OSSEC is an Open Source Host-based Intrusion Detection System. It mixes together all the aspects of HIDS (host-based intrusion detection) and Security Incident Management (SIM)/Security Information and Event Management (SIEM) together in a simple, powerful, and open source solution.
OSSEC’s key benefits are:
- Compliance Requirements
- Multi platform
- Real-time and Configurable Alerts
- Integration with current infrastructure
- Centralized management
- Agent and agentless monitoring
OSSEC performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. To check the operating systems and log formats that OSSEC supports, please visit their page.
We will be using our SSD 1 Linux VPS Hosting plan for this tutorial.
Log in to your server via SSH:
# ssh root@server_ip
Before starting, enter the below command to check whether you have the proper version of Ubuntu installed on your machine:
# lsb_release -a
It should give you the underneath output:
Distributor ID: Ubuntu Description: Ubuntu 14.04.3 LTS Release: 14.04 Codename: trusty
UPDATE THE SYSTEM
Make sure your server is fully up to date:
# apt-get update && apt-get upgrade
Now install Apache, MySQL, PHP and some needed modules with the below command:
# apt-get install mysql-server libmysqlclient-dev mysql-client apache2 php5 libapache2-mod-php5 php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl
Enter the /opt directory:
# cd /opt
# wget https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz
Unpack the archive and enter the unpacked directory:
# tar -xzf ossec-hids-2.8.3.tar.gz # cd ossec-hids-2.8.3
Enable the MySQL database support:
# cd src # make setdb
Go back to the previous directory:
# cd ../
Now, start the OSSEC installation script and follow the easy instructions:
Underneath is the output of the entire installation procedure and the features that we enabled. Of course you choose which options to enable/disable, but we recommend you to follow the output below. You can press enter if you want to go with the default choice (which is put in brackets) for every question asked.
OSSEC HIDS v2.8.3 Installation Script - http://www.ossec.net You are about to start the installation process of the OSSEC HIDS. You must have a C compiler pre-installed in your system. If you have any questions or comments, please send an e-mail to firstname.lastname@example.org (or email@example.com). - System: Linux vps 2.6.32-042stab113.11 - User: root - Host: vps.rosehosting.com -- Press ENTER to continue or Ctrl-C to abort. --
1- What kind of installation do you want (server, agent, local, hybrid or help)? server - Server installation chosen. 2- Setting up the installation environment. - Choose where to install the OSSEC HIDS [/var/ossec]: - Installation will be made at /var/ossec . 3- Configuring the OSSEC HIDS. 3.1- Do you want e-mail notification? (y/n) [y]: - What's your e-mail address? firstname.lastname@example.org - What's your SMTP server ip/host? smtp.example.com 3.2- Do you want to run the integrity check daemon? (y/n) [y]: - Running syscheck (integrity check daemon). 3.3- Do you want to run the rootkit detection engine? (y/n) [y]: - Running rootcheck (rootkit detection). 3.4- Active response allows you to execute a specific command based on the events received. For example, you can block an IP address or disable access for a specific user. More information at: http://www.ossec.net/en/manual.html#active-response - Do you want to enable active response? (y/n) [y]: - Active response enabled. - By default, we can enable the host-deny and the firewall-drop responses. The first one will add a host to the /etc/hosts.deny and the second one will block the host on iptables (if linux) or on ipfilter (if Solaris, FreeBSD or NetBSD). - They can be used to stop SSHD brute force scans, portscans and some other forms of attacks. You can also add them to block on snort events, for example. - Do you want to enable the firewall-drop response? (y/n) [y]: - firewall-drop enabled (local) for levels >= 6 - Default white list for the active response: - xxx.xxx.xxx.xx - xx.xxx.xx.xxx - Do you want to add more IPs to the white list? (y/n)? [n]: 3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: - Remote syslog enabled. 3.6- Setting the configuration to analyze the following logs: -- /var/log/messages -- /var/log/auth.log -- /var/log/syslog -- /var/log/mail.info -- /var/log/dpkg.log -- /var/log/apache2/error.log (apache log) -- /var/log/apache2/access.log (apache log) - If you want to monitor any other file, just change the ossec.conf and add a new localfile entry. Any questions about the configuration can be answered by visiting us online at http://www.ossec.net . --- Press ENTER to continue ---
Now press enter to continue with the installation which shouldn’t take more than 2 minutes. After everything is completed you will get:
- System is Debian (Ubuntu or derivative). - Init script modified to start OSSEC HIDS during boot. - Configuration finished properly. - To start OSSEC HIDS: /var/ossec/bin/ossec-control start - To stop OSSEC HIDS: /var/ossec/bin/ossec-control stop - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf Thanks for using the OSSEC HIDS. If you have any question, suggestion or if you find any bug, contact us at email@example.com or using our public maillist at firstname.lastname@example.org ( http://www.ossec.net/main/support/ ). More information can be found at http://www.ossec.net --- Press ENTER to finish (maybe more information below). --- - In order to connect agent and server, you need to add each agent to the server. Run the 'manage_agents' to add or remove them: /var/ossec/bin/manage_agents
# /var/ossec/bin/ossec-control start
The next step is to create a MySQL user and database for OSSEC. Enter MySQL as root:
# mysql -u root -p mysql> create database ossec; Query OK, 1 row affected (0.00 sec) mysql> grant all privileges on ossec.* to ossecuser@localhost identified by 'your_password'; Query OK, 0 rows affected (0.00 sec) mysql> flush privileges; Query OK, 0 rows affected (0.00 sec) mysql> exit Bye
OSSEC provides a schema for the database and it’s located in the src/os_dbd/ directory. Therefore, import it into your newly created ossec database:
# mysql -u ossecuser -p ossec < src/os_dbd/mysql.schema
Enter the ossecuser password when prompted.
Now add the database config to OSSEC config file:
# nano /var/ossec/etc/ossec.conf
<database_output> <hostname>127.0.0.1</hostname> <username>ossecuser</username> <password>your_password</password> <database>ossec</database> <type>mysql</type> </database_output>
You can put the above lines anywhere in the <ossec_config> block. Save and exit the file. Then, enable the database and restart OSSEC:
# /var/ossec/bin/ossec-control enable database # /var/ossec/bin/ossec-control restart
INSTALL OSSEC WEB UI
Install the OSSEC Web UI in Apache’s default document root. Enter the directory:
# cd /var/www/html/
Download the latest OSSEC WUI and unpack the archive:
# wget https://github.com/ossec/ossec-wui/archive/master.zip # unzip master.zip
Rename the directory to ossec:
# mv ossec-wui-master/ ossec/
Create a tmp directory inside and set the correct files ownership and permissions:
# mkdir ossec/tmp/ # chown www-data: -R ossec/ # chmod 666 /var/www/html/ossec/tmp
You can now access the web UI by opening your favorite web browser and navigating to http://your_server_IP/ossec/
In the second part of this tutorial we will cover the OSSEC agent installation on another machine and we will install the Analogi Web Dashboard which gives a better and more informative interface when compared to the standard Web UI.
Of course you don’t have to do any of this if you use one of our Linux VPS Hosting services, in which case you can simply ask our expert Linux admins to do this for you. They are available 24×7 and will take care of your request immediately.
PS. If you liked this post please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.