Detailed configuration of OSSEC for hardening a Linux system
OSSEC is an open-source host-based intrusion detection system (HIDS) that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
It runs on most operating systems, including Linux, macOS, Solaris, HP-UX, AIX and Windows.
The latest stable version is 2.8; download page: http://www.ossec.net/?page_id=19
OSSEC uses a client/server (C/S) deployment model. In this walkthrough the server is 192.168.22.240 and the client (agent) is 192.168.22.241.
First disable SELinux and install the common packages.
Environment: CentOS release 6.4 (Final) x86_64
sed -i s/SELINUX=enforcing/SELINUX=disabled/g /etc/sysconfig/selinux   # takes effect after a reboot
yum install gcc gcc-c++ vim wget lrzsz ntpdate sysstat dstat -y
Install the server
IP address: 192.168.22.240
yum install mysql-server mysql-devel httpd php-mysql -y
tar -xzf ossec-hids-2.8.tar.gz
cd ossec-hids-2.8
cd src/
# make setdb
Error: PostgreSQL client libraries not installed.
Info: Compiled with MySQL support.
# "make setdb" builds in database support; the message confirms OSSEC can log to a MySQL database (PostgreSQL is skipped because its client libraries are absent)
cd ..
# ./install.sh
The installation prompts are answered as follows:
en                     # select language
Enter                  # continue
server                 # install as server
/usr/local/ossec       # installation directory
3.1 - Do you want e-mail notification? (y/n) [y]: y
    - What's your e-mail address? your_mail@163.com
    - What's your SMTP server ip/host? 127.0.0.1
Enter                  # Running syscheck (integrity check daemon)
Enter                  # Running rootcheck (rootkit detection)
Enter                  # Active response enabled
Enter                  # firewall-drop enabled (local) for levels >= 6
    - Do you want to add more IPs to the white list? (y/n)? [n]: y   # set the IP whitelist; whitelisted IPs are never blocked by active response
    - IPs (space separated):
3.5 - Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: Enter
Enter                  # start the installation
Files and commands available after installation:
/usr/local/ossec/bin/ossec-control start
/usr/local/ossec/bin/ossec-control stop
/usr/local/ossec/etc/ossec.conf
/usr/local/ossec/bin/manage_agents
# /usr/local/ossec/bin/ossec-control --help
Usage: /usr/local/ossec/bin/ossec-control {start|stop|restart|status|enable|disable}
# /usr/local/ossec/bin/ossec-control enable --help
Invalid enable option.
Enable options: database, client-syslog, agentless, debug
Usage: /usr/local/ossec/bin/ossec-control enable [database|client-syslog|agentless|debug]
/usr/local/ossec/bin/ossec-control enable database
# service mysqld start
# /usr/bin/mysql_secure_installation
# mysql -uroot
mysql> create database ossec;
mysql> grant INSERT, SELECT, UPDATE, CREATE, DELETE, EXECUTE on ossec.* to ossec@localhost identified by 'ossec';
mysql> grant INSERT, SELECT, UPDATE, CREATE, DELETE, EXECUTE on ossec.* to ossec@192.168.22.240 identified by 'ossec';   # this second grant is for the Analogi interface installed later
mysql> flush privileges;
mysql> \q
Load the OSSEC schema into the new database:
[root@localhost ossec-hids-2.8]# mysql -uossec -p ossec < src/os_dbd/mysql.schema
Enter password:
vim /usr/local/ossec/etc/ossec.conf   # add the database output block; the element values below are the MySQL host, user, password and database created above
<ossec_config>
  <database_output>
    <hostname>localhost</hostname>
    <username>ossec</username>
    <password>ossec</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
Around line 128 of the same file, add the allowed-ips entry so that syslog from this network segment is accepted:
<remote>
  <connection>syslog</connection>
  <allowed-ips>192.168.22.0/24</allowed-ips>
</remote>
/usr/local/ossec/bin/ossec-control restart
At this point the notification e-mail from OSSEC has already arrived.
Add the agent (client)
# /usr/local/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: A
Please provide the following:
   * A name for the new agent: agent1
   * The IP Address of the new agent: 192.168.22.241
   * An ID for the new agent [001]: 001
Agent information:
   ID: 001
   Name: agent1
   IP Address: 192.168.22.241
Confirm adding it? (y/n): y
Agent added.
** Press ENTER to return to the main menu.
Choose your action: A,E,L,R or Q: E
Available agents:
   ID: 001, Name: agent1, IP: 192.168.22.241
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
(the key printed here is the base64 string that is pasted into the agent below)
** Press ENTER to return to the main menu.
Choose your action: A,E,L,R or Q: Q
# netstat -unlp | grep ossec   # UDP ports 514 (remote syslog) and 1514 (agent traffic) are used for OSSEC communication
udp        0      0 0.0.0.0:514      0.0.0.0:*     4511/ossec-remoted
udp        0      0 0.0.0.0:1514     0.0.0.0:*     4513/ossec-remoted
vim /etc/sysconfig/iptables   # open both ports in iptables
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1514 -j ACCEPT
service iptables restart
Install the client
IP: 192.168.22.241
tar -xzf ossec-hids-2.8.tar.gz
# cd ossec-hids-2.8
# ./install.sh
en                     # select language (accept the default)
Enter                  # continue
agent                  # install as agent
/usr/local/ossec       # installation directory
192.168.22.240         # IP of the OSSEC server
Enter                  # Running syscheck (integrity check daemon)
Enter                  # Running rootcheck (rootkit detection)
Enter                  # Active response
Enter                  # start the installation
Files and commands available after installation:
/usr/local/ossec/bin/ossec-control start
/usr/local/ossec/bin/ossec-control stop
/usr/local/ossec/etc/ossec.conf
/usr/local/ossec/bin/manage_agents
Set up the agent (import the key extracted on the server)
# /usr/local/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8 Agent manager.       *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: I
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or newlines.
Paste it here (or '\q' to quit): MDAxIGFnZW50MSAxOTIuMTY4LjIyLjI0zSBmYTcxYWE1ZWQxYTg0YTM3MDcwNTFkMGRkMDY4NTcyNDQ5NDY2MWRkYTI3ZTMxZTNdZDc3YmFjZjdmZTFk5mNj
Agent information:
   ID: 001
   Name: agent1
   IP Address: 192.168.22.241
Confirm adding it? (y/n): y
Added.
** Press ENTER to return to the main menu.
Choose your action: I or Q: Q
OSSEC log file
/usr/local/ossec/logs/ossec.log
Install the web interface
ossec-wui interface
cd /var/www
unzip ossec-wui-master.zip
mv ossec-wui-master html/ossec
cd html/ossec/
# cat ossec_conf.php
/* Ossec directory */
#$ossec_dir="/var/ossec";
$ossec_dir="/usr/local/ossec";   # point the UI at the installation directory used above
# ./setup.sh
Setting up ossec ui...
Username: ossec
New password:
Re-type new password:
Adding password for user ossec
Enter your web server user name (e.g. apache, www, nobody, www-data, ...)
apache
Enter your OSSEC install directory path (e.g. /var/ossec)
/usr/local/ossec
You must restart your web server after this setup is done.
Setup completed successfuly.
# vim /etc/httpd/conf.d/ossec.conf
Alias /ossec /var/www/html/ossec
<Directory /var/www/html/ossec>
    Order deny,allow
    Deny from all
    Allow from 192.168.22.0/24
    Options -MultiViews
    AuthName "OSSEC AUTH"
    AuthType Basic
    AuthUserFile /var/www/html/ossec/.htpasswd
    Require valid-user
</Directory>
Don't forget to open port 80 in iptables:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
chown apache:apache *    # run inside /var/www/html/ossec
service httpd restart
Analogi interface
cd /var/www/html
wget -O analogi-master.zip https://github.com/ECSC/analogi/archive/master.zip
unzip analogi-master.zip
mv analogi-master ossec/analogi
chown apache.apache -R ossec
cd ossec/analogi
cp db_ossec.php.new db_ossec.php
vim db_ossec.php   # the MySQL user, password and database created above
define ('DB_USER_O', 'ossec');
define ('DB_PASSWORD_O', 'ossec');
define ('DB_HOST_O', 'localhost');
define ('DB_NAME_O', 'ossec');
vim /etc/httpd/conf.d/analogi.conf
Alias /analogi /var/www/html/ossec/analogi
<Directory /var/www/html/ossec/analogi>
    Order deny,allow
    Deny from all
    Allow from 192.168.22.0/24
</Directory>
View status information
# /usr/local/ossec/bin/agent_control -lc
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent1, IP: 192.168.22.241, Active
# /usr/local/ossec/bin/list_agents -a
agent1-192.168.22.241 is available.
# /usr/local/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
ossec-dbd is running...
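A post-install sanity check for the server, added here as an example (it is not part of OSSEC or of this walkthrough): it parses the agent_control listing and netstat -unlp output formats shown above and reports agents that are not Active and ossec-remoted listeners that are missing, which is how a silently disconnected agent or a lost UDP listener gets noticed. The sample outputs embedded in the script are constructed; the paths, ports and agent names are the ones used on this page.

```shell
#!/bin/sh
# Post-install check for the OSSEC server configured above (added example,
# not OSSEC code). It parses the output formats shown on this page so it
# can be exercised offline on constructed samples.

# Print "ID name status" for every agent whose status is not Active.
# Input on stdin: output of /usr/local/ossec/bin/agent_control -l
# (-l lists all agents; -lc, used above, lists only connected ones).
inactive_agents() {
    grep '^ *ID:' | grep -v ', Active' \
      | sed 's/^ *ID: \([0-9]*\), Name: \([^,]*\), IP: \([^,]*\), \(.*\)$/\1 \2 \4/'
}

# Print "udp/<port> ossec-remoted" for each expected listener that is absent.
# Input on stdin: output of netstat -unlp. Expected listeners: ossec-remoted
# on UDP 514 (remote syslog) and UDP 1514 (agents), as shown above.
missing_listeners() {
    out=$(cat)
    for port in 514 1514; do
        printf '%s\n' "$out" | grep -q "^udp .*:$port .*ossec-remoted" \
          || echo "udp/$port ossec-remoted"
    done
}

# Live use on the server (as root): feed the real commands through both checks.
check_server() {
    /usr/local/ossec/bin/agent_control -l | inactive_agents
    netstat -unlp | missing_listeners
}

# Constructed sample outputs (not captured from a real host) for offline use.
SAMPLE_AGENTS='OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent1, IP: 192.168.22.241, Active
   ID: 002, Name: agent2, IP: 192.168.22.242, Disconnected
   ID: 003, Name: agent3, IP: 192.168.22.243, Never connected'
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address  State  PID/Program name
udp        0      0 0.0.0.0:1514     0.0.0.0:*               4513/ossec-remoted
udp        0      0 0.0.0.0:68       0.0.0.0:*               1099/dhclient'

echo "Agents not Active:";       printf '%s\n' "$SAMPLE_AGENTS"  | inactive_agents
echo "Missing OSSEC listeners:"; printf '%s\n' "$SAMPLE_NETSTAT" | missing_listeners
```

On the real server, call check_server from cron and alert on any non-empty output.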
Screenshot: OSSEC web GUI
Screenshot: Analogi graphical interface
Screenshot: alert e-mail received from OSSEC