Installing OSSEC On Linux And UNIX System

Written by Santosh Prasad

OSSEC is a free and open source centralised log monitoring and notification system, and also an open source Host-Based Intrusion Detection System (HIDS). With OSSEC we can monitor all types of logs, such as syslog, mail logs, Apache logs, MySQL logs, Cisco IOS logs, FTP logs, and more.

In this tutorial I am going to explain how to install and configure the OSSEC server on a Linux machine. I assume that you already have the PHP and MySQL related packages installed on your system.

OSSEC Features:

  • Performs system log analysis
  • Policy monitoring
  • Checking file integrity
  • Active response
  • Log monitoring
  • Real-time log alert

OSSEC Installation

You can install OSSEC using the yum command, or you can download the source package from its website: www.ossec.net/files/ossec-hids-2.8.1.tar.gz

Using yum command

You will need to install two repositories, EPEL and Atomicorp.com, to install OSSEC.

Installing EPEL Repository

# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm

Installing Atomic Repository

# wget https://www.atomicorp.com/installers/atomic
# chmod +x atomic
# ./atomic

After installing both repositories, install the OSSEC server. The OSSEC client package is also available as “ossec-hids-client”.

# yum install ossec-hids ossec-hids-server

After running the above command you will get output similar to the following.

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
ossec-hids x86_64 2.6-14.el6.art atomic 50 k
ossec-hids-server x86_64 2.6-14.el6.art atomic 779 k
Installing for dependencies:
inotify-tools x86_64 3.14-1.el6 epel 46 k
perl-DBD-SQLite x86_64 1.27-3.el6 base 83 k
perl-Time-HiRes x86_64 4:1.9721-119.el6_1.1 base 46 k

Transaction Summary
================================================================================
Install 5 Package(s)

Total download size: 1.0 M
Installed size: 6.4 M
Is this ok [y/N]: y
Downloading Packages:
(1/5): inotify-tools-3.14-1.el6.x86_64.rpm | 46 kB 00:00
(2/5): ossec-hids-2.6-14.el6.art.x86_64.rpm | 50 kB 00:00
(3/5): ossec-hids-server-2.6-14.el6.art.x86_64.rpm | 779 kB 00:00
(4/5): perl-DBD-SQLite-1.27-3.el6.x86_64.rpm | 83 kB 00:00
(5/5): perl-Time-HiRes-1.9721-119.el6_1.1.x86_64.rpm | 46 kB 00:00
--------------------------------------------------------------------------------
Total 953 kB/s | 1.0 MB 00:01

Installing OSSEC Server Using Tar file

Run the following commands to download the OSSEC package.

# cd /root/download/

# wget www.ossec.net/files/ossec-hids-2.8.1.tar.gz
--2017-02-06 04:19:23-- http://www.ossec.net/files/ossec-hids-2.8.1.tar.gz
Resolving www.ossec.net... 150.70.191.237
Connecting to www.ossec.net|150.70.191.237|:80... connected.

Now extract the ossec-hids-2.8.1.tar.gz file, go into the ossec-hids-2.8.1 directory and run install.sh.

# tar -zxvf ossec-hids-2.8.1.tar.gz
# cd ossec-hids-2.8.1
# ls
BUGS CONFIG CONTRIBUTORS INSTALL LICENSE README.md active-response contrib doc etc install.sh src

OSSEC Server Installation

Follow the steps below to install the OSSEC server.

# cd ossec-hids-2.8.1
# ./install.sh
which: no host in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/root/bin)

** Para instalação em português, escolha [br].
** ?????????, ??? [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** G?a e??at?stas? sta ????????, ep????te [el].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** A Magyar nyelvu telepítéshez válassza [hu].
** Per l'installazione in Italiano, scegli [it].
** ?????????????.???????.[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalowac w jezyku Polskim, wybierz [pl].
** ??? ?????????? ?? ????????? ?? ??????? ,??????? [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türkçe kurulum için seçin [tr].
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: [Press Enter]

Select the installation language here; English is the default.

After pressing Enter, the script shows the system details: the kernel version, the user and the hostname. Press Enter to start the installation process.

OSSEC HIDS v2.8 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to [email protected] (or [email protected]).

- System: Linux client03.example.com 2.6.32-042stab111.12
- User: root
- Host: client03.example.com
-- Press ENTER to continue or Ctrl-C to abort. -- [Press Enter]

Next, the script asks which installation mode to use. The available modes are described below.

-- Press ENTER to continue or Ctrl-C to abort. -- [Press Enter]

1- What kind of installation do you want (server, agent, local, hybrid or help)?

Server :- Server mode is the central piece of an OSSEC deployment. It is used to administer a large number of agents.

Agent :- In agent mode, the OSSEC agent sends events, audit entries and logs to the server.

Local Mode :- Local mode is similar to the server and agent installations, except that the server has been configured to listen for communication from the agents.

Hybrid :- In this mode, OSSEC acts as both server and client.

Server Mode

In this tutorial I am going to install server mode.

Server IP :-  192.168.1.5

1- What kind of installation do you want (server, agent, local, hybrid or help)? server

- Server installation chosen.

Type server to install server mode.

2- Setting up the installation environment.

- Choose where to install the OSSEC HIDS [/var/ossec]: [Press Enter]

- Installation will be made at /var/ossec .

Select the installation directory for the OSSEC server. By default, /var/ossec is used.

Next you need to configure the notification e-mail address and the SMTP server. OSSEC notifies you via e-mail.

3- Configuring the OSSEC HIDS.

3.1- Do you want e-mail notification? (y/n) [y]: y
- What's your e-mail address? [email protected]
- What's your SMTP server ip/host? smtp.gmail.com

Next type “y” for system integrity checking.

It performs periodic integrity checking of configured files such as /etc/passwd, or of registry entries on Windows systems. This is an important part of a HIDS, since it reports any change made on the system.

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

- Running syscheck (integrity check daemon).

Next it asks about rootkit detection. rootcheck is an open source tool for rootkit detection and system auditing: it scans the whole system and detects the presence of known and unknown rootkits.

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

- Running rootcheck (rootkit detection).

Next comes the Active Response feature, which helps block brute-force login attempts on the system using iptables.

3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response

- Do you want to enable active response? (y/n) [y]: y

- Active response enabled.

- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.

- Do you want to enable the firewall-drop response? (y/n) [y]: y

- firewall-drop enabled (local) for levels >= 6

- Default white list for the active response:
- 8.8.4.4

- Do you want to add more IPs to the white list? (y/n)? [n]: y
- IPs (space separated): 4.2.2.2

Next, OSSEC will send auth.log, syslog, dpkg and Apache logs to the syslog server. OSSEC sends its alerts using this feature.

3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: y

- Remote syslog enabled.

3.6- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/secure
-- /var/log/maillog
-- /var/log/httpd/error_log (apache log)
-- /var/log/httpd/access_log (apache log)
-- /var/log/nginx/access.log (apache log)
-- /var/log/nginx/error.log (apache log)

- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .
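The installer's note above says that any other file is monitored by adding a localfile entry to ossec.conf, and step 3.4 earlier added IPs to the active-response white list. The following POSIX shell script is an added example (it is not from this tutorial or from the OSSEC project) that makes both edits in place with a backup and a structural check before you restart OSSEC. It assumes the config lives at /var/ossec/etc/ossec.conf (override with OSSEC_CONF); the minimal sample config it builds for the demo is constructed, not the real file.

```shell
#!/bin/sh
# Added example (not from the tutorial or the OSSEC project): add a <localfile>
# entry and an active-response <white_list> entry to ossec.conf in place.
# Assumption: the config path is /var/ossec/etc/ossec.conf; the sample config
# written by make_sample_conf is constructed for demonstration only.

OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"

# Write a constructed, minimal ossec.conf to the given path (demo input only).
make_sample_conf() {
  cat > "$1" <<'EOF'
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <white_list>8.8.4.4</white_list>
  </global>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>
EOF
}

# Accept only a dotted-quad IPv4 address, optionally with a /prefix, so that a
# typo never lands in a config that is only re-read when OSSEC restarts.
valid_ip() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
  oldifs=$IFS; IFS='./'; set -- $1; IFS=$oldifs
  for o in "$1" "$2" "$3" "$4"; do [ "$o" -le 255 ] || return 1; done
  return 0
}

# Append a <localfile> block just before </ossec_config>; idempotent per path.
add_localfile() {  # usage: add_localfile CONF LOGPATH [FORMAT]
  conf=$1; logpath=$2; fmt=${3:-syslog}
  grep -qF "<location>$logpath</location>" "$conf" && return 0
  cp "$conf" "$conf.bak"   # keep the previous config as a backup
  awk -v p="$logpath" -v f="$fmt" '
    /<\/ossec_config>/ {
      print "  <localfile>"
      print "    <log_format>" f "</log_format>"
      print "    <location>" p "</location>"
      print "  </localfile>"
    }
    { print }' "$conf.bak" > "$conf"
}

# Add an IP to the active-response white list inside <global>; idempotent per IP.
add_whitelist() {  # usage: add_whitelist CONF IP
  conf=$1; ip=$2
  valid_ip "$ip" || { echo "refusing invalid white-list entry: $ip" >&2; return 1; }
  grep -qF "<white_list>$ip</white_list>" "$conf" && return 0
  cp "$conf" "$conf.bak"
  awk -v ip="$ip" '
    { print }
    /<global>/ { print "    <white_list>" ip "</white_list>" }' "$conf.bak" > "$conf"
}

# Cheap structural check before restarting OSSEC: every tag we manage must be
# closed as often as it is opened (a line count, not a full XML parse).
conf_balanced() {
  for t in ossec_config global localfile white_list; do
    [ "$(grep -c "<$t>" "$1")" -eq "$(grep -c "</$t>" "$1")" ] || return 1
  done
  return 0
}

# Stand-alone demo on a temporary constructed config (never touches $OSSEC_CONF).
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  make_sample_conf "$tmp"
  add_localfile "$tmp" /var/log/audit/audit.log syslog
  add_whitelist "$tmp" 192.168.1.5
  conf_balanced "$tmp" && cat "$tmp"
  rm -f "$tmp" "$tmp.bak"
fi
```

Run it with --demo to see the edited sample config; for the real server, call add_localfile "$OSSEC_CONF" /path/to/log and conf_balanced "$OSSEC_CONF" and then restart OSSEC, since the daemons only read ossec.conf at start.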

After the above configuration and settings, press “Enter” and OSSEC starts the installation.

--- Press ENTER to continue ---

5- Installing the system
- Running the Makefile
INFO: Little endian set.

*** Making zlib (by Jean-loup Gailly and Mark Adler) ***
make[1]: Entering directory `/root/download/ossec-hids-2.8.1/src/external'
cd zlib-1.2.8/; ./configure; make libz.a;
Checking for gcc...
Checking for shared library support...
Building shared library libz.so.1.2.8 with gcc.
Checking for off64_t... Yes.
Checking for fseeko... Yes.
Checking for strerror... Yes.
Checking for unistd.h... Yes.
Checking for stdarg.h... Yes.
Checking whether to use vs[n]printf() or s[n]printf()... using vs[n]printf().
Checking for vsnprintf() in stdio.h... Yes.
Checking for return value of vsnprintf()... Yes.
Checking for attribute(visibility) support... Yes.
make[2]: Entering directory `/root/download/ossec-hids-2.8.1/src/external/zlib-1.2.8'
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o adler32.o adler32.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o crc32.o crc32.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o deflate.o deflate.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o infback.o infback.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o inffast.o inffast.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o inflate.o inflate.c

Before completing the installation it shows some information: the detected OS, the commands to start and stop OSSEC, and the location of the OSSEC configuration file.

- System is Redhat Linux.
- Init script modified to start OSSEC HIDS during boot.

- Configuration finished properly.

- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start

- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop

- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at [email protected] or using our public maillist at
[email protected]
( http://www.ossec.net/main/support/ ).

More information can be found at http://www.ossec.net

--- Press ENTER to finish (maybe more information below). ---

Now press “Enter” to finish the OSSEC server installation.

- In order to connect agent and server, you need to add each agent to the server.
Run the 'manage_agents' to add or remove them:

/var/ossec/bin/manage_agents

More information at:
http://www.ossec.net/en/manual.html#ma

As shown above, agents can be added or removed using the “manage_agents” utility.

Now start the OSSEC server.

# service ossec-hids start
Starting ossec-hids: [ OK ]
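Once the server is running, alerts land in its alerts log, and the firewall-drop response enabled during installation fires for alerts of level 6 or higher unless the source is on the white list. The following POSIX shell script is an added example (not from this tutorial or the OSSEC project) that summarises alerts per level and lists the sources the response would act on, so you can verify the level threshold and white list behave as intended. It assumes the OSSEC 2.x alerts.log layout at /var/ossec/logs/alerts/alerts.log (override with ALERTS_LOG); the sample records are constructed using documentation IP ranges and fake timestamps.

```shell
#!/bin/sh
# Added example (not from the tutorial or the OSSEC project): summarise alerts.log
# and list the sources the firewall-drop response (levels >= 6) would block,
# minus the white-listed IPs. Assumes the OSSEC 2.x alerts.log layout.

ALERTS_LOG="${ALERTS_LOG:-/var/ossec/logs/alerts/alerts.log}"

# Constructed sample records in the alerts.log layout (not real traffic).
sample_alerts() {
  cat <<'EOF'
** Alert 1486355993.1234: - syslog,sshd,authentication_failed,
2017 Feb 06 04:19:53 client03->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
Feb  6 04:19:52 client03 sshd[2201]: Failed password for root from 192.0.2.10 port 51234 ssh2

** Alert 1486356010.2345: mail  - syslog,sshd,authentication_failures,
2017 Feb 06 04:20:10 client03->/var/log/secure
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 192.0.2.10
Feb  6 04:20:09 client03 sshd[2201]: Failed password for root from 192.0.2.10 port 51240 ssh2

** Alert 1486356100.3456: mail  - syslog,sshd,authentication_failures,
2017 Feb 06 04:21:40 client03->/var/log/secure
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 4.2.2.2
Feb  6 04:21:39 client03 sshd[2310]: Failed password for admin from 4.2.2.2 port 40001 ssh2

** Alert 1486356200.4567: - ossec,syscheck,
2017 Feb 06 04:23:20 client03->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
EOF
}

# Count alerts per rule level, lowest level first; prints "level count" lines.
alerts_by_level() {
  awk '/^Rule: / { match($0, /\(level [0-9]+\)/)
                   n[substr($0, RSTART + 7, RLENGTH - 8) + 0]++ }
       END { for (l in n) print l, n[l] }' | sort -n
}

# Print "ip count" for alerts at or above MINLEVEL whose source is not in the
# space-separated white list; alerts without a Src IP (e.g. syscheck) are skipped.
blockable_sources() {  # usage: ... | blockable_sources MINLEVEL "ip ip ..."
  awk -v min="$1" -v wl=" $2 " '
    /^\*\* Alert/ { level = 0; ip = "" }
    /^Rule: /     { match($0, /\(level [0-9]+\)/)
                    level = substr($0, RSTART + 7, RLENGTH - 8) + 0 }
    /^Src IP: /   { ip = $3
                    if (level >= min && index(wl, " " ip " ") == 0) hits[ip]++ }
    END { for (i in hits) print i, hits[i] }' | sort
}

# Stand-alone demo on the constructed records; use "$ALERTS_LOG" on a real server.
if [ "${1:-}" = "--demo" ]; then
  echo "alerts per level:";  sample_alerts | alerts_by_level
  echo "blockable sources:"; sample_alerts | blockable_sources 6 "8.8.4.4 4.2.2.2"
fi
```

On the demo data only 192.0.2.10 is reported: its level 5 alert is below the threshold, 4.2.2.2 is white-listed, and the syscheck alert has no source IP. Against the live log, run blockable_sources 6 "8.8.4.4 4.2.2.2" < "$ALERTS_LOG" with the same white list you gave the installer.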

To install or learn more about OSSEC agent/client mode, refer to our next article.

How to install and configure OSSEC Client/Agent Mode on Linux

I hope this article is helpful for installing and configuring the OSSEC server on Linux and UNIX systems. Also read our other articles, Easy Steps to Clone Your HDD (Hard Drive) using dd and Managing Web Traffic Load With HaProxy. If you have any queries or problems, please comment in the comment section, or ask your question.


About the author


Santosh Prasad

Hi! I'm Santosh and I'm here to post some cool articles for you. If you have any query or suggestion, please comment in the comment section.
