OSSEC official website: http://www.ossec.net/
OSSEC help documentation: http://ossec-docs.readthedocs.org/en/latest/manual/index.html
OSSEC is an open-source host-based intrusion detection system that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
It runs on most operating systems, including Linux, macOS, Solaris, HP-UX, AIX and Windows.
The latest stable version is 2.8; download page: http://www.ossec.net/?page_id=19
OSSEC is deployed in a client/server (C/S) mode. In what follows, server: 192.168.22.240, client: 192.168.22.241.
Environment: CentOS release 6.4 (Final) x86_64
First turn off SELinux, then install the common packages:
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux   # takes effect after the next reboot
yum install gcc gcc-c++ vim wget lrzsz ntpdate sysstat dstat -y
Installing the server side
IP 192.168.22.240
yum install mysql mysql-server mysql-devel httpd php php-mysql -y
tar -xzf ossec-hids-2.8.tar.gz
cd ossec-hids-2.8
cd src/
# make setdb
Error: PostgreSQL client libraries not installed.
Info: Compiled with MySQL support.
# OSSEC is now built with MySQL database support
cd ..
# ./install.sh
The installation prompts and the answers given:
en                  # choose the language
Enter               # continue
server              # install as server
/usr/local/ossec    # install directory
3.1- Do you want e-mail notification? (y/n) [y]: y
  - What's your e-mail address? [email protected]
  - What's your SMTP server IP/host? 127.0.0.1
Enter               # running syscheck (integrity check daemon)
Enter               # running rootcheck (rootkit detection)
Enter               # active response enabled
Enter               # firewall-drop enabled (local) for levels >= 6
  - Do you want to add more IPs to the white list? (y/n)? [n]: y   # set the IP whitelist
  - IPs (space separated):
3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: Enter
Enter               # start the installation
Setup completed. Configuration files and options:
/usr/local/ossec/bin/ossec-control start
/usr/local/ossec/bin/ossec-control stop
/usr/local/ossec/etc/ossec.conf
/usr/local/ossec/bin/manage_agents
# /usr/local/ossec/bin/ossec-control --help
Usage: /usr/local/ossec/bin/ossec-control {start|stop|restart|status|enable|disable}
# /usr/local/ossec/bin/ossec-control enable --help
Invalid enable option.
Enable options: database, client-syslog, agentless, debug
Usage: /usr/local/ossec/bin/ossec-control enable [database|client-syslog|agentless|debug]
/usr/local/ossec/bin/ossec-control enable database
# service mysqld start
# /usr/bin/mysql_secure_installation
# mysql -uroot -p
mysql> CREATE DATABASE ossec;
mysql> GRANT INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE ON ossec.* TO [email protected] IDENTIFIED BY 'ossec';
mysql> GRANT INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE ON ossec.* TO [email protected] IDENTIFIED BY 'ossec';   # this second grant is for AnaLogi below
mysql> FLUSH PRIVILEGES;
mysql> \q
(The user@host part of both GRANT statements was obfuscated in the source; the AnaLogi configuration below connects as user ossec on localhost.)
# mysql -uossec -p ossec < src/os_dbd/mysql.schema
Enter password:
vim /usr/local/ossec/etc/ossec.conf   # added at the end
<ossec_config> <database_output>
Add a <remote> block that accepts syslog from this network segment:
<remote>
  <connection>syslog</connection>
  <allowed-ips>192.168.22.0/24</allowed-ips>
</remote>
/usr/local/ossec/bin/ossec-control restart
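The <allowed-ips> value decides which hosts ossec-remoted will accept syslog from on UDP 514; a sender outside the range is silently dropped, which is a common reason for "no alerts from host X". The script below is an added example, not part of the original post: it reads the <allowed-ips> ranges out of a (constructed, inline) ossec.conf and reports whether a given sender address is covered. The CIDR arithmetic is plain POSIX sh; no OSSEC tooling is required.

```sh
#!/bin/sh
# Added example (not from the original post): decide whether a syslog
# sender's address falls inside one of the <allowed-ips> ranges in
# ossec.conf. POSIX sh only; the sample ossec.conf below is constructed.

ip_to_int() {
    # Dotted quad -> 32-bit integer. A subshell keeps the IFS change local.
    (
        IFS=.
        set -- $1
        echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    )
}

ip_in_cidr() {
    # $1 = address, $2 = network as a.b.c.d/bits (a bare address means /32).
    # Prints "yes" or "no".
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    if [ "$bits" -eq 0 ]; then
        mask=0                      # /0 matches everything
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    if [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]; then
        echo yes
    else
        echo no
    fi
}

allowed_ips_from_conf() {
    # Print every <allowed-ips> value in the given ossec.conf, one per line.
    sed -n 's|.*<allowed-ips>[[:space:]]*\([^<]*\)</allowed-ips>.*|\1|p' "$1"
}

syslog_sender_allowed() {
    # $1 = ossec.conf path, $2 = sender address. Prints "yes" if any
    # <allowed-ips> range covers the sender, otherwise "no".
    for range in $(allowed_ips_from_conf "$1"); do
        if [ "$(ip_in_cidr "$2" "$range")" = yes ]; then
            echo yes
            return 0
        fi
    done
    echo no
}

# Constructed sample configuration mirroring the <remote> block above.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.22.0/24</allowed-ips>
  </remote>
</ossec_config>
EOF

for sender in 192.168.22.241 192.168.23.7; do
    printf '%s -> %s\n' "$sender" "$(syslog_sender_allowed "$SAMPLE_CONF" "$sender")"
done
```

Point it at the real file with `syslog_sender_allowed /usr/local/ossec/etc/ossec.conf <sender-ip>` after the restart; a "no" means the <remote> block, not the firewall, is what needs attention.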
At this point the mailbox should have received a notification e-mail.
Adding the agent (client)
# /usr/local/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: a        # first add the agent
Please provide the following:
   * A name for the new agent: agent1
   * The IP Address of the new agent: 192.168.22.241
   * An ID for the new agent[001]: 001
Agent information:
   ID:001
   Name:agent1
   IP Address:192.168.22.241
Confirm adding it?(y/n): y
Agent added.
****************************************
* OSSEC HIDS v2.8 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: e        # then extract its key
Available agents:
   ID: 001, Name: agent1, IP: 192.168.22.241
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
Mdaxigfnzw50msaxotiumty4ljiylji0msbmytcxywe1zwqxytg0ytm3mdcwntfkmgrkmdy4ntcyndq5ndy2mwrkyti3ztmxzsnhzdd3ymfjzjddztfkmmnj
** Press ENTER to return to the main menu.
Choose your action: A,E,L,R or Q: q
# netstat -unlp | grep ossec    # OSSEC listens on UDP 514 (remote syslog) and UDP 1514 (agent traffic)
udp   0   0 0.0.0.0:514    0.0.0.0:*   4511/ossec-remoted
udp   0   0 0.0.0.0:1514   0.0.0.0:*   4513/ossec-remoted
vim /etc/sysconfig/iptables    # open both ports in iptables
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1514 -j ACCEPT
service iptables restart
Installing the client
IP 192.168.22.241
# tar -xzf ossec-hids-2.8.tar.gz
# cd ossec-hids-2.8
# ./install.sh
y                   # language, default is en
Enter               # continue
agent               # install as agent
/usr/local/ossec    # install directory
192.168.22.240      # the server's IP
Enter               # running syscheck (integrity check daemon)
Enter               # running rootcheck (rootkit detection)
Enter               # active response
Enter               # start the installation
Post-installation configuration
/usr/local/ossec/bin/ossec-control start
/usr/local/ossec/bin/ossec-control stop
/usr/local/ossec/etc/ossec.conf
/usr/local/ossec/bin/manage_agents
# /usr/local/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8 Agent manager.       *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: i
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or newlines.
Paste it here (or '\q' to quit): Mdaxigfnzw50msaxotiumty4ljiylji0zsbmytcxywe1zwqxytg0ytm3mdcwntfkmgrkmdy4ntcyndq5ndy2mwrkyti3ztmxztndzdc3ymfjzjdmztfk5mnj
Agent information:
   ID:001
   Name:agent1
   IP Address:192.168.22.241
Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.
Choose your action: I or Q: q
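The key shown by manage_agents on the server and pasted on the agent is a base64 string, and a retyped or partially pasted key is a common reason an agent never shows up as Active. The script below is an added example, not part of the original post: it decodes a key and checks that the agent id, name and IP embedded in it match what was entered on the server. It assumes (this is not stated in the post) that the decoded key has the layout "id name ip secret"; the sample key it builds is constructed with a made-up secret and is not a real OSSEC key.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check an OSSEC agent
# key before importing it on the agent. The key printed by manage_agents is
# assumed (not stated in the post) to be base64 of "id name ip secret".

decode_agent_key() {
    # Print the decoded key line; non-zero exit if the input is not base64.
    printf '%s' "$1" | base64 -d 2>/dev/null
}

verify_agent_key() {
    # $1 = key as pasted, $2 = expected id, $3 = expected name, $4 = expected ip.
    # Prints "ok" or a one-line reason for rejecting the key.
    want_id=$2; want_name=$3; want_ip=$4
    decoded=$(decode_agent_key "$1") || { echo "not valid base64"; return 0; }
    set -- $decoded
    [ $# -eq 4 ]            || { echo "expected 4 fields, got $#"; return 0; }
    [ "$1" = "$want_id" ]   || { echo "id mismatch: key is for $1"; return 0; }
    [ "$2" = "$want_name" ] || { echo "name mismatch: key is for $2"; return 0; }
    [ "$3" = "$want_ip" ]   || { echo "ip mismatch: key is for $3"; return 0; }
    echo ok
}

make_sample_key() {
    # Build a key in the assumed layout. Constructed for this example; the
    # secret is a made-up hex string, not a real OSSEC key.
    printf '%s %s %s %s' "$1" "$2" "$3" "0123456789abcdef0123456789abcdef" | base64 | tr -d '\n'
}

SAMPLE_KEY=$(make_sample_key 001 agent1 192.168.22.241)
WRONG_HOST_KEY=$(make_sample_key 001 agent1 192.168.22.240)

echo "good key:    $(verify_agent_key "$SAMPLE_KEY" 001 agent1 192.168.22.241)"
echo "wrong ip:    $(verify_agent_key "$WRONG_HOST_KEY" 001 agent1 192.168.22.241)"
echo "garbage key: $(verify_agent_key '###' 001 agent1 192.168.22.241)"
```

Run `verify_agent_key '<pasted key>' 001 agent1 192.168.22.241` with the real key before restarting the agent; the decoded line also shows at a glance which agent entry the key belongs to, which helps when several agents are added in one session.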
OSSEC's log
/usr/local/ossec/logs/ossec.log
Install the Web interface
Ossec-wui interface
cd /var/www
unzip ossec-wui-master.zip
mv ossec-wui-master html/ossec
cd html/ossec/
# cat ossec_conf.php
/* OSSEC Directory */
# $ossec_dir="/var/ossec";
$ossec_dir="/usr/local/ossec";
# ./setup.sh
Setting up ossec ui...
Username: ossec
New password:
Re-type new password:
Adding password for user ossec
Enter your web server user name (e.g. apache, www, nobody, www-data, ...)
apache
Enter your OSSEC install directory path (e.g. /var/ossec)
/usr/local/ossec
You must restart your web server after this setup is done.
Setup completed successfuly.
# vim /etc/httpd/conf.d/ossec.conf
Alias /ossec /var/www/html/ossec    # the source had /analogi here, which collides with the AnaLogi alias below
<Directory /var/www/html/ossec>
    Order deny,allow
    Deny from all
    Allow from 192.168.22.0/24
    Options -MultiViews
    AuthName "OSSEC AUTH"
    AuthType Basic
    AuthUserFile /var/www/html/ossec/.htpasswd
    Require valid-user
</Directory>
Don't forget to open port 80 in iptables:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
chown apache:apache *    # run inside /var/www/html/ossec
service httpd restart
AnaLogi interface
cd /var/www/html
wget https://github.com/ecsc/analogi/archive/master.zip -O analogi-master.zip
unzip analogi-master.zip
mv analogi-master ossec/analogi
chown apache.apache -R ossec
cd ossec/analogi
cp db_ossec.php.new db_ossec.php
vim db_ossec.php
define('DB_USER_O', 'ossec');
define('DB_PASSWORD_O', 'ossec');
define('DB_HOST_O', 'localhost');
define('DB_NAME_O', 'ossec');
vim /etc/httpd/conf.d/analogi.conf
Alias /analogi /var/www/html/ossec/analogi    # the source pointed at /var/www/html/analogi, which does not exist after the mv above
<Directory /var/www/html/ossec/analogi>
    Order deny,allow
    Deny from all
    Allow from 192.168.22.0/24
</Directory>
Viewing status information
# /usr/local/ossec/bin/agent_control -lc
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent1, IP: 192.168.22.241, Active
# /usr/local/ossec/bin/list_agents -a
agent1-192.168.22.241 is available.
# /usr/local/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
ossec-dbd is running...
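The two status listings above are what an operator eyeballs after every restart; on a server with more agents it pays to have a script do it. The following is an added example, not part of the original post: it parses ossec-control status output for daemons that are not running and an agent list (agent_control -l format, which also shows Disconnected and Never connected agents) for agents that are not Active, and counts the problems. The sample outputs are constructed in the format the post shows.

```sh
#!/bin/sh
# Added example (not from the original post): a small health check that
# reads the output of "ossec-control status" and "agent_control -l" and
# lists every daemon that is not running and every agent that is not Active.
# The sample outputs below are constructed in the format the post shows.

daemons_not_running() {
    # stdin: ossec-control status output. Prints the name of each ossec-*
    # daemon whose line does not say "is running".
    awk '/^ossec-/ && !/ is running/ { print $1 }'
}

inactive_agents() {
    # stdin: agent list in the form
    #   ID: 001, Name: agent1, IP: 192.168.22.241, Active
    # Prints "id name" for every agent whose status does not start with Active
    # (e.g. Disconnected, Never connected).
    awk -F', *' '
        /^ *ID:/ {
            status = $NF
            if (status !~ /^Active/) {
                id = $1;   sub(/^ *ID: */, "", id)
                name = $2; sub(/^Name: */, "", name)
                print id, name
            }
        }'
}

health_problems() {
    # $1 = file holding ossec-control status output,
    # $2 = file holding agent_control -l output. One line per problem.
    daemons_not_running < "$1" | sed 's/^/daemon not running: /'
    inactive_agents     < "$2" | sed 's/^/agent not active: /'
}

health_problem_count() {
    health_problems "$1" "$2" | wc -l | tr -d ' '
}

# Constructed samples: a healthy server like the one in the post, and a
# degraded one.
STATUS_OK=$(mktemp);  STATUS_BAD=$(mktemp)
AGENTS_OK=$(mktemp);  AGENTS_BAD=$(mktemp)

cat > "$STATUS_OK" <<'EOF'
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
ossec-dbd is running...
EOF

cat > "$STATUS_BAD" <<'EOF'
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted not running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
ossec-dbd not running...
EOF

cat > "$AGENTS_OK" <<'EOF'
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent1, IP: 192.168.22.241, Active
EOF

cat > "$AGENTS_BAD" <<'EOF'
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent1, IP: 192.168.22.241, Disconnected
   ID: 002, Name: agent2, IP: 192.168.22.242, Never connected
EOF

echo "healthy server: $(health_problem_count "$STATUS_OK" "$AGENTS_OK") problem(s)"
echo "degraded server: $(health_problem_count "$STATUS_BAD" "$AGENTS_BAD") problem(s)"
health_problems "$STATUS_BAD" "$AGENTS_BAD"
```

On a live server, feed it real output instead of the samples: `/usr/local/ossec/bin/ossec-control status > status.txt; /usr/local/ossec/bin/agent_control -l > agents.txt; health_problems status.txt agents.txt`. A stopped ossec-remoted or ossec-dbd means alerts are being lost or not written to MySQL, so a non-zero count is worth wiring into whatever monitoring already watches the host.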
OSSEC graphical interface (screenshot: Qq20140813110124.jpg)
AnaLogi graphical interface (screenshot: Qq20140813110207.jpg)
E-mail alerts received from OSSEC (screenshot: Qq20140813110305.jpg)
This article is from the blog "a Stone Bbotte blog"; please keep this source: http://bbotte.blog.51cto.com/6205307/1539285