra                Central Platform (AWS)             OpenVPN
TCP        8443   Hydra                Central Platform (AWS)             OpenVPN registration service
TCP        443    Hydra                Multiple                           HTTPS (see note below)

HTTPS is required for various aspects and should be allowed. If it cannot be allowed due to compliance requirements etc., and custom routing is required for breakout over the AWS VPN channel, please request a quote for professional services to have this configured.

⚠️ NOTE: SSL interception and/or inspection MUST be turned off on all rules that are applied to allow this traffic. Failing to do so will prevent successful communication.

The following guide will cover the aspects of a deployment from a SIEMonster perspective.

Assumptions:

  • The platform this is being deployed on is Debian 12.5 or later
    🔖 NOTE: This MUST be AMD64 based.

  • SSH has been configured, along with the users who will access it over SSH with sudo permissions

  • vim and wget are installed

  • The storage is set up with the default, unencrypted LVM configuration via the Debian installer and it uses the entire disk.

Requirements:

Configuring a static IP is the first requirement. To do so, perform the following steps:

  1. SSH to your hydra host

  2. Type su and Press [ENTER]

  3. Type nano /etc/network/interfaces and Press [ENTER]

  4. Now modify the file with the fixed IP you require, as per the following example

    image-20250515-164256.png

    Once done, Press [CTRL]+[X], type y and then Press [ENTER]

  5. Type nano /etc/resolv.conf and Press [ENTER]

  6. Make sure you have your DNS server(s) defined. If not present, add the relevant server(s) as per the following example, and ensure that you specify the correct domain and search domain.

    image-20250515-164316.png

    Once done, Press [CTRL]+[X], type y and Press [ENTER]

  7. Now reboot the host by typing systemctl reboot and Pressing [ENTER]
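Steps 3 to 6 as a script, added here as an example and not taken from the SIEMonster guide: it validates each address and writes the ifupdown static stanza and the resolv.conf entries the screenshots show. The interface name, addresses and search domain are constructed placeholders, and the optional ROOT argument is an addition so the files can be inspected in a scratch directory before touching /etc.

```shell
#!/bin/sh
# Added example (not from the SIEMonster guide): render the static-IP settings
# from steps 3 to 6 into /etc/network/interfaces and /etc/resolv.conf. All
# addresses are constructed placeholders; ROOT (last argument) defaults to /
# so the files land under /etc; pass a scratch directory to try it out safely.

# Dotted-quad IPv4 check: four numeric octets, each 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) { if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }; exit 0 }
        { exit 1 }'
}

# write_static_network IFACE ADDRESS NETMASK GATEWAY DNS1[,DNS2,...] SEARCH_DOMAIN [ROOT]
write_static_network() {
    iface=$1 addr=$2 mask=$3 gw=$4 dns=$5 search=$6 root=${7:-}
    for ip in "$addr" "$mask" "$gw" $(printf '%s' "$dns" | tr ',' ' '); do
        is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    done
    mkdir -p "$root/etc/network"
    # ifupdown static stanza; loopback kept exactly as the Debian installer writes it
    cat > "$root/etc/network/interfaces" <<EOF
auto lo
iface lo inet loopback

auto $iface
iface $iface inet static
    address $addr
    netmask $mask
    gateway $gw
EOF
    # resolv.conf: domain and search entries plus one nameserver line per DNS server
    {
        echo "domain $search"
        echo "search $search"
        for ns in $(printf '%s' "$dns" | tr ',' ' '); do echo "nameserver $ns"; done
    } > "$root/etc/resolv.conf"
}
```

Run it as root without the ROOT argument to write the real files, then reboot as step 7 describes.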

You will need to add your user to the sudoers list. This requires the sudo package, which can be installed with the following command:

BASH
apt update && apt install sudo

Once the installation of sudo completes, run the following command, substituting %user% for the user you have created.

BASH
echo "%user%   ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers

e.g. echo 'hydra ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers

Appending to /etc/sudoers bypasses the syntax check that visudo performs, and a malformed line disables sudo entirely, so run visudo -c before logging out to confirm the file still parses.

Log out of ssh and log back in with the user you have added to sudoers. Now test that you can elevate privileges by typing sudo -s and Pressing [ENTER].

BASH
sudo -s

Next the timezone needs to be set to UTC. This is a HARD requirement to ensure that the data viewed in the web platform is displayed correctly. If you do not change the timezone to UTC your events will be displayed in the incorrect timezone, which will impact your compliance and threat hunting.

You can change the timezone with the following command followed by rebooting the server.

BASH
timedatectl set-timezone UTC && systemctl reboot

The following packages must be installed before deployment can take place; the command for the package installation is included below. It MUST be run as root, using sudo -s to elevate privileges from a normal user. The command can be copied and pasted.

BASH
apt update && apt install -y htop unzip python3-dnspython python3-distutils python3-pip j2cli uuid-runtime

Download the installation zip file using the command displayed below.

BASH
wget https://docs.siemonster.com/__attachments/70090753/bm_hydra.zip


The SHA256 for bm_hydra.zip is 36d80fa52694a2f4c47c7bf5325b534daa662c740c7e282544de448625ad8c02
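Before unzipping, a practitioner would compare the archive against the published SHA256 and confirm the assumptions above (Debian 12.5 or later on AMD64, UTC timezone, the required packages) in one pass. The following is an added example, not part of the SIEMonster guide: each check takes its input as an argument so it can be exercised without root, and preflight() is a hypothetical wrapper that reads the live values from the host.

```shell
#!/bin/sh
# Added example (not part of the SIEMonster guide): pre-flight checks for the
# assumptions above (Debian 12.5+ on amd64, UTC timezone, required packages) and
# SHA256 verification of bm_hydra.zip before it is unzipped. Each check takes
# its input as an argument so it can be exercised without root; preflight()
# reads the live values from the host.

# Debian version from /etc/debian_version: 12.5 or later (13.x also passes).
debian_ok() {
    major=${1%%.*}
    case $1 in *.*) minor=${1#*.}; minor=${minor%%.*} ;; *) minor=0 ;; esac
    case "$major$minor" in ""|*[!0-9]*) return 1 ;; esac   # e.g. "bookworm/sid"
    [ "$major" -gt 12 ] || { [ "$major" -eq 12 ] && [ "$minor" -ge 5 ]; }
}
arch_ok() { [ "$1" = amd64 ] || [ "$1" = x86_64 ]; }
tz_ok()   { [ "$1" = UTC ] || [ "$1" = Etc/UTC ]; }

# Packages from the apt command above; arg is a newline-separated installed list.
REQUIRED_PKGS="htop unzip python3-dnspython python3-distutils python3-pip j2cli uuid-runtime"
missing_pkgs() {
    out=""
    for p in $REQUIRED_PKGS; do
        printf '%s\n' "$1" | grep -qxF -- "$p" || out="$out $p"
    done
    printf '%s' "${out# }"
}

# Compare a file's SHA256 with the digest published in the guide.
sha256_ok() { [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]; }
EXPECTED_ZIP_SHA=36d80fa52694a2f4c47c7bf5325b534daa662c740c7e282544de448625ad8c02

preflight() {
    rc=0
    debian_ok "$(cat /etc/debian_version)" || { echo "FAIL: Debian 12.5 or later required"; rc=1; }
    arch_ok "$(dpkg --print-architecture)" || { echo "FAIL: AMD64 required"; rc=1; }
    tz_ok "$(timedatectl show -p Timezone --value)" || { echo "FAIL: timezone must be UTC"; rc=1; }
    m=$(missing_pkgs "$(dpkg-query -W -f='${Package}\n')")
    [ -z "$m" ] || { echo "FAIL: missing packages: $m"; rc=1; }
    sha256_ok bm_hydra.zip "$EXPECTED_ZIP_SHA" || { echo "FAIL: bm_hydra.zip SHA256 mismatch, do not unzip"; rc=1; }
    [ "$rc" -eq 0 ] && echo "preflight OK"
    return "$rc"
}
```

Call preflight from the directory holding bm_hydra.zip; a non-zero exit lists every failed check, and a digest mismatch means the download should be discarded and repeated rather than unzipped.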

Unzip the file using the following command

BASH
unzip bm_hydra.zip

Now sudo -s to elevate privileges and run the following command

BASH
./metal_builder.sh

The first prompt will be to enter a hostname for the hydra. Please choose carefully, as this name will also be reflected in the bastion VPN console. In many cases the hostname should indicate where it is deployed or its purpose, e.g. hydra-london or hydra-ny. Where tenants are involved it may be prudent to add a tenant prefix as well, such as tenant1-hydra-ny.

image-20240417-130430.png

Press [ENTER] when you have entered the hostname you want

Press [ENTER] again for the disabled_services listing, do not make changes here unless instructed to do so by the SIEMonster team.

image-20240417-130632.png

Press [ENTER] on OVPN_SSL_Verify leaving the default setting in place

image-20240417-130730.png

Specify your bastion connection for OVPN_URL, e.g. if your SIEMonster instance domain is siem.example.com and the tenant you are connecting the hydra to is tenant1 the URL will be

https://bastion.tenant1.siem.example.com:8443

image-20240417-131029.png

Press [ENTER] on the OVPN_Login prompt, leaving the default value

image-20240417-131344.png

Specify your bastion password in the next prompt and Press [ENTER]

image-20240417-131437.png

If you have followed the instructions correctly you will see the following with no errors.

image-20240417-133100.png

The deployment script for your custom baremetal hydra has now been created. You will note a new file called bare_metal.sh appear on the file system. To deploy it run the following command:

BASH
./bare_metal.sh

When the script finishes you will be prompted to reboot. Press [ENTER] to reboot

image-20240417-134156.png

Wait for the host to reboot and reconnect via ssh.

Elevate privileges with sudo -s

Run the following command and verify that suricata, openvpn and wazuh containers are running. The container names are in the last column.

BASH
docker ps

image-20240417-134431.png

Also run the following command to see if OpenVPN has connected. Check for an interface tun0; it should have an IP starting with 192.168.230. Note that ifconfig is provided by the net-tools package, which is not installed by default on Debian 12; ip addr show tun0 shows the same information.

BASH
ifconfig

image-20240417-134534.png

Connect to the Wazuh container to see if the cluster is connected with the following commands

BASH
docker exec -it wazuh bash
tail -f /var/ossec/logs/cluster.log

You should see output similar to the following. To stop the tail command press [CTRL]+[C], and then [CTRL]+[D] to exit the container.

image-20240417-134758.png
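The docker ps and tun0 checks above, wrapped into a script as an added example that is not from the SIEMonster guide. The two parsers take the command output as an argument so they can be tried on constructed sample text; postdeploy() is a hypothetical wrapper that runs the live commands and is meant to be run after sudo -s.

```shell
#!/bin/sh
# Added example (not from the SIEMonster guide): post-deployment checks for the
# suricata, openvpn and wazuh containers and the OpenVPN tun0 address. The two
# parsers take command output as an argument so they can be tried on sample
# text; postdeploy() is a hypothetical wrapper that runs the live commands.

REQUIRED_CONTAINERS="suricata openvpn wazuh"
VPN_PREFIX="192.168.230."

# Arg: output of `docker ps --format '{{.Names}} {{.Status}}'`, one line per container.
# Prints the required containers that are absent or not in an "Up ..." state.
containers_not_up() {
    out=""
    for c in $REQUIRED_CONTAINERS; do
        printf '%s\n' "$1" | grep -qE "^$c[[:space:]]+Up" || out="$out $c"
    done
    printf '%s' "${out# }"
}

# Arg: output of `ip -4 -o addr show dev tun0`. Prints the tunnel address when it
# falls inside 192.168.230.0/24; otherwise prints nothing and returns 1.
tun0_ip() {
    addr=$(printf '%s\n' "$1" | awk '$3 == "inet" { split($4, a, "/"); print a[1]; exit }')
    case $addr in
        "$VPN_PREFIX"*) printf '%s' "$addr"; return 0 ;;
        *) return 1 ;;
    esac
}

postdeploy() {
    rc=0
    missing=$(containers_not_up "$(docker ps --format '{{.Names}} {{.Status}}')")
    [ -z "$missing" ] || { echo "FAIL: containers not running: $missing"; rc=1; }
    if vpn=$(tun0_ip "$(ip -4 -o addr show dev tun0 2>/dev/null)"); then
        echo "OpenVPN connected: tun0 has $vpn"
    else
        echo "FAIL: tun0 missing or not in ${VPN_PREFIX}0/24"; rc=1
    fi
    return "$rc"
}
```

A stopped or restarting container is reported by name, which is the case the Exited status in docker ps would otherwise hide at a glance.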

Your baremetal hydra is now deployed.
