Tags: ossec
1. This article is mainly adapted from material found online, with a few small changes of my own
server:192.168.153.172
client:192.168.153.173
192.168.153.174
2. Server configuration
The detailed server installation process is described at http://whnba.blog.51cto.com/1215711/1633004
Set up an HTTP server (httpd) so that the configuration files can be downloaded by the clients
[[email protected] ~]# yum -y install httpd
[[email protected] ~]# service httpd start
[[email protected] ~]# mkdir /var/www/html/ossec
[[email protected] ~]# cd /var/www/html/ossec
[[email protected] ossec]# /etc/init.d/iptables stop
Check that the download directory is reachable at http://192.168.153.172/ossec/
ip.txt holds the client hostnames and IP addresses
[[email protected] ~]# cat ip.txt
agent01:192.168.153.173
agent02:192.168.153.174
Script used to generate the keys
[[email protected] ~]# cat key_gen.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import os

if __name__ == '__main__':
    save_keys_path = "keys.logs"
    # ip.txt holds one "hostname:ip" pair per line
    with open("ip.txt") as f:
        lines = f.read().splitlines()
    # the perl script ships in the OSSEC source tarball
    shell_path = "/root/ossec-hids-2.8.1/contrib/ossec-batch-manager.pl"
    for line in lines:
        if not line.strip():
            continue
        arr = line.split(":")
        host_name = arr[0]
        ip = arr[1]
        # register the agent on the server by name and ip
        cmd = "%s -a --ip %s --name %s" % (shell_path, ip, host_name)
        os.system(cmd)
        # extract the agent's key and append it to keys.logs
        cmd = "%s -e %s >> %s" % (shell_path, ip, save_keys_path)
        os.system(cmd)
Error on execution and its fix:
[[email protected] ~]# python key_gen.py
Can't locate Time/HiRes.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at /root/ossec-hids-2.7/contrib/ossec-batch-manager.pl line 113.
BEGIN failed--compilation aborted at /root/ossec-hids-2.7/contrib/ossec-batch-manager.pl line 113.
Can't locate Time/HiRes.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at /root/ossec-hids-2.7/contrib/ossec-batch-manager.pl line 113.
BEGIN failed--compilation aborted at /root/ossec-hids-2.7/contrib/ossec-batch-manager.pl line 113.
[[email protected] ~]# yum -y install perl-Time-HiRes
The generated keys are written to /var/ossec/etc/client.keys
[[email protected] ~]# python key_gen.py
[[email protected] ~]# cat /var/ossec/etc/client.keys
001 agent01 192.168.153.173 316260854925970ce8953064b1ff2fafe1245f38dd06ed1203a60f9a465a9f44
002 agent02 192.168.153.174 2ec85cdc3ac7512572cd1927ecdea88f46521c00896632c1d8b880256a117ebb
Put the configuration files and packages the clients need into the download directory
[[email protected] ~]# cd /var/www/html/ossec
[[email protected] ossec]# tar xf ossec_client_conf.tar.gz
[[email protected] ossec]# ll
total 2416
-rw-r--r-- 1 root root 93 Dec 15 21:49 client.keys
-rw-r--r-- 1 root root 820077 Dec 16 02:22 ossec_client_conf.tar.gz
-rw-r--r-- 1 root root 2781 Dec 28 23:55 ossec.conf
-rw-r--r-- 1 root root 1634812 Apr 17 2015 ossec-hids-2.8.1.tar.gz
-rwxr-xr-x 1 root root 3275 Dec 16 02:16 preloaded-vars.conf
[[email protected] ossec]# grep -Ev '^#|^$' preloaded-vars.conf
USER_LANGUAGE="en" # For english
USER_NO_STOP="y"
USER_INSTALL_TYPE="agent"
USER_DIR="/var/ossec"
USER_ENABLE_ACTIVE_RESPONSE="y"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_AGENT_SERVER_IP="192.168.153.172"
3. Batch installation of the client agents
[[email protected] ~]# yum -y install gcc
[[email protected] ~]# /etc/init.d/iptables stop
Run the script to install the agent automatically
[[email protected] ~]# sh ossec-agent-batch-install.sh
[[email protected] ~]# cat ossec-agent-batch-install.sh
#!/bin/bash
# Fetch the OSSEC source tarball from the server's download directory
cd /usr/local
wget http://192.168.153.172/ossec/ossec-hids-2.8.1.tar.gz
tar xf ossec-hids-2.8.1.tar.gz
cd ossec-hids-2.8.1/etc/
# Replace the default answers file so install.sh runs non-interactively as an agent
mv preloaded-vars.conf preloaded-vars.conf.bak
wget http://192.168.153.172/ossec/preloaded-vars.conf
cd ..
./install.sh
cd /var/ossec/etc
# Download the full client.keys and keep only the line that contains this host's IP
wget http://192.168.153.172/ossec/client.keys
HOST_IP=$(/sbin/ifconfig eth0 | grep 'Bcast' | cut -d: -f2 | cut -d' ' -f1)
sed -i "/$HOST_IP/!d" /var/ossec/etc/client.keys
# Replace the agent's ossec.conf with the prepared one
rm -rf ossec.conf
wget http://192.168.153.172/ossec/ossec.conf
cd ..
./bin/ossec-control start
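The install script above downloads the complete client.keys (every agent's key) to each host and then filters it with `sed '/HOST_IP/!d'`, which keeps any line that merely contains the IP as a substring: an address such as 192.168.153.17 would keep both the .173 and the .174 lines. The following added example (not code from the original post) parses the client.keys format shown in section 2, selects an agent by exact match on the IP field, and splits the file into one file per agent so that a host only needs to fetch its own key. The sample content is constructed to mirror the post's two agents, and the keys are placeholders rather than real keys.

```python
"""Split an OSSEC client.keys file into one file per agent.

Added example, not code from the original post. It assumes the
client.keys format shown above ("<id> <name> <ip> <64-hex key>", one
agent per line) and that each host fetches only the file named after
its own IP instead of the whole client.keys. The sample content is
constructed; the keys are placeholders, not real keys.
"""
import os
import re
import tempfile

# One client.keys line: 3-digit id, agent name, IPv4 address, 64 hex chars.
KEY_LINE = re.compile(
    r"^(\d{3})\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{64})$"
)

# Constructed sample in the format of /var/ossec/etc/client.keys above.
SAMPLE_CLIENT_KEYS = (
    "001 agent01 192.168.153.173 " + "0" * 64 + "\n"
    "002 agent02 192.168.153.174 " + "1" * 64 + "\n"
)


def parse_client_keys(text):
    """Return a list of {id, name, ip, key} dicts; reject malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = KEY_LINE.match(line)
        if m is None:
            raise ValueError("client.keys line %d is malformed: %r" % (lineno, line))
        entries.append(dict(zip(("id", "name", "ip", "key"), m.groups())))
    return entries


def select_by_ip(entries, host_ip):
    """Exact match on the IP column; returns None when no agent has that IP."""
    for entry in entries:
        if entry["ip"] == host_ip:
            return entry
    return None


def substring_match(text, host_ip):
    """Approximate `sed '/HOST_IP/!d'`: keep every line that merely contains host_ip.

    An address such as 192.168.153.17 matches both .173 and .174."""
    return [line for line in text.splitlines() if host_ip in line]


def write_per_agent_files(entries, outdir):
    """Write <ip>.keys for each agent, readable only by the owner (mode 0600)."""
    paths = []
    for entry in entries:
        path = os.path.join(outdir, entry["ip"] + ".keys")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write("%s %s %s %s\n" % (entry["id"], entry["name"], entry["ip"], entry["key"]))
        paths.append(path)
    return paths


def split_to_tempdir(text):
    """Parse client.keys text and split it into a fresh temporary directory."""
    outdir = tempfile.mkdtemp(prefix="ossec-keys-")
    return outdir, write_per_agent_files(parse_client_keys(text), outdir)


if __name__ == "__main__":
    outdir, paths = split_to_tempdir(SAMPLE_CLIENT_KEYS)
    for path in paths:
        print(path)
```

Run against the real file, `write_per_agent_files(parse_client_keys(open("/var/ossec/etc/client.keys").read()), "/var/www/html/ossec/keys")` produces one `<ip>.keys` per agent; the install script would then fetch `http://192.168.153.172/ossec/keys/$HOST_IP.keys` directly into `/var/ossec/etc/client.keys` and the `sed` step is no longer needed.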
4. Check the client port
[[email protected] ~]# netstat -lanpu |grep ossec
udp 0 0 192.168.153.173:60090 192.168.153.172:1514 ESTABLISHED 4827/ossec-agentd
5. Check the server ports
[[email protected] ~]# netstat -lanpu |grep ossec
udp 0 0 0.0.0.0:514 0.0.0.0:* 5657/ossec-remoted
udp 0 0 0.0.0.0:1514 0.0.0.0:* 5658/ossec-remoted
[[email protected] ~]# /var/ossec/bin/agent_control -lc
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: ossec-server (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: agent01, IP: 192.168.153.173, Active
ID: 002, Name: agent02, IP: 192.168.153.174, Active
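After a batch run it is worth comparing the list that `agent_control -lc` reports with the hosts in ip.txt, so that an agent whose install failed, that never connected, or that registered under a different IP is noticed. The following added example (not code from the original post or from OSSEC) does that comparison; it assumes the ip.txt format used above ("name:ip" per line) and the `agent_control -lc` output format shown above. The sample text is constructed: agent03 and agent04 are hypothetical hosts added to show the failure cases.

```python
"""Compare the agent list reported by the OSSEC server with the hosts in ip.txt.

Added example, not code from the original post. It assumes the ip.txt
format used above ("name:ip" per line) and the output format of
`/var/ossec/bin/agent_control -lc` shown above; the sample text below is
constructed (agent03 and agent04 are hypothetical) rather than captured.
"""
import re

# One agent_control -lc line, e.g. "ID: 001, Name: agent01, IP: 192.168.153.173, Active".
AGENT_LINE = re.compile(
    r"^ID:\s*(\d+),\s*Name:\s*(\S+?)(?:\s*\(server\))?,\s*IP:\s*(\S+),\s*(.+?)\s*$"
)

# Constructed ip.txt: two real hosts from the post plus two hypothetical ones.
SAMPLE_IP_TXT = """\
agent01:192.168.153.173
agent02:192.168.153.174
agent03:192.168.153.175
agent04:192.168.153.176
"""

# Constructed agent_control -lc output: agent03 registered with the wrong IP and
# never connected, agent04 was never registered at all.
SAMPLE_AGENT_LIST = """\
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ossec-server (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent01, IP: 192.168.153.173, Active
   ID: 002, Name: agent02, IP: 192.168.153.174, Active
   ID: 003, Name: agent03, IP: 192.168.153.199, Never connected
"""


def parse_ip_txt(text):
    """Return {name: ip} from ip.txt, skipping blank lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, ip = line.split(":", 1)
        expected[name.strip()] = ip.strip()
    return expected


def parse_agent_list(text):
    """Return [{id, name, ip, status}] for each agent line; other lines are ignored."""
    agents = []
    for line in text.splitlines():
        m = AGENT_LINE.match(line.strip())
        if m:
            agents.append(dict(zip(("id", "name", "ip", "status"), m.groups())))
    return agents


def check_deployment(expected, agents):
    """Report hosts that are missing, not active, registered under another IP, or unexpected."""
    seen = {a["name"]: a for a in agents if a["id"] != "000"}  # skip the server itself
    report = {"missing": [], "inactive": [], "ip_mismatch": [], "unexpected": []}
    for name, ip in sorted(expected.items()):
        agent = seen.get(name)
        if agent is None:
            report["missing"].append(name)
            continue
        if agent["ip"] != ip:
            report["ip_mismatch"].append((name, ip, agent["ip"]))
        if not agent["status"].startswith("Active"):
            report["inactive"].append((name, agent["status"]))
    report["unexpected"] = sorted(set(seen) - set(expected))
    return report


if __name__ == "__main__":
    result = check_deployment(parse_ip_txt(SAMPLE_IP_TXT), parse_agent_list(SAMPLE_AGENT_LIST))
    for key, value in sorted(result.items()):
        print("%-12s %s" % (key, value))
```

On the server the same check runs on live data with `check_deployment(parse_ip_txt(open("ip.txt").read()), parse_agent_list(subprocess.check_output(["/var/ossec/bin/agent_control", "-lc"]).decode()))`; an empty report means every host in ip.txt is registered with the expected IP and is currently active.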
This article is from the "卡卡西" blog; please keep this attribution: http://whnba.blog.51cto.com/1215711/1729606
CentOS 6.4: batch installation and deployment of OSSEC clients