OSSEC

OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS).
http://ossec.github.io
It's free, available on all major operating systems, and helps meet specific compliance requirements such as PCI and HIPAA.

In short: it helps you secure your servers with intrusion detection, log analysis, integrity checking, rootkit detection and time-based alerting.

The following is a quick start guide to installing OSSEC and setting up its UI interfaces.
For additional information see http://ossec.github.io/docs/

Setup:

The following commands are for Ubuntu 14.04.3 LTS, so amend them if you are using a different OS.

Create a test box in Vagrant (optional)

vagrant init ubuntu/trusty32
vagrant up
vagrant ssh

or SSH to your own server.

Running as a sudo user is required.
For ease, I am using root

sudo su
apt-get update
apt-get install build-essential

Install Postfix (optional; needed to send emails from a Vagrant box)

apt-get install postfix

Install OSSEC:

At the time of writing the version is 2.8.2.

wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.2.tar.gz
wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.2-checksum.txt
cat ossec-hids-2.8.2-checksum.txt
md5sum ossec-hids-2.8.2.tar.gz
sha1sum ossec-hids-2.8.2.tar.gz

Check that both the MD5 and SHA1 checksums match and you are good to go.
If they do not, you should be concerned that you have not been provided a valid OSSEC installation file. Note that the checksum file is fetched from the same server as the tarball, so this mainly guards against a corrupt or partial download rather than a compromised download site.
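An added example (not from the OSSEC project) that scripts this check: it reads both digests from the checksum file and fails unless both match, or if either line is missing. It assumes the OpenSSL-style layout "MD5(file)= hex" / "SHA1(file)= hex" and runs over a constructed sample file rather than the real tarball.

```shell
# Added example: verify a download against an ossec-style checksum file.
# Assumed file layout (OpenSSL dgst style, as published for 2.8.2):
#   MD5(ossec-hids-2.8.2.tar.gz)= <hex>
#   SHA1(ossec-hids-2.8.2.tar.gz)= <hex>

# digest_from_file CHECKSUMFILE ALGO -> prints the hex digest listed for ALGO
digest_from_file() {
    awk -v algo="$2" 'index($0, algo "(") == 1 {
        sub(/.*= */, ""); sub(/[ \r]+$/, ""); print tolower($0)
    }' "$1"
}

# verify_checksums TARBALL CHECKSUMFILE
#   returns 0 when both digests match, 1 on a mismatch,
#   2 when the checksum file does not list both MD5 and SHA1.
verify_checksums() {
    expected_md5=$(digest_from_file "$2" MD5)
    expected_sha1=$(digest_from_file "$2" SHA1)
    [ -n "$expected_md5" ] && [ -n "$expected_sha1" ] || return 2
    actual_md5=$(md5sum "$1" | awk '{print $1}')
    actual_sha1=$(sha1sum "$1" | awk '{print $1}')
    [ "$actual_md5" = "$expected_md5" ] || return 1
    [ "$actual_sha1" = "$expected_sha1" ] || return 1
    return 0
}

# setup_demo -> prints a temp dir holding a constructed "tarball" and its
# checksum file (digests of the text "hello\n"; not a real OSSEC release).
setup_demo() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/sample.tar.gz"
    cat > "$d/sample-checksum.txt" <<'EOF'
MD5(sample.tar.gz)= b1946ac92492d2347c6235b4d2611184
SHA1(sample.tar.gz)= f572d396fae9206628714fb2ce00f72e94f2258f
EOF
    echo "$d"
}

# Stand-alone run against the constructed sample.
demo=$(setup_demo)
if verify_checksums "$demo/sample.tar.gz" "$demo/sample-checksum.txt"; then
    echo "both digests match"
else
    echo "verification failed (rc=$?)"
fi
```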

tar -zxf ossec-hids-2.8.2.tar.gz
cd ossec-hids-2.8.2
./install.sh

Answers to the questions:
(FYI: this example sets OSSEC up in local mode. Select server if you want a central server, and agent on each host that should feed its data into that central server.)

en
ENTER
local
ENTER
y
youremail@gmail.com (add your own email here)
y
y
y
n
ENTER
ENTER

If installation has been successful then you should see something like this:

Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
( http://www.ossec.net/main/support/ ).

More information can be found at http://www.ossec.net

— Press ENTER to finish (maybe more information below). —

OSSEC usage:

Check the status

/var/ossec/bin/ossec-control status

OSSEC is configured to start at boot, but you have to start it manually the first time after installation.

Start OSSEC

/var/ossec/bin/ossec-control start

Restart OSSEC

/var/ossec/bin/ossec-control restart

Back up settings in case you break anything during changes

cp /var/ossec/etc/ossec.conf /var/ossec/etc/ossec.conf_bak

Changing settings
If you wish to change settings such as which folders to keep an eye on and what to ignore:

nano /var/ossec/etc/ossec.conf

Also look at /var/ossec/rules for further options.
When making changes I would recommend that you add new rules to local_rules.xml instead of changing the other files, as the shipped rule files are replaced on upgrade while local_rules.xml is kept.

Checking the logs

tail -f /var/ossec/logs/ossec.log

(Ctrl-C to exit tail)

If you are not receiving emails, check the logs for any mention of failed emails and change the configuration accordingly.
Using a Gmail address is harder, as Gmail is strict about what it considers spam.

Example trigger alert

First modify ossec.conf so that syscheck runs more often.
Change this back to 79200 after testing:

<frequency>60</frequency>

Add the following inside the same <syscheck> section:

<directories report_changes="yes" realtime="yes" restrict=".php|.js|.py|.sh|.html" check_all="yes">/home,/var/www</directories>

As you can see, you can limit which file types to check (the restrict attribute is optional).

cp /var/ossec/rules/local_rules.xml /var/ossec/rules/local_rules.xml_bak
nano /var/ossec/rules/local_rules.xml

Add this just before the closing </group> tag:

<rule id="554" level="7" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,</group>
</rule>

touch /home/test.html

Wait for the alert.

Change this file's contents (with anything):

nano /home/test.html

Wait for another alert.
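An added example (not from OSSEC) that pulls the syscheck alerts out of /var/ossec/logs/alerts/alerts.log so you can confirm the two alerts this walkthrough expects, rule 554 for the new file and rule 550 for the modified one, fired for the path you touched. It assumes the 2.8.x alerts.log record layout shown in the comments and runs over a constructed sample rather than a real log.

```shell
# Added example: extract syscheck alerts from alerts.log.
# Assumed record layout (OSSEC 2.8.x):
#   ** Alert <ts>: mail - ossec,syscheck,
#   <date> <host>->syscheck
#   Rule: <id> (level N) -> '<description>'
#   <message naming the affected path in single quotes>

# syscheck_alerts LOG -> one "RULEID<TAB>PATH" line per syscheck alert
syscheck_alerts() {
    awk -v q="'" '
        /^\*\* Alert/ { insc = ($0 ~ /syscheck/); rule = ""; next }
        /^Rule: /     { rule = $2; next }
        insc && rule != "" && match($0, q "[^" q "]+" q) {
            print rule "\t" substr($0, RSTART + 1, RLENGTH - 2)
            rule = ""   # only the first quoted value after the Rule line
        }' "$1"
}

# count_rule LOG RULEID -> how many syscheck alerts fired for that rule
count_rule() {
    syscheck_alerts "$1" | awk -F "$(printf '\t')" -v want="$2" \
        '$1 == want { n++ } END { print n + 0 }'
}

# write_sample_log FILE: constructed alerts.log content (not a real capture)
# covering the new-file alert (554), an unrelated sshd alert that must be
# ignored, and the modification alert (550).
write_sample_log() {
    cat > "$1" <<'EOF'
** Alert 1444000000.1: mail - ossec,syscheck,
2015 Oct 05 12:00:00 ubuntu-trusty->syscheck
Rule: 554 (level 7) -> 'File added to the system.'
New file '/home/test.html' added to the file system.

** Alert 1444000030.2: - syslog,sshd,authentication_failed,
2015 Oct 05 12:00:30 ubuntu-trusty->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Oct  5 12:00:30 ubuntu-trusty sshd[1234]: Failed password for invalid user bob from 10.0.0.5 port 4242 ssh2

** Alert 1444000060.3: mail - ossec,syscheck,
2015 Oct 05 12:01:00 ubuntu-trusty->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/home/test.html'
Size changed from '0' to '13'
EOF
}

# Stand-alone run over the constructed sample.
log=$(mktemp)
write_sample_log "$log"
syscheck_alerts "$log"
```

On a real box, run syscheck_alerts against /var/ossec/logs/alerts/alerts.log instead of the sample.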

Set up UI interfaces:

Set up Apache and MySQL server if required

apt-get install mysql-server libmysqlclient-dev mysql-client apache2 php5 libapache2-mod-php5 php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl apache2-utils

Harden your MySQL settings

mysql_secure_installation

Restart Apache and MySQL

service apache2 restart
service mysql restart

Install OSSEC WUI

cd ~
wget https://github.com/ossec/ossec-wui/archive/0.9.tar.gz
tar -xf 0.9.tar.gz
mkdir /var/www/ossecwui/
mv ossec-wui-0.9/* /var/www/ossecwui/
cd /var/www/ossecwui/
htpasswd -c .htpasswd admin
./setup.sh
cd /etc/apache2/sites-available/
cp 000-default.conf ossecwui.conf
nano ossecwui.conf

The file should look something like:

<VirtualHost *:80>
ServerName ossecwui.dev

ServerAdmin webmaster@localhost
DocumentRoot /var/www/ossecwui

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

As I am setting up on a dev box I use .dev as my domain and point my hosts file to this box's IP. Use whatever domain is suitable for you.

a2ensite ossecwui.conf
service apache2 restart

You should now have something like:

[screenshot: OSSEC WUI]

Installing Analogi Web Dashboard:

'Analytical Log Interface' was built to sit on top of OSSEC (built on OSSEC 2.6) and requires 0 modifications to OSSEC or the database schema that ships with OSSEC. AnaLogi requires a Webserver sporting PHP and MySQL.

Create the database (replace the example password 'ossec' with one of your own, and use the same value in ossec.conf below)

mysql -u root -p
CREATE DATABASE ossec;
GRANT INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossecuser;
SET password for ossecuser = PASSWORD('ossec');
flush privileges;

Enable OSSEC database output

nano /var/ossec/etc/ossec.conf

Add this to the top of the file, after <ossec_config>:

<database_output>
<hostname>127.0.0.1</hostname>
<username>ossecuser</username>
<password>ossec</password>
<database>ossec</database>
<type>mysql</type>
</database_output>

mysql -u root -p ossec < /root/ossec-hids-2.8.2/src/os_dbd/mysql.schema
/var/ossec/bin/ossec-control enable database

A reinstall of OSSEC is likely to be required:

cd /root/ossec-hids-2.8.2/src
make setdb
cd ../
./install.sh
/var/ossec/bin/ossec-control restart
cd /var/www
git clone https://github.com/ECSC/analogi.git
cp analogi/db_ossec.php.new analogi/db_ossec.php
cd /etc/apache2/sites-available/
nano analogi.conf

<VirtualHost *:80>
ServerName analogi.dev

ServerAdmin webmaster@localhost
DocumentRoot /var/www/analogi

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

a2ensite analogi.conf
service apache2 reload

You should now have a working site like the one below:

[screenshot: AnaLogi dashboard]

If you install any of these UI sites on a live server, ensure that you secure them: serve them over HTTPS and restrict access with user authentication and/or source IP restrictions.
